It was just a few weeks back that KSMBD was merged into Linux 5.15 while now it's seeing its first important security fix.

A change first proposed last year to the Linux kernel's Spectre mitigation defaults looks like it will soon be sent in for the mainline kernel.

After many development snapshots and three years worth of work, OpenSSL 3.0 is now available as a major update to this widely-used SSL library.

For more than a year there has been work on FGKASLR for finer grained kernel address space layout randomization. While KASLR is widely-used these days, with enough guessing or unintentional kernel leakage, the base address of the kernel can be figured out. Finer grained KASLR allows for randomization at the per-functional level to dramatically boost defenses. The latest take on FG-KASLR has now been published.

The latest security effort being pursued by Google's Kees Cook is to provide full compile-time and run-time coverage of all detectable buffer overflows.

With the Linux 5.15 kernel is a new build-time option to further harden the kernel around side channel attacks and information leakage. Enabling this option can have some (small) performance cost and a slightly larger kernel.

Worked on for more than one year is the patches out of Amazon for allowing opt-in L1 data cache flushing on context switching. This L1d flushing is done in the name of greater security given the various CPU speculative execution hardware vulnerabilities these days and protecting against other possible future vulnerabilities. After trying to get the code merged last summer, Linus Torvalds called it "beyond stupid" and reverted the code but now for Linux 5.15 a revised form of it was submitted.

Due to the growing threat posed by file-less malware attacks where malware code is executed from anonymous executable memory pages that aren't backed by data on the file-system, the "NAX" Linux security module has been seeing work recently for helping to protect against such scenarios.

The work going on for over a year to optionally flush the L1 data cache on context switching is going to try again for the next kernel cycle as an opt-in feature for select tasks. This was the feature rejected last year by Linus Torvalds that went on to "beyond stupid" and other concerns about it when it was trying to be mainlined originally.

The "Linux Random Number Generator" (LRNG) effort as a new drop-in replacement for /dev/random is now up to its 41st revision and in development for more than five years.

Of the many new features in Linux 5.13 one of the prominent security features is the ability to randomize the kernel stack offset at each system call. With Linux 5.13 stable imminent, here are some performance benchmarks of the impact from enabling this security feature.

While some Huawei engineers are currently facing criticism for submitting superfluous kernel patches in an effort to boost their own or the company's standing in the kernel community, other engineers at Huawei are working on more substantive kernel patches. Here's a rather peculiar new patch series out on Friday where a Huawei engineer is effectively proposing an in-kernel transactional database.

As part of Google's latest work on trying to enhance open-source software security, months after starting their own open-source vulnerability database they are now looking to push an open-source vulnerability interchange schema to make it easier to exchange information on vulnerabilities and making it easier for automated analysis.

With the latest mainline Git kernel as well as the newest stable point releases as of Wednesday, a Spectre issue with the kernel's BPF subsystem has been addressed.

Alibaba engineers are looking to mainline an x86_64 tuned version of the SM4 cipher that with making use of AVX and AES-NI can allow for a dramatic performance speed-up.

Merged today to Linux 5.13 Git and marked for back-porting to stable series is a new "confused deputy" weakness and affects kernels going back to Linux 2.6.12 from 2005.

Apple's shiny new in-house M1 Arm chip is the latest processor challenged by a security vulnerability. The "M1RACLES" vulnerability was made public today as a covert channel vulnerability by where a mysterious register could leak EL0 state.

A security module continues to be worked on for being able to detect and mitigate against fork/execute brute force attacks to Linux systems.

It looks like the years-long effort around CPU core scheduling that's been worked on by multiple vendors in light of CPU security vulnerabilities threatening SMT/HT security will see mainline later this summer with Linux 5.14.

FragAttacks was made public on Tuesday as a set of new security vulnerabilities affecting WiFi devices. These are just not some driver-level bugs but rather three of the vulnerabilities are attributed as design flaws in the WiFi standard itself and in turn most devices on the market.

Going back about a half-decade has been the Landlock Linux Security Module (LSM) as a means of allowing even unprivileged processes to create "powerful security" sandboxes. After a number of rounds of reviews and revisions over the year, Landlock has finally been mainlined for Linux 5.13!

University of Virginia and University of California San Diego researchers have discovered multiple new variants of Spectre attacks that are not protected by existing Spectre mitigations and could yield both Intel and AMD CPUs leaking data via micro-op caches.

One of the new security features in Linux 5.13 is the ability to randomize kernel stack offsets at each system call. This optional feature is now mainlined.

The past few months there has been work by Google's Chrome OS engineers on Restricted DMA functionality for the Linux kernel to protect systems lacking an IOMMU.

In development for more than one year has been the ability to create secret memory areas on Linux that would be visible only to the owning process and is not mapped for other processes or the kernel page tables. That "memfd_secret" system call has finally materialized in Linux-Next and looking like it could be ready for mainline.

The ability to randomize the kernel stack offset at each system call looks like it will land for the upcoming Linux 5.13 cycle. This optional feature makes it much more difficult to carry out stack-based attacks on the Linux kernel.

Besides Linux kernel developers still working to optimize code due to Retpolines overhead three years after Spectre rocked the ecosystem, another area kernel developers have still been actively working on is core scheduling for controlling the behavior of what software can share CPU resources or run on the sibling thread of a CPU core. That core scheduling work is finally closer to the mainline Linux kernel.

Security researcher and Microsoft engineer Mickaël Salaün is proposing unprivileged chroot support for the Linux kernel.

Last summer the GRUB bootloader was impacted by "BootHole" with security issues hitting its UEFI Secure Boot support while today a new round of vulnerabilities were made public.

On Monday the crypto subsystem updates were sent in to the Linux 5.12 kernel by crypto maintainer Herbert Xu.