LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 weeks 1 day ago

Important Etherpad release

Monday 9th of April 2018 04:05:33 PM
Several security vulnerabilities were found in Etherpad and version 1.6.4 has been released with fixes. The vulnerabilities include arbitrary code execution and information disclosure. Site admins are urged to update Etherpad to 1.6.4 as soon as possible.

Security updates for Monday

Monday 9th of April 2018 03:48:50 PM
Security updates have been issued by Arch Linux (openssl and zziplib), Debian (ldap-account-manager, ming, python-crypto, sam2p, sdl-image1.2, and squirrelmail), Fedora (bchunk, koji, libidn, librelp, nodejs, and php), Gentoo (curl, dhcp, libvirt, mailx, poppler, qemu, and spice-vdagent), Mageia (389-ds-base, aubio, cfitsio, libvncserver, nmap, and ntp), openSUSE (GraphicsMagick, ImageMagick, spice-gtk, and wireshark), Oracle (kubernetes), Slackware (patch), and SUSE (apache2 and openssl).

[$] Accelerating networking with AF_XDP

Monday 9th of April 2018 01:21:31 PM
The Linux network stack does not lack for features; it also performs well enough for most uses. At the highest network speeds, though, any overhead at all is too much; that has driven the most demanding users toward specialized, user-space networking implementations that can outperform the kernel for highly constrained tasks. The express data path (XDP) development effort is an attempt to win those users back, with some apparent success so far. With the posting of the AF_XDP patch set by Björn Töpel, another piece of the XDP puzzle is coming into focus.

A big pile of weekend stable kernel updates

Sunday 8th of April 2018 03:58:01 PM
The 4.16.1, 4.15.16, 4.14.33, 4.9.93, 4.4.127, and 3.18.103 stable kernels have all been released; each contains a fairly long list of important fixes.

[$] Kernel lockdown locked out — for now

Friday 6th of April 2018 04:40:43 PM
As the 4.17 merge window opened, it seemed possible that the kernel lockdown patch set could be merged at last. That was before the linux-kernel mailing list got its hands on the issue. What resulted was not one of the kernel community's finest moments. But it did result in a couple of evident conclusions: kernel lockdown will almost certainly not be merged for 4.17, but something that looks very much like it is highly likely to be accepted in a subsequent merge window.

Security updates for Friday

Friday 6th of April 2018 02:42:37 PM
Security updates have been issued by Debian (sharutils), Fedora (firefox, httpd, and mod_http2), openSUSE (docker-distribution, graphite2, libidn, and postgresql94), Oracle (libvorbis and thunderbird), Red Hat (libvorbis, python-paramiko, and thunderbird), Scientific Linux (libvorbis and thunderbird), SUSE (apache2), and Ubuntu (firefox, linux-lts-xenial, linux-aws, and ruby1.9.1, ruby2.0, ruby2.3).

[$] The first half of the 4.17 merge window

Thursday 5th of April 2018 04:21:37 PM
As of this writing, 5,392 non-merge changesets have been pulled into the mainline repository for the 4.17 release. The 4.17 merge window is thus off to a good start, but it is far from complete. The changes pulled thus far cover a wide part of the core kernel as well as the networking, driver, and filesystem subsystems.

Security updates for Thursday

Thursday 5th of April 2018 01:47:52 PM
Security updates have been issued by Arch Linux (drupal), Debian (openjdk-7), Fedora (exempi, gd, and tomcat), SUSE (python-paramiko), and Ubuntu (kernel, libvncserver, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-lts-trusty, and linux-raspi2).

[$] LWN.net Weekly Edition for April 5, 2018

Thursday 5th of April 2018 12:43:57 AM
The LWN.net Weekly Edition for April 5, 2018 is available.

[$] Fedora and Python 2

Wednesday 4th of April 2018 08:47:09 PM

It has been known for quite some time that Python 2 will reach its end of life in 2020—after being extended by five years from its original 2015 expiry. After that, there will be no support, bug fixes, or security patches for Python 2, at least from the Python Software Foundation and the core developers. Some distributions will need to continue to support the final Python 2 release, however, since their support windows extend past that date; the enterprise and long-term support distributions will likely be supporting it well into the 2020s and possibly beyond. But even shorter-support-cycle distributions need to consider their plan for a sweeping change of this sort—in less than two years.

Security updates for Wednesday

Wednesday 4th of April 2018 03:20:38 PM
Security updates have been issued by Debian (apache2, ldap-account-manager, and openjdk-7), Fedora (libuv and nodejs), Gentoo (glibc and libxslt), Mageia (acpica-tools, openssl, and php), SUSE (clamav, coreutils, and libvirt), and Ubuntu (kernel, libraw, linux-hwe, linux-gcp, linux-oem, and python-crypto).

Free Nitrokey cryptographic cards for kernel developers

Wednesday 4th of April 2018 02:20:50 PM
The Linux Foundation and Nitrokey have announced a program whereby anybody who appears in the kernel's MAINTAINERS file or who has a kernel.org email address can obtain a free Nitrokey Start crypto card. The intent, of course, is that kernel developers will use these devices to safeguard their GnuPG keys and, as a result, improve the security of the kernel development process as a whole. "A digital smartcard token like Nitrokey Start contains a cryptographic chip that is capable of storing private keys and performing crypto operations directly on the token itself. Because the key contents never leave the device, the operating system of the computer into which the token is plugged in is not able to retrieve the private keys themselves, therefore significantly limiting the ways in which the keys can be leaked or stolen."

See this LWN article for a look at crypto cards.

[$] wait_var_event()

Tuesday 3rd of April 2018 09:19:38 PM
One of the trickiest aspects to concurrency in the kernel is waiting for a specific event to take place. There is a wide variety of possible events, including a process exiting, the last reference to a data structure going away, a device completing an operation, or a timeout occurring. Waiting is surprisingly hard to get right — race conditions abound to trap the unwary — so the kernel has accumulated a large set of wait_event_*() macros to make the task easier. An attempt to add a new one, though, has led to the generalization of specific types of waits for 4.17.

[$] Making institutional free software successful

Tuesday 3rd of April 2018 03:08:20 PM

Many large institutions, especially government agencies, would like to distribute their software—including the software of the vendors with whom they contract—as free software. They have a variety of reasons, ranging from the hope that opening the code will boost its use, all the way to a mature understanding of the importance of community, transparency, and freedom. There are special steps institutions can take to help ensure success, some stemming from best practices performed by many free-software projects and others specific to large organizations. At the 2018 LibrePlanet conference, Cecilia Donnelly laid out nine principles for the successful creation and maintenance of a software project under these circumstances.

Security updates for Tuesday

Tuesday 3rd of April 2018 02:45:19 PM
Security updates have been issued by Debian (beep and jruby), Fedora (libvncserver), and Ubuntu (openjdk-7 and openjdk-8).

Git v2.17.0 released

Tuesday 3rd of April 2018 02:31:38 PM
Version 2.17.0 of the Git source-code management system is out. It includes a long list of relatively minor tweaks. "Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when the side branch being merged is a descendant of the current commit, create a merge commit instead of fast-forwarding) when merging a tag object. This was an appropriate default for integrators who pull signed tags from their downstream contributors, but caused unnecessary merges when used by downstream contributors who habitually 'catch up' their topic branches with tagged releases from the upstream. Update 'git merge' to default to --no-ff only when merging a tag object that does *not* sit at its usual place in refs/tags/ hierarchy, and allow fast-forwarding otherwise, to mitigate the problem."

GnuCash 3.0 released

Tuesday 3rd of April 2018 02:22:38 PM
The GnuCash 3.0 release is out. "The headline item for this release is that GnuCash now uses the Gtk+-3.0 Toolkit and the WebKit2Gtk API. This change was forced on us by some major Linux distributions dropping support for the WebKit1 API." This release also includes some new reports, a rewritten CSV importer, and more. LWN looked at GnuCash from a business-accounting point of view in August 2017.

OpenBSD 6.3 released

Monday 2nd of April 2018 08:11:43 PM
The OpenBSD 6.3 release is out. "The release was scheduled for April 15, but since all the components are ready ahead of schedule it is being released now." This release includes mitigation for the Meltdown vulnerability but not for Spectre on x86.

[$] Kernel lockdown in 4.17?

Monday 2nd of April 2018 07:23:09 PM
The UEFI secure boot mechanism is intended to protect the system against persistent malware threats — unpleasant bits of software attached to the operating system or bootloader that will survive a reboot. While Linux has supported secure boot for some time, proponents have long said that this support is incomplete in that it is still possible for the root user to corrupt the system in a number of ways. Patches that attempt to close this hole have been circulating for years, but they have been controversial at best. This story may finally come to a close, though, if Linus Torvalds accepts the "kernel lockdown" patch series during the 4.17 merge window.

Security updates for Monday

Monday 2nd of April 2018 03:25:15 PM
Security updates have been issued by Debian (dovecot, irssi, libevt, libvncserver, mercurial, mosquitto, openssl, python-django, remctl, rubygems, and zsh), Fedora (acpica-tools, dovecot, firefox, ImageMagick, mariadb, mosquitto, openssl, python-paramiko, rubygem-rmagick, and thunderbird), Mageia (flash-player-plugin and squirrelmail), Slackware (php), and Ubuntu (dovecot).

More in Tux Machines

5 top Blender video tutorials for beginners

Blender is a complex piece of software that is capable of producing extremely high-quality visuals for all manner of visual art purposes, from video games to product visualization. Of course, that power needs to be wielded by a controlled hand. Otherwise, you'll end up with a mush of digital geometry that makes no sense at all. These days, video tutorials are the educational tool of choice for most people. I'm going to give you five of the best free beginner video tutorials for Blender currently available. I recommend you watch all of them. They all cover a lot of the same information. However, every instructor has a different way of presenting. Stick with the one that clicks with you.

Cinnamon 3.8 Desktop Environment Released with Python 3 Support, Improvements

Scheduled to ship with the upcoming Linux Mint 19 "Tara" operating system series this summer, the Cinnamon 3.8 desktop environment is now available for download and it's a major release that brings numerous improvements, new features, and lots of Python 3 ports for a bunch of components. Among the components that got ported to Python 3 in the Cinnamon 3.8 release, we can mention cinnamon-settings, cinnamon-menu-editor, cinnamon-desktop-editor, cinnamon-settings-users, melange, background slideshow, the switch editor and screensaver lock dialogs, desktop file generation scripts, as well as all the utilities.

Canonical Releases Kernel Security Updates for Ubuntu 17.10 and Ubuntu 16.04 LTS

For Ubuntu 17.10 (Artful Aardvark) users, today's security update addresses a bug (CVE-2018-8043) in Linux kernel's Broadcom UniMAC MDIO bus controller driver, which improperly validated device resources, allowing a local attacker to crash the vulnerable system by causing a denial of service (DoS attack). For Ubuntu 16.04 LTS (Xenial Xerus) users, the security patch fixes a buffer overread vulnerability (CVE-2017-13305) in Linux kernel's keyring subsystem and an information disclosure vulnerability (CVE-2018-5750) in the SMBus driver for ACPI Embedded Controllers. Both issues could allow a local attacker to expose sensitive information.

Security: Updates, Reproducible Builds, Match.com and More

  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #156
  • A Match.com glitch reactivated a bunch of old profiles, raising concerns about user data

    A Match Group spokesperson confirmed that a “limited number” of old accounts had been accidentally reactivated recently and that any account affected received a password reset. Match.com’s current privacy statement, which was last updated in 2016, says that the company can “retain certain information associated with your account” even after you close it. But that Match Group spokesperson also told The Verge that the company plans to roll out a new privacy policy “in the next month or so,” in order to comply with the EU’s General Data Protection Regulation (GDPR); under the new policy, all those years-old accounts will be deleted. The Verge has requested clarification on which accounts will qualify for deletion, and what “deletion” will specifically entail, but has not received a response as of press time.

  • New hacks siphon private cryptocurrency keys from airgapped wallets

    Like most of the other attacks developed by Ben-Gurion University professor Mordechai Guri and his colleagues, the currency wallet exploits start with the already significant assumption that a device has already been thoroughly compromised by malware. Still, the research is significant because it shows that even when devices are airgapped—meaning they aren't connected to any other devices to prevent the leaking of highly sensitive data—attackers may still successfully exfiltrate the information. Past papers have defeated airgaps using a wide array of techniques, including electromagnetic emissions from USB devices, radio signals from a computer's video card, infrared capabilities in surveillance cameras, and sounds produced by hard drives.

  • New hacker group targets US health-care industry, researchers say

    The group, which Symantec has named “Orangeworm,” has been installing backdoors in large international corporations based in the U.S., Europe and Asia that operate in the health-care sector.

    Among its victims are health-care providers and pharmaceutical companies, as well as IT companies and equipment manufacturers that work for health organizations.