LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

kdenlive 16.08.0 released

Friday 19th of August 2016 05:56:16 PM
The kdenlive video editor project has announced the 16.08.0 release. "Kdenlive 16.08.0 marks a milestone in the project’s history bringing it a step closer to becoming a full-fledged professional tool." Highlights include three-point editing, pre-rendering of timeline effects, Krita image support, and more.

Friday's security updates

Friday 19th of August 2016 03:16:14 PM

CentOS has updated python (C7; C6: multiple vulnerabilities).

Fedora has updated ca-certificates (F24: update to CA certificates) and spice (F23: multiple vulnerabilities).

Oracle has updated kernel (O7: TCP injection) and python (O7; O6: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7; RHEL6: TCP injection), kernel-rt (RHEL7: TCP injection), python (RHEL 6,7: multiple vulnerabilities), python27-python (RHSC: multiple vulnerabilities), python33-python (RHSC: multiple vulnerabilities), realtime-kernel (RHEM2.5: TCP injection), rh-mariadb101-mariadb (RHSC: multiple vulnerabilities), rh-python34-python (RHSC: multiple vulnerabilities), and rh-python35-python (RHSC: multiple vulnerabilities).

SUSE has updated the Linux Kernel (SLE12: multiple vulnerabilities) and xen (SLE11: multiple vulnerabilities).

Ubuntu has updated gnupg (12.04, 14.04, 16.04: flawed random-number generation), libgcrypt11, libgcrypt20 (12.04, 14.04, 16.06: flawed random-number generation), and postgresql-9.1, postgresql-9.3, postgresql-9.5 (12.04, 14.04, 16.04: multiple vulnerabilities).

Microsoft announces PowerShell for Linux and Open Source

Thursday 18th of August 2016 10:35:42 PM
Microsoft has announced the release of its PowerShell automation and scripting platform under the MIT license, complete with a GitHub repository. "Last year we started down this path by contributing to a number of open source projects (e.g. OpenSSH) and open sourcing a number of our own components including DSC resources. We learned that working closely with the community, in the code and with our backlog and issues list, allowed us to prioritize and drive the development much more responsively. We’ve always worked with the community but shifting to a fine-grain, tight, feedback loop with the code, energized the team and allowed us to focus on the things that had the most impact for our customers and partners. Now we are going big by making PowerShell itself an open source project and making it available on Mac OS X, Ubuntu, CentOS/RedHat and others in the future."

Xenomai project mourns Gilles Chanteperdrix

Thursday 18th of August 2016 07:47:46 PM
The Xenomai project is mourning Gilles Chanteperdrix, a longtime maintainer of the realtime framework, who recently passed away. In the announcement, Philippe Gerum writes: "Gilles will forever be remembered as a true-hearted man, a brilliant mind always scratching beneath the surface, looking for elegance in the driest topics, never jaded from such accomplishment. According to Paul Valéry, “death is a trick played by the inconceivable on the conceivable”. Gilles’s absence is inconceivable to me, I can only assume that for once, he just got rest from tirelessly helping all of us."

Security against Election Hacking (Freedom to Tinker)

Thursday 18th of August 2016 07:01:08 PM
Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed.

With optical-scan voting, the voter fills in the bubbles next to the names of her selected candidates on a paper ballot; then she feeds the op-scan ballot into the optical-scan computer. The computer counts the vote, and the paper ballot is kept in a sealed ballot box. The computer could be hacked, in which case (when the polls close) the voting-machine lies about how many votes were cast for each candidate. But we can recount the physical pieces of paper marked by the voter’s own hands; that recount doesn’t rely on any computer. Instead of doing a full recount of every precinct in the state, we can spot-check just a few ballot boxes to make sure they 100% agree with the op-scan computers’ totals.

Problem: What if it’s not an optical-scan computer, what if it’s a paperless touchscreen (“DRE”, Direct-Recording Electronic) voting computer? Then whatever numbers the voting computer says, at the close of the polls, are completely under the control of the computer program in there. If the computer is hacked, then the hacker gets to decide what numbers are reported. There are no paper ballots to audit or recount. All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem.

Thursday's security advisories

Thursday 18th of August 2016 03:39:58 PM

Arch Linux has updated chromium (multiple vulnerabilities) and linux-zen (connection hijacking).

Debian has updated gnupg (flawed random number generation) and libgcrypt20 (flawed random number generation).

Debian-LTS has updated libupnp (arbitrary file overwrite).

Fedora has updated bind (F23: denial of service), fontconfig (F23: privilege escalation), and python3 (F23: proxy injection).

SUSE has updated xen (SLE12: multiple vulnerabilities, one from 2014) and yast2-ntp-client (SLE10: multiple vulnerabilities, most from 2015).

Ubuntu has updated fontconfig (16.04, 14.04, 12.04: privilege escalation).

[$] LWN.net Weekly Edition for August 18, 2016

Thursday 18th of August 2016 12:16:34 AM
The LWN.net Weekly Edition for August 18, 2016 is available.

[$] Bus1: a new Linux interprocess communication proposal

Wednesday 17th of August 2016 07:44:33 PM
Anyone who has been paying attention to Linux kernel development in recent years would be aware that IPC — interprocess communication — is not a solved problem. There are certainly many partial solutions, from pipes and signals, through sockets and shared memory, to more special-purpose solutions like Cross Memory Attach and Android's binder. But it seems there are still some use cases that aren't fully addressed by current solutions, leading to new solutions being occasionally proposed to try to meet those needs. The latest proposal is called "bus1".

Security updates for Wednesday

Wednesday 17th of August 2016 04:02:33 PM

Fedora has updated curl (F23: three vulnerabilities), drupal7-theme-zen (F24; F23: cross-site scripting), mingw-libarchive (F24: code execution), mingw-xz (F24: code execution), pulp (F24: two vulnerabilities), pulp-docker (F24: two vulnerabilities), pulp-ostree (F24: two vulnerabilities), pulp-puppet (F24: two vulnerabilities), pulp-python (F24: two vulnerabilities), and pulp-rpm (F24: two vulnerabilities).

Red Hat has updated kernel (RHEL6.2: privilege escalation).

Scientific Linux has updated mariadb (SL7: multiple unspecified vulnerabilities), php (SL7: proxy injection), and qemu-kvm (SL7: two vulnerabilities).

SUSE has updated squid3 (SLE11-SP4: multiple vulnerabilities).

Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities).

Stable kernel updates

Tuesday 16th of August 2016 09:28:00 PM
Stable kernels 4.7.1, 4.6.7, 4.4.18, and 3.14.76 have been released. All contain important fixes. This is the last 4.6.y kernel; users should upgrade to 4.7.1 now.

Go 1.7 released

Tuesday 16th of August 2016 05:36:55 PM
Version 1.7 of the Go language has been released. "There is one tiny language change in this release. The section on terminating statements clarifies that to determine whether a statement list ends in a terminating statement, the 'final non-empty statement' is considered the end, matching the existing behavior of the gc and gccgo compiler toolchains." On the other hand, there appear to be significant optimization improvements; see the release notes for details.

Security advisories for Tuesday

Tuesday 16th of August 2016 03:52:04 PM

Debian-LTS has updated extplorer (archive traversal).

Fedora has updated jasper (F24: multiple vulnerabilities) and kernel (F24; F23: denial of service).

openSUSE has updated harfbuzz (Leap42.1, 13.2: multiple vulnerabilities) and squid (Leap42.1: multiple vulnerabilities).

Oracle has updated kernel 4.1.12 (OL7; OL6: information disclosure) and kernel 3.8.13 (OL7; OL6: information disclosure).

SUSE has updated php5 (SLE11-SP2: multiple vulnerabilities).

Ubuntu has updated openssh (two vulnerabilities).

Google is developing an OS called “Fuchsia,” runs on All the Things (Android Police)

Monday 15th of August 2016 07:22:28 PM
Android Police takes a look at a new OS from Google. "Enter “Fuchsia.” Google’s own description for it on the project’s GitHub page is simply, “Pink + Purple == Fuchsia (a new Operating System)”. Not very revealing, is it? When you begin to dig deeper into Fuchsia’s documentation, everything starts to make a little more sense. First, there’s the Magenta kernel based on the ‘LittleKernel’ project. Just like with Linux and Android, the Magenta kernel powers the larger Fuchsia operating system. Magenta is being designed as a competitor to commercial embedded OSes, such as FreeRTOS or ThreadX." Fuchsia also uses the Flutter user interface, the Dart programming language, and Escher, "a renderer that supports light diffusion, soft shadows, and other visual effects, with OpenGL or Vulkan under the hood".

Monday's security advisories

Monday 15th of August 2016 04:16:24 PM

Arch Linux has updated kernel (information disclosure), linux-grsec (information disclosure), and postgresql (two vulnerabilities).

Debian has updated wireshark (multiple vulnerabilities).

Debian-LTS has updated openssh (denial of service) and wireshark (multiple vulnerabilities).

Fedora has updated chromium (F24: multiple vulnerabilities) and drupal7-entity_translation (F24; F23: cross-site scripting).

openSUSE has updated GraphicsMagick (Leap42.1: multiple vulnerabilities), ImageMagick (13.2: three vulnerabilities), and php5 (13.2: multiple vulnerabilities).

Scientific Linux has updated php (SL6: proxy injection).

SUSE has updated firefox, nspr, nss (SLE11-SP2: multiple vulnerabilities) and kernel (SLE11-SP2: multiple vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (regression in previous update).

Kernel prepatch 4.8-rc2

Monday 15th of August 2016 12:46:20 PM
The second 4.8 prepatch has been released. Linus says: "Nothing really strange seems to be going on, so please just go out and test it and report any problems you encounter. It's obviously fairly early in the rc series, but I don't think there was anything particularly worrisome this merge window, so don't be shy."

OpenMandriva Lx 3.0 released

Saturday 13th of August 2016 07:49:57 PM
The OpenMandriva Lx 3.0 release is available. "OpenMandriva Lx is a cutting edge distribution compiled with LLVM/clang. Combined with the high level of optimisation used for both code and linking (by enabling LTO) used in its building, this gives the OpenMandriva desktop an unbelievably crisp response to operations on the KDE Plasma 5 desktop which makes it a pleasure to use."

Ardour 5.0 released

Friday 12th of August 2016 11:40:13 PM
The Ardour audio workstation has released its 5.0 version. There are many new features in the release, including a tabbed user interface, Lua scripting, built-in plugins, and new themes. "Ardour 5.0 is now available for Linux, OS X and Windows. This is a major release focused on substantial changes to the GUI and major new features related to mixing, plugin use, tempo maps, scripting and more. As usual, there are also hundreds of bug fixes. Ardour 5.0 can be parallel-installed with older versions of the program, and does not use the same preference files. It will load sessions from Ardour 2, 3 and 4, though with some potential minor changes."

Lefkowitz: The One Python Library Everyone Needs

Friday 12th of August 2016 09:14:40 PM
Twisted developer Glyph Lefkowitz writes about the attrs library for Python, which he calls "my favorite mandatory Python library". Instead of a lot of boilerplate to handle attributes in classes, attrs makes it far easier. "It lets you say what you mean directly with a declaration rather than expressing it in a roundabout imperative recipe. Instead of “I have a type, it’s called MyType, it has a constructor, in the constructor I assign the property ‘A’ to the parameter ‘A’ (and so on)”, you say “I have a type, it’s called MyType, it has an attribute called a”, and behavior is derived from that fact, rather than having to later guess about the fact by reverse engineering it from behavior (for example, running dir on an instance, or looking at self.__class__.__dict__)."

Security updates for Friday

Friday 12th of August 2016 05:07:32 PM

CentOS has updated mariadb (C7: multiple unspecified vulnerabilities), php (C7; C6: proxy injection), and qemu-kvm (C7: two vulnerabilities).

Debian has updated icedove (multiple vulnerabilities) and postgresql-9.4 (two vulnerabilities).

Debian-LTS has updated nettle (?:).

Fedora has updated perl-DBD-MySQL (F23: code execution from 2015), python (F24: proxy injection), and python3 (F24: proxy injection).

openSUSE has updated go (42.1, 13.2; SPH: denial of service), hawk2 (42.1: clickjacking prevention), java-1_7_0-openjdk (42.1; 13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1: multiple vulnerabilities), libarchive (42.1: multiple vulnerabilities, many from 2015), OpenJDK7 (13.1: multiple vulnerabilities), pcre2 (42.1: code execution), sqlite3 (42.1: information leak), and wget (13.2: code execution).

Oracle has updated mariadb (OL7: multiple unspecified vulnerabilities), php (OL7; OL6: proxy injection), and qemu-kvm (OL7: two vulnerabilities).

Red Hat has updated mariadb (RHEL7: multiple unspecified vulnerabilities), mariadb55-mariadb (RHSC: multiple unspecified vulnerabilities), php (RHEL7; RHEL6: proxy injection), php54-php (RHSC: proxy injection), php55-php (RHSC: proxy injection), qemu-kvm (RHEL7: two vulnerabilities), Red Hat OpenShift Enterprise (two vulnerabilities), rh-mariadb100-mariadb (RHSC: multiple unspecified vulnerabilities), rh-mysql56-mysql (RHSC: multiple unspecified vulnerabilities), and rh-php56-php (RHSC: proxy injection).

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open (Ars Technica)

Thursday 11th of August 2016 10:04:21 PM
Ars Technica is reporting on a mistake by Microsoft that resulted in providing a "golden key" to circumvent Secure Boot. The "key" is not really a key at all, but a debugging tool that was inadvertently left in some versions of Windows devices; it was found by two security researchers, and the details were released on a "rather funky website" (viewing the source of that page is a good way to avoid the visual and audio funkiness). "The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled. And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse." As the researchers note, this is a perfect example of why backdoors (legally mandated or not) in cryptographic systems are a bad idea.

Update: For some more detail, see Matthew Garrett's blog post.
