
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Announcing Flatpak

Tuesday 21st of June 2016 07:41:10 PM
Not to be left behind by a certain competing project, the developers of the Flatpak packaging system have put out a press release proclaiming its virtues. "The Linux desktop has long been held back by platform fragmentation. This has been a burden on developers, and creates a high barrier to entry for third party application developers. Flatpak aims to change all that. From the very start its primary goal has been to allow the same application to run across a myriad of Linux distributions and operating systems. In doing so, it greatly increases the number of users that application developers can easily reach."

Security updates for Tuesday

Tuesday 21st of June 2016 04:24:59 PM

Fedora has updated nfdump (F23; F22: multiple vulnerabilities) and webkitgtk4 (F22: two vulnerabilities).

openSUSE has updated ctdb (Leap42.1, 13.2: privilege escalation), libtorrent-rasterbar (Leap42.1, 13.2: denial of service), ntp (Leap42.1: multiple vulnerabilities), and kernel (Leap42.1: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Slackware has updated libarchive (multiple vulnerabilities) and pcre (denial of service).

SUSE has updated ctdb (SLE11-SP4: privilege escalation), libimobiledevice, usbmuxd (SLE12-SP1: sockets listening on INADDR_ANY), and php53 (SLES11-SP2: multiple vulnerabilities).

Ubuntu has updated dnsmasq (16.04, 15.10: denial of service), expat (two vulnerabilities), haproxy (16.04: denial of service), spice (16.04, 15.10, 14.04: two vulnerabilities), wget (code execution), and xmlrpc-c (12.04: multiple vulnerabilities).

Fedora 24 released

Tuesday 21st of June 2016 02:28:18 PM
After several schedule slips, the Fedora 24 release is available. "The Fedora Project has embarked on a great journey... redefining what an operating system should be for users and developers. Such innovation does not come overnight, and Fedora 24 is one big step on the road to the next generation of Linux distributions. But that does not mean that Fedora 24 is some 'interim' release; there are great new features for Fedora users to deploy in their production environments right now!" See the Fedora 24 approved features list for an idea of what's in this release.

Horn: Exploiting Recursion in the Linux Kernel

Tuesday 21st of June 2016 02:04:26 AM
On the Project Zero blog, Jann Horn describes a bug he found that lets user space overflow the kernel stack through the ecryptfs encrypted filesystem. The overflow can be turned into local privilege escalation on Ubuntu systems configured for encrypted home directories. "However, the reason why I wrote a full root exploit for this not exactly widely exploitable bug is that I wanted to demonstrate that Linux stack overflows can occur in very non-obvious ways, and even with the existing mitigations turned on, they're still exploitable. In my bug report, I asked the kernel security list to add guard pages to kernel stacks and remove the thread_info struct from the bottom of the stack to more reliably mitigate this bug class, similar to what other operating systems and grsecurity are already doing. Andy Lutomirski had actually already started working on this, and he has now published patches that add guard pages: https://lkml.org/lkml/2016/6/15/1064."
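Horn names two mitigations: a guard page below the kernel stack, and getting thread_info off the bottom of the stack. The C program below is an added example written for this page; it is not code from Horn's post, from the kernel, or from Lutomirski's patches. It models both mitigations in user space on Linux/glibc: a 16 KiB "kernel stack" allocated with mmap, a 256-byte sentinel standing in for thread_info, a neighbouring page standing in for whatever allocation happens to sit below the stack, and attacker-style recursion that burns about 1 KiB per frame and fills it with 'A'. The sizes, the names (overflow_demo, recurse, stop_below) and the choice to stop the unguarded run half-way into the neighbour page are the example's own assumptions. It runs three configurations: the pre-4.9 layout (no guard, thread_info at the stack bottom), a guard page with thread_info still in-band, and a guard page with thread_info moved out.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>

#define PAGE        4096
#define STACK_PAGES 4      /* 16 KiB, the size of a pre-4.9 x86-64 kernel stack */
#define INFO_SIZE   256    /* assumed size of the thread_info stand-in */
#define SENTINEL    0x5a   /* byte pattern that must survive if nothing overflowed */

struct result {
    int faulted;            /* SIGSEGV was raised during the recursion */
    int fault_in_guard;     /* ...and the faulting address lay in the guard page */
    int info_corrupted;     /* the thread_info stand-in lost sentinel bytes */
    int neighbor_corrupted; /* the page below the stack lost sentinel bytes */
};

static sigjmp_buf escape;
static volatile uintptr_t fault_addr;
static ucontext_t main_ctx, stack_ctx;
static uintptr_t stop_below;      /* recursion halts once a frame lies below this */
static unsigned char altstack[1 << 16];

static void on_segv(int sig, siginfo_t *si, void *uc)
{
    (void)sig; (void)uc;
    fault_addr = (uintptr_t)si->si_addr;
    siglongjmp(escape, 1);        /* back to the main stack; the overflowed one is dead */
}

/* Attacker-style recursion: each frame burns about 1 KiB and fills it with 'A',
 * so wherever frames land past the stack's bottom shows up as a byte pattern.
 * The volatile array and the write after the call stop the compiler from
 * turning this into a loop or a sibling call. */
__attribute__((noinline)) static void recurse(int depth)
{
    volatile char frame[1024];
    if ((uintptr_t)frame < stop_below)
        return;
    for (int i = (int)sizeof frame - 1; i >= 0; i--)
        frame[i] = 'A';
    recurse(depth + 1);
    frame[0] = 'B';
}

static void runner(void) { recurse(1); }

static int clean(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != SENTINEL) return 0;
    return 1;
}

/* Mapping layout: [neighbour page][guard page][STACK_PAGES of stack]. */
struct result overflow_demo(int guard_page, int info_on_stack)
{
    static unsigned char off_stack_info[INFO_SIZE];
    struct result r = {0};
    size_t total = (2 + STACK_PAGES) * PAGE;
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) { perror("mmap"); exit(1); }
    unsigned char *neighbor = base, *guard = base + PAGE, *stack_lo = base + 2 * PAGE;
    unsigned char *info = info_on_stack ? stack_lo : off_stack_info;

    memset(neighbor, SENTINEL, PAGE);
    memset(info, SENTINEL, INFO_SIZE);
    if (guard_page && mprotect(guard, PAGE, PROT_NONE) != 0) { perror("mprotect"); exit(1); }

    /* The handler needs its own stack: the one that faulted cannot be used. */
    stack_t ss = { .ss_sp = altstack, .ss_size = sizeof altstack, .ss_flags = 0 };
    sigaltstack(&ss, NULL);
    struct sigaction sa = { .sa_sigaction = on_segv, .sa_flags = SA_SIGINFO | SA_ONSTACK };
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);

    /* Without a guard the run has to end on its own: half-way into the
     * neighbour page is deep enough to prove the point and still mapped. */
    stop_below = (uintptr_t)neighbor + PAGE / 2;
    fault_addr = 0;
    if (sigsetjmp(escape, 1) == 0) {
        getcontext(&stack_ctx);
        stack_ctx.uc_stack.ss_sp = stack_lo;
        stack_ctx.uc_stack.ss_size = STACK_PAGES * PAGE;
        stack_ctx.uc_link = &main_ctx;
        makecontext(&stack_ctx, runner, 0);
        swapcontext(&main_ctx, &stack_ctx);   /* returns only if runner finishes */
    } else {
        r.faulted = 1;
        r.fault_in_guard = fault_addr >= (uintptr_t)guard &&
                           fault_addr < (uintptr_t)guard + PAGE;
    }
    r.info_corrupted = !clean(info, INFO_SIZE);
    r.neighbor_corrupted = !clean(neighbor + PAGE / 2, PAGE / 2);
    munmap(base, total);
    return r;
}

int main(void)
{
    struct { int guard, on_stack; const char *what; } cfg[] = {
        { 0, 1, "no guard, thread_info at stack bottom (pre-4.9 layout)" },
        { 1, 1, "guard page, thread_info still at stack bottom" },
        { 1, 0, "guard page, thread_info off the stack" },
    };
    for (size_t i = 0; i < 3; i++) {
        struct result r = overflow_demo(cfg[i].guard, cfg[i].on_stack);
        printf("%-55s fault=%d in_guard=%d info_hit=%d neighbour_hit=%d\n", cfg[i].what,
               r.faulted, r.fault_in_guard, r.info_corrupted, r.neighbor_corrupted);
    }
    return 0;
}
```

Build with `cc -O2 -o overflow_demo overflow_demo.c` on Linux. In the first configuration nothing faults: the frames walk straight over the thread_info stand-in and on into the neighbouring page, which is the silent corruption Horn's exploit relies on. With a guard page the overflow is caught as a SIGSEGV whose faulting address lies in the guard page; with thread_info also moved off the stack, nothing is corrupted at all. In the middle configuration the fault still fires, but whether the in-band sentinel is clobbered before it does depends on where the last frame happens to land, which is precisely why guard pages alone are not a complete fix for metadata stored at the bottom of the stack.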

[$] Transport-level protocols in user space

Monday 20th of June 2016 09:31:48 PM
The Linux networking developers have long held a strong opinion about user-space protocol implementations: they should be avoided in favor of making the in-kernel implementation better. So it might be surprising to see a veteran networking developer post a patch set aimed at making user-space implementations easier. A look at this patch and its motivations shines an interesting light on changes that are taking place in the networking world.

Security advisories for Monday

Monday 20th of June 2016 04:40:07 PM

Arch Linux has updated flashplugin (multiple vulnerabilities), glibc (denial of service), lib32-flashplugin (multiple vulnerabilities), lib32-glibc (denial of service), and wget (code execution).

Debian has updated libxslt (three vulnerabilities).

Debian-LTS has updated firefox-esr (multiple vulnerabilities) and horizon (cross-site scripting).

Fedora has updated expat (F23: multiple vulnerabilities), GraphicsMagick (F23; F22: multiple vulnerabilities), iperf3 (F23; F22: denial of service), sudo (F22: information leak), and wget (F22: code execution).

Gentoo has updated dhcpcd (denial of service), ffmpeg (multiple vulnerabilities), flash-player (multiple vulnerabilities), and php (multiple vulnerabilities).

openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities), flash-player (13.2; 13.1: multiple vulnerabilities), and poppler (Leap42.1: code execution).

Scientific Linux has updated ImageMagick (SL6,7: multiple vulnerabilities).

Kernel prepatch 4.7-rc4

Monday 20th of June 2016 04:14:04 PM

The 4.7-rc4 prepatch is now available for testing. Linus Torvalds said that it is "pretty small" with "nothing particularly worrisome". The development cycle proceeds apace with the usual sorts of changes: "The statistics look very normal: about two thirds drivers, with the rest being half architecture updates and half "misc" (small filesystem updates, some documentation, and a smattering of patches elsewhere)."

Klumpp: A few words about the future of the Limba project

Saturday 18th of June 2016 12:40:26 AM

Those concerned about the proliferation of application-packaging formats will soon have one fewer to worry about. At his blog, Matthias Klumpp announces that he intends to scale back his work on Limba, the cross-distribution application-packaging format he has developed as an extension of the ideas in the earlier Listaller. The decision comes on the heels of discussions with Flatpak developer Alexander Larsson, since the two projects overlap in many respects: "Alex and I had very productive discussions, and except for the modularity issue, we were pretty much on the same page in every other aspect regarding the sandboxing and app-distribution matters."

Given that he has several other active projects in development, Klumpp has decided to throttle back on Limba, although he will continue to hack on it "as a research project" and sees several opportunities where it might still fit into vendor-independent software distribution down the road. "This is good news for all the people out there using the Tanglu Linux distribution, AppStream-metadata-consuming services, PackageKit on Debian, etc. – those will receive more attention," Klumpp concludes.

Friday's security updates

Saturday 18th of June 2016 12:14:01 AM

CentOS has updated firefox (C6; C5; C7: multiple vulnerabilities) and imagemagick (C6; C7: multiple vulnerabilities).

Debian has updated drupal7 (privilege escalation).

Debian-LTS has updated imagemagick (buffer overflow) and kernel (multiple vulnerabilities).

Gentoo has updated nginx (multiple vulnerabilities) and spice (multiple vulnerabilities).

Mageia has updated expat (M5: multiple vulnerabilities), flash-player-plugin (M5: multiple vulnerabilities), and virtualbox (M5: unspecified vulnerability).

openSUSE has updated wireshark (13.2, Leap 42.1: multiple vulnerabilities).

Oracle has updated ImageMagick (O7; O6: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL 5,6: multiple vulnerabilities) and imagemagick (RHEL 6,7: multiple vulnerabilities).

Scientific Linux has updated firefox (SL 5,6,7: multiple vulnerabilities), kernel (SL6: multiple vulnerabilities), ntp (SL 6,7: multiple vulnerabilities), spice-server (SL6: multiple vulnerabilities), squid (SL6: multiple vulnerabilities), and squid34 (SL6: multiple vulnerabilities).

SUSE has updated ImageMagick (SLE11: command execution), libxml2 (SLE11: multiple vulnerabilities), and ntp (SLE11: multiple vulnerabilities).

The Children's Illustrated Guide to Kubernetes

Friday 17th of June 2016 11:33:53 PM
For those who are wondering what Kubernetes is all about, Matt Butcher has posted an illustrated guide for children. "Phippy loved life aboard Captain Kube's ship and she enjoyed the company of her new friends (every replicated pod of Goldie was equally delightful). But as she thought back to her days on the scary hosted provider, she began to wonder if perhaps she could also have a little privacy. 'It sounds like what you need,' said Captain Kube, 'is a namespace.'"

The Qt Company Releases Qt 5.7

Thursday 16th of June 2016 05:11:41 PM
Qt 5.7 has been released, with a new Qt 3D module and other improvements. "The future of user interfaces is moving towards heavier integration of 3D graphics. 3D integration of Qt has always been possible with direct OpenGL programming but with Qt 5.7 and the new Qt 3D module it is now easy to create 3D UIs and interact with 3D objects using high-level Qt C++ and QML APIs. Visualizing a 3D model with Qt 3D is now a matter of minutes instead of hours or days of OpenGL programming. In addition to just 3D rendering, Qt 3D is a fully extensible 3D framework for near-realtime simulations e.g. physics engine, artificial intelligence, collision detection. Qt 3D has been developed together with KDAB, a Qt Service Partner and the biggest external contributor to Qt. For more information about KDAB, please visit www.kdab.com."

Thursday's security updates

Thursday 16th of June 2016 03:22:20 PM

openSUSE has updated libxml2 (Leap42.1; 13.2: multiple vulnerabilities).

SUSE has updated kernel (SLE12: privilege escalation).

[$] LWN.net Weekly Edition for June 16, 2016

Thursday 16th of June 2016 12:15:21 AM
The LWN.net Weekly Edition for June 16, 2016 is available.

Keen: The case against upstream packaging

Wednesday 15th of June 2016 08:27:31 PM
Arch maintainer Kyle Keen speaks out against direct delivery of software by upstream projects. "Maintainers' greatest power is the ability to outright say 'This is not good enough for our users' and consequently punish an ISV by either patching out the offensive part or in extreme cases removing the software from the repositories. ISVs know this and so don't act out. After 20 years of enforced good behavior this has led to the idea of ISVs as 'the benevolent upstream developer.' This is why Linux doesn't have spyware, doesn't come with browser toolbars, doesn't bundle limited trials, doesn't nag you to purchase and doesn't pummel you with advertising."

Security advisories for Wednesday

Wednesday 15th of June 2016 03:47:28 PM

Debian has updated libav (code execution) and php5 (multiple vulnerabilities).

openSUSE has updated clamav-database (Leap42.1: database refresh), monit (Leap42.1: disable SSLv3), and ntp (13.2: multiple vulnerabilities).

SUSE has updated ntp (SLE11-SP4: multiple vulnerabilities) and php53 (SOSC5, SMP2.1, SM2.1, SLE11-SP4: multiple vulnerabilities).

[$] Kernel building with GCC plugins

Tuesday 14th of June 2016 09:44:30 PM
It has long been understood that static-analysis tools can be useful in finding (and defending against) bugs and security problems in code. One of the best places to implement such tools is in the compiler itself, since much of the work required to analyze a program is already done in the compilation process. Despite the fact that GCC has had the ability to support security-oriented plugins for some years, the mainline kernel has never adopted any such plugins. That situation looks likely to change with the 4.8 kernel release, though.

Ubuntu’s snap apps are coming to distros everywhere (Ars Technica)

Tuesday 14th of June 2016 06:56:56 PM
Ars Technica reports that Ubuntu's snapd tool has been ported to other Linux distributions. "To install snap packages on non-Ubuntu distributions, Linux desktop and server users will have to first install the newly cross-platform snapd. This daemon verifies the integrity of snap packages, confines them into their own restricted space, and acts as a launcher. Instructions for creating snaps and installing snapd on a variety of distributions are available at this website. Snapd itself is installed as traditional packages on these other operating systems. That means there's a snapd RPM package for Fedora, for example. It's the same snapd code for every Linux distribution, just packaged differently, and applications packaged as snaps should work on any Linux distro running snapd without needing to be re-packaged." Snapd is available for Arch, Debian, and Fedora. It's also being tested by CentOS, Elementary, Gentoo, Mint, openSUSE, OpenWrt and RHEL.

Security updates for Tuesday

Tuesday 14th of June 2016 03:48:01 PM

Debian has updated icedove (code execution).

Debian-LTS has updated libav (code execution).

openSUSE has updated libtasn1 (13.2: two denial of service vulnerabilities) and nodejs (Leap42.1, 13.2: multiple vulnerabilities).

Oracle has updated kernel 4.1.12 (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), and kernel 2.6.39 (OL6; OL5: privilege escalation).

Red Hat has updated kernel (RHEL6.5: two remote denial of service vulnerabilities).

SUSE has updated ImageMagick (SLE12-SP1: command execution) and ntp (SLE12-SP1; SLE12: multiple vulnerabilities).

Git v2.9.0 released

Tuesday 14th of June 2016 01:03:34 PM
Version 2.9.0 of the Git source-code management system is out. There are various improvements and small changes that maintainers of scripts using Git will want to look at, but no major changes.

Lortie: Gtk 4.0 is not Gtk 4

Monday 13th of June 2016 11:11:00 PM
Allison Lortie writes about a new proposed GTK release scheme that may take some getting used to. "Meanwhile, Gtk 4.0 will not be the final stable API of what we would call 'Gtk 4'. Each 6 months, the new release (Gtk 4.2, Gtk 4.4, Gtk 4.6) will break API and ABI vs. the release that came before it. These incompatible minor versions will not be fully parallel installable; they will use the same pkg-config name and the same header file directory. We will, of course, bump the soname with each new incompatible release — you will be able to run Gtk 4.0 apps alongside Gtk 4.2 and 4.4 apps, but you won’t be able to build them on the same system. This policy fits the model of how most distributions think about libraries and their 'development packages'." Only the last release in each major number series (expected every two years) would have a stable API. Read the whole thing to fully understand what is being proposed.

More in Tux Machines

Canonical Releases Snapcraft 2.12 Snaps Creator with New Parts Ecosystem, More

Today, June 29, 2016, Canonical has had the great pleasure of announcing the release of the highly anticipated Snapcraft 2.12 Snappy creator tool for the Ubuntu Linux operating system.

AMDGPU-PRO Driver 16.30 Officially Released with Support for Ubuntu 16.04 LTS

Today, June 29, 2016, AMD released the final version of the AMDGPU-Pro 16.30 graphics driver for GNU/Linux operating systems, bringing support for new technologies like the Vulkan API.

Peppermint 7 Released

Peppermint 7 launched a few days ago. Peppermint is a lightweight Ubuntu-based Linux distribution with an emphasis on speed and simplicity. Although the name is similar to Linux Mint, the projects aren't directly related. Peppermint originally was envisioned as a "spicier" alternative to Mint—whatever that means! Many distros come with a wide assortment of feature-rich applications, and that's great for power users who need those apps. But older machines can struggle to cope with those demanding distros. Peppermint solves the problem by offering a carefully curated suite of web apps that perform tasks traditionally handled by native apps. It's an approach that will be familiar to any Chromebook users reading this article.