LWN is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Updated: 5 hours 47 min ago

[$] Weekly Edition for November 19, 2015

Thursday 19th of November 2015 02:13:23 AM
The Weekly Edition for November 19, 2015 is available.

Hiring Open Source Maintainers is Key to Stable Software Supply Chain

Thursday 19th of November 2015 12:36:55 AM
Brian Warner talks about why Samsung has an open-source group in this article. "If you want the full economic and technical benefit of consuming open source, you hire people who are already influential in the projects that matter to you. You then ask them to continue doing exactly what they do: write great code, manage great releases, and contribute to the overall stability of the project. This is the single best way to ensure stability and predictability in your software supply chain."

Security advisories for Wednesday

Wednesday 18th of November 2015 05:17:23 PM

Arch Linux has updated jenkins (multiple vulnerabilities).

Debian-LTS has updated libpng (multiple vulnerabilities) and openafs (multiple vulnerabilities).

Fedora has updated cyrus-imapd (F22: information disclosure) and pdns (F22: denial of service).

openSUSE has updated dracut (13.2: unspecified vulnerability) and putty (Leap42.1, 13.2, 13.1: memory corruption).

Red Hat has updated nss, nss-util, nspr (RHEL6.2, 6.4, 6.5, 6.6: code execution).

Ubuntu has updated lxcfs (15.10, 15.04: privilege escalation).

Microsoft's Visual Studio Code open-sourced

Wednesday 18th of November 2015 04:05:05 PM
Microsoft has announced that its Visual Studio Code tool is now available under the MIT license. "Code combines the streamlined UI of a modern editor with rich code assistance and navigation, and an integrated debugging experience – without the need for a full IDE." The code for Code can be found in its GitHub repository.

[$] Supporting secure DNS in glibc

Wednesday 18th of November 2015 03:55:52 PM
One of the many weak links in Internet security is the domain name system (DNS); it is subject to attacks that, among other things, can mislead applications regarding the IP address of a system they wish to connect to. That, in turn, can cause connections to go to the wrong place, facilitating man-in-the-middle attacks and more. The DNSSEC protocol extensions are meant to address this threat by setting up a cryptographically secure chain of trust for DNS information. When DNSSEC is set up properly, applications should be able to trust the results of domain lookups. As the discussion over an attempt to better integrate DNSSEC into the GNU C Library shows, though, ensuring that DNS lookups are safe is still not a straightforward problem.

Red Hat delivers Software Collections 2.1

Tuesday 17th of November 2015 05:26:29 PM
Red Hat has announced the availability of Red Hat Software Collections 2.1. Red Hat Developer Toolset 4 was also released. "Applications built with Red Hat Software Collections can be deployed into production with greater confidence, as most software collections and components are supported for three years. In addition to Red Hat Enterprise Linux 6 and 7, applications built with Red Hat Software Collections can also be deployed to Red Hat Enterprise Linux Atomic Host and OpenShift, Red Hat’s Platform-as-a-Service (PaaS) offering, giving more choice and flexibility for application portfolios."

Security advisories for Tuesday

Tuesday 17th of November 2015 05:19:06 PM

Arch Linux has updated lib32-libpng (two vulnerabilities) and libpng (two vulnerabilities).

CentOS has updated xen (C5: code execution).

Fedora has updated cyrus-imapd (F23: information disclosure), pdns (F23: denial of service), python-pygments (F23: shell execution), and webkitgtk4 (F23: two vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities).

Mageia has updated chromium-browser-stable (information leak), iceape (multiple vulnerabilities), krb5 (code execution), and mariadb (multiple vulnerabilities).

openSUSE has updated xen (13.2: multiple vulnerabilities).

Oracle has updated xen (OL5: code execution).

Red Hat has updated xen (RHEL5: code execution).

Scientific Linux has updated xen (SL5: code execution).

SUSE has updated krb5 (SLEDebuginfo11SP3: denial of service).

Ubuntu has updated libxml2 (multiple vulnerabilities) and strongswan (15.10, 15.04, 14.04: authentication bypass).

Security advisories for Monday

Monday 16th of November 2015 06:18:29 PM

Debian has updated freexl (regression in previous update) and strongswan (authentication bypass).

Fedora has updated dovecot (F23; F22; F21: buffer overflow), drupal7-jquery_update (F23; F22; F21: open redirect attack), libsedml (F23; F22: hardened builds), libsndfile (F23: buffer overflow), MUMPS (F23; F22; F21: hardened builds), openms (F23; F22: hardened builds), owncloud (F23; F22; F21: unspecified vulnerabilities), snappy-player (F23; F22; F21: denial of service), telegram-cli (F23; F22: hardened builds), tubo (F23; F22; F21: hardened builds), and wildmagic5 (F23; F22; F21: hardened builds).

openSUSE has updated krb5 (Leap42.1: multiple vulnerabilities), libsndfile (13.2, 13.1: multiple vulnerabilities), and python-tornado (13.1: side-channel attack).

Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities).

Slackware has updated seamonkey (multiple vulnerabilities).

Kernel prepatch 4.4-rc1

Monday 16th of November 2015 01:28:54 AM
Linus has released the 4.4-rc1 prepatch and closed the merge window for this cycle. "Just looking at the patch itself, things look fairly normal at a high level, possibly a bit more driver-heavy than usual with about 75% of the patch being drivers, and 10% being architecture updates. The remaining 15% is documentation, filesystem, core networking (as opposed to network drivers), tooling and some core infrastructure."

A change of look

Sunday 15th of November 2015 04:52:25 PM
The basic form of the LWN site was first laid out in early 1998, with some tweaks when the site code was replaced in 2002; since then, it has been mostly static. Meanwhile, the web has moved on, leaving LWN looking increasingly dated, especially on small-screen devices. We have been working (sporadically) on a new layout for the last year and some, and many readers have helped us out by testing it. Now the time has come to switch to the new mode by default.

Hopefully, the result is a cleaner screen and much better usability on mobile devices.

The "Clair" security scanner

Friday 13th of November 2015 09:11:31 PM
CoreOS has announced the release of a container-security tool called Clair. "Clair scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the Common Vulnerabilities and Exposures database (CVE) and similar databases from Red Hat, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs."

Friday's security updates

Friday 13th of November 2015 03:07:00 PM

Arch Linux has updated chromium (information leak) and putty (code execution).

Debian has updated krb5 (denial of service).

Fedora has updated kernel (F21: privilege escalation), openstack-ironic-discoverd (F23; F22: remote code execution), python-cryptography (F23: denial of service), python-cryptography-vectors (F23: denial of service), sddm (F22: denial of service), and wpa_supplicant (F23: denial of service).

openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities).

SUSE has updated MozillaFirefox, mozilla-nspr, mozilla-nss (SLE11 SP2; SLE11 SP3, SP4: multiple vulnerabilities).

Ubuntu has updated krb5 (multiple vulnerabilities) and lxd (15.10: privilege escalation).

Did the FBI Pay a University to Attack Tor Users? (Tor blog)

Thursday 12th of November 2015 10:38:59 PM
The Tor blog is carrying a post from interim executive director Roger Dingledine that accuses Carnegie Mellon University (CMU) of accepting $1 million from the FBI to de-anonymize Tor users. "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once. Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users." Cryptographer Matthew Green has also weighed in (among others, including Forbes and Ars Technica): "If CMU really did conduct Tor de-anonymization research for the benefit of the FBI, the people they identified were allegedly not doing the nicest things. It's hard to feel particularly sympathetic. Except for one small detail: there's no reason to believe that the defendants were the only people affected."

Thursday's security advisories

Thursday 12th of November 2015 02:43:50 PM

Arch Linux has updated flashplugin (multiple vulnerabilities) and powerdns (denial of service).

Fedora has updated lxc (F22; F21: directory traversal).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

openSUSE has updated git (13.2, 13.1: code execution), java-1_7_0-openjdk (42.1: multiple vulnerabilities), and xen (13.1; 42.1: multiple vulnerabilities, one from 2014).

Firefox OS 2.5 developer preview

Thursday 12th of November 2015 01:06:26 PM
Mozilla has announced the availability of a developer preview for version 2.5 of Firefox OS. New features include an add-on mechanism, tracking protection, and more. There is also a version of the system packaged as an Android app, allowing it to be tried on an Android device without wiping Android itself. "If you’re curious to see what Firefox OS is all about, or just interested in testing out new features, the Firefox OS 2.5 Developer Preview app makes it very simple to get started with very little risk involved. By downloading the app, you can experience Firefox OS and explore many of its capabilities, without flashing hardware. If you decide you’re done trying it out, the app can be removed as simply as any other app."

Weekly Edition for November 12, 2015

Thursday 12th of November 2015 01:09:48 AM
The Weekly Edition for November 12, 2015 is available.

[$] A look at darktable 2.0

Wednesday 11th of November 2015 10:50:42 PM
The darktable project has unveiled the first release-candidate (RC) packages for its upcoming version 2.0 milestone. Darktable retains its focus as a high-end photo editor in the forthcoming release, with new features that target professional workflows and experienced users. But there are also improvements that will be appreciated by casual shutterbugs.

Security advisories for Wednesday

Wednesday 11th of November 2015 05:19:11 PM

CentOS has updated sssd (C6: memory leak).

Debian has updated wpa (multiple vulnerabilities).

Fedora has updated php-udan11-sql-parser (F23; F21: content spoofing) and phpMyAdmin (F23; F21: content spoofing).

Mageia has updated kernel-linus (denial of service), libreoffice (multiple vulnerabilities), putty (memory corruption), python-curl (use-after-free), and sudo (privilege escalation).

Oracle has updated sssd (OL6: memory leak).

Red Hat has updated flash-plugin (RHEL6; RHEL5: multiple vulnerabilities).

SUSE has updated xen (SLE11SP2: multiple vulnerabilities).

Ubuntu has updated linux-lts-wily (14.04: denial of service) and wpa (15.10, 15.04, 14.04: multiple vulnerabilities).

Linux Ransomware Debut Fails on Predictable Encryption Key (Bitdefender Labs)

Tuesday 10th of November 2015 11:45:01 PM
Bitdefender Labs takes a look at Linux.Encoder.1 ransomware. "Linux.Encoder.1 is executed on the victim’s Linux box after remote attackers leverage a flaw in the popular Magento content management system app. Once executed, the Trojan looks for the /home, /root and /var/lib/mysql folders and starts encrypting their contents. Just like Windows-based ransomware, it encrypts the contents of these files using AES (a symmetric key encryption algorithm), which provides enough strength and speed while keeping system resources usage to a minimum. The symmetric key is then encrypted with an asymmetric encryption algorithm (RSA) and is prepended to the file, along with the initialization vector used by AES." Once the files are encrypted the hackers demand a fee in exchange for the RSA private key to decrypt the AES symmetric one. However, Bitdefender researchers were able to recover the AES key without having to decrypt it with the RSA private key. One can also thwart this threat with some good backups. (Thanks to Richard Moore)

Tuesday's security advisories

Tuesday 10th of November 2015 05:39:12 PM

Debian has updated kernel (multiple vulnerabilities) and unzip (regression in previous update).

Fedora has updated firefox (F21: multiple vulnerabilities), icecat (F23; F22; F21: hardened build), nspr (F21: multiple vulnerabilities), nss (F21: multiple vulnerabilities), nss-softokn (F21: multiple vulnerabilities), nss-util (F21: multiple vulnerabilities), and xen (F22; F21: multiple vulnerabilities).

openSUSE has updated firefox, nspr, nss, xulrunner, seamonkey (Leap42.1, 13.2, 13.1: multiple vulnerabilities).

Red Hat has updated sssd (RHEL6: memory leak).

Scientific Linux has updated sssd (SL6: memory leak).

Ubuntu has updated kernel (15.10; 15.04; 14.04; 12.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), and linux-lts-vivid (14.04: denial of service).
