LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

An Interview with Karen Sandler (Model View Culture)

Thursday 24th of July 2014 06:19:46 PM
Over at Model View Culture, Adam Saunders interviews Karen Sandler, executive director of the Software Freedom Conservancy (SFC) and formerly the executive director of the GNOME Foundation. Sandler talks about SFC, the Outreach Program for Women, as well as being a cyborg: "I was diagnosed with a heart condition and needed a pacemaker/defibrillator, and none of the device manufacturers would let me see the source code that was to be literally sewn into my body and connected to my heart. My life relies on the proper functioning of software every day, and I have no confidence that it will. The FDA generally doesn't review the source code of medical devices nor can the public. But multiple researchers have shown that these devices can be maliciously hacked, with fatal consequences. Once you start considering medical devices, you quickly start to realize that it's all kinds of software that is life and society-critical - cars, voting machines, stock markets... It's essential that our software be safe, and the only way we can realistically expect that to be the case over time is by ensuring that our software is free and open. If there's catastrophic failure at Medtronic (the makers of my defibrillator), for example, I wouldn't be able to fix a bug in my own medical device."

Security updates for Thursday

Thursday 24th of July 2014 04:41:31 PM

CentOS has updated httpd (C7; C6; C5: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities) and openjdk-7 (multiple vulnerabilities).

Fedora has updated firefox (F20: multiple vulnerabilities).

Oracle has updated dovecot (OL7: denial of service), firefox (OL7; OL7; OL5: multiple vulnerabilities), gnutls (OL7: two vulnerabilities), httpd (OL7; OL6; OL5: multiple vulnerabilities), java-1.6.0-openjdk (OL7; OL7: multiple vulnerabilities), java-1.7.0-openjdk (OL7; OL7: multiple vulnerabilities), json-c (OL7: two denial of service flaws), kernel (OL7; OL6: two privilege escalations), kernel (OL7: multiple vulnerabilities), kernel (OL7: privilege escalation), libtasn1 (OL7: three vulnerabilities), libvirt (OL7: information disclosure/denial of service), lzo (OL7: denial of service/possible code execution), mariadb (OL7: multiple unspecified vulnerabilities), nss, nspr (OL7: code execution), openssl (OL7: multiple vulnerabilities), openssl098e (OL7: man-in-the-middle attack), qemu-kvm (OL7: many vulnerabilities), qemu-kvm (OL7: code execution), samba (?:), tomcat (OL7: three vulnerabilities), and tomcat (OL7: three vulnerabilities).

Red Hat has updated kernel (RHEL7; RHEL6.4; RHEL6; RHEL5: two privilege escalations) and qemu-kvm (RHEL7: many vulnerabilities).

Scientific Linux has updated kernel (SL6; SL5: two privilege escalations).

Slackware has updated httpd (multiple vulnerabilities), thunderbird (multiple vulnerabilities), and firefox (multiple vulnerabilities).

SUSE has updated libtasn1 (SLE11SP3: three vulnerabilities) and ppc64-diag (SLE11SP3: two vulnerabilities).

Ubuntu has updated apache2 (14.04, 12.04, 10.04: multiple vulnerabilities), jinja2 (12.04: code execution), lzo2 (14.04, 12.04: denial of service/possible code execution), and oxide-qt (14.04: multiple vulnerabilities).

Oracle Linux 7 released

Thursday 24th of July 2014 01:54:09 PM
Another of the Red Hat Enterprise Linux (RHEL) rebuilds has released its version of RHEL 7: Oracle Linux 7 for x86_64 is now available. It does add some features, including DTrace, Ksplice, and Xen. More information can be found in the release notes.

[$] LWN.net Weekly Edition for July 24, 2014

Thursday 24th of July 2014 01:44:00 AM
The LWN.net Weekly Edition for July 24, 2014 is available.

[$] Browser tracking through "canvas fingerprinting"

Wednesday 23rd of July 2014 06:27:14 PM

Recently, public attention has been called to a new online user-tracking method that is purported to be nearly impossible to block. Called "canvas fingerprinting," the technique relies on forcing the browser to generate an image on the client side of the connection—an image that is unique enough to serve as a fingerprint for the browser that created it. In fact, the basis for this fingerprinting approach is several years old, but it does now seem to be in use in the wild. Whether or not it truly amounts to an insurmountable blocking challenge, however, remains to be seen.

ownCloud 7 released

Wednesday 23rd of July 2014 05:59:36 PM
The ownCloud 7 release has been announced. The headline feature this time around appears to be server-to-server sharing, but it also has mobile web browser support, file activity notifications, and an improved management interface.

Security advisories for Wednesday

Wednesday 23rd of July 2014 05:48:41 PM

CentOS has updated firefox (C6; C5: multiple vulnerabilities), firefox, xulrunner (C7: multiple vulnerabilities), libvirt (C7: information disclosure/denial of service), nss, nspr (C7: code execution), nss (C5; C6: code execution), nss-util (C6: code execution), nspr (C6; C5: code execution), and thunderbird (C5; C6: multiple vulnerabilities).

Debian has updated acpi-support (privilege escalation) and mysql-5.5 (unidentified vulnerabilities).

Fedora has updated libXfont (F19: multiple vulnerabilities), python-simplejson (F19: information disclosure), and readline (F20: insecure temporary files).

Oracle has updated firefox (OL6: multiple vulnerabilities), nss, nspr (OL6; OL5: code execution), and thunderbird (OL6: multiple vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), httpd (RHEL5,6; RHEL7: multiple vulnerabilities), httpd24-httpd (RHSC1: multiple vulnerabilities), kernel-rt (RHE MRG2.5: multiple vulnerabilities), libvirt (RHEL7: information disclosure/denial of service), nss (RHEL5.6,5.9,6.2,6.4: code execution), nss, nspr (RHEL5,7: code execution), nss, nspr (RHEL6: multiple vulnerabilities), and thunderbird (RHEL5,6: multiple vulnerabilities).

Scientific Linux has updated firefox (SL5,6: multiple vulnerabilities), httpd (SL5,6: multiple vulnerabilities), nss and nspr (SL6; SL5: code execution), and thunderbird (SL5,6: multiple vulnerabilities).

Ubuntu has updated acpi-support (12.04 LTS: privilege escalation), firefox (14.04 LTS, 12.04 LTS: multiple vulnerabilities), libtasn1-3, libtasn1-6 (14.04 LTS, 12.04 LTS, 10.04 LTS: multiple vulnerabilities), and thunderbird (14.04 LTS, 12.04 LTS: multiple vulnerabilities).

Firefox 31 released

Tuesday 22nd of July 2014 10:21:21 PM
Firefox 31 has been released. This version adds a search field to the new tab page, adds support for the Prefer:Safe HTTP header for parental control, and blocks malware in downloaded files. See the release notes for more information.

Spencer: The Community Team

Tuesday 22nd of July 2014 07:44:39 PM
Rick Spencer introduces Ubuntu's community team. "First, we created the role Community Team Manager. Notice the important inclusion of the word “Team”. This person’s job is not to “manage the community”, but rather to organize and lead the rest of the community team members. This includes things like project planning, HR responsibilities, strategic planning and everything else entailed in being a good line manager. After a rather competitive interview process, with some strong candidates, one person clearly rose to the top as the best candidate. So, I would like to formally introduce David Planella as the Community Team Manager!" Michael Hall, Daniel Holbach, and Nicholas Skaggs are the other members of the team.

Docker security with SELinux (Opensource.com)

Tuesday 22nd of July 2014 06:51:09 PM
Dan Walsh looks at container security, on Opensource.com. "I hear and read about a lot of people assuming that Docker containers actually sandbox applications—meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system [...] Stop assuming that Docker and the Linux kernel protect you from malware."

Tuesday's security updates

Tuesday 22nd of July 2014 04:35:07 PM

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities).

Fedora has updated couchdb (F20; F19: denial of service), erlang-ibrowse (F20; F19: denial of service), php-ZendFramework (F20; F19: SQL injection), and polarssl (F20; F19: denial of service).

Oracle has updated java-1.6.0-openjdk (OL6; OL5: multiple vulnerabilities).

Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and java-1.6.0-sun (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6: multiple vulnerabilities).

Ubuntu has updated cups (privilege escalation).

Security advisories for Monday

Monday 21st of July 2014 04:34:13 PM

Debian has updated drupal7 (multiple vulnerabilities) and ruby-activerecord-3.2 (SQL injection).

Fedora has updated cups (F20: privilege escalation), dpkg (F20: two file modification via path traversal flaws), java-1.7.0-openjdk (F20: multiple vulnerabilities), kernel (F20: privilege escalation), ocsinventory (F20; F19: cross-site scripting), and transmission (F20: code execution).

openSUSE has updated privoxy (13.1: privoxy requires privoxyd), dbus-1 (13.1; 12.3: two denial of service flaws), eet (13.1, 12.3: code execution), lzo (13.1, 12.3: code execution), and php (13.1, 12.3: multiple vulnerabilities).

The EFF's open wireless router project

Monday 21st of July 2014 12:04:01 PM
The Electronic Frontier Foundation has announced a project to create a new distribution for wireless home routers. It is based on CeroWrt and is meant to make it easy and safe to run an open wireless network, include all of the latest bufferbloat fixes, and "advance the state of the art in consumer Wi-Fi router security and begin turning back the growing tide of attacks against them." The work is in an early state and only runs on Netgear WNDR3800 routers for now; testers and contributors are eagerly sought.

Kernel prepatch 3.16-rc6

Monday 21st of July 2014 11:55:00 AM
The 3.16-rc6 release is out, and Linus is starting to think that things are still too active. "Anyway, rc6 still isn't all *that* big, so I'm not exactly worried, but I am getting to the point where I'm going to start calling people names and shouting at you if you send me stuff that isn't appropriate for the late rc releases. Which is not to say that people did: while rc6 is bigger than I wished for, I don't think there's too much obviously frivolous in there. But I'll be keeping an eye out, and I'll be starting to get grumpy (or grumpiER) if I notice that people aren't being serious about trying to calm things down."

Four new kernel releases

Friday 18th of July 2014 06:13:31 PM

Greg Kroah-Hartman has released four new stable kernels: 3.15.6, 3.14.13, 3.10.49, and 3.4.99; each contains important updates and fixes.

Friday's security updates

Friday 18th of July 2014 03:34:25 PM

Debian has updated fail2ban (multiple vulnerabilities), openjdk-6 (multiple vulnerabilities), and polarssl (denial of service).

Red Hat has updated java-1.7.0-oracle (multiple vulnerabilities) and kernel (RHEL6: multiple vulnerabilities).

Ubuntu has updated liblwp-protocol-https-perl (14.04: information leak).

Changes on the openSUSE board

Friday 18th of July 2014 02:15:49 PM
openSUSE board chair Vincent Untz has announced that he will be stepping down from the position to free up time for other priorities. "I'm stepping down with regrets because these two years as chairman have been totally awesome, and I would love to keep contributing to the project that way. But I know I won't have enough time to dedicate to being a chairman in the months to come, and I'm a strong believer that board members (including the chairman) should be active in their role. Having motivation is extremely important, of course, but free time is simply essential." SUSE has chosen Richard Brown as Vincent's successor.

Faults in Linux 2.6

Thursday 17th of July 2014 08:36:37 PM
Six researchers (including Julia Lawall of the Coccinelle project) have just released a paper [PDF] (abstract) that looks at the faults in the 2.6 kernel. "In August 2011, Linux entered its third decade. Ten years before, Chou et al. published a study of faults found by applying a static analyzer to Linux versions 1.0 through 2.4.1. A major result of their work was that the drivers directory contained up to 7 times more of certain kinds of faults than other directories. This result inspired numerous efforts on improving the reliability of driver code. Today, Linux is used in a wider range of environments, provides a wider range of services, and has adopted a new development and release model. What has been the impact of these changes on code quality? To answer this question, we have transported Chou et al.'s experiments to all versions of Linux 2.6, released between 2003 and 2011. We find that Linux has more than doubled in size during this period, but the number of faults per line of code has been decreasing. Moreover, the fault rate of drivers is now below that of other directories, such as arch. These results can guide further development and research efforts for the decade to come. To allow updating these results as Linux evolves, we define our experimental protocol and make our checkers available." (Thanks to Asger Alstrup Palm.)

The state of accessibility in Linux and open source software (Opensource.com)

Thursday 17th of July 2014 08:18:07 PM
Over at Opensource.com, Rikki Endsley interviews Spencer Hunley, who will be giving a talk on accessibility at LinuxCon NA in August. Hunley also spoke at last year's LinuxCon NA and, shortly after that, helped form the Universal Tux Google+ community to work on accessibility in Linux. "Built-in, easy to use and understand accessibility support is hard to find in many distributions. Can you tell me the key combination to activate that support in Ubuntu? How about any other distro? The fact is that although it's there, it may not be easy to locate and/or use. When addressing this, focusing on independence is vital. No one wants to have to call upon someone else to help them install a new OS, or to utilize an application. This is especially true for people with disabilities; the learning curve can be nearly impossible, which leaves little in the way of choice in the FOSS world, depending on your abilities."

X.Org server 1.16.0 released

Thursday 17th of July 2014 04:44:04 PM
Keith Packard has announced the release of the 1.16.0 X.Org server with many new features, including Glamor (GL-based 2D X acceleration) integration, XWayland, systemd integration, Glamor for the Xephyr nested X server, and support for non-PCI devices. In addition, thousands of compiler warnings were eliminated from the code base. "For the first time in several releases, we've added substantial amounts of code to the server, only 2/3 of which was the glamor code base: 604 files changed, 34449 insertions(+), 7024 deletions(-)."