

This feed is a comprehensive source of news and opinions from and about the Linux community. It is the main feed, listing all articles posted to the site front page.

Thursday's security updates

Thursday 13th of October 2016 04:33:44 PM

Arch Linux has updated crypto++ (information disclosure).

Fedora has updated bash (F23: code execution), chromium (F23: multiple vulnerabilities), freeimage (F24; F23: code execution), mingw-freeimage (F24; F23: code execution), perl-DBD-MySQL (F24: denial of service), and python-pillow (F23: memory disclosure).

Mageia has updated libass (three vulnerabilities) and ruby (encrypted ciphertext duplication).

openSUSE has updated flash-player (13.2; 13.1: multiple vulnerabilities), irssi (Leap42.1, 13.2: three vulnerabilities), python-suds-jurko (Leap42.1: symbolic link attack from 2013), systemd (13.2: denial of service), tiff (Leap42.1: multiple vulnerabilities), and tiff (13.2: denial of service).

Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).

SUSE has updated firefox (SLE11-SP3,4: multiple vulnerabilities), flash-player, and qemu (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated libdbd-mysql-perl (14.04, 12.04: three vulnerabilities) and quagga (16.04, 14.04, 12.04: two vulnerabilities).

Apache OpenOffice 4.1.3 released

Thursday 13th of October 2016 04:05:23 PM
The long-awaited OpenOffice 4.1.3 release is out. "Apache OpenOffice 4.1.3 is a maintenance release incorporating important bug fixes, security fixes, updated dictionaries, and build fixes. All users of Apache OpenOffice 4.1.2 or earlier are advised to upgrade."

[$] Weekly Edition for October 13, 2016

Thursday 13th of October 2016 12:55:48 AM
The Weekly Edition for October 13, 2016 is available.

Security advisories for Wednesday

Wednesday 12th of October 2016 03:56:09 PM

CentOS has updated kernel (C7: stack corruption), tomcat (C7: multiple vulnerabilities), and tomcat6 (C6: multiple vulnerabilities).

Debian has updated ghostscript (multiple vulnerabilities).

Fedora has updated ca-certificates (F24: certificate update), nsd (F24: denial of service), and openssl (F23: multiple vulnerabilities).

Gentoo has updated bind (multiple vulnerabilities).

Mageia has updated libgd (denial of service), openssl (multiple vulnerabilities), and python-twisted-web (HTTP proxy redirect).

openSUSE has updated kde-cli-tools5 (SPH for SLE12; Leap42.1, 13.2: code execution), nodejs (Leap42.1, 13.2: multiple vulnerabilities), and xen (Leap42.1; 13.2: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: stack corruption), tomcat (SL7: multiple vulnerabilities), and tomcat6 (SL6: multiple vulnerabilities).

SUSE has updated ghostscript-library (SLE12-SP1; SLE11-SP2,3,4: multiple vulnerabilities) and xen (SLE11-SP4: multiple vulnerabilities).

Ubuntu has updated kdepimlibs (12.04: HTML injection) and tracker (16.04: denial of service).

[$] An update on input

Tuesday 11th of October 2016 09:20:10 PM
Peter Hutterer gave an update on the input stack at the 2016 X.Org Developers Conference (XDC). A lot has been accomplished, but there is, naturally, more to do—especially as more and more quirky (or buggy) input hardware is released. But, overall Hutterer painted a picture of a mature subsystem that is largely feature-complete at this point.

Announcing Google Code-in 2016 and Google Summer of Code 2017

Tuesday 11th of October 2016 08:36:59 PM
The Google Open Source Programs Office has announced Google Code-in 2016 and Google Summer of Code 2017. Google Code-in is for students from 13-17 years of age who would like to explore open source. "Students will find opportunities to learn and get hands-on experience with tasks from a range of categories. This structure allows students to stretch themselves as they take on increasingly more challenging tasks." Students will begin on November 28.

Student applications for Google Summer of Code (GSoC) open on March 20, 2017. Applications for interested open source organizations open on January 19. GSoC "provides university students from around the world with an opportunity to take their skills and hone them by contributing to open source projects during their summer break from university."

The FSF seeks nominations for the annual Free Software Awards

Tuesday 11th of October 2016 07:37:07 PM
The Free Software Foundation and the GNU Project are asking for nominations for the 19th annual Free Software Awards. The Award for the Advancement of Free Software will be presented to "an individual who has made a great contribution to the progress and development of free software, through activities that accord with the spirit of free software" and the Award for Projects of Social Benefit will be presented to "the project or team responsible for applying free software, or the ideas of the free software movement, in a project that intentionally and significantly benefits society in other aspects of life." The deadline for nominations is November 6.

Security updates for Tuesday

Tuesday 11th of October 2016 04:33:33 PM

Debian has updated icedove (multiple vulnerabilities).

Debian-LTS has updated graphicsmagick (multiple vulnerabilities), qemu (three vulnerabilities), and qemu-kvm (three vulnerabilities).

Fedora has updated c-ares (F23: code execution), irssi (F24; F23: three vulnerabilities), mujs (F24; F23: two vulnerabilities), nodejs (F24: improper validation), python-django (F24; F23: cross-site request forgery), and zathura-pdf-mupdf (F24; F23: two vulnerabilities).

Gentoo has updated mysql (multiple unspecified vulnerabilities) and subversion (multiple vulnerabilities).

openSUSE has updated thunderbird (Leap42.1, 13.2; SPH for SLE12: multiple vulnerabilities).

Oracle has updated kernel (OL7: stack corruption), tomcat (OL7: two vulnerabilities), and tomcat6 (OL6: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: stack corruption), tomcat (RHEL7: multiple vulnerabilities), and tomcat6 (RHEL6: multiple vulnerabilities).

Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), and linux-snapdragon (16.04: multiple vulnerabilities).

FreeBSD 11

Monday 10th of October 2016 08:09:50 PM
FreeBSD 11.0 has been released. This version features new architecture support, performance improvements, toolchain enhancements, and support for contemporary wireless chipsets. See the release notes for more information.

Here's Why Software Patents Are in Peril (Fortune)

Monday 10th of October 2016 07:13:30 PM
Fortune covers a ruling [PDF] by the U.S. Court of Appeals for the Federal Circuit that invalidates three patents asserted against anti-virus companies Symantec and Trend Micro. "The most important part of the decision, which has created a stir among the patent bar, is a concurrence by Circuit Judge Haldane Mayer. In striking down a key claim from U.S. Patent 5987610, which claims a monopoly on using anti-virus tools within a phone network, Mayer says it is time to acknowledge that a famous Supreme Court 2014 decision known as “Alice” basically ended software patents altogether."

Security advisories for Monday

Monday 10th of October 2016 05:00:21 PM

Arch Linux has updated imagemagick (two vulnerabilities), kcoreaddons (HTML injection), messagelib (two vulnerabilities), and wpa_supplicant (two vulnerabilities).

Debian has updated php5 (multiple vulnerabilities).

Debian-LTS has updated mat (information leak).

Fedora has updated libdwarf (F24: two vulnerabilities), libXfixes (F24: integer overflow), libXi (F24: insufficient validation), libXrandr (F24: insufficient validation), libXrender (F24: insufficient validation), libXtst (F24: insufficient validation), libXv (F24: insufficient validation), libXvMC (F24: insufficient validation), mingw-c-ares (F24; F23: code execution), mingw-openjpeg2 (F24; F23: denial of service), openjpeg2 (F23: denial of service), php-ZendFramework (F24; F23: SQL injection), and python-pillow (F24: memory disclosure).

Gentoo has updated libgcrypt (multiple vulnerabilities) and quagga (code execution).

Mageia has updated graphicsmagick (multiple vulnerabilities).

Red Hat has updated python-django (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: cross-site request forgery).

SUSE has updated php5 (SLE12-SP1: multiple vulnerabilities) and systemd (SLE12-SP1; SLE12: denial of service).

[$] Supporting UEFI secure boot in Debian

Monday 10th of October 2016 02:57:56 PM
The Debian project can be accused of many things, but jumping too quickly on leading-edge technology is not one of them. That can be seen in, among other things, the fact that there is still not a version of the distribution that supports the UEFI secure boot mechanism. But, as Ben Hutchings explained during his 2016 Kernel Recipes talk, such support is in the works, and it will be implemented in a uniquely Debian-like manner.

GDB 7.12 released

Monday 10th of October 2016 01:19:22 PM
Version 7.12 of the GDB debugger is out. The biggest changes this time around appear to be support for the Andes NDS32 architecture and the ability to debug programs written in the Rust language.

FSF: Tim Berners-Lee just gave us an opening to stop DRM in Web standards

Friday 7th of October 2016 07:31:41 PM
The Free Software Foundation's Defective By Design campaign reports that Tim Berners-Lee decided not to exercise his power to extend the development timeline for the Encrypted Media Extensions (EME) Web technology standard. "Berners-Lee made his surprising decision on Tuesday, as explained in an email announcement by W3C representative Philippe Le Hégaret. Instead of granting a time extension — as he has already done once — Berners-Lee delegated the decision to the W3C's general decision-making body, the Advisory Committee. The Advisory Committee includes diverse entities from universities to companies to nonprofits, and it is divided as to whether EME should be part of Web standards. It is entirely possible that the Advisory Committee will reject the time extension and terminate EME development, marking an important victory for the free Web."

Stable kernel updates

Friday 7th of October 2016 04:41:05 PM
Greg Kroah-Hartman has released stable kernels 4.8.1, 4.7.7, and 4.4.24. All contain important fixes.

Security advisories for Friday

Friday 7th of October 2016 04:18:39 PM

Debian-LTS has updated c-ares (code execution) and python-django (cross-site request forgery).

Fedora has updated mongodb (F24: information leak).

Gentoo has updated apache (multiple vulnerabilities) and groovy (code execution).

Mageia has updated thunderbird (code execution).

Oracle has updated kernel 4.1.12 (OL7; OL6: two vulnerabilities), kernel 3.8.13 (OL7; OL6: two vulnerabilities), and kernel 2.6.39 (OL6; OL5: two vulnerabilities).

SUSE has updated compat-openssl098 (SLE12-SP1: multiple vulnerabilities), nodejs4 (SLEM12: multiple vulnerabilities), openssl1 (SLES11-SECURITY: multiple vulnerabilities), and xen (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated oxide-qt (16.04, 14.04: multiple vulnerabilities).

[$] OpenSSL after Heartbleed

Thursday 6th of October 2016 09:56:25 PM
Rich Salz and Tim Hudson started off their LinuxCon Europe 2016 talk by stating that April 3, 2014 shall forever be known as the "re-key the Internet date." That, of course, was the day that the Heartbleed vulnerability in the OpenSSL library was disclosed. A lot has happened with OpenSSL since that day, to the point that, Salz said, this should be the last talk he gives that ever mentions that particular vulnerability. In the last two years, the project has recovered from Heartbleed and is now more vital than ever before.

Bassi: Who wrote GTK+ 3.22

Thursday 6th of October 2016 09:52:11 PM
On the GTK+ Development Blog, Emmanuele Bassi looks at some statistics on the development of GTK+ 3.22 and GLib contributions during the same cycle (that resulted in GLib 2.50.0). He looks at which developers contributed the most change sets and changed lines of code, as well as how many change sets and hackers there are for each component by company affiliation. "During the 3.22 development cycle, GLib saw a total of 14119 lines added, 2031 removed, for a net gain of 12088 lines [...] GTK+, instead, saw a total of 46581 lines added, 19163 removed, for a net gain of 27418 lines". Those numbers do not include the translation work that was done for 3.22.

Thursday's security advisories

Thursday 6th of October 2016 03:21:33 PM

Debian has updated nspr (code execution) and nss (multiple vulnerabilities, some from 2015).

Debian-LTS has updated bind9 (two denial of service flaws), freeimage (code execution), and zendframework (SQL injection).

Fedora has updated c-ares (F24: code execution).

openSUSE has updated ffmpeg (42.1: not well specified), postgresql94 (42.1: two vulnerabilities), and python-Jinja2 (13.2: privilege escalation from 2014).

Scientific Linux has updated kernel (SL6: two vulnerabilities).

SUSE has updated openssl (SLE11: multiple vulnerabilities), php53 (SLE11SP4; SLE11SP2: multiple vulnerabilities), and php7 (SLE12: multiple vulnerabilities).

Ubuntu has updated ntp (16.04, 14.04, 12.04: multiple vulnerabilities, many from 2015).

[$] Weekly Edition for October 6, 2016

Thursday 6th of October 2016 12:00:50 AM
The Weekly Edition for October 6, 2016 is available.

More in Tux Machines

Red Hat and Fedora

  • Red Hat – the open source conglomerate
    As successful companies grow, they accumulate products; new ones are developed and additional ones are acquired. Managing diverse portfolios is a challenge, not least when it comes to putting it all together on a single presentation slide to make it appear there is an overall coherent product strategy.
  • Ericsson Embraces Red Hat OpenStack Platform
    Ericsson and Red Hat today announced a broad alliance to work together on network functions virtualization (NFV) products. And the telco infrastructure provider will now support the Red Hat OpenStack Platform. Ericsson already has a longstanding distribution partnership with Red Hat that includes Red Hat Enterprise Linux and Red Hat JBoss Middleware. The existing distribution partnerships define not only commercial terms, but also joint support models, co-engineering and certification testing, and joint go-to-market collaboration.
  • Raleigh's Red Hat teams up with Ericsson
    Open-source software firm Red Hat (NYSE: RHT) has teamed up with Ericsson (Nasdaq: ERIC) on what the companies are calling a “broad alliance” aimed at transforming the information and communications technology market. Red Hat, headquartered at downtown Raleigh’s Red Hat Tower, announced that its new partnership with Ericsson would allow the duo to deliver fully open-source and production-ready cloud infrastructure, spanning OpenStack, software-defined networking and software-defined infrastructure.
  • FCAIC in the House
    The job is like many other roles called “Community Manager” or “Community Lead.” That means there is a focus on metrics and experiences. One role is to try ensure smooth forward movement of the project towards its goals. Another role is to serve as a source of information and motivation. Another role is as a liaison between the project and significant downstream and sponsoring organizations. In Fedora, this means I help the Fedora Project Leader. I try to be the yen to his yang, the zig to his zag, or the right hand to his right elbow. In all seriousness, it means that I work on a lot of the non-engineering focused areas of the Fedora Project. While Matthew has responsibility for the project as a whole I try to think about users and contributors and be mechanics of keeping the project running smoothly.
  • keepalived: Simple HA
    We have been using keepalived in Fedora Infrastructure for a while now. It’s a pretty easy-to-use and simple way to do some basic HA. Keepalived can keep track of which machine is “master” for an IP address and quickly fail over and back when moving that IP address around. You can also run scripts on state change. Keepalived uses VRRP and handles updating arp tables when IP addresses move around. It also supports weighting so you can prefer one or another server to “normally” have the master IP/scripts.
  • What does Factory 2.0 mean for Modularity?
    This blog now has a drop-down category called Modularity. But, many arteries of Modularity lead into a project called Factory 2.0. These two are, in fact, pretty much inseparable. In this post, we’ll talk about the 5 problems that need to be solved before Modularity can really live. The origins of Factory 2.0 go back a few years, when Matthew Miller started the conversation at Flock. The first suggested names were “Fedora Rings”, “Envs and Stacks”, and Alephs.
  • varnish-5.0, varnish-modules-0.9.2 and hitch-1.4.1, packages for Fedora and EPEL
    The Varnish Cache project recently released varnish-5.0, and Varnish Software released hitch-1.4.1. I have wrapped packages for Fedora and EPEL. varnish-5.0 has configuration changes, so the updated package has been pushed to rawhide, but will not replace the ones currently in EPEL nor in Fedora stable. Those who need varnish-5.0 for EPEL may use my COPR repos at They include the varnish-5.0 and matching varnish-modules packages, and are compatible with EPEL 5, 6, and 7.
  • Installroot in DNF-2.0
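The keepalived item above describes master election, failover, state-change scripts and weighting in prose. The configuration below is an added example written for this page, not taken from the Fedora Infrastructure post; the interface name, addresses, router ID, health-check URL and notify script path are assumptions chosen for illustration.

```conf
# Added example (not from the Fedora Infrastructure post): one node of a
# two-node keepalived pair serving a single floating address. Interface,
# addresses, router ID and script paths are assumed for illustration.
global_defs {
    enable_script_security       # refuse to run scripts writable by non-root
    script_user root
}

# Health check: when it fails, this node's priority drops by 60, so the
# peer (priority 100) wins the election and takes the VIP without
# keepalived itself having to die.
vrrp_script chk_httpd {
    script "/usr/bin/curl -sf -o /dev/null http://127.0.0.1/healthz"
    interval 2
    fall 3           # three consecutive failures before marking down
    rise 2           # two consecutive successes before marking up again
    weight -60
}

vrrp_instance VI_1 {
    state MASTER                 # BACKUP on the second node
    interface eth0
    virtual_router_id 51         # identical on both nodes, unique per segment
    priority 150                 # 100 on the second node; highest wins
    advert_int 1
    # Advertise to the known peer only, instead of the 224.0.0.18 multicast group
    unicast_src_ip 192.0.2.11
    unicast_peer {
        192.0.2.12
    }
    virtual_ipaddress {
        192.0.2.100/24 dev eth0
    }
    track_script {
        chk_httpd
    }
    # Run on every transition. keepalived passes: "INSTANCE", the instance
    # name, the new state (MASTER, BACKUP or FAULT) and the current priority.
    notify /usr/local/sbin/vip-notify.sh
}
```

The second node carries the same file with `state BACKUP` and `priority 100`. The weight matters: a penalty smaller than the gap between the two priorities (say -20 here) would leave a failed master at 130, still above its peer, and the check would never cause a failover. VRRP itself offers no meaningful authentication (the `auth_type PASS` method is a short cleartext string, and VRRPv3 dropped authentication entirely), so any host on the segment that can send IP protocol 112 with a higher priority can claim the address; the unicast peer list plus a host firewall rule admitting protocol 112 only from the peer is the practical control.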

Security News

  • Security advisories for Thursday
  • More information about Dirty COW (aka CVE-2016-5195)
    The security hole fixed in the stable kernels released today has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.
  • CVE-2016-5195
    My prior post showed my research from earlier in the year at the 2016 Linux Security Summit on kernel security flaw lifetimes. Now that CVE-2016-5195 is public, here are updated graphs and statistics. Due to their rarity, the Critical bug average has now jumped from 3.3 years to 5.2 years. There aren’t many, but, as I mentioned, they still exist, whether you know about them or not. CVE-2016-5195 was sitting on everyone’s machine when I gave my LSS talk, and there are still other flaws on all our Linux machines right now. (And, I should note, this problem is not unique to Linux.) Dealing with knowing that there are always going to be bugs present requires proactive kernel self-protection (to minimize the effects of possible flaws) and vendors dedicated to updating their devices regularly and quickly (to keep the exposure window minimized once a flaw is widely known).
  • “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)
    While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.
  • Linux users urged to protect against 'Dirty COW' security flaw
    Organisations and individuals have been urged to patch Linux servers immediately or risk falling victim to exploits for a Linux kernel security flaw dubbed ‘Dirty COW'. This follows a warning from open source software vendor Red Hat that the flaw is being exploited in the wild. Phil Oester, the Linux security researcher who uncovered the flaw, explained to V3 that the exploit is easy to execute and will almost certainly become more widely used. "The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.
  • Hackers Hit U.S. Senate GOP Committee
    The national news media has been consumed of late with reports of Russian hackers breaking into networks of the Democratic National Committee. Lest the Republicans feel left out of all the excitement, a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the Web storefront of the National Republican Senatorial Committee (NRSC). [...] Dataflow markets itself as an “offshore” hosting provider with presences in Belize and The Seychelles. Dataflow has long been advertised on Russian-language cybercrime forums as an offshore haven that offers so-called “bulletproof hosting,” a phrase used to describe hosting firms that court all manner of sites that most legitimate hosting firms shun, including those that knowingly host spam and phishing sites as well as malicious software. De Groot published a list of the sites currently present at Dataflow. The list speaks for itself as a collection of badness, including quite a number of Russian-language sites selling synthetic drugs and stolen credit card data. According to De Groot, other sites that were retrofitted with the malware included e-commerce sites for the shoe maker Converse as well as the automaker Audi, although he says those sites and the NRSC’s have been scrubbed of the malicious software since his report was published. But De Groot said the hackers behind this scheme are continuing to find new sites to compromise. “Last Monday my scans found about 5,900 hacked sites,” he said. “When I did another scan two days later, I found about 340 of those had been fixed, but that another 170 were newly compromised.”
  • Thoughts on the BTB Paper
    The Branch Target Buffer (BTB) whitepaper presents some interesting information. It details potential side-channel attacks by utilizing timing attacks against the branch prediction hardware present in Intel Haswell processors. The article does not mention Intel processors later than Haswell, such as Broadwell or Skylake. Side-channel attacks are always interesting and fun. Indeed, the authors have stumbled into areas that need more research. Their research can be applicable in certain circumstances. As a side-note, KASLR in general is rather weak and can be considered a waste of time[1]. The discussion why is outside the scope of this article.

Android Leftovers

Debian-Based Parsix GNU/Linux 8.15 "Nev" Gets First Test Build, Ships GNOME 3.22

Today, October 21, 2016, the developers of the Debian-based Parsix GNU/Linux operating system proudly announced the availability for download of the first test build of the upcoming Parsix GNU/Linux 8.15 "Nev" release.