
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Bash 4.4 and Readline 7.0 released

Friday 16th of September 2016 10:22:03 PM
The GNU Bourne Again SHell (Bash) project has released version 4.4 of the tool. It comes with a large number of bug fixes as well as new features: "The most notable new features are mapfile's ability to use an arbitrary record delimiter; a --help option available for nearly all builtins; a new family of ${parameter@spec} expansions that transform the value of `parameter'; the `local' builtin's ability to save and restore the state of the single-letter shell option flags around function calls; a new EXECIGNORE variable, which adds the ability to specify names that should be ignored when searching for commands; and the beginning of an SDK for loadable builtins, which consists of a set of headers and a Makefile fragment that can be included in projects wishing to build their own loadable builtins, augmented by support for a BASH_LOADABLES_PATH variable that defines a search path for builtins loaded with `enable -f'. The existing loadable builtin examples are now installed by default with `make install'." In addition, the related Readline command-line editing library project has released Readline 7.0.

Friday's security advisories

Friday 16th of September 2016 05:15:09 PM

CentOS has updated libarchive (C7; C6: multiple vulnerabilities, some from 2015).

Debian has updated tomcat7 (privilege escalation) and tomcat8 (privilege escalation).

Debian-LTS has updated mysql-5.5 (privilege escalation).

Fedora has updated curl (F24: code execution).

Mageia has updated cracklib (code execution), dropbear (three code execution flaws), jasper (two vulnerabilities from 2015), krb5 (denial of service), lcms2 (information leak), mediawiki (multiple vulnerabilities), openvpn (information leak), perl-DBD-mysql (two code execution flaws from 2014 and 2015), and perl-XSLoader (code execution).

openSUSE has updated opera (42.1: multiple vulnerabilities) and tiff (42.1: multiple vulnerabilities, three from 2015).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: three vulnerabilities).

Slackware has updated curl (code execution).

Hutterer: Synaptics pointer acceleration

Friday 16th of September 2016 12:57:42 PM
For this week's development horror story, it would be hard to do better than Peter Hutterer's quest to figure out how pointer acceleration works in the Synaptics driver. "Also a disclaimer: the last time some serious work was done on acceleration was in 2008/2009. A lot of things have changed since and since the server is effectively un-testable, we ended up with the mess below that seems to make little sense. It probably made sense 8 years ago and given that most or all of the patches have my signed-off-by it must've made sense to me back then. But now we live in the glorious future and holy cow it's awful and confusing."

Linux 4.7.4 and 4.4.21

Thursday 15th of September 2016 05:45:50 PM

Stable kernels 4.7.4 and 4.4.21 have been released. As is normal, they contain fixes throughout the kernel tree and users of those series should upgrade.

Security updates for Thursday

Thursday 15th of September 2016 05:40:35 PM

Arch Linux has updated flashplugin (many vulnerabilities), lib32-flashplugin (many vulnerabilities), and mariadb (two vulnerabilities).

Debian has updated chromium-browser (multiple vulnerabilities) and mailman (cross-site request forgery).

Debian-LTS has updated autotrace (code execution), tomcat6 (privilege escalation), and tomcat7 (privilege escalation).

Fedora has updated GraphicsMagick (F24: multiple vulnerabilities).

openSUSE has updated chromium (42.1; 13.2; SPH for SLE12: multiple vulnerabilities), flash-player (13.2: multiple vulnerabilities), perl (42.1: multiple vulnerabilities, one from 2015), and virtualbox (13.2: two unspecified vulnerabilities).

Oracle has updated kernel (OL7: two vulnerabilities).

Red Hat has updated kernel (RHEL7: three vulnerabilities) and kernel-rt (RHEL7; RHEL6: three vulnerabilities).

SUSE has updated flash-player (SLE12: many vulnerabilities).

Ubuntu has updated oxide-qt (16.04, 14.04: multiple vulnerabilities) and python-imaging (12.04: three vulnerabilities, one from 2014).

[$] LWN.net Weekly Edition for September 15, 2016

Thursday 15th of September 2016 12:22:57 AM
The LWN.net Weekly Edition for September 15, 2016 is available.

[$] Backports and long-term stable kernels

Wednesday 14th of September 2016 09:26:46 PM
One of the longest running debates in the kernel community has to do with the backporting of patches from newer kernels to older ones. Substantial effort goes into these backports, with the resulting kernels appearing in everything from enterprise distributions to mobile devices. A recent resurgence of this debate on the Kernel Summit discussion list led to no new conclusions, but it does show how the debate has shifted over time.

Kügler: LTS releases align neatly for Plasma 5.8

Wednesday 14th of September 2016 06:07:41 PM
Sebastian Kügler reports that Plasma 5.8 will be the first LTS release of the Plasma 5 series. "One great thing of this release is that it aligns support time-frames across the whole stack from the desktop through Qt and underlying operating systems. This makes Plasma 5.8 very attractive for users that need to rely on the stability of their computers." Plasma 5.8 will receive at least 18 months of bugfix and security support from upstream KDE.

Security advisories for Wednesday

Wednesday 14th of September 2016 04:26:40 PM

Arch Linux has updated libtorrent-rasterbar (denial of service) and powerdns (denial of service).

Debian has updated mysql-5.5 (SQL injection/privilege escalation).

Fedora has updated gnupg (F23: flawed random number generation), gnutls (F24; F23: certificate verification vulnerability), openjpeg2 (F24: denial of service), thunderbird (F24: unspecified vulnerabilities), and xen (F24: three vulnerabilities).

openSUSE has updated mysql-connector-java (Leap42.1: information disclosure).

Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).

Slackware has updated mariadb (SQL injection/privilege escalation).

Ubuntu has updated mysql-5.5, mysql-5.7 (SQL injection/privilege escalation) and webkit2gtk (16.04: multiple vulnerabilities).

Apache NetBeans Incubator Proposal

Tuesday 13th of September 2016 07:39:14 PM
Geertjan Wielenga posted a proposal to the Apache incubator list to adopt NetBeans, an open source development environment, tooling platform, and application framework. "NetBeans has been run by Oracle, with the majority of code contributions coming from Oracle. The specific reason for moving to Apache is to expand the diversity of contributors and to increase the level of meritocracy in NetBeans. Apache NetBeans will be actively seeking new contributors and will welcome them warmly and provide a friendly and productive environment for purposes of providing a development environment, tooling environment, and application framework." (Thanks to Stephen Kitt)

Tuesday's security updates

Tuesday 13th of September 2016 04:31:23 PM

Debian-LTS has updated libphp-adodb (SQL injection).

openSUSE has updated Chromium (13.2: multiple vulnerabilities).

Oracle has updated libarchive (OL7; OL6: file overwrite) and ntp (OL7; OL6: denial of service from 2013).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), libarchive (RHEL7; RHEL6: multiple vulnerabilities), Red Hat OpenShift Enterprise 3.1 (file overwrite), Red Hat OpenShift Enterprise 3.2 (file overwrite), rh-ror41-rubygem-actionview (RHSCL: cross-site scripting), rh-ror42 (RHSCL: two vulnerabilities), ror40-rubygem-actionpack (RHSCL: cross-site scripting), and ruby193-rubygem-actionpack (RHSCL: cross-site scripting).

Scientific Linux has updated libarchive (SL7; SL6: multiple vulnerabilities).

Ubuntu has updated openjdk-6 (12.04: multiple vulnerabilities).

Tridgell: ArduPilot and DroneCode

Tuesday 13th of September 2016 01:31:42 PM
Andrew "Tridge" Tridgell writes about the ArduPilot project's withdrawal from the Dronecode group. "Unfortunately DroneCode has a built-in flaw. The structure and bylaws of DroneCode are built around exceptional power for the Platinum members, giving them extraordinary control over the future of DroneCode. [...] Just how great a flaw that is has been shown by the actions of the Platinum members over the last two months. Due to their overwhelming desire to be able to make a proprietary autopilot stack the Platinum members staged what can only be called a coup. They removed all top level open source projects from DroneCode, leaving only their own nominees in the Technical Steering Committee. They passed a resolution requiring that all projects hand over control of all trademarks, accounts and domains to their control."

Vim 8.0 released

Monday 12th of September 2016 05:42:42 PM
The Vim editor project is celebrating its 8.0 release. "This is the first major Vim release in ten years. There are interesting new features, many small improvements and lots of bug fixes." New features include asynchronous I/O, jobs, a package system, GTK+ 3 support, and more.

Stable kernel update - 3.14 eol

Monday 12th of September 2016 04:52:04 PM
Greg KH has released stable kernel 3.14.79. This is the last update in the 3.14.x series. "Please use 4.4 if you want a LTS kernel that will last for another year, or even better yet, just use the normal stable releases as those will always contain the latest fixes and updates."

Security advisories for Monday

Monday 12th of September 2016 04:03:23 PM

Arch Linux has updated file-roller (file deletion), graphicsmagick (denial of service), and tomcat8 (redirect HTTP traffic).

Debian has updated openjpeg2 (multiple vulnerabilities) and pdns (multiple denial of service flaws).

Debian-LTS has updated libarchive (two vulnerabilities), qemu (directory/path traversal), and qemu-kvm (directory/path traversal).

Fedora has updated chromium (F24: multiple vulnerabilities), elog (F24; F23: unauthorized posts), phpMyAdmin (F23: multiple vulnerabilities), python-jwcrypto (F24; F23: information disclosure), and slock (F24; F23: screen locking bypass).

openSUSE has updated libtorrent-rasterbar (Leap42.1: denial of service), kernel (Leap42.1: multiple vulnerabilities), and wget (13.2: race condition).

Slackware has updated gnutls (denial of service).

SUSE has updated java-1_7_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11-SP2,3: three vulnerabilities).

Kernel prepatch 4.8-rc6

Monday 12th of September 2016 12:42:39 PM
Linus has released the 4.8-rc6 kernel prepatch. "I still haven't decided whether we're going to do an rc8, but I guess I don't have to decide yet. Nothing looks particularly bad, and it will depend on how rc7 looks."

Abbott: Success with Interns

Friday 9th of September 2016 11:16:58 PM

Laura Abbott marks the end of the latest round of open-source internships at Outreachy with a blog post reflecting on "what makes an internship successful," especially as seen in the kernel team's internships. Among Abbott's lessons: "Choose your tasks carefully. Tasks with a specific goal but multiple ways to solve are best. Too open-ended tasks can be frustrating for all involved but there should be some chance for decision making. Just giving a list of tasks and exactly how they should be completed isn't good for learning. Give your intern a chance to propose a solution and then review it together." Also: "Speaking of review, code review is a skill. Model how to respond to code review comments. Encourage interns to practice reviewing others' code and ask questions as well." That is just a sampling; in total, Abbott lists well over a dozen take-aways from the experience, all worth reading.

Friday's security updates

Friday 9th of September 2016 02:26:10 PM

Arch Linux has updated wordpress (multiple vulnerabilities).

Debian has updated inspircd (user impersonation) and xen (multiple vulnerabilities).

Debian-LTS has updated curl (certificate reuse) and xen (multiple vulnerabilities).

openSUSE has updated fontconfig (Leap 42.1: privilege escalation), gdk-pixbuf (13.2, Leap 42.1: denial of service), krb5 (Leap 42.1: denial of service), mariadb (Leap 42.1: multiple vulnerabilities), ocaml (Leap 42.1: information leak), tiff (13.2: multiple vulnerabilities), and wget (Leap 42.1: multiple vulnerabilities).

Slackware has updated php (14.0, 14.1, 14.2: multiple vulnerabilities).

Ubuntu has updated file-roller (14.04, 16.04: file deletion) and imlib2 (12.04, 14.04, 16.04: multiple vulnerabilities).

LWN.net Weekly Edition for September 9, 2016

Friday 9th of September 2016 12:08:16 AM
The LWN.net Weekly Edition for September 9, 2016 is available.

A bite of Python (Red Hat Security Blog)

Thursday 8th of September 2016 05:59:11 PM
On the Red Hat Security Blog, Ilya Etingof describes some traps for the unwary in Python, some of which have security implications. "Being easy to pick up and progress quickly towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. Though apparent language clarity and friendliness could lull the vigilance of software engineers and system administrators -- luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked at; experienced developers may well be aware of the peculiarities that follow." (Thanks to Paul Wise.)
