Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 6 hours 50 min ago

Security advisories for Wednesday

Wednesday 25th of June 2014 04:21:35 PM

Fedora has updated rb_libtorrent (F19: stop UPNP from opening port 0) and wireshark (F20: denial of service).

openSUSE has updated ctdb (13.1, 12.3: insecure temporary files), kernel (13.1: multiple vulnerabilities), and php5 (13.1, 12.3: code execution).

Red Hat has updated kernel (RHEL7: multiple vulnerabilities).

Slackware has updated bind (two vulnerabilities), gnupg (denial of service), gnupg2 (denial of service), samba (multiple vulnerabilities), and seamonkey (multiple vulnerabilities).

SUSE has updated firefox (SLES11 SP2 LTSS: multiple vulnerabilities), kernel (SLES11 Unsupported Extras; SLES11 SP2 LTSS: privilege escalation), and rxvt-unicode (SLE11 SP3: command execution).

No more updates for Freecode

Tuesday 24th of June 2014 07:00:22 PM
The Freecode site (once known as Freshmeat), has announced that they are no longer updating entries. "Freecode has been the Web's largest index of Linux, Unix and cross-platform software, and mobile applications. Thousands of applications, which are preferably released under an open source license, were meticulously cataloged in the Freecode database, but links to new applications and releases are no longer being added. Each entry provides a description of the software, links to download it and to obtain more information, and a history of the project's releases."

Tuesday's security updates

Tuesday 24th of June 2014 04:12:36 PM

openSUSE has updated wireshark (13.1: denial of service).

SUSE has updated firefox (SLES11 SP1 LTSS, SLES10 SP4 LTSS: multiple vulnerabilities).

Steps to diversity in your open source group (Opensource.com)

Monday 23rd of June 2014 08:29:41 PM
Opensource.com covers a talk by Coraline Ehmke about diversity in open source. "She came at the topic from the angle of diversity as a value of the culture of our groups. By now we've heard from many open source thought leaders on why we need diversity in open source—arguments mainly center around the more people of the greater population that we include in our groups, and make feel welcome to our groups, the better our results will be. Why? Coraline points to a study indicating that groupthinking is a real thing—we tend to agree with and value the things that are said and done by other people that are simply like us. So, the presence of someone different in our group increases accuracy by reducing knee-jerk agreements."

[$] Questioning EXPORT_SYMBOL_GPL()

Monday 23rd of June 2014 07:36:08 PM
There have been arguments about the legality of binary-only kernel modules for almost as long as the kernel has had loadable module support. One of the key factors in this disagreement is the EXPORT_SYMBOL_GPL() directive, which is intended to keep certain kernel functions out of the reach of proprietary modules. A recent discussion about the merging of a proposed new kernel subsystem has revived some questions about the meaning and value of EXPORT_SYMBOL_GPL() — and whether it is worth bothering with at all.

Security advisories for Monday

Monday 23rd of June 2014 05:01:35 PM

Debian has updated iodine (authentication bypass), samba (multiple vulnerabilities), and tiff (code execution).

Fedora has updated kernel (F19: privilege escalation), python-jinja2 (F20; F19: code execution), and rb_libtorrent (F20: stop UPNP from opening port 0).

Gentoo has updated curl (two vulnerabilities), nginx (code execution), and nss (multiple vulnerabilities).

Mageia has updated ansible (MG4: insecure evaluation function), kernel (MG3: multiple vulnerabilities), pdns (denial of service), sendmail (denial of service), and smb4k (credential cache leak).

SUSE has updated firefox (SLE11 SP3, SLES10 SP3 LTSS: multiple vulnerabilities).

Ubuntu has updated libreoffice (14.04 LTS: unexpected VBA macro execution), php5 (multiple vulnerabilities), and openssl (regression in previous update).

NetworkManager 0.9.10 released

Sunday 22nd of June 2014 01:33:29 PM
NetworkManager 0.9.10 is out with a long list of new features including a curses-based management interface, more modular device support, data center bridging support, many new customization options, better cooperation with other network management tools, and more. (Correction: the release is almost out, being planned for "later this week").

Kernel prepatch 3.16-rc2

Sunday 22nd of June 2014 01:16:14 PM
The second 3.16 prepatch is out. Linus says: "It's a day early, but tomorrow ends up being inconvenient for me due to being on the road most of the day, so here you are. These days most people send me their pull requests and patches during the week, so it's not like I expect that a Sunday release would have made much of a difference. And it's also not like I didn't have enough changes for making a rc2 release."

PyPy3 2.3.1 released

Saturday 21st of June 2014 08:57:13 PM
The PyPy3 2.3.1 release has been announced. This is the first stable release that supports version 3 of the Python language; it also has a number of performance improvements.

Microformats turn 9 years old

Friday 20th of June 2014 10:44:15 PM

At his blog, Tantek Çelik writes about the ninth birthday of the microformats effort, which seeks to express semantic information in web pages through the use of attribute names within HTML elements, in contrast to comparatively "heavyweight" schemes like RDFa and Microdata. Çelik notes that the community-driven process of microformats' development seems to have enabled its survival. "Looking back nine years ago, none of the other alternatives promoted in the 2000s (even by big companies like Google and Yahoo) survive to this day in any meaningful way," he says. "Large companies tend to promote more complex solutions, perhaps because they can afford the staff, time, and other resources to develop and support complex solutions. Such approaches fundamentally lack empathy for independent developers and designers, who don't have time to keep up with all the complexity." In addition to his analysis about the past nine years (including an exploration of the down side of email-based discussions), Çelik takes the occasion to announce that microformats2 has now been upgraded to the status of ready-to-use recommendation, and points site maintainers to tools to support the transition.

Friday's security updates

Friday 20th of June 2014 04:34:27 PM

CentOS has updated kernel (C6: multiple vulnerabilities).

Fedora has updated polarssl (F19; F20: information disclosure) and sendmail (F19: file descriptor leak).

Mageia has updated cups-filter (M4: multiple vulnerabilities) and tomcat, tomcat6 (M3, M4: multiple vulnerabilities).

openSUSE has updated castor (12.3, 13.1: XML injection), dbus-1 (12.3, 13.1: denial of service), and MozillaFirefox, (12.3, 13.1: multiple vulnerabilities).

Oracle has updated kernel (O6: multiple vulnerabilities).

Red Hat has updated kernel (RHEL5; RHEL6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL6: multiple vulnerabilities).

Ubuntu has updated EC2 kernel (10.04: multiple vulnerabilities) and kernel (10.04: multiple vulnerabilities).

US Supreme Court rules against software patents

Thursday 19th of June 2014 03:10:56 PM
In April, LWN reported on the case of Alice Corp. v. CLS Bank International, which addresses the issue of whether ideas implemented in software are patentable. The ruling [PDF] is now in: a 9-0 decision against patentability. "We hold that the claims at issue are drawn to the abstract idea of intermediated settlement, and that merely requiring generic computer implementation fails to transform that abstract idea into a patent-eligible invention."

Security updates for Thursday

Thursday 19th of June 2014 02:29:42 PM

Fedora has updated kernel (F20: privilege escalation).

Gentoo has updated rxvt-unicode (code execution).

Mageia has updated dbus (denial of service), kernel (M4: three vulnerabilities), musl (M4: code execution), qt3 (two denial of service flaws), and wireshark (M4: denial of service).

Red Hat has updated foreman-proxy (OSP3&4: shell command injection) and rubygem-openshift-origin-node (OSE2.1; OSE2.0; OSE1.2.8: code execution).

Ubuntu has updated cinder (14.04, 13.10: privilege escalation), heat (14.04: information leak), and thunderbird (14.04, 13.10, 12.04: three vulnerabilities).

Debian switching back to Glibc

Thursday 19th of June 2014 02:20:47 PM
Aurelien Jarmo reports that the Debian Project is switching back to the GNU C Library and will no longer ship the EGLIBC fork. The reason is simple: the changes in the Glibc project mean that EGLIBC is no longer needed and is no longer under development. "This has resulted in a much more friendly development based on team work with good cooperation. The development is now based on peer review, which results in less buggy code (humans do make mistakes). It has also resulted in things that were clearly impossible before, like using the same repository for all architectures, and even getting rid of the ports/ directory."

30 years of X

Thursday 19th of June 2014 01:59:03 PM
The X.Org Foundation reminds us that the first announcement for the X Window System came out on June 19, 1984. "The X developers have pushed the boundaries and moved X from a system originally written to run on the CPU of a VAX VS100 to one that runs the GUI on today's laptops with 3D rendering capabilities. Indeed, X predates the concept of a Graphics Processing Unit (GPU) as we currently know it, and even the company that popularized this term in 1999, Nvidia." Congratulations to one of the oldest and most successful free software projects out there.

[$] LWN.net Weekly Edition for June 19, 2014

Thursday 19th of June 2014 01:03:12 AM
The LWN.net Weekly Edition for June 19, 2014 is available.

Security advisories for Wednesday

Wednesday 18th of June 2014 05:14:58 PM

Debian has updated lucene-solr (multiple vulnerabilities) and nspr (code execution).

Fedora has updated dovecot (F19: denial of service), libfep (F20; F19: privilege escalation), lynis (F20: privilege escalation), mod_wsgi (F20; F19: two vulnerabilities), php (F20; F19: denial of service), php-doctrine-orm (F20; F19: denial of service), php-horde-Horde-Ldap (F19: check for empty passwords), php-phpunit-PHPUnit-MockObject (F20; F19: denial of service), and python-djblets (F20; F19: cross-site scripting).

openSUSE has updated miniupnpc (13.1, 12.3: denial of service), rxvt-unicode (13.1, 12.3: command execution), and typo3-cms-4_5 (13.1, 12.3: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities) and kernel (SLES11 SP1 LTSS: multiple vulnerabilities).

Ubuntu has updated apt (invalid source package authentication) and nova (14.04 LTS, 13.10, 12.04 LTS: multiple vulnerabilities).

[$] Android without the mothership

Wednesday 18th of June 2014 02:10:37 PM
The success of Android has brought Linux to many millions of new users and that, in turn, has increased the development community for Linux itself. But those who value free software and privacy can be forgiven for seeing Android as a step backward in some ways; Android systems include significant amounts of proprietary software, and they report vast amounts of information back to the Google mothership. But Android is, at its heart, an open-source system, meaning that it should be possible to cast it into a more freedom- and privacy-respecting form. Your editor has spent some time working on that goal; the good news is that it is indeed possible to create a (mostly) free system on the Android platform.

Poettering: Factory Reset, Stateless Systems, Reproducible Systems & Verifiable Systems

Tuesday 17th of June 2014 09:57:31 PM
On his blog, Lennart Poettering writes about new systemd features that will make it easier to "factory reset" systems back to their initial configuration. By handling /etc and /var differently, it will also support other use cases, such as "stateless" systems that store no persistent configuration, as well as "reproducible" and "verifiable" systems. "Booting up a system without a populated /var is relatively straight-forward. With a few lines of tmpfiles configuration it is possible to populate /var with its basic structure in a way that is sufficient to make a system boot cleanly. systemd version 214 and newer ship with support for this. Of course, support for this scheme in systemd is only a small part of the solution. While a lot of software reconstructs the directory hierarchy it needs in /var automatically, many software does not. In case like this it is necessary to ship a couple of additional tmpfiles lines that setup up at boot-time the necessary files or directories in /var to make the software operate, similar to what RPM or DEB packages would set up at installation time. Booting up a system without a populated /etc is a more difficult task. In /etc we have a lot of configuration bits that are essential for the system to operate, for example and most importantly system user and group information in /etc/passwd and /etc/group. If the system boots up without /etc there must be a way to replicate the minimal information necessary in it, so that the system manages to boot up fully."

LibreOffice bug hunting event

Tuesday 17th of June 2014 08:00:38 PM
The Document Foundation (TDF) has announced a LibreOffice 4.3 bug hunting session on June 20-22. "The community has already made a large collective effort to make LibreOffice 4.3 the best ever, based on automated stress tests and structured tests by Quality Assurance volunteers. Enterprise and individual LibreOffice users can now contribute to the quality of the best free office suite ever by testing the release candidate to identify issues in their preferred user scenario." See the wiki page for more information about the hunt.