LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Samba 4.1.11 and 4.0.21 Security Releases Available

Friday 1st of August 2014 05:03:04 PM
The Samba Team has put out an important-looking set of releases. "All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite the heap of the target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser (root)."

Security advisories for Friday

Friday 1st of August 2014 04:25:52 PM

CentOS has updated kernel (C6: multiple vulnerabilities).

Fedora has updated bugzilla (F20: cross-site request forgery), kernel (F20: multiple vulnerabilities), openstack-neutron (F20: denial of service), and sdcc (F20; F19: remote denial of service).

openSUSE has updated kernel (12.3: multiple vulnerabilities).

SUSE has updated lzo (SLES11&10: denial of service/possible code execution).

Stable kernel updates

Thursday 31st of July 2014 11:10:58 PM
Stable kernels 3.15.8, 3.14.15, 3.10.51, and 3.4.101 have been released. All contain important fixes.

This thumbdrive hacks computers. (Ars Technica)

Thursday 31st of July 2014 06:53:29 PM
Ars Technica takes a look at an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms. "Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices."

Thursday's security updates

Thursday 31st of July 2014 04:43:47 PM

Debian has updated nss (multiple vulnerabilities) and tor (traffic confirmation attack).

Fedora has updated cups (F20: privilege escalation).

Mandriva has updated dbus (BS1.0: two denial of service flaws), file (BS1.0: denial of service), live (BS1.0: code execution), php-ZendFramework (BS1.0: SQL injection), and sendmail (BS1.0: denial of service).

openSUSE has updated apache2-mod_wsgi (13.1: off-by-one error), firefox (13.1, 12.3: multiple vulnerabilities), gpg2 (11.4: denial of service), memcached (11.4: multiple vulnerabilities), Mozilla (11.4: multiple vulnerabilities), ntp (13.1, 12.3: denial of service), php5 (13.1, 12.3: multiple vulnerabilities), ppc64-diag (13.1; 12.3: two vulnerabilities), pulseaudio (13.1, 12.3: denial of service), samba (11.4: two vulnerabilities), php5 (11.4: code execution), and xalan-j2 (11.4: information disclosure/code execution).

Red Hat has updated openstack-keystone (RHELOS3&4: privilege escalation).

Ubuntu has updated kde4libs (14.04 LTS, 12.04 LTS: ), tomcat6, tomcat7 (14.04 LTS, 12.04 LTS, 10.04 LTS: multiple vulnerabilities), and unity (14.04 LTS: command execution).

[$] LWN.net Weekly Edition for July 31, 2014

Thursday 31st of July 2014 12:54:26 AM
The LWN.net Weekly Edition for July 31, 2014 is available.

Akademy 2014 Keynotes: Sascha Meinrath and Cornelius Schumacher

Wednesday 30th of July 2014 05:58:15 PM
KDE.News looks at Akademy keynote speakers Sascha Meinrath and Cornelius Schumacher. "Akademy 2014 will kick off on September 6 in Brno, Czech Republic; our keynote speakers will be opening the first two days. Continuing a tradition, the first keynote speaker is from outside the KDE community, while the second is somebody you all know. On Saturday, Sascha Meinrath will speak about the dangerous waters he sees our society sailing into, and what is being done to help us steer clear of the cliffs. Outgoing KDE e.V. Board President, Cornelius Schumacher, will open Sunday's sessions with a talk about what it is to be KDE and why it matters."

[$] Wayland in GNOME: two progress reports

Wednesday 30th of July 2014 05:28:21 PM
The X11 replacement protocol Wayland has been in development since 2010. Compared to X11 itself, it is still a relatively new project, but the enthusiasm with which distributions and large software projects announced their intent to support Wayland makes it at least understandable that users would ask how much longer they need to wait before Wayland is made available to them. At GUADEC 2014 in Strasbourg, France, a pair of talks presented the latest status of Wayland support in various GNOME desktop components.

Security advisories for Wednesday

Wednesday 30th of July 2014 04:02:58 PM

Fedora has updated moodle (F20; F19: multiple vulnerabilities) and phpMyAdmin (F20; F19: multiple vulnerabilities).

Mageia has updated apache (MG4; MG3: multiple vulnerabilities).

Mandriva has updated apache (BS1.0: multiple vulnerabilities), java-1.7.0-openjdk (BS1.0: multiple vulnerabilities), owncloud (BS1.0: undisclosed vulnerability), and phpmyadmin (BS1.0: multiple vulnerabilities).

Oracle has updated kernel (OL6: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL6: multiple vulnerabilities).

GDB 7.8 released

Wednesday 30th of July 2014 01:42:47 PM
Version 7.8 of the GDB debugger is out. New features include support for scripting in the Guile language, better Python scripting, support for debugging on little-endian PowerPC64 systems, handling of C99 variable-length arrays, and more.

LibreOffice 4.3 released

Wednesday 30th of July 2014 12:17:47 PM
The LibreOffice 4.3 release is available. New features include improved document interoperability, better comment management, "intuitive spreadsheet handling," 3D models in Impress, and more. See the release notes for details. "LibreOffice 4.3 also supports 'monster' paragraphs exceeding 65,000 characters (an example of an 11 years old bug solved thanks to the modernization of the OOo source code, which is an exclusive function of LibreOffice)."

[$] The EFF launches a router project

Tuesday 29th of July 2014 04:12:39 PM
The Electronic Frontier Foundation is probably best known for its work in the political arena. But the EFF also occasionally tries to make change happen more directly by releasing interesting technologies of its own. The organization's July 20 announcement of the Open Wireless Router project is an example of this type of initiative. Your editor has long been concerned about the state of home (and small business) router software, so it made sense to take a look. What was revealed is a project with some interesting potential — but that potential may take more resources than are currently available to realize.

openSUSE Factory becomes a rolling-release distribution

Tuesday 29th of July 2014 04:06:19 PM
The openSUSE project has announced that the "Factory" development distribution has been reworked into an independent distribution using a rolling-release model. "With a daily fresh Factory distribution making it easier for those who want to preview and test, we hope to see more users and contributors, leading to faster fixes and even higher quality. Factory is critical as it provides the base technology for openSUSE and SUSE Linux Enterprise, which is used by tens of thousands of organizations around the world."

Tuesday's security updates

Tuesday 29th of July 2014 03:31:47 PM

Debian has updated kernel (multiple vulnerabilities).

Fedora has updated drupal6 (F20; F19: multiple vulnerabilities) and drupal7 (F20; F19: multiple vulnerabilities).

Mandriva has updated nss (BS1.0: code execution).

Red Hat has updated kernel (RHEL6.2: privilege escalation).

Android crypto blunder exposes users to highly privileged malware (Ars Technica)

Tuesday 29th of July 2014 01:37:04 PM
Ars Technica reports on a newly disclosed Android vulnerability. It seems that some apps are hard-coded into the system as having special privileges. "According to Jeff Forristal, CTO of Bluebox Security, Android fails to verify the chain of certificates used to certify an app belongs to this elite class of super privileged programs. As a result, a maliciously developed app can include an invalid certificate claiming it's Flash, Wallet, or any other app hard coded into Android. The OS, in turn, will give the rogue app the same special privileges assigned to the legitimate app without ever taking the time to detect the certificate forgery."

An Indiegogo campaign for the Ottawa Linux Symposium

Monday 28th of July 2014 09:06:45 PM
Andrew Hutton, the organizer of the Ottawa Linux Symposium, has put together an Indiegogo campaign to try to raise funds for this event, which has fallen on hard times in recent years. "When I admitted that this year would likely be the last OLS many people expressed a desire to do something to help. This crowdfunding campaign is the best way I could think of to reach out and offer the community a way to help."

Chris Beard Named CEO of Mozilla

Monday 28th of July 2014 08:11:28 PM
Mitchell Baker announced that Chris Beard has been appointed CEO of Mozilla Corp. "Over the years, Chris has led many of Mozilla’s most innovative projects. We have relied on his judgment and advice for nearly a decade. Chris has a clear vision of how to take Mozilla’s mission and turn it into industry-changing products and ideas."

Stable kernel updates

Monday 28th of July 2014 06:11:06 PM
Greg KH has released stable kernels 3.15.7, 3.14.14, 3.10.50, and 3.4.100. All contain important fixes throughout the tree.

Security advisories for Monday

Monday 28th of July 2014 04:39:53 PM

Debian has updated cups (privilege escalation) and modsecurity-apache (rules bypass).

Fedora has updated audacious-plugins (F20: denial of service), cinnamon (F20: denial of service), cinnamon-control-center (F20: denial of service), cinnamon-settings-daemon (F20: denial of service), cobbler (F20; F19: path traversal), control-center (F20: denial of service), empathy (F20: denial of service), ffgtk (F20: denial of service), firefox (F19: multiple vulnerabilities), fldigi (F20: denial of service), fluidsynth (F20: denial of service), gnome-settings-daemon (F20: denial of service), gnome-shell (F20: denial of service), gqrx (F20: denial of service), gstreamer1-plugins-good (F20: denial of service), guacamole-server (F20: denial of service), java-1.7.0-openjdk (F20: denial of service), libmikmod (F20: denial of service), minimodem (F20: denial of service), mumble (F20: denial of service), paprefs (F20: denial of service), phonon (F20: denial of service), pulseaudio (F20: denial of service), qemu (F20: denial of service), qmmp (F20: denial of service), qt (F20: denial of service), qt-mobility (F20: denial of service), qt5-qtmultimedia (F20: denial of service), sidplayfp (F20: denial of service), speech-dispatcher (F20: denial of service), sphinxtrain (F20: denial of service), spice-gtk (F20: denial of service), thunderbird (F20: multiple vulnerabilities), xmp (F20: denial of service), and zarafa (F20; F19: information disclosure).

Gentoo has updated openssl (multiple vulnerabilities).

Mageia has updated asterisk (multiple vulnerabilities), avidemux (undisclosed vulnerabilities), cacti (MG4: multiple vulnerabilities), dbus (two denial of service flaws), java-1.7.0-openjdk (multiple vulnerabilities), live555, vlc, mplayer (code execution), mariadb (unidentified vulnerabilities), nss, firefox, thunderbird (multiple vulnerabilities), owncloud (undisclosed vulnerability), pidgin (code execution), ruby-actionpack (MG4: two vulnerabilities), and transmission (code execution).

Oracle has updated kernel (OL5: two vulnerabilities).

Kernel prepatch 3.16-rc7

Sunday 27th of July 2014 10:42:43 PM
Linus has released 3.16-rc7. "We obviously *do* have various real fixes in here, but none of them look all that special or worrisome. And rc7 is finally noticeably smaller than previous rc's, so we clearly are calming down. So unlike my early worries, this might well be the last rc, we'll see how next week looks/feels."

More in Tux Machines

What the Linux Foundation Does for Linux

Jim Zemlin, the executive director of the Linux Foundation, talks about Linux a lot. During his keynote at the LinuxCon USA event here, Zemlin noted that it's often difficult for him to come up with new material for talking about the state of Linux at this point. Every year at LinuxCon, Zemlin delivers his State of Linux address, but this time he took a different approach. Zemlin detailed what he actually does and how the Linux Foundation works to advance the state of Linux. Fundamentally it's all about enabling the open source collaboration model for software development. "We are seeing a shift now where the majority of code in any product or service is going to be open source," Zemlin said. Zemlin added that open source is the new Pareto Principle for software development, where 80 percent of software code is open source. The nature of collaborative development itself has changed in recent years. For years the software collaboration was achieved mostly through standards organizations.

Arch-based Linux distro KaOS 2014.08 is here with KDE 4.14.0

The Linux desktop community has reached a sad state. Ubuntu 14.04 was a disappointing release and Fedora is taking way too long between releases. Hell, OpenSUSE is an overall disaster. It is hard to recommend any Linux-based operating system beyond Mint. Even the popular KDE plasma environment and its associated programs are in a transition phase, moving from 4.x to 5.x. As exciting as KDE 5 may be, it is still not ready for prime-time; it is recommended to stay with 4 for now.

diff -u: What's New in Kernel Development

One problem with Linux has been its implementation of system calls. As Andy Lutomirski pointed out recently, it's very messy. Even identifying which system calls were implemented for which architectures, he said, was very difficult, as was identifying the mapping between a call's name and its number, and mapping between call argument registers and system call arguments. Some user programs like strace and glibc needed to know this sort of information, but their way of gathering it together—although well accomplished—was very messy too.

GNU hackers discover HACIENDA government surveillance and give us a way to fight back

GNU community members and collaborators have discovered threatening details about a five-country government surveillance program codenamed HACIENDA. The good news? Those same hackers have already worked out a free software countermeasure to thwart the program. According to Heise newspaper, the intelligence agencies of the United States, Canada, United Kingdom, Australia, and New Zealand have used HACIENDA to map every server in twenty-seven countries, employing a technique known as port scanning. The agencies have shared this map and use it to plan intrusions into the servers. Disturbingly, the HACIENDA system actually hijacks civilian computers to do some of its dirty work, allowing it to leech computing resources and cover its tracks.