LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security updates for Thursday

Thursday 16th of July 2015 02:52:01 PM

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities), java-1.8.0-openjdk (C7; C6: many vulnerabilities), and kernel (C6: multiple vulnerabilities, one from 2011).

Debian-LTS has updated python-django (three vulnerabilities).

Fedora has updated cryptopp (F22; F21: information disclosure), drupal7-feeds (F22; F21: three vulnerabilities), rsyslog (F22: denial of service), and springframework (F22; F21: denial of service).

openSUSE has updated bind (13.2; 13.1: three vulnerabilities, one from 2014).

Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified), java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: denial of service).

Scientific Linux has updated java-1.7.0-openjdk (SL5; SL6&7: many vulnerabilities), java-1.8.0-openjdk (SL6&7: many vulnerabilities), and kernel (SL6: multiple vulnerabilities, one from 2011).

Rkt 0.7.0 released

Thursday 16th of July 2015 08:30:52 AM
Version 0.7.0 of the rkt container runtime system is available. "This release includes new subcommands for a rkt image to manipulate images from the local store, a new build system based on autotools and integration with SELinux. These new capabilities improve the user experience, make it easier to build future features and improve security isolation between containers."

[$] LWN.net Weekly Edition for July 16, 2015

Thursday 16th of July 2015 12:22:23 AM
The LWN.net Weekly Edition for July 16, 2015 is available.

[$] Python 3.5 is on its way

Wednesday 15th of July 2015 06:34:20 PM

It has been nearly a year and a half since the last major Python release, which was 3.4 in March 2014—that means it is about time for Python 3.5. We looked at some of the new features in 3.4 at the time of its first release candidate, so the announcement of the penultimate beta release for 3.5 seems like a good time to see what will be coming in the new release.

Bruce Schneier: IT Teams Need Cyberattack Response Planning More Than Prevention (Linux.com)

Wednesday 15th of July 2015 06:11:31 PM
Linux.com has an interview with Bruce Schneier. "Schneier: The most important takeaway is that we are all vulnerable to this sort of attack. Whether it's nation-state hackers (Sony), hacktivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it. Because as more people wake up and realize how devastating an attack it is, the more we're going to see it."

Security updates for Wednesday

Wednesday 15th of July 2015 04:22:50 PM

openSUSE has updated cups-filters (13.2: multiple vulnerabilities) and libunwind (13.2; 13.1: buffer overflow).

Oracle has updated kernel (OL6: multiple vulnerabilities).

Red Hat has updated java-1.7.0-openjdk (RHEL6,7; RHEL5: multiple vulnerabilities) and java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).

Ubuntu has updated firefox (12.04: multiple vulnerabilities).

FSF and SFC work with Canonical on an "intellectual property" policy update

Wednesday 15th of July 2015 02:49:51 PM
The Free Software Foundation (FSF) and Software Freedom Conservancy (SFC) have both put out statements about a change to the Canonical, Ltd. "intellectual property" policy that was negotiated over the last two years (FSF statement and SFC statement). Effectively, Canonical has added a "trump clause" that clarifies that the licenses of the individual packages override the Canonical policy when there is a conflict. Though, as SFC points out: "While a trump clause is a reasonable way to comply with the GPL in a secondary licensing document, the solution is far from ideal. Redistributors of Ubuntu have little choice but to become expert analysts of Canonical, Ltd.'s policy. They must identify on their own every place where the policy contradicts the GPL. If a dispute arises on a subtle issue, Canonical, Ltd. could take legal action, arguing that the redistributor's interpretation of GPL was incorrect. Even if the redistributor was correct that the GPL trumped some specific clause in Canonical, Ltd.'s policy, it may be costly to adjudicate the issue." While backing the change made, both FSF and SFC recommend further changes to make the situation even more clear.

An interview with Larry Wall (LinuxVoice)

Wednesday 15th of July 2015 10:23:52 AM
LinuxVoice has an interview with Perl creator Larry Wall. "So I was the language designer, but I was almost explicitly told: 'Stay out of the implementation! We saw what you did made out of Perl 5, and we don’t like it!' It was really funny because the innards of the new implementation started looking a whole lot like Perl 5 inside, and maybe that’s why some of the early implementations didn’t work well."

How to win the copyleft fight—without litigation (Opensource.com)

Tuesday 14th of July 2015 10:17:30 PM
Opensource.com has an interview with Bradley Kuhn. "I continued on in my professional career, which included developing and supporting proprietary software, but I found that the lack of source code and/or the ability to rebuild it myself constantly hampered my ability to do my job. Proprietary software companies today are more careful to give 'some open source'; thus, many technology professionals don't realize until it's too late how crippling proprietary software can be when you rely on it every day. In the mid 1990s, hardly any business software license gave us software freedom, so denying our rights to practice our profession (i.e., fix software) made many of us hate our jobs. I considered leaving the field of software entirely because I disliked working with proprietary software so much. Those experiences made me a software freedom zealot. I made a vow that I never wanted any developer or sysadmin to feel the constraints of proprietary software licensing, which limits technologists by what legal agreements their company's lawyers can negotiate rather than their technical skill."

NSA releases Linux-based open source infosec tool (ITNews)

Tuesday 14th of July 2015 07:16:38 PM
ITNews reports that the US National Security Agency is in the process of releasing its systems integrity management platform - SIMP. "SIMP helps to keep networked systems compliant with security standards, the NSA said, and should form part of a layered, "defence-in-depth" approach to information security. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies." Currently only RHEL and CentOS versions 6.6 and 7.1 are supported.

Tuesday's security advisories

Tuesday 14th of July 2015 04:45:15 PM

Fedora has updated cups-filters (F22: code execution), firefox (F22; F21: multiple vulnerabilities), libssh (F22: denial of service), openssl (F22; F21: certificate verification botch), openvas-cli (F22: sql injection), openvas-libraries (F22: sql injection), openvas-manager (F22: sql injection), openvas-scanner (F22: sql injection), pcre (F22: two vulnerabilities), polkit (F22: multiple vulnerabilities), rubygem-moped (F22; F21: denial of service), and wesnoth (F22; F21: information leak).

openSUSE has updated roundcubemail (13.1: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6: multiple vulnerabilities).

[$] Why Debian returned to FFmpeg

Monday 13th of July 2015 08:11:02 PM
Slightly less than one year ago, the Debian community had an extended discussion on whether the FFmpeg multimedia library should return to the distribution. Debian had followed the contentious libav fork when it happened in 2011, but some community members were starting to have second thoughts about that move. At the time, the discussion died out without any changes being made, but the seeds had evidently been planted; on July 8, the project's multimedia developers announced that not only was FFmpeg returning to Debian, but it would be replacing libav.

Security advisories for Monday

Monday 13th of July 2015 04:48:24 PM

Arch Linux has updated krb5 (two vulnerabilities), lib32-krb5 (two vulnerabilities), lib32-openssl (certificate verification botch), and thunderbird (multiple vulnerabilities).

Debian-LTS has updated bind9 (denial of service) and libunwind (buffer overflow).

Fedora has updated cups-x2go (F21: multiple vulnerabilities), libwmf (F22: multiple vulnerabilities), mariadb (F21: man-in-the-middle attack), openssh (F22; F21: restriction bypass), and s3ql (F22; F21: code execution).

Gentoo has updated libcapsinetwork (denial of service).

openSUSE has updated Firefox, nss (13.2, 13.1: multiple vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated MySQL (SLES11SP2,SP1: cipher-downgrade attacks) and kernel (SLES11SP3: multiple vulnerabilities).

Kernel prepatch 4.2-rc2

Sunday 12th of July 2015 11:22:53 PM
The second 4.2 prepatch is available for testing. "This is not a particularly big rc, and things have been fairly calm. We definitely did have some problems in -rc1 that bit people, but they all seemed to be pretty small, and let's hope that -rc2 ends up having fewer annoying issues."

Jones: Future development of Trinity

Sunday 12th of July 2015 11:21:27 PM
Here's a discouraging blog post from Dave Jones on why he will no longer be developing the Trinity fuzz tester. "It’s no coincidence that the number of bugs reported found with Trinity have dropped off sharply since the beginning of the year, and I don’t think it’s because the Linux kernel suddenly got lots better. Rather, it’s due to the lack of real ongoing development to 'try something else' when some approaches dry up. Sadly we now live in a world where it’s easier to get paid to run someone else’s fuzzer these days than it is to develop one."

Microservices 101: The good, the bad and the ugly (ZDNet)

Friday 10th of July 2015 10:26:12 PM
ZDNet has an interview about "microservices" with Red Hat VP of engineering for middleware, Dr. Mark Little. Microservices are a relatively recent software architecture that relies on small, easily replaced components and is an alternative to the well-established service-oriented architecture (SOA)—but it is not a panacea: "'Just because you adopt microservices doesn't suddenly mean your badly architected ball of mud is suddenly really well architected and no longer a ball of mud. It could just be lots of distributed balls of mud,' Little said. 'That worries me a bit. I've been around service-oriented architecture for a long time and know the plus points and the negative points. I like microservices because it allows us to focus on the positive points but it does worry me that people see it as the answer to a lot of problems that it's never going to be the answer for.'"

A new crop of stable kernels

Friday 10th of July 2015 07:53:51 PM
Greg Kroah-Hartman has announced the release of the 4.1.2, 4.0.8, 3.14.48, and 3.10.84 stable kernels. All contain important fixes and users should upgrade. In addition, this is the second to last 4.0.x release (i.e. there will be a 4.0.9, but that's the last), so users should be making plans to move to 4.1.x.

Friday's security updates

Friday 10th of July 2015 02:51:22 PM

Arch Linux has updated openssl (certificate verification botch).

CentOS has updated php (C6: many vulnerabilities, some from 2014).

Debian has updated pdns (full fix for denial of service) and pdns-recursor (full fix for denial of service).

Gentoo has updated adobe-flash (multiple vulnerabilities, one from 2014), chromium (multiple vulnerabilities), mysql (multiple vulnerabilities), net-snmp (denial of service from 2014), openssl (certificate verification botch), oracle-jre-bin (multiple vulnerabilities, some from 2014), perl (denial of service from 2013), portage (certificate verification botch from 2013), pypam (code execution from 2012), and t1utils (multiple vulnerabilities).

Mageia has updated openssl (certificate verification botch).

openSUSE has updated MariaDB (13.2, 13.1: many vulnerabilities, some from 2014).

Oracle has updated php (OL6: many vulnerabilities, some from 2014).

Red Hat has updated php (RHEL6: many vulnerabilities, some from 2014) and php54-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated php (SL6: many vulnerabilities, some from 2014).

Slackware has updated openssl (certificate verification botch).

Ubuntu has updated firefox (15.04, 14.10, 14.04: multiple vulnerabilities) and nss (two vulnerabilities).

Security advisories for Thursday

Thursday 9th of July 2015 03:04:18 PM

Debian has updated python-django (two vulnerabilities).

Mageia has updated bind (denial of service), cups-filters (two code execution vulnerabilities), flash-player-plugin (many vulnerabilities), openssh (access restriction bypass), and virtuoso-opensource (multiple unspecified vulnerabilities).

openSUSE has updated flash-player (11.4: unspecified vulnerabilities), libwmf (13.2, 13.1: multiple vulnerabilities), mysql-community-server (13.2, 13.1: cipher downgrade), tiff (13.2, 13.1: multiple vulnerabilities), and wireshark (13.2: two denial of service vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

SUSE has updated flash-player (SLE12: many vulnerabilities).

Ubuntu has updated python-django (two vulnerabilities).

A new OpenSSL vulnerability

Thursday 9th of July 2015 01:42:32 PM
The OpenSSL project has disclosed a new certificate validation vulnerability. "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and 'issue' an invalid certificate." This is thus a client-side, man-in-the-middle vulnerability.

Note that the affected versions of OpenSSL were released in mid-June; anybody with an older release should not be vulnerable.

More in Tux Machines

KDE and Akademy

  • Plasma 5: Keeping an Eye on the Disk Quota
    At this year’s KDE conference Akademy, I was working on a small plasmoid to continuously track the disk quota. The disk quota is usually used in enterprise installations where network shares are mounted locally. Typically, sysadmins want to avoid that users copy lots of data into their folders, and therefore set quotas (the quota limit has nothing to do with the physical size of a partition). Typically, once a user gets over the hard limit of the quota, the account is blocked and the user cannot log in anymore. This happens from time to time, since the users are not really aware of the current quota limit and the already used disk space.
  • KDEPIM 5.0
    KDEPIM 5.0 is the port of kdepim to kf5/qt5.
  • rsibreak port to KF5 started!
    I just started the port of rsibreak to KF5.
  • Akademy 2015
  • Akademy 2015 and Akademy-es 2015 recap
    Finally, thanks to both the Akademy and Akademy-es sponsors. Especially Qindel, that sponsored us for the first time; hope we can continue the relationship in the future.
  • Plasma 5 (KDE) In Testing
    A few days ago, fellow Qt/KDE team member Lisandro gave an update on the situation with migration to Plasma 5 in Debian Testing (AKA Stretch). It’s changed again. All of Plasma 5 is now in Testing. The upgrade probably won’t be entirely smooth, which we’ll work on after the gcc5 transition is done, but it will be much better than the half KDE4 SC, half KF5/Plasma 5 situation we’ve had for the last several days.

Red Hat and Fedora

Red Hat:
  • Red Hat support evolves with new Access Insights services
    Open source users flock to Red Hat for enterprise support, but not all subscribers like the way the company handles IT issues. The company recently launched an updated support service. User experience is important to Red Hat Inc., and it dedicated its day-three keynote at the Red Hat Summit last month to its support.
  • Citrix, Red Hat Helping Startup Companies Launch in Raleigh, N.C.
    Raleigh has seen a 23% increase in IT jobs
  • Red Hat Receives Average Recommendation of “Buy” from Analysts (NYSE:RHT)
    Several research firms have weighed in on RHT. Northland Securities reissued a “buy” rating and set a $92.00 target price (up from $85.00) on shares of Red Hat in a report on Thursday, June 25th. Northland Capital Partners upped their price objective on Red Hat from $85.00 to $92.00 in a report on Thursday, June 25th. Cantor Fitzgerald reiterated a “buy” rating on shares of Red Hat in a research report on Friday, June 26th. Deutsche Bank restated a “hold” rating and set a $75.00 price objective (up from $70.00) on shares of Red Hat in a research report on Thursday, July 2nd. Finally, JPMorgan Chase & Co. reaffirmed an “overweight” rating and issued a $85.00 target price (up previously from $82.00) on shares of Red Hat in a report on Thursday, July 2nd.
Fedora:
  • Helps Improve Quality Kernel in Fedora
  • Flock Update
    So the schedule for Flock is finally fixed and I have to update some things according to my last post. First, the practical part of the Wallpaper Hunt is now scheduled for Friday instead of Saturday. Additionally, I will help Máirín Duffy on Saturday morning with the Inkscape and GIMP Bootcamp; guess which part I will do.
  • Fedora 22 on Cubietruck
    In a previous post (How-to set up network audio server based on PulseAudio and auto-discovered via Avahi) I wrote details on how I set up a network audio server. Actually, I’m using a cubietruck there.
  • Testing systemd-networkd based Fedora 22 AMI(s)
    A few days back I wrote about a locally built Fedora 22 image which has systemd-networkd handling the network configuration. You can test that image locally on your system, or on an Openstack Cloud. In case you want to test the same on AWS, we now have two AMI(s) for the same, one in us-west-1, and the other in ap-southeast-1. Details about the AMI(s) are below:

Leftovers: Debian

  • He who forgets history...
    Hi all, I just looked back on the Halloween Documents, specifically http://www.catb.org/esr/halloween/halloween1.html . Here are two quotes I find both interesting and timely:
    * Linux can win as long as services / protocols are commodities.
    * OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.
    So next time one of the new breed calls you a neckbeard for helping build a distro with simple protocols and services, show him http://www.catb.org/esr/halloween/halloween1.html . And try not to laugh when the whole thing goes right over his head.
  • My Free Software Activities in July 2015
    This month I have been paid to work 15 hours on Debian LTS.
  • Linaro VLANd v0.3
    VLANd is a python program intended to make it easy to manage port-based VLAN setups across multiple switches in a network. It is designed to be vendor-agnostic, with a clean pluggable driver API to allow for a wide range of different switches to be controlled together.