LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security updates for Thursday

Thursday 17th of November 2016 03:56:46 PM

Arch Linux has updated firefox (multiple vulnerabilities), libgit2 (two vulnerabilities), python-django (two vulnerabilities), and python2-django (two vulnerabilities).

Debian has updated firefox-esr (multiple vulnerabilities).

Fedora has updated bind99 (F24: two vulnerabilities), firefox (F24: multiple vulnerabilities), and kernel (F24: denial of service).

Gentoo has updated libuv (privilege escalation from 2015).

Mageia has updated nss, firefox (multiple vulnerabilities).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities) and nss and nss-util (OL7; OL6; OL5: two vulnerabilities).

Red Hat has updated openssl (RHEL6: denial of service).

[$] LWN.net Weekly Edition for November 17, 2016

Thursday 17th of November 2016 01:05:56 AM
The LWN.net Weekly Edition for November 17, 2016 is available.

Farewell to Rob Collins

Wednesday 16th of November 2016 05:36:31 PM
The EuroPython Society shares the sad news that Rob Collins has passed away. "Many of you may know Rob from the sponsored massage sessions he regularly ran at EuroPython in recent years and which he continued to develop, taking them from a single man setup (single threaded process) to a group of people setup by giving workshops (multiprocessing) and later on by passing on his skills to more leaders (removing the GIL) to spread wellness and kindness throughout our conference series."

Security advisories for Wednesday

Wednesday 16th of November 2016 05:01:33 PM

Debian has updated akonadi (denial of service), gst-plugins-bad0.10 (code execution), and moin (cross-site scripting).

Debian-LTS has updated mysql-5.5 (multiple unspecified vulnerabilities) and postgresql-9.1 (PostgreSQL 9.1 is EOL; users are encouraged to upgrade).

Mageia has updated libarchive (unspecified).

openSUSE has updated pcre (13.2: multiple vulnerabilities).

Oracle has updated 389-ds-base (OL6: three vulnerabilities) and kernel (OL6: multiple vulnerabilities).

Red Hat has updated 389-ds-base (RHEL6: three vulnerabilities), atomic-openshift (RHOSCP3.3: redirect network traffic), atomic-openshift-utils (RHOSCP3.2,3.3: code execution), firefox (RHEL5,6,7: multiple vulnerabilities), kernel (RHEL6: two vulnerabilities), and nss and nss-util (RHEL5,6,7: three vulnerabilities).

Microsoft joins The Linux Foundation

Wednesday 16th of November 2016 04:35:08 PM
The Linux Foundation has announced that Microsoft has joined as a platinum member. "From cloud computing and networking to gaming, Microsoft has steadily increased its engagement in open source projects and communities. The company is currently a leading open source contributor on GitHub and earlier this year announced several milestones that indicate the scope of its commitment to open source development."

Firefox 50.0

Tuesday 15th of November 2016 08:48:59 PM
Mozilla has released Firefox 50.0. This version features improved performance for SDK extensions or extensions using the SDK module loader, added download protection for a large number of executable file types, an added option in Find in page that allows users to limit the search to whole words only, and more. See the release notes for details.

Two stable kernel updates

Tuesday 15th of November 2016 06:25:07 PM
Stable kernels 4.8.8 and 4.4.32 have been released. Both of them contain important fixes and users should upgrade.

Security updates for Tuesday

Tuesday 15th of November 2016 05:45:16 PM

Arch Linux has updated shutter (code execution).

Debian-LTS has updated sudo (privilege escalation).

Fedora has updated libgit2 (F24: unspecified), memcached (F24; F23: code execution), python-django (F24: two vulnerabilities), and tre (F24; F23: code execution).

Gentoo has updated libpng (multiple vulnerabilities), polkit (privilege escalation), tnftp (command execution from 2014), xen (multiple vulnerabilities), and xinetd (privilege escalation from 2013).

openSUSE has updated Chromium (SPH for SLE12; Leap42.2, Leap42.1, 13.2: multiple vulnerabilities).

Oracle has updated policycoreutils (OL7; OL6: sandbox escape).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), qemu-kvm-rhev (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: denial of service), rh-mysql56-mysql (RHSCL: multiple vulnerabilities), and rh-php56 (RHSCL: multiple vulnerabilities).

The "cryptsetup initrd root shell" vulnerability

Tuesday 15th of November 2016 03:58:04 PM
Hector Marco and Ismael Ripoll report a discouraging vulnerability in many encrypted disk setups: simply running up too many password failures will eventually result in a root shell. "This vulnerability allows one to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc., where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard and/or a mouse."
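The failure mode is a matter of what the unlock script does once it gives up. Below is an added illustration, not the Debian/Ubuntu cryptroot initramfs script and not code from the researchers' advisory: a stripped-down model of the retry loop, with the pattern that produces the root shell next to a hardened one. The `try_unlock` stand-in and its passphrase are constructed for the demo; a real script would call `cryptsetup luksOpen` and, on exhaustion, halt or reboot rather than print a string.

```shell
#!/bin/sh
# Added illustration, not the Debian/Ubuntu cryptroot initramfs script:
# a minimal model of the unlock retry loop, comparing the pattern that
# produces the root-shell failure mode with a hardened one.

# Constructed stand-in for "cryptsetup luksOpen"; the passphrase is an
# assumption for the demo, not a real secret.
try_unlock() {
    [ "$1" = "correct horse battery staple" ]
}

# Shared retry loop: tries each supplied passphrase, at most $max times.
# Prints "unlocked" and returns 0 on success; returns 1 when retries are
# exhausted, leaving the caller to decide what happens next.
retry_unlock() {
    max="$1"; shift
    n=0
    for pw in "$@"; do
        n=$((n + 1))
        if try_unlock "$pw"; then
            echo "unlocked"
            return 0
        fi
        if [ "$n" -ge "$max" ]; then
            break
        fi
    done
    return 1
}

# Weak pattern: when the loop gives up, the script exits non-zero and the
# initramfs init falls through to its recovery shell, which runs as root.
# Nothing here requires the attacker to know a secret; hammering the
# prompt until the counter runs out is enough.
unlock_weak() {
    retry_unlock "$@" && return 0
    echo "drop-to-shell"
    return 1
}

# Hardened pattern: on exhaustion, never hand control back to init.
# A real initramfs would halt or reboot here (or be booted with a
# panic=<seconds> kernel parameter so an early-boot failure reboots the
# machine instead of offering a shell); the action is reported as a
# string so the function stays testable offline.
unlock_hardened() {
    retry_unlock "$@" && return 0
    echo "halt"
    return 2
}
```

Run it with `sh` and call `unlock_weak 3 guess1 guess2 guess3` versus `unlock_hardened 3 guess1 guess2 guess3`: both refuse the bad guesses, but only the second denies the console user a shell afterwards. The check worth making on a real system is what your distribution's cryptroot hook does after its last retry, since that branch, not the passphrase check, is where the privilege comes from.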

KDE neon users may want to reinstall

Monday 14th of November 2016 10:14:29 PM
The KDE Project has a little problem to report for users of the KDE neon distribution: "The package archive used by KDE neon was incorrectly configured allowing anyone to upload packages to it. There is no reason to think that anyone actually did so but as a precaution we have emptied the archives and removed ISOs built before this date." Once the process of rebuilding the archive is complete, users are recommended to upgrade to the new versions, or, better, simply reinstall.

The Linux Foundation's Core Infrastructure Initiative Renews Funding for Reproducible Builds Project

Monday 14th of November 2016 10:10:21 PM
The Core Infrastructure Initiative (CII) has announced continued financial support for the Reproducible Builds Project. "The grant extends the contribution to include Debian developers Chris Lamb, Mattia Rizzolo, Ximin Luo and Vagrant Cascadian, as well as extending funding for Holger Levsen. Furthermore, this contribution adds support for Ed Maste, working with FreeBSD." (Thanks to Paul Wise)

[$] Topics in live kernel patching

Monday 14th of November 2016 08:42:31 PM
Getting live-patching capabilities into the mainline kernel has been a multi-year process. Basic patching support was merged for the 4.0 release, but further work has been stalled over disagreements on how the consistency model — the code ensuring that a patch is safe to apply to a running kernel — should work. The addition of kernel stack validation has addressed the biggest of the objections, so, arguably, it is time to move forward. At the 2016 Linux Plumbers Conference, developers working on live patching got together to discuss current challenges and future directions.

Click below (subscribers only) for the full report from LPC 2016.

Security advisories for Monday

Monday 14th of November 2016 05:12:04 PM

CentOS has updated java-1.7.0-openjdk (C6: multiple vulnerabilities), libgcrypt (C6: flawed random number generation), and pacemaker (C6: privilege escalation).

Debian has updated mariadb-10.0 (multiple vulnerabilities) and terminology (command execution).

Fedora has updated bind (F24: denial of service), mingw-libwebp (F24: integer overflows), sudo (F24: privilege escalation), and tomcat (F24; F23: multiple vulnerabilities).

Mageia has updated libwmf (denial of service), monit (cross-site request forgery), python-cryptography (returns empty byte-string), and quagga (stack overrun).

openSUSE has updated flash-player (13.1: multiple vulnerabilities), mysql-community-server (Leap42.2: multiple vulnerabilities), and opera (Leap42.2; Leap42.1: multiple vulnerabilities).

Red Hat has updated policycoreutils (RHEL6,7: sandbox escape).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities) and mysql (SLE11-SP4: three vulnerabilities).

Kernel prepatch 4.9-rc5

Sunday 13th of November 2016 07:27:53 PM
The 4.9-rc5 kernel prepatch is out. Linus says: "Things have definitely gotten smaller, so a normal release schedule (with rc7 being the last one) is still looking possible despite the large size of 4.9. But let's see how things work out over the next couple of weeks. In the meantime, there's a lot of normal fixes in here, and we just need more testing."

Security Exercises (Linux Journal)

Friday 11th of November 2016 08:54:23 PM
Over at Linux Journal, Susan Sons has a lengthy article on security exercises, which are a way to test the readiness of a project or organization for some kind of security problem. "Scheduling exercises at a predictable time and reminding others when it will happen prevents confusion among staff. It is wise to begin with low-impact exercises (more on this below) that don't leverage production systems, and move on to higher-potential-impact exercises only when the organization's infrastructure and personnel have had most of the bugs shaken out. If something as small as a runaway process on a single server can seriously impact your business, it's better to find out at a planned time with all hands on deck than at 4am on a holiday when no one who knows what to do can be reached. The whole point of security exercises is to increase resilience: raise the threshold of what is normal for your team to deal with, what your systems can shrug off." She followed that article up with some example security exercises.

Security updates for Friday

Friday 11th of November 2016 04:54:44 PM

Debian has updated pillow (two vulnerabilities).

Fedora has updated jasper (F23: multiple vulnerabilities), kdepimlibs (F23: three vulnerabilities), libXi (F23: two vulnerabilities), and xen (F23: multiple vulnerabilities).

Mageia has updated freeimage (two vulnerabilities, one from 2015).

openSUSE has updated curl (42.1: multiple vulnerabilities), flash-player (13.2: multiple vulnerabilities), gd (42.1: three vulnerabilities), ImageMagick (42.1: multiple vulnerabilities, some from 2014 and 2015), and mysql-community-server (42.1, 13.2: multiple vulnerabilities, many unspecified).

Oracle has updated 389-ds-base (OL7: unspecified), bind (OL7: denial of service), curl (OL7: TLS botch), dhcp (OL7: unspecified), firewalld (OL7: authentication bypass), fontconfig (OL7: privilege escalation), gimp (OL7: code execution), glibc (OL7: code execution), java-1.7.0-openjdk (OL7: unspecified), kernel (OL7: multiple vulnerabilities, some from 2013 and 2015), krb5 (OL7: two vulnerabilities), libgcrypt (OL7: bad random numbers), libguestfs (OL7: information leak from 2015), libreoffice (OL7: code execution), libreswan (OL7: denial of service), libvirt (OL7: three vulnerabilities, two from 2015), mariadb (OL7: privilege escalation), mod_nss (OL7: cipher choosing botch), nettle (OL7: multiple vulnerabilities, three from 2015), NetworkManager (OL7: information leak), ntp (OL7: multiple vulnerabilities from 2015), openssh (OL7: privilege escalation from 2015), php (OL7: multiple vulnerabilities), poppler (OL7: code execution from 2015), postgresql (OL7: two vulnerabilities), python (OL7: code execution), qemu-kvm (OL7: two vulnerabilities), resteasy-base (OL7: code execution), squid (OL7: multiple vulnerabilities), sudo (OL7: information disclosure), systemd (OL7: denial of service), tomcat (OL7: multiple vulnerabilities, three from 2015), util-linux (OL7: denial of service), and wget (OL7: code execution).

Ubuntu has updated kernel (16.10; 16.04: denial of service), kernel (14.04: multiple vulnerabilities, one from 2014 and 2015), kernel (12.04: two vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities, one from 2014 and 2015), linux-lts-xenial (14.04: denial of service), linux-raspi2 (16.10: denial of service), linux-snapdragon (16.04: denial of service), and linux-ti-omap4 (12.04: two vulnerabilities).

Fedora 25 to have MP3 playback

Thursday 10th of November 2016 10:50:18 PM
Christian Schaller writes that, after all these years, a stock Fedora system will be able to play MP3 files. "I know this has been a big wishlist item for a long time for a lot of people so I am really happy that we are finally in a position to fulfill that wish. You should be able to download the mp3 plugin on day 1 through GNOME Software or through the missing codec installer in various GStreamer applications. For Fedora Workstation 26 I would not be surprised if we decide to ship it on the install media."

Stable kernels 4.8.7 and 4.4.31

Thursday 10th of November 2016 04:18:14 PM
The 4.8.7 and 4.4.31 stable kernels have been released. As usual, they contain multiple important fixes; users of 4.8.x and 4.4.x should upgrade.

Thursday's security advisories

Thursday 10th of November 2016 03:15:31 PM

Fedora has updated chromium (F24: multiple vulnerabilities), chromium-native_client (F24: multiple vulnerabilities), dracut (F24: information disclosure), jasper (F24: multiple vulnerabilities), and xen (F24: multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mariadb (multiple vulnerabilities).

Red Hat has updated kernel (RHEL7.2: denial of service) and systemd (RHEL7.2: denial of service).

SUSE has updated php5 (SLE12: three vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).

[$] LWN.net Weekly Edition for November 10, 2016

Thursday 10th of November 2016 01:04:38 AM
The LWN.net Weekly Edition for November 10, 2016 is available.

More in Tux Machines

Zorin OS 12 Ubuntu-based Linux distribution now available -- a Windows 10 alternative

Windows 10 is a really great desktop operating system, but it is not for everyone. For those that care deeply about security and privacy, an open source Linux-based operating system is a wise alternative. The problem? Learning a new user interface can be hard for some. If you have always used a Windows OS in the past, moving to a desktop environment like GNOME or Unity can be confusing and scary. Luckily, for those that have difficulty with change, there are some Linux-based operating systems that are designed for Windows-switchers. One fairly popular such offering, Zorin OS, has now reached version 12. It is designed to be familiar to former users of Microsoft's OS. While the company does charge for an "Ultimate" version, the "Core" edition of Zorin OS 12 is entirely free.

Getting started with Raspberry Pi

So you have a Raspberry Pi, or you're thinking of getting one, and you want to know how to get started and how to become a master user of one. The Raspberry Pi is a single board computer, meaning that in many ways it's a regular PC, except that everything that makes up the computer is on a single board, rather than a traditional PC, which has a motherboard and requires a number of additional daughterboards to make a whole unit.

Games for GNU/Linux

  • Shadow Tactics: Blades of the Shogun Hardcore Tactical Stealth Game Out on Linux
    More and more AAA games are coming to our beloved Linux platform, and nothing makes us happier than to see Daedalic Entertainment's Shadow Tactics: Blades of the Shogun title launching today on Steam for Linux, Mac, and Windows. If you're not familiar with Daedalic Entertainment's work, they are the creators of the superb and fun Deponia series, but Shadow Tactics: Blades of the Shogun is something different, a tactical stealth-strategy game in the style of the Commandos stealth-oriented real-time tactics video game series.
  • Shadow Tactics: Blades of the Shogun, the top-down stealth game is now out
    Shadow Tactics: Blades of the Shogun [GOG, Steam, Official Site] is the rather good top-down stealth game from Mimimi Productions. It's now out with a day-1 Linux release and it has a demo. I played the demo and I was massively impressed, so impressed that I would very much like to cover the game properly. So I will be reaching out to the developer for a key.
  • The Keeper, a promising looking side-scrolling survival action game with plenty of action is coming to Linux
    The Keeper side-scrolling survival action game full of boss battles, a combo system for combat and a day and night cycle will come to Linux.
  • Editorial: A chat about asking developers for a Linux port
    It has come to my attention recently that some people have been taking a really hard stance against developers who want to gauge interest for a Linux port. I want to talk about it for a bit. [...] Be the Linux community I know and love, be helpful to developers, get in on beta testing when you can (I've seen plenty of developers give out free keys for this too!) and appreciate the good games we get. We are a smaller market in most people's eyes, so let's not turn away anything that could help us grow even a little. The fact is, I've seen multiple games only come to Linux because Linux fans showed actual interest in it. One such example is Nightside, which I discovered on Steam. After a quick chat with the developer, I was able to convince them to do a Linux build and after a short test they then decided to support a Linux build. There are many such examples like this, but due to the amount of games I cover that's one I could quickly pull up (without having to sift through hundreds of articles).
  • Dawn of War II has a minor patch to fix a few issues
  • Khronos are working on an open standard for VR, Valve will use it
  • BOOR, a new puzzle platformer will arrive with Linux support next year
    BOOR [Official Site] is a new puzzle platformer from developer Dazlog Studio and publisher BadLand Games that will have Linux support. We have many puzzle platformers now, so I do hope BOOR has something to set itself apart from the rest of them. I haven't seen anything in the trailer or the feature list that really jumps out at me. I am hoping when they reveal more gameplay it will look more enticing.
  • The developers of 'EVERSPACE' are still working on the Linux version, seeking help from Epic Games
    EVERSPACE [Steam, Official Site] is the fantastic looking UE4 space shooter that's being ported to Linux, but the developers have encountered a problem with lighting bugs. I follow the topic on Steam, but a user also emailed this in to ask me to highlight it. I would have anyway since I'm interested in it.
  • Total War: WARHAMMER - Realm of The Wood Elves DLC will come to Linux soon
    Total War: WARHAMMER - Realm of The Wood Elves [Steam] is the next DLC that introduces an exciting race into this strategy game. Feral have confirmed it will be on Linux soon with the quick tweet they sent out.
  • DoomRL or 'DRL' as it's now called has gone open source
    After ZeniMax sent the lawyers knocking, the developer of what was called DoomRL (Doom Roguelike) has changed it's name to 'DRL' [Github, Official Site] and it's now open source. ZeniMax are well within their rights to "protect" the Doom brand, but I still think their lawyers are idiotic for doing this. It's not like small-time roguelike was actually competing with the real Doom.