Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 5 hours 26 min ago

Tschacher: Typosquatting programming language package managers

Thursday 9th of June 2016 01:32:13 PM
Nikolai Tschacher demonstrates how easy it is to run arbitrary code by way of "typosquatting" uploads to programming language download sites. "Because everybody can upload any package on PyPi, it is possible to create packages which are typo versions of popular packages that are prone to be mistyped. And if somebody unintentionally installs such a package, the next question comes intuitively: Is it possible to run arbitrary code and take over the computer during the installation process of a package?" He tried an experiment and was able to run a little program that phoned home from thousands of systems.

[$] LWN.net Weekly Edition for June 9, 2016

Thursday 9th of June 2016 12:52:54 AM
The LWN.net Weekly Edition for June 9, 2016 is available.

Maru OS now freely available

Wednesday 8th of June 2016 11:33:57 PM
The Maru OS handset distribution (reviewed here in April) has moved out of the beta-test period and is now freely downloadable without an invitation. Maru functions as both an Android handset and an Ubuntu desktop (when connected to an external monitor). For now, it remains limited to Nexus 5 handsets. "Now that the beta program is over, I’m finally turning my attention to the open-source project so we can expand device support with the help of the community. Let’s get Maru in the hands of a lot more people!"

Stable kernel updates

Wednesday 8th of June 2016 05:05:50 PM
Greg Kroah-Hartman has released stable kernels 4.6.2, 4.5.7, 4.4.13, and 3.14.72. This is the last 4.5.y stable kernel release. Users of the 4.5 kernel series should upgrade to the 4.6 kernel series.

Security advisories for Wednesday

Wednesday 8th of June 2016 04:39:25 PM

Arch Linux has updated firefox (multiple vulnerabilities), qemu (multiple vulnerabilities), qemu-arch-extra (multiple vulnerabilities), and subversion (two vulnerabilities).

CentOS has updated spice (C7: two vulnerabilities) and spice-server (C6: two vulnerabilities).

Debian has updated expat (two vulnerabilities) and vlc (code execution).

Debian-LTS has updated expat (two vulnerabilities), libpdfbox-java (XML External Entity attacks), and libxstream-java (XML External Entity attacks).

Fedora has updated openslp (F23; F22: denial of service).

Mageia has updated chromium-browser-stable/libpng (multiple vulnerabilities), libxslt (two vulnerabilities), and ntp (multiple vulnerabilities).

openSUSE has updated expat (Leap42.1: code execution), gd (13.2: information leak), glibc (13.2: multiple vulnerabilities), GraphicsMagick (Leap42.1; 13.2: command execution), libimobiledevice, libusbmuxd (Leap42.1, 13.2: sockets listening on INADDR_ANY), libksba (Leap42.1: denial of service), and php5 (Leap42.1: multiple vulnerabilities).

SUSE has updated expat (SLE11-SP4: code execution).

The Qt Automotive Suite launches

Wednesday 8th of June 2016 02:02:20 PM
The Qt Blog announces the launch of the Qt Automotive Suite. "With cumulative experience from over 20 automotive projects it was noted how Qt is really well suited to the needs of building IVIs and Instrument Clusters, that there were already millions of vehicles on the road with Qt inside, and that there were a lot of ongoing projects. There was though a feeling that things could be even better, that there were still a few things holding back the industry, contributing to the sense that shipped IVI systems could be built faster, cheaper and with a higher quality."

[$] Distributors ponder a systemd change

Tuesday 7th of June 2016 10:56:49 PM
Linux users tend to pride themselves on their position at the leading edge of a fast-moving development community. But, in truth, much of what we do is rooted in many decades of Unix tradition, and we tend to get grumpy when young developers show up and start changing things around. A recent change of default in systemd represents such a change and the kind of response that it brings out; as a result, Linux distributors are going to have to make a decision on whether they should preserve the way things have always worked or make a change that, while potentially disruptive to users, is arguably a step toward more predictable, controllable, and secure behavior.

Firefox 47

Tuesday 7th of June 2016 04:26:27 PM
Firefox 47 has been released. This version enables the VP9 video codec for users with fast machines, plays embedded YouTube videos with HTML5 video if Flash is not installed, and more. There is a blog post about these and other improvements. "Now, we are making it even easier to access synced tabs directly in your desktop Firefox browser. If you’re logged into your Firefox Account, you will see all open tabs from your smartphone or other computers within the sidebar. In the sidebar you can also search for specific tabs quickly and easily." See the release notes for more information.

Tuesday's security updates

Tuesday 7th of June 2016 03:38:55 PM

Debian has updated spice (two vulnerabilities).

Debian-LTS has updated dhcpcd5 (code execution) and nss (cipher-downgrade attacks).

Fedora has updated glibc (F23: denial of service), nginx (F23: denial of service), and qemu (F22: multiple vulnerabilities).

openSUSE has updated clamav-database (Leap42.1: database refresh).

Oracle has updated spice (OL7: two vulnerabilities) and spice-server (OL6: two vulnerabilities).

Red Hat has updated glibc (RHEL6.5: sends DNS queries to random file descriptors), jenkins (RHOSE3.2: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).

Scientific Linux has updated spice (SL7: two vulnerabilities) and squid (SL7: multiple vulnerabilities).

SUSE has updated expat (SLE12-SP1: code execution).

Ubuntu has updated libxml2 (multiple vulnerabilities) and oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities).

Open Build Service 2.7 released

Monday 6th of June 2016 08:25:21 PM
Open Build Service 2.7 has been released. "Three large features around the topic of integrating external resources made it into this release. We worked on automatic tracking of moving repositories of development versions like Fedora Rawhide, distribution updates or rolling Linux releases like Arch. A change to the OBS git integration to enable developers to work on continuous builds. And last but not least an experimental KIWI import that can be used to easily migrate your images from SUSE studio."

Security updates for Monday

Monday 6th of June 2016 04:07:54 PM

Arch Linux has updated chromium (multiple vulnerabilities), ntp (multiple vulnerabilities), and webkit2gtk (code execution).

Debian has updated chromium-browser (multiple vulnerabilities), mariadb-10.0 (multiple vulnerabilities), and samba (regression in previous update).

Debian-LTS has updated libxml2 (multiple vulnerabilities).

Fedora has updated php (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), roundcubemail (F23; F22: cross-site scripting), sudo (F23: information leak), and xen (F23: multiple vulnerabilities).

Gentoo has updated gnupg (multiple vulnerabilities), libjpeg-turbo (information leak), puppet-agent (multiple vulnerabilities), and putty (multiple vulnerabilities).

openSUSE has updated Chromium (Leap42.1; 13.2: multiple vulnerabilities).

Slackware has updated ntp (multiple vulnerabilities).

SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).

Kernel prepatch 4.7-rc2

Monday 6th of June 2016 01:00:56 AM
The second 4.7 prepatch is now available for testing. Linus says: "There's a late non-fix I took even though the merge window is over, because I've been wanting it for a while. I doubt anybody notices the actual effects of a pty change/cleanup that means that our old disgusting DEVPTS_MULTIPLE_INSTANCES kernel config option is gone, because the cleanup means that it is no longer needed." For details on this change, see this article from last week's Kernel Page.

Wolf: Stop it with those short PGP key IDs!

Friday 3rd of June 2016 11:12:13 PM

At his blog, Gunnar Wolf urges developers to stop using "short" (eight hex-digit) PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild. The possibility of short-ID collisions has been known for a while, but it is still disconcerting to see in the wild. "Those three keys are not (yet?) uploaded to the keyservers, though... But we can expect them to appear at any point in the future. We don't know who is behind this, or what his purpose is. We just know this looks very evil."

Wolf goes on to note that short IDs are not merely human-readable conveniences, but are actually used to identify PGP keys in some software programs. To mitigate the risk, he recommends configuring GnuPG to never shows short IDs, to ensure that other programs do not consume short IDs, and to "only sign somebody else's key if you see and verify its full fingerprint. [...] And there are surely many other important recommendations. But this is a good set of points to start with."

Friday's security updates

Friday 3rd of June 2016 02:23:31 PM

Debian has updated libxml2 (multiple vulnerabilities).

Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), libgd (M5: multiple vulnerabilities), nginx (M5: denial of service), pgpdump (M5: buffer overrun), and php (M5: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Ubuntu has updated nginx (14.04, 15.10, 16.04: denial of service).

LWN.net Weekly Edition for June 3, 2016

Friday 3rd of June 2016 12:19:33 AM
The LWN.net Weekly Edition for June 3, 2016 is available.

Patents and the open-source community

Thursday 2nd of June 2016 07:05:17 PM

At OSCON 2016 in Austin, a panel of invited experts debated the always-thorny subject of how open-source software projects deal with patents. The panel was packed, featuring representatives from the free-software world, commerce, and the legal community, so there was scarcely enough time to move through the prepared topics in the time allotted, much less to take questions from the audience. But the discussion was able to highlight a number of current issues, including patent abolition, implicit patent licenses, and where the open-source community should focus its efforts to improve matters.

Security advisories for Thursday

Thursday 2nd of June 2016 07:04:45 PM

Arch Linux has updated nginx (denial of service) and nginx-mainline (denial of service).

Debian has updated nginx (denial of service).

Debian-LTS has updated gdk-pixbuf (buffer overflows), graphicsmagick (command execution), and imagemagick (command execution).

Fedora has updated compat-nettle27 (F23: improper cryptographic calculations), dosfstools (F22: two vulnerabilities), gd (F23: two vulnerabilities), kernel (F23; F22: multiple vulnerabilities), libimobiledevice (F22: sockets listening on INADDR_ANY), libusbmuxd (F22: sockets listening on INADDR_ANY), and phpMyAdmin (F23: three vulnerabilities).

SUSE has updated java-1_8_0-ibm (SLE12-SP1: multiple vulnerabilities) and ntp (SOSC5, SMP2.1, SM2.1, SLE11-SP2,3: multiple vulnerabilities).

Ubuntu has updated imagemagick (multiple vulnerabilities).

[$] PostgreSQL 9.6 Beta and PGCon 2016

Thursday 2nd of June 2016 04:13:18 PM
PostgreSQL's annual developer conference, PGCon, took place in May, which made it a good place to get a look at the new PostgreSQL features coming in version 9.6. The first 9.6 beta was released just the week before and several contributors demonstrated key changes at the conference in Ottawa. For many users, this was the first time to see the finished versions of features that had been under development for months or years.

Nextcloud launches

Thursday 2nd of June 2016 01:26:38 PM
For those who have been wondering about the exodus from ownCloud, the announcement of a company called "Nextcloud" should make things clear. "Started by the well known open source file sync and share developer Frank Karlitschek and joined by the most active contributors to his previous project, building on its mature code base, we offer a more reliable and sustainable solution for users and customers. We will develop a drop-in replacement for that legacy code base over the coming weeks, providing the bug fixes and security hardening all users need and the Enterprise Subscription capabilities enterprise customers require." See also this blog post from Jos Poortvliet.

[$] Containers, pseudo TTYs, and backward compatibility

Wednesday 1st of June 2016 11:12:00 PM
There is no doubt that the addition of container technologies to Linux has created a lot of value, allowing workloads to be effectively and efficiently isolated from each other. Implementing these technologies presents a number of challenges, particularly as much of Linux and Unix was designed to use singletons: objects of which there could never ever be more than one, such as host names, network routing tables, or process-ID namespaces. Containers require this design approach to be revised as they need multiple instances of these objects. A singleton that has been causing problems recently is the set of pseudo terminals (TTYs).

Click below (subscribers only) for the full article from Neil Brown.

More in Tux Machines

Q4OS 1.4.12 Distro Receives the Latest Debian GNU/Linux 8.5 "Jessie" Updates

The Q4OS team have informed Softpedia today, June 27, 2016, about the immediate availability for download of a new maintenance release in the stable "Orion" series of the Debian-based GNU/Linux operating system. Q4OS 1.4.12 "Orion" is now the latest and most advanced version of the distribution build around the Trinity desktop environment, and it has received all the important security patches and software updates from the upstream Debian GNU/Linux 8.5 "Jessie" repositories, along with a couple of other improvements requested by users. Read more

Linux 4.7 RC5

  • Linux 4.7-rc5 Kernel Released
    The fifth weekly test release to the Linux 4.7 kernel is now available for testing. As of writing this article, Linus Torvalds has yet to send out an official 4.7-rc5 announcement but it's available for those interested in the latest installment of the kernel that's codenamed the Psychotic Stoned Sheep.
  • Linus Torvalds Announces Linux Kernel 4.7 RC5, Things Are Calming Down
    Another Sunday, another Release Candidate build of the upcoming Linux 4.7 kernel is out for testing, as announced by Linus Torvalds himself a few hours ago, June 26, 2016.
  • Linux 4.7-rc5
    Another week, another -rc. Hmm. I think things are calming down, although with almost two thirds of the commits coming in since Friday morning, it doesn't feel that way - my Fridays end up feeling very busy. But looking at the numbers, we're pretty much where we normally are at this time of the rc series. The stats looks fairly normal: about half the patch is drivers, roughly a quarter is architecture updates, and the remainder is "misc": filesystems, scheduler, mm, etc. The bulk of the drivers is GPU updates, but there's a smattering of rdma, hwmon, Xen, gpio, sound. The architecture side is powerpc, x86, some arm64, and some noise all over from some MM cleanups.. Go out and test. By -rc5, we really should be starting to be getting fairly ready. And please, if Thorsten Leemhuis is tracking one of your regressions, can you make sure to double-check it and see if it remains? It's lovely to have a regression tracker again, but it would also be really good to make sure that the ones that are solved get closed. Linus

Android Leftovers

The Internet Without Connection, Free Endless OS For Emerging Markets

There are four billion people on the planet without PCs or access to affordable personal computers. That figure should surely be tempered with some contextualization i.e. not everybody actually wants to have an Internet connection and many traditional, native or bucolic ways of live do still exist on the planet. Regardless, there are a batch of global initiatives in existence which seek to give computer access to every man, woman and especially child. Endless OS is one such project. The free operating system has been designed explicitly to work in the expensive or restrictive Internet data conditions that often exist in emerging markets where fabulously affordable broadband has yet to arrive. The software itself is built to provide useful information and educational content, with or without an Internet connection. Read more