Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 42 min ago

Study Highlights Serious Security Threat to Many Internet Users (UCR Today)

Tuesday 9th of August 2016 07:22:55 PM
UCR Today reports that researchers at the University of California, Riverside have identified a weakness in the Transmission Control Protocol (TCP) in Linux that enables attackers to hijack users’ internet communications remotely. "The UCR researchers didn’t rely on chance, though. Instead, they identified a subtle flaw (in the form of ‘side channels’) in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties. This means that given any two arbitrary machines on the internet, a remote blind attacker, without being able to eavesdrop on the communication, can track users’ online activity, terminate connections with others and inject false material into their communications."

The People’s Code (White House blog)

Tuesday 9th of August 2016 06:56:29 PM
US Chief Information Officer Tony Scott introduces the Federal Source Code Policy, on the White House blog. "By making source code available for sharing and re-use across Federal agencies, we can avoid duplicative custom software purchases and promote innovation and collaboration across Federal agencies. By opening more of our code to the brightest minds inside and outside of government, we can enable them to work together to ensure that the code is reliable and effective in furthering our national objectives. And we can do all of this while remaining consistent with the Federal Government’s long-standing policy of technology neutrality, through which we seek to ensure that Federal investments in IT are merit-based, improve the performance of our government, and create value for the American people." (Thanks to David A. Wheeler)

Security advisories for Tuesday

Tuesday 9th of August 2016 04:36:03 PM

Arch Linux has updated curl (three vulnerabilities).

Debian has updated chromium-browser (multiple vulnerabilities) and fontconfig (privilege escalation).

Debian-LTS has updated libreoffice (code execution) and python-django (rebase to 1.4.x).

Fedora has updated bind99 (F23: denial of service), ca-certificates (F23: certificate update), dhcp (F23: denial of service), dnsmasq (F23: denial of service), flex (F24: buffer overflow), fontconfig (F24: privilege escalation), kernel (F24; F23: two vulnerabilities), libidn (F23: multiple vulnerabilities), libreswan (F23: unspecified), nodejs-tough-cookie (F24: denial of service), pdns (F24: denial of service), perl-CGI-Emulate-PSGI (F24; F23: HTTP redirect), perl-Module-Load-Conditional (F24; F23: privilege escalation), v8 (F24; F23: denial of service), and xen (F23: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (multiple vulnerabilities), firefox (multiple vulnerabilities), and openntpd/busybox (denial of service).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), kernel (RHEL6.4: privilege escalation), nodejs010-nodejs-minimatch (RHSCL: denial of service), and rh-nodejs4-nodejs-minimatch (RHSCL: denial of service).

SUSE has updated kernel (SLE11-SP4: multiple vulnerabilities).

Ubuntu has updated curl (three vulnerabilities).

Christoph Hellwig's case against VMware dismissed

Tuesday 9th of August 2016 02:32:37 PM
The GPL-infringement case brought against VMware by Christoph Hellwig in Germany has been dismissed by the court; the ruling is available in German and English. The decision seems to be based entirely on uncertainty over where his copyrights actually lie and not on the infringement claims. "Nonetheless, these questions (on which the legal interest of the parties and their counsel presumably focus) can and must remain unanswered. This is because the very first requirement for conducting an examination, namely that code possibly protected for the Plaintiff as a holder of adapter’s copyright has been used in the Defendant’s product, cannot be established. " The ruling will be appealed.

Vice-President’s Report — The State of the GNOME Foundation

Monday 8th of August 2016 09:51:57 PM
Jeff Fortin Tam reports on the state of the GNOME Foundation. "Generally speaking, this year was a bit less intense than the one before it (we didn’t have to worry about a legal battle with a giant corporation this time around!) although we did end up touching a fair amount of legal matters, such as trademark agreements. One big item we got cleared was the Ubuntu GNOME trademark agreement. We also welcomed businesses that wanted to sell GNOME-related merchandise, you can find them listed here—supporting them by purchasing GNOME-related items also supports the Foundation with a small percentage shared as royalties." (Thanks to Paul Wise)

Lumina Desktop 1.0.0 released

Monday 8th of August 2016 09:41:57 PM
Version 1.0.0 of the Lumina Desktop Environment has been released. "After roughly four years of development, I am pleased to announce the first official release of the Lumina desktop environment! This release is an incredible realization of the initial idea of Lumina – a simple and unobtrusive desktop environment meant for users to configure to match their individual needs." Lumina is a from-scratch, BSD-licensed desktop system.

Security updates for Monday

Monday 8th of August 2016 04:39:53 PM

Arch Linux has updated glibc (two denial of service vulnerabilities), lib32-glibc (two denial of service vulnerabilities), and libupnp (unauthenticated access).

Debian has updated kde4libs (command execution) and lighttpd (man-in-the-middle attacks).

Debian-LTS has updated mongodb (two vulnerabilities), mupdf (denial of service), and openjdk-7 (multiple vulnerabilities).

Fedora has updated curl (F24: three vulnerabilities), firefox (F23: multiple vulnerabilities), libgcrypt (F23: key leak), and xen (F24: multiple vulnerabilities).

Mageia has updated ruby-eventmachine (denial of service).

openSUSE has updated bsdiff (Leap42.1, 13.2: denial of service), Chromium (Leap42.1, 13.2; SPH for SLE12: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), libvirt (Leap42.1: authentication bypass), redis (Leap42.1, 13.2; SPH for SLE12: information leak), and wireshark (Leap42.1, 13.2: multiple vulnerabilities).

Slackware has updated curl (three vulnerabilities), firefox (multiple vulnerabilities), openssh (two vulnerabilities), and stunnel (two vulnerabilities).

Check Point's "QuadRooter" vulnerabilities

Monday 8th of August 2016 02:13:06 PM
Check Point has discovered four local-root vulnerabilities in Qualcomm-based Android devices and is hyping the result as "QuadRooter". "QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device." Actually getting the report requires registration. All four vulnerabilities are in Android-specific code; three of them are in out-of-tree modules (kgsl and ipc_router); the fourth is in the "ashmem" code in the staging tree.

Kernel prepatch 4.8-rc1

Monday 8th of August 2016 01:58:33 AM
Linus has released the 4.8-rc1 prepatch and closed the merge window for this development cycle — sort of. "I actually still have a few pull requests pending in my inbox that I just wanted to take another look at before merging, but the large bulk of the merge window material has been merged, and I wanted to make sure there aren't any new ones coming in." A total of 11,618 non-merge changesets were pulled during the merge window.

Let's Encrypt will be trusted by Firefox 50

Friday 5th of August 2016 11:48:38 PM

The Let's Encrypt project, which provides a free SSL/TLS certificate authority (CA), has announced that Mozilla has accepted the project's root key into the Mozilla root program and will be trusted by default as of Firefox 50. This is a step forward from Let's Encrypt's earlier status. "In order to start issuing widely trusted certificates as soon as possible, we partnered with another CA, IdenTrust, which has a number of existing trusted roots. As part of that partnership, an IdenTrust root 'vouches for' the certificates that we issue, thus making our certificates trusted. We’re incredibly grateful to IdenTrust for helping us to start carrying out our mission as soon as possible. However, our plan has always been to operate as an independently trusted CA. Having our root trusted directly by the Mozilla root program represents significant progress towards that independence." The project has also applied for inclusion the CA trust roots maintained by Apple, Microsoft, Google, Oracle, and Blackberry. News on those programs is still pending.

Friday's security updates

Friday 5th of August 2016 04:08:32 PM

Arch Linux has updated firefox (multiple vulnerabilities), jdk7-openjdk (multiple vulnerabilities), jre7-openjdk (multiple vulnerabilities), and jre7-openjdk-headless (multiple vulnerabilities).

Debian has updated openjdk-7 (multiple vulnerabilities).

Debian-LTS has updated curl (multiple vulnerabilities) and mysql-5.5 (multiple vulnerabilities).

Fedora has updated collectd (F23; F24: code execution), dietlibc (F23; F24: insecure default PATH), perl (F24: privilege escalation), perl-DBD-MySQL (F24: code execution), and python-autobahn (F24: insecure origin validation).

openSUSE has updated MozillaFirefox, mozilla-nss (13.2, Leap 42.1: multiple vulnerabilities).

Oracle has updated kernel (O7; O6: multiple vulnerabilities; O7; O6; O6; O5: privilege escalation) and squid (O6: code execution).

Scientific Linux has updated squid (SL6: code execution).

SUSE has updated kernel (SLE12-LP: multiple vulnerabilities).

Ubuntu has updated firefox (12.04, 14.04, 16.04: multiple vulnerabilities), libreoffice (12.04: code execution), oxide-qt (14.04, 16.04: multiple vulnerabilities), and qemu, qemu-kvm (12.04, 14.04, 16.04: multiple vulnerabilities).

The GNU C Library version 2.24 is now available

Friday 5th of August 2016 12:04:31 AM
The 2.24 version of the GNU C Library (glibc) has been released. It comes with lots of bug fixes, including five for security vulnerabilities (four stack overflows and a memory leak). Some deprecated features have been removed, as well as deprecating the readdir_r() and readdir64_r() functions in favor of readdir() and readdir64(). There are also additions to the math library (nextup*() and nextdown*()) to return the next representable value toward either positive or negative infinity.

Breaking through censorship barriers, even when Tor is blocked (Tor Blog)

Thursday 4th of August 2016 11:53:10 PM
The Tor Blog looks at using Pluggable Transports to avoid country-level Tor blocking. There are some new easy-to-follow graphical directions for using the transports. "Many repressive governments and authorities benefit from blocking their users from having free and open access to the internet. They can simply get the list of Tor relays and block them. This bars millions of people from access to free information, often including those who need it most. We at Tor care about freedom of access to information and strongly oppose censorship. This is why we've developed methods to connect to the network and bypass censorship. These methods are called Pluggable Transports (PTs). Pluggable Transports are a type of bridge to the Tor network. They take advantage of various transports and make encrypted traffic to Tor look like not-interesting or garbage traffic. Unlike normal relays, bridge information is kept secret and distributed between users via BridgeDB."

Security updates for Thursday

Thursday 4th of August 2016 05:06:17 PM

CentOS has updated firefox (C5: multiple vulnerabilities) and squid (C6: code execution).

Debian has updated firefox-esr (multiple vulnerabilities) and wordpress (multiple vulnerabilities).

Debian-LTS has updated collectd (regression in previous security update), firefox-esr (multiple vulnerabilities), and libsys-syslog-perl (privilege escalation).

Fedora has updated firefox (F24: multiple vulnerabilities) and pbuilder (F24; F23: file overwrite).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated squid (RHEL6: code execution).

Scientific Linux has updated firefox (multiple vulnerabilities), golang (SL7: denial of service), kernel (SL7: three vulnerabilities, one from 2015), and libtiff (SL7: multiple vulnerabilities, including some from 2014 and 2015).

SUSE has updated hawk2 (SLE12: clickjacking prevention).

[$] LWN.net Weekly Edition for August 4, 2016

Thursday 4th of August 2016 01:30:06 AM
The LWN.net Weekly Edition for August 4, 2016 is available.

Some news from LWN

Wednesday 3rd of August 2016 09:26:54 PM
It has been some time since our last update on the state of LWN itself. That's somewhat by design, as we'd rather be writing about the community and the code than ourselves. Occasionally, though, we do like to update our readers and subscribers on the state of the operation, especially when there is some news to report, as is the case now.

Security advisories for Wednesday

Wednesday 3rd of August 2016 04:50:24 PM

CentOS has updated firefox (C7; C6: multiple vulnerabilities), golang (C7: denial of service), kernel (C7: three vulnerabilities), and libtiff (C7; C6: multiple vulnerabilities).

Debian has updated curl (three vulnerabilities).

Debian-LTS has updated libidn (three vulnerabilities), libreoffice (code execution), and lighttpd (man-in-the-middle attacks).

Fedora has updated libreswan (F24: unspecified) and python-django (F24; F23: cross-site scripting).

Mageia has updated chromium-browser-stable (multiple vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), php-ZendFramework (SQL injection), and wireshark (multiple vulnerabilities).

Oracle has updated golang (OL7: denial of service), kernel (OL7: three vulnerabilities), and libtiff (OL7; OL6: multiple vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), golang (RHEL7: denial of service), kernel (RHEL7: three vulnerabilities), kernel-rt (RHEMRG2.5; RHEL7: two vulnerabilities), libtiff (RHEL7; RHEL6: multiple vulnerabilities), and ntp (RHEL6.7: multiple vulnerabilities).

Scientific Linux has updated libtiff (SL6: multiple vulnerabilities).

Ubuntu has updated php5, php7.0 (multiple vulnerabilities).

LibreOffice 5.2 released

Wednesday 3rd of August 2016 01:49:14 PM
The LibreOffice 5.2 release is out. "LibreOffice 5.2 provides document classification according to the TSCP standard, and a set of improved forecasting functions in Calc. In addition, multiple signature descriptions are now supported, along with import and export of signatures from OOXML files. Interoperability features have also been improved, with better Writer import filters for DOCX and RTF files, and the added support for Word for DOS legacy documents." There's a lot more; see the release notes [PDF] for an illustrated list.

See also: this post from Michael Meeks on the last year of LibreOffice development.

[$] Statistics from the 4.7 development cycle

Tuesday 2nd of August 2016 08:10:59 PM
The 4.7 kernel was released on July 24, so longtime readers might be wondering where the usual development statistics are. We're running a little late this time around, but for good reason — Greg Kroah-Hartman obtained information from a large number of developers on who they work for, and we're now able to use that information to produce better numbers. Of course, the overall story hasn't changed a whole lot — kernel development is relatively boring and predictable these days — but each cycle still has a few noteworthy points.

Click below (subscribers only) for the full article from this week's Kernel Page.

Firefox 48 released

Tuesday 2nd of August 2016 06:39:22 PM
Firefox 48 is out, featuring process separation (e10s) for some users, mandatory add-ons signatures, stable WebExtensions, enhanced download protection, and more. See the release notes for details.

More in Tux Machines

Red Hat Enterprise Linux 7.3 Beta Adds NVDIMM Support, Improves Security

Today, August 25, 2016, Red Hat announced that version 7.3 of its powerful Red Hat Enterprise Linux operating system is now in development, and a Beta build is available for download and testing. Red Hat Enterprise Linux 7.3 Beta brings lots of improvements and innovations, support for new hardware devices, and improves the overall security of the Linux kernel-based operating system used by some of the biggest enterprises and organizations around the globe. Among some of the major new features implemented in the Red Hat Enterprise Linux 7.3 release, we can mention important networking improvements, and support for Non-Volatile Dual In-line Memory Modules (NVDIMMs). Read more Also: CentOS 6 Linux OS Receives Important Kernel Security Update from Red Hat Release of Red Hat Virtualization 4 Offers New Functionality for Workloads

Ubuntu 16.10 Beta 1 Released, Available to Download Now

The Ubuntu 16.10 Beta 1 releases are now available to download. You know the drill by now: {num} Ubuntu flavors, some freshly pressed ISOs, plenty of new bugs to find and no guarantees that things won’t go boom. Read more Also: Ubuntu 16.10 Beta Launches for Opt-in Flavors, Adds GCC 6.2 and LibreOffice 5.2

Games for GNU/Linux

PC-BSD Becomes TrueOS, FreeBSD 11.0 Reaches RC2

  • More Details On PC-BSD's Rebranding As TrueOS
    Most Phoronix readers know PC-BSD as the BSD operating system derived from FreeBSD that aims to be user-friendly on the desktop side and they've done a fairly good job at that over the years. However, the OS has been in the process of re-branding itself as TrueOS. PC-BSD has been offering "TrueOS Server" for a while now as their FreeBSD-based server offering. But around the upcoming FreeBSD 11.0 release they are looking to re-brand their primary desktop download too now as TrueOS.
  • FreeBSD 11.0-RC2 Arrives With Fixes
    The second release candidate to the upcoming FreeBSD 11 is now available for testing. FreeBSD 11.0-RC2 ships with various bug fixes, several networking related changes, Clang compiler fixes, and other updates. FreeBSD 11.0 is bringing updated KMS drivers, Linux binary compatibility layer improvements, UEFI improvements, Bhyve virtualization improvements, and a plethora of other work. Those not yet familiar with FreeBSD 11 can see the what's new guide.