LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security updates

Friday 3rd of June 2016 02:23:31 PM

Debian has updated libxml2 (multiple vulnerabilities).

Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), libgd (M5: multiple vulnerabilities), nginx (M5: denial of service), pgpdump (M5: buffer overrun), and php (M5: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Ubuntu has updated nginx (14.04, 15.10, 16.04: denial of service).

LWN.net Weekly Edition for June 3, 2016

Friday 3rd of June 2016 12:19:33 AM
The LWN.net Weekly Edition for June 3, 2016 is available.

Patents and the open-source community

Thursday 2nd of June 2016 07:05:17 PM

At OSCON 2016 in Austin, a panel of invited experts debated the always-thorny subject of how open-source software projects deal with patents. The panel was packed, featuring representatives from the free-software world, commerce, and the legal community, so there was scarcely enough time to move through the prepared topics in the time allotted, much less to take questions from the audience. But the discussion was able to highlight a number of current issues, including patent abolition, implicit patent licenses, and where the open-source community should focus its efforts to improve matters.

Security advisories for Thursday

Thursday 2nd of June 2016 07:04:45 PM

Arch Linux has updated nginx (denial of service) and nginx-mainline (denial of service).

Debian has updated nginx (denial of service).

Debian-LTS has updated gdk-pixbuf (buffer overflows), graphicsmagick (command execution), and imagemagick (command execution).

Fedora has updated compat-nettle27 (F23: improper cryptographic calculations), dosfstools (F22: two vulnerabilities), gd (F23: two vulnerabilities), kernel (F23; F22: multiple vulnerabilities), libimobiledevice (F22: sockets listening on INADDR_ANY), libusbmuxd (F22: sockets listening on INADDR_ANY), and phpMyAdmin (F23: three vulnerabilities).

SUSE has updated java-1_8_0-ibm (SLE12-SP1: multiple vulnerabilities) and ntp (SOSC5, SMP2.1, SM2.1, SLE11-SP2,3: multiple vulnerabilities).

Ubuntu has updated imagemagick (multiple vulnerabilities).

[$] PostgreSQL 9.6 Beta and PGCon 2016

Thursday 2nd of June 2016 04:13:18 PM
PostgreSQL's annual developer conference, PGCon, took place in May, which made it a good place to get a look at the new PostgreSQL features coming in version 9.6. The first 9.6 beta was released just the week before, and several contributors demonstrated key changes at the conference in Ottawa. For many users, this was their first chance to see the finished versions of features that had been under development for months or years.

Nextcloud launches

Thursday 2nd of June 2016 01:26:38 PM
For those who have been wondering about the exodus from ownCloud, the announcement of a company called "Nextcloud" should make things clear. "Started by the well known open source file sync and share developer Frank Karlitschek and joined by the most active contributors to his previous project, building on its mature code base, we offer a more reliable and sustainable solution for users and customers. We will develop a drop-in replacement for that legacy code base over the coming weeks, providing the bug fixes and security hardening all users need and the Enterprise Subscription capabilities enterprise customers require." See also this blog post from Jos Poortvliet.

[$] Containers, pseudo TTYs, and backward compatibility

Wednesday 1st of June 2016 11:12:00 PM
There is no doubt that the addition of container technologies to Linux has created a lot of value, allowing workloads to be effectively and efficiently isolated from each other. Implementing these technologies presents a number of challenges, particularly because much of Linux and Unix was designed around singletons: objects of which there could never be more than one, such as host names, network routing tables, or process-ID namespaces. Containers require this design approach to be revised, as they need multiple instances of these objects. A singleton that has been causing problems recently is the set of pseudo terminals (TTYs).

Click below (subscribers only) for the full article from Neil Brown.

Hertz: Abusing privileged and unprivileged Linux containers

Wednesday 1st of June 2016 10:55:13 PM
This white paper by Jesse Hertz [PDF] examines various ways to compromise and escape from containers on Linux systems. "A common configuration for companies offering PaaS solutions built on containers is to have multiple customers' containers running on the same physical host. By default, both LXC and Docker set up container networking so that all containers share the same Linux virtual bridge. These containers will be able to communicate with each other. Even if this direct network access is disabled (using the --icc=false flag for Docker, or using iptables rules for LXC), containers aren't restricted for link-layer traffic. In particular, it is possible (and in fact quite easy) to conduct an ARP spoofing attack on another container within the same host system, allowing full middle-person attacks of the targeted container's traffic."

Fresh stable kernels

Wednesday 1st of June 2016 10:22:13 PM
Greg KH has released stable kernels 4.6.1, 4.5.6, 4.4.12, and 3.14.71. All of them contain important fixes.

Announcing the Open Source License API

Wednesday 1st of June 2016 06:46:32 PM
The Open Source Initiative (OSI) has announced the Open Source License API, to "allow third parties to become license-aware, and give organizations the ability to clearly determine if a license is, in fact, an Open Source license, from the authoritative source regarding Open Source licenses, the OSI."

The CoreOS "Torus" distributed storage system

Wednesday 1st of June 2016 05:33:11 PM
CoreOS has announced a new project called Torus which is creating a distributed storage system for containers. "At its core, Torus is a library with an interface that appears as a traditional file, allowing for storage manipulation through well-understood basic file operations. Coordinated and checkpointed through etcd’s consensus process, this distributed file can be exposed to user applications in multiple ways. Today, Torus supports exposing this file as block-oriented storage via a Network Block Device (NBD). We also expect that in the future other storage systems, such as object storage, will be built on top of Torus as collections of these distributed files, coordinated by etcd." The project is quite young, and the current release is a "prototype version."

Security advisories for Wednesday

Wednesday 1st of June 2016 04:39:52 PM

Debian has updated chromium-browser (multiple vulnerabilities) and imagemagick (command execution).

Debian-LTS has updated php5 (multiple vulnerabilities) and ruby-activemodel-3.2 (validation bypass).

openSUSE has updated dosfstools (Leap42.1, 13.2: two vulnerabilities), gdk-pixbuf (Leap42.1: three vulnerabilities), libarchive (13.2: code execution), openssh (Leap42.1: three vulnerabilities), p7zip (13.2: code execution), putty (Leap42.1, 13.2: code execution), and virtualbox (Leap42.1; 13.2: unspecified).

Oracle has updated ntp (OL7; OL6: multiple vulnerabilities), openssl (OL5: multiple vulnerabilities), squid (OL7; OL6: multiple vulnerabilities), and squid34 (OL6: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Scientific Linux has updated openssl (SL5: code execution).

SUSE has updated cyrus-imapd (SLES12-SP1; SLE11-SP4: multiple vulnerabilities) and java-1_6_0-ibm (SLEM for LS12: multiple vulnerabilities).

Ubuntu has updated dosfstools (two vulnerabilities), kernel (14.04: multiple vulnerabilities), libgd2 (multiple vulnerabilities), and lxd (16.04, 15.10: two vulnerabilities).
