Language Selection

English French German Italian Portuguese Spanish


Syndicate content is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Updated: 1 hour 57 min ago

Security updates for Friday

Friday 18th of November 2016 04:10:23 PM

Debian has updated drupal7 (multiple vulnerabilities) and gst-plugins-bad1.0 (code execution).

Debian-LTS has updated akonadi (denial of service) and curl (multiple vulnerabilities).

Mageia has updated derby (information leak), dracut (information leak), gnuchess (code execution from 2015), irssi (information leak), libtiff (multiple vulnerabilities), memcached (three code execution flaws), python-pillow (two vulnerabilities), resteasy (code execution), sudo (privilege escalation), systemd (denial of service), tar (file overwrite), and wireshark (multiple vulnerabilities).

openSUSE has updated ghostscript (42.1: regression in previous security update), GraphicsMagick (42.1, 13.2: denial of service), ImageMagick (13.2: denial of service), jasper (42.2, 42.1: multiple vulnerabilities, some from 2015, 2014, and 2008), memcached (42.2; 42.1, 13.2: three code execution flaws), otrs (42.2, 13.2:), php5 (42.2; 42.1: three vulnerabilities), and util-linux (42.1: denial of service).

Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities).

LinuxCon + CloudOpen + ContainerCon Become The Linux Foundation Open Source Summit for 2017

Thursday 17th of November 2016 08:25:50 PM
The Linux Foundation has announced that it is consolidating three conferences under one name going forward. LinuxCon, CloudOpen, and ContainerCon join together under the "Linux Foundation Open Source Summit" name. For 2017, that encompasses three events: OSS Japan in Tokyo May 31-June 2, OSS North America in Los Angeles September 11-13, and OSS Europe in Prague October 23-25. "The Linux Foundation Open Source Summit in North America and Europe will also contain a brand new event, Community Leadership Conference. Attendees will have access to sessions across all events in a single venue, enabling them to collaborate and share information across a wide range of open source topics and areas of technology. They can take advantage of not only unparalleled educational opportunities, but also an expo hall, networking activities, hackathons, additional co-located events and The Linux Foundation’s diversity initiatives, including free childcare, nursing rooms, non-binary restrooms and a diversity luncheon."

Mission Improbable: Hardening Android for Security And Privacy (Tor blog)

Thursday 17th of November 2016 08:02:26 PM
The Tor blog has a post about the refresh of its Tor-enabled Android phone prototype, which is now in a workable state though it still has some rough edges. There is also a worrisome trend that the post highlights: "It is unfortunate that Google seems to see locking down Android as the only solution to the fragmentation and resulting insecurity of the Android platform. We believe that more transparent development and release processes, along with deals for longer device firmware support from SoC vendors, would go a long way to ensuring that it is easier for good OEM players to stay up to date. Simply moving more components to Google Play, even though it will keep those components up to date, does not solve the systemic problem that there are still no OEM incentives to update the base system. Users of old AOSP base systems will always be vulnerable to library, daemon, and operating system issues. Simply giving them slightly more up to date apps is a bandaid that both reduces freedom and does not solve the root security problems. Moreover, as more components and apps are moved to closed source versions, Google is reducing its ability to resist the demand that backdoors be introduced. It is much harder to backdoor an open source component (especially with reproducible builds and binary transparency) than a closed source one."

Security updates for Thursday

Thursday 17th of November 2016 03:56:46 PM

Arch Linux has updated firefox (multiple vulnerabilities), libgit2 (two vulnerabilities), python-django (two vulnerabilities), and python2-django (two vulnerabilities).

Debian has updated firefox-esr (multiple vulnerabilities).

Fedora has updated bind99 (F24: two vulnerabilities), firefox (F24: multiple vulnerabilities), and kernel (F24: denial of service).

Gentoo has updated libuv (privilege escalation from 2015).

Mageia has updated nss, firefox (multiple vulnerabilities).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities) and nss and nss-util (OL7; OL6; OL5: two vulnerabilities).

Red Hat has updated openssl (RHEL6: denial of service).

[$] Weekly Edition for November 17, 2016

Thursday 17th of November 2016 01:05:56 AM
The Weekly Edition for November 17, 2016 is available.

Farewell to Rob Collins

Wednesday 16th of November 2016 05:36:31 PM
The EuroPython Society shares the sad news that Rob Collins has passed away. "Many of you may know Rob from the sponsored massage sessions he regularly ran at EuroPython in recent years and which he continued to develop, taking them from a single man setup (single threaded process) to a group of people setup by giving workshops (multiprocessing) and later on by passing on his skills to more leaders (removing the GIL) to spread wellness and kindness throughout our conference series."

Security advisories for Wednesday

Wednesday 16th of November 2016 05:01:33 PM

Debian has updated akonadi (denial of service), gst-plugins-bad0.10 (code execution), and moin (cross-site scripting).

Debian-LTS has updated mysql-5.5 (multiple unspecified vulnerabilities) and postgresql-9.1 (PostgreSQL 9.1 is eol, users are encouraged to upgrade).

Mageia has updated libarchive (unspecified).

openSUSE has updated pcre (13.2: multiple vulnerabilities).

Oracle has updated 389-ds-base (OL6: three vulnerabilities) and kernel (OL6: multiple vulnerabilities).

Red Hat has updated 389-ds-base (RHEL6: three vulnerabilities), atomic-openshift (RHOSCP3.3: redirect network traffic), atomic-openshift-utils (RHOSCP3.2,3.3: code execution), firefox (RHEL5,6,7: multiple vulnerabilities), kernel (RHEL6: two vulnerabilities), and nss and nss-util (RHEL5,6,7: three vulnerabilities).

Microsoft joins The Linux Foundation

Wednesday 16th of November 2016 04:35:08 PM
The Linux Foundation has announced that Microsoft has joined as a platinum member. "From cloud computing and networking to gaming, Microsoft has steadily increased its engagement in open source projects and communities. The company is currently a leading open source contributor on GitHub and earlier this year announced several milestones that indicate the scope of its commitment to open source development."

Firefox 50.0

Tuesday 15th of November 2016 08:48:59 PM
Mozilla has released Firefox 50.0. This version features improved performance for SDK extensions or extensions using the SDK module loader, added download protection for a large number of executable file types, added option to Find in page that allows users to limit search to whole words only, and more. See the release notes for details.

Two stable kernel updates

Tuesday 15th of November 2016 06:25:07 PM
Stable kernels 4.8.8 and 4.4.32 have been released. Both of them contain important fixes and users should upgrade.

Security updates for Tuesday

Tuesday 15th of November 2016 05:45:16 PM

Arch Linux has updated shutter (code execution).

Debian-LTS has updated sudo (privilege escalation).

Fedora has updated libgit2 (F24: unspecified), memcached (F24; F23: code execution), python-django (F24: two vulnerabilities), and tre (F24; F23: code execution).

Gentoo has updated libpng (multiple vulnerabilities), polkit (privilege escalation), tnftp (command execution from 2014), xen (multiple vulnerabilities), and xinetd (privilege escalation from 2013).

openSUSE has updated Chromium (SPH for SLE12; Leap42.2, Leap42.1, 13.2: multiple vulnerabilities).

Oracle has updated policycoreutils (OL7; OL6: sandbox escape).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), qemu-kvm-rhev (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: denial of service), rh-mysql56-mysql (RHSCL: multiple vulnerabilities), and rh-php56 (RHSCL: multiple vulnerabilities).

The "cryptsetup initrd root shell" vulnerability

Tuesday 15th of November 2016 03:58:04 PM
Hector Marco and Ismael Ripoll report a discouraging vulnerability in many encrypted disk setups: simply running up too many password failures will eventually result in a root shell. "This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouse."

KDE neon users may want to reinstall

Monday 14th of November 2016 10:14:29 PM
The KDE Project has a little problem to report for users of the KDE neon distribution: "The package archive used by KDE neon was incorrectly configured allowing anyone to upload packages to it. There is no reason to think that anyone actually did so but as a precaution we have emptied the archives and removed ISOs built before this date." Once the process of rebuilding the archive is complete, users are recommended to upgrade to the new versions, or, better, simply reinstall.

The Linux Foundation's Core Infrastructure Initiative Renews Funding for Reproducible Builds Project

Monday 14th of November 2016 10:10:21 PM
The Core Infrastructure Initiative (CII) has announced continued financial support for the Reproducible Builds Project. "The grant extends the contribution to include Debian developers Chris Lamb, Mattia Rizzolo, Ximin Luo and Vagrant Cascadian, as well as extending funding for Holger Levsen. Furthermore, this contribution adds support for Ed Maste, working with FreeBSD." (Thanks to Paul Wise)

[$] Topics in live kernel patching

Monday 14th of November 2016 08:42:31 PM
Getting live-patching capabilities into the mainline kernel has been a multi-year process. Basic patching support was merged for the 4.0 release, but further work has been stalled over disagreements on how the consistency model — the code ensuring that a patch is safe to apply to a running kernel — should work. The addition of kernel stack validation has addressed the biggest of the objections, so, arguably, it is time to move forward. At the 2016 Linux Plumbers Conference, developers working on live patching got together to discuss current challenges and future directions.

Click below (subscribers only) for the full report from LPC 2016.

Security advisories for Monday

Monday 14th of November 2016 05:12:04 PM

CentOS has updated java-1.7.0-openjdk (C6: multiple vulnerabilities), libgcrypt (C6: flawed random number generation), and pacemaker (C6: privilege escalation).

Debian has updated mariadb-10.0 (multiple vulnerabilities) and terminology (command execution).

Fedora has updated bind (F24: denial of service), mingw-libwebp (F24: integer overflows), sudo (F24: privilege escalation), and tomcat (F24; F23: multiple vulnerabilities).

Mageia has updated libwmf (denial of service), monit (cross-site request forgery), python-cryptography (returns empty byte-string), and quagga (stack overrun).

openSUSE has updated flash-player (13.1: multiple vulnerabilities), mysql-community-server (Leap42.2: multiple vulnerabilities), and opera (Leap42.2; Leap42.1: multiple vulnerabilities).

Red Hat has updated policycoreutils (RHEL6,7: sandbox escape).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities) and mysql (SLE11-SP4: three vulnerabilities).

Kernel prepatch 4.9-rc5

Sunday 13th of November 2016 07:27:53 PM
The 4.9-rc5 kernel prepatch is out. Linus says: "Things have definitely gotten smaller, so a normal release schedule (with rc7 being the last one) is still looking possible despite the large size of 4.9. But let's see how things work out over the next couple of weeks. In the meantime, there's a lot of normal fixes in here, and we just need more testing."

Security Exercises (Linux Journal)

Friday 11th of November 2016 08:54:23 PM
Over at Linux Journal, Susan Sons has a lengthy article on security exercises, which are a way to test the readiness of a project or organization for some kind of security problem. "Scheduling exercises at a predictable time and reminding others when it will happen prevents confusion among staff. It is wise to begin with low-impact exercises (more on this below) that don't leverage production systems, and move on to higher-potential-impact exercises only when the organization's infrastructure and personnel have had most of the bugs shaken out. If something as small as a runaway process on a single server can seriously impact your business, it's better to find out at a planned time with all hands on deck than at 4am on a holiday when no one who knows what to do can be reached. The whole point of security exercises is to increase resilience: raise the threshold of what is normal for your team to deal with, what your systems can shrug off." She followed that article up with some example security exercises.

Security updates for Friday

Friday 11th of November 2016 04:54:44 PM

Debian has updated pillow (two vulnerabilities).

Fedora has updated jasper (F23: multiple vulnerabilities), kdepimlibs (F23: three vulnerabilities), libXi (F23: two vulnerabilities), and xen (F23: multiple vulnerabilities).

Mageia has updated freeimage (two vulnerabilities, one from 2015).

openSUSE has updated curl (42.1: multiple vulnerabilities), flash-player (13.2: multiple vulnerabilities), gd (42.1: three vulnerabilities), ImageMagick (42.1: multiple vulnerabilities, some from 2014 and 2015), and mysql-community-server (42.1, 13.2: multiple vulnerabilities, many unspecified).

Oracle has updated 389-ds-base (OL7: unspecified), bind (OL7: denial of service), curl (OL7: TLS botch), dhcp (OL7: unspecified), firewalld (OL7: authentication bypass), fontconfig (OL7: privilege escalation), gimp (OL7: code execution), glibc (OL7: code execution), java-1.7.0-openjdk (OL7: unspecified), kernel (OL7: multiple vulnerabilities, some from 2013 and 2015), krb5 (OL7: two vulnerabilities), libgcrypt (OL7: bad random numbers), libguestfs (OL7: information leak from 2015), libreoffice (OL7: code execution), libreswan (OL7: denial of service), libvirt (OL7: three vulnerabilities, two from 2015), mariadb (OL7: privilege escalation), mod_nss (OL7: cipher choosing botch), nettle (OL7: multiple vulnerabilities, three from 2015), NetworkManager (OL7: information leak), ntp (OL7: multiple vulnerabilities from 2015), openssh (OL7: privilege escalation from 2015), php (OL7: multiple vulnerabilities), poppler (OL7: code execution from 2015), postgresql (OL7: two vulnerabilities), python (OL7: code execution), qemu-kvm (OL7: two vulnerabilities), resteasy-base (OL7: code execution), squid (OL7: multiple vulnerabilities), sudo (OL7: information disclosure), systemd (OL7: denial of service), tomcat (OL7: multiple vulnerabilities, three from 2015), util-linux (OL7: denial of service), and wget (OL7: code execution).

Ubuntu has updated kernel (16.10; 16.04: denial of service), kernel (14.04: multiple vulnerabilities, one from 2014 and 2015), kernel (12.04: two vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities, one from 2014 and 2015), linux-lts-xenial (14.04: denial of service), linux-raspi2 (16.10: denial of service), linux-snapdragon (16.04: denial of service), and linux-ti-omap4 (12.04: two vulnerabilities).

Fedora 25 to have MP3 playback

Thursday 10th of November 2016 10:50:18 PM
Christian Schaller writes that, after all these years, a stock Fedora system will be able to play MP3 files. "I know this has been a big wishlist item for a long time for a lot of people so I am really happy that we are finally in a position to fulfill that wish. You should be able to download the mp3 plugin on day 1 through GNOME Software or through the missing codec installer in various GStreamer applications. For Fedora Workstation 26 I would not be surprised if we decide to ship it on the install media."

More in Tux Machines

Leftovers: GNU/Linux

  • Internal Multi-Threading Arrives For Gallium3D's Direct3D 9 "Nine"
  • Another nasty Linux kernel bug surfaces [Ed: Did you know that local priv. escalation is a “nasty” bug? CVE isn’t so sexy. Give it a logo, name, and Web site maybe? Look what a disgusting thing the security ‘industry’ and reporting have become…]
  • Don't have a Dirty COW, man: Android gets full kernel hijack patch
  • Day trip in Cape Town, part 2
    Let me get some interesting tit-bits not related to the day-trip out-of-the-way first – I don’t know whether we had full access to see all parts of fuller hall or not. Couple of days I was wondering around Fuller Hall, specifically next to where clothes were pressed. Came to know of the laundry service pretty late but still was useful. Umm… next to where the ladies/gentleman pressed our clothes, there is a stairway which goes down. In fact even on the opposite side there is a stairway which goes down. I dunno if other people explored them or not.
  • IGEL Introduces Revolutionary Micro Thin Client
  • Samsung Gear Manager for S3 / S2 and non-Samsung Android devices
    The Samsung Gear S3 has made its way to many markets including the US, Europe, and the far east. If you have a Samsung Galaxy Device then you can download the Gear Manager App, that is used to connect to the smartwatch with the phone, from Galaxy Apps Store. If you are using a non-Samsung device you have to do things a little differently. [...] Whilst we wait for the iOS Gear Manager app to become available users are using the Leaked version that became available. Hopefully, we won’t have to wait too long now for the official version.

Leftovers: Games and Software

Leftovers: OSS and Sharing

  • Lenovo Cloud Director: Open Source Technologies Are The Glue That Binds The Hybrid Cloud
    Hardware giant Lenovo is banking on a future where both public and private clouds are critical in driving IT innovation, and the glue binding those hybrid environments is mostly open source technologies. Dan Harmon, Lenovo's group director of cloud and software-defined infrastructure, encouraged solution providers attending the NexGen Cloud Conference & Expo on Wednesday to explore opportunities to engage Lenovo as its products stock the next generation of cloud data centers. Both public and private clouds are growing rapidly and will dominate the market by 2020, Harmon told attendees of the conference produced by CRN parent The Channel Company.
  • Cloudera Ratchets Up its Training for Top Open Source Data Solutions
    Recently, we've taken note of the many organizations offering free or low cost Hadoop and Big Data training. MIT and MapR are just a couple of the players making waves in this space. Recently, Cloudera announced a catalog of online, self-paced training classes covering the company's entire portfolio of industry-standard Apache Hadoop and Apache Spark training courses. The courses, according to Cloudera, allow you to learn about the latest big data technologies "in a searchable environment anytime, anywhere." Now, Cloudera has announced an updated lineup of training courses and performance-based certification exams for data analysts, database administrators, and developers. The expanded training offerings address the skills gap around many top open source technologies, such as Apache Impala (incubating), Apache Spark, Apache Kudu, Apache Kafka and Apache Hive.
  • Netflix’s open-source project Hollow, NVIDIA’s deep learning kits for educators, and new IBM Bluemix integrations—SD Times news digest: Dec. 6, 2016
  • Open governance enhances the value of land use policy software
    In December 2015, the COP21 Paris Agreement saw many countries commit to reducing greenhouse gas emissions through initiatives in the land sector. In this context, emissions estimation systems will be key in ensuring these targets are met. Such solutions would not only be capable of assessing past trends but also of supporting target setting, tracking progress and helping to develop scenarios to inform policy decisions.
  • Blender Institute collaborate with Lulzbot in the name of open source
    Blender Institute, a platform for 3D design and animation, are collaborating with Lulzbot 3D printers. This project a continuation of Lulzbot and Blender Institute’s approach to open source and aimed at enhancing collaboration. The Blender Institute in Amsterdam, the Netherlands, is an important figure in the Free and Open Source Software community (FOSS). Providing open source design tool software for 3D movies, games, and visual effects. While Lulzbot, a product line of Aleph Objects take an open source approach to hardware through their 3D printers.
  • Bluetooth 5 Specification Released

Remembering Linux Installfests

Ah, yes. I remember the good old days when you had to be a real man or woman to install Linux, and the first time you tried you ended up saying something like “Help!” or maybe “Mommmmyyyyy!” Really, kids, that’s how it was. Stacks of floppies that took about 7,000 hours to download over your 16 baud connection. Times sure have changed, haven’t they? I remember Caldera advertising that their distribution autodetected 1,500 different monitors. I wrote an article titled “Monitor Number 1501,” because it didn’t detect my monitor. And sound. Getting sound going in Linux took mighty feats of systemic administsationish strength. Mere mortals could not do it. And that’s why we had installfests: so mighty Linux he-men and she-women could come down from the top of Slackware Mountain or the Red Hat Volcano and share their godlike wisdom with us. We gladly packed up our computers and took them to the installfest location (often at a college, since many Linux-skilled people were collegians) and walked away with Linuxized computers. Praise be! Read more