LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
Security updates have been issued by Debian (python-django), Fedora (firebird), openSUSE (pidgin and ruby2.2, ruby2.3), Red Hat (v8), Scientific Linux (bash, coreutils, curl, glibc, gnutls, kernel, libguestfs, ocaml, openssh, qemu-kvm, quagga, samba, samba4, subscription-manager, and wireshark), and Ubuntu (lightdm, linux-hwe, linux-lts-trusty, linux-lts-xenial, linux-ti-omap4, and python-django).

In a second-day plenary session at the 2017 Linux Storage, Filesystem, and
Memory-Management Summit, Fred Knight updated the
attendees on what has happened in the storage standards world over the last
year. While the transports (e.g. Fibre Channel, Ethernet) and the SCSI
protocol have not seen a ton
of changes over the last year, the NVM Express (NVMe) standards have had a
lot of action.

Matthias Klumpp looks at the
future of the Debian derivative Tanglu. "So, what actually is the way forward? First, maybe I have the chance to find a few people willing to work on tasks in Tanglu. It’s a fun project, and I learned a lot while working on it. Tanglu also possesses some unique properties few other Debian derivatives have, like being built from source completely (allowing us things like swapping core components or compiling with more hardening flags, switching to newer KDE Plasma and GNOME faster, etc.). Second, if we do not have enough manpower, I think converting Tanglu into a rolling-release distribution might be the only viable way to keep the project running. A rolling release scheme creates much less effort for us than making releases (especially time-based ones!). That way, users will have a constantly updated and secure Tanglu system with machines doing most of the background work."

Error handling during writeback is something of a mess in Linux these days,
Jeff Layton said in his plenary session to open the second day of the 2017
Linux Storage, Filesystem, and Memory Management Summit. He has
investigated the situation and wanted to discuss it with attendees. He also
presented a proposal for a way to make things better.

As it has evolved over the years, Android has acquired some hacks in
how it handles its filesystems. Ted Ts'o would like to see those hacks
eliminated, so he led a session at LSFMM 2017 to look at the problem and
see what, if any, upstream-acceptable solution could be found.

The Association for Computing Machinery (ACM) has announced
that Sir Tim Berners-Lee is the recipient of the 2016 ACM A.M. Turing Award. "Berners-Lee was cited for inventing the World Wide Web, the first web browser, and the fundamental protocols and algorithms allowing the Web to scale. Considered one of the most influential computing innovations in history, the World Wide Web is the primary tool used by billions of people every day to communicate, access information, engage in commerce, and perform many other important activities."

Kdenlive is a video editing tool. This status
covers what the project has been working on and where they need
more help. "Since the beginning of the year, we have been working on a big refactoring/rewrite of some of the core parts of Kdenlive. Being more than 10 years old, some parts of our code had become messy and impossible to maintain. Not to mention the difficulty in adding new features.
Part of the process involves improving the architecture of the code, adding some tests, and switching the timeline code from QGraphicsView to the more recent QML framework. This should hopefully improve stability, allow further developments and also more flexibility in the display and user interaction of the timeline."

lengthy and detailed description
of how the Project Zero team reverse
engineered Broadcom's proprietary WiFi processor and developed a remote
code execution exploit. "All that said and done, the introduction of
Wi-Fi FullMAC chips does not come without a cost. Introducing these new
pieces of hardware, running proprietary and complex code bases, may weaken
the overall security of the devices and introduce vulnerabilities which
could compromise the entire system."

Security updates have been issued by Debian (collectd, curl, and tryton-server), Fedora (kernel and pcs), Mageia (jhead, munin, mxml, phpmyadmin, pidgin, and wget), openSUSE (geotiff), Red Hat (kernel), SUSE (kernel and ruby19), and Ubuntu (nagios3).

The Linux Foundation has announced
that the FRRouting project has come under the LF umbrella.
"FRRouting (FRR) is an IP routing protocol suite for Unix and Linux
platforms which includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM,
and RIP, and the community is working to make this the best routing
protocol stack available. FRR is rooted in the Quagga project and includes
the fundamentals that made Quagga so popular as well as a ton of recent
enhancements that greatly improve on that foundation." It is a fork
that originally went
under the name "Cumulus private Quagga".

Android Security Bulletin
provides a discouragingly long list of
vulnerabilities fixed in the latest update (for those with devices
sufficiently well supported to receive them). "The most severe of
these issues is a Critical security vulnerability that could enable remote
code execution on an affected device through multiple methods such as
email, web browsing, and MMS when processing media files." There's
also a fix for CVE-2016-10229, which is a remotely exploitable
vulnerability in the UDP stack that was fixed
in the 4.5 and 4.4.21 kernels. Those kernels were not vulnerable as the
result of other work, but older kernels with backported fixes (Android
kernels, for example) were.

We are getting closer to being able to do unprivileged mounts inside
containers, but there are still some pieces that do not work well in that
scenario. In particular, the user IDs (and group IDs) that are embedded
into filesystem images are problematic for this use case. James Bottomley
led a discussion on the problem in a session at the 2017 Linux Storage,
Filesystem, and Memory-Management Summit.

, and Scientific Linux
have announced the
end-of-life for version 5 of their enterprise Linux offering. As of March
31, 2017 there will be no more updates, including security updates.

Security updates have been issued by Fedora (samba) and openSUSE (ceph).

kernel prepatch has been
released for testing. "Ok, things have definitely started to calm
down, let's hope it stays this way and it wasn't just a fluke this

system call tries to do too many things, Miklos Szeredi said at the start
of a filesystem-only discussion at LSFMM 2017. He has been interested in
cleaning that up for a long time. So he wanted to discuss some ideas he
had for a new interface to mount filesystems.

Security updates have been issued by Debian (ejabberd, jhead, and samba), Fedora (chromium, drupal8, empathy, erlang, firefox, icoutils, kernel, knot-resolver, libICE, libupnp, libXdmcp, links, mbedtls, moodle, mupdf, ntp, openslp, R, rkward, rpy, sane-backends, sscg, tcpreplay, thunderbird, and webkitgtk4), Mageia (kernel, kernel-linus, and kernel-tmb), openSUSE (apache2, Chromium, kernel, and virglrenderer), Oracle (kernel), and Slackware (samba).

Crunchy Data has announced
the availability of a "security technical implementation guide" for the
PostgreSQL database management system. "While the STIG was authored
for the benefit of the U.S. Government, the DISA PostgreSQL STIG offers
security-conscious enterprises a comprehensive guide for the configuration
and operation of open source PostgreSQL. Enterprises can refer to the STIG
as for guidance on PostgreSQL security best practices they consider open
source PostgreSQL as an alternative to proprietary, closed source, database

The Scientific Linux project has announced that Scientific Linux 5 has reached its end of life. "After March 31 2017 Scientific Linux 5 will not receive further updates
and the files will be archived.
The existing files will be moved into
purposes after March 31 2017.
This will break existing yum repos and kickstarts using the official

When Andreas Dilger proposed the statx() topic for the 2017 Linux
Storage, Filesystem, and Memory-Management Summit, the system call had
still not been merged. But that all changed in the 4.11 development cycle when Al Viro merged the
system call to provide additional file information. So, unlike
years, the discussion was not about how to merge such a system call but,
instead, how to extend statx() for additional file information.