LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

OpenSSH 7.3 released

Monday 1st of August 2016 02:15:05 PM
OpenSSH 7.3 is out. This release fixes a number of security issues (mostly related to timing attacks) and adds a handful of new minor features. The developers also warn that RSA keys less than 1024 bits will be refused in a near-future release.

The July 2016 Android security bulletin

Monday 1st of August 2016 01:14:30 PM
The Android security bulletin for July covers the issues that have recently been fixed for supported Android devices. "The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files." There are several dozen CVE numbers listed overall, including 31 Qualcomm-specific vulnerabilities dating as far back as 2013.

Pagès: GIMP 2.9.4 and our vision for GIMP future

Saturday 30th of July 2016 09:52:41 PM
Jehan Pagès writes about the current GIMP development release and the plan from here. "I want to imagine a future where most big graphics program integrates GEGL, where Blender for instance would have GEGL as the new implementation of nodes, with image processing graphs which can be exchanged between programs, where darktable would share buffers with GIMP so that images can be edited in one program and updated in real time in the other, and so on. Well of course the short/mid-term improvements will be non-destructive editing with live preview on high bit depth images, and that’s already awesomely cool right?" See also the announcement for more information on the GIMP 2.9.4 release.

SPI board election results are available

Friday 29th of July 2016 11:24:27 PM

Software in the Public Interest (SPI) has completed its 2016 board elections. There were two open seats on the board in addition to four board members whose terms were expiring. The six newly elected members of the board are Luca Filipozzi, Joerg Jaspert, Jimmy Kaplowitz, Andrew Tridgell, Valerie Young, and Martin Zobel-Helas. The full results, including voter statistics, are also available.

Friday's security updates

Friday 29th of July 2016 02:27:41 PM

Debian-LTS has updated cakephp (denial of service) and perl (multiple vulnerabilities).

Fedora has updated drupal7-views (F24; F23: access bypass), golang (F24; F23: denial of service), java-1.8.0-openjdk (F24; F23: multiple vulnerabilities), php-guzzlehttp-guzzle (F24; F23: proxy injection), and php-guzzlehttp-guzzle6 (F24; F23: proxy injection).

Slackware has updated libidn (3.0, 13.1, 13.37, 14.0, 14.1, 14.2: multiple vulnerabilities).

SUSE has updated libarchive (SLE 12: multiple vulnerabilities).

Ingebrigtsen: The End of Gmane?

Thursday 28th of July 2016 03:54:00 PM
On his blog, Gmane creator and maintainer Lars Magne Ingebrigtsen warns that the email-to-news (and web) gateway may be disappearing soon. The site, which is hosted by his employer, has been under a distributed denial of service (DDoS) attack for the last few weeks, but there are other problems as well. "And now the DDoS stuff, which I have no idea why is happening, but I can only assume that somebody is angry about something. Probably me being a wise ass. So… it’s been 14 years… I’m old now. I almost threw up earlier tonight because I’m so stressed about the situation. I should retire and read comic books and watch films. Oh, and the day job. Work, work, work. Oh, and Gnus. I’m thinking about ending Gmane, at least as a web site. Perhaps continue running the SMTP-to-NNTP bridge? Perhaps not? I don’t want to make 20-30K mailing lists start having bouncing addresses, but I could just funnel all incoming mail to /dev/null, I guess…" The site, which has been relied on by many (including LWN) since it started in 2002, is down now and it appears to be unclear when (or if) it will be back.

Security advisories for Thursday

Thursday 28th of July 2016 03:45:21 PM

Debian has updated xen (multiple vulnerabilities, one from 2015).

Debian-LTS has updated tardiff (two vulnerabilities from 2015).

Fedora has updated httpd (F23: HTTP redirect), libarchive (F24: code execution), and libvirt (F23: authentication bypass).

openSUSE has updated dropbear (42.1, 13.2: multiple vulnerabilities), go (13.2: HTTP request smuggling flaws from 2015), karchive (42.1, 13.2: code execution), mbedtls (42.1: three vulnerabilities), python (42.1, 13.2: three vulnerabilities), and tiff (13.2: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (multiple vulnerabilities).

[$] LWN.net Weekly Edition for July 28, 2016

Thursday 28th of July 2016 12:26:20 AM
The LWN.net Weekly Edition for July 28, 2016 is available.

[$] One-time passwords and GnuPG with Nitrokey

Wednesday 27th of July 2016 09:24:36 PM

A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.

Stable kernel updates

Wednesday 27th of July 2016 08:18:41 PM
Greg Kroah-Hartman has released stable kernels 4.6.5, 4.4.16, and 3.14.74. All of them contain important fixes.

A statement from the Tor project

Wednesday 27th of July 2016 05:10:16 PM
Shari Steele has posted a statement from the Tor project on the results of an investigation into the allegations of harassment (and worse) within Tor and how the project will respond. "I am pleased, therefore, to announce that both the Tor Project and the Tor community are taking active steps to strengthen our ability to handle problems of unprofessional behavior. Specifically, the Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints, and an internal complaint review process. They were recently approved by Tor’s board of directors, and they will be rolled out internally this week."

Security advisories for Wednesday

Wednesday 27th of July 2016 04:14:50 PM

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), samba (C7: crypto downgrade), and samba4 (C6: crypto downgrade).

Debian has updated libgd2 (denial of service), mariadb-10.0 (multiple vulnerabilities), and php5 (multiple vulnerabilities).

Debian-LTS has updated libgd2 (denial of service).

Mageia has updated apache (HTTP redirect), harfbuzz (multiple vulnerabilities), libgd (three vulnerabilities), libidn (multiple vulnerabilities), libupnp (unauthenticated access), libxml2 (multiple vulnerabilities), mariadb (multiple vulnerabilities), mupdf (denial of service), php/xmlrpc-epi/timezone (multiple vulnerabilities), sudo (race condition), tomcat/apache-commons-fileupload (denial of service), and virtualbox (allows local users to affect availability).

Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.7: privilege escalation).

Scientific Linux has updated samba (SL7: crypto downgrade) and samba4 (SL6: crypto downgrade).

Ubuntu has updated kde4libs (15.10, 14.04, 16.04: command execution) and openjdk-8 (16.04: multiple vulnerabilities).

More in Tux Machines

KDevelop 5.0.0 release

Almost two years after the release of KDevelop 4.7, we are happy to announce the immediate availability of KDevelop 5.0. KDevelop is an integrated development environment focusing on support of the C++, Python, PHP and JavaScript/QML programming languages. Many important changes and refactorings were done for version 5.0, ensuring that KDevelop remains maintainable and easy to extend and improve over the next years. Highlights include much improved new C/C++ language support, as well as polishing for Python, PHP and QML/JS.

CoreOS 1068.10.0 Released with Many systemd Fixes, Still Using Linux Kernel 4.6

Today, August 23, 2016, the development team behind the CoreOS security-oriented GNU/Linux operating system have released the CoreOS 1068.10.0 stable update, along with new ISO images for all supported platforms.

SUSE Linux and openSUSE Leap to Offer Better Support for ARM Systems Using EFI

The YaST development team at openSUSE and SUSE is reporting on the latest improvements that should be available in the upcoming openSUSE Leap 42.2 and SUSE Linux Enterprise 12 Service Pack 2 operating systems.

Create modular server-side Java apps direct from mvn modules with diet4j instead of an app server

In the latest release, the diet4j module framework for Java has learned to run modular Java apps using the Apache jsvc daemon (best known from running Tomcat on many Linux distros). If org.example.mydaemon is your top Maven project, all you do is specify it as the root module for your jsvc invocation, and diet4j figures out the dependencies when jsvc starts. An example systemd.service file is available.