Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 5 hours 7 min ago

[$] Visual legerdemain abounds in G'MIC 1.6.0

Wednesday 27th of August 2014 09:59:35 PM
A new stable release of the G'MIC image-processing framework was recently released. Version 1.6.0 adds a number of new commands and filters useful for manipulating image data, as well as changes to the codebase that will hopefully make G'MIC easier to integrate into other applications.

Click below (subscribers only) for a look at the G'MIC 1.6.0 release and associated GIMP plugin.

Security advisories for Wednesday

Wednesday 27th of August 2014 04:33:20 PM

Debian has updated eglibc (code execution).

Fedora has updated jakarta-commons-httpclient (F20; F19: SSL server spoofing), krb5 (F19: code execution), mediawiki (F20; F19: multiple vulnerabilities), python-pillow (F20; F19: denial of service), and sks (F20; F19: cross-site scripting).

Mageia has updated file (denial of service), grub2 (denial of service/possible code execution), harbour (denial of service/possible code execution), icecream (denial of service/possible code execution), italc (denial of service/possible code execution), kdenetwork4 (MG3: denial of service/possible code execution), libvncserver (denial of service/possible code execution), and serf (information leak).

Red Hat has updated devtoolset-2-httpcomponents-client (RHDT2: SSL server spoofing), kernel (RHEL6.4 EUS: multiple vulnerabilities), and ror40-rubygem-activerecord (RHSCL1: strong parameter protection bypass).

MediaGoblin 0.7.0 released

Wednesday 27th of August 2014 12:16:46 PM
Version 0.7.0 of the MediaGoblin media publishing platform is available. New features include initial federation support, a switch to a responsive CSS system, a "featured media" option, bulk uploading via the command line, and more. "Well we’re excited to announce that the first piece towards MediaGoblin federation has landed! We don’t have server-to-server federation working yet, but we do have the first parts of the Pump API in place: you can now use the Pump API as a media upload API!"

Cluetrain at Fifteen (Linux Journal)

Tuesday 26th of August 2014 11:13:55 PM
Doc Searls looks back over the fifteen years that have passed since he (along with Chris Locke, David Weinberger and Rick Levine) wrote "The Cluetrain Manifesto". "What we had in mind was much fresher to me in the Summer of 2000, when I worked with Jason Schumaker, another Linux Journal editor, on an interview about Cluetrain and its relevance to Linux. What we ended up with was too long for both the magazine and our website at the time, so the project got sidelined and eventually buried in archival directories, where it stayed until this morning, when I found it during a search for something else. Reading it, I realized that I had come across a kind of time capsule."

Tuesday's security advisory

Tuesday 26th of August 2014 03:54:47 PM
Today we have only one security advisory. Ubuntu has updated openjdk-7 (14.04: fixes a regression in a previous update).

The poisoned NUL byte, 2014 edition (Project Zero)

Tuesday 26th of August 2014 01:15:17 PM
For those interested in the gory details of a complex exploit, Google's Project Zero page describes the process of getting arbitrary code execution from a single NUL byte written to the heap by glibc in an off-by-one error. "The main point of going to all this effort is to steer industry narrative away from quibbling about whether a given bug might be exploitable or not. In this specific instance, we took a very subtle memory corruption with poor levels of attacker control over the overflow, poor levels of attacker control over the heap state, poor levels of attacker control over important heap content and poor levels of attacker control over program flow. Yet still we were able to produce a decently reliable exploit! And there’s a long history of this over the evolution of exploitation: proclamations of non-exploitability that end up being neither advisable nor correct."

Kernel prepatch 3.17-rc2

Tuesday 26th of August 2014 12:28:26 PM
Linus has released 3.17-rc2 a little later than might have been expected. "So I deviated from my normal Sunday schedule partly because there wasn't much there (I blame the KS and LinuxCon), but partly due to sentimental reasons: Aug 25 is the anniversary of the original Linux announcement ('Hello everybody out there using minix'), so it's just a good day for release announcements."

LinuxCon and CloudOpen 2014 Keynote Videos Available

Monday 25th of August 2014 08:52:38 PM
Videos of the keynotes for LinuxCon NA and CloudOpen are available. "The event started Wednesday, Aug. 20, with Executive Director Jim Zemlin's “State of Linux” keynote at 9 a.m. Central, followed by a panel discussion of Linux kernel developers that included Linux Creator Linus Torvalds."

Security advisories for Monday

Monday 25th of August 2014 05:04:34 PM

CentOS has updated mod_wsgi (C7: privilege escalation).

Debian has updated mediawiki (two vulnerabilities) and python-django (multiple vulnerabilities).

Fedora has updated file (F20: denial of service), fish (F20; F19: multiple vulnerabilities), libserf (F20: information leak), pen (F20: unspecified vulnerability), php-htmlpurifier-htmlpurifier (F20; F19: "Hash Length Extension" attack), phpMyAdmin (F20: multiple vulnerabilities), ppp (F20: privilege escalation), rubygem-activerecord (F20; F19: SQL injection), struts (F20: code execution), wordpress (F19: multiple vulnerabilities), and xen (F20; F19: denial of service).

Mageia has updated ansible (MG4: multiple vulnerabilities), bugzilla (cross-site request forgery), busybox (denial of service/possible code execution), jakarta-commons-httpclient (MG4; MG3: SSL server spoofing), and mednafen (denial of service/possible code execution).

openSUSE has updated IPython (13.1, 12.3: code execution), libgcrypt (13.1, 12.3: side-channel attack), and libserf, subversion (13.1, 12.3: multiple vulnerabilities).

Oracle has updated mod_wsgi (OL7: privilege escalation).

Red Hat has updated mod_wsgi (RHEL7: privilege escalation).

[$] Kernel.org news: two-factor authentication and more

Monday 25th of August 2014 04:33:38 PM
Kernel developers depend heavily on kernel.org for the hosting of Git repositories and the management of patch flow in general, so it is not surprising that the annual Kernel Summit sets aside a slot to discuss what is happening with this site. In recent years, there has been a lot of change to discuss, mostly relating to the reorganization of kernel.org management resulting from the compromise of the site in 2011. The 2014 kernel.org discussion, run by Konstantin Ryabitsev, shows that, in a lot of ways, the pace of change is slowing, but the kernel.org maintainers are still working to improve their support and make it more secure.

Day: New Human Interface Guidelines for GNOME and GTK+

Friday 22nd of August 2014 09:25:59 PM

At his blog, Allan Day announces the preliminary availability of a brand-new edition of the GNOME Human Interface Guidelines (HIG). Prepared for the upcoming GNOME 3.14 release, this is the first major overhaul of the GNOME HIG in some time. Day notes: "There is a downside to all the experimentation that has been happening in software design in recent years, of course – it can often be a bewildering space to navigate. This is where the HIG comes in. Its goal is to help developers and designers take advantage of the new abilities at their disposal, without losing their way in the process. This is reflected in the structure of the new HIG: the guidelines don’t enforce a single template on which applications have to be based, but presents a series of patterns and elements which can be drawn upon." He also emphasizes that the new HIG, despite its name, is not a GNOME-only document, but is designed to aid interface design in other GTK+ applications, too.

Calibre 2.0 released

Friday 22nd of August 2014 08:14:03 PM
Version 2.0 of the Calibre electronic book management tool has been released. There is a long list of new features since the 1.0 release. "The biggest new feature is an e-book editor, capable of editing ebooks in both the EPUB and AZW3 (Kindle) formats."

Friday's security updates

Friday 22nd of August 2014 03:21:21 PM

Debian has updated python-imaging (denial of service).

Mageia has updated krb5 (multiple vulnerabilities) and sdcc (denial of service).

Ubuntu has updated ceilometer (14.04: information leak), glance (14.04: denial of service), horizon (14.04: multiple vulnerabilities), keystone (14.04: multiple vulnerabilities), neutron (14.04: multiple vulnerabilities), and nova (14.04: information leak).

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back

Thursday 21st of August 2014 10:40:57 PM

The Free Software Foundation blog has posted an article detailing a newly discovered government surveillance project as well as a new technological countermeasure. The surveillance project is known as HACIENDA, as is reportedly a multi-national effort "to map every server in twenty-seven countries, employing a technique known as port scanning." The countermeasure, developed by Julian Kirsch, Christian Grothoff, Jacob Appelbaum, and Holger Kenn, is called TCP Stealth. According to the TCP Stealth whitepaper, the system "replaces the traditional random TCP SQN number with a token that authenticates the client and (optionally) the first bytes of the TCP payload. Clients and servers can enable TCP Stealth by explicitly setting a socket option or linking against a library that wraps existing network system calls." A Linux implementation of the scheme is available.

Thursday's security updates

Thursday 21st of August 2014 05:46:48 PM

Debian has updated libstruts1.2-java (code execution) and php5 (multiple vulnerabilities).

Fedora has updated drupal7 (F19; F20: denial of service), drupal7-date (F19; F20: cross-site scripting), libndp (F19; F20: code execution), and wordpress (F20: denial of service).

Mageia has updated catfish (M3; M4: privilege escalation), gpgme (code execution), phpmyadmin (multiple vulnerabilities), python-imaging, python-pillow (denial of service), and subversion (M3; M4: information leak).

openSUSE has updated openstack-neutron (13.1: access restriction bypass), apache2 (12.3; 13.1: multiple vulnerabilities), apache2-mod_security2 (rules bypass), krb5, (code execution), openssl (multiple vulnerabilities), python (12.3; 13.1: information leak), python3 (13.1: information leak), and samba (13.1: multiple vulnerabilities).

Red Hat has updated openstack-nova (RHEL OpenStack: multiple vulnerabilities).

Ubuntu has updated oxide-qt (14.04: multiple vulnerabilities).

Linux Foundation Technical Advisory Board election results

Thursday 21st of August 2014 04:09:40 PM
The results from the Linux Foundation TAB election have been announced; the five open seats went to Chris Mason, John Linville, H. Peter Anvin, Grant Likely, and Kristen Accardi.

More in Tux Machines

Alice is killing the trolls -- but expect patent lawyers to strike back

Open source software developers rejoice: Alice Corp. v CLS Bank is fast becoming a landmark decision for patent cases in the United States. The Court of Appeals for the Federal Circuit, which handles all appeals for patent cases in the United States, has often been criticized for its handling of these cases -- Techdirt describes it as "the rogue patent court, captured by the patent bar." But following the Alice decision, the Court of Appeals seems to have changed. Read more

How to Give your Smartphone the Android L Look

Android L is Google's latest mobile operating system. Apart from a complete UI overhaul, this version brings along a myriad of performance improvements. Compared to its competitor iOS 8, Android L outperforms the Apple mobile operating system in design and performance. Though there is no clear announcement as to when Android L will be reaching our devices, its Material Design has slowly started catching up among app developers. Furthermore, many apps have come up that let you completely change the Android smartphone’s user interface to match that of Android L. Although many of those apps are annoyingly hard to use, some of them make the job really simple. Below, we'll show you how to make the most out of such apps and then transform your phone’s UI to completely match the Android L look. Read more

Webconverger 26 Is a Secure Kiosk OS That Doesn't Store Any Data

Webconverger is a distribution designed and developed with a single goal in mind, namely to provide the best Kiosk experience possible. This means that people will be able to use that OS as a regular system, although its functionality will be limited and it will be impossible to install any other apps. This is a very helpful solution if this is a public PC, like in a library or a cafe, and it preserves the quality of the installation for a very long time. Because users can't interact with it on a deeper level, the operating system will remain stable and it will be pretty much the same like in the first day that it was used. Read more

Today in Techrights