LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Tuesday's security updates

Tue, 01/04/2014 - 4:56pm

CentOS has updated wireshark (C6; C5: multiple vulnerabilities).

Debian has updated a2ps (multiple vulnerabilities), mediawiki (corrects a problem with a previous update), and openswan (two vulnerabilities).

Mageia has updated 389-ds-base (privilege escalation), file (denial of service), iceape (multiple vulnerabilities), mutt (code execution), openssh (restriction bypass), perltidy (insecure temporary file creation), and stunnel (private key leak).

Oracle has updated wireshark (OL6; OL5: multiple vulnerabilities).

Red Hat has updated wireshark (RHEL6; RHEL5: multiple vulnerabilities).

Scientific Linux has updated wireshark (SL6; SL5: multiple vulnerabilities).

Ubuntu has updated linux-lts-raring (12.04 LTS: multiple vulnerabilities).

Stable kernel updates

Mon, 31/03/2014 - 9:07pm
Stable kernels 3.13.8, 3.10.35, and 3.4.85 have been released. All contain important fixes.

Karen Sandler joins Conservancy's Management Team

Mon, 31/03/2014 - 6:43pm
Software Freedom Conservancy has announced that Karen M. Sandler is the Conservancy's new Executive Director. "Bradley M. Kuhn, outgoing Executive Director, gratefully passes the torch to his long-time colleague Karen Sandler. While Kuhn's work as Conservancy's President and on its Board of Directors remain unchanged, Kuhn's new full-time staff role is titled “Distinguished Technologist”."

GNOME News announces Karen's departure as GNOME Foundation Executive Director. "Though Karen will no longer be the GNOME Foundation Executive Director, she will still be a part of the GNOME project. She has announced her intention to run for the Board of Directors, and wrote “I will stay on as pro bono counsel, and of course I’ll continue volunteering in other ways.”"

Open Build Service 2.5 released

Mon, 31/03/2014 - 6:21pm
Open Build Service 2.5 has been released. "With this release you can plug OBS into your continuous integration/delivery chain thanks to the new token API that lets you trigger builds from revision control systems like github. 2.5 further merges the Web UI and API into one single Ruby on Rails app, so it is easier for you to maintain, easier for us to extend and most important way snappier to use for your packagers. This release also begins to unify the various places where you can configure things into the OBS API, introduces an integrated comment and notification system and saves your OBS servers some cycles by automatically cleaning up left over branches."

Security advisories for Monday

Mon, 31/03/2014 - 4:16pm

Debian has updated libspring-java (two vulnerabilities) and mediawiki (multiple vulnerabilities).

Fedora has updated curl (F20; F19: wrong re-use of connections in libcurl), httpd (F20: denial of service), k4dirstat (F20; F19: command execution), moodle (F20; F19: multiple vulnerabilities), seamonkey (F20: multiple vulnerabilities), and udisks (F20: privilege escalation).

Slackware has updated curl (multiple vulnerabilities), httpd (multiple vulnerabilities), firefox (multiple vulnerabilities), nss (incorrect wildcard certificate handling), thunderbird (multiple vulnerabilities), openssh (restriction bypass), and seamonkey (multiple vulnerabilities).

The 3.14 kernel is out

Mon, 31/03/2014 - 4:13am
Linus has released the 3.14 kernel. "So we had a few fairly late changes that I could have done without, but the changelog from -rc8 is still pretty small, and I'm feeling pretty good about it all." Headline features in this release include user-space lock debugging, the deadline scheduler, event triggers in the tracing subsystem, the zram swap subsystem, and various networking changes including the heavy-hitter filter, the PIE packet scheduler and TCP auto corking. See the KernelNewbies 3.14 page for details.

Sailfish OS builds available for Nexus 4

Fri, 28/03/2014 - 9:36pm

Owners of Nexus 4 mobile phones now have yet another open source operating system that they can install: Sailfish OS, the Maemo/MeeGo descendant being developed by the team at Jolla. As a post at JollaUsers.com notes, an email went out to mailing list subscribers announcing the availability of "Early Adopter" Sailfish OS images for the Nexus 4. The builds are far from complete; as the release notes explain, voice calls are not yet enabled, nor are "Sensors, Device clock/alarms, Reset device, Bluetooth, USB control + MTP, Bluetooth, WLAN hotspot, Camera (photography, video recording), and video playback." Nevertheless, Sailfish OS is now on its way to a wider range of devices, and users have another Linux-based mobile platform to experiment with.

Friday's security updates

Fri, 28/03/2014 - 2:03pm

Debian has updated postfixadmin (privilege escalation).

Fedora has updated kernel (F19; F20: multiple vulnerabilities) and samba (F19: multiple vulnerabilities).

SUSE has updated kernel (multiple vulnerabilities).

Best Quotes from the Linux Kernel Developer Panel (Linux.com)

Thu, 27/03/2014 - 11:45pm
Linux.com presents a few quotes from the Kernel Developer Panel at the Linux Foundation Collaboration Summit. Kernel developers Greg Kroah-Hartman, Jens Axboe, Dave Chinner, Matthew Garrett, and Mel Gorman participated in the panel discussion, moderated by Jon Corbet. A video accompanies the article.

The Linux kernel is one of the largest collaborative software projects in the history of the world and has almost nothing in the way of formalized management structure. We have people who have a strong operating systems background who have been contributing code, and then we have people like me. I have a background in fruit fly genetics and yet someone lets me get close to the Linux kernel; this seems wrong. And then we have people who are genuinely kids in their bedroom. It's a miracle it works as well as it does. We should be astonished that we're able to get it so right so much of the time. -- Matthew Garrett

Thursday's security advisories

Thu, 27/03/2014 - 4:32pm

CentOS has updated samba (C6: multiple vulnerabilities).

Debian has updated libxalan2-java (information disclosure/code execution), libyaml (code execution), libyaml-libyaml-perl (code execution), ruby-actionmailer-3.2 (denial of service), and ruby-actionpack-3.2 (multiple vulnerabilities).

Fedora has updated file (F20: denial of service) and file (F19: code execution).

Gentoo has updated grep (code execution) and PlRPC (code execution).

SUSE has updated crowbar-barclamp-network (doesn't enforce security groups) and IBM Java 6 (multiple vulnerabilities).

Ubuntu has updated samba (password guessing attacks).

[$] LWN.net Weekly Edition for March 27, 2014

Thu, 27/03/2014 - 12:07am
The LWN.net Weekly Edition for March 27, 2014 is available.

Linux Storage, Filesystem, and Memory Management Summit coverage

Wed, 26/03/2014 - 11:44pm

Somewhat more than half of LWN's coverage of this year's LSFMM Summit is now available. Subscribers can have a look at a wide range of topics that were discussed on March 24 and 25 in Napa, California. More coverage will be added to the page as it becomes available.

[$] Facebook and the kernel

Wed, 26/03/2014 - 7:45pm
As one of the plenary sessions on the first day of the Linux Storage, Filesystem, and Memory Management (LSFMM) Summit, Btrfs developer Chris Mason presented on how his new employer, Facebook, uses the Linux kernel. He shared some of the eye-opening numbers that demonstrate just how much processing Facebook does using Linux, along with some of the "pain points" the company has with the kernel.

Subscribers can click below for a report on the talk from this week's edition.

GNOME 3.12 Released

Wed, 26/03/2014 - 6:23pm
GNOME 3.12 is out. "This is an exciting release for GNOME, and brings many new features and improvements, including app folders, enhanced system status and high-resolution display support. This release also includes new and redesigned applications for video, software, editing, sound recording and internet relay chat. Under the hood, support for using Wayland instead of X has progressed significantly." More information can be found in the release notes.

Security updates for Wednesday

Wed, 26/03/2014 - 4:34pm

CentOS has updated kernel (C6: multiple vulnerabilities).

Gentoo has updated libupnp (multiple vulnerabilities).

openSUSE has updated firefox (13.1, 12.3: multiple vulnerabilities), lighttpd (13.1, 12.3: two vulnerabilities), and nginx (13.1: code execution).

Oracle has updated kernel (OL6: multiple vulnerabilities) and samba (OL6; OL5: multiple vulnerabilities).

Scientific Linux has updated kernel (SL6: multiple vulnerabilities) and samba and samba3x (SL5&6: multiple vulnerabilities).

SUSE has updated gnutls (certificate verification issues), openssl-certs (certificate update), and Xen (multiple vulnerabilities).

Full Disclosure Mailing List: A Fresh Start

Wed, 26/03/2014 - 2:28pm
The full-disclosure mailing list is back. Nmap developer Fyodor has announced that he is resurrecting the list after its abrupt closure in mid-March. "The new list must be run by and for the security community in a vendor-neutral fashion. It will be lightly moderated like the old list, and a volunteer moderation team will be chosen from the active users. As before, this will be a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature, light (versus restrictive) moderation, and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts won't be tolerated!"

Mozilla's "rr" debugger

Wed, 26/03/2014 - 12:00pm
Robert O'Callahan has posted an announcement of a new record-and-replay debugger (called rr) from the Mozilla project. "It's difficult to communicate the feeling of debugging with rr, but if you've ever done something wrong during debugging (e.g. stepped too far) and had that 'crap! Now I have to start all over again' sinking feeling --- rr does away with that. Everything you already learned about the execution --- e.g. the addresses of the objects that matter --- remains valid when you start the next replay. Your understanding of the execution increases monotonically."