LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

OpenBSD 5.7

Friday 1st of May 2015 05:50:30 PM
OpenBSD 5.7 has been released. This version includes improved hardware support, network stack improvements, installer improvements, security and bug fixes, and more. OpenSSH 6.8, LibreSSL, and other packages have also seen improvements and bug fixes.

Security advisories for Friday

Friday 1st of May 2015 04:02:05 PM

Arch Linux has updated perl-xml-libxml (information disclosure).

Debian has updated chromium-browser (multiple vulnerabilities).

Debian-LTS has updated libjson-ruby (denial of service), libxml-libxml-perl (information disclosure), squid (denial of service), xdg-utils (command execution), and xorg-server (information leak/denial of service).

Mageia has updated kernel (multiple vulnerabilities), kernel-linus (multiple vulnerabilities), libreoffice (code execution), ppp (denial of service), and quassel (SQL injection).

openSUSE has updated wpa_supplicant (13.2, 13.1: code execution).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL5.6: privilege escalation).

Scientific Linux has updated 389-ds-base (SL7: access control bypass).

SUSE has updated kernel (SLES10 SP4: multiple vulnerabilities).

Mozilla: Deprecating Non-Secure HTTP

Friday 1st of May 2015 01:10:03 AM
The Mozilla community has declared its intent to phase out "non-secure" (not encrypted with TLS) web access. "Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon."

Apache SpamAssassin 3.4.1 released

Thursday 30th of April 2015 08:43:40 PM
The Apache SpamAssassin 3.4.1 release is out. "Highlights include: Improved automation to help combat spammers that are abusing new top level domains; Tweaks to the SPF support to block more spoofed emails; Increased character set normalization to make rules easier to develop, block more international spam and stop spammers from using alternate character sets to bypass tests; Continued refinement to the native IPv6 support; and Improved Bayesian classification with better debugging and attachment hashing."

Unboxing Linux/Mumblehard: Muttering spam from your servers (WeLiveSecurity)

Thursday 30th of April 2015 06:40:23 PM
WeLiveSecurity reports that ESET researchers have revealed a family of Linux malware that stayed under the radar for more than 5 years. They are calling it Linux/Mumblehard. "There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average. Monitoring of the botnet suggests that the main purpose of Mumblehard seems to be to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines."

Debian GNU/Hurd 2015 released

Thursday 30th of April 2015 05:22:15 PM
Debian GNU/Hurd 2015 has been released. "This is a snapshot of Debian "sid" at the time of the stable Debian "jessie" release (April 2015), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release."

Thursday's security updates

Thursday 30th of April 2015 04:34:10 PM

Debian has updated curl (information leak), elasticsearch (directory traversal), and icecast2 (denial of service).

Debian-LTS has updated curl (two vulnerabilities), openjdk-6 (multiple vulnerabilities), php5 (multiple vulnerabilities), and qt4-x11 (multiple vulnerabilities).

Fedora has updated ax25-tools (F21; F20: denial of service), fcgi (F21; F20: denial of service), FlightGear (F21: unspecified vulnerability), FlightGear-data (F21: unspecified vulnerability), mailman (F21: path traversal attack), mksh (F21; F20: multiple issues), pdns (F21; F20: denial of service), pdns-recursor (F21; F20: denial of service), and qt (F21: multiple vulnerabilities).

Mandriva has updated glibc (MBS2.0, MBS1.0: two vulnerabilities) and sqlite3 (MBS2.0, MBS1.0: three vulnerabilities).

openSUSE has updated DirectFB (13.2, 13.1: two vulnerabilities).

Ubuntu has updated curl (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities), EC2 kernel (10.04: privilege escalation), kernel (14.10; 14.04; 12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: denial of service).

[$] LWN.net Weekly Edition for April 30, 2015

Thursday 30th of April 2015 01:04:14 AM
The LWN.net Weekly Edition for April 30, 2015 is available.

New stable kernels

Wednesday 29th of April 2015 04:51:35 PM
Greg KH has released stable kernels 4.0.1, 3.19.6, 3.14.40, and 3.10.76. All of them contain important fixes.

Security advisories for Wednesday

Wednesday 29th of April 2015 04:28:22 PM

Arch Linux has updated chromium (multiple vulnerabilities) and dovecot (denial of service).

CentOS has updated 389-ds-base (C7: access control bypass).

Debian-LTS has updated jruby (denial of service).

Fedora has updated libreoffice (F21: code execution) and yourls (F21; F20: cross-site scripting).

Mandriva has updated lftp (MBS1.0: man-in-the-middle attack), libksba (MBS1.0, MBS2.0: denial of service), ntop (MBS1.0: cross-site scripting), and t1utils (MBS1.0: multiple vulnerabilities).

openSUSE has updated curl (13.2, 13.1: multiple vulnerabilities) and python-Pillow (13.2: denial of service).

Oracle has updated 389-ds-base (OL7: access control bypass).

GNU Mailman 3.0 released

Tuesday 28th of April 2015 11:52:30 PM

GNU Mailman 3.0 has been released. "Over seven years in development, Mailman 3 represents a major new version, redesigned as a suite of cooperating components which can be used to mix and match however you want. The core engine is now backed by a relational database and exposes its functionality to other components via an administrative REST+JSON API. Our new web user interface, Postorius is Django-based, as is our new archiver HyperKitty. The core requires Python 3.4 while Postorius and HyperKitty require Python 2.7." LWN looked at Mailman 3.0 in March, and at HyperKitty in April 2014.

[$] The programming talent myth

Tuesday 28th of April 2015 11:27:27 PM

Jacob Kaplan-Moss is known for his work on Django but, as he would describe in his PyCon 2015 keynote, many think he had more to do with its creation than he actually did. While his talk ranged quite a bit, the theme covered something that software development organizations—and open source projects—may be grappling with: a myth about developer performance and how it impacts the industry. It was a thought-provoking talk that was frequently punctuated by applause; these are the kinds of issues that the Python community tries to confront head on, so the talk was aimed well.

KDE Ships Plasma 5.3

Tuesday 28th of April 2015 05:18:46 PM
KDE has announced the release of Plasma 5.3. This release features improved power management, better Bluetooth capabilities, improved Plasma widgets, a tech preview of the Plasma Media Center, big steps towards Wayland support, and more.

Tuesday's security updates

Tuesday 28th of April 2015 04:35:36 PM

Fedora has updated curl (F20: multiple vulnerabilities), firefox (F21: code execution), icu (F21; F20: multiple vulnerabilities), java-1.8.0-openjdk (F20: multiple vulnerabilities), ntp (F21: multiple vulnerabilities), ruby (F21: man-in-the-middle attack), and xulrunner (F21: code execution).

Mandriva has updated java-1.7.0-openjdk (MBS1.0: multiple vulnerabilities).

Red Hat has updated qemu-kvm-rhev (RHELOSP: privilege escalation).

Ubuntu has updated network-manager (15.04, 14.10, 14.04: information disclosure) and oxide-qt (15.04, 14.10, 14.04: multiple vulnerabilities).

Garrett: Reducing power consumption on Haswell and Broadwell systems

Monday 27th of April 2015 08:44:15 PM
Matthew Garrett looked into why Linux systems consume too much power on recent Intel chipsets and wrote up his results — a reduction of idle power use on his laptop from 8.5W to 5W. "This trend is likely to continue. As systems become more integrated we're going to have to pay more attention to the interdependencies in order to obtain the best possible power consumption, and that means that distribution vendors are going to have to spend some time figuring out what these dependencies are and what the appropriate default policy is for their users."

Security advisories for Monday

Monday 27th of April 2015 05:18:43 PM

Arch Linux has updated curl (multiple vulnerabilities) and wpa_supplicant (code execution).

Debian has updated chromium-browser (multiple vulnerabilities), kernel (multiple vulnerabilities), libreoffice (code execution), openjdk-6 (multiple vulnerabilities), openjdk-7 (multiple vulnerabilities), and wpa (code execution).

Fedora has updated cherokee (F21; F20: authentication bypass), chrony (F20: multiple vulnerabilities), php (F20: multiple vulnerabilities), qt5-qtbase (F21; F20: multiple vulnerabilities), resteasy (F20: XML eXternal Entity (XXE) attacks), spatialite-tools (F20: multiple vulnerabilities), sqlite (F20: multiple vulnerabilities), wesnoth (F21; F20: information leak), wpa_supplicant (F21: code execution), and zarafa (F21; F20: denial of service).

Mageia has updated php (three vulnerabilities) and wordpress (multiple vulnerabilities).

Mandriva has updated asterisk (MBS1.0: SSL server spoofing), glusterfs (MBS2.0: denial of service), librsync (MBS1.0: file checksum collision), perl-Module-Signature (MBS1.0: multiple vulnerabilities), php (MBS1.0, MBS2.0: multiple vulnerabilities), qemu (MBS1.0, MBS2.0: denial of service), setup (MBS2.0: information disclosure), and tor (MBS1.0: denial of service).

openSUSE has updated java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), and ntp (13.2, 13.1: two vulnerabilities).

Ubuntu has updated autofs (14.10: privilege escalation), libreoffice (14.10, 14.04, 12.04: two vulnerabilities), and tcpdump (14.10, 14.04, 12.04: multiple vulnerabilities).

Kernel prepatch 4.1-rc1

Monday 27th of April 2015 01:36:21 AM
The 4.1-rc1 prepatch is out. Linus says: "No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of 'big new feature' may differ from mine, of course. There's a lot of work all over, and some of it might just make a big difference to your use cases." What he doesn't mention is that, in the end, kdbus was not merged for this development cycle.

Debian 8 "Jessie" released

Sunday 26th of April 2015 03:42:49 AM
Debian 8, codenamed "Jessie", has been released. It comes with a wide array of upgraded packages including GNOME 3.14, KDE Plasma Workspaces and KDE Applications 4.11.13, Python 2.7.9 and 3.4.2, Perl 5.20.2, PHP 5.6.7, PostgreSQL 9.4.1, MariaDB 10.0.16 and MySQL 5.5.42, Linux 3.16.7-ctk9, and lots more. "With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being the universal operating system. It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, or storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian's archive ensure that "Jessie" fulfills the high expectations that users have of a stable Debian release."

Rust Once, Run Everywhere

Friday 24th of April 2015 07:24:39 PM

The Rust blog has posted a guide to using Rust's foreign function interface (FFI) with C code. Highlighted in particular are Rust's safe abstractions, which are said to impose no costs. "Most features in Rust tie into its core concept of ownership, and the FFI is no exception. When binding a C library in Rust you not only have the benefit of zero overhead, but you are also able to make it safer than C can! Bindings can leverage the ownership and borrowing principles in Rust to codify comments typically found in a C header about how its API should be used."

Friday's security updates

Friday 24th of April 2015 02:59:12 PM

Arch Linux has updated powerdns (denial of service) and powerdns-recursor (denial of service).

Debian-LTS has updated subversion (multiple vulnerabilities).

Fedora has updated lcms (F20: denial of service) and php (F21: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (M4: multiple vulnerabilities), chrony (M4: multiple vulnerabilities), lftp (M4: SSL server spoofing), libksba (M4: denial of service), ntop (M4: cross-site scripting), setup (M4: information disclosure), and t1utils (M4: multiple vulnerabilities).

openSUSE has updated firefox (13.1; 13.2: code execution) and socat (13.1: denial of service).

Oracle has updated kernel (kernel 3.8.18 (O6, O7); kernel 2.6.39 (O5, O6); kernel 2.6.32 (O5, O6): multiple vulnerabilities).

Red Hat has updated novnc (RHEL OSP4: VNC session hijacking).

Ubuntu has updated firefox (code execution), usb-creator (12.04, 14.04, 14.10; 15.04: privilege escalation), and wpa_supplicant (14.04, 14.10: code execution).
