A comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Updated: 3 hours 22 min ago

Patent troll claims HTTPS websites infringe crypto patent, sues everybody (Ars Technica)

Tuesday 1st of December 2015 08:11:32 PM
CryptoPeak Solutions is suing many tech and retail giants, claiming their HTTPS websites infringe an encryption patent titled "Auto-Escrowable and Auto-Certifiable Cryptosystems". Ars Technica reports: "The latest batch of cases was lodged November 25. The cases name AT&T, Costco, Expedia, GoPro, Groupon, Netflix, Pinterest, Shutterfly, Starwood Hotels, Target, and Yahoo, among others. All the lawsuits include virtually identical language. 'Defendant has committed direct infringement by its actions that comprise using one or more websites that utilize Elliptic Curve Cryptography (“ECC”) Cipher Suites for the Transport Layer Security (“TLS”) protocol (the “Accused Instrumentalities”),' according to the lawsuits."

Tuesday's security updates

Tuesday 1st of December 2015 05:35:43 PM

Debian-LTS has updated libphp-snoopy (command execution).

Fedora has updated ca-certificates (F22: certificate update), grub2 (F22: Secure Boot circumvention), imapsync (F23; F22; F21: information leak), libxml2 (F22: multiple vulnerabilities), perl-HTML-Scrubber (F23; F22; F21: cross-site scripting), rpm (F22: denial of service), and wget (F23: information leak).

Oracle has updated apache-commons-collections (OL7: code execution) and jakarta-commons-collections (OL6: code execution).

Red Hat has updated apache-commons-collections (RHEL7: code execution), jakarta-commons-collections (RHEL6: code execution), and rh-java-common-apache-commons-collections (RHSCL2: code execution).

Scientific Linux has updated apache-commons-collections (SL7: code execution) and jakarta-commons-collections (SL6: code execution).

Ubuntu has updated gnutls26 (14.04, 12.04: padding oracle attack) and thunderbird (15.10, 15.04, 14.04, 12.04: multiple vulnerabilities).

Thunderbird to be separated from Mozilla

Tuesday 1st of December 2015 04:42:04 PM
Mozilla leader Mitchell Baker has announced that the Thunderbird email client project will, eventually, be spun out of Mozilla. "Therefore I believe Thunderbird would thrive best by separating itself from reliance on Mozilla development systems and in some cases, Mozilla technology. The current setting isn’t stable, and we should start actively looking into how we can transition in an orderly way to a future where Thunderbird and Firefox are un-coupled."

Security advisories for Monday

Monday 30th of November 2015 05:54:16 PM

Debian-LTS has updated imagemagick (denial of service), libsndfile (multiple vulnerabilities), libxml2 (multiple vulnerabilities), and nss (code execution).

Fedora has updated abrt (F23: two vulnerabilities), mingw-libpng (F23; F22; F21: denial of service), python-pycurl (F22: use-after-free vulnerability), and seamonkey (F21: multiple vulnerabilities).

Mageia has updated lightdm (denial of service), python-cryptography (denial of service), and thunderbird (multiple vulnerabilities).

openSUSE has updated cyrus-imapd (Leap42.1, 13.2: two vulnerabilities), ffmpeg (Leap42.1: multiple vulnerabilities), GnuPG (13.2, 13.1: two vulnerabilities), libksba (Leap42.1: denial of service), libpng12 (Leap42.1: two vulnerabilities), libpng16 (Leap42.1: denial of service), libsndfile (Leap42.1: multiple vulnerabilities), ppp (Leap42.1, 13.2, 13.1: denial of service), and virtualbox (13.1: two vulnerabilities).

Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and thunderbird (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).

Garrett: What is hacker culture?

Monday 30th of November 2015 03:30:46 PM
Matthew Garrett argues that meritocracy does not work as intended in development communities. "When people criticise meritocracy, they're not criticising the concept of treating contributions based on their merit. They're criticising the idea that humans are sufficiently self-aware that they will be able to identify and reject every subconscious prejudice that will affect their treatment of others. It's not a criticism of a desirable goal, it's a criticism of a flawed implementation."

Kernel prepatch 4.4-rc3

Monday 30th of November 2015 03:18:24 PM
The 4.4-rc3 kernel prepatch is out for testing. "I don't think there's anything particularly exciting, although that obviously depends on whether some particular issue ended up affecting you or not. Most of it is pretty tiny random fixups."

Ubuntu Community Council election results posted

Friday 27th of November 2015 11:30:03 PM

The 2015 Ubuntu Community Council (CC) elections have been concluded. The results of the vote, as announced on the Ubuntu Fridge blog, are the seven individuals who will serve on the CC for the next two years: Daniel Holbach, Laura Czajkowski, Svetlana Belkin, Michael Hall, Scarlett Clark, C de-Avillez, and Marco Ceppi. A detailed account of the ballot results, complete with links to each candidate's biographical page, is also online.

Friday's security updates

Friday 27th of November 2015 04:19:11 PM

CentOS has updated thunderbird (C5; C6: multiple vulnerabilities).

Debian-LTS has updated libcommons-collections3-java (code execution) and smokeping (cross-site scripting).

Fedora has updated libxml2 (F23: multiple vulnerabilities) and pcre (F23: denial of service).

Mageia has updated libsndfile (M5: buffer overflow), libxml2 (M5: multiple vulnerabilities), python-m2crypto (M5: denial of service), python-pygments (M5: command injection), and tigervnc (M5: multiple vulnerabilities).

Thanksgiving day security updates

Thursday 26th of November 2015 08:45:19 PM

Happy Thanksgiving to those who celebrate it, from all of us here at LWN. Happy November 26 to everyone else :)

Debian has updated dpkg (code execution), nspr (code execution), python-django (information disclosure), and smokeping (code execution).

Debian-LTS has updated eglibc (two vulnerabilities), python-django (information disclosure), and redmine (multiple vulnerabilities).

Fedora has updated abrt (F21: information disclosure), jenkins (F22: three vulnerabilities), jenkins-remoting (F22: three vulnerabilities), and libreport (F21: information disclosure).

openSUSE has updated libpng12 (13.2, 13.1: two vulnerabilities), libpng16 (13.2, 13.1: denial of service), and strongswan (authentication bypass).

Oracle has updated abrt and libreport (OL7: multiple vulnerabilities), glibc (OL7; OL7: multiple vulnerabilities), kernel (OL7: multiple vulnerabilities), NetworkManager (OL7: denial of service), sssd (OL7: unspecified), and tigervnc (OL7: two vulnerabilities).

Red Hat has updated git19-git (RHSC2: code execution), java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities), ntp (RHEL6: denial of service), and thunderbird (multiple vulnerabilities).

SUSE has updated kernel (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated dpkg (code execution) and openjdk-7 (15.10, 15.04, 14.04: unspecified vulnerability).

Software Freedom Conservancy Launches 2015 Fundraiser

Wednesday 25th of November 2015 05:04:43 PM
Software Freedom Conservancy has announced a major fundraising effort. "Pointing to the difficulty of relying on corporate funding while pursuing important but controversial issues, like GPL compliance, Conservancy has structured its fundraiser to increase individual support. The organization needs at least 750 annual Supporters to continue its basic community services and 2500 to avoid hibernating its enforcement efforts. If Conservancy does not meet its goals, it will be forced to radically restructure and wind down a substantial portion of its operations."

Security advisories for Wednesday

Wednesday 25th of November 2015 05:04:17 PM

Debian has updated libcommons-collections3-java (unsanitized input data) and symfony (two vulnerabilities).

Debian-LTS has updated putty (memory corruption).

Fedora has updated grub2 (F23: Secure Boot circumvention), krb5 (F21: multiple vulnerabilities), libpng10 (F23; F22; F21: two vulnerabilities), sblim-sfcb (F23; F22; F21: denial of service), and wpa_supplicant (F22: denial of service).

Slackware has updated pcre (code execution).

SUSE has updated linux-3.12.32 (SLELP12: two vulnerabilities), linux-3.12.36 (SLELP12: two vulnerabilities), linux-3.12.38 (SLELP12: two vulnerabilities), linux-3.12.39 (SLELP12: two vulnerabilities), linux-3.12.43 (SLELP12: two vulnerabilities), linux-3.12.44 (SLELP12: two vulnerabilities), and linux-3.12.44 (SLELP12: two vulnerabilities).

Ubuntu has updated icedtea-web (15.10, 15.04, 14.04: applet execution) and python-django (15.10, 15.04, 14.04, 12.04: information disclosure).

[$] A journal for MD/RAID5

Tuesday 24th of November 2015 09:48:12 PM
RAID5 support in the MD driver has been part of mainline Linux since 2.4.0 was released in early 2001. During this time it has been used widely by hobbyists and small installations, but there has been little evidence of any impact on the larger or "enterprise" sites. Anecdotal evidence suggests that such sites are usually happier with so-called "hardware RAID" configurations where a purpose-built computer, whether attached by PCI or fibre channel or similar, is dedicated to managing the array. This situation could begin to change with the 4.4 kernel, which brings some enhancements to the MD driver that should make it more competitive with hardware-RAID controllers.

Security updates for Tuesday

Tuesday 24th of November 2015 06:12:17 PM

Debian-LTS has updated openjdk-6 (multiple vulnerabilities).

Fedora has updated libsndfile (F22; F21: buffer overflow), mingw-freeimage (F23; F22: integer overflow), rpm (F23: denial of service), wpa_supplicant (F21: denial of service), and zarafa (F21: two vulnerabilities, one from 2012).

Oracle has updated autofs (OL7: privilege escalation), binutils (OL7: multiple vulnerabilities), chrony (OL7: multiple vulnerabilities), cpio (OL7: denial of service), cups-filters (OL7: multiple vulnerabilities), curl (OL7: multiple vulnerabilities), file (OL7: multiple vulnerabilities), grep (OL7: heap buffer overrun), grub2 (OL7: Secure Boot circumvention), krb5 (OL7: two vulnerabilities), libreport (OL6: data leak), libssh2 (OL7: information leak), net-snmp (OL7: denial of service), netcf (OL7: denial of service), ntp (OL7: multiple vulnerabilities), openhpi (OL7: world writable /var/lib/openhpi directory), openldap (OL7: unintended cipher usage), openssh (OL7: two vulnerabilities), python (OL7: multiple vulnerabilities), rest (OL7: denial of service), rubygem-bundler and rubygem-thor (OL7: installs malicious gem files), squid (OL7: certificate validation bypass), unbound (OL7: denial of service), wireshark (OL7: multiple vulnerabilities), and xfsprogs (OL7: information disclosure).

Scientific Linux has updated libreport (SL6: data leak).

SUSE has updated firefox (SLES10SP4: multiple vulnerabilities).

Red Hat Enterprise Linux 7.2

Monday 23rd of November 2015 08:34:03 PM
Red Hat has announced the release of Red Hat Enterprise Linux 7.2. "New features and capabilities focus on security, networking, and system administration, along with a continued emphasis on enterprise-ready tooling for the development and deployment of Linux container-based applications. In addition, Red Hat Enterprise Linux 7.2 includes compatibility with the new Red Hat Insights, an add-on operational analytics offering designed to increase IT efficiency and reduce downtime through the proactive identification of known risks and technical issues."

Security advisories for Monday

Monday 23rd of November 2015 05:42:06 PM

Debian has updated openjdk-7 (unspecified vulnerability).

Fedora has updated cyrus-imapd (F21: largely unspecified), gdm (F23: denial of service), jenkins (F23: multiple vulnerabilities), jenkins-remoting (F23: multiple vulnerabilities), kernel (F21: multiple vulnerabilities), libpng (F23: denial of service), m2crypto (F21: denial of service), pdns (F21: denial of service), perl-IPTables-Parse (F21: predictable temporary file names), postgresql (F22: two vulnerabilities), python-rauth (F23: unspecified vulnerability), and xen (F23; F22; F21: denial of service).

openSUSE has updated Chromium (SUSE Package Hub for SLE12; Leap42.1, 13.2, 13.1: information leak), docker (Leap42.1: two vulnerabilities), and miniupnpc (Leap42.1, 13.2, 13.1: code execution).

Red Hat has updated abrt, libreport (RHEL7: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), java-1.8.0-ibm (RHEL7: multiple vulnerabilities), and libreport (RHEL6: data leak).

Gräßlin: Looking at the security of Plasma/Wayland

Monday 23rd of November 2015 03:44:56 PM
Martin Gräßlin looks at the security of the Plasma desktop running under Wayland; it's better than X11, but with some ground yet to cover. "Now imagine you want to write a key logger in a Plasma/Wayland world. How would you do it? I asked myself this question recently, thought about it, found a possible solution and had a key logger in less than 10 minutes: ouch."

GIMP is 20 Years Old, What’s Next? (Libre Graphics World)

Monday 23rd of November 2015 03:19:07 PM
This Libre Graphics World article looks at the challenges faced by the 20-year-old GIMP project. "If you've been following GIMP's progress over recent years, you couldn't help yourself noticing the decreasing activity in terms of both commits (a rather lousy metric) and amount of participants (a more sensible one). 'GIMP is dying', say some. 'GIMP developers are slacking', say others. 'You've got to go for crowdfunding' is yet another popular notion. And no matter what, there's always a few whitebearded folks who would blame the team for not going with changes from the FilmGIMP branch. So what's actually going on and what's the outlook for the project?"

Kernel prepatch 4.4-rc2

Monday 23rd of November 2015 02:54:50 PM
The second 4.4 prepatch is out for testing. Linus says: "Things are looking fairly normal in 4.4-land, with no huge surprises in rc2. There were a couple of late features: parisc hugepage support and some late slub bulk allocator patches were not only merged at the end of the week, but they strictly speaking should have been merge window things."

Poettering: Introducing sd-event

Friday 20th of November 2015 09:33:50 PM
Lennart Poettering introduces the sd-event API for the implementation of event loops. "sd-event.h, of course, is not the first event loop API around, and it doesn't implement any really novel concepts. When we started working on it we tried to do our homework, and checked the various existing event loop APIs, maybe looking for candidates to adopt instead of doing our own, and to learn about the strengths and weaknesses of the various implementations existing. Ultimately, we found no implementation that could deliver what we needed, or where it would be easy to add the missing bits: as usual in the systemd project, we wanted something that allows us access to all the Linux-specific bits, instead of limiting itself to the least common denominator of UNIX."

Friday's security updates

Friday 20th of November 2015 05:42:41 PM

Debian has updated lxc (code execution).

Debian-LTS has updated nspr (code execution).

Mageia has updated dovecot (M5: denial of service), gcc (M5: predictable random values), kernel (M5: multiple vulnerabilities), latex2rtf (M5: code execution), libpng/libpng12 (M5: denial of service), and uglify-js (M5: malicious code obfuscation).

openSUSE has updated krb5 (13.1, 13.2: memory corruption) and libksba (13.1, 13.2: denial of service).

Red Hat has updated autofs (RHEL7: privilege escalation), binutils (RHEL7: multiple vulnerabilities), chrony (RHEL7: multiple vulnerabilities), cpio (RHEL7: code execution), cups-filters (RHEL7: multiple vulnerabilities), curl (RHEL7: multiple vulnerabilities), file (RHEL7: multiple vulnerabilities), glibc (RHEL7: multiple vulnerabilities; RHEL7: privilege escalation), grep (RHEL7: heap buffer overrun), grub2 (RHEL7: Secure Boot circumvention), kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libssh2 (RHEL7: denial of service), net-snmp (RHEL7: denial of service), netcf (RHEL7: denial of service), NetworkManager (RHEL7: multiple vulnerabilities), ntp (RHEL7: multiple vulnerabilities), openhpi (RHEL7: world writable /var/lib/openhpi directory), openldap (RHEL7: unintended cipher usage), openssh (RHEL7: multiple vulnerabilities), pacemaker (RHEL7: privilege escalation), pcs (RHEL7: denial of service), python (RHEL7: multiple vulnerabilities), realmd (RHEL7: unsanitized input), rest (RHEL7: denial of service), rubygem-bundler, rubygem-thor (RHEL7: code execution), squid (RHEL7: certificate validation bypass), sssd (RHEL7: memory leak), tigervnc (RHEL7: multiple vulnerabilities), unbound (RHEL7: denial of service), wireshark (RHEL7: multiple vulnerabilities), and xfsprogs (RHEL7: information leak).

Ubuntu has updated libpng (multiple vulnerabilities).
