Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 1 hour 4 min ago

[$] How many -stable patches introduce new bugs?

7 hours 25 min ago
The -stable kernel release process faces a contradictory set of constraints. Developers naturally want to get as many fixes into -stable as possible but, at the same time, there is a strong desire to avoid introducing new regressions there. Each -stable release is, after all, intended to be more stable than its predecessor. At times there have been complaints that -stable is too accepting and too prone to regressions, but not many specifics. But, it turns out, this is an area where at least a little bit of objective research can be done.

GitHub's 2015 Transparency Report

9 hours 33 min ago
GitHub has published its 2015 transparency report. "This 2015 report details the types of requests we receive for user accounts, user content, information about our users, and other such information, and how we process those requests. Transparency and trust are essential to GitHub and to the open source community, and giving you access to information about these requests can protect you, protect us, and help you feel safe as you work on GitHub." The report notes that a significant number of requests for removal of content are notices submitted under the Digital Millennium Copyright Act, or the DMCA.

Tuesday's security advisories

13 hours 52 min ago

Debian has updated kernel (multiple vulnerabilities).

Debian-LTS has updated movabletype-opensource (SQL injection) and spice (information disclosure).

Fedora has updated drupal7 (F23; F22: privilege escalation), gd (F24: three vulnerabilities), krb5 (F24: buffer overflow), nodejs (F24: unspecified), and phpMyAdmin (F24: multiple vulnerabilities).

Gentoo has updated icedtea-bin (multiple vulnerabilities) and kwalletd (misuse of crypto).

openSUSE has updated rsync (13.2: unsafe destination path).

SUSE has updated firefox, nss, nspr (SLE12-SP1: multiple vulnerabilities) and kernel (SLE12-SP1; SLE12: multiple vulnerabilities).

Ubuntu has updated kernel (16.04; 15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04; 15.10: multiple vulnerabilities), linux-snapdragon (16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Reding: What's new for Tegra in Linux v4.7

Monday 27th of June 2016 10:58:19 PM
Thierry Reding looks at Tegra support in Linux 4.7. "The XUSB driver has been under development for a ridiculously long time. One of the reasons is that it relies on the XUSB pad controller to configure its pins as required by the board design. The XUSB pad controller is very likely one of the least-intuitive pieces of hardware I've ever encountered, and the attempts to come up with a device tree binding to describe it have been very numerous. We did finally settle on something earlier this year and after the existing code was updated for the new binding, we're finally able to support super-speed USB on Tegra124 and later." (Thanks to Martin Michlmayr)

Project Triforce: Run AFL on Everything!

Monday 27th of June 2016 10:36:06 PM
The developers of "Project Triforce," an effort to run the "american fuzzy lop" fuzz-testing tool in a system-wide manner, have posted a detailed description of what they are up to. "AFL is an awesome tool. The power of an easy to use, feedback-driven fuzzer has produced an absolutely staggering number of bugs. Still, at first AFL required being able to build the executable, something sadly not available on a lot of targets. With the addition of AFL's qemu_mode, it became possible to fuzz binaries without source, exposing a whole new world of targets to AFL. I'd been on a number of Linux container engagements recently where we'd managed to escape through kernel exploits. I fell asleep one night to several AFL screens running, and I awoke suddenly with a crazy idea: 'Run AFL on the Linux Kernel.'"

Open Source Projects as part of MOSS “Mission Partners” Program

Monday 27th of June 2016 09:25:42 PM
The Mozilla blog has announced the first recipients of its Mozilla Open Source Support (MOSS) “Mission Partners” awards. "For many years people with visual impairments and the legally blind have paid a steep price to access the Web on Windows-based computers. The market-leading software for screen readers costs well over $1,000. The high price is a considerable obstacle to keeping the Web open and accessible to all. The NVDA Project has developed an open source screen reader that is free to download and to use, and which works well with Firefox. NVDA aligns with one of the Mozilla Manifesto’s principles: “The Internet is a global public resource that must remain open and accessible.”" The NVDA project received $15,000. Other award recipients include Tor, Tails, Caddy, Mio, DNSSEC/DANE Chain Stapling, Godot Engine, and PeARS. (Thanks to Paul Wise)

Security updates for Monday

Monday 27th of June 2016 05:33:49 PM

Arch Linux has updated chromium (multiple vulnerabilities), libdwarf (multiple vulnerabilities), libpurple (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), vlc (code execution), and xerces-c (code execution).

Debian has updated libpdfbox-java (XML External Entity (XXE) attacks).

Debian-LTS has updated gimp (use-after-free), java-common (OpenJDK 6 no longer supported), libcommons-fileupload-java (denial of service), mysql-connector-java (information disclosure), nss (denial of service), and tomcat7 (denial of service).

Fedora has updated drupal7 (F24: privilege escalation), mirrormanager (F24; F23; F22: unspecified), optipng (F23: code execution), python (F23: man-in-the-middle attack), and qemu (F24: multiple vulnerabilities).

Gentoo has updated claws-mail (multiple vulnerabilities), freexl (multiple vulnerabilities), hostapd (multiple vulnerabilities), imagemagick (multiple vulnerabilities), libssh (multiple vulnerabilities), plib (code execution from 2011), and sudo (privilege escalation).

openSUSE has updated libarchive (13.2: denial of service), libav (Leap42.1: two vulnerabilities), libtasn1 (Leap42.1: denial of service), libtorrent-rasterbar (13.1: denial of service), mariadb (Leap42.1: multiple vulnerabilities), p7zip (Leap42.1: code execution), php5 (Leap42.1: multiple vulnerabilities), and rsync (Leap42.1: unsafe destination path).

Oracle has updated kernel 2.6.32 (OL6; OL5: privilege escalation).

Red Hat has updated kernel-rt (RHEMRG2.5: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: two vulnerabilities).

Slackware has updated php (multiple vulnerabilities).

Kernel prepatch 4.7-rc5

Monday 27th of June 2016 02:57:09 AM
The 4.7-rc5 kernel prepatch is out. "I think things are calming down, although with almost two thirds of the commits coming in since Friday morning, it doesn't feel that way - my Fridays end up feeling very busy. But looking at the numbers, we're pretty much where we normally are at this time of the rc series."

A couple of unpleasant local kernel vulnerabilities

Saturday 25th of June 2016 03:17:26 PM
The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set of netfilter fixes that, it has just been disclosed, fix a couple of severe local privilege-escalation vulnerabilities. Anybody who is running a site with user and network namespaces enabled will want to update their kernels in short order. The fixes were originally committed into 4.6-rc2 in April with no comment regarding their implications.

Three new stable kernels

Friday 24th of June 2016 08:33:14 PM

Greg Kroah-Hartman has released stable kernel updates 4.6.3, 4.4.14, and 3.14.73. Each contains important fixes throughout the tree.

Friday's security updates

Friday 24th of June 2016 02:18:41 PM

CentOS has updated kernel (C7: multiple vulnerabilities), libxml2 (C6; C7: multiple vulnerabilities), ocaml (C7: information leak), setroubleshoot (C7: multiple vulnerabilities), and setroubleshoot-plugins (C7: multiple vulnerabilities).

Fedora has updated python (F24: startTLS stripping), setroubleshoot (F24: code execution), and setroubleshoot-plugins (F24: code execution).

Oracle has updated kernel (O7: multiple vulnerabilities), libxml2 (O6; O7: multiple vulnerabilities), ocaml (O7: information leak), and setroubleshoot and setroubleshoot-plugins (O7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), and ocaml (RHEL7: information leak).

Scientific Linux has updated libxml2 (SL 6,7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (SL7; SL6: multiple vulnerabilities).

SUSE has updated kernel (SLE11: multiple vulnerabilities).

Defending Our Brand (Let's Encrypt)

Thursday 23rd of June 2016 09:37:48 PM
It seems that the Comodo TLS certificate authority (CA) has filed for three trademarks using variations of "Let's Encrypt". As might be guessed, the Let's Encrypt project is less than pleased by Comodo trying to coopt its name. "Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization. If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web." [Thanks to Paul Wise.]

Xen 4.7 released

Thursday 23rd of June 2016 05:05:04 PM
Version 4.7 of the Xen hypervisor has been released. "With dozens of major improvements, many more bug fixes and small improvements, and significant improvements to Drivers and Devices, Xen Project 4.7 reflects a thriving community around the Xen Project Hypervisor." Some of the new features include live patching, better dom0 robustness, better migration support between non-identical hosts, scheduler improvements, and more. See the release notes for more information.

Thursday's security advisories

Thursday 23rd of June 2016 03:02:57 PM

Debian-LTS has updated squidguard (cross-site scripting).

Fedora has updated php-symfony-security-acl (F24: unspecified). Also, Fedora has sent out a reminder that Fedora 22 will reach its end of life on July 19.

Mageia has updated chromium-browser-stable (multiple vulnerabilities), kernel-linus (multiple vulnerabilities, one from 2013), kernel-tmb (multiple vulnerabilities, one from 2013), libimobiledevice (socket listening on all network interfaces), and python (three vulnerabilities).

openSUSE has updated libarchive (42.1: code execution), mariadb (13.2: many unspecified vulnerabilities), and obs-service-source_validator (42.1; 13.2: code execution).

Red Hat has updated libxml2 (RHEL6&7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (RHEL7: three vulnerabilities).

[$] LWN.net Weekly Edition for June 23, 2016

Thursday 23rd of June 2016 02:41:35 AM
The LWN.net Weekly Edition for June 23, 2016 is available.

Sony agrees to pay millions to gamers to settle PS3 Linux debacle (ars technica)

Wednesday 22nd of June 2016 07:41:10 PM
Back in 2009, Sony removed the "install other OS" option from its PS3 game consoles, removing the ability to install Linux on those machines. It then went after developers who figured out how to jailbreak the device. Ars technica reports that Sony has now settled a class-action lawsuit over those actions. "Under the terms of the accord, which has not been approved by a California federal judge yet, gamers are eligible to receive $55 if they used Linux on the console. The proposed settlement, which will be vetted by a judge next month, also provides $9 to each console owner that bought a PS3 based on Sony's claims about 'Other OS' functionality." The lawyers, instead, get over $2 million.

Security advisories for Wednesday

Wednesday 22nd of June 2016 04:07:38 PM

CentOS has updated setroubleshoot (C6: multiple vulnerabilities) and setroubleshoot-plugins (C6: multiple vulnerabilities).

Debian-LTS has updated icedove (multiple vulnerabilities) and python2.7 (three vulnerabilities).

Fedora has updated expat (F24: multiple vulnerabilities), php-zendframework-zendxml (F23; F22: insecure ciphertexts), php-ZendFramework2 (F23; F22: insecure ciphertexts), and xen (F22: two vulnerabilities).

openSUSE has updated Chromium (13.1: multiple vulnerabilities), ImageMagick (Leap42.1: command execution), and vlc (Leap42.1; 13.2: multiple vulnerabilities).

Oracle has updated openssl (OL5: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (OL6: multiple vulnerabilities).

Red Hat has updated python-django-horizon (RHOSP8.0; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: cross-site scripting) and setroubleshoot and setroubleshoot-plugins (RHEL6: multiple vulnerabilities).

Elixir v1.3 released

Tuesday 21st of June 2016 08:05:29 PM
Version 1.3 of the Elixir programming language has been released. "Elixir v1.3 brings many improvements to the language, the compiler and its tooling, specially Mix (Elixir’s build tool) and ExUnit (Elixir’s test framework). The most notable additions are the new Calendar types, the new cross-reference checker in Mix, and the assertion diffing in ExUnit."

Announcing Flatpak

Tuesday 21st of June 2016 07:41:10 PM
Not to be left behind by a certain competing project, the developers of the Flatpak packaging system have put out a press release proclaiming its virtues. "The Linux desktop has long been held back by platform fragmentation. This has been a burden on developers, and creates a high barrier to entry for third party application developers. Flatpak aims to change all that. From the very start its primary goal has been to allow the same application to run across a myriad of Linux distributions and operating systems. In doing so, it greatly increases the number of users that application developers can easily reach."

Security updates for Tuesday

Tuesday 21st of June 2016 04:24:59 PM

Fedora has updated nfdump (F23; F22: multiple vulnerabilities) and webkitgtk4 (F22: two vulnerabilities).

openSUSE has updated ctdb (Leap42.1, 13.2: privilege escalation), libtorrent-rasterbar (Leap42.1, 13.2: denial of service), ntp (Leap42.1: multiple vulnerabilities), and kernel (Leap42.1: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Slackware has updated libarchive (multiple vulnerabilities) and pcre (denial of service).

SUSE has updated ctdb (SLE11-SP4: privilege escalation), libimobiledevice, usbmuxd (SLE12-SP1: sockets listening on INADDR_ANY), and php53 (SLES11-SP2: multiple vulnerabilities).

Ubuntu has updated dnsmasq (16.04, 15.10: denial of service), expat (two vulnerabilities), haproxy (16.04: denial of service), spice (16.04, 15.10, 14.04: two vulnerabilities), wget (code execution), and xmlrpc-c (12.04: multiple vulnerabilities).

More in Tux Machines

More From Red Hat Summit

Android Leftovers

Ubuntu 16.10 Alpha 1 to Come Only in Ubuntu MATE, Ubuntu Kylin & Lubuntu Flavors

In only two days from the moment of writing this article, we will be able to get a very early taste of the upcoming Ubuntu 16.10 (Yakkety Yak) operating system, as the first Alpha build should be released, as planned, on June 30, 2016. Read more

Lenovo and Red Hat advance partnership with telco push

Two Triangle tech titans are teaming up to create cloud solutions for the changing telco space: Lenovo and Red Hat. It’s not their first collaboration, says Brian Connors, vice president of next generation IT and business development in Lenovo’s Research Triangle Park-based Data Center Group. Red Hat even invested in Lenovo’s RTP executive briefing center, where its technology is currently “displayed prominently as customers come in." Read more