LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 5 hours 5 min ago

Tor Project Elects All-New Board of Directors

Wednesday 13th of July 2016 07:39:17 PM
The Tor Project has announced a new board of directors. "As Tor's board of directors, we consider it our duty to ensure that the Tor Project has the best possible leadership. The importance of Tor's mission requires it; the public standing of the organization makes it possible; and we are committed to achieve it. We had that duty in mind when we conducted an Executive Director search last year, and appreciate the leadership Shari Steele has brought. To support her, we further believe that it is time that we pass the baton of board oversight as the Tor Project moves into its second decade of operations."

Security updates for Wednesday

Wednesday 13th of July 2016 03:47:37 PM

CentOS has updated kernel (C6: privilege escalation).

Fedora has updated python (F24: heap corruption), python3 (F24: heap corruption), and squid (F24; F23: multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

Oracle has updated kernel (OL6: privilege escalation).

Red Hat has updated kernel (RHEL7: denial of service) and kernel (RHEL6: privilege escalation).

Scientific Linux has updated thunderbird (SL5,6,7: code execution).

Ubuntu has updated pidgin (15.10, 14.04, 12.04: multiple vulnerabilities).

SPI 2015 Annual Report

Tuesday 12th of July 2016 11:18:40 PM
Software in the Public Interest has announced its 2015 Annual Report (PDF), covering the 2015 calendar year. The annual report covers SPI's finances, elections, board members, committees, associated projects, and other significant changes throughout the year.

Herman: Shipping Rust in Firefox

Tuesday 12th of July 2016 08:14:04 PM
Dave Herman reports that with Firefox 48, Mozilla will ship its first Rust component to all desktop platforms. "One of the first groups at Mozilla to make use of Rust was the Media Playback team. Now, it’s certainly easy to see that media is at the heart of the modern Web experience. What may be less obvious to the non-paranoid is that every time a browser plays a seemingly innocuous video (say, a chameleon popping bubbles), it’s reading data delivered in a complex format and created by someone you don’t know and don’t trust. And as it turns out, media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in Web browsers’ implementation code. This makes a memory-safe programming language like Rust a compelling addition to Mozilla’s tool-chest for protecting against potentially malicious media content on the Web."

Tuesday's security advisories

Tuesday 12th of July 2016 04:19:50 PM

CentOS has updated thunderbird (C7; C6; C5: code execution).

Debian-LTS has updated drupal7 (open redirect vulnerability) and graphicsmagick (two vulnerabilities).

Fedora has updated expat (F22: multiple vulnerabilities), gnutls (F24: certificate verification vulnerability), gsi-openssh (F24: support GSI authentication), httpd (F24: authentication bypass), krb5 (F22: buffer overflow), mbedtls (F23: three vulnerabilities), pdfbox (F23: XML External Entity (XXE) attacks), pypy3 (F23; F22: two vulnerabilities), python (F22: startTLS stripping attack), python3 (F22: startTLS stripping attack), and samba (F24: crypto downgrade).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Ubuntu has updated libgd2 (multiple vulnerabilities), nspr (denial of service), and nss (denial of service).

Gräßlin: Multi-screen woes in Plasma 5.7

Monday 11th of July 2016 11:22:17 PM
On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. "Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put its panels, but does not have any meaning for normal windows. Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screen”. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it. Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry."

Two new stable kernels

Monday 11th of July 2016 08:12:01 PM
Greg Kroah-Hartman has released stable kernels 4.6.4 and 4.4.15. Both of them contain important fixes.

Security advisories for Monday

Monday 11th of July 2016 05:09:20 PM

Arch Linux has updated thunderbird (code execution).

Fedora has updated community-mysql (F24: unspecified), davfs2 (F24: unspecified), gimp (F23: use-after-free), krb5 (F23: buffer overflow), and nodejs-ws (F24; F23: denial of service).

Gentoo has updated libpcre (multiple vulnerabilities) and squid (multiple vulnerabilities).

Mageia has updated drupal (privilege escalation), libreoffice (code execution), libvirt (authentication bypass), mbedtls (three vulnerabilities), spice (two vulnerabilities), struts (two vulnerabilities), and tcpreplay (denial of service).

openSUSE has updated glibc (Leap42.1: multiple vulnerabilities), libircclient (13.1: insecure cipher suites), and thunderbird (SPH for SLE12; Leap42.1, 13.2; 13.1: multiple vulnerabilities).

Red Hat has updated thunderbird (RHEL5,6,7: code execution).

SUSE has updated GraphicsMagick (SSO1.3, SLE11-SP4: multiple vulnerabilities), ImageMagick (SLE12-SP1; SLE11-SP4: many vulnerabilities), kvm (SLES11-SP4: multiple vulnerabilities), and kernel (SLERTE12-SP1: multiple vulnerabilities).

Kernel prepatch 4.7-rc7

Monday 11th of July 2016 12:24:58 PM
Linus has released the 4.7-rc7 kernel prepatch. "Anyway, there's a couple of regressions still being looked at, but unless anything odd happens, this is going to be the last rc. However, due to my travel schedule, I won't be doing the final 4.7 next weekend, and people will have two weeks to report (and fix) any remaining bugs. Yeah, that's the ticket. My travel schedule isn't screwing anything up, instead think of it as you guys getting a BONUS WEEK! Yay!"

See the current list of reported regressions for the known issues remaining in the 4.7 kernel.

[$] Python's os.urandom() in the absence of entropy

Sunday 10th of July 2016 02:29:20 PM
Python applications, like those written in other languages, often need to obtain random data for purposes ranging from cryptographic key generation to initialization of scientific models. For years, the standard way of getting that data has been a call to os.urandom(), which is documented to "return a string of n random bytes suitable for cryptographic use." An enhancement in Python 3.5 caused a subtle change in how os.urandom() behaves on Linux systems, leading to some long, heated discussions about how randomness should be obtained in Python programs. When the dust settles, Python benevolent dictator for life (BDFL) Guido van Rossum will have the unenviable task of choosing between two competing proposals.

Portals: Using GTK+ in a Flatpak

Friday 8th of July 2016 05:09:51 PM
On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox. "Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system. Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t. Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access. Regardless which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system. The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox."

Security updates for Friday

Friday 8th of July 2016 02:02:51 PM

Debian-LTS has updated clamav (update to 0.99.2), icu (three vulnerabilities, two from 2015), and tcpreplay (denial of service).

openSUSE has updated php5 (13.2: multiple vulnerabilities, one from 2015).

Slackware has updated samba (crypto downgrade).

LWN.net Weekly Edition for July 8, 2016

Friday 8th of July 2016 01:23:28 AM
The LWN.net Weekly Edition for July 8, 2016 is available.

10 million Android phones infected by all-powerful auto-rooting apps (Ars Technica)

Thursday 7th of July 2016 10:09:36 PM
Ars Technica reports on the "HummingBad" malware that has infected millions of Android devices: "Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android." The article is based on a report [PDF] from Check Point, though the article notes that "researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices".

Thursday's security advisories

Thursday 7th of July 2016 01:11:52 PM

Debian has updated horizon (two vulnerabilities, one from 2015).

openSUSE has updated ImageMagick (13.2: many vulnerabilities, lots from 2014 and 2015) and qemu (42.1: many vulnerabilities, lots from 2015).

Scientific Linux has updated ocaml (SL7: information leak from 2015).

Ubuntu has updated tomcat8 (16.04: denial of service). In addition, Ubuntu has announced the end of life for 15.10 on July 28 and the end of life for 14.04.x hardware-enablement (HWE) stacks on August 4.

Debian Edu / Skolelinux Jessie

Wednesday 6th of July 2016 05:41:53 PM
The Debian Edu team has announced Debian Edu 8+edu0 "Jessie", the latest Debian Edu / Skolelinux release. Debian Edu, also known as Skolelinux, provides a complete solution for schools. Debian Edu 8 is based on Debian 8 "Jessie", update 8.5. "Do you have to administrate a computer lab or a whole school network? Would you like to install servers, workstations and laptops which will then work together? Do you want the stability of Debian with network services already preconfigured? Do you wish to have a web-based tool to manage systems and several hundred or even more user accounts? Have you asked yourself if and how older computers could be used? Then Debian Edu is for you. The teachers themselves or their technical support can roll out a complete multi-user multi-machine study environment within a few days. Debian Edu comes with hundreds of applications pre-installed, but you can always add more packages from Debian."

digiKam 5.0.0 is published

Wednesday 6th of July 2016 05:36:16 PM
The digiKam team has announced the release of digiKam Software Collection 5.0.0. "This release marks an almost complete port of the application to Qt5. All Qt4/KDE4 code has been removed and many parts have been re-written, reviewed, and tested. Porting to Qt5 required a lot of work, as many important APIs had to be changed or replaced by new ones. In addition to code porting, we introduced several changes and optimizations, especially regarding dependencies on the KDE project. Although digiKam is still a KDE desktop application, it now uses many Qt dependencies instead of KDE dependencies. This simplifies the porting job on other operating systems, code maintenance, while reducing the sensitivity of API changes from KDE project."

LWN weekly edition one day late this week

Wednesday 6th of July 2016 04:51:47 PM
Those who are anxiously awaiting this week's edition later today (or tomorrow, depending on time zone) will have to wait another day. The US Independence Day holiday fell on Monday, so LWN staff took that day off for barbecues, fireworks, and other festivities. That means the edition will go out sometime in the early morning hours UTC on Friday, July 8. For those who celebrated the holiday, we hope you had a great one; for those who didn't, we certainly hope you had a great day too! We will be back on our normal schedule next week.

Security advisories for Wednesday

Wednesday 6th of July 2016 04:37:33 PM

Arch Linux has updated libarchive (code execution), libreoffice-fresh (code execution), and xerces-c (denial of service).

Debian-LTS has updated sqlite3 (information leak).

Fedora has updated mingw-xerces-c (F23; F22: three vulnerabilities) and xerces-c (F23; F22: two vulnerabilities).

Mageia has updated gimp (use-after-free), iperf (denial of service), libarchive (multiple vulnerabilities), libgd (multiple vulnerabilities), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), pidgin (multiple vulnerabilities), squidguard (cross-site scripting), and xerces-c (denial of service).

openSUSE has updated cronic (Leap42.1, 13.2: predictable temporary files), libircclient (Leap42.1; 13.2: insecure cipher suites), and xerces-c (13.2: code execution).

SUSE has updated xen (SLE11-SP3: multiple vulnerabilities - some from 2013).

Ubuntu has updated gimp (15.10, 14.04, 12.04: use-after-free), libimobiledevice (16.04, 15.10, 14.04: sockets listening on INADDR_ANY), libusbmuxd (16.04, 15.10: sockets listening on INADDR_ANY), and tomcat6, tomcat7 (multiple vulnerabilities).

[$] Kernel documentation with Sphinx, part 1: how we got here

Wednesday 6th of July 2016 03:13:40 AM

The last time LWN looked at formatted kernel documentation in January, it seemed like the merging of AsciiDoc support for the kernel's structured source-code documentation ("kernel-doc") comments was imminent. As Jonathan Corbet, in the capacity of the kernel documentation maintainer, wrote: "A good-enough solution that exists now should not be held up overly long in the hopes that vague ideas for something else might turn into real, working code." Sometimes, however, the threat that something not quite perfect might be merged is enough to motivate people to turn those vague ideas into something real.

Subscribers can click below to see the full story by guest author (and the developer behind most of the Sphinx work) Jani Nikula.
