LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security advisories for Thursday

Thursday 17th of July 2014 03:57:34 PM

Debian has updated davfs2 (privilege escalation).

Fedora has updated lz4 (F20; F19: denial of service/possible code execution), python (F19: information leak), and python3 (F19: information leak).

Gentoo has updated gnupg (denial of service) and xen (many vulnerabilities).

openSUSE has updated flash-player (11.4: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (OL6; OL5: multiple vulnerabilities).

Red Hat has updated openstack-neutron (OSP4.0: two vulnerabilities).

SUSE has updated firefox (SLE10SP4, SLE10SP3: multiple vulnerabilities), kernel (SLE11SP3; SLE11SP3; SLE11SP3; SLERTE11SP3; SLERTE11SP3: many vulnerabilities, including one from 2012), and lzo (SLE11SP3: denial of service/possible code execution).

Ubuntu has updated EC2 kernel (10.04: three vulnerabilities), kernel (14.04; 13.10; 12.04; 10.04: multiple vulnerabilities), linux-lts-quantal (12.04: multiple vulnerabilities), linux-lts-raring (12.04: multiple vulnerabilities), linux-lts-saucy (12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), and mysql-5.5 (14.04, 12.04: unidentified vulnerabilities).

[$] LWN.net Weekly Edition for July 17, 2014

Thursday 17th of July 2014 01:00:53 AM
The LWN.net Weekly Edition for July 17, 2014 is available.

[$] Genealogy research with Gramps

Wednesday 16th of July 2014 05:40:53 PM

Genealogy is a fairly popular pursuit, and those wishing to use open-source software in their hobby have their choice cut out for them: Gramps is the only complete, actively developed free-software solution. The project was started in 2001 and initially known as GRAMPS; the first stable release was in 2004. The latest, version 4.1.0 ("Name go in book"), was released on June 18.

Security advisories for Wednesday

Wednesday 16th of July 2014 04:17:17 PM

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities).

Fedora has updated libXfont (F20: multiple vulnerabilities).

openSUSE has updated flash-player (13.1, 12.3: multiple vulnerabilities).

Red Hat has updated java-1.7.0-openjdk (RHEL6&7; RHEL5: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (SL6; SL5: multiple vulnerabilities).

SUSE has updated struts (code execution).

Ubuntu has updated file (14.04, 13.10, 12.04, 10.04: multiple vulnerabilities), libav (13.10, 12.04: code execution), miniupnpc (14.04, 13.10, 12.04: denial of service), and transmission (14.04, 13.10, 12.04: code execution).

2014 Linux Security Summit schedule published

Tuesday 15th of July 2014 11:56:01 PM
James Morris has a blog post announcing that the schedule for this year's Linux Security Summit (LSS) is now available. It starts with a keynote from James Bottomley of Parallels, then there are seven refereed talks, as well as other sessions: "Discussion session topics include Trusted Kernel Lock-down Patch Series, led by Kees Cook; and EXT4 Encryption, led by Michael Halcrow & Ted Ts’o. There’ll be kernel security subsystem updates from the SELinux, AppArmor, Smack, and Integrity maintainers. The break-out sessions are open format and a good opportunity to collaborate face-to-face on outstanding or emerging issues." LSS will be held August 18-19 in Chicago, overlapping the first two days of the Kernel Summit and it is followed by LinuxCon North America; all are being held in the same location.

OpenSSL fork LibreSSL is declared “unsafe for Linux” (Ars Technica)

Tuesday 15th of July 2014 10:25:46 PM
Ars Technica reports that a security researcher has found what he calls a "catastrophic failure" in the Linux version of LibreSSL. "The failure results in cases where the same 16-bit PID is used to designate two or more processes. Linux ensures that a process can never have the same ID as the child process it spawned, but it remains possible for a process to have the same PID as its grandparent process. The condition appears to be an edge case, but it's one that may be possible if the Linux fork_rand program forks enough times to produce identical PIDs. OpenSSL, the open-source program LibreSSL aims to replace, has ways to recover from such cases. LibreSSL does not, at least not on Linux."

Update: This issue has been fixed in LibreSSL 2.0.2.
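The PID-collision case in the quoted description is easier to see when replayed step by step. The following is an added example, not LibreSSL's code and not the researcher's fork_rand program: it models the generator pool as a struct, simulates fork() as a struct copy (which is what fork() does to userspace memory), and contrasts PID-only fork detection with a flag that a fork handler sets in the child. The PIDs 1000 and 1001, the entropy constants, and the names toy_rng, toy_fork, next_pid_detect and next_flag_detect are all constructed for this example.

```c
/* Added example: models the fork-detection failure described above.  This is
 * not LibreSSL's code; the PRNG, PIDs and entropy values are constructed so
 * the scenario can be replayed deterministically inside one process. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for a process-wide CSPRNG pool.  Everything in it is copied
 * byte-for-byte into the child by a real fork(), which is the whole problem. */
struct toy_rng {
    uint64_t state;      /* generator state */
    pid_t    seeded_pid; /* PID recorded at the last reseed (PID-based detection) */
    bool     forked;     /* set in the child by a fork handler (flag-based detection) */
};

/* splitmix64 step: small and deterministic for the demo; NOT cryptographic. */
static uint64_t toy_next_word(uint64_t *s)
{
    uint64_t z = (*s += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* `fresh_entropy` stands in for a read from the kernel (getrandom/urandom). */
static void toy_reseed(struct toy_rng *r, pid_t pid, uint64_t fresh_entropy)
{
    r->state = fresh_entropy;
    r->seeded_pid = pid;
    r->forked = false;
}

/* Simulated fork(): the child starts with a copy of the parent's pool.  In
 * real code a pthread_atfork() child handler is what would set `forked`;
 * PID-only detection has no hook here at all. */
static struct toy_rng toy_fork(const struct toy_rng *parent)
{
    struct toy_rng child = *parent;
    child.forked = true;
    return child;
}

typedef uint64_t (*next_fn)(struct toy_rng *, pid_t cur_pid, uint64_t entropy);

/* PID-only detection, the scheme the article reports failing on Linux:
 * reseed only when getpid() differs from the PID saved at the last reseed. */
static uint64_t next_pid_detect(struct toy_rng *r, pid_t cur_pid, uint64_t entropy)
{
    if (r->seeded_pid != cur_pid)
        toy_reseed(r, cur_pid, entropy);
    return toy_next_word(&r->state);
}

/* Flag-based detection: reseed whenever a fork handler marked this process as
 * a child, whatever PID the kernel happened to hand it. */
static uint64_t next_flag_detect(struct toy_rng *r, pid_t cur_pid, uint64_t entropy)
{
    if (r->forked || r->seeded_pid != cur_pid)
        toy_reseed(r, cur_pid, entropy);
    return toy_next_word(&r->state);
}

/* The easy case: a direct child gets a different PID, so both schemes reseed. */
static bool child_with_new_pid_diverges(next_fn next)
{
    struct toy_rng parent;
    toy_reseed(&parent, 1000, 0x1111ULL);
    struct toy_rng child = toy_fork(&parent);
    uint64_t parent_value = next(&parent, 1000, 0);
    uint64_t child_value = next(&child, 1001, 0x2222ULL);
    return parent_value != child_value;
}

/* The failing case: grandparent (PID 1000) forks a child (1001) that never
 * touches the pool; the grandparent keeps drawing and then exits; the child
 * forks a grandchild that is handed the recycled PID 1000. */
static bool grandchild_repeats_grandparent(next_fn next)
{
    struct toy_rng gp;
    toy_reseed(&gp, 1000, 0x1111ULL);
    (void)next(&gp, 1000, 0);                       /* some early use */
    struct toy_rng child = toy_fork(&gp);           /* child inherits pool, never uses it */
    uint64_t gp_value = next(&gp, 1000, 0);         /* grandparent draws, then exits */
    struct toy_rng gc = toy_fork(&child);           /* grandchild inherits the untouched copy */
    uint64_t gc_value = next(&gc, 1000, 0x3333ULL); /* ...and runs under PID 1000 again */
    return gp_value == gc_value;
}

int main(void)
{
    printf("PID-only  : grandchild repeats grandparent = %d\n",
           grandchild_repeats_grandparent(next_pid_detect));
    printf("flag-based: grandchild repeats grandparent = %d\n",
           grandchild_repeats_grandparent(next_flag_detect));
    return 0;
}
```

With PID-only detection the grandchild's first draw equals the value the grandparent produced after forking, because the inherited `seeded_pid` still matches the recycled PID; with the flag the grandchild reseeds regardless of which PID it received. In real code the flag would be set by a pthread_atfork() child handler, which does not run for a fork performed through a raw clone(2) syscall that bypasses libc, so a kernel-assisted mechanism is the more robust fix.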

KDE Plasma 5.0

Tuesday 15th of July 2014 04:12:00 PM
KDE has announced the release of Plasma 5.0. "Plasma 5.0 introduces a new major version of KDE's workspace offering. The new Breeze artwork concept introduces cleaner visuals and improved readability. Central work-flows have been streamlined, while well-known overarching interaction patterns are left intact. Plasma 5.0 improves support for high-DPI displays and ships a converged shell, able to switch between user experiences for different target devices. Changes under the hood include the migration to a new, fully hardware-accelerated graphics stack centered around an OpenGL(ES) scenegraph. Plasma is built using Qt 5 and Frameworks 5."

Tuesday's security updates

Tuesday 15th of July 2014 03:37:35 PM

Red Hat has updated ror40-rubygem-activerecord (RHSC1: SQL injection) and ruby193-rubygem-activerecord (RHSC1: SQL injection).

SUSE has updated flash-player (SLED11SP3: multiple vulnerabilities).

Google's "Project Zero"

Tuesday 15th of July 2014 01:29:37 PM
Google's newly announced Project Zero is focused on making the net as a whole safer from attackers. "We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We'll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we'll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment." Their policy of only reporting bugs to the vendor looks like it could result in the burying of inconvenient vulnerabilities, but presumably they have thought about that.

[$] Filesystem notification, part 2: A deeper investigation of inotify

Monday 14th of July 2014 11:20:58 PM
In the first article in this series, we briefly looked at the original Linux filesystem notification API, dnotify, and noted a number of its limitations. We then turned our attention to its successor, inotify, and saw how the design of the newer API addressed various problems with the dnotify API while providing a number of other benefits as well. At first glance, inotify seems to provide a complete solution for the task of creating an application that reliably monitors the state of a filesystem. However, we are about to see that this isn't quite the case.

Subscribers can check out the next article in guest author Michael Kerrisk's series by clicking below.

Justin Miller on how Mapbox runs like an open source project (Opensource.com)

Monday 14th of July 2014 07:01:27 PM
Opensource.com has been running a series of interviews with OSCON speakers. In this article Justin Miller, a developer at Mapbox, talks with Michael Harrison.

[Michael] Mapbox is "running a business like you would run an open source project." Can you elaborate on what that means?

[Justin] This is the meat of my talk, but basically, the organization is flat and open. People join in on projects based on interest and available time, or start their own projects based on an idea and the ability to convince a couple coworkers that it's a worthwhile effort. If you have an idea for improvement, talk is cheap and putting in the code to demonstrate its potential is preferred. It's a very exciting way to choose direction and participation and lets everyone engage based on their interests and skill set. And nearly everything we write, anything that's easily reusable by someone else, is completely open source.

Security advisories for Monday

Monday 14th of July 2014 04:32:35 PM

Fedora has updated claws-mail (F20: code execution), claws-mail-plugins (F20: code execution), docker-io (F20; F19: privilege escalation), openstack-nova (F20: privilege escalation), and pnp4nagios (F20; F19: cross-site scripting).

openSUSE has updated python (13.1, 12.3: missing boundary check).

Slackware has updated php (multiple vulnerabilities).

Kernel prepatch 3.16-rc5

Monday 14th of July 2014 01:56:11 PM
Linus has sent out the 3.16-rc5 prepatch. "Things are looking normal, and as usual, I _wish_ there was a bit less churn going on since it's getting fairly late in the rc cycle, but honestly, it's not like there is anything that really raises any eyebrows here."

First Release of LibreSSL Portable Available

Friday 11th of July 2014 09:03:48 PM

OpenBSD Journal is reporting that the first release of LibreSSL Portable is available for download from OpenBSD project servers. LibreSSL is the OpenSSL fork started in April by members of the OpenBSD development community after the "Heartbleed" vulnerability; the "Portable" version is designed to run on operating systems other than OpenBSD itself, including Linux. The announcement calls this release "an initial release to allow the community to start using and providing feedback;" it is tagged as version 2.0.0.

Friday's security updates

Friday 11th of July 2014 03:55:01 PM

Debian has updated eglibc (privilege escalation), libav (code execution), and libxml2 (denial of service).

Fedora has updated ansible (F19; F20: unspecified vulnerability) and kernel (F20: multiple vulnerabilities).

Mandriva has updated apache-mod_wsgi (BS1: multiple vulnerabilities), asterisk (BS1: multiple vulnerabilities), and samba (BS1: multiple vulnerabilities).

Day: Sandboxed applications for GNOME

Thursday 10th of July 2014 11:43:03 PM
In the first of a two-part series, GNOME contributor Allan Day looks at sandboxed applications for the GNOME desktop. In this installment, he looks at the benefits of application sandboxes from a couple of different angles. "Security and privacy, I think, are core beliefs for Free Software. Users should be able to trust us to have their interests at heart, and should be able to have more faith in our products than proprietary alternatives. Ironically, though, the Free Software desktop world hasn’t done a great job at security. It is actually pretty scary what a malicious desktop application could do if it wants to. We rely on transparency and good faith to ensure that applications do not infringe on user privacy, rather than robust technical architecture."

Boyer: At the playground

Thursday 10th of July 2014 10:57:53 PM
Fedora kernel team member Josh Boyer writes about a Fedora kernel-playground Copr (Cool Other Project Repository) on his blog. The idea is to provide an unsupported kernel that has some new features for those who want to help develop and test them. "OK, now that we have that out of the way, let's talk about what is actually in kernel-playground. At the moment there are two additions on top of the standard rawhide kernel; overlayfs (v22) and kdbus. Overlayfs is one of the top competing "union" filesystems out there, and has actually been posted for review for the past few releases. It has the best chance of landing upstream sometime this decade, and there has been interest in it for quite a while. I believe things like Docker would also be able to make use of it as a backend. I'll track upstream submissions and update accordingly. kdbus is of course the thing that Lennart Poettering and Kay Sievers have been talking about at various conferences for a while now. It is the in-kernel d-bus replacement. It has not been submitted for upstream review yet, but systemd already has support for it and things seem to be progressing well there."

Security updates for Thursday

Thursday 10th of July 2014 04:26:18 PM

CentOS has updated lzo (C7: denial of service/possible code execution), samba (C7: three vulnerabilities), samba, samba3x (C6; C5: two vulnerabilities), and tomcat6 (C6: multiple vulnerabilities).

Debian has updated phpmyadmin (multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

Mandriva has updated gd (BS1.0: denial of service), liblzo (BS1.0: denial of service/possible code execution), and python (BS1.0: information leak).

Oracle has updated samba, samba3x (OL6; OL5: two vulnerabilities) and tomcat6 (OL6: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities), lzo (RHEL6&7: denial of service/possible code execution), samba (RHEL7: three vulnerabilities), samba, samba3x (RHEL5&6: two vulnerabilities), and tomcat6 (RHEL6: multiple vulnerabilities).

Scientific Linux has updated lzo (SL6: denial of service/possible code execution), samba and samba3x (SL5&6: two vulnerabilities), and tomcat6 (SL6: multiple vulnerabilities).

Ubuntu has updated php5 (multiple vulnerabilities).

[$] LWN.net Weekly Edition for July 10, 2014

Thursday 10th of July 2014 01:36:55 AM
The LWN.net Weekly Edition for July 10, 2014 is available.

Andrew Tanenbaum retires

Wednesday 9th of July 2014 10:21:19 PM
Professor Andrew Tanenbaum, creator of MINIX, is retiring after 43 years at the Vrije Universiteit in the Netherlands. He will give a final lecture at the VU on October 23, which will be followed by a reception. (Thanks to Michael Kerrisk.)