LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security advisories

Friday 24th of October 2014 04:51:43 PM

Debian has updated pidgin (multiple vulnerabilities).

Mageia has updated ctags (denial of service), ejabberd (incorrectly allows unencrypted connections), iceape (multiple vulnerabilities), libxml2 (denial of service), lua (code execution), openssl (multiple vulnerabilities), and phpmyadmin (cross-site scripting).

Mandriva has updated ctags (denial of service), ejabberd (incorrectly allows unencrypted connections), java-1.7.0-openjdk (multiple vulnerabilities), libxml2 (denial of service), lua (code execution), openssl (multiple vulnerabilities), and phpmyadmin (cross-site scripting).

Red Hat has updated kernel (RHEL6.5: denial of service).

Ubuntu has updated openjdk-7 (14.10: multiple vulnerabilities).

openSUSE Factory and Tumbleweed to merge

Friday 24th of October 2014 01:13:35 PM
The openSUSE project has announced that the "Factory" and "Tumbleweed" distributions will merge into a single rolling distribution (called "Tumbleweed"). There is also an FAQ posting about the merger. "With the vast improvements to the Factory development process over the last 2 years, we effectively found ourselves as a project with not one, but two rolling release distributions in addition to our main regular release distribution. GregKH signalled his intention to stop maintaining Tumbleweed as a 'rolling-released based on the current release'. It seemed a natural decision then to bring both the Factory rolling release and Tumbleweed rolling release together, so we can consolidate our efforts and make openSUSE's single rolling release as stable and effective as possible."

Garrett: Linux Container Security

Thursday 23rd of October 2014 08:59:20 PM
Matthew Garrett considers the security of Linux containers on his blog. While the attack surface of containers is likely to always be larger than that of hypervisors, that difference may not matter in practice, but it's going to take some work to get there: I suspect containers can be made sufficiently secure that the attack surface size doesn't matter. But who's going to do that work? As mentioned, modern container deployment tools make use of a number of kernel security features. But there's been something of a dearth of contributions from the companies who sell container-based services. Meaningful work here would include things like:
  • Strong auditing and aggressive fuzzing of containers under realistic configurations
  • Support for meaningful nesting of Linux Security Modules in namespaces
  • Introspection of container state and (more difficult) the host OS itself in order to identify compromises
These aren't easy jobs, but they're important, and I'm hoping that the lack of obvious development in areas like this is merely a symptom of the youth of the technology rather than a lack of meaningful desire to make things better. But until things improve, it's going to be far too easy to write containers off as a "convenient, cheap, secure: choose two" tradeoff. That's not a winning strategy.
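Garrett's list asks for auditing of containers under realistic configurations. A practical first step is to look at what a containerized process actually runs with: its effective capability mask, whether a seccomp filter is installed, and whether no_new_privs is set, all of which the kernel reports in /proc/&lt;pid&gt;/status. The Python below is an added example written for this page; it is not code from Garrett's post or from any container tool. The capability bit order follows the kernel's capability.h, the two status excerpts are constructed to resemble a default-profile container and a fully privileged one, and the set of capabilities flagged as "escape" capabilities is this example's own judgement, not a kernel-defined list.

```python
"""Audit the kernel isolation features a Linux process is actually running with.

Parses the CapEff, Seccomp and NoNewPrivs fields of /proc/<pid>/status and
turns them into a short list of findings. Added example; the status samples
below are constructed, not captured from a real system.
"""
from __future__ import annotations

# Capability names in kernel bit order (include/uapi/linux/capability.h).
CAPABILITIES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that let a process step around namespace isolation (mount,
# load modules, raw device I/O, ptrace, reconfigure the network). This is
# the example's own selection, not a kernel-defined set.
ESCAPE_CAPS = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace",
               "dac_read_search", "net_admin", "sys_boot"}

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed samples: a container with a default-style capability mask and a
# seccomp filter, and a fully privileged one with neither restriction.
DEFAULT_CONTAINER_STATUS = (
    "Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\nNoNewPrivs:\t0\n"
)
PRIVILEGED_CONTAINER_STATUS = (
    "Name:\tsh\nCapEff:\t0000003fffffffff\nSeccomp:\t0\nNoNewPrivs:\t0\n"
)


def parse_status(text: str) -> dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(mask_hex: str) -> list[str]:
    """Expand a hex capability mask (as printed in CapEff) into cap names."""
    mask = int(mask_hex, 16)
    names = []
    for bit in range(mask.bit_length()):
        if mask & (1 << bit):
            # Bits beyond the known table (newer kernels) get a numeric name.
            names.append(CAPABILITIES[bit] if bit < len(CAPABILITIES)
                         else f"cap_{bit}")
    return names


def audit(status_text: str) -> dict:
    """Return decoded isolation state plus a list of human-readable findings."""
    fields = parse_status(status_text)
    caps = decode_caps(fields.get("CapEff", "0"))
    seccomp = SECCOMP_MODES.get(int(fields.get("Seccomp", "0")), "unknown")
    no_new_privs = fields.get("NoNewPrivs", "0") == "1"

    findings = []
    dangerous = sorted(ESCAPE_CAPS & set(caps))
    if dangerous:
        findings.append("effective caps allow isolation bypass: "
                        + ", ".join(dangerous))
    if seccomp == "disabled":
        findings.append("no seccomp filter: full syscall surface exposed")
    if not no_new_privs:
        findings.append("no_new_privs unset: setuid/fscaps binaries can "
                        "regain privilege after exec")
    return {"caps": caps, "seccomp": seccomp,
            "no_new_privs": no_new_privs, "findings": findings}


def audit_pid(pid: str = "self") -> dict:
    """Audit a live process on a Linux host (run inside the container)."""
    with open(f"/proc/{pid}/status") as f:
        return audit(f.read())


if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_CONTAINER_STATUS),
                         ("privileged", PRIVILEGED_CONTAINER_STATUS)):
        result = audit(sample)
        print(name, result["seccomp"], len(result["caps"]), "caps")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it inside a container as `python3 audit.py` for the constructed samples, or call `audit_pid()` to inspect the live process. The point it makes is the one Garrett raises: a default profile already drops the capabilities that matter most and installs a syscall filter, but whether that configuration survives into production, or is silently replaced by a privileged one, is exactly what needs auditing.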

Schaller: GStreamer Conference 2014 talks online

Thursday 23rd of October 2014 08:29:15 PM
On his blog, Christian Schaller announced the availability of videos from the recently completed GStreamer Conference. "For those of you who like me missed this years GStreamer Conference the recorded talks are now available online thanks to Ubicast. Ubicast has been a tremendous partner for GStreamer over the years making sure we have high quality talk recordings online shortly after the conference ends. So be sure to check out this years batch of great GStreamer talks."

Ubuntu 14.10 (Utopic Unicorn) released

Thursday 23rd of October 2014 07:13:17 PM
Ubuntu has announced its latest release: 14.10 "Utopic Unicorn". As usual, it comes with versions for server, desktop, and cloud, along with multiple official "flavors": Kubuntu, Lubuntu, Mythbuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu Studio, and Xubuntu. All of the varieties come with a 3.16 kernel and many more new features: "Ubuntu Desktop has seen incremental improvements, with newer versions of GTK and Qt, updates to major packages like Firefox and LibreOffice, and improvements to Unity, including improved High-DPI display support. Ubuntu Server 14.10 includes the Juno release of OpenStack, alongside deployment and management tools that save devops teams time when deploying distributed applications - whether on private clouds, public clouds, x86 or ARM servers, or on developer laptops. Several key server technologies, from MAAS to Ceph, have been updated to new upstream versions with a variety of new features." More information can be found in the release notes.

Security updates for Thursday

Thursday 23rd of October 2014 02:40:11 PM

Fedora has updated java-1.7.0-openjdk (F19: multiple vulnerabilities) and php (F20: three vulnerabilities).

Mandriva has updated php (BS1.0: code execution).

Oracle has updated java-1.8.0-openjdk (OL6: multiple vulnerabilities) and wireshark (OL5: multiple vulnerabilities).

Red Hat has updated openstack-glance (OSP4: denial of service), openstack-heat (OSP4: information leak), openstack-keystone (OSP4: two vulnerabilities), openstack-neutron (OSP4: denial of service), openstack-nova (OSP4: privilege escalation), openstack-packstack (OSP4: unexpected firewall disable), and python-backports-ssl_match_hostname (OSP4: denial of service from 2013).

Scientific Linux has updated java-1.6.0-openjdk (multiple vulnerabilities), java-1.7.0-openjdk (SL7, SL6; SL5: multiple vulnerabilities), libxml2 (SL7, SL6: denial of service), openssh (SL6: two vulnerabilities), rsyslog5 and rsyslog (SL6, SL5: denial of service), trousers (SL6: denial of service from 2012), and wireshark (SL7, SL6; SL5: multiple vulnerabilities).

SUSE has updated kernel (SLE11SP3; SLE11SP3: multiple vulnerabilities, one from 2013).

Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities) and pollinate (14.04: certificate refresh).

Ten years of Ubuntu (ars technica)

Thursday 23rd of October 2014 12:25:16 PM
Here's a lengthy ars technica retrospective on Ubuntu's first ten years. "As you'll soon see in this look at the desktop distro through the years, Linux observers sensed there was something special about Ubuntu nearly from the start. However, while a Linux OS that genuinely had users in mind was quickly embraced, Ubuntu's ten-year journey since is a microcosm of the major Linux events of the last decade—encompassing everything from privacy concerns and Windows resentment to server expansion and hopes of convergence."

[$] LWN.net Weekly Edition for October 23, 2014

Thursday 23rd of October 2014 12:30:24 AM
The LWN.net Weekly Edition for October 23, 2014 is available.

[$] Where to store your encrypted data

Wednesday 22nd of October 2014 05:04:22 PM
In a talk entitled "Lies, Damned Lies, and Remotely Hosted Encrypted Data", Kolab Systems CEO Georg Greve outlined the thinking and investigation that the company did before deciding on where to store its customers' encrypted data. The talk, which was given at LinuxCon Europe in Düsseldorf, Germany, looked at various decisions that need to be made when determining where and how to store data on the internet. It comes down to a number of factors, including the legal framework of the country in question and physical security for the systems storing the data.

Security advisories for Wednesday

Wednesday 22nd of October 2014 04:49:40 PM

CentOS has updated libxml2 (C7: denial of service), qemu-kvm (C7: information leak), rsyslog (C5: denial of service), and wireshark (C7; C5: multiple vulnerabilities).

Fedora has updated bugzilla (F20; F19: multiple vulnerabilities), java-1.8.0-openjdk (F19: multiple vulnerabilities), and perl-Mojolicious (F20; F19: parameter injection attack).

openSUSE has updated getmail (13.1, 12.3: multiple vulnerabilities) and wpa_supplicant (13.1; 12.3: command execution).

Oracle has updated kernel (OL6: multiple vulnerabilities), rsyslog (OL6: denial of service), rsyslog7 (OL6: denial of service), and wireshark (OL7; OL6: multiple vulnerabilities).

Red Hat has updated wireshark (RHEL6,7; RHEL5: multiple vulnerabilities).

[$] The future of the realtime patch set

Tuesday 21st of October 2014 06:17:31 PM

In a followup to last year's report on the future of realtime Linux, Thomas Gleixner once again summarized the status of the long-running patch set. The intervening year did not result in the industry stepping up to fund further work, which led Gleixner to declare that realtime Linux is now just his hobby. That means new releases will be done as his time allows and may eventually lead to dropping the patch set altogether if the widening gap between mainline and realtime grows too large.

Subscribers can click below for the full report of Gleixner's talk at this year's Linux Plumbers Conference.

Tuesday's security updates

Tuesday 21st of October 2014 04:06:26 PM

Debian has updated mysql-5.5 (multiple vulnerabilities).

Mandriva has updated bugzilla (multiple vulnerabilities), kernel (multiple vulnerabilities), mediawiki (cross-site scripting), perl (denial of service), python (buffer overflow), and rsyslog (two vulnerabilities).

Oracle has updated qemu-kvm (OL7: information leak) and rsyslog5 (OL5: denial of service).

Red Hat has updated qemu-kvm (RHEL7: information leak) and rsyslog (RHEL5,6: denial of service).

Scientific Linux has updated qemu-kvm (SL7: information leak).

Slackware has updated openssh (SSHFP-checking disabled).

Emacs 24.4 released

Tuesday 21st of October 2014 12:25:12 PM
Version 24.4 of the Emacs editor is out. New features this time around include a built-in web browser (unfortunately named "eww"), better multi-monitor support, the ability to save and restore the state of frames and windows, digital signatures on Emacs Lisp packages, access control list support, and much more. See the NEWS file for all the details.

Debian Project mourns the loss of Peter Miller

Tuesday 21st of October 2014 12:20:56 AM
The Debian Project recently learned that community member Peter Miller died last July. "Peter was a relative newcomer to the Debian project, but his contributions to Free and Open Source Software go back to the late 1980s. Peter was a significant contributor to GNU gettext as well as being the main upstream author and maintainer of other projects that ship as part of Debian, including, but not limited to, srecord, aegis and cook. Peter was also the author of the paper "Recursive Make Considered Harmful"."

Shuttleworth: V is for Vivid

Tuesday 21st of October 2014 12:16:07 AM
Ubuntu 14.10 "Utopic Unicorn" is due to be released this week. That marks 10 years of Ubuntu releases, beginning with Ubuntu 4.10 "Warty Warthog". In this article Mark Shuttleworth announces the name of what will be the 15.04 release. "This verbose tract is a venial vanity, a chance to vector verbal vibes, a map of verdant hills to be climbed in months ahead. Amongst those peaks I expect we’ll find new ways to bring secure, free and fabulous opportunities for both developers and users. This is a time when every electronic thing can be an Internet thing, and that’s a chance for us to bring our platform, with its security and its long term support, to a vast and important field. In a world where almost any device can be smart, and also subverted, our shared efforts to make trusted and trustworthy systems might find fertile ground. So our goal this next cycle is to show the way past a simple Internet of things, to a world of Internet things-you-can-trust."

The FSF opens nominations for the 17th annual Free Software Awards

Monday 20th of October 2014 05:50:32 PM
The Free Software Foundation (FSF) and the GNU Project have announced the opening of nominations for the 17th annual Free Software Awards. The Free Software Awards include the Award for the Advancement of Free Software and the Award for Projects of Social Benefit. "In the case of both awards, previous winners are not eligible for nomination, but renomination of other previous nominees is encouraged. Only individuals are eligible for nomination for the Advancement of Free Software Award (not projects), and only projects can be nominated for the Social Benefit Award (not individuals). For a list of previous winners, please visit https://www.fsf.org/awards."

Security advisories for Monday

Monday 20th of October 2014 04:47:09 PM

Debian has updated iceweasel (multiple vulnerabilities).

Fedora has updated glibc (F19: multiple vulnerabilities), gnome-shell (F20: lock screen bypass), kernel (F19: multiple vulnerabilities), libxml2 (F20: denial of service), openssl (F20; F19: multiple vulnerabilities), openstack-glance (F20: denial of service), and torque (F20; F19: authentication bypass).

openSUSE has updated bash (13.1; 12.3: multiple vulnerabilities).

Oracle has updated libxml2 (OL6: denial of service).

Kernel prepatch 3.18-rc1

Monday 20th of October 2014 11:58:09 AM
In a relatively predictable move, Linus has released 3.18-rc1 and closed the 3.18 merge window sooner than expected. He has, however, said that he will be more than usually open to post-rc1 pull requests from people who "grovel a bit." "There is also at least one pull request that I am hoping to get asap and planning on still pulling, ie I'm very much still hoping to get overlayfs finally merged." In the end, 9,711 non-merge changesets found their way into the mainline repository during this merge window.

Interview: Thomas Voß of Mir (Linux Voice)

Friday 17th of October 2014 06:37:30 PM

Linux Voice has an interview with Canonical's Thomas Voß, the technical architect of the Mir display server. The interview deals largely with background topics, such as the Mir team's decision to standardize on an API rather than define a protocol, and the various languages to support. "Obviously there are disadvantages to having only one graphics language, but the benefits outweigh the disadvantages. And I think that’s a common theme in the industry. Android made the same decision to go that way. Even Wayland to a certain degree has been doing that. They have to support EGL and GL, simply because it’s very convenient for app developers and toolkit developers – an open graphics language. That was the part that inspired us, and we wanted to have this one graphics language and support it well."

Friday's security updates

Friday 17th of October 2014 04:09:02 PM

CentOS has updated openssl (C5: protocol downgrade) and openssl (C6, C7: multiple vulnerabilities).

Debian has updated openssl (multiple vulnerabilities).

Fedora has updated firefox (F20: multiple vulnerabilities), java-1.7.0-openjdk (F20: multiple vulnerabilities), java-1.8.0-openjdk (F20: multiple vulnerabilities), kernel (F20: multiple vulnerabilities), php-ZendFramework (F19; F20: multiple vulnerabilities), and thunderbird (F20: multiple vulnerabilities).

Oracle has updated cups (OL6: multiple vulnerabilities), file (OL6: multiple vulnerabilities), firefox (OL5; OL6: multiple vulnerabilities), glibc (OL6: multiple vulnerabilities), java-1.6.0-openjdk (OL6: multiple vulnerabilities), java-1.7.0-openjdk (OL6: multiple vulnerabilities), krb5 (OL6: multiple vulnerabilities), libxml2 (OL7: denial of service), openssh (OL6: multiple vulnerabilities), openssl (OL5; OL6; OL7: multiple vulnerabilities), thunderbird (OL6: multiple vulnerabilities), and trousers (OL6: denial of service).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), libxml2 (RHEL6,7: denial of service), openssl (RHEL5: protocol downgrade), openssl (RHEL6,7: multiple vulnerabilities), and rsyslog7 (RHEL6: denial of service).

Scientific Linux has updated openssl (SL5: protocol downgrade) and openssl (SL6,7: multiple vulnerabilities).

Ubuntu has updated openjdk-6 (10.04, 12.04: multiple vulnerabilities) and openssl (multiple vulnerabilities).

More in Tux Machines

Leftovers: Gaming

The First Vivid-Based Ubuntu Touch Image Has Been Released

As I have previously announced, the Ubuntu Touch development branch is based on Ubuntu 15.04 Vivid Vervet, while the Ubuntu RTM branch is still using Ubuntu 14.10 Utopic Unicorn as code base, because it has already received stability improvements and will be used by default on the first Ubuntu powered Meizu phone. Currently, all the new features are implemented on the Ubuntu-Devel branch, the RTM one receiving only fixes.

Security-Minded Qubes OS Will Satisfy Your Yen for Xen

It has advanced far beyond the primitive proof of concept demonstrated more than four years ago. Release 2 (beta), which arrived in late September, is a powerful desktop OS. Qubes succeeds in seamlessly integrating security by isolation into the user experience. However, comparing Qubes to a typical Linux distro is akin to comparing the Linux OS to Unix.

Sad News! ;-)

So, XP is dead, “7” is dying, “8” is a zombie, and “10” is vapourware with nowhere to call home. M$ continues layoffs. POOF! It all falls down. In the meantime Google and the OEMs will crank out many millions of ChromeBooks. Canonical, Linpus, RedHat, Suse… and the OEMs will crank out many millions of GNU/Linux PCs. Several OEMs will crank out many millions of GNU/Linux thin clients. Android/Linux will reverberate with another billion or so units of small cheap computers (tablets, smartphones). This looks like good news to me.