LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security updates

Friday 10th of April 2015 03:07:06 PM

Arch Linux has updated mediawiki (multiple vulnerabilities).

CentOS has updated xorg-x11-server (C7: information leak/denial of service).

Debian has updated dpkg (integrity-verification bypass).

Fedora has updated arj (F21: multiple vulnerabilities), echoping (F20; F21: multiple vulnerabilities), and python-dulwich (F20; F21: code execution).

Mageia has updated batik (M4: information leak), chromium-browser-stable (M4: multiple vulnerabilities), jakarta-taglibs-standard (M4: code execution), less (M4: information leak), mediawiki (M4: multiple vulnerabilities), openldap (M4: denial of service), qt-creator (M4: key-verification failure), suricata (M4: denial of service), and xerces-c (M4: denial of service).

Mandriva has updated arj (BS1: multiple vulnerabilities), less (BS1,2: information leak), mediawiki (BS1: multiple vulnerabilities), and ntp (BS1,2: multiple vulnerabilities).

Oracle has updated xorg-x11-server (O6; O7: information leak/denial of service).

Red Hat has updated qemu-kvm-rhev (RHEL OSP: privilege escalation) and xorg-x11-server (RHEL6,7: information leak/denial of service).

Scientific Linux has updated krb5 (SL6: multiple vulnerabilities).

SUSE has updated libXfont (SLE12: multiple vulnerabilities).

Ubuntu has updated dpkg (integrity-verification bypass).

X.org election results

Friday 10th of April 2015 11:38:27 AM
As was discussed in this LWN article, the X.Org Foundation recently held an election to choose four board members and decide whether to change the organization's by-laws to enable it to become a member of Software in the Public Interest (SPI). The results are now available. The board members elected are Peter Hutterer, Martin Peres, Rob Clark, and Daniel Vetter. The measure to change the by-laws did not pass, though, despite receiving only two "no" votes, because the required two-thirds majority was not reached.

Linux Foundation to host Let's Encrypt

Thursday 9th of April 2015 11:44:10 PM

The Linux Foundation (LF) has announced that it will serve as host of the Let's Encrypt project, as well as the Internet Security Research Group (ISRG). Let's Encrypt is the free, automated SSL/TLS certificate authority that was announced in November 2014 by the Electronic Frontier Foundation (EFF) to provide TLS certificates for every domain on the web. ISRG is the non-profit organization created to spearhead efforts like Let's Encrypt (which, as of now, is ISRG's only public project). In the LF announcement, executive director Jim Zemlin notes that "by hosting this important encryption project in a neutral forum we can accelerate the work towards a free, automated and easy security certification process that benefits millions of people around the world."

Thursday's security updates

Thursday 9th of April 2015 03:53:46 PM

Arch Linux has updated chrony (denial of service).

CentOS has updated krb5 (C6: multiple vulnerabilities).

Debian-LTS has updated arj (multiple vulnerabilities), checkpw (denial of service), libgcrypt11 (multiple vulnerabilities), and libgd2 (multiple vulnerabilities).

Fedora has updated drupal7-webform (F20; F21: unspecified vulnerability), firefox (F21: multiple vulnerabilities), powerpc-utils-python (F20; F21: code execution), and xterm (F20; F21: denial of service).

Mandriva has updated java-1.8.0-openjdk (BS2: multiple vulnerabilities).

Oracle has updated kernel (O5: multiple vulnerabilities) and krb5 (O6: denial of service).

Red Hat has updated krb5 (RHEL6: multiple vulnerabilities).

Ubuntu has updated kernel (12.04; 14.04; 14.10: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

[$] LWN.net Weekly Edition for April 9, 2015

Wednesday 8th of April 2015 11:48:01 PM
The LWN.net Weekly Edition for April 9, 2015 is available.

Security advisories for Wednesday

Wednesday 8th of April 2015 04:42:14 PM

Arch Linux has updated ntp (two vulnerabilities).

CentOS has updated kernel (C5: multiple vulnerabilities).

Debian has updated libxml2 (denial of service).

Fedora has updated setroubleshoot (F21; F20: privilege escalation) and texlive (F21: arbitrary file removal).

openSUSE has updated Chromium (13.2, 13.1: two vulnerabilities), libgit2 (13.2, 13.1: code execution), firefox, thunderbird (13.2, 13.1: multiple vulnerabilities), php5 (13.2, 13.1: multiple vulnerabilities), potrace (13.2, 13.1: denial of service), quassel (13.2, 13.1: denial of service), and subversion (13.2, 13.1: multiple vulnerabilities).

Red Hat has updated kernel (RHEL5: multiple vulnerabilities), novnc (RHEL OSP6.0: VNC session hijacking), openstack-nova (RHEL OSP6.0: cross-site websocket hijack attack), openstack-packstack (RHEL OSP6.0: root command execution), and installer (RHEL OSP6.0: root command execution).

Scientific Linux has updated kernel (C5: multiple vulnerabilities).

SUSE has updated xorg-x11-libs (SLE11 SP3: privilege escalation).

Ubuntu has updated libtasn1-3, libtasn1-6 (14.10, 14.04, 12.04, 10.04: denial of service) and mailman (14.10, 14.04, 12.04: path traversal attack).

Mourning Chris Yeoh

Wednesday 8th of April 2015 12:39:02 PM
From the OpenStack community comes the sad announcement of the passing of Chris Yeoh, a longtime free-software developer. "Chris was humble, helpful and honest. The OpenStack and broader Open Source communities are poorer for his passing." Those with memories of Chris are encouraged to contribute them to a collection being put together for his daughter.

[$] An update on the freedreno graphics driver

Wednesday 8th of April 2015 10:04:03 AM
The freedreno project was started by Rob Clark to create a free-software driver for the Adreno family of GPUs, which are used by the Qualcomm Snapdragon system-on-chip (SoC) family. He presented a status report on the project, along with some history and future plans, at the Embedded Linux Conference, which was held in San Jose, CA, March 23-25.


Post-Cryptanalysis, TrueCrypt Alternatives Step Forward (Threat Post)

Tuesday 7th of April 2015 11:10:24 PM
Threat Post takes a look at two TrueCrypt forks, VeraCrypt and CipherShed. Although TrueCrypt development was discontinued last year, the code underwent a two-phase audit and passed with a relatively clean bill of health. "VeraCrypt and CipherShed have addressed many of the shortcomings identified not only by the audit, but by others who have scrutinized the TrueCrypt code in recent years. VeraCrypt’s [Mounir] Idrassi, for example, said he replaced TrueCrypt’s lone support of the RIPEMD-160 algorithm with SHA-256 support for system encryption. He said VeraCrypt has also tried to simplify the build process, especially for Linux and Mac OS X systems, so that other less common configurations could be used." The results of the audit of TrueCrypt are available in PDF format; phase 1 was completed in February 2014, and phase 2 was completed in March 2015.

Tuesday's security updates

Tuesday 7th of April 2015 04:34:21 PM

Arch Linux has updated tor (denial of service).

Debian has updated arj (multiple vulnerabilities), libgd2 (denial of service), mailman (path traversal attack), and tor (denial of service).

Debian-LTS has updated mailman (path traversal attack) and tor (denial of service).

Fedora has updated chicken (F21; F20: buffer overflow), kernel (F20: multiple vulnerabilities), libxml2 (F21: denial of service), and seamonkey (F21; F20: multiple vulnerabilities).

Gentoo has updated firefox (multiple vulnerabilities).

Mandriva has updated cups-filters (MBS2.0: remote command execution), libtasn1 (MBS1.0, MBS2.0: denial of service), and python-django (MBS1.0: cross-site scripting).

Red Hat has updated kernel (RHEL6.5: multiple vulnerabilities).

Ubuntu has updated firefox (14.10, 14.04, 12.04: certificate verification bypass) and oxide-qt (14.10, 14.04: multiple vulnerabilities).

Kernel prepatch 4.0-rc7

Tuesday 7th of April 2015 09:25:19 AM
Linus has released 4.0-rc7 after a delay of a couple of days for the holiday. "But it's still pretty small, and things are on track for 4.0 next weekend. There's a tiny chance that I'll decide to delay 4.0 by a week just because I'm traveling the week after, and I might want to avoid opening the merge window. We'll see how I feel about it next weekend."

Linux Australia server breach

Monday 6th of April 2015 07:15:53 PM
Linux Australia has reported a breach on the Conference Management (Zookeepr) hosting server. This server hosted the conference systems for linux.conf.au 2013, 2014 and 2015, and for PyCon Australia 2013 and 2014. "The database dumps which occurred during the breach include information provided during conference registration - First and Last Names, physical and email addresses, and any phone contact details provided, as well as a hashed version of the user password. As Zookeepr uses a third party credit card payment gateway for credit card processing, the database dumps do not contain any credit card or banking details."

Security advisories for Monday

Monday 6th of April 2015 05:07:54 PM

Arch Linux has updated firefox (certificate verification bypass), java-batik (information leak), and thunderbird (multiple vulnerabilities).

Fedora has updated firefox (F20: multiple vulnerabilities), freeipa (F21: two vulnerabilities), glpi (F21; F20: privilege escalation), lasso (F21; F20: denial of service), mingw-libzip (F21; F20: code execution), mingw-qt5-qtbase (F21; F20: denial of service), mingw-qt5-qtdeclarative (F21; F20: denial of service), mingw-qt5-qtgraphicaleffects (F21; F20: denial of service), mingw-qt5-qtimageformats (F21; F20: denial of service), mingw-qt5-qtlocation (F21; F20: denial of service), mingw-qt5-qtmultimedia (F21; F20: denial of service), mingw-qt5-qtquick1 (F21; F20: denial of service), mingw-qt5-qtscript (F21; F20: denial of service), mingw-qt5-qtsensors (F21; F20: denial of service), mingw-qt5-qtsvg (F21; F20: denial of service), mingw-qt5-qttools (F21; F20: denial of service), mingw-qt5-qttranslations (F21; F20: denial of service), mingw-qt5-qtwebkit (F21; F20: denial of service), mingw-qt5-qtwinextras (F21; F20: denial of service), moodle (F21; F20: multiple vulnerabilities), osc (F21; F20: command injection), patch (F20: multiple vulnerabilities), PyYAML (F21; F20: denial of service), rt (F21: multiple vulnerabilities), slapi-nis (F21: multiple vulnerabilities), thunderbird (F21: multiple vulnerabilities), and tor (F21; F20: denial of service).

Mageia has updated cups-filters (remote command execution), novnc (VNC session hijacking), and php, libzip (multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: two vulnerabilities).

10 Years of Git: An Interview with Git Creator Linus Torvalds (Linux.com)

Monday 6th of April 2015 05:01:08 PM
Linux.com talks with Linus Torvalds about the development of Git. "Just to pick an example: the concept of 'merging' was generally considered to be something really quite painful and hard in most SCM's. You'd plan your merges, because they were big deals. That's not acceptable to me, since I commonly do tens of merges a day when in the merge window, and even then, the biggest overhead shouldn't be the merge itself, it should be testing the result. The 'git' part of the merge is just a couple of seconds, it should take me much longer just to write the merge explanation message."

Tor Summer of Privacy

Friday 3rd of April 2015 10:02:03 PM

The Tor Project and the Electronic Frontier Foundation (EFF) have announced a mentoring program entitled the "Tor Summer of Privacy" (TorSoP). Akin to the Google Summer of Code, TorSoP will provide financial support and mentorship for a group of students to work on privacy-related free software. Three student positions are available this year; applications will be accepted through April 10. More details (including project ideas) are provided on the TorSoP page.

Rust 1.0 beta released

Friday 3rd of April 2015 08:07:28 PM

The Rust team at Mozilla Research has announced the first beta release of Rust 1.0. The release notes detail a number of important changes, but the announcement adds some additional noteworthy items. "The Beta release also marks a turning point in our approach to stability. During the alpha cycle, the use of unstable APIs and language features was permitted, but triggered a warning. As of the Beta release, the use of unstable APIs will become an error (unless you are using Nightly builds or building from source)." A new continuous-integration infrastructure has also been deployed. The final release is currently expected around May 15.

Friday's security updates

Friday 3rd of April 2015 04:22:04 PM

Arch Linux has updated libtasn1 (denial of service).

Debian has updated icedove (multiple vulnerabilities).

Fedora has updated drupal7-ctools (F20; F21: multiple vulnerabilities), firefox (F21: multiple vulnerabilities), icu (F21: multiple vulnerabilities), and texlive (F20: arbitrary file removal).

Mageia has updated firefox, thunderbird (M4: multiple vulnerabilities), iceape (M4: multiple vulnerabilities), libtasn1 (M4: denial of service), mercurial (M4: command injection), mongodb (M4: denial of service), and python-django (M4: multiple vulnerabilities).

Mandriva has updated icu (BS1: multiple vulnerabilities) and subversion (BS1, BS2: multiple vulnerabilities).

SUSE has updated kernel (SLE12: multiple vulnerabilities).

Ubuntu has updated thunderbird (12.04, 14.04, 14.10: multiple vulnerabilities).

What to Expect When You're Expecting: PHP 7, Part 1 (Engine Yard)

Friday 3rd of April 2015 09:16:03 AM
The Engine Yard blog has an introduction to the changes coming in the PHP 7 release. "My personal favorite addition to PHP 7 is the addition of the Combined Comparison Operator, <=>, otherwise known as the spaceship operator. [...] It effectively works like strcmp(), or version_compare(), returning -1 if the left operand is smaller than the right, 0 if they are equal, and 1 if the left is greater than the right. The major difference being that it can be used on any two operands, not just strings, but also integers, floats, arrays, etc."

Android security state of the union

Thursday 2nd of April 2015 09:25:51 PM
Google has announced the issuing of a lengthy report [PDF] on the state of Android security. "In 2014, the Android platform made numerous significant improvements in platform security technology, including enabling deployment of full disk encryption, expanding the use of hardware-protected cryptography, and improving the Android application sandbox with an SELinux-based Mandatory Access Control system (MAC). Developers were also provided with improved tools to detect and react to security vulnerabilities, including the nogotofail project and the SecurityProvider. We provided device manufacturers with ongoing support for fixing security vulnerabilities in devices, including development of 79 security patches, and improved the ability to respond to potential vulnerabilities in key areas, such as the updateable WebView in Android 5.0."

Open Crypto Audit gives TrueCrypt a passing grade

Thursday 2nd of April 2015 07:17:42 PM

At his blog, cryptographer Matt Green announced that the Open Crypto Audit project's review of the now-abandoned TrueCrypt encryption tool is complete, and that "based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances." TrueCrypt was abruptly abandoned by its anonymous developers in 2014, leading some to suspect that a serious vulnerability had been discovered. The final Open Crypto Audit report [PDF] suggests otherwise, which is good news for users as well as for the multiple open-source projects that have subsequently developed TrueCrypt-compatibility support.

More in Tux Machines

KaOS 2015.04 is here -- Download the KDE-focused Linux distro now!

There are too many Linux distributions nowadays. Choice and variety are wonderful, but in this case they spread resources very thin. Linux-based operating systems might be further along by now if more developers came together to work on projects. For someone new to Linux, finding a distro can be a daunting task. Many of the releases are simply noise, making it hard to find the quality operating systems. KaOS is one of those quality operating systems. It is a wonderful Linux distribution that focuses on KDE. Quite frankly, if you are a KDE purist, this should be on your radar. To celebrate the two-year anniversary of the distro, the team has released 2015.04. Whether you are a Linux noob or even an expert, you should give it a try.

What Your CIO Needs to Know About Open Source

Today’s businesses are becoming increasingly familiar with the many benefits of open source software. In fact, 74 percent of IT professionals in the U.S. alone agree that open source software offers better continuity and control than proprietary software. However, some CIOs are still skeptical about adopting open source software into their IT infrastructure, as they’ve grown accustomed to their proprietary software vendors.

Elementary OS Freya 0.3 review

Elementary OS is a Linux desktop distribution that’s being primed as a “fast and open replacement for Windows and OS X.” It’s safe to say that that’s the goal of every Linux distribution. Some distributions have, to a large extent, succeeded, while some are partially or completely misguided. Elementary OS, even though it’s still just at version 0.3, belongs to the first group. Some of the design decisions make it slightly painful to use, but as a whole, the distribution is moving in the right direction. Will it ever get to the point where it replaces Windows and OS X for all users? No, because there’ll always be those who love Windows and Mac OS X no matter what. And there are still applications that have no real alternatives on Linux.

Evolving KDE: Lehman’s Laws of Software Evolution In The Community

The board of KDE e.V. has launched a new initiative to ensure that KDE remains awesome and relevant for the foreseeable future. Unlike previous approaches, it is not a point-in-time solution; it is a continuous process of improvement. And it is a good thing. Previously, I have written/spoken a lot about the role of Brooks’ Law in the context of Free Software. Brooks’ Law teaches us to be careful about the management of growth in our communities, especially treated in consideration with the grossly underappreciated Conway’s Law. There are, of course, other laws of Software Engineering that apply to Free Software development.