LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security updates for Friday

Friday 11th of August 2017 02:57:55 PM
Security updates have been issued by Arch Linux (firefox, flashplugin, lib32-flashplugin, libsoup, and varnish), Debian (freeradius, git, libsoup2.4, pjproject, postgresql-9.1, postgresql-9.4, postgresql-9.6, subversion, and xchat), Fedora (gsoap, irssi, knot-resolver, php-horde-horde, php-horde-Horde-Core, php-horde-Horde-Form, php-horde-Horde-Url, php-horde-kronolith, php-horde-nag, and php-horde-turba), Mageia (perl-XML-LibXML), Oracle (libsoup), Red Hat (firefox and libsoup), SUSE (kernel and libsoup), and Ubuntu (git, kernel, libsoup2.4, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, linux-lts-trusty, linux-lts-xenial, php5, php7.0, and subversion).

Source-code management system security updates

Friday 11th of August 2017 02:09:10 PM
It turns out that even rather different source-code management systems can have similar vulnerabilities. This can be seen in the Git v2.14.1, Mercurial 4.3, and Subversion 1.9.7 releases (plus updates of older releases). In each case, it's possible to provide a malicious repository URL that ends up executing code; these URLs can be buried out of sight in existing repositories. Updating would be a good idea, regardless of which system you use.

[$] Scaling the kernel's MAINTAINERS file

Thursday 10th of August 2017 08:49:48 PM
The kernel's development community is large, to the point that it is often far from obvious who a given patch should be sent to. As the community has grown, it has developed mechanisms for tracking that information centered on a text file called MAINTAINERS. But now it would appear that this scalability mechanism has scalability problems of its own.

Security updates for Thursday

Thursday 10th of August 2017 01:29:54 PM
Security updates have been issued by Debian (firefox-esr), Fedora (cacti, community-mysql, and pspp), Mageia (varnish), openSUSE (mariadb, nasm, pspp, and rubygem-rubyzip), Oracle (evince, freeradius, golang, java-1.7.0-openjdk, log4j, NetworkManager and libnl3, pki-core, qemu-kvm, and X.org), Red Hat (flash-plugin), and Slackware (curl and mozilla).

[$] LWN.net Weekly Edition for August 10, 2017

Thursday 10th of August 2017 12:02:41 AM
The LWN.net Weekly Edition for August 10, 2017 is available.

[$] An alternative device-tree source language

Wednesday 9th of August 2017 07:27:27 PM
Device trees have become, in a relatively short time, the preferred way to inform the kernel of the available hardware on systems where that hardware is not discoverable — most ARM systems, among others. In short, a device tree is a textual description of a system's hardware that is compiled to a simple binary format and passed to the kernel by the bootloader. The source format for device trees has been established for a long time — longer than Linux has been using it. Perhaps it's time for a change, but a proposal for a new device-tree source format has generated a fair amount of controversy in the small corner of the community that concerns itself with such things.

Fedora 24 End Of Life

Wednesday 9th of August 2017 05:10:48 PM
Fedora 24 reached its end of life on August 8. There will be no more updates, including security updates. Please refer to this page for information about upgrades.

OSGeo-Live 11.0 Released

Wednesday 9th of August 2017 03:49:13 PM
OSGeo-Live is a live DVD/USB/VM distribution that includes a variety of open-source geospatial software. Version 11.0 is "a major reboot, with a refocus on leading applications and emphasis on quality over quantity. Less mature parts of the projects have been dropped with a targeted focus placed on upgrading and improving documentation."

Security updates for Wednesday

Wednesday 9th of August 2017 03:05:06 PM
Security updates have been issued by Mageia (atril, mpg123, perl-SOAP-Lite, and virtualbox), openSUSE (kernel and libzypp, zypper), Oracle (authconfig, bash, curl, gdm and gnome-session, ghostscript, git, glibc, gnutls, gtk-vnc, kernel, libreoffice, libtasn1, mariadb, openldap, openssh, pidgin, postgresql, python, qemu-kvm, samba, tcpdump, tigervnc and fltk, and tomcat), Red Hat (kernel, kernel-rt, openstack-neutron, and qemu-kvm), and SUSE (puppet and tcmu-runner).

[$] The coming WebKitGTK+ 2.4 apocalypse

Tuesday 8th of August 2017 09:49:03 PM
It is well understood that old and unmaintained software tends to be a breeding ground for security problems. These problems are never welcome, but they are particularly worrying when the software in question is a net-facing tool like a web browser. Standalone browsers are (hopefully) reasonably well maintained, but those are not the only web browsers out there; they can also be embedded into applications. The effort to do away with one unmaintained embedded browser is finally approaching its conclusion, but the change appears to have caught some projects unaware.

Firefox 55 released

Tuesday 8th of August 2017 06:50:15 PM
Firefox 55.0 has been released. From the release notes: "Today's release brings innovative functionality, improvements to core browser performance, and more proof that we’re committed to making Firefox better than ever. New features include support for WebVR, making Firefox the first Windows desktop browser to support VR experiences. Performance changes include significantly faster startup times when restoring lots of tabs and settings that let users take greater control of our new multi-process architecture. We’ve also upgraded the address bar to make finding what you want easier, with search suggestions and the integration of our one-click search feature, and safer, by prioritizing the secure - https - version of sites when possible."

Vetter: Why Github can't host the Linux Kernel Community

Tuesday 8th of August 2017 03:10:46 PM
Daniel Vetter describes how the kernel community scales and why he feels that the GitHub model tends not to work for the largest projects. "Unfortunately github doesn’t support this workflow, at least not natively in the github UI. It can of course be done with just plain git tooling, but then you’re back to patches on mailing lists and pull requests over email, applied manually. In my opinion that’s the single one reason why the kernel community cannot benefit from moving to github. There’s also the minor issue of a few top maintainers being extremely outspoken against github in general, but that’s not really a technical issue. And it’s not just the linux kernel, it’s all huge projects on github in general which struggle with scaling, because github doesn’t really give them the option to scale to multiple repositories, while sticking with a monotree."

Security updates for Tuesday

Tuesday 8th of August 2017 03:06:51 PM
Security updates have been issued by Fedora (cacti, freerdp, remmina, subversion, supervisor, webkitgtk4, and wireshark), Mageia (gdm, librsvg, php, libgd, and swftools), openSUSE (cacti, cacti-spine), Red Hat (java-1.7.0-openjdk and kernel), SUSE (kernel), and Ubuntu (freerdp, kernel, linux-lts-trusty, and shotwell).

[$] Escape from QuickBooks (with data in hand)

Monday 7th of August 2017 07:54:47 PM
When a small business contemplates getting away from a proprietary accounting tool like QuickBooks in favor of free software like GnuCash, the first order of business is usually finding a way to liberate that business's accounting data for input into a new system. Strangely enough, Intuit, the creator of QuickBooks, never quite got around to making that easy to do. But it turns out that, with a bit of effort, this move can be made. Getting there involves wandering through an undocumented wilderness; this article is an attempt to make things easier for the next people to come along.

Stable kernel updates

Monday 7th of August 2017 03:02:15 PM
Stable kernels 4.12.5, 4.9.41, and 4.4.80 have been released. All of them contain important fixes and users should upgrade.

Security updates for Monday

Monday 7th of August 2017 02:55:28 PM
Security updates have been issued by Debian (chromium-browser, kernel, libsndfile, and qemu), Fedora (php-PHPMailer, qpdf, qt5-qtwebengine, qt5-qtwebkit, and ruby), Mageia (evince), openSUSE (icoutils and poppler), Red Hat (log4j), SUSE (kernel), and Ubuntu (openvpn and tiff).

Kernel prepatch 4.13-rc4

Monday 7th of August 2017 01:32:19 PM
The 4.13-rc4 kernel prepatch is out for testing. "Anyway, nothing really stands out, and while I really hope that we'll see things calm down further, everything looks pretty much on track for a normal release. So go test things out. By now it should really be pretty safe."

[$] The NOVA filesystem

Friday 4th of August 2017 08:33:54 PM
Nonvolatile memory offers the promise of fast, byte-addressable storage that persists over power cycles. Taking advantage of that promise requires the imposition of some sort of directory structure so that the persistent data can be found. There are a few approaches to the implementation of such structures, but the usual answer is to employ a filesystem, since managing access to persistent data is what filesystems were created to do. But traditional filesystems are not a perfect match to nonvolatile memory, so there is a natural interest in new filesystems that were designed for this media from the beginning. The recently posted NOVA filesystem is a new entry in this race.

Git v2.14.0

Friday 4th of August 2017 06:53:51 PM
Git v2.14.0 has been released with several notable changes, many updates, and plenty of bug fixes. The release notes (below) contain the details.

Security updates for Friday

Friday 4th of August 2017 03:25:41 PM
Security updates have been issued by Fedora (evince and rt), Mageia (catdoc, freerdp, kernel, qpdf, R-base, spice, sqlite3, and tcpdump), SUSE (kernel and libzypp, zypper), and Ubuntu (linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, and linux-lts-xenial).

More in Tux Machines

Fedora: Fedora + Plasma + Unity, Design Interns, and New ISO Build

  • Fedora + Plasma + Unity = Nice looks?
    Hybrid things aren't usually the best option around. Like hybrid cars, for example. Technically, when you marry concepts, you change the energy state, and while this could make sense in that you blend the best of several worlds, when this is done in a forced manner over a short period of time rather than eons of evolution, you end with the worst bits as the product of your mutation. I read about the United theme for Plasma a few months ago, and given that I've spent a fair deal of time fiddling with themes and icons and fonts and making different desktop environments look prettier than their defaults, I was intrigued. So I decided to see whether the notion of having Plasma look like Unity is a sane option. Let us. [...] What is thy point, Vanessa, the astute among you may ask? Well, I have nothing against United or its creators, but I did come to the conclusion that too much tweaking is worse than no tweaking, if this statement makes sense. I like the notion of trying to overcome the inherent problems in each desktop through the use of themes and extensions. After all, I've been doing that profusely for the past few months. But it gets undone when you cross the desktop environment space. Making Gnome better yes. Making Plasma better, absolutely. Unity as an overlay for Plasma, well tricky. There's too much disparity for you to be able to hide the underlying workflow mechanisms and UI philosophies. Then, every little inconsistency glares. You notice things you do not expect, and you get angry because there are certain things you do expect. Some transformations work quite well because they build on the foundations, e.g. various Gnome panels or Macbuntu. But Plasma has its own special charm and flow and making it into a weird version of Unity, which itself is a weird version of Gnome misses the bigger picture. And so, if you're asking me, Plasma and Unity are two separate worlds, best enjoyed in isolation.
    United is an interesting notion, but it also signifies the upper limit for my own wild ideas and tweaking. Yes, you can make it work, then again, it means taking away from the beauty and style of what these two desktops do, and that's not the purpose of my pimping guides. So we shall stop here, and explore other colors and shapes. Have fun, little penguins.
  • Fedora Design Interns 2017
    Here’s an update on internships. Older post linked to here. Quick recap: there’s been 2 long-term interns for Fedora design team since February, and one short-term guy, who came for 2 weeks at the beginning of June. Guys have been doing an amazing job, I can’t stress enough how happy I am to have them around.
  • F26-20170815 Updated ISOs released

today's howtos

Security: Hardware Back Doors, Microsoft Windows, Kronos

  • Hiding malware in boobytrapped replacement screens would undetectably compromise your mobile device
    On the one hand, if you let an untrusted stranger install hardware in your electronic device, you're opening yourself up to all kinds of potential mischief; on the other hand, an estimated one in five smartphones has a cracked screen and the easiest, most efficient and cheapest way to get that fixed is to go to your corner repair-shop.
  • How hackers {sic} are targeting the shipping industry [iophk: "Microsoft TCO"]
    Whenever one of the firm's fuel suppliers would send an email asking for payment, the virus simply changed the text of the message before it was read, adding a different bank account number.
  • Locky ransomware is back from the dead with two new strains [iophk: "Windows TCO"]
    What hasn't changed, though, is the method of distribution. Rather than rifling through the trove of spilt US National Security Agency exploits, as the groups behind WannaCry and NotPetya did, Locky is distributed via phishing emails containing malicious Microsoft Office files or zipped attachments containing a malicious script.
  • Connected cars could have an airbag problem
    "It's not the car manufacturers' fault, and it's not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works," added Trend.
    [...] To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles."

  • Code chunk in Kronos malware used long before MalwareTech published it
    A chunk of code found in the Kronos bank-fraud malware originated more than six years before security researcher Marcus Hutchins is accused of developing the underlying code, a fellow security researcher said Friday. The conclusion, reached in an analysis of Kronos published by security firm Malwarebytes, by no means proves or disproves federal prosecutors' allegations that Hutchins wrote Kronos code and played a role in the sale of the malware. It does, however, clarify speculation over a Tweet from January 2015, in which MalwareTech—the online handle Hutchins used—complained that a complex piece of code he had published a month earlier had been added to an unnamed malware sample without his permission.
  • Secret chips in replacement parts can completely hijack your phone’s security
    People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

Ubuntu: Themes and Icons, MAAS, Podcast and More

  • Some interesting Ubuntu themes and icons
    Well, I guess there isn't much to say. If you like the stock looks, ignore this article. If you find the defaults not colorful or fun enough, or you just plain like tweaking, then you might want to consider some of the stuff I've outlined here. My taste is subjective, of course, but then, I aim for simple, clean designs and pleasing art work. Overall, you have plenty of good options here. More icons than themes. Vimix or Arc seem like neat choices for the latter, and among the sea of icons, Moka, Numix and Uniform seem to do a great job. And of course, Macbuntu. I wish there were more monochrome or accented icons, but that's something I still haven't found. Anyhow, I hope you like this silly little piece. If you have suggestions, please send them, just remember my aesthetics criteria - simplicity of installation, clean lines, no gradients, no bugs. That would be all for today, fellas.
  • 7 of the Best Icon Themes for Ubuntu
    On a hunt to find the best icon themes for Ubuntu? Well, you’ve come to the right place! In this post we will show you some of the best icon themes for Ubuntu, ranging from modern, flat icon sets, to a circular icon pack carrying a colourful twist. Oh, and as this article is constantly updated you don’t need to fret about any of the links or information being out of date. Feel free to bookmark this list for future reference, or share it on social media.
  • MAAS Development Summary – August 18th, 2017
  • S10E24 – Fierce Hurried Start
  • conjure-up dev summary: aws native integration, vsphere <3, and ADDONS