Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 5 hours 15 min ago

Security advisories for Wednesday

Wednesday 23rd of November 2016 05:27:04 PM

Debian has updated tomcat7 (multiple vulnerabilities), tomcat8 (multiple vulnerabilities), and vim (code execution).

Debian-LTS has updated moin (cross-site scripting), tiff (multiple vulnerabilities), and vim (code execution).

Gentoo has updated adobe-flash (multiple vulnerabilities), chromium (multiple vulnerabilities), poppler (code execution), rpcbind (denial of service), tar (file overwrite), and testdisk (code execution).

Mageia has updated bash (code execution), flex (buffer overflow), libssh2 (insecure ssh sessions), libxslt (code execution), and tre (code execution).

openSUSE has updated dovecot22 (information disclosure), gnuchess (code execution), monit (two vulnerabilities), sudo (13.2: privilege escalation), and tar (13.2: file overwrite).

Oracle has updated ipsilon (OL7: information leak/denial of service) and memcached (OL7; OL6: multiple vulnerabilities).

Red Hat has updated memcached (RHEL7; RHEL6: code execution).

Scientific Linux has updated 389-ds-base (SL6: multiple vulnerabilities), firefox (SL5,6,7: multiple vulnerabilities), kernel (SL6: two vulnerabilities), memcached (SL6: code execution), nss and nss-util (SL5,6,7: multiple vulnerabilities), and policycoreutils (SL6,7: sandbox escape).

Slackware has updated ntp (multiple vulnerabilities).

SUSE has updated java-1_8_0-openjdk (SLE12-SP1,2: multiple vulnerabilities) and pacemaker (SLE12-SP2: two vulnerabilities).

Ubuntu has updated gst-plugins-good0.10, gst-plugins-good1.0 (code execution), python2.7, python3.2, python3.4, python3.5 (16.04, 14.04, 12.04: multiple vulnerabilities), and tar (file overwrite).

Fedora 25 released

Tuesday 22nd of November 2016 02:51:12 PM
The Fedora 25 release is now available "The Fedora Project is pleased to announce the immediate availability of Fedora 25, the next big step our journey into the containerized, modular future!" See the announcement and the release notes for details on the many changes in this release.

Cinnamon 3.2 released

Tuesday 22nd of November 2016 12:06:36 AM
Clement Lefebvre has announced the release of Cinnamon 3.2. This version has QT 5.7+ support, support for libinput touchpads as well as synaptics, and many more changes across the stack.

What’s new in Fedora 25 Workstation (Fedora Magazine)

Monday 21st of November 2016 11:07:46 PM
Fedora Magazine has a brief overview of the changes to be found in the workstation version of the Fedora 25 release. "Wayland now replaces the old X11 display server by default. Its goal is to provide a smoother, richer experience when navigating Fedora Workstation. Like all software, there may still be some bugs. You can still choose the old X11 server if required."

Security advisories for Monday

Monday 21st of November 2016 07:48:12 PM

Arch Linux has updated drupal (multiple vulnerabilities), php (multiple vulnerabilities), slock (screen locking bypass), and w3m (multiple vulnerabilities).

CentOS has updated 389-ds-base (C6: multiple vulnerabilities), firefox (C6; C5: multiple vulnerabilities), java-1.7.0-openjdk (C5: multiple vulnerabilities), kernel (C6: two vulnerabilities), nss (C6; C5: multiple vulnerabilities), nss-util (C6: multiple vulnerabilities), and policycoreutils (C6: sandbox escape).

Debian has updated wireshark (multiple vulnerabilities).

Debian-LTS has updated drupal7 (multiple vulnerabilities), gst-plugins-bad0.10 (multiple vulnerabilities), sniffit (privilege escalation), and wireshark (multiple vulnerabilities).

Fedora has updated 389-ds-base (F25: information leak), ansible (F25: two vulnerabilities), bind (F25: denial of service), bind99 (F25: denial of service), chromium (F25; F23: multiple vulnerabilities), chromium-native_client (F25: multiple vulnerabilities), curl (F25: multiple vulnerabilities), docker (F25; F25: access bypass), dracut (F25: information disclosure), firefox (F25 (v49.02); F25 (V50.0); F23: multiple vulnerabilities), ghostscript (F25: two vulnerabilities), icu (F25: code execution), java-1.8.0-openjdk-aarch32 (F25: multiple vulnerabilities), kernel (F25; F24: denial of service), libgit2 (F25: unspecified), libwebp (F25: integer overflows), mingw-gnutls (F25: information leak), mingw-libwebp (F25: integer overflows), mingw-nettle (F25: information leak), moodle (F25: multiple vulnerabilities), python-cryptography (F25; F24; F23: bad key generation), python-django (F25: two vulnerabilities), quagga (F25: multiple vulnerabilities), sudo (F25: privilege escalation), tomcat (F25: multiple vulnerabilities), tre (F25: code execution), and xen (F25: multiple vulnerabilities) (Note: Fedora 25 will be released tomorrow).

Gentoo has updated imlib2 (multiple vulnerabilities), mit-krb5 (multiple vulnerabilities), mongodb (denial of service), and qemu (multiple vulnerabilities).

openSUSE has updated java-1_8_0-openjdk (13.2: multiple vulnerabilities), firefox, nss (Leap42.2, Leap42.1, 13.2: multiple vulnerabilities), and php5 (13.2: use after free).

Oracle has updated kernel 4.1.12 (OL7; OL6: multiple vulnerabilities), kernel 3.8.13 (OL7; OL6: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities).

Red Hat has updated ipsilon (RHEL7: information leak/denial of service).

Slackware has updated firefox (multiple vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities) and imagemagick (multiple vulnerabilities).

Stable kernels 4.8.10 and 4.4.34

Monday 21st of November 2016 03:38:38 PM
As expected, the 4.8.10 and 4.4.34 stable kernel updates have been released. Each contains another set of important fixes.

Kernel prepatch 4.9-rc6

Sunday 20th of November 2016 10:29:12 PM
Linus has released the 4.9-rc6 kernel prepatch for testing. "We're getting further in the rc series, and while things have stayed pretty calm, I'm not sure if we're quite there yet. There's a few outstanding issues that just shouldn't be issues at rc6 time, so we'll just have to see. This may be one of those releases that have an rc8, which considering the size of 4.9 is perhaps not that unusual."

Stable kernel updates 4.8.9 and 4.4.33

Saturday 19th of November 2016 02:42:38 PM
The stable kernel machine continues to produce updates; the latest are 4.8.9 and 4.4.33. Each contains the usual set of important fixes. Note that 4.8.10 and 4.4.34 are already in the review process; they can be expected on or after November 21.

Security updates for Friday

Friday 18th of November 2016 04:10:23 PM

Debian has updated drupal7 (multiple vulnerabilities) and gst-plugins-bad1.0 (code execution).

Debian-LTS has updated akonadi (denial of service) and curl (multiple vulnerabilities).

Mageia has updated derby (information leak), dracut (information leak), gnuchess (code execution from 2015), irssi (information leak), libtiff (multiple vulnerabilities), memcached (three code execution flaws), python-pillow (two vulnerabilities), resteasy (code execution), sudo (privilege escalation), systemd (denial of service), tar (file overwrite), and wireshark (multiple vulnerabilities).

openSUSE has updated ghostscript (42.1: regression in previous security update), GraphicsMagick (42.1, 13.2: denial of service), ImageMagick (13.2: denial of service), jasper (42.2, 42.1: multiple vulnerabilities, some from 2015, 2014, and 2008), memcached (42.2; 42.1, 13.2: three code execution flaws), otrs (42.2, 13.2:), php5 (42.2; 42.1: three vulnerabilities), and util-linux (42.1: denial of service).

Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities).

LinuxCon + CloudOpen + ContainerCon Become The Linux Foundation Open Source Summit for 2017

Thursday 17th of November 2016 08:25:50 PM
The Linux Foundation has announced that it is consolidating three conferences under one name going forward. LinuxCon, CloudOpen, and ContainerCon join together under the "Linux Foundation Open Source Summit" name. For 2017, that encompasses three events: OSS Japan in Tokyo May 31-June 2, OSS North America in Los Angeles September 11-13, and OSS Europe in Prague October 23-25. "The Linux Foundation Open Source Summit in North America and Europe will also contain a brand new event, Community Leadership Conference. Attendees will have access to sessions across all events in a single venue, enabling them to collaborate and share information across a wide range of open source topics and areas of technology. They can take advantage of not only unparalleled educational opportunities, but also an expo hall, networking activities, hackathons, additional co-located events and The Linux Foundation’s diversity initiatives, including free childcare, nursing rooms, non-binary restrooms and a diversity luncheon."

Mission Improbable: Hardening Android for Security And Privacy (Tor blog)

Thursday 17th of November 2016 08:02:26 PM
The Tor blog has a post about the refresh of its Tor-enabled Android phone prototype, which is now in a workable state though it still has some rough edges. There is also a worrisome trend that the post highlights: "It is unfortunate that Google seems to see locking down Android as the only solution to the fragmentation and resulting insecurity of the Android platform. We believe that more transparent development and release processes, along with deals for longer device firmware support from SoC vendors, would go a long way to ensuring that it is easier for good OEM players to stay up to date. Simply moving more components to Google Play, even though it will keep those components up to date, does not solve the systemic problem that there are still no OEM incentives to update the base system. Users of old AOSP base systems will always be vulnerable to library, daemon, and operating system issues. Simply giving them slightly more up to date apps is a bandaid that both reduces freedom and does not solve the root security problems. Moreover, as more components and apps are moved to closed source versions, Google is reducing its ability to resist the demand that backdoors be introduced. It is much harder to backdoor an open source component (especially with reproducible builds and binary transparency) than a closed source one."

Security updates for Thursday

Thursday 17th of November 2016 03:56:46 PM

Arch Linux has updated firefox (multiple vulnerabilities), libgit2 (two vulnerabilities), python-django (two vulnerabilities), and python2-django (two vulnerabilities).

Debian has updated firefox-esr (multiple vulnerabilities).

Fedora has updated bind99 (F24: two vulnerabilities), firefox (F24: multiple vulnerabilities), and kernel (F24: denial of service).

Gentoo has updated libuv (privilege escalation from 2015).

Mageia has updated nss, firefox (multiple vulnerabilities).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities) and nss and nss-util (OL7; OL6; OL5: two vulnerabilities).

Red Hat has updated openssl (RHEL6: denial of service).

[$] LWN.net Weekly Edition for November 17, 2016

Thursday 17th of November 2016 01:05:56 AM
The LWN.net Weekly Edition for November 17, 2016 is available.

Farewell to Rob Collins

Wednesday 16th of November 2016 05:36:31 PM
The EuroPython Society shares the sad news that Rob Collins has passed away. "Many of you may know Rob from the sponsored massage sessions he regularly ran at EuroPython in recent years and which he continued to develop, taking them from a single man setup (single threaded process) to a group of people setup by giving workshops (multiprocessing) and later on by passing on his skills to more leaders (removing the GIL) to spread wellness and kindness throughout our conference series."

Security advisories for Wednesday

Wednesday 16th of November 2016 05:01:33 PM

Debian has updated akonadi (denial of service), gst-plugins-bad0.10 (code execution), and moin (cross-site scripting).

Debian-LTS has updated mysql-5.5 (multiple unspecified vulnerabilities) and postgresql-9.1 (PostgreSQL 9.1 is eol, users are encouraged to upgrade).

Mageia has updated libarchive (unspecified).

openSUSE has updated pcre (13.2: multiple vulnerabilities).

Oracle has updated 389-ds-base (OL6: three vulnerabilities) and kernel (OL6: multiple vulnerabilities).

Red Hat has updated 389-ds-base (RHEL6: three vulnerabilities), atomic-openshift (RHOSCP3.3: redirect network traffic), atomic-openshift-utils (RHOSCP3.2,3.3: code execution), firefox (RHEL5,6,7: multiple vulnerabilities), kernel (RHEL6: two vulnerabilities), and nss and nss-util (RHEL5,6,7: three vulnerabilities).

Microsoft joins The Linux Foundation

Wednesday 16th of November 2016 04:35:08 PM
The Linux Foundation has announced that Microsoft has joined as a platinum member. "From cloud computing and networking to gaming, Microsoft has steadily increased its engagement in open source projects and communities. The company is currently a leading open source contributor on GitHub and earlier this year announced several milestones that indicate the scope of its commitment to open source development."

Firefox 50.0

Tuesday 15th of November 2016 08:48:59 PM
Mozilla has released Firefox 50.0. This version features improved performance for SDK extensions or extensions using the SDK module loader, added download protection for a large number of executable file types, added option to Find in page that allows users to limit search to whole words only, and more. See the release notes for details.

Two stable kernel updates

Tuesday 15th of November 2016 06:25:07 PM
Stable kernels 4.8.8 and 4.4.32 have been released. Both of them contain important fixes and users should upgrade.

Security updates for Tuesday

Tuesday 15th of November 2016 05:45:16 PM

Arch Linux has updated shutter (code execution).

Debian-LTS has updated sudo (privilege escalation).

Fedora has updated libgit2 (F24: unspecified), memcached (F24; F23: code execution), python-django (F24: two vulnerabilities), and tre (F24; F23: code execution).

Gentoo has updated libpng (multiple vulnerabilities), polkit (privilege escalation), tnftp (command execution from 2014), xen (multiple vulnerabilities), and xinetd (privilege escalation from 2013).

openSUSE has updated Chromium (SPH for SLE12; Leap42.2, Leap42.1, 13.2: multiple vulnerabilities).

Oracle has updated policycoreutils (OL7; OL6: sandbox escape).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), qemu-kvm-rhev (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: denial of service), rh-mysql56-mysql (RHSCL: multiple vulnerabilities), and rh-php56 (RHSCL: multiple vulnerabilities).

The "cryptsetup initrd root shell" vulnerability

Tuesday 15th of November 2016 03:58:04 PM
Hector Marco and Ismael Ripoll report a discouraging vulnerability in many encrypted disk setups: simply running up too many password failures will eventually result in a root shell. "This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouse."

More in Tux Machines

Linux Graphics

  • LibRetro's Vulkan PlayStation PSX Renderer Released
    A few days back I wrote about a Vulkan renderer for a PlayStation emulator being worked on and now the code to that Vulkan renderer is publicly available. For those wanting to relive some PlayStation One games this week or just looking for a new test case for Vulkan drivers, the Vulkan renderer for the LibRetro Beetle/Mednafen PSX emulator is now available, months after the LibRetro folks made a Vulkan renderer for the Nintendo 64 emulator.
  • Etnaviv DRM Updates Submitted For Linux 4.10
    The Etnaviv DRM-Next pull request is not nearly as exciting as MSM getting Adreno 500 series support, a lot of Intel changes, or the numerous AMDGPU changes, but it's not bad either for a community-driven, reverse-engineered DRM driver for the Vivante graphics cores.
  • Mesa 12.0.4 Being Prepped For Ubuntu 16.10/16.04
    Ubuntu is preparing Mesa 12.0.4 for Ubuntu Xenial and Yakkety users. It's not as great as Mesa 13, but at least there are some important fixes back-ported. Mesa 12.0.4 is exciting for dozens of bug fixes, including the work to offer better RadeonSI performance. But with Mesa 12.0.4 you don't have the RADV Vulkan driver, OpenGL 4.5, or the other exciting Mesa 13 work.

Games for GNU/Linux

Mageia 5.1 Released, Tumbleweed's Latest, Most Secure

The Mageia project today announced the release of stopgap version 5.1, an updated "respin" of 5.0 and all updates. The Daily Dot posted their picks for the most sure operating systems and the Hectic Geek is "quite pleased" with Fedora 25. Matthew Garrett chimed in on Ubuntu unofficial images and Dedoimedo reviewed Fedora-based Chapeau 24. Read more

SparkyLinux 4.5 is out

There is an update of SparkyLinux 4.5 “Tyche” available now. As before, Sparky “Home” editions provide fully featured operating system based on Debian ‘testing’ with desktops of your choice: LXDE, LXQt, KDE, MATE and Xfce. Read more