
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security advisories for Wednesday

Wednesday 19th of November 2014 05:46:50 PM

CentOS has updated libvirt (C6: multiple vulnerabilities) and libXfont (C7: multiple vulnerabilities).

Debian has updated php5 (out-of-bounds read flaw) and php5 (regression in previous update).

Fedora has updated drupal7-ckeditor (F20; F19: cross-site scripting), geary (F20: TLS certificate issues), icecream (F20; F19: code execution), and nrpe (F20: code execution).

Mandriva has updated curl (information leak), dbus (multiple vulnerabilities), and gnutls (code execution).

openSUSE has updated dbus-1 (13.2, 13.1; 12.3: denial of service) and polarssl (13.2: two vulnerabilities).

Red Hat has updated kernel (RHEL6.4: denial of service), libvirt (RHEL6: multiple vulnerabilities), and libXfont (RHEL6,7: multiple vulnerabilities).

Scientific Linux has updated libvirt (SL6: multiple vulnerabilities) and libXfont (SL6,7: multiple vulnerabilities).

Today's Debian technical committee resignation: Ian Jackson

Wednesday 19th of November 2014 01:34:19 PM
Ian Jackson has announced his immediate resignation from the Debian technical committee. "While it is important that the views of the 30-40% of the project who agree with me should continue to be represented on the TC, I myself am clearly too controversial a figure at this point to do so. I should step aside to try to reduce the extent to which conversations about the project's governance are personalised. And, speaking personally, I am exhausted." (Thanks to Mattias Mattsson).

Results for the Debian init system coupling GR

Wednesday 19th of November 2014 12:12:52 AM
The preliminary results have been announced for the Debian general resolution on init system coupling. The winning option was #4, the one saying that no general resolution is required in this situation. So there will be no change in Debian policy resulting from this vote.

EFF: Let's Encrypt

Tuesday 18th of November 2014 10:15:09 PM
The Electronic Frontier Foundation (EFF) is helping to launch a new non-profit organization that will offer free server certificates beginning in summer 2015. "Let's Encrypt is a new free certificate authority, which will begin issuing server certificates in 2015. Server certificates are the anchor for any website that wants to offer HTTPS and encrypted traffic, proving that the server you are talking to is the server you intended to talk to. But these certificates have historically been expensive, as well as tricky to install and bothersome to update. The Let's Encrypt authority will offer server certificates at zero cost, supported by sophisticated new security protocols. The certificates will have automatic enrollment and renewal, and there will be publicly available records of all certificate issuance and revocation." Let's Encrypt will be overseen by the Internet Security Research Group (ISRG), a California public benefit corporation.

Tuesday's security updates

Tuesday 18th of November 2014 05:05:46 PM

CentOS has updated libxfont (C6: multiple vulnerabilities), mariadb (C7: multiple vulnerabilities), and mysql55-mysql (C5: multiple vulnerabilities).

Fedora has updated oath-toolkit (F20: denial of service), python-requests-kerberos (F20; F19: authentication bypass), and qpid-cpp (F19: xml exchange can be induced to make http requests).

openSUSE has updated flash-player (13.2, 13.1, 12.3: multiple vulnerabilities) and libreoffice (13.2: code execution).

Red Hat has updated bash Shift_JIS (RHEL5.9: multiple vulnerabilities).

Scientific Linux has updated mariadb (SL7: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities).

Ubuntu has updated mountall (14.10: privilege escalation).

Live kernel patching for SUSE Enterprise Linux

Tuesday 18th of November 2014 02:27:14 PM
SUSE has announced that it is now using kGraft to make live kernel patches available for its enterprise distribution. "Unlike some other Linux kernel live patching technologies, SUSE Linux Enterprise Live Patching doesn't require stopping the whole system while it performs the patching. And because it is a fully open source solution, it allows for easy code review of the patch sources. SUSE is engaging with the upstream community to help ensure a sustainable future for kernel live patching on Linux in general and SUSE Linux Enterprise specifically."

Linux for lettuce (Opensource.com)

Monday 17th of November 2014 09:26:24 PM
Opensource.com covers the founding of the Open Source Seed Initiative (OSSI) and its continuing efforts to apply the concepts of open source to plant breeding, in an increasingly patent-encumbered space. "OSSI’s de facto leader is Jack Kloppenburg, a social scientist at the University of Wisconsin who has been involved with issues concerning plant genetic resources since the 1980s. He has published widely about the concept behind OSSI, and his words are now echoed (even copied verbatim) by public plant-breeding advocates in Germany, France, and India. As he explains it, for most of human history, seeds have naturally been part of the commons—those natural resources that are inherently public, like air or sunshine. But with the advent of plant-related intellectual property and the ownership it enables, this particular part of the commons has become a resource to be mined for private gain. Thus the need for a protected commons—open source seed. Inspired by open source software, OSSI’s idea is to use “the master’s tools” of intellectual property, but in ways the master never intended: to create and enforce an ethic of sharing."

Colin Watson resigns from Debian Technical Committee

Monday 17th of November 2014 05:44:49 PM
Colin Watson announced his resignation from the Debian Technical Committee before Russ. "I appreciate that the timing is such that this looks like a response to Joey's mails, or perhaps to some other recent discussions. That isn't the case. I've been doing a good deal of refactoring of my life recently as a result of realising that I was burning out, and right now it's important that I make an effort to spend my Debian time on things I find relaxing rather than things I've been finding stressful." (Thanks to Jeff Schroeder)

Security advisories for Monday

Monday 17th of November 2014 05:15:27 PM

Debian has updated libgcrypt11 (side-channel attack).

Fedora has updated kde-workspace (F20; F19: privilege escalation), kernel (F19: multiple vulnerabilities), and konversation (F20; F19: information disclosure).

Gentoo has updated wget (symlink attack).

Mageia has updated dbus (denial of service), gnutls (code execution), kernel (MG4; MG3: multiple vulnerabilities), kernel-linus (MG4; MG3: multiple vulnerabilities), kernel-tmb (MG4; MG3: multiple vulnerabilities), and kernel-vserver (MG4: multiple vulnerabilities).

Red Hat has updated mariadb (RHEL7: multiple vulnerabilities), mariadb55-mariadb (RHSCL1: multiple vulnerabilities), and mysql55-mysql (RHEL5; RHSCL1: multiple vulnerabilities).

Scientific Linux has updated mysql55-mysql (SL5: multiple vulnerabilities).

Slackware has updated mozilla (multiple vulnerabilities).

Russ Allbery leaves the Debian technical committee

Monday 17th of November 2014 02:04:35 PM
Another resignation in the Debian camp: Russ Allbery has become the second member of the project's technical committee to leave that committee. "I think project governance is a hard problem, and a worthwhile problem, and I hope that someone with good ideas will step forward and work on that problem. Debian is one of the largest free software projects, and one that faces a large number of hard decisions. If we can do that work well, it would be a valuable contribution to the broader community. But, right now, I don't feel like I'm helping that process, and at times am making it worse."

Fog Heen: Resigning as a Debian systemd maintainer

Monday 17th of November 2014 01:54:09 PM
Here are Tollef Fog Heen's comments following his resignation as one of the systemd maintainers in Debian. "I've been a DD for almost 14 years, I should be able to weather any storm, shouldn't I? It turns out that no, the mountain does get worn down by the rain. It's not a single hurtful comment here and there. There's a constant drum about this all being some sort of conspiracy and there are sometimes flares where people wish people involved in systemd would be run over by a bus or just accusations of incompetence."

Kernel prepatch 3.18-rc5

Monday 17th of November 2014 01:42:30 PM
Linus has released the 3.18-rc5 prepatch. "So we still have a few pending issues, but things look fairly normal. We've still got a few weeks to go before final, and the more you can test, the better off we'll be."

CyanogenMod 11 M12

Friday 14th of November 2014 09:33:50 PM
CyanogenMod has announced a new milestone release of the 11.0 "KitKat" branch. The announcement also looks forward to the 12.0 "Lollipop" branch. "No doubt the big news at the beginning of November was the release of the Android 5.0 Lollipop source code. AOSP began seeing the code on the 3rd, and completed the majority of the push on the 4th, with some remaining stragglers seeing code uploaded midday on the 12th. Work on CM12 began in earnest at the end of last week, and you can now successfully sync and build the work in progress against a handful of devices."

Stable kernel updates

Friday 14th of November 2014 08:25:07 PM
Greg Kroah-Hartman has released three stable kernels: 3.17.3, 3.14.24, and 3.10.60. All of them contain lots of important fixes throughout the tree.

Security advisories for Friday

Friday 14th of November 2014 04:25:04 PM

Fedora has updated aircrack-ng (F20; F19: multiple vulnerabilities), gnutls (F20: three vulnerabilities), and python3 (F19: three vulnerabilities).

Mageia has updated claws-mail (M4: SSL certificate verification botch), curl (information leak), flash-player-plugin (many vulnerabilities), getmail (three vulnerabilities), kdebase4-workspace (M3: privilege escalation), libreoffice (M4; M3: two vulnerabilities), and ruby (denial of service).

openSUSE has updated openssl (13.2: multiple vulnerabilities).

Oracle has updated kernel 2.6.39 (OL6; OL5: two vulnerabilities) and kernel 3.8.13 (OL7; OL6: two vulnerabilities).

SUSE has updated flash-player (SLE12: three vulnerabilities) and java-1_7_0-openjdk (SLE12: multiple vulnerabilities).

Linux Security Distros Compared: Tails vs. Kali vs. Qubes (Lifehacker)

Friday 14th of November 2014 12:53:43 AM
Three security-oriented Linux distributions are compared and contrasted over at Lifehacker. The three (Tails, Kali Linux, and Qubes OS) have distinct use cases that are surveyed in the article. "The crux of Tails is anonymity. While it has cryptographic tools in place, its main purpose is to anonymize everything you're doing online. This is great for most people, but it doesn't give you the freedom to do stupid things. If you log into your Facebook account under your real name, it's still going to be obvious who you are and remaining anonymous on an online community is a lot harder than it seems."

The Long and Winding Road (Mageia Blog)

Thursday 13th of November 2014 11:40:16 PM
Over on the Mageia Blog, Rémi Verschelde explains why the Mageia 5 Beta 1 took a month and a half longer than planned—but is now available. Upgrading to RPM 4.12 during the release process caused some problems, but there were other troubles along the way. "Still, while fixing our core tools during this first mass rebuild, some important changes were made to our RPM setup. As a consequence, half of the rebuilt packages (the ones built before our RPM setup changes) were lacking some important metadata. We then decided to do a second mass rebuild in October, which went quite fine apart from some issues with the Java stack. It was already late October when the first Beta 1 ISOs could be spun and delivered to the QA team for pre-release testing." Beta 2 has been pushed back to December 16, with a final release of Mageia 5 expected on January 31.

Thursday's security updates

Thursday 13th of November 2014 02:37:55 PM

Debian has updated iceweasel (multiple vulnerabilities).

openSUSE has updated docker, go (13.2: two vulnerabilities) and libreoffice (13.1: code execution).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

SUSE has updated OpenSSL (SLECT10; SLE11: multiple vulnerabilities) and wget (SLE10SP4; SLE11SP2, SLE11SP1: code execution).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).

[$] LWN.net Weekly Edition for November 13, 2014

Thursday 13th of November 2014 01:33:37 AM
The LWN.net Weekly Edition for November 13, 2014 is available.

Security advisories for Wednesday

Wednesday 12th of November 2014 05:55:42 PM

CentOS has updated gnutls (C7: code execution), kdenetwork (C7: multiple vulnerabilities), kernel (C6: multiple vulnerabilities), and libvncserver (C7; C6: multiple vulnerabilities).

Debian has updated file (out-of-bounds read flaw) and nss (code execution).

Fedora has updated deluge (F20: deluge-web is vulnerable to POODLE), mokutil (F20; F19: multiple vulnerabilities), Pound (F20: multiple vulnerabilities), shim-signed (F20; F19: multiple vulnerabilities), and tnftp (F20: command execution).

Mageia has updated apt (code execution) and php (out-of-bounds read flaw).

openSUSE has updated ImageMagick (13.2, 13.1, 12.3: multiple vulnerabilities), konversation (13.2: information disclosure), libserf (13.2, 13.1, 12.3: man-in-the-middle attack), pidgin (13.2: multiple vulnerabilities), and sssd (13.2: restriction bypass).

Oracle has updated gnutls (OL7: code execution), kdenetwork (OL7: multiple vulnerabilities), kernel (OL6: multiple vulnerabilities), and libvncserver (OL7; OL6: multiple vulnerabilities).

Red Hat has updated gnutls (RHEL7: code execution), kdenetwork (RHEL7: multiple vulnerabilities), kernel (RHEL6: multiple vulnerabilities), and libvncserver (RHEL6,7: multiple vulnerabilities).

Scientific Linux has updated gnutls (SL7: code execution), kdenetwork (SL7: multiple vulnerabilities), kernel (SL6: multiple vulnerabilities), and libvncserver (SL6,7: multiple vulnerabilities).

SUSE has updated spacewalk-branding (SUSE Manager1.7: clarify CVE audit).

Ubuntu has updated cinder (14.04: information disclosure), keystone (14.04: information disclosure), neutron (14.04: denial of service), and nova (14.04: two vulnerabilities).

More in Tux Machines


Make Your Mark on the World With Linux

Linux and FOSS have already changed the world, and we're just at the beginning. This is a great time to learn to be a maker, in contrast to being a mere consumer. Clicking buttons on a smartphone is not being tech-savvy; hacking and building the phone is. Some people give Make Magazine the credit for launching the Maker Movement. Whether they launched it or just gave it a name, it is a real phenomenon, a natural evolution of do-it-yourselfers, inventors, and hackers in every generation. Remember Popular Mechanics, Popular Science, Hands-On (for Shopsmith projects), photography magazines, woodworking magazines, electronics...remember Heathkit? Remember when Radio Shack was still an electronics store? How about Edmund Scientific? That is still a wonderful playground of anatomical models, microscopes, telescopes, dinosaurs, prisms, lenses, chemistry sets, lasers, geology stuff, and tons more. All of these still exist, and have moved online like everything else. It's a feast of riches, plus we have all the cool new stuff that Make Magazine covers. This is absolutely the best time to be a curious tech adventurer.

XnConvert Review – An Image Batch Processor like No Other

XnConvert is a batch image processor that has been designed to work on multiple operating systems. It comes with a Linux client and it's one of the few tools of its kind on this platform. Let us now take a closer look at the application to see why it's incredibly useful.