LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Thursday's security updates

Thursday 12th of January 2017 06:26:14 PM

Debian has updated bind9 (three vulnerabilities), ikiwiki (three vulnerabilities), and python-pysaml2 (XML external entity attack).

Debian-LTS has updated libav (two vulnerabilities).

Fedora has updated compat-guile18 (F25; F24: insecure directory creation), mingw-flac (F25: three vulnerabilities from 2015), qpid-java (F25: information disclosure), and springframework-security (F25: security constraint bypass).

openSUSE has updated flash-player (13.2: multiple vulnerabilities).

Red Hat has updated memcached (RHMAP4.2: two vulnerabilities).

Slackware has updated bind (denial of service), gnutls (multiple vulnerabilities), and irssi (multiple vulnerabilities).

SUSE has updated bind (SLE12-SP2,SP1; SLE12; SLE11-SP4,SP3: three vulnerabilities) and flash-player (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated bind9 (three vulnerabilities) and libvncserver (two vulnerabilities).

[$] LWN.net Weekly Edition for January 12, 2017

Thursday 12th of January 2017 02:18:25 AM
The LWN.net Weekly Edition for January 12, 2017 is available.

CVE-2016-9587: an unpleasant Ansible vulnerability

Wednesday 11th of January 2017 11:03:32 PM
The Ansible project is currently posting release candidates for the 2.1.4 and 2.2.1 releases. They fix an important security bug: "CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command)." Until this release is made, it would make sense to be especially careful about running Ansible against systems that might have been compromised.

Update: see this advisory for much more detailed information.

[$] Python 2.8?

Wednesday 11th of January 2017 06:11:07 PM

The appearance of a "Python 2.8" got the attention of the Python core developers in early December. It is based on Python 2.7, with features backported from Python 3.x. In general, there was little support for the effort—core developers tend to clearly see Python 3 as the way forward—but no opposition to it either. The Python license makes it clear that these kinds of efforts are legal and even encouraged—any real opposition to the project lies in its name.


Security updates for Wednesday

Wednesday 11th of January 2017 05:37:51 PM

Debian has updated icedove (multiple vulnerabilities).

Debian-LTS has updated tomcat7 (information disclosure).

Gentoo has updated bind (denial of service), botan (two vulnerabilities), c-ares (code execution), dbus (denial of service), expat (multiple vulnerabilities, one from 2012), flex (code execution), nginx (privilege escalation), ntfs3g (privilege escalation from 2015), p7zip (two code execution flaws), pgbouncer (two vulnerabilities), phpBB (two vulnerabilities), phpmyadmin (multiple vulnerabilities), vim (code execution), and vzctl (insecure ploop-based containers from 2015).

openSUSE has updated jasper (42.2, 42.1: multiple vulnerabilities).

Oracle has updated kernel (OL6: three vulnerabilities).

Red Hat has updated flash-plugin (RHEL6: multiple vulnerabilities), kernel (RHEL6.7: code execution), and kernel (RHEL6: three vulnerabilities).

SUSE has updated freeradius-server (SLE12-SP1,2: insufficient certificate verification) and LibVNCServer (SLE11-SP4: two vulnerabilities).

Ubuntu has updated kernel (16.10; 16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-xenial (14.04: three vulnerabilities), linux-raspi2 (16.10; 16.04: two vulnerabilities), linux-snapdragon (16.04: two vulnerabilities), linux-ti-omap4 (12.04: two vulnerabilities), and webkit2gtk (16.04: multiple vulnerabilities).

Kadlec: The MongoDB hack and the importance of secure defaults

Wednesday 11th of January 2017 05:09:53 PM
Tim Kadlec looks at the ongoing MongoDB compromises and how they came to be. "Before version 2.6.0, that wasn’t true. By default, MongoDB was left open to remote connections. Authentication is also not required by default, which means that out of the box installs of MongoDB before version 2.6.0 happily accept unauthenticated remote connections."

digiKam 5.4.0 is released

Tuesday 10th of January 2017 05:45:44 PM
The digiKam team has announced the release of version 5.4.0 of the digiKam Software Collection, a photo editing system. "This version introduces several improvements to the similarity search engine and a complete re-write of video file support." Under the hood, digiKam has been fully ported to the QtAV framework to handle video and audio files.

Synfig 1.2.0 released

Tuesday 10th of January 2017 05:29:19 PM
Synfig Studio 1.2.0, a 2D animation system, has been released. This version features a completely rewritten render engine and new lipsync features, along with many improvements and bugfixes.

Tuesday's security advisories

Tuesday 10th of January 2017 04:53:04 PM

Arch Linux has updated icoutils (code execution).

CentOS has updated gstreamer-plugins-bad-free (C7: three code execution vulnerabilities), gstreamer-plugins-good (C7: multiple vulnerabilities), gstreamer1-plugins-bad-free (C7: multiple vulnerabilities), and gstreamer1-plugins-good (C7: multiple vulnerabilities).

Debian-LTS has updated python-crypto (denial of service).

Gentoo has updated adobe-flash (multiple vulnerabilities), python (two vulnerabilities), and tiff (multiple vulnerabilities).

Mageia has updated nvidia304, nvidia340 (three vulnerabilities) and xen (multiple vulnerabilities).

openSUSE has updated irssi (42.2, 42.1, 13.2; SPH for SLE12: multiple vulnerabilities).

Scientific Linux has updated subscription-manager (SL7: information disclosure).

[$] The long road to getrandom() in glibc

Monday 9th of January 2017 10:33:57 PM
The GNU C library (glibc) 2.25 release is expected to be available at the beginning of February; among the new features in this release will be a wrapper for the Linux getrandom() system call. One might well wonder why getrandom() is only appearing in this release, given that kernel support arrived with the 3.17 release in 2014 and that the glibc project is supposed to be more receptive to new features these days. A look at the history of this particular change highlights some of the reasons why getting new features into glibc is still hard.

Kernel prepatch 4.10-rc3

Sunday 8th of January 2017 11:21:08 PM
The 4.10-rc3 kernel prepatch is available for testing. Linus says: "It still feels a bit smaller than a usual rc3, but for the first real rc after the merge window (ie I'd compare it to a regular rc2), it's fairly normal."

Vault CFP deadline approaching

Saturday 7th of January 2017 08:03:51 PM
The Vault Storage and Filesystems conference will be held March 22 and 23 in Cambridge, MA, USA, immediately after the Linux Storage, Filesystem, and Memory-Management Summit. The call for presentations expires on January 14, and the conference organizers would really like to get a few more proposals in before then. Developers interested in speaking at a technical Linux event are encouraged to sign up.

(Also, don't forget the LWN CFP deadlines calendar, which is a good way to stay on top of conference proposal deadlines.)

My WATCH runs GNU/Linux And It Is Amazing (LearntEmail)

Friday 6th of January 2017 08:45:59 PM
The LearntEmail blog has a look at running AsteroidOS on the LG Watch Urbane smartwatch. "It looks like a watch, it smells like a watch, but it runs like a normal computer. Wayland, systemd, polkit, dbus and friends look very friendly to hacking. Even Qt is better than android, but that's debatable. My next project - run Gtk+ on the watch :)" (Thanks to Paul Wise.)

Security updates for Friday

Friday 6th of January 2017 04:52:34 PM

Debian-LTS has updated pcsc-lite (privilege escalation).

Fedora has updated flac (F25: three vulnerabilities from 2015), pcsc-lite (F25: privilege escalation), php-PHPMailer (F25: code execution), subversion (F25: denial of service), thunderbird (F25: multiple vulnerabilities), and tinymce (F25: cross-site scripting).

Mageia has updated bash (code execution), thunderbird (multiple vulnerabilities), tor (denial of service), and unrtf (code execution).

openSUSE has updated kopete (SPH for SLE12; 42.2, 42.1, 13.2: encryption botch).

Red Hat has updated puppet-tripleo (OSP10.0: access restriction bypass).

Ubuntu has updated exim4 (information leak).

Stable kernel updates 4.9.1, 4.8.16, and 4.4.40

Friday 6th of January 2017 01:20:18 PM
The 4.9.1, 4.8.16, and 4.4.40 stable kernel updates have been released; each contains the usual collection of important fixes.

Security updates for Thursday

Thursday 5th of January 2017 06:33:02 PM

Debian has updated libvncserver (two vulnerabilities) and pcsc-lite (privilege escalation).

Debian-LTS has updated python-crypto (DLA-773-3; DLA-773-2: regression(s?) in previous security update for CVE-2013-7459).

Fedora has updated bzip2 (F24: denial of service), libpng (F24: denial of service), and seamonkey (F24: multiple vulnerabilities).

openSUSE has updated ImageMagick (42.2, 42.1: multiple vulnerabilities), libgme (42.2, 42.1: multiple vulnerabilities), and thunderbird (13.1: multiple vulnerabilities).

Oracle has updated ghostscript (OL7; OL6: multiple vulnerabilities, one from 2013), gstreamer-plugins-bad-free (OL7: three vulnerabilities), gstreamer-plugins-good (OL7: multiple vulnerabilities), gstreamer1-plugins-bad-free (OL7: multiple vulnerabilities), and gstreamer1-plugins-good (OL7: multiple vulnerabilities).

Red Hat has updated gstreamer-plugins-bad-free (RHEL7: three vulnerabilities), gstreamer-plugins-good (RHEL7: multiple vulnerabilities), gstreamer1-plugins-bad-free (RHEL7: multiple vulnerabilities), and gstreamer1-plugins-good (RHEL7: multiple vulnerabilities).

Scientific Linux has updated gstreamer-plugins-bad-free (SL7: three vulnerabilities), gstreamer-plugins-good (SL7: multiple vulnerabilities), gstreamer1-plugins-bad-free (SL7: multiple vulnerabilities), and gstreamer1-plugins-good (SL7: multiple vulnerabilities).

Ubuntu has updated nss (three vulnerabilities).

[$] LWN.net Weekly Edition for January 5, 2017

Thursday 5th of January 2017 02:31:34 AM
The LWN.net Weekly Edition for January 5, 2017 is available.

[$] Moving on from net-tools

Wednesday 4th of January 2017 07:00:56 PM
Old habits die hard, even when support for the tools required by those habits ended over a decade ago. It is not surprising for users to cling to the tools they learned early in their careers, even when they are told that it is time to move on. A recent discussion on the Debian development list showed the sort of stress that this kind of inertia can put on a distribution and explored the options that distributors have to try to nudge their users toward more supportable solutions.

Grumpy: Go running Python

Wednesday 4th of January 2017 06:27:27 PM
The Google Open Source Blog introduces the Grumpy project. "Grumpy is an experimental Python runtime for Go. It translates Python code into Go programs, and those transpiled programs run seamlessly within the Go runtime. We needed to support a large existing Python codebase, so it was important to have a high degree of compatibility with CPython (quirks and all). The goal is for Grumpy to be a drop-in replacement runtime for any pure-Python project."

Security updates for Wednesday

Wednesday 4th of January 2017 05:15:12 PM

Arch Linux has updated lib32-curl (two vulnerabilities), lib32-libcurl-compat (two vulnerabilities), lib32-libcurl-gnutls (two vulnerabilities), libcurl-compat (two vulnerabilities), libcurl-gnutls (two vulnerabilities), and pcsclite (privilege escalation).

CentOS has updated ghostscript (C7; C6: multiple vulnerabilities).

Debian has updated libphp-phpmailer (regression in previous update).

Debian-LTS has updated libphp-phpmailer (code execution) and libvncserver (two vulnerabilities).

Fedora has updated borgbackup (F25; F24: two vulnerabilities) and freeipa (F24: two vulnerabilities).

Gentoo has updated firefox (multiple vulnerabilities).

Mageia has updated kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), libupnp (code execution), and python-html5lib (cross-site scripting).

openSUSE has updated dnsmasq (42.2, 42.1: denial of service), samba (42.2; 42.1: three vulnerabilities), and wget (42.2, 42.1: race condition).

Red Hat has updated ghostscript (RHEL7; RHEL6: multiple vulnerabilities), kernel (RHEL7.1: denial of service), and systemd (RHEL7.1: denial of service).

Scientific Linux has updated ghostscript (SL7; SL6: multiple vulnerabilities) and ipa (SL7: two vulnerabilities).

More in Tux Machines

Canonical Patches Nvidia Graphics Drivers Vulnerability in All Ubuntu Releases

It's time to update your Ubuntu Linux operating system if you have a Nvidia graphics card running the Nvidia Legacy 340 or 304 binary X.Org drivers provided on the official software repositories.

Long-term Embedded Linux Maintenance and New Device From CompuLab

  • Long-term Embedded Linux Maintenance Made Easier
    The good old days when security breaches only happened to Windows folk are fading fast. Malware hackers and denial of service specialists are increasingly targeting out of date embedded Linux devices, and fixing Linux security vulnerabilities was the topic of several presentations at the Embedded Linux Conference Europe (ELCE) in October. One of the best attended was “Long-Term Maintenance, or How to (Mis-)Manage Embedded Systems for 10+ Years” by Pengutronix kernel hacker Jan Lübbe. After summarizing the growing security threats in embedded Linux, Lübbe laid out a plan to keep long-life devices secure and fully functional. “We need to move to newer, more stable kernels and do continuous maintenance to fix critical vulnerabilities,” said Lübbe. “We need to do the upstreaming and automate processes, and put in place a sustainable workflow. We don’t have any more excuses for leaving systems in the field with outdated software.”
  • CompuLab Has Upgraded Their Small Form Factor "IPC" Line To Kabylake
    HARDWARE -- Our friends and Linux-friendly PC vendor, CompuLab, have announced a new "IPC" line-up of their small form factor computers now with Intel Kabylake processors. In the past on Phoronix we tested CompuLab's Intense-PC (IPC) and then the IPC2 with Haswell processors, among other innovative PCs from CompuLab. Now they are rolling out the IPC3 with Intel's latest Kabylake processors.
  • Fanless mini-PC runs Linux Mint on Kaby Lake
    Compulab launched a rugged “IPC3” mini-PC that runs Linux on dual-core, 7th Gen Core i7/i5 CPUs, and also debuted three GbE-equipped FACE expansion modules. Compulab has opened pre-orders starting at $693 for the first mini-PCs we’ve seen to offer the latest, 14nm-fabricated 7th Generation Intel Core “Kaby Lake” processors. The passively cooled, 190 x 160 x 40mm IPC3 (Intense PC 3), which is available in up to industrial temperature ranges, follows two generations of similarly sized IPC2 mini-PCs. There’s the still available, 4th Gen “Haswell” based IPC2 from 2014 and the apparently discontinued 5th Gen “Broadwell” equipped IPC2 from 2015.
  • Compulab IPC3 is a tiny, fanless PC with Intel Kaby Lake CPU
    Compulab is an Israeli company that makes small, fanless computers for home or commercial use. The company’s latest mini PC aimed at enterprise/industrial usage is called the IPC3, and it has a die-cast aluminum case with built-in heat sinks for passive cooling and measures about 7.4″ x 6.3″ x 1.6″.

Games for GNU/Linux

  • Imperium Galactica II: Alliances released for Linux & SteamOS, seems native too
    Imperium Galactica II: Alliances [GOG, Steam] just released for Linux & SteamOS and it looks like it's a native version. Note: My friends at GOG sent over a copy, so big thanks to them. There's no sign of DOSBox or Wine and I had no idea this game had ever been ported to Linux. Pretty awesome really for a game like this to get a proper Linux build when it gets a new release.
  • Nearly five years after the Kickstarter, Carmageddon still isn’t on Linux despite the stretch goal being reached
    The problem here, for me, is that they later did a revamp of the title called Carmageddon: Max Damage. This was to fix some problems, boost sales again and port it to consoles. Carmageddon: Max Damage also never made it to Linux. Fun fact, they actually released a trailer where they just run over a ton of penguins, make from that what you will: Not saying this was trolling the entire Linux gaming community, but it sure felt like it after their previous trolling attempts directed at our official Twitter account.
  • Valve Rolls Out New Steam Client Stable Update with Promised Linux Changes, More
    Today Valve announced the availability of a new stable update of the Steam Client for all supported platforms, including the company's SteamOS operating system for Steam Machines, as well as GNU/Linux, macOS, and Microsoft Windows. Bringing all the new features during the Beta stages of development, the new Steam Client update improves the interaction between the Steam runtime and your GNU/Linux distribution's libraries. This is a huge and long-anticipated milestone for the Steam Client, which, unfortunately, did not work out-of-the-box on all Linux-based operating systems.

Robolinux 8.7.1 Linux OS Is Out and It's Based on Debian GNU/Linux 8.7 "Jessie"

The developers of the Robolinux GNU/Linux distribution have announced today, January 18, 2017, the release and immediate availability of a new stable update based on the latest Debian GNU/Linux 8 "Jessie" operating system series. Still offering a free installer, the Robolinux 8.7.1 "Raptor" edition is now available for download with the usual Cinnamon, MATE 3D, Xfce 3D, and LXDE flavors. It's based on the recently released Debian GNU/Linux 8.7.1 "Jessie" operating system, which means that it ships with its newest Linux 3.16 kernel and over 170 bug fixes and security patches. The GRUB bootloader and login screens have been refreshed too.