Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 6 hours 6 min ago

Thursday's security advisories

Thursday 4th of February 2016 03:45:42 PM

Debian-LTS has updated openjdk-6 (multiple vulnerabilities).

Fedora has updated nodejs-is-my-json-valid (F23: denial of service), phpmyadmin (F23: multiple vulnerabilities), and prosody (F22: insecure key handling).

Gentoo has updated qemu (multiple vulnerabilities).

Slackware has updated mozilla (unspecified), mplayer (file contents leak), openssl (cipher downgrade), and php (three vulnerabilities).

[$] LWN.net Weekly Edition for February 4, 2016

Thursday 4th of February 2016 01:23:49 AM
The LWN.net Weekly Edition for February 4, 2016 is available.

Security advisories for Wednesday

Wednesday 3rd of February 2016 05:18:10 PM

Arch Linux has updated lib32-nettle (improper cryptographic calculations) and nettle (improper cryptographic calculations).

Debian has updated openjdk-6 (multiple vulnerabilities).

Fedora has updated openstack-heat (F23: denial of service) and openstack-swift (F23: denial of service).

openSUSE has updated kernel (13.2: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7.1: multiple vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (15.10, 14.04, 12.04: multiple vulnerabilities).

Catanzaro: On WebKit security updates

Tuesday 2nd of February 2016 08:57:33 PM
Michael Catanzaro describes the sad state of WebKit security on Linux distributions and the challenges of security support for such a complex package in general. "We regularly receive bug reports from users with very old versions of WebKit, who trust their distributors to handle security for them and might not even realize they are running ancient, unsafe versions of WebKit. I strongly recommend using a distribution that releases WebKitGTK+ updates shortly after they’re released upstream. That is currently only Arch and Fedora. (You can also safely use WebKitGTK+ in Debian testing — except during its long freeze periods — and Debian unstable, and maybe also in openSUSE Tumbleweed. Just be aware that the stable releases of these distributions are currently not receiving our security updates.)" Lots of information here, worth a read for anybody interested in the topic.

Tuesday's security advisories

Tuesday 2nd of February 2016 05:54:31 PM

Arch Linux has updated curl (authentication bypass), lib32-curl (authentication bypass), python-django (permission bypass), and python2-django: permission bypass).

Fedora has updated bind (F22: two denial of service flaws), chrony (F22: packet modification), curl (F22: authentication bypass), firefox (F22: multiple vulnerabilities), and qemu (F22: multiple vulnerabilities).

openSUSE has updated firefox (13.1: multiple vulnerabilities), privoxy (Leap42.1, 13.2; 13.1: two denial of service flaws), seamonkey (Leap42.1, 13.2; 13.1: multiple vulnerabilities), firefox (Leap42.1, 13.2: multiple vulnerabilities), and xulrunner (Leap42.1: code execution).

Red Hat has updated java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), java-1.8.0-ibm (RHEL7: multiple vulnerabilities), and redis (RHELOSP7-OT; RHELOSP7; RHELOSP6: denial of service).

Ubuntu has updated kernel (15.10; 15.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), openjdk-6 (12.04: multiple vulnerabilities), and openjdk-7 (15.10, 15.04, 14.04: multiple vulnerabilities).

[$] Whole-house audio with free hardware and software

Monday 1st of February 2016 10:55:22 PM
The Black Forest fire destroyed over 500 Colorado houses in June 2013; one of those belonged to longtime Debian developer Bdale Garbee. As he reported during his talk at the 2016 linux.conf.au Multimedia and Music miniconf, the house has been redesigned and rebuilt and life is generally better now. Part of the rebuilding process included the incorporation of a whole-house audio system; naturally, Bdale took a unique approach to that task. His talk showed what can be done when one starts from scratch — and doesn't mind designing a circuit board along the way.

Fifteen years of SELinux

Monday 1st of February 2016 07:52:13 PM
This Red Hat blog post celebrates the fifteenth anniversary of the first SELinux release. "With the question of open source security long behind us, we are now focused on providing an even more flexible security model through SELinux. With the rise of composite, distributed applications that can span hundreds of physical and virtual machines as well as disparate cloud instances and Linux container deployments, one-off usage of SELinux is not enough. Instead, we are focused on providing “defense in depth” for modern computing scenarios, effectively building and deploying SELinux policies at each level of the datacenter."

Security updates for Monday

Monday 1st of February 2016 06:28:59 PM

CentOS has updated qemu-kvm (C7; C6: code execution).

Debian has updated freetype (denial of service), privoxy (two denial of service flaws), prosody (insecure handling of dialback keys), radicale (two vulnerabilities), and rails (multiple vulnerabilities).

Debian-LTS has updated gosa (code injection), mysql-5.5 (multiple vulnerabilities), phpmyadmin (two vulnerabilities), prosody (two vulnerabilities), and tiff (multiple vulnerabilities).

Fedora has updated curl (F23: authentication bypass), firefox (F23: multiple vulnerabilities), gsi-openssh (F22: multiple vulnerabilities), imlib2 (F23: denial of service), kernel (F23; F22: multiple vulnerabilities), krb5 (F23: three vulnerabilities), moodle (F23; F22: two vulnerabilities), nginx (F23: multiple vulnerabilities), ntp (F23: multiple vulnerabilities), openssl (F23: two vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), privoxy (F23; F22: two denial of service flaws), webkitgtk4 (F22: multiple vulnerabilities), and xen (F22: multiple vulnerabilities).

Gentoo has updated openssl (multiple vulnerabilities).

openSUSE has updated ecryptfs-utils (Leap42.1; 13.1: two vulnerabilities), giflib (Leap42.1: heap-based buffer overflow), and kernel (13.1: multiple vulnerabilities).

Kernel prepatch 4.5-rc2

Monday 1st of February 2016 02:52:59 AM
The 4.5-rc2 kernel prepatch is out. Linus says things aren't going so slowly anymore: "As late as Friday, I was planning on talking about how nice it is to see this new trend of tiny rc2 releases, because there really hadn't been very many pull requests at all. But it turns out the pull requests were just heavily skewed to the end of the week, and 4.5-rc2 isn't particularly small after all. It pretty much doubled over the weekend." Still, he seems to think that things are working well enough.

The stable update stream continues

Sunday 31st of January 2016 07:56:00 PM
The 4.4.1, 4.3.5, and 4.1.17 stable kernel updates are out. These contain a relatively large number of changes as Greg Kroah-Hartman continues to work through the patch backlog.

KDE neon announced

Sunday 31st of January 2016 07:48:56 PM
The KDE neon project — which arguably could be seen as a replacement for the Kubuntu distribution — has been announced at FOSDEM. "More than ever people expect a stable desktop with cutting-edge features, all in a package which is easy to use and ready to make their own. KDE Neon is the intersection of these needs using a stable Ubuntu long-term release as its core, packaging the hottest software fresh from the KDE Community ovens. Compute knowing you have a solid foundation and enjoy the features you experience in the world's most customisable desktop."

New stable kernels

Friday 29th of January 2016 11:07:20 PM

Greg Kroah-Hartman has released stable kernels 3.14.60 and 3.10.96, each containing important updates throughout the tree.

Friday's security updates

Friday 29th of January 2016 03:27:18 PM

Arch Linux has updated lib32-openssl (multiple vulnerabilities) and openssl (multiple vulnerabilities).

Debian has updated mysql-5.5 (multiple vulnerabilities).

Fedora has updated gsi-openssh (F23: multiple vulnerabilities), krb5 (F23: information leak), and xen (F23: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), chrony (M5: packet modification), firefox (M5: code execution), lxc (M5: directory traversal), ntp (M5: multiple vulnerabilities), owncloud (M5: multiple vulnerabilities), and srtp (M5: denial of service).

openSUSE has updated java-1_7_0-openjdk (Leap 42.1: multiple vulnerabilities) and kernel (Leap 42.1: multiple vulnerabilities).

Oracle has updated qemu-kvm (O7; O6: code execution).

Red Hat has updated qemu-kvm (RHEL6; RHEL7: code execution) and qemu-kvm-rhev (RHEL7 OSP5; RHEL6 OSP5; RHEL7 OSP7; RHEL7 OSP6: multiple vulnerabilities).

Scientific Linux has updated qemu-kvm (SL6; SL7: code execution).

Ubuntu has updated openssl (15.10: information leak).

NSA Hacker Chief Explains How to Keep Him Out of Your System (Wired)

Thursday 28th of January 2016 08:08:21 PM
Wired reports on a talk at the USENIX Enigma conference by Rob Joyce of the US National Security Agency (NSA). Joyce is the head of the NSA's Tailored Access Operations, which is tasked with breaking into the systems of adversaries and sometimes allies. He spoke about ways to thwart the NSA and other nation-state-level attackers. "'We put the time in …to know [that network] better than the people who designed it and the people who are securing it,' he said. 'You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You'd be surprised about the things that are running on a network vs. the things that you think are supposed to be there.'"

Thursday's security advisories

Thursday 28th of January 2016 03:47:18 PM

Arch Linux has updated nginx (three denial of service flaws).

Debian has updated iceweasel (three vulnerabilities) and openjdk-7 (multiple vulnerabilities).

openSUSE has updated chromium (13.1: multiple vulnerabilities), java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1; 13.2: multiple vulnerabilities), java7 (13.1: multiple vulnerabilities), and openldap2 (42.1: two vulnerabilities).

Oracle has updated bind (OL7; OL6; OL5: denial of service), bind97 (OL5: denial of service), and firefox (OL7; OL6; OL5: two code execution flaws).

Red Hat has updated bind (RHEL6.4, 6.5: four denial of service flaws, including one from 2014) and bind (RHEL6.6: three denial of service flaws).

Scientific Linux has updated bind (denial of service), bind97 (SL5: denial of service), and firefox (two code execution flaws).

SUSE has updated java-1_7_0-openjdk (SLE12; SLE11: multiple vulnerabilities) and openldap2 (Studio Onsite 1.3: two vulnerabilities).

Ubuntu has updated curl (authentication bypass) and oxide-qt (15.10, 15.04, 14.04: multiple vulnerabilities).

LWN.net Weekly Edition for January 28, 2016

Thursday 28th of January 2016 01:12:14 AM
The LWN.net Weekly Edition for January 28, 2016 is available.

[$] The Linux Foundation changes its bylaws

Wednesday 27th of January 2016 05:44:17 PM
The Linux Foundation's board of directors is not usually a hotbed of controversy; for the most part it does its work in the background, quietly going about the business of directing the non-profit organization. In mid-January that all changed. The bylaws that governed how some at-large board seats were allocated were changed, which caused quite an uproar within the Linux world. While there is speculation about the motive for the change—as well as an official statement of sorts—it certainly seems like the whole thing could have been handled a lot better.

Subscribers can click below for the full story from this week's edition.

Security advisories for Wednesday

Wednesday 27th of January 2016 05:37:04 PM

CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), and firefox (C7; C6; C5: code execution).

Debian has updated chromium-browser (multiple vulnerabilities), curl (authentication bypass), and virtualbox (multiple vulnerabilities).

Debian-LTS has updated nginx (denial of service), radicale (multiple vulnerabilities), and tiff (code execution).

Fedora has updated cgit (F23: three vulnerabilities), kernel (F23: multiple vulnerabilities), and perl-PathTools (F22: returns untainted strings).

Gentoo has updated adobe-flash (multiple vulnerabilities), opensmtpd (multiple vulnerabilities), and webkit-gtk (multiple vulnerabilities).

openSUSE has updated Chromium (SPH SLE12; Leap42.1, 13.2: multiple vulnerabilities), openldap (13.1: two vulnerabilities), php5 (13.2: three vulnerabilities), and tiff (Leap42.1: denial of service).

Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated bind (RHEL5,6,7: denial of service), bind97 (RHEL5: denial of service), chromium-browser (RHEL6: multiple vulnerabilities), firefox (RHEL5,6,7: code execution), and RHOSE (multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities).

SUSE has updated java-1_8_0-openjdk (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities).

Firefox 44 released

Tuesday 26th of January 2016 07:58:19 PM
Firefox 44.0 has been released. With this version Firefox can get push notifications from your favorite sites. This release also features improved warning pages for certificate errors and untrusted connections, H.264 is enabled if the system decoder is available, if MP4/H.264 are not supported WebM/VP9 video support is enabled, the brotli compression format via HTTPS content-encoding is supported, and more. See the release notes for details.

The Linux Test Project has been released for January 2016

Tuesday 26th of January 2016 06:09:28 PM
The Linux Test Project test suite stable release for January 2016 is available. There were 191 patches by 29 authors merged since the previous release. Some notable changes include rewritten and new cgroup tests for cpuacct and pids controllers, rewritten basic cgroup functional and stress tests, new userns07 test for user namespaces, new syscall tests, and more.

More in Tux Machines

Kernel Space: Linux, Graphics

  • Linux kernel bug delivers corrupt TCP/IP data to Mesos, Kubernetes, Docker containers
    The Linux Kernel has a bug that causes containers that use veth devices for network routing (such as Docker on IPv6, Kubernetes, Google Container Engine, and Mesos) to not check TCP checksums. This results in applications incorrectly receiving corrupt data in a number of situations, such as with bad networking hardware. The bug dates back at least three years and is present in kernels as far back as we’ve tested. Our patch has been reviewed and accepted into the kernel, and is currently being backported to -stable releases back to 3.14 in different distributions (such as Suse, and Canonical). If you use containers in your setup, I recommend you apply this patch or deploy a kernel with this patch when it becomes available. Note: Docker’s default NAT networking is not affected and, in practice, Google Container Engine is likely protected from hardware errors by its virtualized network.
  • Performance problems
    Just over a year ago I implemented an optimization to the SPI core code in Linux that avoids some needless context switches to a worker thread in the main data path that most clients use. This was really nice, it was simple to do but saved a bunch of work for most drivers using SPI and made things noticeably faster. The code got merged in v4.0 and that was that, I kept on kicking a few more ideas for optimizations in this area around but that was that until the past month.
  • Compute Shader Code Begins Landing For Gallium3D
    Samuel Pitoiset began pushing his Gallium3D Mesa state tracker changes this morning for supporting compute shaders via the GL_ARB_compute_shader extension. Before getting too excited, the hardware drivers haven't yet implemented the support. It was back in December that core Mesa received its treatment for compute shader support and came with Intel's i965 driver implementing CS.
  • Libav Finally Lands VDPAU Support For Accelerated HEVC Decoding
    While FFmpeg has offered hardware-accelerated HEVC decoding using NVIDIA's VDPAU API since last summer, this support for the FFmpeg-forked libav landed just today. In June was when FFmpeg added support to its libavcodec for handling HEVC/H.265 video decoding via NVIDIA's Video Decode and Presentation API for Unix interface. Around that same time, developer Philip Langdale who had done the FFmpeg patch, also submitted the patch for Libav for decoding HEVC content through VDPAU where supported.

Unixstickers, Linux goes to Washington, Why Linux?

  • Unixstickers sent me a package!
    There's an old, popular saying, beware geeks bearing gifts. But in this case, I was pleased to see an email in my inbox, from unixstickers.com, asking me if I was interested in reviewing their products. I said ye, and a quick few days later, there was a surprise courier-delivered envelope waiting for me in the post. Coincidentally - or not - the whole thing happened close enough to the 2015 end-of-the-year holidays to classify as poetic justice. On a slightly more serious note, Unixstickers is a company shipping T-shirts, hoodies, mugs, posters, pins, and stickers to UNIX and Linux aficionados worldwide. Having been identified one and acquired on the company's PR radar, I am now doing a first-of-a-kind Dedoimedo non-technical technical review of merchandise related to our favorite software. So not sure how it's gonna work out, but let's see.
  • Linux goes to Washington: How the White House/Linux Foundation collaboration will work
    No doubt by now you've heard about the Obama Administration's newly announced Cybersecurity National Action Plan (CNAP). You can read more about it on CIO.com here and here. But what you may not know is that the White House is actively working with the Linux and open source community for CNAP. In a blog post Jim Zemlin, the executive director of the Linux Foundation said, “In the proposal, the White House announced collaboration with The Linux Foundation’s Core Infrastructure Initiative (CII) to better secure Internet 'utilities' such as open-source software, protocols and standards.”
  • Why Linux?
    Linux may inspire you to think of coders hunched over their desks (that are littered with Mountain Dew cans) while looking at lines of codes, faintly lit by the yellow glow of old CRT monitors. Maybe Linux sounds like some kind of a wild cat and you have never heard the term before. Maybe you have use it every day. It is an operating system loved by a few and misrepresented to many.

RebeccaBlackOS 2016-02-08 Review. Why? Because it’s Friday.

These are the types of problems found in an independent distro build from scratch. I cannot understand how a system built on Debian could be this buggy and apparently have zero VM support which Debian comes with by default. I can take some solace in the fact that it was built by one person and that one person is a Rebecca Black fan but as far as a Linux Distribution is concerned there is not much here. Some could say “Well its not supposed to be taken as a serious Distribution.” True except it is listed and kept up with on DistroWatch therefor it should be held as a system ready distribution especially when it was not released as a beta or an RC. If this distribution is ever going to be considered a real platform it has a long way to go. I give it about as many thumbs down as the Rebecca Black Friday video. Read more

Android More Leftovers