Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 4 hours 9 min ago

[$] Bus1: a new Linux interprocess communication proposal

Wednesday 17th of August 2016 07:44:33 PM
Anyone who has been paying attention to Linux kernel development in recent years would be aware that IPC — interprocess communication — is not a solved problem. There are certainly many partial solutions, from pipes and signals, through sockets and shared memory, to more special-purpose solutions like Cross Memory Attach and Android's binder. But it seems there are still some use cases that aren't fully addressed by current solutions, leading to new solutions being occasionally proposed to try to meet those needs. The latest proposal is called "bus1".

Security updates for Wednesday

Wednesday 17th of August 2016 04:02:33 PM

Fedora has updated curl (F23: three vulnerabilities), drupal7-theme-zen (F24; F23: cross-site scripting), mingw-libarchive (F24: code execution), mingw-xz (F24: code execution), pulp (F24: two vulnerabilities), pulp-docker (F24: two vulnerabilities), pulp-ostree (F24: two vulnerabilities), pulp-puppet (F24: two vulnerabilities), pulp-python (F24: two vulnerabilities), and pulp-rpm (F24: two vulnerabilities).

Red Hat has updated kernel (RHEL6.2: privilege escalation).

Scientific Linux has updated mariadb (SL7: multiple unspecified vulnerabilities), php (SL7: proxy injection), and qemu-kvm (SL7: two vulnerabilities).

SUSE has updated squid3 (SLE11-SP4: multiple vulnerabilities).

Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities).

Stable kernel updates

Tuesday 16th of August 2016 09:28:00 PM
Stable kernels 4.7.1, 4.6.7, 4.4.18, and 3.14.76 have been released. All contain important fixes. This is the last 4.6.y kernel, users should upgrade to 4.7.1 now.

Go 1.7 released

Tuesday 16th of August 2016 05:36:55 PM
Version 1.7 of the Go language has been released. "There is one tiny language change in this release. The section on terminating statements clarifies that to determine whether a statement list ends in a terminating statement, the 'final non-empty statement' is considered the end, matching the existing behavior of the gc and gccgo compiler toolchains." On the other hand, there appear to be significant optimization improvements; see the release notes for details.

Security advisories for Tuesday

Tuesday 16th of August 2016 03:52:04 PM

Debian-LTS has updated extplorer (archive traversal).

Fedora has updated jasper (F24: multiple vulnerabilities) and kernel (F24; F23: denial of service).

openSUSE has updated harfbuzz (Leap42.1, 13.2: multiple vulnerabilities) and squid (Leap42.1: multiple vulnerabilities).

Oracle has updated kernel 4.1.12 (OL7; OL6: information disclosure), kernel 3.8.13 (OL7; OL6: information disclosure).

SUSE has updated php5 (SLE11-SP2: multiple vulnerabilities).

Ubuntu has updated openssh (two vulnerabilities).

Google is developing an OS called “Fuchsia,” runs on All the Things (Android Police)

Monday 15th of August 2016 07:22:28 PM
Android Police takes a look at a new OS from Google. "Enter “Fuchsia.” Google’s own description for it on the project’s GitHub page is simply, “Pink + Purple == Fuchsia (a new Operating System)”. Not very revealing, is it? When you begin to dig deeper into Fuchsia’s documentation, everything starts to make a little more sense. First, there’s the Magenta kernel based on the ‘LittleKernel’ project. Just like with Linux and Android, the Magenta kernel powers the larger Fuchsia operating system. Magenta is being designed as a competitor to commercial embedded OSes, such as FreeRTOS or ThreadX." Fuchsia also uses the Flutter user interface, the Dart programming language, and Escher, "a renderer that supports light diffusion, soft shadows, and other visual effects, with OpenGL or Vulkan under the hood".

Monday's security advisories

Monday 15th of August 2016 04:16:24 PM

Arch Linux has updated kernel (information disclosure), linux-grsec (information disclosure), and postgresql (two vulnerabilities).

Debian has updated wireshark (multiple vulnerabilities).

Debian-LTS has updated openssh (denial of service) and wireshark (multiple vulnerabilities).

Fedora has updated chromium (F24: multiple vulnerabilities) and drupal7-entity_translation (F24; F23: cross-site scripting).

openSUSE has updated GraphicsMagick (Leap42.1: multiple vulnerabilities), ImageMagick (13.2: three vulnerabilities), and php5 (13.2: multiple vulnerabilities).

Scientific Linux has updated php (SL6: proxy injection).

SUSE has updated firefox, nspr, nss (SLE11-SP2: multiple vulnerabilities) and kernel (SLE11-SP2: multiple vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (regression in previous update).

Kernel prepatch 4.8-rc2

Monday 15th of August 2016 12:46:20 PM
The second 4.8 prepatch has been released. Linus says: "Nothing really strange seems to be going on, so please just go out and test it and report any problems you encounter. It's obviously fairly early in the rc series, but I don't think there was anything particularly worrisome this merge window, so don't be shy."

OpenMandriva Lx 3.0 released

Saturday 13th of August 2016 07:49:57 PM
The OpenMandriva Lx 3.0 release is available. "OpenMandriva Lx is a cutting edge distribution compiled with LLVM/clang. Combined with the high level of optimisation used for both code and linking (by enabling LTO) used in its building, this gives the OpenMandriva desktop an unbelievably crisp response to operations on the KDE Plasma 5 desktop which makes it a pleasure to use."

Ardour 5.0 released

Friday 12th of August 2016 11:40:13 PM
The Ardour audio workstation has released its 5.0 version. There are many new features in the release, including a tabbed user interface, Lua scripting, built-in plugins, and new themes. "Ardour 5.0 is now available for Linux, OS X and Windows. This is a major release focused on substantial changes to the GUI and major new features related to mixing, plugin use, tempo maps, scripting and more. As usual, there are also hundreds of bug fixes. Ardour 5.0 can be parallel-installed with older versions of the program, and does not use the same preference files. It will load sessions from Ardour 2, 3 and 4, though with some potential minor changes."

Lefkowitz: The One Python Library Everyone Needs

Friday 12th of August 2016 09:14:40 PM
Twisted developer Glyph Lefkowitz writes about the attrs library for Python, which he calls "my favorite mandatory Python library". Instead of a lot of boilerplate to handle attributes in classes, attrs makes it far easier. "It lets you say what you mean directly with a declaration rather than expressing it in a roundabout imperative recipe. Instead of “I have a type, it’s called MyType, it has a constructor, in the constructor I assign the property ‘A’ to the parameter ‘A’ (and so on)”, you say “I have a type, it’s called MyType, it has an attribute called a”, and behavior is derived from that fact, rather than having to later guess about the fact by reverse engineering it from behavior (for example, running dir on an instance, or looking at self.__class__.__dict__)."

Security updates for Friday

Friday 12th of August 2016 05:07:32 PM

CentOS has updated mariadb (C7: multiple unspecified vulnerabilities), php (C7; C6: proxy injection), and qemu-kvm (C7: two vulnerabilities).

Debian has updated icedove (multiple vulnerabilities) and postgresql-9.4 (two vulnerabilities).

Debian-LTS has updated nettle (?:).

Fedora has updated perl-DBD-MySQL (F23: code execution from 2015), python (F24: proxy injection), and python3 (F24: proxy injection).

openSUSE has updated go (42.1, 13.2; SPH: denial of service), hawk2 (42.1: clickjacking prevention), java-1_7_0-openjdk (42.1; 13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1: multiple vulnerabilities), libarchive (42.1: multiple vulnerabilities, many from 2015), OpenJDK7 (13.1: multiple vulnerabilities), pcre2 (42.1: code execution), sqlite3 (42.1: information leak), and wget (13.2: code execution).

Oracle has updated mariadb (OL7: multiple unspecified vulnerabilities), php (OL7; OL6: proxy injection), and qemu-kvm (OL7: two vulnerabilities).

Red Hat has updated mariadb (RHEL7: multiple unspecified vulnerabilities), mariadb55-mariadb (RHSC: multiple unspecified vulnerabilities), php (RHEL7; RHEL6: proxy injection), php54-php (RHSC: proxy injection), php55-php (RHSC: proxy injection), qemu-kvm (RHEL7: two vulnerabilities), Red Hat OpenShift Enterprise (two vulnerabilities), rh-mariadb100-mariadb (RHSC: multiple unspecified vulnerabilities), rh-mysql56-mysql (RHSC: multiple unspecified vulnerabilities), and rh-php56-php (RHSC: proxy injection).

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open (Ars Technica)

Thursday 11th of August 2016 10:04:21 PM
Ars Techica is reporting on a mistake by Microsoft that resulted in providing a "golden key" to circumvent Secure Boot. The "key" is not really a key at all, but a debugging tool that was inadvertently left in some versions of Windows devices that was found by two security researchers; the details were released on a "rather funky website" (viewing the source of that page is a good way to avoid the visual and audio funkiness). "The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled. And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse." As the researchers note, this is perfect example of why backdoors (legally mandated or not) in cryptographic systems are a bad idea.

Update: For some more detail, see Matthew Garrett's blog post .

Security advisories for Thursday

Thursday 11th of August 2016 02:33:23 PM

Arch Linux has updated jq (code execution from 2015) and websvn (cross-site scripting).

Debian-LTS has updated postgresql-9.1 (two vulnerabilities).

Gentoo has updated optipng (three vulnerabilities).

openSUSE has updated typo3 (13.1: three vulnerabilities from 2013 and 2014) and firefox, mozilla-nss (13.1: many vulnerabilities).

Red Hat has updated java-1.7.0-ibm (RHEL5: two vulnerabilities), java-1.7.1-ibm (RHEL6&7: two vulnerabilities), java-1.8.0-ibm (RHEL6&7: two vulnerabilities), and python-django (RHOSP8; RHOSP7; RHEL7: cross-site scripting).

Scientific Linux has updated qemu-kvm (SL6: denial of service).

Ubuntu has updated libgd2 (16.04, 14.04: three vulnerabilities) and xmlrpc-epi (16.04: code execution).

[$] LWN.net Weekly Edition for August 11, 2016

Thursday 11th of August 2016 12:03:01 AM
The LWN.net Weekly Edition for August 11, 2016 is available.

[$] The TCP "challenge ACK" side channel

Wednesday 10th of August 2016 09:14:14 PM
Side-channel attacks against various kinds of protocols (typically networking or cryptographic) are both dangerous and often hard for developers and reviewers to spot. They are generally passive attacks, which makes them hard to detect as well. A recent paper [PDF] describes in detail one such attack against the kernel's TCP networking stack; the bug (CVE-2016-5696) has existed since Linux 3.6, which was released in 2012. Ironically, the bug was introduced because Linux has implemented a countermeasure against another type of attack.

Stable kernel updates

Wednesday 10th of August 2016 08:45:26 PM
The 4.6.6, 4.4.17, and 3.14.75 stable kernel updates have been released. Each contains the usual set of fixes and updates.

The first public Kirigami release

Wednesday 10th of August 2016 03:58:08 PM
The KDE project has announced the first public release of the Kirigami interface framework. "Now, with KDE’s focus expanding beyond desktop and laptop computers into the mobile and embedded sector, our QWidgets-based components alone are not sufficient anymore. In order to allow developers to easily create Qt-based applications that run on any major mobile or desktop operating system (including our very own existing Plasma Desktop and upcoming Plasma Mobile, of course), we have created a framework that extends Qt Quick Controls: Welcome Kirigami!"

Security advisories for Wednesday

Wednesday 10th of August 2016 03:54:50 PM

CentOS has updated qemu-kvm (C6: denial of service).

Debian-LTS has updated fontconfig (privilege escalation) and mongodb (problem in previous update).

Fedora has updated lighttpd (F24; F23: man-in-the-middle attacks) and openssh (F24: denial of service).

Oracle has updated qemu-kvm (OL6: multiple vulnerabilities).

Red Hat has updated qemu-kvm (RHEL6: denial of service).

SUSE has updated java-1_7_0-openjdk (SLE12-SP1: multiple vulnerabilities), java-1_8_0-openjdk (SLE12-SP1: multiple vulnerabilities), php53 (SLE11-SP4: multiple vulnerabilities), squid3 (SLE11-SP4: multiple vulnerabilities), and kernel (SLE11-SP4: three vulnerabilities).

Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), linux-snapdragon (16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

EFF Announces 2016 Pioneer Award Winners

Tuesday 9th of August 2016 09:11:34 PM
The Electronic Frontier Foundation (EFF) has announced the winners of the 2016 Pioneer Awards: "Malkia Cyril of the Center for Media Justice, data protection activist Max Schrems, the authors of the “Keys Under Doormats” report that counters calls to break encryption, and the lawmakers behind CalECPA—a groundbreaking computer privacy law for Californians."

More in Tux Machines

'Open' Processor

  • 25-core open source chip could pave way for monster 200,000-core PC
    PRINCETON UNIVERSITY BOFFINS have developed a 25-core open source processor that can be scaled to create a monster 200,000-core PC stuffed with 8,000 64-bit chips. The chip is called Piton after the metal spikes driven by rock climbers into mountain sides, and was presented at the Hot Chips symposium on high-performance computing in Cupertino this week.
  • New microchip demonstrates efficiency and scalable design
    Researchers at Princeton University have built a new computer chip that promises to boost performance of data centers that lie at the core of online services from email to social media. [...] Other Princeton researchers involved in the project since its 2013 inception are Yaosheng Fu, Tri Nguyen, Yanqi Zhou, Jonathan Balkind, Alexey Lavrov, Matthew Matl, Xiaohua Liang, and Samuel Payne, who is now at NVIDIA. The Princeton team designed the Piton chip, which was manufactured for the research team by IBM. Primary funding for the project has come from the National Science Foundation, the Defense Advanced Research Projects Agency, and the Air Force Office of Scientific Research.
  • Manycore ‘Piton’ Climbs Toward 200,000-Core Peak

Android Leftovers

Lubuntu 16.10 Beta Out Now with Linux Kernel 4.4 LTS and the Latest LXDE Desktop

As part of today's Ubuntu 16.10 (Yakkety Yak) Beta launch, Simon Quigley from the Lubuntu Linux team released the first Beta build of the upcoming Lubuntu 16.10 operating system. Read more Also: Ubuntu MATE 16.10 (Yakkety Yak) Beta Removes the Heads-Up Display (HUD) Feature Ubuntu GNOME 16.10 Beta 1 Released with GNOME 3.20 and GNOME 3.22 Beta Apps Ubuntu 16.10 "Yakkety Yak" Beta Released, Ubuntu GNOME Has Experimental Wayland

Facebook open sources its computer vision tools