
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Introducing open source DC/OS

Wednesday 20th of April 2016 05:03:54 PM
Mesosphere has announced the release of DC/OS under the Apache License 2.0. "DC/OS derives from Mesosphere’s Datacenter Operating System, a commercial product built around Apache Mesos. Open sourcing DCOS has always been part of our strategic roadmap and we’re proud to have collaborated with our launch partners for today’s unveiling. DC/OS is a software platform that’s 100 percent open source, comprised of more than 30 component technologies, including Apache Mesos and Marathon. Some of the technologies were always open source, including Mesos, while others were previously proprietary code developed by Mesosphere, such as the GUI and our Minuteman load balancer." Over 60 partner companies participated in the open source release.

Security advisories for Wednesday

Wednesday 20th of April 2016 03:59:02 PM

Fedora has updated kernel (F23: three vulnerabilities).

openSUSE has updated apparmor (13.1: profile updates), samba (13.1; 11.4: multiple vulnerabilities), and tiff (13.1: denial of service).

SUSE has updated samba (SLES10-SP4: three vulnerabilities) and kernel (SLE11-SP4: multiple vulnerabilities).

Ubuntu has updated firefox (regressions in previous update).

[$] Persistent-memory error handling

Wednesday 20th of April 2016 02:19:48 PM
One of the key advantages of persistent memory is that it is, for lack of a better word, persistent; data stored there will be available for recall in the future, regardless of whether the system has remained up in the meantime. But, like memory in general, persistent memory can fail for a number of reasons and, given the quantities in which it is expected to be deployed, failures are a certainty. How should the operating system and applications deal with errors in persistent memory? One of the first plenary sessions at the 2016 Linux Storage, Filesystem, and Memory-Management Summit, led by Jeff Moyer, took on this question.

Tuesday's security updates

Tuesday 19th of April 2016 04:02:14 PM

Fedora has updated libreswan (F22: denial of service).

openSUSE has updated systemd (13.2: two vulnerabilities).

The Android Security 2015 Annual Report

Tuesday 19th of April 2016 01:30:18 PM
Google has announced the availability of the Android security 2015 year in review [PDF]. "Android’s open source model has also allowed device manufacturers to introduce new security capabilities. Samsung KNOX, for example, has taken advantage of unique hardware capabilities to strengthen the root of trust on Samsung devices. Samsung has also introduced new kernel monitoring capabilities on their Android devices. Samsung is not unique in their contributions to the Android ecosystem. Blackberry has worked to enhance the security of their devices by enabling kernel hardening and other features in the Blackberry PRIV. CopperheadOS has both introduced security improvements to their own version of Android and made significant contributions to the Android Open Source Project. These are just some of the various contributions made possible through open sourcing that improved the Android ecosystem in 2015."

Schaller: Fedora Workstation Phase 1 – Homestretch

Tuesday 19th of April 2016 10:52:51 AM
Christian Schaller celebrates the completion of the (informal) first phase of the Fedora Workstation project. "Another major piece of engineering that is coming to a close is moving major applications such as Firefox, LibreOffice and Eclipse to GTK3. This was needed to get these applications to run natively on Wayland, but it also enabled us to make them work nicely for HiDPI. This has also played into how GTK3 has positioned itself, which is to be a toolkit dedicated to pushing the Linux desktop forward and helping it quickly adapt to and adopt changes in the technology landscape."

Garrett: Remembering David MacKay

Monday 18th of April 2016 10:01:32 PM
Matthew Garrett remembers David MacKay, shortly after his passing. "I was already aware of the importance of free software in terms of developers, but working with David made it clear to me how important it was to users as well. A community formed around Dasher, helping us improve it and allowing us to develop support for new use cases that made the difference between someone being able to type at two words per minute and being able to manage twenty. David saw that this collaborative development would be vital to creating something bigger than his original ideas, and it succeeded in ways he couldn't have hoped for." (Thanks to Paul Wise)

Security updates for Monday

Monday 18th of April 2016 04:36:06 PM

Arch Linux has updated chromium (multiple vulnerabilities) and libtasn1 (denial of service).

Debian has updated fuseiso (two vulnerabilities), openssh (privilege escalation), and tomcat7 (multiple vulnerabilities).

Fedora has updated firefox (F23: multiple vulnerabilities) and xerces-c (F22: code execution).

openSUSE has updated Chromium (Leap42.1; 13.1: multiple vulnerabilities), gcc5 (Leap42.1: predictable random values), krb5 (Leap42.1: null pointer dereference), mercurial (Leap42.1: three vulnerabilities), optipng (Leap42.1; 13.2: three vulnerabilities), perl-YAML-LibYAML (Leap42.1: three vulnerabilities, one from 2013), samba (13.2: multiple vulnerabilities), and tiff (13.2: denial of service).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities) and samba (multiple vulnerabilities).

SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities) and openssl (SOSC5&SM2.1: multiple vulnerabilities).

Ubuntu has updated optipng (multiple vulnerabilities) and samba (multiple vulnerabilities).

How Badlock was discovered and fixed

Monday 18th of April 2016 01:14:53 PM
This post on the Red Hat Enterprise Linux blog describes the discovery and repair of the "Badlock" vulnerability. One begins to understand a little better why it took as long as it did. "The code was rewritten; in March 2016 the changes needed to fix all eight CVEs amounted to about 200 individual patches against a development version of Samba, with about half of those responsible for fixing CVE-2015-5370. When backported to previous stable Samba versions, they needed an additional hundred patches; for the oldest supported Samba version, about four hundred patches. What started as an individual snowflake became an avalanche but it wasn’t finished yet."

[$] Maru: a pocket desktop

Monday 18th of April 2016 11:50:43 AM
It appears to be widely accepted that the Linux desktop has achieved limited success at best, while the Linux palmtop — in the form of Android — has been wildly successful. The two classes of systems are generally thought of as being quite different, but it is worth remembering that the handsets we carry now have more computing power than the desktop systems we were using in the recent past. Given the right peripherals, an Android handset should be more than capable of providing a reasonable desktop experience. The Maru distribution is an experiment intended to prove that point by turning a smartphone device into a portable Debian desktop.

Kernel prepatch 4.6-rc4

Monday 18th of April 2016 11:17:05 AM
The 4.6-rc4 kernel prepatch is out for testing. "So there really isn't anything particularly interesting here. Just like I like it in the rc series. Let's hope it stays that way."

Brauch: Processing scientific data in Python and numpy, but doing it fast

Friday 15th of April 2016 08:56:27 PM
On his blog, Sven Brauch has some suggestions on how to use NumPy to process scientific data and how to avoid some pitfalls that will ruin its performance. "In general, copying data is cheap. But if your program simulates 25 million particles, each having a float64 location in 3d, you already have 8*3*25e6 = 600 MB of data. Thus, if you write r = r + v*dt, you will copy 1.2 GB of data around in memory: once 600 MB to calculate v*dt, and again to calculate r+(v*dt), and only then the result is written back to r. This can really become a major bottleneck if you aren’t careful. Fortunately, it is usually easy to circumvent; instead of writing r = r+dv, write r += dv. Instead of a = 3*a + b, write a *= 3; a += b. This avoids the copying completely. For calculating v*dt and adding it to r, the situation is a bit more tricky; one good idea is to just have the unit of v be such that you don’t need to multiply by dt. If that is not possible, it might even be worth it to keep a copy of v which is multiplied by dt already, and update that whenever you update v. This is advantageous if only few v values change per step of your simulation. I would not recommend writing it like this everywhere though, it’s often not worth the loss in readability; just for really large arrays and when the code is executed frequently."
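The following is an added example, not code from Brauch's post. It puts the copying update r = r + v*dt next to the in-place form he recommends, using a preallocated scratch buffer for v*dt so that neither temporary is allocated per step, and checks that the two forms produce the same result while the in-place form keeps r's original buffer. It assumes NumPy is installed; the particle counts and the random seed are constructed for illustration.

```python
import numpy as np

# Added example (not from the original post): copying vs. in-place NumPy updates.

def step_copying(r, v, dt):
    """Textbook update: allocates a temporary for v*dt and another for r + (v*dt)."""
    return r + v * dt


def step_inplace(r, v, dt, scratch):
    """Same arithmetic without allocation: v*dt goes into scratch, then r += scratch."""
    np.multiply(v, dt, out=scratch)   # scratch[:] = v * dt, no new array
    r += scratch                      # in-place add; r keeps its buffer
    return r


def bytes_copied_per_step(n_particles, dims=3, itemsize=8):
    """Bytes moved by the copying form: two full-size temporaries (the post's 2 x 600 MB)."""
    return 2 * n_particles * dims * itemsize


def simulate(n_particles=4, steps=3, dt=0.5, seed=0):
    """Run both forms side by side.

    Returns (in-place result, copying result, True if r still uses its original buffer).
    Inputs are random positions/velocities constructed from a fixed seed.
    """
    rng = np.random.default_rng(seed)
    r = rng.random((n_particles, 3))
    v = rng.random((n_particles, 3))
    r_ref = r.copy()
    scratch = np.empty_like(r)
    original_buffer = r.ctypes.data
    for _ in range(steps):
        r_ref = step_copying(r_ref, v, dt)
        step_inplace(r, v, dt, scratch)
    return r, r_ref, r.ctypes.data == original_buffer


def results_agree(**kwargs):
    """True when the in-place path matches the copying path and never reallocated r."""
    r, r_ref, same_buffer = simulate(**kwargs)
    return bool(np.allclose(r, r_ref)) and same_buffer


if __name__ == "__main__":
    print("copying form moves", bytes_copied_per_step(25_000_000) / 1e9, "GB per step")
    print("in-place matches copying:", results_agree(n_particles=1000, steps=10))
```

The scratch buffer is the "copy of v multiplied by dt" idea from the post with the multiplication done every step; if v rarely changes, computing scratch once and reusing it removes the multiply as well.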

Costa: Designing a Userspace Disk I/O Scheduler for Modern Datastores: the Scylla example (Part 1)

Friday 15th of April 2016 05:22:55 PM
Over at the Scylla blog, Glauber Costa looks at why a high-performance datastore application might want to do its own I/O scheduling. "If one is using a threaded approach for managing I/O, a thread can be assigned to a different priority group by tools such as ionice. However, ionice only allows us to choose between general concepts like real-time, best-effort and idle. And while Linux will try to preserve fairness among the different actors, that doesn’t allow any fine tuning to take place. Dividing bandwidth among users is a common task in network processing, but it is usually not possible with disk I/O without resorting to infrastructure like cgroups. More importantly, modern designs like the Seastar framework used by Scylla to build its infrastructure may stay away from threads in favor of a thread-per-core design in the search for better scalability. In the light of these considerations, can a userspace application like Scylla somehow guarantee that all actors are served according to the priorities we would want them to obey?"

Friday's security advisories

Friday 15th of April 2016 03:10:35 PM

Arch Linux has updated lhasa (code execution).

Debian has updated chromium-browser (multiple vulnerabilities).

Fedora has updated cryptopp (F24: information disclosure), libtasn1 (F24: denial of service), poppler (F23: code execution), qpid-proton (F23: TLS to plaintext downgrade), and samba (F24: multiple vulnerabilities).

openSUSE has updated java-1_7_0-openjdk (13.1: sandbox bypass).

Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)

Thursday 14th of April 2016 07:00:41 PM
Over at the Freedom to Tinker blog, guest poster Vitaly Shmatikov, who is a professor at Cornell Tech, writes about his study [PDF] of what URL shortening means for the security and privacy of cloud services. "TL;DR: short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices. We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments."
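As an added illustration of the post's core point (not code from the post or the paper), the block below quantifies why a six-character token is scannable: it computes the keyspace and entropy of a token over a 62-symbol alphabet, the calendar time needed to exhaust it at a sustained request rate, and the token length a shortener would need for a given entropy target, and generates such a token from a CSPRNG. The alphabet, the request rate and the one-year threshold are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Added example, not from the original post or paper. Assumed 62-symbol alphabet.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def token_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random token, in bits."""
    return length * math.log2(alphabet_size)


def scan_days(length, requests_per_second, alphabet_size=len(ALPHABET)):
    """Days needed to try every token once at a sustained request rate."""
    return keyspace(length, alphabet_size) / requests_per_second / 86400


def is_guessable(length, requests_per_second=10_000, max_days=365):
    """True if one scanner at requests_per_second could exhaust the keyspace within max_days.

    The rate and horizon are assumptions; the paper's scan sampled the space rather
    than exhausting it, which finds live links far sooner than full enumeration.
    """
    return scan_days(length, requests_per_second) <= max_days


def min_length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Smallest token length whose keyspace has at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def secure_token(length):
    """Uniformly random token drawn from a CSPRNG, suitable for an unguessable link."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(f"6-char token: {token_bits(6):.1f} bits, {scan_days(6, 10_000):.0f} days at 10k req/s")
    n = min_length_for_bits(128)
    print(f"128-bit target needs {n} chars, e.g. {secure_token(n)}")
```

The same arithmetic applies to any "unlisted but public" URL, such as a cloud-storage share link: what makes the link safe is the entropy of the token, not the absence of a directory listing.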

Security updates for Thursday

Thursday 14th of April 2016 02:55:11 PM

Debian has updated samba (multiple vulnerabilities) and samba (regression in previous update).

Fedora has updated samba (F23; F22: multiple vulnerabilities).

Mageia has updated apache-commons-collections (code execution), imlib2 (three vulnerabilities), mercurial (three vulnerabilities), optipng (two vulnerabilities), postgresql (two vulnerabilities), python-pillow (code execution), and thunderbird (unspecified).

openSUSE has updated lhasa (42.1; 13.2: code execution) and quagga (password disclosure).

SUSE has updated samba (SLE11SP2: multiple vulnerabilities).

[$] LWN.net Weekly Edition for April 14, 2016

Thursday 14th of April 2016 12:44:46 AM
The LWN.net Weekly Edition for April 14, 2016 is available.

Security advisories for Wednesday

Wednesday 13th of April 2016 05:40:53 PM

CentOS has updated samba (C6; C5: multiple vulnerabilities), ipa (C7; C6: multiple vulnerabilities), libldb (C7; C6: multiple vulnerabilities), libtalloc (C7; C6: multiple vulnerabilities), libtdb (C7; C6: multiple vulnerabilities), libtevent (C7; C6: multiple vulnerabilities), openchange (C7; C6: multiple vulnerabilities), samba (C7: multiple vulnerabilities), samba4 (C6: multiple vulnerabilities), and samba3x (C5: multiple vulnerabilities).

Fedora has updated imlib2 (F23: two vulnerabilities), libreswan (F23: denial of service), and xerces-c (F23: code execution).

openSUSE has updated mercurial (13.2: three vulnerabilities) and samba (Leap42.1: multiple vulnerabilities).

Oracle has updated samba (OL6; OL5: multiple vulnerabilities), samba and samba4 (OL7; OL6: multiple vulnerabilities), and samba3x (OL5: multiple vulnerabilities).

Red Hat has updated samba (RHEL7.1; RHEL6; RHEL6.2,6.4,6.5,6.6; RHEL5; RHEL5.6,5.9; RHEL4: multiple vulnerabilities), samba, samba4 (RHEL6,7: multiple vulnerabilities), samba3x (RHEL5; RHEL5.6,5.9: multiple vulnerabilities), and samba4 (RHEL6.2,6.5,6.6: multiple vulnerabilities).

Scientific Linux has updated samba (SL6; SL5: multiple vulnerabilities), samba, samba4 (SL6,7: multiple vulnerabilities), and samba3x (SL5: multiple vulnerabilities).

SUSE has updated samba (SLE12-SP1; SLE12; SLE11-SP4,SP3: multiple vulnerabilities) and kernel (SLE12-SP1: multiple vulnerabilities).

CoreOS "Ignition" released

Wednesday 13th of April 2016 04:06:45 PM
CoreOS has announced the release of its "Ignition" provisioning tool. "At the most basic level, Ignition is a tool for manipulating disks during early boot. This includes partitioning disks, formatting partitions, writing files, and configuring users." It runs as the first process — before systemd — to get the system into the proper shape before the ordinary boot process takes over.

[$] OpenBMC, a distribution for baseboard management controllers

Tuesday 12th of April 2016 11:21:29 PM

The Intelligent Platform Management Interface (IPMI) is a set of system-management-and-monitoring APIs typically implemented on server motherboards via an embedded system-on-chip (SoC) that functions completely outside of the host system's BIOS and operating system. While it is intended as a convenience for those who must manage dozens or hundreds of servers in a remote facility, IPMI has been called out for its potential as a serious hole in server security. At the 2016 Embedded Linux Conference in San Diego, Tian Fang presented Facebook's recent work on OpenBMC, a Linux distribution designed to replace proprietary IPMI implementations with an open-source alternative built around standard facilities like SSH.

More in Tux Machines

Security Leftovers

  • Security updates for Thursday
  • OpenSSL patches two high-severity flaws
    OpenSSL has released versions 1.0.2h and 1.0.1t of its open source cryptographic library, fixing multiple security vulnerabilities that can lead to traffic being decrypted, denial-of-service attacks, and arbitrary code execution. One of the high-severity vulnerabilities is actually a hybrid of two low-risk bugs and can cause OpenSSL to crash.
  • Linux Foundation Advances Security Efforts via Badging Program
    The Linux Foundation Core Infrastructure Initiative's badging program matures, as the first projects to achieve security badges are announced.
  • Linux Foundation tackles open source security with new badge program
  • WordPress Plugin ‘Ninja Forms’ Security Vulnerability
    FOSS Force has just learned from Wordfence, a security company that focuses on the open source WordPress content management platform, that a popular plugin used by over 500,000 sites, Ninja Forms, contains serious security vulnerabilities.
  • Preparing Your Network for the IoT Revolution
    While there is no denying that IP-based connectivity continues to become more and more pervasive, this is not a fundamentally new thing. What is new is that the target audience is changing and connectivity is becoming much more personal. It’s no longer limited to high-end technology consumers (watches and drones) but rather, it is showing up in nearly everything from children’s toys to kitchen appliances (yes, again) and media devices. The purchasers of these new technology-enabled products are far from security experts, or even security aware. Their primary purchasing requirement is ease of use.
  • regarding embargoes
    Yesterday I jumped the gun committing some patches to LibreSSL. We receive advance copies of the advisory and patches so that when the new OpenSSL ships, we’re ready to ship as well. Between the time we receive advance notice and the public release, we’re supposed to keep this information confidential. This is the embargo. During the embargo time we get patches lined up and a source tree for each cvs branch in a precommit state. Then we wait with our fingers on the trigger. What happened yesterday was I woke up to a couple of OpenBSD developers talking about the EBCDIC CVE. Oh, it’s public already? Check the OpenSSL git repo and sure enough, there are a bunch of commits for embargoed issues. Pull the trigger! Pull the trigger! Launch the missiles! Alas, we didn’t look closely enough at the exact issues fixed and had missed the fact that only low severity issues had been made public. The high severity issues were still secret. We were too hasty.
  • Medical Equipment Crashes During Heart Procedure Because of Antivirus Scan [Ed: Windows]
    A critical piece of medical equipment crashed during a heart procedure because of an antivirus scan that ran on the PC to which the device was sending data for logging and monitoring.
  • Hotel sector faces cybercrime surge as data breaches start to bite
    Since 2014, things have become a lot more serious, with a cross section of mostly US hotels suffering major breaches of point-of-sale (POS) terminals. Panda Security lists a string of attacks on big brands including Trump Hotels, Hilton Worldwide, Hyatt, Starwood and Rosen Hotels & Resorts, as well as two separate attacks on hotel management outfit White Lodging and another on the non-US hotel Mandarin Oriental.
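For the OpenSSL item above, the following is an added example (not code from the OpenSSL project or the linked article) of the version check an administrator would run after the release: it parses an `openssl version` string, compares the patch letter against the fixed releases named in the item (1.0.2h and 1.0.1t), and reports branches the advisory does not cover separately. The sample version strings are constructed; the real caveat, noted in the code, is that distributions such as Debian and Red Hat frequently backport fixes without bumping the upstream letter, so the package changelog, not the version string, is the authority on a distro-packaged OpenSSL.

```python
import re
import subprocess

# Added example, not from the OpenSSL project. Fixed releases per the item above.
FIXED_LETTER = {"1.0.2": "h", "1.0.1": "t"}

# Matches "OpenSSL 1.0.2g  1 Mar 2016" -> branch "1.0.2", letter "g".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(text):
    """Split an `openssl version` string into (branch, patch letter); the letter may be empty."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    return m.group(1), m.group(2)


def needs_update(text):
    """True if the branch is covered by the advisory and its letter predates the fixed release.

    Returns None for branches the advisory does not name (e.g. 1.1.0). Pre-1.1 OpenSSL
    patch releases are lettered a, b, c, ... so plain string comparison orders them;
    a branch with no letter at all ("1.0.2") sorts before every lettered release.
    """
    branch, letter = parse_openssl_version(text)
    if branch not in FIXED_LETTER:
        return None
    return letter < FIXED_LETTER[branch]


def local_openssl_status():
    """Check the binary on PATH.

    Caveat: distributions often backport security fixes without changing the
    upstream letter, so a True here on a distro package means "check the
    package changelog", not "definitely vulnerable".
    """
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), needs_update(out)


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.2g", "OpenSSL 1.0.2h", "OpenSSL 1.1.0"):
        print(sample, "->", needs_update(sample))
```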
