LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Thursday's security advisories

Thursday 8th of September 2016 05:54:20 PM

Debian-LTS has updated icu (code execution) and roundcube (three vulnerabilities, one each from 2015 and 2014).

openSUSE has updated libsrtp (42.1: denial of service from 2015), libstorage (42.1: password disclosure), and libtcnative-1-0 (42.1: cipher downgrade from 2015).

Red Hat has updated Kibana (RHOS3: two vulnerabilities).

Scientific Linux has updated thunderbird (multiple vulnerabilities).

SUSE has updated java-1_7_1-ibm (SLE11: three unspecified vulnerabilities).

[$] What's next for Apache OpenOffice

Thursday 8th of September 2016 09:00:39 AM
Concerns about the viability of the Apache OpenOffice (AOO) project are not new; they had been in the air for a while by the time LWN looked at the project's development activity in early 2015. Since then, though, the worries have grown more pronounced, especially after AOO's recent failure to produce a release with an important security fix nearly one year after being notified of the vulnerability. The result is an internal discussion on whether the project should be "retired," or whether it will find a way to turn its fortunes around.

[$] An asynchronous Internet in GNOME

Thursday 8th of September 2016 04:57:31 AM

At GUADEC 2016 in Karlsruhe, Germany, Jonathan Blandford challenged the GNOME project to rethink how its desktop software uses network access. The GNOME desktop assumes Internet connectivity is always available, which has the side effect of making the software stack considerably less useful and, indeed, usable to people who live in those places regarded as the developing world.

Weekly edition one day late this week

Wednesday 7th of September 2016 06:43:12 PM
Last Monday was the Labor Day holiday in the US, so the LWN crew took the day off to celebrate. As a result, the weekly edition will be published one day late this week. It will be available on Friday, sometime shortly after midnight UTC.

Stable kernel updates

Wednesday 7th of September 2016 04:05:48 PM
Stable kernels 4.7.3, 4.4.20, and 3.14.78 have been released with the usual set of important fixes. There will be one more 3.14.x kernel release before this kernel series hits its end-of-life.

Wednesday's security advisories

Wednesday 7th of September 2016 03:56:53 PM

Debian has updated charybdis (incorrect SASL authentication).

Debian-LTS has updated libtomcrypt (signature forgery).

Fedora has updated 389-ds-base (F23: information disclosure), libgcrypt (F23: flawed random number generation), libksba (F23: denial of service), and mediawiki (F24; F23: multiple vulnerabilities).

openSUSE has updated Chromium (Leap42.1: multiple vulnerabilities), thunderbird (SPH for SLE12; Leap42.1, 13.2: multiple vulnerabilities), and tomcat (Leap42.1: two vulnerabilities).

Red Hat has updated postgresql92-postgresql (RHSCL: two vulnerabilities) and rh-postgresql95-postgresql (RHSCL: two vulnerabilities).

SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).

Git v2.10.0

Tuesday 6th of September 2016 08:21:06 PM
Git 2.10 has been released, with lots of updates to the user interface and workflows, performance enhancements, and much more. See the announcement for details.

Danko: Next steps for Gmane

Tuesday 6th of September 2016 07:01:41 PM
LWN previously reported that Gmane creator and maintainer Lars Magne Ingebrigtsen shut down the website and was contemplating shutting down the service entirely. Martin Danko now reports that Gmane has a new maintainer. "I petitioned some of our directors to allow us to offer to take it over and in the end we entered into agreement with Lars to take over Gmane. The assets of Gmane have been placed into a UK company Gmane Ltd. As part of the agreement, we have received the INN spool with all the articles but none of the code that drives the site. We’ve started rebuilding parts of the site just to get it back online, it’s not perfect and there are pieces missing but we’re working on building all the functionality back into the site." (Thanks to Brian Thomas)

Security advisories for Tuesday

Tuesday 6th of September 2016 05:08:54 PM

Arch Linux has updated thunderbird (code execution).

CentOS has updated ipa (C7; C6: denial of service) and thunderbird (C7; C6; C5: code execution).

Debian has updated chromium-browser (multiple vulnerabilities), flex (regression in previous update), and kernel (multiple vulnerabilities).

Debian-LTS has updated jsch (path traversal), kernel (multiple vulnerabilities), and tiff3 (multiple vulnerabilities).

Fedora has updated ca-certificates (F23: certificate update), ganglia (F24; F23: cross-site scripting), glibc (F23: denial of service), kernel (F24; F23: two vulnerabilities), lcms2 (F23: heap memory leak), and phpMyAdmin (F24: multiple vulnerabilities).

openSUSE has updated curl (13.2: three vulnerabilities), dosfstools (Leap42.1: two vulnerabilities), eog (Leap42.1, 13.2: out-of-bounds write), and xerces-c (Leap42.1: two vulnerabilities).

Oracle has updated thunderbird (OL7; OL6: code execution).

Red Hat has updated kernel (RHEL6.7; RHEL6.5: information leak) and thunderbird (RHEL5,6,7: code execution).

Scientific Linux has updated ipa (SL6,7: denial of service).

SUSE has updated kernel (SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities).

LLVM 3.9 released

Tuesday 6th of September 2016 08:37:11 AM
Version 3.9 of the LLVM compiler suite is out. "This release is the result of the LLVM community's work over the past six months, including ThinLTO, new libstdc++ ABI compatibility, support for all OpenCL 2.0 and all non-offloading OpenMP 4.5 features, clang-include-fixer, many new clang-tidy checks, significantly improved ELF linking with lld, identical code folding and initial LTO support in lld, as well as improved optimization, many bug fixes and more."

Anticipating KDE's 20th anniversary

Tuesday 6th of September 2016 06:38:55 AM
The announcement of a project to develop the "Kool Desktop Environment" went out on October 14, 1996. As the 20th anniversary of that announcement approaches, the KDE project is celebrating with a project timeline and a 20 Years of KDE book. "This book presents 37 stories about the technical, social and cultural aspects that shaped the way the KDE community operates today. It has been written as part of the 20th anniversary of KDE. From community founders and veterans to newcomers, with insights from different perspectives and points of view, the book provides you with a thrilling trip through the history of such an amazing geek family."

Kernel prepatch 4.8-rc5

Monday 5th of September 2016 06:56:07 AM
The 4.8-rc5 kernel prepatch is available for testing. "So rc5 is noticeably bigger than rc4 was, and my hope last week that we were starting to calm down and shrink the releases seems to have been premature. [...] Not that any of this looks worrisome per se, but if things don't start calming down from now, this may be one of those releases that will need an rc8. We'll see."

Z-Wave protocol specification now public

Friday 2nd of September 2016 10:58:35 PM

The Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.

Friday's security updates

Friday 2nd of September 2016 03:43:20 PM

Arch Linux has updated chromium (multiple vulnerabilities) and webkit2gtk (multiple vulnerabilities).

Debian has updated libidn (multiple vulnerabilities).

Debian-LTS has updated mailman (password disclosure).

Fedora has updated canl-c (F24; F23: proxy manipulation), krb5 (F23: denial of service), libksba (F24: denial of service), openvpn (F23: information disclosure), tomcat (F24; F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities).

openSUSE has updated karchive (SLE12: command execution).

Oracle has updated ipa (O7; O6: denial of service).

Suspect in kernel.org breakin arrested

Friday 2nd of September 2016 02:08:15 PM
The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. "[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers."

Contemplating the possible retirement of Apache OpenOffice

Friday 2nd of September 2016 07:02:15 AM
Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In responses to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is the PMC has been requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.)

Also of interest is this note on how the handling of CVE-2016-1513 went.

OpenBSD 6.0

Thursday 1st of September 2016 08:54:59 PM
OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. This release also includes new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.

Thursday's security updates

Thursday 1st of September 2016 03:08:51 PM

Debian-LTS has updated cacti (authentication bypass).

Mageia has updated eog (M5: out-of-bounds write), python3/python (M5: HTTPoxy attack), redis (M5: information leak), and webkit2 (M5: multiple vulnerabilities).

openSUSE has updated cracklib (Leap 42.1: code execution), gd (13.2: out-of-bounds read), and libgcrypt (13.2: flawed random number generation).

Red Hat has updated ipa (RHEL 6,7: denial of service).

Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).

Building a new Tor that can resist next-generation state surveillance (ars technica)

Thursday 1st of September 2016 09:07:23 AM
Here's a lengthy ars technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."

[$] LWN.net Weekly Edition for September 1, 2016

Thursday 1st of September 2016 01:39:30 AM
The LWN.net Weekly Edition for September 1, 2016 is available.
