LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security updates

Friday 3rd of February 2017 04:48:10 PM

Arch Linux has updated qt5-webengine (multiple vulnerabilities) and tcpdump (multiple vulnerabilities).

CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities).

Debian-LTS has updated ntfs-3g (privilege escalation) and svgsalamander (server-side request forgery).

Fedora has updated openldap (F25: unintended cipher usage from 2015), and wavpack (F25: multiple vulnerabilities).

Mageia has updated openafs (information leak) and pdns-recursor (denial of service).

openSUSE has updated java-1_8_0-openjdk (42.2, 42.1: multiple vulnerabilities), mupdf (42.2; 42.1: three vulnerabilities), phpMyAdmin (42.2, 42.1: multiple vulnerabilities, one from 2015), and Wireshark (42.2: two denial of service flaws).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated libtiff (SL7&6: multiple vulnerabilities, one from 2015) and thunderbird (multiple vulnerabilities).

Ubuntu has updated kernel (16.10; 14.04; 12.04: multiple vulnerabilities), kernel, linux-raspi2, linux-snapdragon (16.04: two vulnerabilities), linux-lts-trusty (12.04: code execution), linux-lts-xenial (14.04: two vulnerabilities), and tomcat (14.04, 12.04: regression in previous update).

Announcing Rust 1.15

Thursday 2nd of February 2017 10:56:59 PM
The Rust team has released version 1.15 of the Rust programming language, which adds a custom derive feature. "These kinds of libraries are extremely powerful, but rely on custom derive for ergonomics. While these libraries worked on Rust stable previously, they were not as nice to use, so much so that we often heard from users “I only use nightly because of Serde and Diesel.” The use of custom derive is one of the most widely used nightly-only features. As such, RFC 1681 was opened in July of last year to support this use-case. The RFC was merged in August, underwent a lot of development and testing, and now reaches stable today!"

Dz: Seccomp sandboxing not enabled for acme-client

Thursday 2nd of February 2017 09:10:58 PM
In the acme-client-portable repository at GitHub, developer Kristaps Dz has a rather stinging indictment of trying to use seccomp sandboxing for the portable version of acme-client, which is a client program for getting Let's Encrypt certificates. He has disabled seccomp filtering in the default build for a number of reasons. "So I might use mmap, but the system call is mmap2? Great. This brings us to the second and larger problem. The C library. There are several popular ones on Linux: glibc, musl, uClibc, etc. Each of these is free to implement any standard function (like mmap, above) in any way. So while my code might say read, the C library might also invoke fstat. Great. In general, section 2 calls (system calls) map evenly between system call name and function name. (Except as noted above... and maybe elsewhere...) However, section 3 is all over the place. The strongest differences were between big functions like getaddrinfo(2). Then there's local modifications. And not just between special embedded systems. But Debian and Arch, both using glibc and both on x86_64, have different kernels installed with different features. Great. Less great for me and seccomp." (Thanks to Paul Wise.)
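The mismatch Dz describes can be observed rather than guessed. The program below is an added example, not code from acme-client-portable: it installs a seccomp-BPF filter that fails open(2) with EACCES and openat(2) with EPERM while allowing every other system call, then calls the plain libc open() wrapper and reads errno to learn which of the two syscalls the wrapper actually issued on this libc and architecture. The function and macro names (probe_open_syscall, install_probe_filter, PROBE_ARCH) are this example's own; it assumes Linux on x86_64 or aarch64 with any libc.

```c
/* Added example (not code from acme-client-portable): observe which
 * system call the C library's open() wrapper really issues.
 *
 * The filter makes open(2) fail with EACCES and openat(2) fail with
 * EPERM and lets everything else through.  Calling the libc open()
 * wrapper afterwards and inspecting errno reveals which syscall the
 * wrapper used here, which is exactly the fact a hand-written seccomp
 * whitelist has to get right.
 *
 * Assumptions: Linux, x86_64 or aarch64, any libc.
 * Build:  cc -Wall -o open_probe open_probe.c
 */
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define PROBE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define PROBE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install the probe filter on the calling thread.  Returns 0 on success. */
static int install_probe_filter(void)
{
    struct sock_filter filter[] = {
        /* Check the ABI first: syscall numbers differ between ABIs, and a
         * filter without this check can be bypassed on x86_64 through the
         * 32-bit compat syscall table. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROBE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
        /* open(2) exists on this ABI (it does not on aarch64): fail it with EACCES. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
#endif
        /* openat(2): fail it with EPERM. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else passes, so the process keeps running normally. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call libc open() under the filter and report which syscall it issued:
 * "openat", "open", or NULL if the filter could not be installed or the
 * wrapper was not intercepted at all. */
const char *probe_open_syscall(void)
{
    if (install_probe_filter() != 0)
        return NULL;

    errno = 0;
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) {
        close(fd);          /* not intercepted: the wrapper used a third syscall */
        return NULL;
    }
    if (errno == EPERM)
        return "openat";
    if (errno == EACCES)
        return "open";
    return NULL;
}

int main(void)
{
    const char *which = probe_open_syscall();
    if (which == NULL) {
        fprintf(stderr, "could not determine the syscall (seccomp unavailable?)\n");
        return 1;
    }
    printf("libc open() is implemented with the %s system call here\n", which);
    return 0;
}
```

Current glibc on x86_64 reports "openat"; musl on the same machine reports "open", because it uses SYS_open whenever the ABI defines it. The filter deliberately returns an errno instead of killing the process, so the probe can be run inside a test harness; a real sandbox would use SECCOMP_RET_KILL_PROCESS for anything outside its whitelist. The practical lesson is the one in the quote: derive a whitelist by observing the binary (a probe like this, or strace -f on the real workload) on every libc and distribution you ship to, not by reading which functions the source calls.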

Stable kernels 4.9.7 and 4.4.46 have been released

Thursday 2nd of February 2017 04:00:00 PM
The 4.9.7 and 4.4.46 kernels have been released by Greg Kroah-Hartman. They contain fixes throughout the tree and users of those kernel series should upgrade.

Thursday's security advisories

Thursday 2nd of February 2017 03:53:26 PM

Debian has updated ntfs-3g (privilege escalation).

Debian-LTS has updated openssl (three vulnerabilities).

Fedora has updated jasper (F25: code execution), moodle (F24: multiple vulnerabilities), and percona-xtrabackup (F25; F24: information disclosure).

Mageia has updated libxpm (code execution), pdns (multiple vulnerabilities), python-pycrypto (denial of service from 2013), and wireshark (two denial of service flaws).

openSUSE has updated bzrtp (42.2, 42.1: man-in-the-middle vulnerability), firefox (42.2, 42.1: multiple vulnerabilities), nginx (42.2, 42.1; SPH for SLE12: denial of service), seamonkey (42.2, 42.1: code execution), and thunderbird (42.2, 42.1; SPH for SLE12: multiple vulnerabilities).

Red Hat has updated rabbitmq-server (OSP8.0: denial of service from 2015) and thunderbird (multiple vulnerabilities).

Ubuntu has updated gnutls26, gnutls28 (multiple vulnerabilities), irssi (multiple vulnerabilities), iucode-tool (16.10, 16.04: code execution), libxpm (code execution), and ntfs-3g (16.10, 16.04: privilege escalation).

The GNOME Foundation gets a new director

Thursday 2nd of February 2017 12:41:44 AM
The GNOME Foundation's long search for a new executive director has finally come to an end: Neil McGovern has taken the job. "McGovern is an experienced leader in Free Software projects and is best known for his role as Debian Project Leader from 2014-15. He has been on the Boards of numerous organizations, including Software in the Public Interest, Inc. and the Open Rights Group."

[$] LWN.net Weekly Edition for February 2, 2017

Thursday 2nd of February 2017 12:13:09 AM
The LWN.net Weekly Edition for February 2, 2017 is available.

Krita 3.1.2 released

Wednesday 1st of February 2017 07:36:27 PM
Version 3.1.2 of the Krita painting application has been released. This version features audio support for animations along with other improvements and bug fixes. "Audio is not yet available in the Linux appimages. It is an experimental feature, with no guarantee that it works correctly yet — we need your feedback!"

[$] Three new FOSS umbrella organizations in Europe

Wednesday 1st of February 2017 06:45:41 PM
Last year, three new umbrella organizations for free and open-source software (and hardware) projects emerged in Europe. Their aim is to cater to the needs of the community by providing a legal entity for projects to join, leaving the projects free to focus on technical and community tasks. These organizations (Public Software CIC, [The Commons Conservancy], and the Center for the Cultivation of Technology) will take on the overhead of actually running a legal entity themselves.

Security advisories for Wednesday

Wednesday 1st of February 2017 04:48:52 PM

Arch Linux has updated salt (two vulnerabilities).

CentOS has updated libtiff (C7; C6: multiple vulnerabilities).

Debian has updated libgd2 (multiple vulnerabilities), ruby-archive-tar-minitar (file overwrites), and wordpress (multiple vulnerabilities).

Debian-LTS has updated ikiwiki (three vulnerabilities), libplist (two vulnerabilities), and wordpress (multiple vulnerabilities).

Gentoo has updated pcsc-lite (privilege escalation).

openSUSE has updated openssh (42.2: multiple vulnerabilities).

Oracle has updated libtiff (OL7; OL6: multiple vulnerabilities).

Red Hat has updated libtiff (RHEL6,7: multiple vulnerabilities).

SUSE has updated gnutls (SLE12-SP1,2: multiple vulnerabilities) and java-1_8_0-openjdk (SLE12-SP1,2: multiple vulnerabilities).

Ubuntu has updated openssl (multiple vulnerabilities).

LEDE v17.01.0-rc1 released

Wednesday 1st of February 2017 03:28:58 PM
The LEDE project, working on a fork of the OpenWrt router distribution, has announced its first release candidate. "With this release, the LEDE development team closes out an intense effort to modernize many parts of OpenWrt and incorporate many new modules, packages, and technologies." Click below for a terse list of changes; they include the significant WiFi performance improvements described in this article.

LibreOffice 5.3 released

Wednesday 1st of February 2017 03:08:05 PM
Version 5.3 of the LibreOffice office suite is out. "LibreOffice 5.3 represents a significant step forward in the evolution of the software: it offers an introduction to new features such as online with collaborative editing, which increase the competitive positioning of the application, and at the same time provides incremental improvements, to make the program more reliable, interoperable and user friendly."

Open-Sourcing Google Earth Enterprise

Tuesday 31st of January 2017 09:21:07 PM
Google has announced that Google Earth Enterprise (GEE) will be published on GitHub under the Apache2 license in March. GEE is an enterprise product that allows developers to build and host their own private maps and 3D globes. This release includes GEE Fusion, GEE Server, and GEE Portable Server source code. "Feedback is important to us and we’ve heard from our customers that GEE remains in-use in mission-critical applications. Many customers have not transitioned to other technologies. Open-sourcing GEE allows our customer community to continue to improve and evolve the project in perpetuity. Note that the Google Earth Enterprise Client, Google Maps JavaScript® API V3 and Google Earth API will not be open sourced. The Enterprise Client will continue to be made available and updated. However, since GEE Fusion and GEE Server are being open-sourced, the imagery and terrain quadtree implementations used in these products will allow third-party developers to build viewers that can consume GEE Server Databases." (Thanks to Paul Wise)

Time To Upgrade Your Python: TLS v1.2 Will Soon Be Mandatory

Tuesday 31st of January 2017 08:53:20 PM
The Python Software Foundation has announced that python.org and related sites will begin disabling the old TLS versions 1.0 and 1.1. "This change was imposed on us by our content delivery network, Fastly, in response to a change imposed on them by the Payment Card Industry Security Standards Council. In order to continue serving websites that take credit card payments, Fastly is required to disable the old, insecure versions of TLS. Since the PSF's servers, including PyPI, use Fastly, the old versions of TLS will be disabled as well."

Security updates for Tuesday

Tuesday 31st of January 2017 05:46:21 PM

Debian has updated chromium-browser (multiple vulnerabilities).

Debian-LTS has updated libarchive (denial of service), ruby-archive-tar-minitar (file overwrites), and tcpdump (multiple vulnerabilities).

Fedora has updated flatpak (F24: sandbox escape), irssi (F25; F24: multiple vulnerabilities), kernel (F25; F24: multiple vulnerabilities), and python-crypto (F25; F24: denial of service).

Gentoo has updated ansible (code execution) and harfbuzz (multiple vulnerabilities).

openSUSE has updated lcms2 (42.1: heap memory leak) and virtualbox (42.1: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7.2: two vulnerabilities), kernel (RHEL6.6; RHEL6.2: code execution), and nagios (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL6; RHELOSP5 for RHEL7: multiple vulnerabilities).

SUSE has updated kernel (SLE11-SP2: multiple vulnerabilities).

KDE Plasma 5.9 released

Tuesday 31st of January 2017 03:29:36 PM
The KDE project has announced the release of the Plasma 5.9 desktop environment with a number of new features. "Global Menus have returned. KDE's pioneering feature to separate the menu bar from the application window allows for a new user interface paradigm with either a Plasma Widget showing the menu or neatly tucked away in the window bar."

How to get up and running with sweet Orange Pi (Opensource.com)

Monday 30th of January 2017 08:48:24 PM
David Egts reviews the Orange Pi at Opensource.com. "Compared to a $5 Raspberry Pi Zero, the Orange Pi Zero is only a few dollars more expensive, but it is much more useful out of the box because it has onboard Internet connectivity and four CPU cores instead of one. This onboard networking capability also makes the Orange Pi Zero a better gift than a Raspberry Pi Zero because the Raspberry Pi Zero needs Micro-USB-to-USB adapters and a Wi-Fi USB adapter to connect to the Internet. When giving IoT devices as gifts, you want the recipient to enjoy the product as quickly and easily as possible, instead of giving something incomplete that will just end up on a shelf."

Security advisories for Monday

Monday 30th of January 2017 06:33:10 PM

Arch Linux has updated chromium (multiple vulnerabilities), firefox (multiple vulnerabilities), kernel (privilege escalation), lib32-openssl (three vulnerabilities), libimobiledevice (access restriction bypass), linux-lts (privilege escalation), linux-zen (privilege escalation), openssl (three vulnerabilities), and thunderbird (multiple vulnerabilities).

Debian has updated lcms2 (heap memory leak), openssl (three vulnerabilities), and tcpdump (multiple vulnerabilities).

Debian-LTS has updated bind9 (three denial of service flaws), imagemagick (multiple vulnerabilities), libgd2 (three vulnerabilities), tiff3 (invalid tiff files), and zoneminder (information leak, authentication bypass).

Fedora has updated fedmsg (F24: insufficient signature validation), firefox (F24: multiple vulnerabilities), flatpak (F25: sandbox escape), ghostscript (F25; F24: denial of service), ikiwiki (F25; F24: three vulnerabilities), libXpm (F24: code execution), mapserver (F25; F24: code execution), and pdns (F25; F24: multiple vulnerabilities).

Gentoo has updated a2ps (code execution from 2014), ark (code execution), chromium (multiple vulnerabilities), ffmpeg (multiple vulnerabilities), firewalld (authentication bypass), freeimage (two vulnerabilities, one from 2015), libpng (NULL dereference bug), libXpm (code execution), perl (multiple vulnerabilities, two from 2015), and squashfs-tools (two vulnerabilities from 2015).

Mageia has updated 389-ds-base (denial of service), libvncserver (two vulnerabilities), mbedtls (two vulnerabilities), nvidia-current, ldetect-lst (three vulnerabilities), opus (code execution), pcsc-lite (privilege escalation), python-bottle (CRLF attacks), and shadow-utils (two vulnerabilities).

openSUSE has updated gstreamer-0_10-plugins-base (42.1: code execution), gstreamer-plugins-base (42.2: code execution), and rabbitmq-server (42.2: authentication bypass).

SUSE has updated gnutls (SLE11-SP4: multiple vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

Kernel prepatch 4.10-rc6

Monday 30th of January 2017 02:49:06 PM
The 4.10-rc6 kernel prepatch is out for testing. Linus is worried that the patch activity has increased this time around. "It's still not all that big by historical standards, since 4.10 has generally been pretty calm, but it's a bit distressing. I was hoping to do the usual 'rc7 is the last rc' release schedule for once (with both 4.8 and 4.9 pushing out to rc8), and I really want things to calm down for that to happen." The codename has changed again, now it's "Fearless Coyote".

Shutting down FTP services (kernel.org)

Sunday 29th of January 2017 06:40:09 PM
Kernel.org has announced that it will be shutting down FTP access to its archives in two stages: March 1 will see the end of ftp.kernel.org, while December 1 is the termination date for mirrors.kernel.org.

Let's face it -- while kinda neat and convenient, offering a public NFS/CIFS server was a Pretty Bad Idea, not only because both these protocols are pretty terrible over high latency connections, but also because of important security implications.

Well, 19 years later we're thinking it's time to terminate another service that has important protocol and security implications -- our FTP servers. Our decision is driven by the following considerations:

  1. The protocol is inefficient and requires adding awkward kludges to firewalls and load-balancing daemons
  2. FTP servers have no support for caching or accelerators, which has significant performance impacts
  3. Most software implementations have stagnated and see infrequent updates
All kernel.org FTP services will be shut down by the end of this year.

More in Tux Machines

Security Leftovers

  • Atom Installer
    One thing that I miss about using Ubuntu is PPAs: there are lots of PPAs in Ubuntu and you can hack around and install all types of software which are required for your usage. In the Fedora side of the world there are copr repos but they don’t have as many repos as in Ubuntu and you can’t build non-free software (don’t get me wrong here, I love FREEdom software but couldn’t resist not using some beautiful non-free applications such as Sublime). I am creating a work around for this by using shell scripts which are open source (cc0) but when those scripts are executed they install non-free software on your system.
  • MKVToolNix 9.9.0 MKV Manipulation Tool Released with New GUI Improvements, More
    MKVToolNix developer Moritz Bunkus announced today, February 20, 2017, the release and general availability of MKVToolNix 9.9.0 "Pick Up" for all supported platforms, including GNU/Linux, macOS, and Microsoft Windows. MKVToolNix 9.9.0 represents a month of work, during which the developer added a number of new features, fixed many of the bugs reported by users since last month's MKVToolNix 9.8.0 point release, and improved the build system, especially in regards to the man pages of the software.
  • Chakra GNU/Linux Users Get KDE Plasma 5.9.2 and KDE Applications 16.12.2, More
    The developers behind the Chakra GNU/Linux operating system have announced today the immediate availability of all the latest KDE technologies released this month in the stable repositories of the distribution. Yes, we're talking about the KDE Plasma 5.9.2 desktop environment, KDE Applications 16.12.2 software suite, KDE Frameworks 5.31.0, and KDE Development Platform 4.14.29, all of which can be found in your Chakra GNU/Linux's repos if you want to run the newest KDE software.

today's howtos

Leftovers: Ubuntu

  • IOTA: IoT revolutionized with a Ledger
    Ever since the introduction of digital money, the world quickly came to realize how dire and expensive the consequences of centralized systems are. Not only are these systems incredibly expensive to maintain, they are also “single points of failures” which expose a large number of users to unexpected service interruptions, fraudulent activities and vulnerabilities that can be exploited by malicious hackers. Thanks to Blockchain, which was first introduced through Bitcoin in 2009, the clear benefits of a decentralized and “trustless” transactional settlement system became apparent. No longer should expensive trusted third parties be used for handling transactions, instead, the flow of money should be handled in a direct, Peer-to-Peer fashion. This concept of a Blockchain (or more broadly, a distributed ledger) has since then become a global phenomenon attracting billions of dollars in investments to further develop the concept.
  • Return Home and Unify: My Case for Unity 8
  • Can netbooks be cool again?
    Earlier this week, my colleague Chaim Gartenberg covered a laptop called the GPD Pocket, which is currently being funded on Indiegogo. As Chaim pointed out, the Pocket’s main advantage is its size — with a 7-inch screen, the thing is really, really small — and its price, a reasonable $399. But he didn’t mention that the Pocket is the resurrection of one of the most compelling, yet fatally flawed, computing trends of the ‘00s: the netbook. So after ten years, are netbooks finally cool again? That might be putting it too strongly, but I’m willing to hope.

Linux Devices

  • Compact, rugged module runs Linux or Android on Apollo Lake
    Ubiqcomm’s 95 x 95mm, Apollo Lake-based “COM-AL6C” COM offers 4K video along with multiple SATA, USB, GbE, and PCIe interfaces, plus -40 to 85°C operation. Ubiqconn Technology Inc. has announced a “COM-AL6C” COM Express Type 6 Compact form factor computer-on-module built around Intel’s Apollo Lake processors and designed to withstand the rigors of both fixed and mobile industrial applications. The module offers a choice among three Intel Apollo Lake processors: the quad-core Atom x5-E3930, quad-core x5-E3940, and dual-core x7-E3950, which are clocked at up to 2.0GHz burst and offer TDPs from 6.5 to 12 Watts.
  • Internet-enable your microcontroller projects for under $6 with ESP8266
    To get started with IoT (the Internet of Things), your device needs, well, an Internet connection. Base Arduino microcontrollers don't have Internet connectivity by default, so you either need to add Ethernet, Wi-Fi shields, or adapters to them, or buy an Arduino that has built-in Internet connectivity. In addition to complexity, both approaches add cost and consume the already-precious Arduino flash RAM for program space, which limits what you can do. Another approach is to use a Raspberry Pi or similar single-board computer that runs a full-blown operating system like Linux. The Raspberry Pi is a solid choice in many IoT use cases, but it is often overkill when all you really want to do is read a sensor and send the reading up to a server in the cloud. Not only does the Raspberry Pi potentially drive up the costs, complexity, and power consumption of your project, but it is running a full operating system that needs to be patched, and it has a much larger attack surface than a simple microcontroller. When it comes to IoT devices and security, simpler is better, so you can spend more time making and less time patching what you already made.
  • Blinkenlights!
  • Blinkenlights, part 2
  • Blinkenlights, part 3
  • [Older] Shmoocon 2017: The Ins And Outs Of Manufacturing And Selling Hardware
    Every day, we see people building things. Sometimes, useful things. Very rarely, this thing becomes a product, but even then we don’t hear much about the ins and outs of manufacturing a bunch of these things or the economics of actually selling them. This past weekend at Shmoocon, [Conor Patrick] gave the crowd the inside scoop on selling a few hundred two factor authentication tokens. What started as a hobby is now a legitimate business, thanks to good engineering and abusing Amazon’s distribution program.
  • 1.8 Billion Mobile Internet Users NEVER use a PC, 200 Million PC Internet Users never use a mobile phone. Understanding the 3.5 Billion Internet Total Audience
    As I am working to finish the 2017 Edition of the TomiAhonen Almanac (last days now) I always get into various updates of numbers, that remind me 'I gotta tell this story'.. For example the internet user numbers. We have the December count by the ITU for year 2016, that says the world has now 3.5 Billion internet users in total (up from 3.2 Billion at the end of year 2015). So it's no 'drama' to know what is 'that' number. The number of current internet total users is yes, 3.5 Billion, almost half of the planet's total population (47%).
    As I am working to finish the 2017 Edition of the TomiAhonen Almanac (last days now) I always get into various updates of numbers, that remind me 'I gotta tell this story'.. For example the internet user numbers. We have the December count by the ITU for year 2016, that says the world has now 3.5 Billion internet users in total (up from 3.2 Billion at the end of year 2015). So its no 'drama' to know what is 'that' number. The number of current internet total users is yes, 3.5 Billion, almost half of the planet's total population (47%).