LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] GitHub unveils its Licenses API

Wednesday 11th of March 2015 08:18:15 PM

Since opening its doors in 2008, GitHub has grown to become the largest active project-hosting service for open-source software. But it has also attracted a fair share of criticism for some of its implementation choices—with one of the leading complaints being that it takes a lax approach to software licensing. That, in turn, leads to a glut of repositories bearing little or no licensing details. The company recently announced a new tool to help combat the license-confusion issue: a site-wide API for querying and reporting license information. Whether that API is up to the task, however, remains to be seen.

Security advisories for Wednesday

Wednesday 11th of March 2015 04:26:57 PM

CentOS has updated bind (C6: denial of service).

Debian has updated libssh2 (information leak), mod-gnutls (restriction bypass), and xen (multiple vulnerabilities).

Debian-LTS has updated axis (verification bypass).

Mageia has updated gnupg, libgcrypt (information leak), icu (code execution), pngcrush (denial of service), and vsftpd (unauthorized access).

openSUSE has updated autofs (13.2, 13.1: privilege escalation), glusterfs (13.1: denial of service), percona-toolkit (13.2, 13.1: man-in-the-middle attack), and putty (13.2, 13.1: information disclosure).

Oracle has updated bind (OL6: denial of service).

Red Hat has updated bind (RHEL6,7: denial of service).

Ubuntu has updated ecryptfs-utils (information disclosure) and icu (12.04: regression in previous update).

[$] Allowing small allocations to fail

Wednesday 11th of March 2015 12:47:32 AM
As Michal Hocko noted at the beginning of his session at the 2015 Linux Storage, Filesystem, and Memory Management Summit, the news that the memory-management code will normally retry small allocations indefinitely rather than returning a failure status came as a surprise to many developers. In this session, the assembled group attempted to come up with ways to safely change this behavior. Click below (subscribers only) for the full report from LSFMM 2015.

Exploiting the DRAM rowhammer bug to gain kernel privileges

Tuesday 10th of March 2015 09:21:15 PM
The Project Zero blog looks at the "Rowhammer" bug. "“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory." (Thanks to Paul Wise)

VMware update to GPL-enforcement suit

Tuesday 10th of March 2015 08:04:51 PM
VMware has published a statement on the lawsuit filed by Christoph Hellwig alleging copyright infringement. "On March 5, 2015, Software Freedom Conservancy (SFC) announced a lawsuit in Germany, filed by Christoph Hellwig against VMware, alleging a failure to comply with the General Public License (GPL). We believe the lawsuit is without merit, and we are disappointed that the SFC and plaintiff have resorted to litigation given the considerable efforts we have made to understand and address their concerns. We see huge value in supporting multiple development methodologies, including free and open source software, and we appreciate the crucial role of free and open source software in the data center. In particular, VMware devotes significant effort supporting customer usage of Linux and F/OSS based software stacks and workloads." LWN recently covered the lawsuit. (Thanks to Emmanuel Seyman)

Fedora 22 Alpha released

Tuesday 10th of March 2015 07:12:23 PM
The Fedora Project has announced the release of Fedora 22 Alpha. "The Alpha release contains all the exciting features of Fedora 22's editions in a form that anyone can help test. This testing, guided by the Fedora QA team, helps us target and identify bugs. When these bugs are fixed, we make a Beta release available. A Beta release is code-complete and bears a very strong resemblance to the third and final release. The final release of Fedora 22 is expected in May."

Tuesday's security updates

Tuesday 10th of March 2015 05:19:23 PM

Mandriva has updated kernel (multiple vulnerabilities).

Oracle has updated 389-ds-base (OL7: multiple vulnerabilities), glibc (OL7: multiple vulnerabilities), hivex (OL7: privilege escalation), openssh (OL7: two vulnerabilities), and pcre (OL7: information leak).

Red Hat has updated qpid-cpp (RHE MRG for RHEL7; RHE MRG for RHEL6; RHE MRG for RHEL5: multiple vulnerabilities).

Scientific Linux has updated 389-ds-base (SL6: information disclosure).

Ubuntu has updated apache2 (multiple vulnerabilities), oxide-qt (14.10, 14.04: multiple vulnerabilities), and firefox (14.10, 14.04, 12.04: regression in previous update).

The kernel's code of conflict

Monday 9th of March 2015 05:41:30 PM
A brief "code of conflict" was merged into the kernel's documentation directory for the 4.0-rc3 release. The idea is to describe the parameters for acceptable discourse without laying down a lot of rules; it also names the Linux Foundation's technical advisory board as a body to turn to in case of unacceptable behavior. This document has been explicitly acknowledged by a large number of prominent kernel developers.

Security advisories for Monday

Monday 9th of March 2015 05:06:55 PM

Debian-LTS has updated konversation (information disclosure), libarchive (directory traversal), and redcloth (cross-site scripting).

Fedora has updated cabextract (F21; F20: privilege escalation), kernel (F21: denial of service), krb5 (F20: multiple vulnerabilities), lftp (F20: automatically accepting ssh keys), libpng10 (F21; F20: two vulnerabilities), and qt3 (F21; F20: denial of service).

Gentoo has updated dbus (denial of service), freetype (multiple vulnerabilities), glibc (multiple vulnerabilities), and php (multiple vulnerabilities).

Mageia has updated apache (denial of service), jython (code execution), librsvg (multiple vulnerabilities), mapserver (command execution), and putty, filezilla (information disclosure).

Mandriva has updated rpm (code execution).

openSUSE has updated libmspack (13.2, 13.1: denial of service), thunderbird (13.2, 13.1: multiple vulnerabilities), and tiff (13.2, 13.1: multiple vulnerabilities).

SUSE has updated firefox (SLE11 SP3; SLE11 SP2, SP1, SLES10 SP4: multiple vulnerabilities).

Ubuntu has updated icu (12.04: regression in previous update).

Kernel prepatch 4.0-rc3

Monday 9th of March 2015 01:17:19 PM
The 4.0-rc3 prepatch is out. "Back on track with a Sunday afternoon release schedule, since there was nothing particularly odd going on this week, and no last-minute bugs that I knew of and wanted to get fixed holding things up."

Three Debian technical committee appointments

Monday 9th of March 2015 01:10:52 PM
Debian project leader Lucas Nussbaum has confirmed the appointment of three new members to the Debian technical committee. The new members are Didier Raboud, Tollef Fog Heen, and Sam Hartman; they will be replacing Ian Jackson, Russ Allbery, and Colin Watson.

A pile of stable kernel updates

Sunday 8th of March 2015 03:19:28 PM
The 3.19.1, 3.18.9, 3.14.35, and 3.10.71 stable kernel updates are available; each contains a relatively large set of important fixes.

Edmundson: High DPI Progress

Friday 6th of March 2015 09:30:10 PM

At his blog, David Edmundson writes about the state of high-DPI support in KDE. "For some applications supporting high DPI has been easy. It is a single one line in KWrite, and suddenly all icons look spot on with no regressions. For applications such as Dolphin which do a lot more graphical tasks, this has not been so trivial. There are a lot of images involved, and a lot of complicated code around caching these which conflicts with the high resolution support without some further work." He is personally tracking the progress of many applications, but notes that there are many unsolved issues. "There are still many applications without a frameworks release even in the upcoming 15.04 applications release. Even in the next applications release in 15.08 August we are still unlikely to see a released PIM stack. Is it a good idea to add an option into our UIs that improves some applications at the cost of consistency? It's not an easy answer." This update is Edmundson's second post on the subject; the first, from November 2014, is also quite informative.

Friday's security updates

Friday 6th of March 2015 04:58:59 PM

Debian has updated libarchive (directory traversal).

Debian-LTS has updated eglibc (multiple vulnerabilities).

Fedora has updated gnupg (F21: multiple vulnerabilities), libjpeg-turbo (F20; F21: denial of service), and qt (F20: denial of service).

Gentoo has updated jasper (multiple vulnerabilities).

Mageia has updated dokuwiki (M4: access control circumvention), maradns (M4: denial of service), python (M4: missing hostname check), vlc (M4: code execution), and vorbis-tools (M4: multiple vulnerabilities).

openSUSE has updated chromium (13.1, 13.2: multiple vulnerabilities) and php5 (13.1, 13.2: multiple vulnerabilities).

Oracle has updated 389-ds-base (OL6: information disclosure).

Red Hat has updated 389-ds-base (RHEL6; RHEL7: information disclosure), chromium-browser (RHEL6: multiple vulnerabilities), firefox (RHEL7: multiple vulnerabilities), glibc (RHEL7: multiple vulnerabilities), gnome-shell, mutter, clutter, cogl (RHEL7: denial of service), hivex (RHEL7: code execution), httpd (RHEL7: multiple vulnerabilities), ipa (RHEL7: multiple vulnerabilities), kernel (RHEL7: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libreoffice (RHEL7: multiple vulnerabilities), libvirt (RHEL7: multiple vulnerabilities), openssh (RHEL7: multiple vulnerabilities), openstack-glance (RHEL OSP6: denial of service), pcre (RHEL7: denial of service), powerpc-utils (RHEL7: information disclosure), ppc64-diag (RHEL7: information disclosure), qemu-kvm (RHEL7: multiple vulnerabilities), qemu-kvm-rhev (RHEL OSP6: buffer overflow), redhat-access-plugin-openstack (RHEL OSP6: information disclosure), thunderbird (RHEL7: multiple vulnerabilities), and virt-who (RHEL7: credentials disclosure).

Slackware has updated samba (14.1: code execution).

SUSE has updated PHP 5.3 (SLES11: multiple vulnerabilities).

Samba 4.2.0 released

Thursday 5th of March 2015 11:55:57 PM
The Samba team has announced the first release in the new stable 4.2.x series. This release adds transparent file compression, access to "Snapper" snapshots via the Windows Explorer "previous versions" dialog, better clustering support, and much more. This release also marks the end of support for Samba 3.

[$] A GPL-enforcement suit against VMware

Thursday 5th of March 2015 05:05:39 PM
When Karen Sandler, the executive director of the Software Freedom Conservancy, spoke recently at the Linux Foundation's Collaboration Summit, she spent some time on the Linux Compliance Project, an effort to improve compliance with the Linux kernel's licensing rules. This project, launched with some fanfare in 2012, has been relatively quiet ever since. Karen neglected to mention that this situation was about to change; that had to wait for the announcement on March 5 of the filing of a lawsuit against VMware alleging copyright infringement for its use of kernel code.

Subscribers can click below for the full story.

Thursday's security updates

Thursday 5th of March 2015 03:59:12 PM

Fedora has updated bind (F21; F20: denial of service), lftp (F21: automatically accepting ssh keys), and rubygem-actionpack (F20: two information leaks).

openSUSE has updated vsftpd (13.2, 13.1: access restriction bypass).

Ubuntu has updated icu (14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013).

[$] LWN.net Weekly Edition for March 5, 2015

Thursday 5th of March 2015 01:55:24 AM
The LWN.net Weekly Edition for March 5, 2015 is available.

[$] A look at EasyNAS

Wednesday 4th of March 2015 06:24:14 PM
Thus far, this series on network-attached storage (NAS) distributions has looked at three different approaches to the problem. OpenMediaVault provides a NAS server using traditional Linux filesystems, Rockstor bases everything on the Btrfs filesystem, and FreeNAS is a FreeBSD-based system using ZFS. This fourth (and probably final) installment in this series goes back to Btrfs with a look at EasyNAS, which is another attempt to make the unique features of Btrfs available in a dedicated NAS distribution.

Security advisories for Wednesday

Wednesday 4th of March 2015 05:07:58 PM

Debian has updated icedove (multiple vulnerabilities).

Debian-LTS has updated unace (code execution).

Fedora has updated arc (F21; F20: directory traversal), e2fsprogs (F21; F20: code execution), glibc (F21; F20: multiple vulnerabilities), php (F20: multiple vulnerabilities), and qt (F21: denial of service).

Mageia has updated php (multiple vulnerabilities).

Mandriva has updated bind (denial of service) and freetype2 (many vulnerabilities).

openSUSE has updated apache2 (13.2: denial of service), postgresql93 (13.2: multiple vulnerabilities), and python-rope (13.2, 13.1: unauthorized pickle.load).

Red Hat has updated foreman-proxy (RHEL OSP Foreman; RHEL OSP4.0: restriction bypass).

SUSE has updated php5 (SLE12: two vulnerabilities).

Ubuntu has updated kernel (14.04: regression in previous update) and linux-lts-trusty (12.04: regression in previous update).
