Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 37 min ago

Security advisories for Monday

Monday 11th of July 2016 05:09:20 PM

Arch Linux has updated thunderbird (code execution).

Fedora has updated community-mysql (F24: unspecified), davfs2 (F24: unspecified), gimp (F23: use-after-free), krb5 (F23: buffer overflow), and nodejs-ws (F24; F23: denial of service).

Gentoo has updated libpcre (multiple vulnerabilities) and squid (multiple vulnerabilities).

Mageia has updated drupal (privilege escalation), libreoffice (code execution), libvirt (authentication bypass), mbedtls (three vulnerabilities), spice (two vulnerabilities), struts (two vulnerabilities), and tcpreplay (denial of service).

openSUSE has updated glibc (Leap42.1: multiple vulnerabilities), libircclient (13.1: insecure cipher suites), and thunderbird (SPH for SLE12; Leap42.1, 13.2; 13.1: multiple vulnerabilities).

Red Hat has updated thunderbird (RHEL5,6,7: code execution).

SUSE has updated GraphicsMagick (SSO1.3, SLE11-SP4: multiple vulnerabilities), ImageMagick (SLE12-SP1; SLE11-SP4: many vulnerabilities), kvm (SLES11-SP4: multiple vulnerabilities), and kernel (SLERTE12-SP1: multiple vulnerabilities).

Kernel prepatch 4.7-rc7

Monday 11th of July 2016 12:24:58 PM
Linus has released the 4.7-rc7 kernel prepatch. "Anyway, there's a couple of regressions still being looked at, but unless anything odd happens, this is going to be the last rc. However, due to my travel schedule, I won't be doing the final 4.7 next weekend, and people will have two weeks to report (and fix) any remaining bugs. Yeah, that's the ticket. My travel schedule isn't screwing anything up, instead think of it as you guys getting a BONUS WEEK! Yay!"

See the current list of reported regressions for the known issues remaining in the 4.7 kernel.

[$] Python's os.urandom() in the absence of entropy

Sunday 10th of July 2016 02:29:20 PM
Python applications, like those written in other languages, often need to obtain random data for purposes ranging from cryptographic key generation to initialization of scientific models. For years, the standard way of getting that data is via a call to os.urandom(), which is documented to "return a string of n random bytes suitable for cryptographic use." An enhancement in Python 3.5 caused a subtle change in how os.urandom() behaves on Linux systems, leading to some long, heated discussions about how randomness should be obtained in Python programs. When the dust settles, Python benevolent dictator for life (BDFL) Guido van Rossum will have the unenviable task of choosing between two competing proposals.

Portals: Using GTK+ in a Flatpak

Friday 8th of July 2016 05:09:51 PM
On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox. "Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system. Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t. Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access. Regardless which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system. The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox."

Security updates for Friday

Friday 8th of July 2016 02:02:51 PM

Debian-LTS has updated clamav (update to 0.99.2), icu (three vulnerabilities, two from 2015), and tcpreplay (denial of service).

openSUSE has updated php5 (13.2: multiple vulnerabilities, one from 2015).

Slackware has updated samba (crypto downgrade).

LWN.net Weekly Edition for July 8, 2016

Friday 8th of July 2016 01:23:28 AM
The LWN.net Weekly Edition for July 8, 2016 is available.

10 million Android phones infected by all-powerful auto-rooting apps (Ars Technica)

Thursday 7th of July 2016 10:09:36 PM
Ars Technica reports on the "HummingBad" malware that has infected millions of Android devices: "Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android." The article is based on a report [PDF] from Check Point, though the article notes that "researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices".

Thursday's security advisories

Thursday 7th of July 2016 01:11:52 PM

Debian has updated horizon (two vulnerabilities, one from 2015).

openSUSE has updated ImageMagick (13.2: many vulnerabilities, lots from 2014 and 2015) and qemu (42.1: many vulnerabilities, lots from 2015).

Scientific Linux has updated ocaml (SL7: information leak from 2015).

Ubuntu has updated tomcat8 (16.04: denial of service). In addition, Ubuntu has announced the end of life for 15.10 on July 28 and the end of life for 14.04.x hardware-enablement (HWE) stacks on August 4.

Debian Edu / Skolelinux Jessie

Wednesday 6th of July 2016 05:41:53 PM
The Debian Edu team has announced Debian Edu 8+edu0 "Jessie", the latest Debian Edu / Skolelinux release. Debian Edu, also known as Skolelinux, provides a complete solution for schools. Debian Edu 8 is based on Debian 8 "Jessie", update 8.5. "Do you have to administrate a computer lab or a whole school network? Would you like to install servers, workstations and laptops which will then work together? Do you want the stability of Debian with network services already preconfigured? Do you wish to have a web-based tool to manage systems and several hundred or even more user accounts? Have you asked yourself if and how older computers could be used? Then Debian Edu is for you. The teachers themselves or their technical support can roll out a complete multi-user multi-machine study environment within a few days. Debian Edu comes with hundreds of applications pre-installed, but you can always add more packages from Debian."

digiKam 5.0.0 is published

Wednesday 6th of July 2016 05:36:16 PM
The digiKam team has announced the release of digiKam Software Collection 5.0.0. "This release marks almost complete port of the application to Qt5. All Qt4/KDE4 code has been removed and many parts have been re-written, reviewed, and tested. Porting to Qt5 required a lot of work, as many important APIs had to be changed or replaced by new ones. In addition to code porting, we introduced several changes and optimizations, especially regarding dependencies on the KDE project. Although digiKam is still a KDE desktop application, it now uses many Qt dependencies instead of KDE dependencies. This simplifies the porting job on other operating systems, code maintenance, while reducing the sensitivity of API changes from KDE project."

LWN weekly edition one day late this week

Wednesday 6th of July 2016 04:51:47 PM
Those who are anxiously awaiting this week's edition later today (or tomorrow, depending on time zone) will have to wait another day. The US Independence Day holiday fell on Monday, so LWN staff took that day off for barbecues, fireworks, and other festivities. That means the edition will go out sometime in the early morning hours UTC on Friday, July 8. For those who celebrated the holiday, we hope you had a great one; for those who didn't, we certainly hope you had a great day too! We will be back on our normal schedule next week.

Security advisories for Wednesday

Wednesday 6th of July 2016 04:37:33 PM

Arch Linux has updated libarchive (code execution), libreoffice-fresh (code execution), and xerces-c (denial of service).

Debian-LTS has updated sqlite3 (information leak).

Fedora has updated mingw-xerces-c (F23; F22: three vulnerabilities) and xerces-c (F23; F22: two vulnerabilities).

Mageia has updated gimp (use-after-free), iperf (denial of service), libarchive (multiple vulnerabilities), libgd (multiple vulnerabilities), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), pidgin (multiple vulnerabilities), squidguard (cross-site scripting), and xerces-c (denial of service).

openSUSE has updated cronic (Leap42.1, 13.2: predictable temporary files), libircclient (Leap42.1; 13.2: insecure cipher suites), and xerces-c (13.2: code execution).

SUSE has updated xen (SLE11-SP3: multiple vulnerabilities - some from 2013).

Ubuntu has updated gimp (15.10, 14.04, 12.04: use-after-free), libimobiledevice (16.04, 15.10, 14.04: sockets listening on INADDR_ANY), libusbmuxd (16.04, 15.10: sockets listening on INADDR_ANY), and tomcat6, tomcat7 (multiple vulnerabilities).

[$] Kernel documentation with Sphinx, part 1: how we got here

Wednesday 6th of July 2016 03:13:40 AM

The last time LWN looked at formatted kernel documentation in January, it seemed like the merging of AsciiDoc support for the kernel's structured source-code documentation ("kernel-doc") comments, was imminent. As Jonathan Corbet, in the capacity of the kernel documentation maintainer, wrote: "A good-enough solution that exists now should not be held up overly long in the hopes that vague ideas for something else might turn into real, working code." Sometimes, however, the threat that something not quite perfect might be merged is enough to motivate people to turn those vague ideas into something real.

Subscribers can click below to see the full story by guest author (and the developer behind most of the Sphinx work) Jani Nikula.

KDE Plasma 5.7 Release

Tuesday 5th of July 2016 07:18:30 PM
KDE Plasma 5.7 has been released. This release features the return of the agenda view in the calendar, improvements to the Volume Control applet allow volume control on a per-application basis, improved Wayland support, and more. "This release brings Plasma closer to the new windowing system Wayland. Wayland is the successor of the decades-old X11 windowing system and brings many improvements, especially when it comes to tear-free and flicker-free rendering as well as security. The development of Plasma 5.7 for Wayland focused on quality in the Wayland compositor KWin. Over 5,000 lines of auto tests were added to KWin and another 5,000 lines were added to KWayland which is now released as part of KDE Frameworks 5."

Security updates for Tuesday

Tuesday 5th of July 2016 05:41:42 PM

Debian has updated gimp (use-after-free), kernel (multiple vulnerabilities), libvirt (authentication bypass), tomcat7 (denial of service), and wireshark (multiple vulnerabilities).

Debian-LTS has updated pidgin (multiple vulnerabilities).

Fedora has updated gimp (F24: use-after-free), kernel (F23: multiple vulnerabilities), libreoffice (F23: code execution), mbedtls (F24: three vulnerabilities), mediawiki (F24; F23: multiple vulnerabilities), mingw-xerces-c (F24: three vulnerabilities), ntp (F23; F22: multiple vulnerabilities), php (F24; F23; F22: multiple vulnerabilities), php-pecl-zip (F24; F23; F22: two vulnerabilities), phpMyAdmin (F23; F22: multiple vulnerabilities), pypy (F24; F23: startTLS stripping attack), pypy3 (F24: two vulnerabilities), python3 (F23: two vulnerabilities), qemu (F23; F22: multiple vulnerabilities), setroubleshoot-plugins (F23: command injection), and xerces-c (F24: two vulnerabilities).

openSUSE has updated gimp (Leap42.1, 13.2: use-after-free), GraphicsMagick (13.2: multiple vulnerabilities), kinit (Leap42.1, 13.2: privilege escalation), and spice (Leap42.1; 13.2: two vulnerabilities).

Red Hat has updated nodejs010-node-gyp and nodejs010-nodejs-qs (RHSCL: denial of service) and openstack-ironic (RHOSP7 for RHEL7; RHOSP8: authentication bypass).

Slackware has updated thunderbird (multiple vulnerabilities).

Kernel prepatch 4.7-rc6

Monday 4th of July 2016 09:16:19 PM
The 4.7-rc6 kernel prepatch is out, right on schedule. "I'd love to tell you that things are calming down, and we're shrinking, but that would be a lie. It's not like this is a huge rc, but it's definitely bigger than the previous rc's were. I don't think that's necessarily a big problem, it seems to be mostly timing."

Slackware 14.2

Friday 1st of July 2016 10:36:43 PM
Slackware Linux Project has announced the release of Slackware version 14.2. "Slackware 14.2 brings many updates and enhancements, among which you'll find two of the most advanced desktop environments available today: Xfce 4.12.1, a fast and lightweight but visually appealing and easy to use desktop environment, and KDE 4.14.21 (KDE 4.14.3 with kdelibs-4.14.21) a stable release of the 4.14.x series of the award- winning KDE desktop environment. These desktops utilize eudev, udisks, and udisks2, and many of the specifications from freedesktop.org which allow the system administrator to grant use of various hardware devices according to users' group membership so that they will be able to use items such as USB flash sticks, USB cameras that appear like USB storage, portable hard drives, CD and DVD media, MP3 players, and more, all without requiring sudo, the mount or umount command. Just plug and play. Slackware's desktop should be suitable for any level of Linux experience." See the release notes for more details.

Rails 5.0 is available

Friday 1st of July 2016 10:13:36 PM

Rails 5.0 has been released. The announcement highlights two new features, the Action Cable framework for handling WebSockets and an "API mode" for interfacing with client-side JavaScript. Development of the latter feature is ongoing; progress can be tracked in the JSONAPI::Resources repository. There are quite a few other new features to be found in the update as well; the release announcement provides links to detailed ChangeLogs for various subprojects.

Friday's security updates

Friday 1st of July 2016 02:13:27 PM

Debian-LTS has updated libvirt (authentication bypass), qemu (multiple vulnerabilities), qemu-kvm (multiple vulnerabilities), roundcube (cross-site scripting), wget (code execution), and wireshark (multiple vulnerabilities).

Fedora has updated kernel (F24: multiple vulnerabilities), python-django-horizon (F23: cross-site scripting), python3 (F24: StartTLS stripping), squidGuard (F22; F23; F24: cross-site scripting), struts (F23; F24: multiple vulnerabilities), and wordpress (F22; F23; F24: multiple vulnerabilities).

SUSE has updated kernel (SLE11; SLE12; SLE12 GA: multiple vulnerabilities).

Ubuntu has updated oxide-qt (14.04, 15.10, 16.04: multiple vulnerabilities).

Linux Mint 18 Cinnamon and MATE editions released

Thursday 30th of June 2016 11:59:44 PM
Linux Mint 18 has been released with Cinnamon and MATE editions. "Linux Mint 18 is a long term support release which will be supported until 2021. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use." The MATE edition has MATE 1.14 along with many other updates listed on the What's New page. The Cinnamon edition has Cinnamon 3.0 (which we recently reviewed) and lots of other new packages described on its What's New page. The release notes pages (MATE, Cinnamon) also have important information on the releases.

More in Tux Machines

Why open source programming languages are crushing proprietary peers

It's no secret that open source now dominates big data infrastructure. From Kubernetes to Hadoop to MongoDB, "No dominant platform-level software infrastructure has emerged in the last ten years in closed-source, proprietary form," as Cloudera chief strategy officer Mike Olson reminded us. Read more

CORD becomes a Linux Foundation project

Central Office Re-architected as a Data Center (CORD), an open source integrated solutions platform for service providers leveraging merchant silicon, white boxes, and open source platforms such as Open Network Operating System (ONOS), OpenStack, Docker, and the cloud operating system XOS, is now part of the Linux Foundation as a new independent project. The Linux foundation is already home to many open source networking projects, including OpenDaylight and ONOS, so CORD is a natural fit for the non-profit foundation. Read more

Google beefs Linux up kernel defenses in Android

Future versions of Android will be more resilient to exploits thanks to developers' efforts to integrate the latest Linux kernel defenses into the operating system. Android's security model relies heavily on the Linux kernel that sits at its core. As such, Android developers have always been interested in adding new security features that are intended to prevent potentially malicious code from reaching the kernel, which is the most privileged area of the operating system. Read more

Fork YOU! Sure, take the code. Then what?

There's an old adage in the open source world – if you don't like it, fork it. This advice, often given in a flippant manner, makes it seem like forking a piece of software is not a big deal. Indeed, forking a small project you find on GitHub is not a big deal. There's even a handy button to make it easy to fork it. Unlike many things in programming though, that interaction model, that simplicity of forking, does not scale. There is no button next to Debian that says Fork it! Thinking that all you need to do to make a project yours is to fork it is a fundamental misunderstanding of what large free/open source projects are – at their hearts, they are communities. One does not simply walk into Debian and fork it. One can, on the other hand, walk out of a project, bring all the other core developers along, and essentially leave the original an empty husk. This is what happened when LibreOffice forked away from the once-mighty OpenOffice; it's what happened when MariaDB split from MySQL; and it's what happened more recently when the core developers behind ownCloud left the company and forked the code to start their own project, Nextcloud. They also, thankfully, dropped the silly lowercase first letter thing. Nextcloud consists of the core developers who built ownCloud, but who were not, and, judging by the very public way this happened, had not been, in control of the direction of the product for some time. Read more