Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 34 min 13 sec ago

Help Make Open Source Secure (The Mozilla Blog)

Friday 10th of June 2016 06:34:25 PM
On The Mozilla blog, Chris Riley announces the "Secure Open Source" (SOS) fund to provide money to help with the security of open-source software. "The SOS Fund will provide security auditing, remediation, and verification for key open source software projects. The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs. But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the Internet. Security is a process. To have substantial and lasting benefit, we need to invest in education, best practices, and a host of other areas. Yet we hope that this fund will provide needed short-term benefits and industry momentum to help strengthen open source projects." SOS sounds similar in scope to the Core Infrastructure Initiative (CII) set up by the Linux Foundation.

Security advisories for Friday

Friday 10th of June 2016 02:48:01 PM

Arch Linux has updated gnutls (arbitrary file overwrite), haproxy (denial of service), and lib32-gnutls (arbitrary file overwrite).

Debian has updated firefox-esr (multiple vulnerabilities) and p7zip (code execution).

Debian-LTS has updated p7zip (code execution) and samba (regression in previous security fix).

Fedora has updated docker (F23: privilege escalation) and firefox (F22: multiple vulnerabilities).

SUSE has updated bind (two vulnerabilities) and libxml2 (SLE12: multiple vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities), kernel (16.04; 15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04; 15.10: multiple vulnerabilities), linux-snapdragon (16.04: code execution), linux-ti-omap4 (12.04: multiple vulnerabilities), and squid3 (multiple vulnerabilities).

KDE neon User Edition 5.6 Available now (KDE.News)

Thursday 9th of June 2016 10:50:48 PM
The first version of KDE neon, which is a distribution based on Ubuntu 16.04 that is meant to be a stable platform on which to try the latest Plasma desktop, has been released. "KDE neon User Edition 5.6 is based on the latest version of Plasma 5.6 and intends to showcase the latest KDE technology on a stable foundation. It is a continuously updated installable image that can be used not just for exploration and testing but as the main operating system for people enthusiastic about the latest desktop software. It comes with a slim selection of apps, assuming the user's capacity to install her own applications after installation, to avoid cruft and meaningless weight to the ISO. The KDE neon team will now start adding all of KDE's applications to the neon archive. Since the announcement of the project four months ago the team has been working on rolling out our infrastructure, using current best-practice devops technologies. A continuous integration Jenkins system scans the download servers for new releases and automatically fires up computers with Docker instances to build packages. We work in the open and as a KDE project any KDE developer has access to our packaging Git repository and can make fixes, improvements and inspect our work."

Thursday's security updates

Thursday 9th of June 2016 04:36:30 PM

Fedora has updated firefox (F23: multiple vulnerabilities), gnutls (F23: arbitrary file overwrite), and kernel (F23: denial of service).

Mageia has updated firefox (multiple vulnerabilities).

openSUSE has updated ImageMagick (13.2: command execution).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated firefox (multiple vulnerabilities).

Scientific Linux has updated file (SL6: multiple vulnerabilities from 2014), icedtea-web (SL6: two vulnerabilities), ntp (SL6: multiple vulnerabilities, one from 2014), openssh (SL6: multiple vulnerabilities), openssl (SL6: multiple vulnerabilities), qemu-kvm (SL6: code execution), and thunderbird (SL6: two vulnerabilities).

Tschacher: Typosquatting programming language package managers

Thursday 9th of June 2016 01:32:13 PM
Nikolai Tschacher demonstrates how easy it is to run arbitrary code by way of "typosquatting" uploads to programming language download sites. "Because everybody can upload any package on PyPi, it is possible to create packages which are typo versions of popular packages that are prone to be mistyped. And if somebody unintentionally installs such a package, the next question comes intuitively: Is it possible to run arbitrary code and take over the computer during the installation process of a package?" He tried an experiment and was able to run a little program that phoned home from thousands of systems.

[$] LWN.net Weekly Edition for June 9, 2016

Thursday 9th of June 2016 12:52:54 AM
The LWN.net Weekly Edition for June 9, 2016 is available.

Maru OS now freely available

Wednesday 8th of June 2016 11:33:57 PM
The Maru OS handset distribution (reviewed here in April) has moved out of the beta-test period and is now freely downloadable without an invitation. Maru functions as both an Android handset and an Ubuntu desktop (when connected to an external monitor). For now, it remains limited to Nexus 5 handsets. "Now that the beta program is over, I’m finally turning my attention to the open-source project so we can expand device support with the help of the community. Let’s get Maru in the hands of a lot more people!"

Stable kernel updates

Wednesday 8th of June 2016 05:05:50 PM
Greg Kroah-Hartman has released stable kernels 4.6.2, 4.5.7, 4.4.13, and 3.14.72. This is the last 4.5.y stable kernel release. Users of the 4.5 kernel series should upgrade to the 4.6 kernel series.

Security advisories for Wednesday

Wednesday 8th of June 2016 04:39:25 PM

Arch Linux has updated firefox (multiple vulnerabilities), qemu (multiple vulnerabilities), qemu-arch-extra (multiple vulnerabilities), and subversion (two vulnerabilities).

CentOS has updated spice (C7: two vulnerabilities) and spice-server (C6: two vulnerabilities).

Debian has updated expat (two vulnerabilities) and vlc (code execution).

Debian-LTS has updated expat (two vulnerabilities), libpdfbox-java (XML External Entity attacks), and libxstream-java (XML External Entity attacks).

Fedora has updated openslp (F23; F22: denial of service).

Mageia has updated chromium-browser-stable/libpng (multiple vulnerabilities), libxslt (two vulnerabilities), and ntp (multiple vulnerabilities).

openSUSE has updated expat (Leap42.1: code execution), gd (13.2: information leak), glibc (13.2: multiple vulnerabilities), GraphicsMagick (Leap42.1; 13.2: command execution), libimobiledevice, libusbmuxd (Leap42.1, 13.2: sockets listening on INADDR_ANY), libksba (Leap42.1: denial of service), and php5 (Leap42.1: multiple vulnerabilities).

SUSE has updated expat (SLE11-SP4: code execution).

The Qt Automotive Suite launches

Wednesday 8th of June 2016 02:02:20 PM
The Qt Blog announces the launch of the Qt Automotive Suite. "With cumulative experience from over 20 automotive projects it was noted how Qt is really well suited to the needs of building IVIs and Instrument Clusters, that there were already millions of vehicles on the road with Qt inside, and that there were a lot of ongoing projects. There was though a feeling that things could be even better, that there were still a few things holding back the industry, contributing to the sense that shipped IVI systems could be built faster, cheaper and with a higher quality."

[$] Distributors ponder a systemd change

Tuesday 7th of June 2016 10:56:49 PM
Linux users tend to pride themselves on their position at the leading edge of a fast-moving development community. But, in truth, much of what we do is rooted in many decades of Unix tradition, and we tend to get grumpy when young developers show up and start changing things around. A recent change of default in systemd represents such a change and the kind of response that it brings out; as a result, Linux distributors are going to have to make a decision on whether they should preserve the way things have always worked or make a change that, while potentially disruptive to users, is arguably a step toward more predictable, controllable, and secure behavior.

Firefox 47

Tuesday 7th of June 2016 04:26:27 PM
Firefox 47 has been released. This version enables the VP9 video codec for users with fast machines, plays embedded YouTube videos with HTML5 video if Flash is not installed, and more. There is a blog post about these and other improvements. "Now, we are making it even easier to access synced tabs directly in your desktop Firefox browser. If you’re logged into your Firefox Account, you will see all open tabs from your smartphone or other computers within the sidebar. In the sidebar you can also search for specific tabs quickly and easily." See the release notes for more information.

Tuesday's security updates

Tuesday 7th of June 2016 03:38:55 PM

Debian has updated spice (two vulnerabilities).

Debian-LTS has updated dhcpcd5 (code execution) and nss (cipher-downgrade attacks).

Fedora has updated glibc (F23: denial of service), nginx (F23: denial of service), and qemu (F22: multiple vulnerabilities).

openSUSE has updated clamav-database (Leap42.1: database refresh).

Oracle has updated spice (OL7: two vulnerabilities) and spice-server (OL6: two vulnerabilities).

Red Hat has updated glibc (RHEL6.5: sends DNS queries to random file descriptors), jenkins (RHOSE3.2: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).

Scientific Linux has updated spice (SL7: two vulnerabilities) and squid (SL7: multiple vulnerabilities).

SUSE has updated expat (SLE12-SP1: code execution).

Ubuntu has updated libxml2 (multiple vulnerabilities) and oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities).

Open Build Service 2.7 released

Monday 6th of June 2016 08:25:21 PM
Open Build Service 2.7 has been released. "Three large features around the topic of integrating external resources made it into this release. We worked on automatic tracking of moving repositories of development versions like Fedora Rawhide, distribution updates or rolling Linux releases like Arch. A change to the OBS git integration to enable developers to work on continuous builds. And last but not least an experimental KIWI import that can be used to easily migrate your images from SUSE studio."

Security updates for Monday

Monday 6th of June 2016 04:07:54 PM

Arch Linux has updated chromium (multiple vulnerabilities), ntp (multiple vulnerabilities), and webkit2gtk (code execution).

Debian has updated chromium-browser (multiple vulnerabilities), mariadb-10.0 (multiple vulnerabilities), and samba (regression in previous update).

Debian-LTS has updated libxml2 (multiple vulnerabilities).

Fedora has updated php (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), roundcubemail (F23; F22: cross-site scripting), sudo (F23: information leak), and xen (F23: multiple vulnerabilities).

Gentoo has updated gnupg (multiple vulnerabilities), libjpeg-turbo (information leak), puppet-agent (multiple vulnerabilities), and putty (multiple vulnerabilities).

openSUSE has updated Chromium (Leap42.1; 13.2: multiple vulnerabilities).

Slackware has updated ntp (multiple vulnerabilities).

SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).

Kernel prepatch 4.7-rc2

Monday 6th of June 2016 01:00:56 AM
The second 4.7 prepatch is now available for testing. Linus says: "There's a late non-fix I took even though the merge window is over, because I've been wanting it for a while. I doubt anybody notices the actual effects of a pty change/cleanup that means that our old disgusting DEVPTS_MULTIPLE_INSTANCES kernel config option is gone, because the cleanup means that it is no longer needed." For details on this change, see this article from last week's Kernel Page.

Wolf: Stop it with those short PGP key IDs!

Friday 3rd of June 2016 11:12:13 PM

At his blog, Gunnar Wolf urges developers to stop using "short" (eight hex-digit) PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild. The possibility of short-ID collisions has been known for a while, but it is still disconcerting to see in the wild. "Those three keys are not (yet?) uploaded to the keyservers, though... But we can expect them to appear at any point in the future. We don't know who is behind this, or what his purpose is. We just know this looks very evil."

Wolf goes on to note that short IDs are not merely human-readable conveniences, but are actually used to identify PGP keys in some software programs. To mitigate the risk, he recommends configuring GnuPG to never shows short IDs, to ensure that other programs do not consume short IDs, and to "only sign somebody else's key if you see and verify its full fingerprint. [...] And there are surely many other important recommendations. But this is a good set of points to start with."

Friday's security updates

Friday 3rd of June 2016 02:23:31 PM

Debian has updated libxml2 (multiple vulnerabilities).

Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), libgd (M5: multiple vulnerabilities), nginx (M5: denial of service), pgpdump (M5: buffer overrun), and php (M5: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Ubuntu has updated nginx (14.04, 15.10, 16.04: denial of service).

LWN.net Weekly Edition for June 3, 2016

Friday 3rd of June 2016 12:19:33 AM
The LWN.net Weekly Edition for June 3, 2016 is available.

Patents and the open-source community

Thursday 2nd of June 2016 07:05:17 PM

At OSCON 2016 in Austin, a panel of invited experts debated the always-thorny subject of how open-source software projects deal with patents. The panel was packed, featuring representatives from the free-software world, commerce, and the legal community, so there was scarcely enough time to move through the prepared topics in the time allotted, much less to take questions from the audience. But the discussion was able to highlight a number of current issues, including patent abolition, implicit patent licenses, and where the open-source community should focus its efforts to improve matters.

More in Tux Machines

Five reasons to switch from Windows to Linux

Linux has been in the ascendancy ever since the open source operating system was released, and has been improved and refined over time so that a typical distribution is now a polished and complete package comprising virtually everything the user needs, whether for a server or personal system. Much of the web runs on Linux, and a great many smartphones, and numerous other systems, from the Raspberry Pi to the most powerful supercomputers. So is it time to switch from Windows to Linux? Here are five reasons why. Read more

today's leftovers

Leftovers: OSS and Sharing

Security Leftovers

  • Chrome vulnerability lets attackers steal movies from streaming services
    A significant security vulnerability in Google technology that is supposed to protect videos streamed via Google Chrome has been discovered by researchers from the Ben-Gurion University of the Negev Cyber Security Research Center (CSRC) in collaboration with a security researcher from Telekom Innovation Laboratories in Berlin, Germany.
  • Large botnet of CCTV devices knock the snot out of jewelry website
    Researchers have encountered a denial-of-service botnet that's made up of more than 25,000 Internet-connected closed circuit TV devices. The researchers with Security firm Sucuri came across the malicious network while defending a small brick-and-mortar jewelry shop against a distributed denial-of-service attack. The unnamed site was choking on an assault that delivered almost 35,000 HTTP requests per second, making it unreachable to legitimate users. When Sucuri used a network addressing and routing system known as Anycast to neutralize the attack, the assailants increased the number of HTTP requests to 50,000 per second.
  • Study finds Password Misuse in Hospitals a Steaming Hot Mess
    Hospitals are pretty hygienic places – except when it comes to passwords, it seems. That’s the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are “endemic” in healthcare environments and mostly go unnoticed by hospital IT staff. The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments – with the bad behavior being driven by necessity rather than malice.
  • Why are hackers increasingly targeting the healthcare industry?
    Cyber-attacks in the healthcare environment are on the rise, with recent research suggesting that critical healthcare systems could be vulnerable to attack. In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identify theft. This personal data often contains information regarding a patient’s medical history, which could be used in targeted spear-phishing attacks.
  • Making the internet more secure
  • Beyond Monocultures
  • Dodging Raindrops Escaping the Public Cloud