LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

A set of stable kernel updates

Saturday 23rd of January 2016 10:30:10 PM
The 4.3.4, 4.1.16, 3.14.59, and 3.10.95 stable kernel updates have been released. They are the first in just over one month, and they contain a fair number of important fixes.

Hutterer: Is Wayland ready yet?

Friday 22nd of January 2016 06:14:07 PM
On his blog, Peter Hutterer answers the perennial "is Wayland ready yet?" question by pointing out that it really is not the right question. "The protocol is stable and has been for a while. But not every compositor and/or toolkit/application speak Wayland yet, so it may not be sufficient for your use-case. So rather than asking 'Is Wayland ready yet', you should be asking: 'Can I run GNOME/KDE/Enlightenment/etc. under Wayland?' That is the right question to ask, and the answer is generally 'It depends what you expect to work flawlessly.' This also means 'people working on Wayland' is often better stated as 'people working on Wayland support in ....'. "

Friday's security updates

Friday 22nd of January 2016 05:32:32 PM

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities) and java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian has updated fuse (privilege escalation).

Fedora has updated libsndfile (F22: two vulnerabilities), python-rsa (F23: signature forgery), and rsync (F22: file overwrite from 2014).

Mageia has updated dhcpcd (denial of service).

openSUSE has updated bind (42.1; 13.2: denial of service), cgit (42.1, 13.2: three vulnerabilities), giflib (13.2: code execution), and libxml2 (42.1: denial of service).

Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities) and java-1.8.0-openjdk (OL6: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (SL6; SL5&7: multiple vulnerabilities) and java-1.8.0-openjdk (SL7: multiple vulnerabilities).

Ubuntu has updated perl (15.10, 15.04: taint botch) and rsync (file overwrite from 2014).

LWN reaches voting age

Friday 22nd of January 2016 04:18:00 PM
Just a quick note to point out that the very first LWN Weekly Edition came out on January 22, 1998. So we have now been at it for eighteen years. To say we would have been surprised by that idea in 1998 is a serious understatement. Many thanks to LWN's reader community for keeping us going for all this time!

Zemlin on the Linux Foundation's by-law changes

Friday 22nd of January 2016 02:24:00 PM
Linux Foundation leader Jim Zemlin explains the recent changes in the organization's by-laws. "First, The Linux Foundation Board structure has not changed. The same individuals remain as directors, and the same ratio of corporate to community directors continues as well. What we did do was to act on a long-discussed perception that the value we provide to individual supporters could be improved, for the first time in a decade. And that the process for recruiting community directors should be changed to be in line with other leading organizations in our community and industry." He also speaks out against the personal attacks that have appeared in conversations about this change.

Rust 1.6 released

Thursday 21st of January 2016 10:59:45 PM
Version 1.6 of the Rust programming language has been released. "The largest new feature in 1.6 is that libcore is now stable! Rust’s standard library is two-tiered: there’s a small core library, libcore, and the full standard library, libstd, that builds on top of it. libcore is completely platform agnostic, and requires only a handful of external symbols to be defined. Rust’s libstd builds on top of libcore, adding support for memory allocation, I/O, and concurrency. Applications using Rust in the embedded space, as well as those writing operating systems, often eschew libstd, using only libcore. libcore being stabilized is a major step towards being able to write the lowest levels of software using stable Rust."

Thursday's security advisories

Thursday 21st of January 2016 06:05:19 PM

Arch Linux has updated bind (two vulnerabilities) and libdwarf (information leak).

Fedora has updated kernel (F23: two vulnerabilities) and prosody (F23; F22: two vulnerabilities).

Mageia has updated bind (two vulnerabilities), cacti (three vulnerabilities), dhcp (denial of service), encfs (code execution from 2014), kernel (privilege escalation), kernel-linus (privilege escalation), kernel-tmb (privilege escalation), moodle (two vulnerabilities), and perl, perl-PathTools (taint botch).

Oracle has updated java-1.8.0-openjdk (OL7: multiple vulnerabilities), kernel (OL5: unspecified), kernel 3.8.13 (OL7; OL6: privilege escalation), and kernel 4.1.12 (OL7; OL6: privilege escalation).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-openjdk (RHEL6; RHEL5&7: multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-openjdk (RHEL7; RHEL6: multiple vulnerabilities), and java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities).

Scientific Linux has updated java-1.8.0-openjdk (SL6: multiple vulnerabilities).

SUSE has updated bind (SLE12: denial of service) and kernel (SLE12SP1: privilege escalation).

[$] LWN.net Weekly Edition for January 21, 2016

Thursday 21st of January 2016 02:43:13 AM
The LWN.net Weekly Edition for January 21, 2016 is available.

Garrett: Linux Foundation quietly drops community representation

Thursday 21st of January 2016 12:57:17 AM
On his blog, Matthew Garrett has noted that the Linux Foundation (LF) has dropped the community representatives to its board that were elected by the individual LF members. "The by-laws were amended to drop the clause that permitted individual members to elect any directors. Section 3.3(a) now says that no affiliate members may be involved in the election of directors, and section 5.3(d) still permits at-large directors but does not require them[2]. The old version of the bylaws are here - the only non-whitespace differences are in sections 3.3(a) and 5.3(d). These changes all happened shortly after Karen Sandler [executive director of the Software Freedom Conservancy] announced that she planned to stand for the Linux Foundation board during a presentation last September [YouTube link]. A short time later, the "Individual membership" program was quietly renamed to the "Individual supporter" program and the promised benefit of being allowed to stand for and participate in board elections was dropped (compare the old page to the new one)." Garrett speculates that the GPL enforcement suit that the Software Freedom Conservancy is funding against VMware, which is an LF member, is ultimately behind the move. He also notes (the [2] above) that there is still a community representative from the Technical Advisory Board (TAB) that sits on the LF board.

Dutch consumer group sues Samsung over Android updates (OSNews)

Wednesday 20th of January 2016 07:52:30 PM
OSNews reports that the Dutch consumer protection advocacy agency Consumentenbond has sued Samsung, demanding updates for its Android phones. "The Consumentenbond had been in talks with Samsung about this issue for a while now, but no positive outcome was reached, and as such, they saw no other option but to file suit. The Consumentenbond is demanding that Samsung provides two years of updates for all its Android devices, with the two-year period starting not at the date of market introduction of the device, but at the date of sale. This means that devices introduced one or even more years ago that are still being sold should still get two years' worth of updates starting today." (Thanks to Paolo Bonzini)

[$] OpenSSH and the dangers of unused code

Wednesday 20th of January 2016 07:33:54 PM

Unused code is untested code, which probably means that it harbors bugs—sometimes significant security bugs. That lesson has been reinforced by the recent OpenSSH "roaming" vulnerability. Leaving a half-finished feature only in the client side of the equation might seem harmless on a cursory glance but, of course, is not. Those who mean harm can run servers that "implement" the feature to tickle the unused code. Given that the OpenSSH project has a strong security focus (and track record), it is truly surprising that a blunder like this could slip through—and keep slipping through for roughly six years.

Subscribers can click below to read the full story from the week's edition.

Security advisories for Wednesday

Wednesday 20th of January 2016 05:47:05 PM

Arch Linux has updated kernel (privilege escalation).

CentOS has updated kernel (C5: two remote denial of service vulnerabilities).

Debian has updated bind9 (denial of service) and ecryptfs-utils (privilege escalation).

Debian-LTS has updated bind9 (denial of service), ecryptfs-utils (privilege escalation), and librsvg (out-of-bounds heap read).

Fedora has updated libxmp (F23; F22: multiple vulnerabilities), mbedtls (F23; F22: memory leak), qemu (F22: multiple vulnerabilities), and radicale (F23; F22: multiple vulnerabilities).

openSUSE has updated cups-filters (Leap42.1: code execution).

Oracle has updated kernel (OL5: two remote denial of service vulnerabilities).

Scientific Linux has updated kernel (SL5: two remote denial of service vulnerabilities).

SUSE has updated bind (SLE12-SP1: denial of service).

Ubuntu has updated bind9 (denial of service), ecryptfs-utils (privilege escalation), kernel (15.10; 15.04; 14.04: privilege escalation), libxml2 (two vulnerabilities), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), linux-lts-vivid (14.04: privilege escalation), linux-lts-wily (14.04: privilege escalation), and linux-raspi2 (15.10: privilege escalation).

Linux Kernel ROP - Ropping your way to #

Wednesday 20th of January 2016 03:22:19 PM
This article from Cysec Labs starts a series explaining how return-oriented programming (ROP) can be used to exploit vulnerabilities in the kernel. "ROP techniques take advantage of code misalignment to identify new gadgets. This is possible due to x86 language density, i.e., the x86 instruction set is large enough (and instructions have different lengths), that almost any sequence of bytes can be interpreted as a valid instruction."

The State Of Meteor Part 1: What Went Wrong

Wednesday 20th of January 2016 02:44:55 PM
Back in 2014, LWN looked at the Meteor web application framework. Now, Meteor's developers are contemplating why it failed to take over the world. "New developers love how easy it is to get started with it, but can get discouraged when they start struggling with more complex apps. And purely from a financial standpoint, it’s hard to build a sustainable business on the back of new developers hacking on smaller apps. On the other hand, many of the more experienced developers who’d be able to handle (and help solve) Meteor’s trickier challenges are turned off by its all-in-one approach, and never even give it a chance in the first place." They promise the imminent unveiling of a new approach that is going to address these problems.

CyanogenMod shutting down WhisperPush

Wednesday 20th of January 2016 12:32:52 AM
The CyanogenMod developers have announced that they will be shutting down the WhisperPush secure messaging system (covered here in 2013). "We’ve ultimately made the decision that we will no longer be supporting WhisperPush functionality directly within CyanogenMod. Further, WhisperPush services will be end-of-lifed beginning Feb 1st 2016. As this is a server side implementation, all branches of CM from CM10.2 and forward will be affected."

[$] An interview with Joey Hess

Tuesday 19th of January 2016 07:35:06 PM
Two of the earliest figures in the Linux community were Lars Wirzenius and Joey Hess. So when the former offered us an interview with the latter, we were quick to accept. Click below (subscribers only) for Joey's views on his departure from Debian, Haskell development, off-the-grid living, and more.

Tuesday's security updates

Tuesday 19th of January 2016 04:03:57 PM

Debian has updated kernel (multiple vulnerabilities, including one from 2013).

Debian-LTS has updated isc-dhcp (denial of service), passenger (environment variable injection), and srtp (denial of service).

openSUSE has updated mbedtls (42.1: signature forgery), perl-Module-Signature (13.2, 13.1: multiple vulnerabilities), and polarssl (13.2: signature forgery).

Red Hat has updated kernel (RHEL5: two remote denial of service vulnerabilities) and kernel (RHEL6.2: two denial of service vulnerabilities).

SUSE has updated samba (SLE11SP4, SLE11SP3: multiple vulnerabilities) and kernel (SLE12: multiple vulnerabilities).

An unpleasant local kernel vulnerability

Tuesday 19th of January 2016 02:41:31 PM
Perception Point discloses a use-after-free vulnerability in the kernel's keyring subsystem; it is exploitable for local privilege escalation. "If a process causes the kernel to leak 0x100000000 references to the same object, it can later cause the kernel to think the object is no longer referenced and consequently free the object. If the same process holds another legitimate reference and uses it after the kernel freed the object, it will cause the kernel to reference deallocated, or a reallocated memory. This way, we can achieve a use-after-free, by using the exact same bug from before. A lot has been written on use-after-free vulnerability exploitation in the kernel, so the following steps wouldn’t surprise an experienced vulnerability researcher." This bug, introduced in 3.8, looks like a good one to patch quickly; of course, for vast numbers of users of mobile and embedded systems, that may not be an option.

Wingo: Unboxing in Guile

Tuesday 19th of January 2016 02:19:53 PM
Here is a long and detailed post from Andy Wingo on how he improved numerical performance in the Guile language by carefully removing runtime type information ("unboxing"). "If Guile did native compilation, it would always be a win to unbox any integer operation, if only because you would avoid polymorphism or any other potential side exit. For bignums that are within the unboxable range, the considerations are similar to the floating-point case: allocation costs dominate, so unboxing is almost always a win, provided that you avoid double-boxing. Eliminating one allocation can pay off a lot of instruction dispatch."

Mycroft: Linux’s Own AI (Linux.com)

Monday 18th of January 2016 11:02:11 PM
Swapnil Bhartiya takes a look at Mycroft AI and talks with CTO Ryan Sipes, on Linux.com. "Earlier this month, the developers released the Adapt intent parser as open source. When many people look at Mycroft, they think voice recognition is the important piece, but the brain of Mycroft is the Adapt intent. It takes natural language, analyzes the ultimate sentence, and then decides what action needs to be taken. That means when someone says “turn the lights off in the conference room,” Adapt grabs the intent “turn off” and identifies the entity as “conference room.” So, it makes a decision and then reaches out to whatever device is controlling the lights in the conference rooms and tells it to turn them off. That’s complex work. And, the Mycroft developers just open sourced the biggest and most powerful piece of their software."
