LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

KDE neon users may want to reinstall

Monday 14th of November 2016 10:14:29 PM
The KDE Project has a little problem to report for users of the KDE neon distribution: "The package archive used by KDE neon was incorrectly configured allowing anyone to upload packages to it. There is no reason to think that anyone actually did so but as a precaution we have emptied the archives and removed ISOs built before this date." Once the process of rebuilding the archive is complete, users are recommended to upgrade to the new versions, or, better, simply reinstall.
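One check a practitioner would want after an incident like this is to compare whatever .deb files are still in the local apt cache against the signed Packages index of the rebuilt archive, so that anything the archive no longer vouches for gets reinstalled first. The script below is an added example for this page, not code from KDE neon, LWN or apt; the Packages stanza and the package bytes are constructed inline so it runs offline, and the file paths in the docstring are the usual Debian locations, assumed rather than taken from the advisory.

```python
"""Compare cached .deb files against a signed Packages index.

Added example for the KDE neon archive incident above; it is not code from
KDE neon, LWN or apt. The index text and the package bytes are constructed
inline so the script runs offline. In real use, run `apt-get update` against
the rebuilt archive so apt verifies the InRelease signature, then feed this
script /var/lib/apt/lists/*_Packages and /var/cache/apt/archives/*.deb.
"""
import hashlib
from typing import Dict


def parse_packages_index(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Debian Packages index (control-file stanzas separated by blank
    lines) into {basename of Filename: {field: value}}."""
    entries: Dict[str, Dict[str, str]] = {}
    stanza: Dict[str, str] = {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last stanza
        if not line.strip():
            if stanza:
                basename = stanza.get("Filename", "").rsplit("/", 1)[-1]
                entries[basename] = stanza
                stanza = {}
            continue
        if line[0] in " \t":                # continuation of a multi-line field
            continue
        key, _, value = line.partition(":")
        stanza[key.strip()] = value.strip()
    return entries


def verify_deb(entries: Dict[str, Dict[str, str]], deb_name: str, data: bytes) -> str:
    """Return "ok" or the first reason the cached file cannot be trusted."""
    meta = entries.get(deb_name)
    if meta is None:
        return "not-in-index"               # nothing in the rebuilt archive vouches for it
    if "Size" in meta and int(meta["Size"]) != len(data):
        return "size-mismatch"
    expected = meta.get("SHA256", "").lower()
    if not expected:
        return "no-sha256"                  # MD5/SHA1-only entries are not good enough
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if actual == expected else "sha256-mismatch"


# Constructed stand-ins for a package file; not a real ar archive.
GOOD_DEB = b"!<arch>\nconstructed sample package contents\n"
APPENDED_DEB = GOOD_DEB + b"\x00"                 # length changed
SUBSTITUTED_DEB = GOOD_DEB[:-1] + b"X"            # same length, different bytes
DEB_NAME = "example-tool_2.3-0neon1_amd64.deb"    # hypothetical package name


def build_sample_index() -> str:
    """Constructed Packages stanza whose hash matches GOOD_DEB."""
    return (
        "Package: example-tool\n"
        "Version: 2.3-0neon1\n"
        "Architecture: amd64\n"
        f"Filename: pool/main/e/example-tool/{DEB_NAME}\n"
        f"Size: {len(GOOD_DEB)}\n"
        f"SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}\n"
        "Description: constructed sample entry\n"
        " continuation line, skipped by the parser\n"
        "\n"
    )


def check_all() -> Dict[str, str]:
    """Run every cached candidate against the index; keys name the scenario."""
    entries = parse_packages_index(build_sample_index())
    return {
        "good": verify_deb(entries, DEB_NAME, GOOD_DEB),
        "appended": verify_deb(entries, DEB_NAME, APPENDED_DEB),
        "substituted": verify_deb(entries, DEB_NAME, SUBSTITUTED_DEB),
        "unknown": verify_deb(entries, "rogue_1.0_amd64.deb", GOOD_DEB),
    }


if __name__ == "__main__":
    for scenario, verdict in check_all().items():
        print(f"{scenario}: {verdict}")
```

Two caveats. The index only means something if apt has already checked it against the archive's signing key; hashes fetched over the same channel as the packages add nothing on their own. And a mismatch is a reason to reinstall, not proof of tampering: a rebuilt archive will produce different hashes for honestly rebuilt packages unless the builds are reproducible, which is exactly what the next item on this page is about.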

The Linux Foundation's Core Infrastructure Initiative Renews Funding for Reproducible Builds Project

Monday 14th of November 2016 10:10:21 PM
The Core Infrastructure Initiative (CII) has announced continued financial support for the Reproducible Builds Project. "The grant extends the contribution to include Debian developers Chris Lamb, Mattia Rizzolo, Ximin Luo and Vagrant Cascadian, as well as extending funding for Holger Levsen. Furthermore, this contribution adds support for Ed Maste, working with FreeBSD." (Thanks to Paul Wise)

[$] Topics in live kernel patching

Monday 14th of November 2016 08:42:31 PM
Getting live-patching capabilities into the mainline kernel has been a multi-year process. Basic patching support was merged for the 4.0 release, but further work has been stalled over disagreements on how the consistency model — the code ensuring that a patch is safe to apply to a running kernel — should work. The addition of kernel stack validation has addressed the biggest of the objections, so, arguably, it is time to move forward. At the 2016 Linux Plumbers Conference, developers working on live patching got together to discuss current challenges and future directions.


Security advisories for Monday

Monday 14th of November 2016 05:12:04 PM

CentOS has updated java-1.7.0-openjdk (C6: multiple vulnerabilities), libgcrypt (C6: flawed random number generation), and pacemaker (C6: privilege escalation).

Debian has updated mariadb-10.0 (multiple vulnerabilities) and terminology (command execution).

Fedora has updated bind (F24: denial of service), mingw-libwebp (F24: integer overflows), sudo (F24: privilege escalation), and tomcat (F24; F23: multiple vulnerabilities).

Mageia has updated libwmf (denial of service), monit (cross-site request forgery), python-cryptography (returns empty byte-string), and quagga (stack overrun).

openSUSE has updated flash-player (13.1: multiple vulnerabilities), mysql-community-server (Leap42.2: multiple vulnerabilities), and opera (Leap42.2; Leap42.1: multiple vulnerabilities).

Red Hat has updated policycoreutils (RHEL6,7: sandbox escape).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities) and mysql (SLE11-SP4: three vulnerabilities).

Kernel prepatch 4.9-rc5

Sunday 13th of November 2016 07:27:53 PM
The 4.9-rc5 kernel prepatch is out. Linus says: "Things have definitely gotten smaller, so a normal release schedule (with rc7 being the last one) is still looking possible despite the large size of 4.9. But let's see how things work out over the next couple of weeks. In the meantime, there's a lot of normal fixes in here, and we just need more testing."

Security Exercises (Linux Journal)

Friday 11th of November 2016 08:54:23 PM
Over at Linux Journal, Susan Sons has a lengthy article on security exercises, which are a way to test the readiness of a project or organization for some kind of security problem. "Scheduling exercises at a predictable time and reminding others when it will happen prevents confusion among staff. It is wise to begin with low-impact exercises (more on this below) that don't leverage production systems, and move on to higher-potential-impact exercises only when the organization's infrastructure and personnel have had most of the bugs shaken out. If something as small as a runaway process on a single server can seriously impact your business, it's better to find out at a planned time with all hands on deck than at 4am on a holiday when no one who knows what to do can be reached. The whole point of security exercises is to increase resilience: raise the threshold of what is normal for your team to deal with, what your systems can shrug off." She followed that article up with some example security exercises.

Security updates for Friday

Friday 11th of November 2016 04:54:44 PM

Debian has updated pillow (two vulnerabilities).

Fedora has updated jasper (F23: multiple vulnerabilities), kdepimlibs (F23: three vulnerabilities), libXi (F23: two vulnerabilities), and xen (F23: multiple vulnerabilities).

Mageia has updated freeimage (two vulnerabilities, one from 2015).

openSUSE has updated curl (42.1: multiple vulnerabilities), flash-player (13.2: multiple vulnerabilities), gd (42.1: three vulnerabilities), ImageMagick (42.1: multiple vulnerabilities, some from 2014 and 2015), and mysql-community-server (42.1, 13.2: multiple vulnerabilities, many unspecified).

Oracle has updated 389-ds-base (OL7: unspecified), bind (OL7: denial of service), curl (OL7: TLS botch), dhcp (OL7: unspecified), firewalld (OL7: authentication bypass), fontconfig (OL7: privilege escalation), gimp (OL7: code execution), glibc (OL7: code execution), java-1.7.0-openjdk (OL7: unspecified), kernel (OL7: multiple vulnerabilities, some from 2013 and 2015), krb5 (OL7: two vulnerabilities), libgcrypt (OL7: bad random numbers), libguestfs (OL7: information leak from 2015), libreoffice (OL7: code execution), libreswan (OL7: denial of service), libvirt (OL7: three vulnerabilities, two from 2015), mariadb (OL7: privilege escalation), mod_nss (OL7: cipher choosing botch), nettle (OL7: multiple vulnerabilities, three from 2015), NetworkManager (OL7: information leak), ntp (OL7: multiple vulnerabilities from 2015), openssh (OL7: privilege escalation from 2015), php (OL7: multiple vulnerabilities), poppler (OL7: code execution from 2015), postgresql (OL7: two vulnerabilities), python (OL7: code execution), qemu-kvm (OL7: two vulnerabilities), resteasy-base (OL7: code execution), squid (OL7: multiple vulnerabilities), sudo (OL7: information disclosure), systemd (OL7: denial of service), tomcat (OL7: multiple vulnerabilities, three from 2015), util-linux (OL7: denial of service), and wget (OL7: code execution).

Ubuntu has updated kernel (16.10; 16.04: denial of service), kernel (14.04: multiple vulnerabilities, one from 2014 and 2015), kernel (12.04: two vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities, one from 2014 and 2015), linux-lts-xenial (14.04: denial of service), linux-raspi2 (16.10: denial of service), linux-snapdragon (16.04: denial of service), and linux-ti-omap4 (12.04: two vulnerabilities).

Fedora 25 to have MP3 playback

Thursday 10th of November 2016 10:50:18 PM
Christian Schaller writes that, after all these years, a stock Fedora system will be able to play MP3 files. "I know this has been a big wishlist item for a long time for a lot of people so I am really happy that we are finally in a position to fulfill that wish. You should be able to download the mp3 plugin on day 1 through GNOME Software or through the missing codec installer in various GStreamer applications. For Fedora Workstation 26 I would not be surprised if we decide to ship it on the install media."

Stable kernels 4.8.7 and 4.4.31

Thursday 10th of November 2016 04:18:14 PM
The 4.8.7 and 4.4.31 stable kernels have been released. As usual, they contain multiple important fixes; users of 4.8.x and 4.4.x should upgrade.

Thursday's security advisories

Thursday 10th of November 2016 03:15:31 PM

Fedora has updated chromium (F24: multiple vulnerabilities), chromium-native_client (F24: multiple vulnerabilities), dracut (F24: information disclosure), jasper (F24: multiple vulnerabilities), and xen (F24: multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mariadb (multiple vulnerabilities).

Red Hat has updated kernel (RHEL7.2: denial of service) and systemd (RHEL7.2: denial of service).

SUSE has updated php5 (SLE12: three vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).

[$] LWN.net Weekly Edition for November 10, 2016

Thursday 10th of November 2016 01:04:38 AM
The LWN.net Weekly Edition for November 10, 2016 is available.

[$] A year with Notmuch mail

Wednesday 9th of November 2016 05:37:29 PM
Neil Brown writes: "For a little longer than a year now, I have been using Notmuch as my primary means of reading email. Though the experience has not been without some annoyances, I feel that it has been a net improvement and expect to keep using Notmuch for quite some time."

Security advisories for Wednesday

Wednesday 9th of November 2016 04:10:29 PM

Debian has updated libxslt (code execution).

Fedora has updated dbus (F23: code execution), firefox (F23: two vulnerabilities), and pacemaker (F23: privilege escalation).

openSUSE has updated mariadb (13.2: multiple vulnerabilities) and nodejs (Leap42.1, 13.2: code execution).

Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).

Scientific Linux has updated libgcrypt (SL6: flawed random number generation) and pacemaker (SL6: privilege escalation).

[$] Making WiFi fast

Tuesday 8th of November 2016 09:04:03 PM
Dave Täht has been working to save the Internet for the last six years (at least). Recently, his focus has been on improving the performance of networking over WiFi — performance that has been disappointing for as long as anybody can remember. The good news, as related in his 2016 Linux Plumbers Conference talk, is that WiFi can be fixed, and the fixes aren't even all that hard to do. Users with the right hardware and a willingness to run experimental software can have fast WiFi now, and it should be available for the rest of us before too long.

digiKam 5.3.0 is published

Tuesday 8th of November 2016 07:29:20 PM
The digiKam Software Collection 5.3.0 has been released. This version is available as an AppImage bundle. "AppImage is an open-source project dedicated to providing a simple way to distribute portable software as a compressed binary file that a standard user can run as well, without installing special dependencies. Everything is included in the bundle, including the latest Qt5 and KF5 frameworks. AppImage uses a FUSE file system, which is decompressed into a temporary directory to start the application. You don't need to install digiKam on your system to be able to use it. Better, you can use the official digiKam from your Linux distribution in parallel and test the new version without any conflict with the one used in production. This permits quickly testing a new release without waiting for an official package dedicated to your Linux box. Another AppImage advantage is being able to quickly provide a pre-release bundle to test the latest patches applied to the source code, outside the release plan."

SUSE Linux Enterprise 12 SP2

Tuesday 8th of November 2016 06:25:52 PM
The second service pack for SUSE Linux Enterprise Server, Desktop and other products, has been released. Highlights include software defined networking and network function virtualization, the new SUSE Package Hub for package updates, the ability to skip service pack releases (e.g. upgrade from SLES 12 to SLES 12-SP2), architecture support for AArch64 and Raspberry Pi, and much more.

Security updates for Tuesday

Tuesday 8th of November 2016 05:05:08 PM

Debian has updated mat (information leak) and openjdk-7 (multiple vulnerabilities).

Debian-LTS has updated python-imaging (two vulnerabilities).

Fedora has updated ansible (F24: two vulnerabilities), ghostscript (F24: two vulnerabilities), icu (F24: code execution), java-1.8.0-openjdk-aarch32 (F24: multiple vulnerabilities), and kernel (F24: two vulnerabilities).

openSUSE has updated bind (Leap42.1; 13.2: denial of service).

Oracle has updated java-1.7.0-openjdk (OL6; OL5: multiple vulnerabilities) and libgcrypt (OL6: flawed random number generation).

Red Hat has updated chromium-browser (RHEL6: memory leak), libgcrypt (RHEL6,7: flawed random number generation), pacemaker (RHEL6: privilege escalation), and qemu-kvm-rhev (RHOSP8; RHOSP9: denial of service).

Scientific Linux has updated java-1.7.0-openjdk (SL5,6: multiple vulnerabilities).

First 64-bit Orange Pi slips in under $20 (HackerBoards.com)

Monday 7th of November 2016 10:39:08 PM
HackerBoards takes a look at the 64-bit Orange Pi. "Shenzhen Xunlong is keeping up its prolific pace in spinning off new Allwinner SoCs into open source SBCs, and now it has released its first 64-bit ARM model, and one of the cheapest quad-core Cortex-A53 boards around. The Orange Pi PC 2 runs Linux or Android on a new Allwinner H5 SoC featuring four Cortex-A53 cores and a more powerful Mali-450 GPU."

Security advisories for Monday

Monday 7th of November 2016 05:01:28 PM

Debian has updated mysql-5.5 (multiple unspecified vulnerabilities).

Debian-LTS has updated libdatetime-timezone-perl (update tzdata), libxslt (code execution), memcached (multiple vulnerabilities, one from 2013), openjdk-7 (multiple vulnerabilities), and tzdata (update tzdata).

Fedora has updated 389-ds-base (F24: information leak), curl (F24: multiple vulnerabilities), firefox (F24: two vulnerabilities), and pacemaker (F24: privilege escalation).

Mageia has updated libtomcrypt (signature forgery), python-django (two vulnerabilities), and tomcat (multiple vulnerabilities).

openSUSE has updated chromium (SPH for SLE12; Leap42.1, 13.2: memory leak), dbus-1 (13.1: denial of service), jasper (13.1: multiple vulnerabilities), libraw (Leap42.1: memory leak), libxml2 (13.2: code execution), and firefox (13.1: two vulnerabilities).

Red Hat has updated java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities) and java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities).

More in Tux Machines

Linux 4.9-rc8

So if anybody has been following the git tree, it should come as no surprise that I ended up doing an rc8 after all: things haven't been bad, but it also hasn't been the complete quiet that would have made me go "no point in doing another week". Extra kudos to Arnd, who actually root-caused the incredibly annoying "modversions do not work with new versions of binutils", bisecting it to a particular change to symbol handling in binutils, and then adding a small one-liner patch to the kernel to work around the issue. We already had other workarounds in place, but it's always good to know exactly what in the tool chain changed to cause things like this.