LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security updates for Thursday

Thursday 28th of August 2014 02:38:30 PM

Debian has updated s3ql (code execution).

Mageia has updated x11vnc (code execution).

openSUSE has updated phpMyAdmin (13.1, 12.3: multiple vulnerabilities) and python3 (12.3: two vulnerabilities).

Ubuntu has updated squid3 (14.04, 12.04: denial of service).

2014 Kernel OPW internship report

Thursday 28th of August 2014 12:59:44 PM
Sarah Sharp has posted an update on the kernel internships managed through the Outreach Program for Women, with an emphasis on what past participants are doing now. "Many people may be disappointed that those three OPW alumni aren’t working on open source, but I’m overjoyed that these women have found jobs in the technology sector. This fact is heartening to me because many of the women that participate in OPW were working in retail before their internship. To be able to move into the technology sector is a giant step in the right direction, and I’m happy that the OPW program could be a part of that."

PHP 5.6.0 released

Thursday 28th of August 2014 12:35:38 PM
The PHP 5.6.0 release is available. There are a number of new features, including constant scalar expressions, a new "..." operator for both variadic functions and sequence unpacking, an exponentiation operator, an integrated interactive debugger, and more. See the PHP 5.6.0 migration guide for more information.

[$] LWN.net Weekly Edition for August 28, 2014

Thursday 28th of August 2014 12:46:43 AM
The LWN.net Weekly Edition for August 28, 2014 is available.

[$] Visual legerdemain abounds in G'MIC 1.6.0

Wednesday 27th of August 2014 09:59:35 PM
A new stable version of the G'MIC image-processing framework was recently released. Version 1.6.0 adds a number of new commands and filters useful for manipulating image data, as well as changes to the codebase that will hopefully make G'MIC easier to integrate into other applications.

Click below (subscribers only) for a look at the G'MIC 1.6.0 release and associated GIMP plugin.

Security advisories for Wednesday

Wednesday 27th of August 2014 04:33:20 PM

Debian has updated eglibc (code execution).

Fedora has updated jakarta-commons-httpclient (F20; F19: SSL server spoofing), krb5 (F19: code execution), mediawiki (F20; F19: multiple vulnerabilities), python-pillow (F20; F19: denial of service), and sks (F20; F19: cross-site scripting).

Mageia has updated file (denial of service), grub2 (denial of service/possible code execution), harbour (denial of service/possible code execution), icecream (denial of service/possible code execution), italc (denial of service/possible code execution), kdenetwork4 (MG3: denial of service/possible code execution), libvncserver (denial of service/possible code execution), and serf (information leak).

Red Hat has updated devtoolset-2-httpcomponents-client (RHDT2: SSL server spoofing), kernel (RHEL6.4 EUS: multiple vulnerabilities), and ror40-rubygem-activerecord (RHSCL1: strong parameter protection bypass).

MediaGoblin 0.7.0 released

Wednesday 27th of August 2014 12:16:46 PM
Version 0.7.0 of the MediaGoblin media publishing platform is available. New features include initial federation support, a switch to a responsive CSS system, a "featured media" option, bulk uploading via the command line, and more. "Well we’re excited to announce that the first piece towards MediaGoblin federation has landed! We don’t have server-to-server federation working yet, but we do have the first parts of the Pump API in place: you can now use the Pump API as a media upload API!"

Cluetrain at Fifteen (Linux Journal)

Tuesday 26th of August 2014 11:13:55 PM
Doc Searls looks back over the fifteen years that have passed since he (along with Chris Locke, David Weinberger and Rick Levine) wrote "The Cluetrain Manifesto". "What we had in mind was much fresher to me in the Summer of 2000, when I worked with Jason Schumaker, another Linux Journal editor, on an interview about Cluetrain and its relevance to Linux. What we ended up with was too long for both the magazine and our website at the time, so the project got sidelined and eventually buried in archival directories, where it stayed until this morning, when I found it during a search for something else. Reading it, I realized that I had come across a kind of time capsule."

Tuesday's security advisory

Tuesday 26th of August 2014 03:54:47 PM
Today we have only one security advisory. Ubuntu has updated openjdk-7 (14.04: fixes a regression in a previous update).

The poisoned NUL byte, 2014 edition (Project Zero)

Tuesday 26th of August 2014 01:15:17 PM
For those interested in the gory details of a complex exploit, Google's Project Zero page describes the process of getting arbitrary code execution from a single NUL byte written to the heap by glibc in an off-by-one error. "The main point of going to all this effort is to steer industry narrative away from quibbling about whether a given bug might be exploitable or not. In this specific instance, we took a very subtle memory corruption with poor levels of attacker control over the overflow, poor levels of attacker control over the heap state, poor levels of attacker control over important heap content and poor levels of attacker control over program flow. Yet still we were able to produce a decently reliable exploit! And there’s a long history of this over the evolution of exploitation: proclamations of non-exploitability that end up being neither advisable nor correct."

Kernel prepatch 3.17-rc2

Tuesday 26th of August 2014 12:28:26 PM
Linus has released 3.17-rc2 a little later than might have been expected. "So I deviated from my normal Sunday schedule partly because there wasn't much there (I blame the KS and LinuxCon), but partly due to sentimental reasons: Aug 25 is the anniversary of the original Linux announcement ('Hello everybody out there using minix'), so it's just a good day for release announcements."

LinuxCon and CloudOpen 2014 Keynote Videos Available

Monday 25th of August 2014 08:52:38 PM
Videos of the keynotes for LinuxCon NA and CloudOpen are available. "The event started Wednesday, Aug. 20, with Executive Director Jim Zemlin's “State of Linux” keynote at 9 a.m. Central, followed by a panel discussion of Linux kernel developers that included Linux Creator Linus Torvalds."

Security advisories for Monday

Monday 25th of August 2014 05:04:34 PM

CentOS has updated mod_wsgi (C7: privilege escalation).

Debian has updated mediawiki (two vulnerabilities) and python-django (multiple vulnerabilities).

Fedora has updated file (F20: denial of service), fish (F20; F19: multiple vulnerabilities), libserf (F20: information leak), pen (F20: unspecified vulnerability), php-htmlpurifier-htmlpurifier (F20; F19: "Hash Length Extension" attack), phpMyAdmin (F20: multiple vulnerabilities), ppp (F20: privilege escalation), rubygem-activerecord (F20; F19: SQL injection), struts (F20: code execution), wordpress (F19: multiple vulnerabilities), and xen (F20; F19: denial of service).

Mageia has updated ansible (MG4: multiple vulnerabilities), bugzilla (cross-site request forgery), busybox (denial of service/possible code execution), jakarta-commons-httpclient (MG4; MG3: SSL server spoofing), and mednafen (denial of service/possible code execution).

openSUSE has updated IPython (13.1, 12.3: code execution), libgcrypt (13.1, 12.3: side-channel attack), and libserf, subversion (13.1, 12.3: multiple vulnerabilities).

Oracle has updated mod_wsgi (OL7: privilege escalation).

Red Hat has updated mod_wsgi (RHEL7: privilege escalation).

[$] Kernel.org news: two-factor authentication and more

Monday 25th of August 2014 04:33:38 PM
Kernel developers depend heavily on kernel.org for the hosting of Git repositories and the management of patch flow in general, so it is not surprising that the annual Kernel Summit sets aside a slot to discuss what is happening with this site. In recent years, there has been a lot of change to discuss, mostly relating to the reorganization of kernel.org management resulting from the compromise of the site in 2011. The 2014 kernel.org discussion, run by Konstantin Ryabitsev, shows that, in a lot of ways, the pace of change is slowing, but the kernel.org maintainers are still working to improve their support and make it more secure.

More in Tux Machines

KDE: Simple by Default, Powerful When Needed

KDE (back when it was still the name of the desktop environment) and our applications historically stood for powerful features and great flexibility and customizability. This is what our users love about our software, this is why they choose Plasma and KDE software instead of one of the other Free desktop offerings. And it is also something they would fight tooth and nail for if we wanted to take it away (as many a KDE maintainer who dared to remove a feature he thought was unnecessary can tell).

BitTorrent Bleep alpha released for Android

As an alpha it still has some issues: “As with any Alpha, there are some known issues and bugs to work out. Android users will need to set the app to “Wi-Fi Only” unless you have an unlimited data plan; this is only for the time being while we iron out an issue related to battery and data-plan. And while you can move a username from desktop to mobile, Bleep does not yet support moving an existing account from Android to the desktop. And while you can receive messages on multiple devices, messages sent will not be seen across all devices. As with our previous release, communications happen only when all parties are online – you cannot send offline photos or group chats asynchronously.”

During Akademy 2014

This year there were a lot of fast track (10 minutes) talks on different areas around KDE. All of them were quite interesting; some of them are: Bruno Coudoin talked about how and why GCompris moved to QtQuick with the support of KDE, and what challenges the project faced while moving from GTK to Qt. Daniel Vrátil talked about his one-year journey with Akonadi. Martin Gräßlin gave an overview of the current state of KWin in adding Wayland support and future plans. Kevin Ottens talked about KDE craftsmen, where the analysis was on the way we handle our software production and how we can make our software even better. Kai Uwe Broulik talked about the current status of the Qt port on Android and iOS. Currently, there are 3 iOS apps in the Apple store and 8 Android apps in Google Play since December 2013.

Leftovers: Software