Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 1 hour 52 min ago

Z-Wave protocol specification now public

Friday 2nd of September 2016 10:58:35 PM

The Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.

Friday's security updates

Friday 2nd of September 2016 03:43:20 PM

Arch Linux has updated chromium (multiple vulnerabilities) and webkit2gtk (multiple vulnerabilities).

Debian has updated libidn (multiple vulnerabilities).

Debian-LTS has updated mailman (password disclosure).

Fedora has updated canl-c (F24; F23: proxy manipulation), krb5 (F23: denial of service), libksba (F24: denial of service), openvpn (F23: information disclosure), tomcat (F24; F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities).

openSUSE has updated karchive (SLE12: command execution).

Oracle has updated ipa (O7; O6: denial of service).

Suspect in kernel.org breakin arrested

Friday 2nd of September 2016 02:08:15 PM
The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. "[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers."

Contemplating the possible retirement of Apache OpenOffice

Friday 2nd of September 2016 07:02:15 AM
Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In responses to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is the PMC been requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.)

Also of interest is this note on how the handling of CVE-2016-1513 went.

OpenBSD 6.0

Thursday 1st of September 2016 08:54:59 PM
OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. Also in this release, new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.

Thursday's security updates

Thursday 1st of September 2016 03:08:51 PM

Debian-LTS has updated cacti (authentication bypass).

Mageia has updated eog (M5: out-of-bounds write), python3/python (M5: HTTPoxy attack), redis (M5: information leak), and webkit2 (M5: multiple vulnerabilities).

openSUSE has updated cracklib (Leap 42.1: code execution), gd (13.2: out-of-bounds read), and libgcrypt (13.2: flawed random number generation).

Red Hat has updated ipa (RHEL 6,7: denial of service).

Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).

Building a new Tor that can resist next-generation state surveillance (ars technica)

Thursday 1st of September 2016 09:07:23 AM
Here's a lengthy ars technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."

[$] LWN.net Weekly Edition for September 1, 2016

Thursday 1st of September 2016 01:39:30 AM
The LWN.net Weekly Edition for September 1, 2016 is available.

[$] The kernel community confronts GPL enforcement

Wednesday 31st of August 2016 07:11:04 PM
Some of the most important discussions associated with the annual Kernel Summit do not happen at the event itself; instead, they unfold prior to the summit on the planning mailing list. There is value in learning what developers feel needs to be talked about and, often, important issues can be resolved before the summit itself takes place. That list has just hosted (indeed, is still hosting as of this writing) a voluminous discussion on license enforcement that was described by some participants as being "pointless" or worse. But that discussion has served a valuable purpose: it has brought to the light a debate that has long festered under the surface, and it has clarified where some of the real disagreements lie.

Apache OpenOffice CVE-2016-1513 hotfix released

Wednesday 31st of August 2016 05:45:51 PM
LWN covered a memory corruption vulnerability (CVE-2016-1513) in Apache OpenOffice that was disclosed before a fix was available. Now a hotfix for the problem has been released. "The official Apache OpenOffice security bulletin was announced on July 21, 2016. Affected is Apache OpenOffice 4.1.2 and older on all platforms and all languages. OpenOffice.org versions are also affected. The Apache OpenOffice project recommends to update to the latest version 4.1.2 and then to download and install the Zip file from the table below. Please follow the installation instructions in the respective Readme file." (Thanks to Cesar Eduardo Barros)

Security advisories for Wednesday

Wednesday 31st of August 2016 04:48:40 PM

Arch Linux has updated mupdf (denial of service).

Debian has updated libarchive (multiple vulnerabilities) and tryton-server (two vulnerabilities).

Debian-LTS has updated tiff (multiple vulnerabilities).

Fedora has updated krb5 (F23: denial of service).

Mageia has updated bsdiff (denial of service), ctdb (privilege escalation), curl (three vulnerabilities), fontconfig (privilege escalation), gnupg/libgcrypt (flawed random number generation), kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), mupdf (denial of service), nettle/nettle2.7 (information leak), openssh (three vulnerabilities), php (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), postgresql (two vulnerabilities), and python-django (cross-site scripting).

openSUSE has updated libqt4 (Leap42.1: unsafe SSL ciphers).

Red Hat has updated rh-postgresql94-postgresql (RHSCL: two vulnerabilities).

SUSE has updated firefox (SLE11-SP4: multiple vulnerabilities).

Ubuntu has updated linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), and linux-snapdragon (16.04: multiple vulnerabilities).

More in Tux Machines

Proxmox VE 4.3 released

Proxmox Server Solutions GmbH today announced the general availability of Proxmox Virtual Environment 4.3. The hyper-converged open source server virtualization solution enables users to create and manage LXC containers and KVM virtual machines on the same host, and makes it easy to set up highly available clusters as well as to manage network and storage via an integrated web-based management interface. The new version of Proxmox VE 4.3 comes with a completely new comprehensive reference documentation. The new docu framework allows a global as well as contextual help function. Proxmox users can access and download the technical documentation via the central help-button (available in various formats like html, pdf and epub). A main asset of the new documentation is that it is always version specific to the current user’s software version. Opposed to the global help, the contextual help-button shows the user the documentation part he currently needs. Read more

Games for GNU/Linux

Security News

  • Tuesday's security updates
  • New Open Source Linux Ransomware Divides Infosec Community
    Following our investigation into this matter, and seeing the vitriol-filled reaction from some people in the infosec community, Zaitsev has told Softpedia that he decided to remove the project from GitHub, shortly after this article's publication. The original, unedited article is below.
  • Fax machines' custom Linux allows dial-up hack
    Party like it's 1999, phreakers: a bug in Epson multifunction printer firmware creates a vector to networks that don't have their own Internet connection. The exploit requirements are that an attacker can trick the victim into installing malicious firmware, and that the victim is using the device's fax line. The firmware is custom Linux, giving the printers a familiar networking environment for bad actors looking to exploit the fax line as an attack vector. Once they're in that ancient environment, it's possible to then move onto the network to which the the printer's connected. Yves-Noel Weweler, Ralf Spenneberg and Hendrik Schwartke of Open Source Training in Germany discovered the bug, which occurs because Epson WorkForce multifunction printers don't demand signed firmware images.
  • Google just saved the journalist who was hit by a 'record' cyberattack
    Google just stepped in with its massive server infrastructure to run interference for journalist Brian Krebs. Last week, Krebs' site, Krebs On Security, was hit by a massive distributed denial-of-service (DDoS) attack that took it offline, the likes of which was a "record" that was nearly double the traffic his host Akamai had previously seen in cyberattacks. Now just days later, Krebs is back online behind the protection of Google, which offers a little-known program called Project Shield to help protect independent journalists and activists' websites from censorship. And in the case of Krebs, the DDoS attack was certainly that: The attempt to take his site down was in response to his recent reporting on a website called vDOS, a service allegedly created by two Israeli men that would carry out cyberattacks on behalf of paying customers.
  • Krebs DDoS aftermath: industry in shock at size, depth and complexity of attack
    “This attack didn’t stop, it came in wave after wave, hundreds of millions of packets per second,” says Josh Shaul, Akamai’s vice president of product management, when Techworld spoke to him. “This was different from anything we’ve ever seen before in our history of DDoS attacks. They hit our systems pretty hard.” Clearly still a bit stunned, Shaul describes the Krebs DDoS as unprecedented. Unlike previous large DDoS attacks such as the infamous one carried out on cyber-campaign group Spamhaus in 2013, this one did not use fancy amplification or reflection to muster its traffic. It was straight packet assault from the old school.
  • iOS 10 makes it easier to crack iPhone back-ups, says security firm
    INSECURITY FIRM Elcomsoft has measured the security of iOS 10 and found that the software is easier to hack than ever before. Elcomsoft is not doing Apple any favours here. The fruity firm has just launched the iPhone 7, which has as many problems as it has good things. Of course, there are no circumstances when vulnerable software is a good thing, but when you have just launched that version of the software, it is really bad timing. Don't hate the player, though, as this is what Elcomsoft, and what Apple, are supposed to be doing right. "We discovered a major security flaw in the iOS 10 back-up protection mechanism. This security flaw allowed us to develop a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) back-ups made by iOS 10 devices," said Elcomsoft's Oleg Afonin in a blog post.
  • After Tesla: why cybersecurity is central to the car industry's future
    The news that a Tesla car was hacked from 12 miles away tells us that the explosive growth in automotive connectivity may be rapidly outpacing automotive security. This story is illustrative of two persistent problems afflicting many connected industries: the continuing proliferation of vulnerabilities in new software, and the misguided view that cybersecurity is separate from concept, design, engineering and production. This leads to a ‘fire brigade approach’ to cybersecurity where security is not baked in at the design stage for either hardware or software but added in after vulnerabilities are discovered by cybersecurity specialists once the product is already on the market.

Ofcom blesses Linux-powered, open source DIY radio ‘revolution’

Small scale DAB radio was (quite literally) conceived in an Ofcom engineer’s garden shed in Brighton, on a Raspberry Pi, running a full open source stack, in his spare time. Four years later, Ofcom has given the thumbs up to small scale DAB after concluding that trials in 10 UK cities were judged to be a hit. We gave you an exclusive glimpse into the trials last year, where you could compare the specialised proprietary encoders with the Raspberry Pi-powered encoders. “We believe that there is a significant level of demand from smaller radio stations for small scale DAB, and that a wider roll-out of additional small scale services into more geographic areas would be both technically possible and commercially sustainable,” notes Ofcom. Read more