LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

De Raadt: Important SSH patch coming soon

Thursday 14th of January 2016 03:03:25 PM
Theo de Raadt suggests that a significant OpenSSH security issue is about to be exposed; the message reads, in full: "Important SSH patch coming soon. For now, everyone on all operating systems, please do the following: Add undocumented 'UseRoaming no' to ssh_config or use '-oUseRoaming=no' to prevent upcoming #openssh client bug CVE-2016-0777. More later."

Update: that important patch appears to be OpenSSH 7.1p2, available now. "The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys." There are a few other security fixes there as well.

Update 2: see the Qualys advisory for vast amounts of detail.

[$] LWN.net Weekly Edition for January 14, 2016

Thursday 14th of January 2016 01:13:30 AM
The LWN.net Weekly Edition for January 14, 2016 is available.

Qt open source licensing changed

Wednesday 13th of January 2016 06:41:36 PM
The Qt Company has announced changes to the open source licensing and product structure of the Qt cross-platform application development framework. "New versions of Qt will be licensed under a commercial license, GPLv2, GPLv3, and LGPLv3, but no longer under LGPLv2.1. The updated open source licenses better ensure end user freedom when using open source licensed versions of Qt. LGPLv3 explicitly forbids the distribution of closed embedded devices. Distributing software under these terms includes a patent grant to all receivers of the software. Commercial Qt licensing removes these requirements and includes professional technical support from The Qt Company."

Security advisories for Wednesday

Wednesday 13th of January 2016 05:04:17 PM

Arch Linux has updated libxslt (denial of service).

Debian has updated isc-dhcp (denial of service).

Debian-LTS has updated claws-mail (code execution).

Fedora has updated openvpn (F22: multiple vulnerabilities), pitivi (F22: code execution), and shotwell (F23; F22: validate TLS certificates).

openSUSE has updated ffmpeg (Leap42.1: multiple vulnerabilities).

Slackware has updated dhcp (denial of service).

Ubuntu has updated isc-dhcp (denial of service) and libvirt (multiple vulnerabilities).

[$] User namespaces + overlayfs = root privileges

Wednesday 13th of January 2016 03:24:13 PM
The user namespaces feature is conceptually fairly straightforward—allow users to run as root in their own space, while limiting their privileges on the system outside that space—but the implementation has, perhaps unsurprisingly, proven to be quite tricky. There are some assumptions about user IDs and how they operate that are deeply wired into the kernel in various subsystems; shaking those out has taken some time, which led to some hesitation about enabling the feature in distribution kernels. But that reluctance has largely passed at this point, which makes the recent discovery of a root-privilege escalation using user namespaces and the overlay filesystem (overlayfs) that much more dangerous.

Subscribers can click below for the full story from this week's edition.
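The precondition for the escalation described above is that an ordinary user can create a user namespace at all, which is exactly the distribution decision the article refers to. The probe below is an added example written for this page, not code from the LWN article or from the kernel's own test suite; it checks that precondition and shows the "root in your own space" mapping concretely. It assumes util-linux unshare(1) with the -U and -r options (2.26 or later), and notes that the kernel.unprivileged_userns_clone sysctl exists only on Debian and Ubuntu patched kernels. Function names are the editor's own.

```sh
#!/bin/sh
# Added example (editor's code, not from the LWN article): does this kernel let
# an unprivileged user create a user namespace? That is the attack surface the
# userns + overlayfs escalation needs. Assumes util-linux unshare(1) >= 2.26
# (-U creates a user namespace, -r maps the caller to uid 0 inside it).

# userns_probe: 0 if the caller can create a user namespace and is uid 0
# inside it, 1 if the kernel (or a seccomp/container policy) refuses,
# 2 if unshare(1) is not installed.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || return 2
    inside=$(unshare -U -r id -u 2>/dev/null) || return 1
    [ "$inside" = 0 ]
}

# userns_uid_map: print the new namespace's uid_map. A single line
# "0 <your uid> 1" is the whole idea: uid 0 inside maps to you outside,
# and no other uid is mapped at all.
userns_uid_map() {
    unshare -U -r cat /proc/self/uid_map 2>/dev/null
}

# userns_sysctl: Debian/Ubuntu kernels expose kernel.unprivileged_userns_clone
# (1 = enabled, 0 = root only); other kernels have no such knob, print "n/a".
userns_sysctl() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ]; then cat "$f"; else echo n/a; fi
}

# Usage: sh userns-probe.sh probe   (with no argument only the functions load)
if [ "${1:-}" = "probe" ]; then
    userns_probe; rc=$?
    case $rc in
        0) echo "unprivileged user namespaces: enabled (userns attack surface exposed)"
           userns_uid_map ;;
        1) echo "unprivileged user namespaces: refused by the kernel" ;;
        2) echo "unshare(1) not found; cannot probe" ;;
    esac
    echo "kernel.unprivileged_userns_clone: $(userns_sysctl)"
fi
```

A result of 0 on a multi-user host running an affected kernel means the fix, or the distribution's sysctl to disable unprivileged user namespaces, is the thing to chase; a result of 1 is what you want to see until then. Run as root the probe is meaningless, since root may create namespaces regardless.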

Ardour 4.6 released

Tuesday 12th of January 2016 11:44:32 PM
Version 4.6 of the Ardour audio editor is available. "4.6 includes some notable new features - deep support for the Presonus FaderPort control surface, Track/Bus duplication, a new Plugin sidebar for the Mixer window - as well as the usual dozens of fixes and improvements to all aspects of the application, particularly automation editing." The full list of enhancements is quite long; see the announcement for details.

Tuesday's security advisories

Tuesday 12th of January 2016 05:39:35 PM

Fedora has updated kernel (F23: multiple vulnerabilities), lighttpd (F23; F22: denial of service), nghttp2 (F22: code execution), qemu (F23: multiple vulnerabilities), and wireshark (F23: multiple vulnerabilities).

Mageia has updated bugzilla (multiple vulnerabilities), claws-mail (code execution), mariadb (multiple vulnerabilities), openvpn (multiple vulnerabilities), python-rsa (signature forgery), and ruby (code execution).

Red Hat has updated kernel (RHEL6.6: two vulnerabilities).

Ubuntu has updated oxide-qt (15.10, 15.04, 14.04: multiple vulnerabilities).

Ansible 2.0 released

Tuesday 12th of January 2016 04:05:40 PM
Version 2.0 of the Ansible configuration management system has been released. "This is by far one of the most ambitious Ansible releases to date, and it reflects an enormous amount of work by the community, which continues to amaze me. Approximately 300 users have contributed code to what has been known as 'v2' for some time, and 500 users have contributed code to modules since the last major Ansible release." New features include playbook-level exception handling, better error diagnostics, a new set of OpenStack modules, and more. See the changelog for more (terse) details.

Top 10 open source legal developments in 2015 (Opensource.com)

Tuesday 12th of January 2016 02:19:03 PM
Mark Radcliffe writes about important legal developments from 2015, including the first ruling on GPLv3 (in Germany): "In this case, the user cured its breach within the necessary period, but refused to sign a 'cease and desist' declaration which was sought by the plaintiff to ensure that the defendant would have an incentive not to breach the terms of the GPLv3 again. The court ruled that the reinstatement provision in Section 8 did not eliminate the plaintiff's right to a preliminary injunction to prevent further infringements, particularly if the defendant had refused to sign the plaintiff's cease-and-desist declaration."

Mozilla shutting down Persona

Tuesday 12th of January 2016 01:56:02 PM
Mozilla has announced that it will be shutting down the persona.org authentication service in November. It has been two years since Persona was "transitioned to community ownership"; now the other shoe has dropped. "Due to low, declining usage, we are reallocating the project’s dedicated, ongoing resources and will shut down the persona.org services that we run. Persona.org and related domains will be taken offline on November 30th, 2016." There is a set of "shutdown guidelines" to help sites still using Persona to transition to something else. (LWN looked at Persona in 2013).

More in Tux Machines

Raspberry Pi: New NOOBS and Raspbian releases

The Release Notes are available, and don't indicate that there are very large changes in this release, just some nice incremental updates, bug fixes, and general cleanup. There may be some interesting internal changes; we'll have to wait for the official announcement to hear about that.

Tunir 0.13 is released and one year of development

I started Tunir on Jan 12 2015, which means it has more than one year of development history. At the beginning it was just a project to help me out with Fedora Cloud image testing. But it grew to a point where it is being used as the Autocloud backend to test Fedora Cloud and Vagrant images. We will soon start testing the Fedora AMI(s) too using the same. Within this one year, there were a total of 7 contributors to the project. In total it is around 1k lines of Python code. I am personally using Tunir for various other projects too. One funny thing from the commit timings: no commits on Sundays :)

Andy Rubin Unleashed Android on the World. Now Watch Him Do the Same With AI

Now that Rubin had shepherded smartphones from concept to phenomenon, they no longer held much interest. As an engineering problem, they had been solved. Sure, entrepreneurs kept launching new apps, but for someone who considered engineering an art, that was like adding a few brushstrokes atop layers of dried paint. Rubin wanted to touch canvas again, and he could see a fresh one unfurling in front of him.

Building a culture of more pluggable open source

If there is one word that often percolates conversations hailing the benefits of open source, it is choice. We often celebrate many of the 800+ Linux distributions, the countless desktops, applications, frameworks, and more. Choice, it would seem, is a good thing. Interestingly, choice is also an emotive thing.