LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security advisories for Wednesday

Wednesday 13th of January 2016 05:04:17 PM

Arch Linux has updated libxslt (denial of service).

Debian has updated isc-dhcp (denial of service).

Debian-LTS has updated claws-mail (code execution).

Fedora has updated openvpn (F22: multiple vulnerabilities), pitivi (F22: code execution), and shotwell (F23; F22: validate TLS certificates).

openSUSE has updated ffmpeg (Leap42.1: multiple vulnerabilities).

Slackware has updated dhcp (denial of service).

Ubuntu has updated isc-dhcp (denial of service) and libvirt (multiple vulnerabilities).

[$] User namespaces + overlayfs = root privileges

Wednesday 13th of January 2016 03:24:13 PM
The user namespaces feature is conceptually fairly straightforward—allow users to run as root in their own space, while limiting their privileges on the system outside that space—but the implementation has, perhaps unsurprisingly, proven to be quite tricky. There are some assumptions about user IDs and how they operate that are deeply wired into the kernel in various subsystems; shaking those out has taken some time, which led to some hesitation about enabling the feature in distribution kernels. But that reluctance has largely passed at this point, which makes the recent discovery of a root-privilege escalation using user namespaces and the overlay filesystem (overlayfs) that much more dangerous.


Ardour 4.6 released

Tuesday 12th of January 2016 11:44:32 PM
Version 4.6 of the Ardour audio editor is available. "4.6 includes some notable new features - deep support for the Presonus FaderPort control surface, Track/Bus duplication, a new Plugin sidebar for the Mixer window - as well as the usual dozens of fixes and improvements to all aspects of the application, particularly automation editing." The full list of enhancements is quite long; see the announcement for details.

Tuesday's security advisories

Tuesday 12th of January 2016 05:39:35 PM

Fedora has updated kernel (F23: multiple vulnerabilities), lighttpd (F23; F22: denial of service), nghttp2 (F22: code execution), qemu (F23: multiple vulnerabilities), and wireshark (F23: multiple vulnerabilities).

Mageia has updated bugzilla (multiple vulnerabilities), claws-mail (code execution), mariadb (multiple vulnerabilities), openvpn (multiple vulnerabilities), python-rsa (signature forgery), and ruby (code execution).

Red Hat has updated kernel (RHEL6.6: two vulnerabilities).

Ubuntu has updated oxide-qt (15.10, 15.04, 14.04: multiple vulnerabilities).

Ansible 2.0 released

Tuesday 12th of January 2016 04:05:40 PM
Version 2.0 of the Ansible configuration management system has been released. "This is by far one of the most ambitious Ansible releases to date, and it reflects an enormous amount of work by the community, which continues to amaze me. Approximately 300 users have contributed code to what has been known as 'v2' for some time, and 500 users have contributed code to modules since the last major Ansible release." New features include playbook-level exception handling, better error diagnostics, a new set of OpenStack modules, and more. See the changelog for more (terse) details.

Top 10 open source legal developments in 2015 (Opensource.com)

Tuesday 12th of January 2016 02:19:03 PM
Mark Radcliffe writes about important legal developments from 2015, including the first ruling on GPLv3 (in Germany): "In this case, the user cured its breach within the necessary period, but refused to sign a 'cease and desist' declaration which was sought by the plaintiff to ensure that the defendant would have an incentive not to breach the terms of the GPLv3 again. The court ruled that the reinstatement provision in Section 8 did not eliminate the plaintiff's right to a preliminary injunction to prevent further infringements, particularly if the defendant had refused to sign the plaintiff's cease-and-desist declaration."

Mozilla shutting down Persona

Tuesday 12th of January 2016 01:56:02 PM
Mozilla has announced that it will be shutting down the persona.org authentication service in November. It has been two years since Persona was "transitioned to community ownership"; now the other shoe has dropped. "Due to low, declining usage, we are reallocating the project’s dedicated, ongoing resources and will shut down the persona.org services that we run. Persona.org and related domains will be taken offline on November 30th, 2016." There is a set of "shutdown guidelines" to help sites still using Persona to transition to something else. (LWN looked at Persona in 2013).

US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

Monday 11th of January 2016 08:34:23 PM
Netcraft reports that the US Department of Defense (DoD) is still issuing SHA-1 signed certificates, and using them to secure connections to .mil websites. "The DoD is America's largest government agency, and is tasked with protecting the security of its country, which makes its continued reliance on SHA-1 particularly remarkable. Besides the well known security implications, this reliance could already prove problematic amongst the DoD's millions of employees. For instance, Mozilla Firefox 43 began rejecting all new SHA-1 certificates issued since 1 January 2016. When it encountered one of these certificates, the browser displayed an Untrusted Connection error, although this could be overridden. If DoD employees become accustomed to ignoring such errors, it could become much easier to carry out man-in-the-middle attacks against them."

Security updates for Monday

Monday 11th of January 2016 06:42:38 PM

Arch Linux has updated dhcpcd (denial of service), gajim (man-in-the-middle), wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), wireshark-qt (multiple vulnerabilities), and wordpress (cross-site scripting).

Debian has updated gnutls26 (signature forgery), openssl (signature forgery), perl (returns untainted strings), prosody (two vulnerabilities), sudo (privilege escalation), and xscreensaver (denial of service).

Debian-LTS has updated icu (information leak) and sudo (privilege escalation).

Fedora has updated kea (F23: denial of service), mod_nss (F23: enables insecure ciphersuites), and rsync (F23: unsafe destination path).

Mageia has updated armagetron (two vulnerabilities), kernel (multiple vulnerabilities), phpmyadmin (installation path disclosure), pitivi (code execution), and rtmpdump (code execution).

openSUSE has updated phpMyAdmin (Leap42.1, 13.2, 13.1: installation path disclosure), pitivi (Leap42.1, 13.2: code execution), and rubygem-mail (Leap42.1, 13.2: SMTP injection).

Oracle has updated kernel 3.8.13 (OL7; OL6: denial of service), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities), and kernel 2.6.32 (OL6; OL5: multiple vulnerabilities).

Red Hat has updated openstack-nova (RHELOSP5,6,7 for RHEL7; RHELOSP5 for RHEL6: information leak).

Ubuntu has updated firefox (signature forgery).

The 4.4 kernel is out

Sunday 10th of January 2016 11:48:21 PM
Linus has, as expected, announced the release of the 4.4 kernel. Some of the headline features in this release include the mlock2() system call with support for deferred memory locking, I/O polling in the block layer, the LightNVM patches for low-level control of solid-state storage devices, the ability for unprivileged users to load BPF programs into the kernel, and much more. Some more information can be found on the KernelNewbies 4.4 page.

Phoronix on Graphics

  • VLC Now Has Zero-Copy Support For GStreamer Video Decoding
    It was just last week we got to write about VLC 3.0 features and early planning for VLC 4.0 while this weekend in Git there is another feature to add to the list. The latest VLC development code now supports zero-copy GStreamer video decoding. With the zero-copy comes increased efficiency and performance.
  • NVIDIA GeForce GT 710: Trying NVIDIA's Newest Sub-$50 GPU On Linux
    The GeForce GT 710 is a cut-down version of the Kepler GK208, the already low-end core used by the lines of the GT 720 and GT 730 graphics cards as well as the mobile GT 720M/730M/735M/740M graphics processors. This really isn't a graphics card for gamers or anyone needing any serious GPU performance but rather as an upgrade for an entry-level system, someone just wanting to upgrade from their integrated graphics, and other minimally-demanding use-cases.
  • Mesa 11.2 Is Set For Branching In Just Two Weeks, Release In Just Over One Month
    The race is on to see if any of the Mesa/Gallium3D hardware drivers (or core Mesa itself) will reach any new version levels for Mesa 11.2.
  • AMD Is Looking At An Interoperability Interface For OpenCL Outside Of Mesa
    AMD's Marek Olšák has begun exploring an interoperability interface for OpenGL within Mesa and having a non-Mesa OpenCL implementation (not Clover OpenCL Gallium3D). Likely as part of their HSA work and hopefully in providing better AMD open-source OpenCL support aside from the (currently limited) Gallium3D Clover state tracker, Marek is trying to hash out an interface for allowing interoperability with "MesaGL" and a non-Mesa OpenCL driver.

FreeBSD 10.3 Now In Beta

FreeBSD developers have released today their first official development media for the upcoming FreeBSD 10.3. FreeBSD 10.3 Beta 1 is now available from their FTP server.
