LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
Security updates have been issued by Arch Linux (curl), CentOS (ipa, kernel, and qemu-kvm), Debian (munin, ruby-zip, and zabbix), Fedora (bind99, gtk-vnc, jenkins, jenkins-remoting, kdelibs, kf5-kio, libcacard, libICE, libXdmcp, and vim), openSUSE (php5), Oracle (kernel), Red Hat (ansible and openshift-ansible and rpm-ostree and rpm-ostree-client), and Ubuntu (munin).
The first 4.11 kernel prepatch is out, and the merge window is closed for this development cycle. "This looks like a fairly regular release. It's on the smallish side, but mainly just compared to 4.9 and 4.10 - so it's not really _unusually_ small (in recent kernels, 4.1, 4.3, 4.5, 4.7 and now 4.11 all had about the same number of commits in the merge window)." There were 10,960 non-merge commits pulled in the end, so it's definitely not unusually small.
Over at the Red Hat Security Blog, Hooman Broujerdi looks at threat modeling
as a tool to help create more secure software. "Threat modeling is a systematic approach for developing resilient software. It identifies the security objective of the software, threats to it, and vulnerabilities in the application being developed. It will also provide insight into an attacker's perspective by looking into some of the entry and exit points that attackers are looking for in order to exploit the software.
Although threat modeling appears to have proven useful for eliminating security vulnerabilities, it seems to have added a challenge to the overall process due to the gap between security engineers and software developers. Because security engineers are usually not involved in the design and development of the software, it often becomes a time-consuming effort to embark on brainstorming sessions with other engineers to understand the specific behavior, and define all system components of the software specifically as the application gets complex.
While it is important to model threats to a software application in the project life cycle, it is particularly important to threat model legacy software because there's a high chance that the software was originally developed without threat models and security in mind. This is a real challenge as legacy software tends to lack detailed documentation. This, specifically, is the case with open source projects where a lot of people contribute, adding notes and documents, but they may not be organized; consequently making threat modeling a difficult task."
Ben Francis has posted a detailed history of the Firefox OS project. "For me it was never about Firefox OS being the third mobile platform. It was always about pushing the limits of web technologies to make the web a more competitive platform for app development. I think we certainly achieved that, and I would argue our work contributed considerably to the trends we now see around Progressive Web Apps. I still believe the web will win in the end."
Security updates have been issued by Debian (munin), Fedora (kernel, libXdmcp, and xrdp), Mageia (ming, quagga, util-linux, and webkit2), Oracle (ipa, kernel, and qemu-kvm), Red Hat (ipa, kernel, kernel-rt, python-oslo-middleware, and qemu-kvm), Scientific Linux (ipa, kernel, and qemu-kvm), and Ubuntu (munin, php7, and w3m).
The Free Software Foundation Europe has put out a release providing its
view of the decision in Munich to possibly back away from its
"Since this decision was reached, the majority of media have reported
that a final call was made to halt LiMux and switch back to Microsoft
software. This is, however, not an accurate representation of the
outcome of the city council meeting. We studied the available
documentation and our impression is that the last word has not been
Security updates have been issued by Debian (imagemagick, libquicktime, munin, and qemu), Fedora (cxf, netpbm, and vim), openSUSE (ImageMagick, php7, and util-linux), and Red Hat (kernel and openstack-puppet-modules).
The LWN.net Weekly Edition for March 2, 2017 is available.
Security updates have been issued by CentOS (qemu-kvm), Debian (bind9, libquicktime, mupdf, qemu-kvm, and tnef), Fedora (mupdf, rpm, tomcat, util-linux, and xen), openSUSE (gstreamer and gstreamer-plugins-base), Oracle (qemu-kvm), Red Hat (qemu-kvm), Scientific Linux (qemu-kvm), SUSE (kernel and xen), and Ubuntu (libgd2).
Opensource.com takes a look at changes to MySQL 8.0. "Ever open up a directory of a MySQL schema and see all those files—.frm, .myi, .myd, and the like? Those files hold some of the metadata on the database schemas. Twenty years ago, it was a good way to go, but InnoDB is a crash proof storage engine and can hold all that metadata safely. This means file corruption of a .frm file is not going to stall your work. Developers also removed the file system's maximum number of files as the limiting factor to your number of databases; you can now literally have millions of tables in your database."
is the vulnerability identifier
for a use-after-free bug in the kernel's network stack. This vulnerability
is apparently exploitable in local privilege-escalation attacks. The
problem, introduced in 2005, is easily fixed, but it points at a couple of
shortcomings in the kernel development process; as a result, it would not
be surprising if more bugs of this variety were to turn up in the near
Security updates have been issued by Debian (apache2, libplist, and tnef), Fedora (firebird, kernel, and vim), Red Hat (java-1.6.0-ibm, java-1.7.0-ibm, java-1.7.1-ibm, kernel, and qemu-kvm-rhev), SUSE (php53 and xen), and Ubuntu (tiff).
Users of the Subversion source-code management system may want to take a look at this post from Mark Phippard. He explains how hash collisions can corrupt a repository and a couple of short-term workarounds. "The quick summary if you do not want to read this entire post is that the problem is really not that bad. If you run into it there are solutions to resolve it and you are not going to run into it in normal usage. There will also likely be some future updates to Subversion that avoid it entirely so if you regularly update your server and client when new releases come out you are probably safe not doing anything and just waiting for an update to
algorithm has been known for at least a decade to be
weak; while no generated hash collisions had been reported, it was assumed
that this would happen before too long. On February 23, Google announced
that it had succeeded at this task. While the technique used is
computationally expensive, this event has clarified what most developers
have known for some time: it is time to move away from SHA-1. While the
migration has essentially been completed in some areas (SSL certificates,
for example), there are still important places where it is heavily used,
including at the core of the Git source-code management system.
Unsurprisingly, the long-simmering discussion in the Git community on
moving away from SHA-1 is now at a full boil.