LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security updates for Monday

Monday 6th of March 2017 05:16:53 PM
Security updates have been issued by Arch Linux (curl), CentOS (ipa, kernel, and qemu-kvm), Debian (munin, ruby-zip, and zabbix), Fedora (bind99, gtk-vnc, jenkins, jenkins-remoting, kdelibs, kf5-kio, libcacard, libICE, libXdmcp, and vim), openSUSE (php5), Oracle (kernel), Red Hat (ansible and openshift-ansible and rpm-ostree and rpm-ostree-client), and Ubuntu (munin).

Kernel prepatch 4.11-rc1

Monday 6th of March 2017 05:22:42 AM
The first 4.11 kernel prepatch is out, and the merge window is closed for this development cycle. "This looks like a fairly regular release. It's on the smallish side, but mainly just compared to 4.9 and 4.10 - so it's not really _unusually_ small (in recent kernels, 4.1, 4.3, 4.5, 4.7 and now 4.11 all had about the same number of commits in the merge window)." There were 10,960 non-merge commits pulled in the end, so it's definitely not unusually small.

How Threat Modeling Helps Discover Security Vulnerabilities (Red Hat Security Blog)

Friday 3rd of March 2017 08:19:29 PM
Over at the Red Hat Security Blog, Hooman Broujerdi looks at threat modeling as a tool to help create more secure software. "Threat modeling is a systematic approach for developing resilient software. It identifies the security objective of the software, threats to it, and vulnerabilities in the application being developed. It will also provide insight into an attacker's perspective by looking into some of the entry and exit points that attackers are looking for in order to exploit the software. [...] Although threat modeling appears to have proven useful for eliminating security vulnerabilities, it seems to have added a challenge to the overall process due to the gap between security engineers and software developers. Because security engineers are usually not involved in the design and development of the software, it often becomes a time consuming effort to embark on brainstorming sessions with other engineers to understand the specific behavior, and define all system components of the software specifically as the application gets complex. [...] While it is important to model threats to a software application in the project life cycle, it is particularly important to threat model legacy software because there's a high chance that the software was originally developed without threat models and security in mind. This is a real challenge as legacy software tends to lack detailed documentation. This, specifically, is the case with open source projects where a lot of people contribute, adding notes and documents, but they may not be organized; consequently making threat modeling a difficult task."

Francis: The story of Firefox OS

Friday 3rd of March 2017 03:49:25 PM
Ben Francis has posted a detailed history of the Firefox OS project. "For me it was never about Firefox OS being the third mobile platform. It was always about pushing the limits of web technologies to make the web a more competitive platform for app development. I think we certainly achieved that, and I would argue our work contributed considerably to the trends we now see around Progressive Web Apps. I still believe the web will win in the end."

Security updates for Friday

Friday 3rd of March 2017 02:34:09 PM
Security updates have been issued by Debian (munin), Fedora (kernel, libXdmcp, and xrdp), Mageia (ming, quagga, util-linux, and webkit2), Oracle (ipa, kernel, and qemu-kvm), Red Hat (ipa, kernel, kernel-rt, python-oslo-middleware, and qemu-kvm), Scientific Linux (ipa, kernel, and qemu-kvm), and Ubuntu (munin, php7, and w3m).

FSFE: What happened in Munich

Friday 3rd of March 2017 12:30:13 AM
The Free Software Foundation Europe has put out a release providing its view of the decision in Munich to possibly back away from its free-software-based infrastructure. "Since this decision was reached, the majority of media have reported that a final call was made to halt LiMux and switch back to Microsoft software. This is, however, not an accurate representation of the outcome of the city council meeting. We studied the available documentation and our impression is that the last word has not been spoken."

Security updates for Thursday

Thursday 2nd of March 2017 03:01:07 PM
Security updates have been issued by Debian (imagemagick, libquicktime, munin, and qemu), Fedora (cxf, netpbm, and vim), openSUSE (ImageMagick, php7, and util-linux), and Red Hat (kernel and openstack-puppet-modules).

LWN.net Weekly Edition for March 2, 2017

Thursday 2nd of March 2017 02:12:19 AM
The LWN.net Weekly Edition for March 2, 2017 is available.

Security updates for Wednesday

Wednesday 1st of March 2017 04:35:43 PM
Security updates have been issued by CentOS (qemu-kvm), Debian (bind9, libquicktime, mupdf, qemu-kvm, and tnef), Fedora (mupdf, rpm, tomcat, util-linux, and xen), openSUSE (gstreamer and gstreamer-plugins-base), Oracle (qemu-kvm), Red Hat (qemu-kvm), Scientific Linux (qemu-kvm), SUSE (kernel and xen), and Ubuntu (libgd2).

MySQL 8 is coming (Opensource.com)

Tuesday 28th of February 2017 07:42:14 PM
Opensource.com takes a look at changes to MySQL 8.0. "Ever open up a directory of a MySQL schema and see all those files—.frm, .myi, .myd, and the like? Those files hold some of the metadata on the database schemas. Twenty years ago, it was a good way to go, but InnoDB is a crash proof storage engine and can hold all that metadata safely. This means file corruption of a .frm file is not going to stall your work. Developers also removed the file system's maximum number of files as the limiting factor to your number of databases; you can now literally have millions of tables in your database."

[$] The case of the prematurely freed SKB

Tuesday 28th of February 2017 07:41:11 PM
CVE-2017-6074 is the vulnerability identifier for a use-after-free bug in the kernel's network stack. This vulnerability is apparently exploitable in local privilege-escalation attacks. The problem, introduced in 2005, is easily fixed, but it points at a couple of shortcomings in the kernel development process; as a result, it would not be surprising if more bugs of this variety were to turn up in the near future.

Security updates for Tuesday

Tuesday 28th of February 2017 04:58:51 PM
Security updates have been issued by Debian (apache2, libplist, and tnef), Fedora (firebird, kernel, and vim), Red Hat (java-1.6.0-ibm, java-1.7.0-ibm, java-1.7.1-ibm, kernel, and qemu-kvm-rhev), SUSE (php53 and xen), and Ubuntu (tiff).

Subversion SHA1 collision problem statement

Tuesday 28th of February 2017 04:27:23 PM
Users of the Subversion source-code management system may want to take a look at this post from Mark Phippard. He explains how hash collisions can corrupt a repository and a couple of short-term workarounds. "The quick summary if you do not want to read this entire post is that the problem is really not that bad. If you run into it there are solutions to resolve it and you are not going to run into it in normal usage. There will also likely be some future updates to Subversion that avoid it entirely so if you regularly update your server and client when new releases come out you are probably safe not doing anything and just waiting for an update to happen."

[$] Moving Git past SHA-1

Monday 27th of February 2017 06:56:43 PM
The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.
