LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 6 hours 25 min ago

Thursday's security updates

Thursday 4th of December 2014 06:20:23 PM

CentOS has updated firefox (C5; C6; C7: multiple vulnerabilities), nss (C5; C6; C7: protocol downgrade), thunderbird (C5; C6: multiple vulnerabilities), and wpa_supplicant (C7: command execution).

Debian has updated iceweasel (multiple vulnerabilities), jasper (code execution), qemu (privilege escalation), qemu-kvm (privilege escalation), and tcpdump (multiple vulnerabilities).

Fedora has updated firefox (F20: multiple vulnerabilities), tcpdump (F19: multiple vulnerabilities), teeworlds (F19; F20: denial of service), thunderbird (F20: multiple vulnerabilities), util-linux (F20: command injection), and wireshark (F20: multiple vulnerabilities).

Mageia has updated firefox, thunderbird (M4: multiple vulnerabilities), libreoffice (M4: code execution), mediawiki (M4: multiple vulnerabilities), and sddm (M4: multiple vulnerabilities).

Oracle has updated firefox (O5; O6: multiple vulnerabilities) and wpa_supplicant (O7: command execution).

Red Hat has updated wget (RHEL6.5: code execution) and wpa_supplicant (RHEL7: command execution).

Scientific Linux has updated firefox (multiple vulnerabilities), nss, nss-util, nss-softokn (protocol downgrade), thunderbird (SL6: multiple vulnerabilities), and wpa_supplicant (SL7: command execution).

Ubuntu has updated eglibc, glibc (10.04, 12.04, 14.04, 14.10: multiple vulnerabilities), tcpdump (10.04, 12.04, 14.04, 14.10: multiple vulnerabilities), and thunderbird (12.04, 14.04, 14.10: multiple vulnerabilities).

[$] LWN.net Weekly Edition for December 4, 2014

Thursday 4th of December 2014 01:21:21 AM
The LWN.net Weekly Edition for December 4, 2014 is available.

[$] Moving some of Python to GitHub?

Wednesday 3rd of December 2014 06:06:47 PM
Over the years, Python's source repositories have moved a number of times, from CVS on SourceForge to Subversion at Python.org and, eventually, to Mercurial (aka hg), still on Python Software Foundation (PSF) infrastructure. But the new Python.org site code lives at GitHub (thus in a Git repository) and it looks like more pieces of Python's source may be moving in that direction. While some are concerned about moving away from a Python-based DVCS (i.e. Mercurial) into a closed-source web service, there is a strong pragmatic streak in the Python community that may be winning out.

Security advisories for Wednesday

Wednesday 3rd of December 2014 05:46:19 PM

Debian has updated wordpress (multiple vulnerabilities).

Fedora has updated drupal6 (F20; F19: two vulnerabilities), drupal7 (F20; F19: denial of service), lsyncd (F20; F19: command injection), mariadb-galera (F20: multiple vulnerabilities), and wordpress (F20; F19: multiple vulnerabilities).

Oracle has updated firefox (OL7: multiple vulnerabilities), nss (OL7; OL6; OL5: man-in-the-middle attack), and thunderbird (OL6: multiple vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), kernel-rt (RHE MRG: multiple vulnerabilities), mariadb-galera (RHEL OSP for RHEL7; RHEL OSP for RHEL6: multiple vulnerabilities), nss (RHEL5,6,7: man-in-the-middle attack), openstack-neutron (RHEL OSP for RHEL7; RHEL OSP for RHEL6: denial of service), openstack-trove (RHEL OSP for RHEL7: information disclosure), qemu-kvm-rhev (RHEL OSP for RHEL7: information leak), and thunderbird (RHEL5,6,7: multiple vulnerabilities).

Slackware has updated mozilla (multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: code execution), IBM Java (SLE11 SP2: multiple vulnerabilities), and java-1_7_1-ibm (SLE12: multiple vulnerabilities).

Ubuntu has updated firefox (14.10, 14.04, 12.04: multiple vulnerabilities) and mod-wsgi (14.10, 14.04, 12.04: privilege escalation).

Announcing netdev 0.1

Tuesday 2nd of December 2014 09:19:13 PM
"Netdev" is a new conference aimed at networking developers; it will be held February 14 to 17 in balmy Ottawa, Canada. The call for papers is open now, with a submission deadline of January 10. "Netdev 0.1 (year 0, conference 1) is a community-driven conference geared towards Linux netheads. Linux kernel networking and user space utilization of the interfaces to the Linux kernel networking subsystem are the focus. If you are using Linux as a boot system for proprietary networking, then this conference may not be for you."

Update: the conference organizers have posted more information on the CFP and the types of proposals they are looking for.

The Impact of the Linux Philosophy (Opensource.com)

Tuesday 2nd of December 2014 09:04:35 PM
Starting with the premise that all operating systems have a philosophy, this article on Opensource.com looks at the Linux philosophy and how it differs from other operating systems. "Imagine for a moment the chaos and frustration that would result from attempting to use a nail gun that asked you if you really wanted to shoot that nail and would not allow you to pull the trigger until you said the word “yes” aloud. Linux allows you to use the nail gun as you choose. Other operating systems let you know that you can use nails but don't tell you what tool is used to insert the nails let alone allow you to put your own finger on the trigger."

LCA 2015 and InternetNZ Diversity Program

Tuesday 2nd of December 2014 08:44:38 PM
LCA 2015 and InternetNZ are supporting diversity at linux.conf.au. "The InternetNZ Diversity Programme is one of the many ways we ensure that the LCA 2015 continues to be an open and welcoming conference for everyone. Together with InternetNZ this program has been created to assist under-represented delegates who contribute to the Open Source community but, without financial assistance, would not be able to attend LCA 2015."

Security updates for Tuesday

Tuesday 2nd of December 2014 06:03:28 PM

Debian has updated openvpn (denial of service).

Fedora has updated curl (F20: information leak), erlang (F20: command injection), phpMyAdmin (F20; F19: multiple vulnerabilities), python-django14 (F20; F19: multiple vulnerabilities), python-eyed3 (F20; F19: insecure tmpfile use), wget (F19: symlink attack), and xen (F20; F19: multiple vulnerabilities).

Mageia has updated gnome-shell (lock screen bypass), tcpdump (two vulnerabilities), and teeworlds (information leak).

Scientific Linux has updated ruby (SL7; SL6: multiple vulnerabilities).

Ubuntu has updated openvpn (14.10, 14.04, 12.04: denial of service).

New features in Git 2.2.0

Tuesday 2nd of December 2014 02:15:23 PM
The "Atlassian Developers" site has a summary of interesting features in the recent Git 2.2.0 release, including signed pushes. "This is an important step in preventing man-in-the-middle attacks and any other unauthorized updates to your repository's refs. git push has learnt the --signed flag which applies your GPG signature to a "push certificate" sent over the wire during the push invocation. On the server-side, git receive-pack (the command that handles incoming git pushes) has learnt to verify GPG-signed push certificates. Failed verifications can be used to reject pushes and those that succeed can be logged in a file to provide an audit log of when and who pushed particular ref updates or objects to your git server."

Firefox 34 released

Monday 1st of December 2014 08:00:29 PM
Mozilla has released Firefox 34. This version changes the default search engine, includes the Firefox Hello real-time communication client, implements HTTP/2 (draft14) and ALPN, disables SSLv3, and more. See the release notes for details.

Rocket, a new container runtime from CoreOS

Monday 1st of December 2014 07:02:00 PM
CoreOS has announced that it is moving away from Docker and toward "Rocket," a new container runtime that it has developed. "Unfortunately, a simple re-usable component is not how things are playing out. Docker now is building tools for launching cloud servers, systems for clustering, and a wide range of functions: building images, running images, uploading, downloading, and eventually even overlay networking, all compiled into one monolithic binary running primarily as root on your server. The standard container manifesto was removed. We should stop talking about Docker containers, and start talking about the Docker Platform. It is not becoming the simple composable building block we had envisioned."

[$] A preview of darktable 1.6

Monday 1st of December 2014 06:43:32 PM

The darktable project recently announced the first release-candidate (RC) builds for its upcoming version 1.6 release. The new version will add a slideshow presentation tool to darktable's primary photo-editing features, plus several new image operations and support for new digital cameras. This time, several of the additions add to darktable's automatic adjustment capabilities, making the application a bit more friendly for users who are new to high-end photo editing.


Security advisories for Monday

Monday 1st of December 2014 05:37:52 PM

CentOS has updated ruby (C7; C6: multiple vulnerabilities).

Debian has updated flac (multiple vulnerabilities), libvncserver (multiple vulnerabilities), mutt (denial of service), openjdk-7 (multiple vulnerabilities), and ppp (privilege escalation).

Mageia has updated flac (multiple vulnerabilities) and geary (TLS certificate issues).

SUSE has updated IBM Java (SLE11 SP3: multiple vulnerabilities).

Ubuntu has updated ppp (privilege escalation).

Kernel prepatch 3.18-rc7

Monday 1st of December 2014 01:13:28 PM
The 3.18-rc7 prepatch is out. Linus seems happy enough, despite the persistent lockup problem that has defied all debugging attempts so far. "At the same time, with the holidays coming up, and the problem _not_ being a regression, I suspect that what will happen is that I'll release 3.18 on time in a week, because delaying it will either mess up the merge window and the holiday season, or I'd have to delay it a *lot*."
