LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Tuesday's security advisories

Tuesday 12th of July 2016 04:19:50 PM

CentOS has updated thunderbird (C7; C6; C5: code execution).

Debian-LTS has updated drupal7 (open redirect vulnerability) and graphicsmagick (two vulnerabilities).

Fedora has updated expat (F22: multiple vulnerabilities), gnutls (F24: certificate verification vulnerability), gsi-openssh (F24: support GSI authentication), httpd (F24: authentication bypass), krb5 (F22: buffer overflow), mbedtls (F23: three vulnerabilities), pdfbox (F23: XML External Entity (XXE) attacks), pypy3 (F23; F22: two vulnerabilities), python (F22: startTLS stripping attack), python3 (F22: startTLS stripping attack), and samba (F24: crypto downgrade).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Ubuntu has updated libgd2 (multiple vulnerabilities), nspr (denial of service), and nss (denial of service).

Gräßlin: Multi-screen woes in Plasma 5.7

Monday 11th of July 2016 11:22:17 PM
On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. "Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put its panels, but does not have any meaning for normal windows. Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screen”. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it. Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry."

Two new stable kernels

Monday 11th of July 2016 08:12:01 PM
Greg Kroah-Hartman has released stable kernels 4.6.4 and 4.4.15. Both of them contain important fixes.

Security advisories for Monday

Monday 11th of July 2016 05:09:20 PM

Arch Linux has updated thunderbird (code execution).

Fedora has updated community-mysql (F24: unspecified), davfs2 (F24: unspecified), gimp (F23: use-after-free), krb5 (F23: buffer overflow), and nodejs-ws (F24; F23: denial of service).

Gentoo has updated libpcre (multiple vulnerabilities) and squid (multiple vulnerabilities).

Mageia has updated drupal (privilege escalation), libreoffice (code execution), libvirt (authentication bypass), mbedtls (three vulnerabilities), spice (two vulnerabilities), struts (two vulnerabilities), and tcpreplay (denial of service).

openSUSE has updated glibc (Leap42.1: multiple vulnerabilities), libircclient (13.1: insecure cipher suites), and thunderbird (SPH for SLE12; Leap42.1, 13.2; 13.1: multiple vulnerabilities).

Red Hat has updated thunderbird (RHEL5,6,7: code execution).

SUSE has updated GraphicsMagick (SSO1.3, SLE11-SP4: multiple vulnerabilities), ImageMagick (SLE12-SP1; SLE11-SP4: many vulnerabilities), kvm (SLES11-SP4: multiple vulnerabilities), and kernel (SLERTE12-SP1: multiple vulnerabilities).

Kernel prepatch 4.7-rc7

Monday 11th of July 2016 12:24:58 PM
Linus has released the 4.7-rc7 kernel prepatch. "Anyway, there's a couple of regressions still being looked at, but unless anything odd happens, this is going to be the last rc. However, due to my travel schedule, I won't be doing the final 4.7 next weekend, and people will have two weeks to report (and fix) any remaining bugs. Yeah, that's the ticket. My travel schedule isn't screwing anything up, instead think of it as you guys getting a BONUS WEEK! Yay!"

See the current list of reported regressions for the known issues remaining in the 4.7 kernel.

[$] Python's os.urandom() in the absence of entropy

Sunday 10th of July 2016 02:29:20 PM
Python applications, like those written in other languages, often need to obtain random data for purposes ranging from cryptographic key generation to initialization of scientific models. For years, the standard way of getting that data has been a call to os.urandom(), which is documented to "return a string of n random bytes suitable for cryptographic use." An enhancement in Python 3.5 caused a subtle change in how os.urandom() behaves on Linux systems, leading to some long, heated discussions about how randomness should be obtained in Python programs. When the dust settles, Python benevolent dictator for life (BDFL) Guido van Rossum will have the unenviable task of choosing between two competing proposals.

Portals: Using GTK+ in a Flatpak

Friday 8th of July 2016 05:09:51 PM
On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox. "Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system. Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t. Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access. Regardless of which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system. The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox."

Security updates for Friday

Friday 8th of July 2016 02:02:51 PM

Debian-LTS has updated clamav (update to 0.99.2), icu (three vulnerabilities, two from 2015), and tcpreplay (denial of service).

openSUSE has updated php5 (13.2: multiple vulnerabilities, one from 2015).

Slackware has updated samba (crypto downgrade).

LWN.net Weekly Edition for July 8, 2016

Friday 8th of July 2016 01:23:28 AM
The LWN.net Weekly Edition for July 8, 2016 is available.

10 million Android phones infected by all-powerful auto-rooting apps (Ars Technica)

Thursday 7th of July 2016 10:09:36 PM
Ars Technica reports on the "HummingBad" malware that has infected millions of Android devices: "Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android." The article is based on a report [PDF] from Check Point, though the article notes that "researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices".

Thursday's security advisories

Thursday 7th of July 2016 01:11:52 PM

Debian has updated horizon (two vulnerabilities, one from 2015).

openSUSE has updated ImageMagick (13.2: many vulnerabilities, lots from 2014 and 2015) and qemu (42.1: many vulnerabilities, lots from 2015).

Scientific Linux has updated ocaml (SL7: information leak from 2015).

Ubuntu has updated tomcat8 (16.04: denial of service). In addition, Ubuntu has announced the end of life for 15.10 on July 28 and the end of life for 14.04.x hardware-enablement (HWE) stacks on August 4.

Debian Edu / Skolelinux Jessie

Wednesday 6th of July 2016 05:41:53 PM
The Debian Edu team has announced Debian Edu 8+edu0 "Jessie", the latest Debian Edu / Skolelinux release. Debian Edu, also known as Skolelinux, provides a complete solution for schools. Debian Edu 8 is based on Debian 8 "Jessie", update 8.5. "Do you have to administrate a computer lab or a whole school network? Would you like to install servers, workstations and laptops which will then work together? Do you want the stability of Debian with network services already preconfigured? Do you wish to have a web-based tool to manage systems and several hundred or even more user accounts? Have you asked yourself if and how older computers could be used? Then Debian Edu is for you. The teachers themselves or their technical support can roll out a complete multi-user multi-machine study environment within a few days. Debian Edu comes with hundreds of applications pre-installed, but you can always add more packages from Debian."

digiKam 5.0.0 is published

Wednesday 6th of July 2016 05:36:16 PM
The digiKam team has announced the release of digiKam Software Collection 5.0.0. "This release marks an almost complete port of the application to Qt5. All Qt4/KDE4 code has been removed and many parts have been re-written, reviewed, and tested. Porting to Qt5 required a lot of work, as many important APIs had to be changed or replaced by new ones. In addition to code porting, we introduced several changes and optimizations, especially regarding dependencies on the KDE project. Although digiKam is still a KDE desktop application, it now uses many Qt dependencies instead of KDE dependencies. This simplifies the porting job on other operating systems and code maintenance, while reducing the sensitivity to API changes from the KDE project."

LWN weekly edition one day late this week

Wednesday 6th of July 2016 04:51:47 PM
Those who are anxiously awaiting this week's edition later today (or tomorrow, depending on time zone) will have to wait another day. The US Independence Day holiday fell on Monday, so LWN staff took that day off for barbecues, fireworks, and other festivities. That means the edition will go out sometime in the early morning hours UTC on Friday, July 8. For those who celebrated the holiday, we hope you had a great one; for those who didn't, we certainly hope you had a great day too! We will be back on our normal schedule next week.

Security advisories for Wednesday

Wednesday 6th of July 2016 04:37:33 PM

Arch Linux has updated libarchive (code execution), libreoffice-fresh (code execution), and xerces-c (denial of service).

Debian-LTS has updated sqlite3 (information leak).

Fedora has updated mingw-xerces-c (F23; F22: three vulnerabilities) and xerces-c (F23; F22: two vulnerabilities).

Mageia has updated gimp (use-after-free), iperf (denial of service), libarchive (multiple vulnerabilities), libgd (multiple vulnerabilities), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), pidgin (multiple vulnerabilities), squidguard (cross-site scripting), and xerces-c (denial of service).

openSUSE has updated cronic (Leap42.1, 13.2: predictable temporary files), libircclient (Leap42.1; 13.2: insecure cipher suites), and xerces-c (13.2: code execution).

SUSE has updated xen (SLE11-SP3: multiple vulnerabilities - some from 2013).

Ubuntu has updated gimp (15.10, 14.04, 12.04: use-after-free), libimobiledevice (16.04, 15.10, 14.04: sockets listening on INADDR_ANY), libusbmuxd (16.04, 15.10: sockets listening on INADDR_ANY), and tomcat6, tomcat7 (multiple vulnerabilities).

[$] Kernel documentation with Sphinx, part 1: how we got here

Wednesday 6th of July 2016 03:13:40 AM

The last time LWN looked at formatted kernel documentation in January, it seemed like the merging of AsciiDoc support for the kernel's structured source-code documentation ("kernel-doc") comments was imminent. As Jonathan Corbet, in the capacity of the kernel documentation maintainer, wrote: "A good-enough solution that exists now should not be held up overly long in the hopes that vague ideas for something else might turn into real, working code." Sometimes, however, the threat that something not quite perfect might be merged is enough to motivate people to turn those vague ideas into something real.

Subscribers can click below to see the full story by guest author (and the developer behind most of the Sphinx work) Jani Nikula.

KDE Plasma 5.7 Release

Tuesday 5th of July 2016 07:18:30 PM
KDE Plasma 5.7 has been released. This release features the return of the agenda view in the calendar, improvements to the Volume Control applet that allow volume control on a per-application basis, improved Wayland support, and more. "This release brings Plasma closer to the new windowing system Wayland. Wayland is the successor of the decades-old X11 windowing system and brings many improvements, especially when it comes to tear-free and flicker-free rendering as well as security. The development of Plasma 5.7 for Wayland focused on quality in the Wayland compositor KWin. Over 5,000 lines of auto tests were added to KWin and another 5,000 lines were added to KWayland which is now released as part of KDE Frameworks 5."

Security updates for Tuesday

Tuesday 5th of July 2016 05:41:42 PM

Debian has updated gimp (use-after-free), kernel (multiple vulnerabilities), libvirt (authentication bypass), tomcat7 (denial of service), and wireshark (multiple vulnerabilities).

Debian-LTS has updated pidgin (multiple vulnerabilities).

Fedora has updated gimp (F24: use-after-free), kernel (F23: multiple vulnerabilities), libreoffice (F23: code execution), mbedtls (F24: three vulnerabilities), mediawiki (F24; F23: multiple vulnerabilities), mingw-xerces-c (F24: three vulnerabilities), ntp (F23; F22: multiple vulnerabilities), php (F24; F23; F22: multiple vulnerabilities), php-pecl-zip (F24; F23; F22: two vulnerabilities), phpMyAdmin (F23; F22: multiple vulnerabilities), pypy (F24; F23: startTLS stripping attack), pypy3 (F24: two vulnerabilities), python3 (F23: two vulnerabilities), qemu (F23; F22: multiple vulnerabilities), setroubleshoot-plugins (F23: command injection), and xerces-c (F24: two vulnerabilities).

openSUSE has updated gimp (Leap42.1, 13.2: use-after-free), GraphicsMagick (13.2: multiple vulnerabilities), kinit (Leap42.1, 13.2: privilege escalation), and spice (Leap42.1; 13.2: two vulnerabilities).

Red Hat has updated nodejs010-node-gyp and nodejs010-nodejs-qs (RHSCL: denial of service) and openstack-ironic (RHOSP7 for RHEL7; RHOSP8: authentication bypass).

Slackware has updated thunderbird (multiple vulnerabilities).

Kernel prepatch 4.7-rc6

Monday 4th of July 2016 09:16:19 PM
The 4.7-rc6 kernel prepatch is out, right on schedule. "I'd love to tell you that things are calming down, and we're shrinking, but that would be a lie. It's not like this is a huge rc, but it's definitely bigger than the previous rc's were. I don't think that's necessarily a big problem, it seems to be mostly timing."

More in Tux Machines

today's leftovers

  • iTWire - Microsoft to reduce global workforce
  • Microsoft Faces Two Lawsuits For Aggressive Windows 10 Upgrade Campaign
    The series of lawsuits against Microsoft doesn’t seem likely to end any time soon.
  • Controlling access to the memory cache
    Access to main memory from the processor is mediated (and accelerated) by the L2 and L3 memory caches; developers working on performance-critical code quickly learn that cache utilization can have a huge effect on how quickly an application (or a kernel) runs. But, as Fenghua Yu noted in his LinuxCon Japan 2016 talk, the caches are a shared resource, so even a cache-optimal application can be slowed by an unrelated task, possibly running on a different CPU. Intel has been working on a mechanism that allows a system administrator to set cache-sharing policies; the talk described the need for this mechanism and how access to it is implemented in the current patch set.
  • Why Blockchain Matters
    If your familiarity with Bitcoin and Blockchain is limited to having heard about the trial of Silk Road’s Ross Ulbricht, you can be forgiven -- but your knowledge is out of date. Today, Bitcoin and especially Blockchain are moving into the mainstream, with governments and financial institutions launching experiments and prototypes to understand how they can take advantage of the unique characteristics of the technology.
  • Our Third Podcast, with Cybik, is Out Now
    Cybik comes back on how he came to know and use Linux in the first place, his gaming habits, how he got involved in the Skullgirls port, and shares with us his outlook on the Linux gaming landscape. The podcast is just an hour long and you can either download it below or use our RSS feed (that has the additional benefit of making it easy for you to get new episodes from now on):
  • GSoC: final race and multi-disc implementation
    It’s been a while since I wrote a post here. A lot has happened since then. Now Gnome-games fully supports PlayStation games, with snapshotting capabilities. The next thing I’m working on is multi-disc support, especially for PlayStation titles. So far, there’s a working prototype although a lot needs to be re-engineered and polished. This last part of the project has involved working in the UI, persistence and logic layers.
  • This Week in GTK+ – 11
    In this last week, the master branch of GTK+ has seen 22 commits, with 6199 lines added and 1763 lines removed.
  • [Solus] Replacement of Release Schedule
    In the not so distant past, Solus followed a static point release model. Our most current release at this time is 1.2, with a 1.2.1 planned to drop in the near future. However, we also recently announced our move to a rolling release model. As such, these two schools of thought are in contradiction of one another.
  • First release of official ArchStrike ISO files! [Ed: last week]
  • July ’16 security fixes for Java 8
    On the heels of Oracle’s July 2016 security updates for Java 8, the icedtea folks have released version 3.1.0 of their build framework so that I could create packages for OpenJDK 8u101_b13 or “Java 8 Update 101 Build 13” (and the JRE too of course).
  • Pipelight update
    I decided to do an update of my “pipelight” package. I had not looked at it for a long time, basically because I do not use it anymore, but after I upgraded my “wine” package someone asked if I could please write up what could be done for wine-pipelight. As you know, pipelight is a Linux plugin wrapper for Mozilla-compatible browsers which lets you install and use Windows plugins on Linux. This configuration enables you to access online services which would otherwise be unavailable to you on a Linux platform. The pipelight plugin wrapper uses wine to load the Windows software.
  • Red Hat, Inc. (NYSE:RHT) Current Analyst Ratings
  • Friday Session Wrap for Red Hat, Inc. (NYSE:RHT)
  • Fedora @ EuroPython 2016 - event report
  • Android 7.0 Nougat could be release as soon as next month
  • Android gains anti-spam caller ID feature
  • Amazon Cloud Revenue Hits $2.9B
  • ServerMania – Discover High Availability Cloud Computing, powered by OpenStack
    Cloud computing is fast growing in the world of computer and Internet technology; many companies, organizations and even individuals are opting for a shared pool of computing resources and services. For starters, cloud computing is a type of Internet-based computing where users consume hosted services on shared server resources. There are fundamentally three types of cloud computing available today: private, public and hybrid cloud computing.

Leftovers: OSS and Sharing

  • Student survey data shows Open Source training uptake amongst women and young people remains extreme
    Future Cert, the UK and Ireland representative for the LPI (Linux Professional Institute), is calling for more awareness of Open Source software training amongst the under 21s and especially women, which the industry is so desperately in need of. New figures from a recent Future Cert student survey reveal that the number of women and young people taking LPI Certification in Open Source computing remains extremely low. Of those questioned taking an LPI exam, 98% were male and just 2% were female. This figure is significantly less than an already low figure of around 15% to 17% of women in IT careers in general. It raises the question: what does the industry need to do to make an Open Source career attractive to women?
  • Quality in open source: testing CRIU
    Checkpoint/Restore In Userspace, or CRIU, is a software tool for Linux that allows freezing a running application (or part of it) and checkpointing it to disk as a collection of files. The files can then be used to restore and run the application from the point where it was frozen. The distinctive feature of the CRIU project is that it is mainly implemented in user space. Back in 2012, when Andrew Morton accepted the first checkpoint/restore (C/R) patches to the Linux kernel, the idea to implement saving and restoring of running processes in user space seemed kind of crazy. Yet, four years later, not only is CRIU working, it has also attracted more and more attention. Before CRIU, there had been other attempts to implement checkpoint/restore in Linux (DMTCP, BLCR, OpenVZ, CKPT, and others), but none were merged into the mainline. Meanwhile CRIU survived, which attests to its viability. Some time ago, I implemented support for the Test Anything Protocol format into the CRIU test runner; creating that patch allowed me to better understand the nature of the CRIU testing process. Now I want to share this knowledge with LWN readers. [...] The CRIU tests are quite easy to use and available for everyone. Moreover, the CRIU team has a continuous-integration system that consists of Patchwork and Jenkins, which run the required test configurations per-patch and per-commit. Patchwork also allows the team to track the status of patch sets to make the maintainer's work easier. The developers from the team always keep an eye on regressions. If a commit breaks a tree, the patches in question will not be accepted.
  • Open-source Wire messenger gets encrypted screen-sharing
    Chat app Wire has been rapidly adding features of late as it looks to gain some traction against the myriad of competitors out there. The latest trick in its arsenal is screen sharing. Now you can click on the new screen-sharing button to, well, share your screen during a call (if you’re on a desktop, that is). It works during group chats too and, as with all Wire communications, is encrypted end-to-end. Wire believes it’s the first messaging app to include end-to-end encryption.
  • SPI board election results are available
    Software in the Public Interest (SPI) has completed its 2016 board elections. There were two open seats on the board in addition to four board members whose terms were expiring. The six newly elected members of the board are Luca Filipozzi, Joerg Jaspert, Jimmy Kaplowitz, Andrew Tridgell, Valerie Young, and Martin Zobel-Helas. The full results, including voter statistics, are also available.
  • SFK 2016 - Call for Speakers
    Software Freedom Kosova is an annual international conference in Kosovo organized to promote free/libre open source software, free culture and open knowledge, now in its 7th edition. It is organized by FLOSSK, a non-governmental, not-for-profit organization dedicated to promoting software freedom and related philosophies.
  • Microsoft's Next Open Source Target Could Be PowerShell: Report
  • Open-source drug discovery project advances drug development
  • The First-Ever Test of Open-Source Drug-Discovery
  • Open-Source Drug Discovery a Success
  • CNS - Open-Source Project Spurs New Drug Discoveries
    Medicines for Malaria Venture, a nonprofit group based in Geneva, Switzerland, distributed 400 diverse compounds with antimalarial activity — called the Malaria Box — to 200 labs in 30 nations in late 2011. The findings from subsequent studies and analyses were published Thursday in the journal PLOS Pathogens. Distributing the Malaria Box to various labs enabled scientists to analyze the compounds and develop findings that have led to more than 30 new drug-development projects for a variety of diseases. As a stipulation to receiving the samples, the various research groups had to deposit the information from their studies in the public domain.
  • Wire and Launchkit go open source, a water flow monitoring system, and more news
  • Apache, astsu, Biscuit, Python, Puppet 4, systemd & more!
  • The Onion Omega2: The Latest Router Dev Board
  • Build a $700 open source bionic prosthesis with new tutorial by Nicolas Huchet of Bionico
    The 3D printing community has already successfully taken over the market for cosmetic prostheses, as fantastic initiatives like E-NABLE have proven. But the world of bionics is a different place and just a handful of makers have gone there with any form of success, such as the very inspiring Open Bionics. But even 3D printed bionic prostheses are definitely within our reach, as French open source fanatic Nicolas Huchet of Bionico has proven. Though by no means a making expert himself, he 3D printed his own open source bionic hand during a three month residency at FabLab Berlin and has now shared all the files – including an extensive tutorial – online. This means you can now 3D print your very own bionic prosthesis at home for just $700.
  • BCN3D Technologies develops open source 3D printed 'Moveo' robotic arm for schools
    Designed from scratch and developed by BCN3D engineers in collaboration with the Generalitat de Catalunya’s Departament d’Ensenyament (Department of Education), the BCN3D Moveo is an Arduino Mega 2560-powered, 3D printed robotic arm which could enable schools and colleges in Spain and elsewhere to teach students the basics of robotics, mechanical design, and industrial programming. When the Departament d’Ensenyament approached BCN3D one year ago regarding the possibility of an educative robotics project, the tech organization jumped at the chance to get on board.
