LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Krita 3.0 released

2 hours 34 min ago
Version 3.0 of the Krita painting application has been released. "Wrapping up a year of work, this is a really big release: animation support integrated into Krita’s core, Instant Preview for better performance painting and drawing with big brushes on big canvases, ported to the latest version of the Qt platform and too many bigger and smaller new features and improvements to mention!".

Kernel prepatch 4.7-rc1

Monday 30th of May 2016 04:49:11 PM
Linus has released 4.7-rc1 and closed the merge window for this release, saying "this time around we have a fairly big change to the vfs layer that allows filesystems (if they buy into it) to do readdir() and path component lookup in parallel within the same directory. That's probably the biggest conceptual vfs change we've had since we started doing cached pathname lookups using RCU." The code name has been changed to "Psychotic Stoned Sheep."

Oracle attorney says Google’s court victory might kill the GPL (ars technica)

Saturday 28th of May 2016 02:09:17 PM
Ars technica is carrying an editorial from Oracle's attorney in its fight with Google; it would seem that this ruling is the end of the world. "It is hard to see how GPL can survive such a result. In fact, it is hard to see how ownership of a copy of any software protected by copyright can survive this result. Software businesses now must accelerate their move to the cloud where everything can be controlled as a service rather than software. Consumers can expect to find decreasing options to own anything for themselves, decreasing options to control their data, decreasing options to protect their privacy."

OSI: Announcing the Open Source License API

Friday 27th of May 2016 09:52:25 PM

At its blog, the Open Source Initiative (OSI) announces the deployment of "a machine readable publication of OSI approved licenses" accessible via api.opensource.org. The service is designed to "store a central list of crosswalks and common identifiers to other services, allowing third parties who are already license-aware to provide their mappings, and pull OSI approval status programmatically." Programs can query a license by its Software Package Data Exchange (SPDX) ID and determine whether or not it is OSI-approved. API wrappers are available for Python, Ruby, and Go.

Friday's security updates

Friday 27th of May 2016 03:36:26 PM

Arch Linux has updated libxml2 (multiple vulnerabilities).

Debian has updated libgd2 (multiple vulnerabilities).

Fedora has updated jenkins (F23; F22: multiple vulnerabilities).

openSUSE has updated docker (13.2: privilege escalation), libreoffice (13.2: multiple vulnerabilities), ntp (13.2: multiple vulnerabilities), and systemd (Leap 42.1: multiple vulnerabilities).

Ubuntu has updated eglibc, glibc (12.04, 14.04, 15.10: multiple vulnerabilities; regression).

Analog malicious hardware

Thursday 26th of May 2016 08:54:59 PM
Worth a read: this paper [PDF] from Kaiyuan Yang et al. on how an analog back door can be placed into a hardware platform like a CPU. "In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting [sic] a chip’s functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor."
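A toy discrete model of the trigger mechanism in the quoted paragraph, added here as an illustration and not taken from the paper or from any real design: each transition on the trigger wire deposits some charge, a little charge drains away every clock cycle, and the victim flip-flop is forced only once the accumulated charge reaches a threshold. The constants, the sample workloads and the function names are arbitrary choices for this example.

```python
"""Toy discrete model of a charge-accumulating analog trigger.

Added illustration of the mechanism quoted above, not the paper's circuit.
All constants are arbitrary integer units chosen for the example.
"""

CHARGE_PER_TOGGLE = 10   # charge siphoned from one transition of the trigger wire
LEAK_PER_CYCLE = 2       # charge that drains away every clock cycle
THRESHOLD = 100          # "fully charged": the victim flip-flop is forced


def trigger_cycle(trace):
    """Return the first cycle at which the trojan fires, or None.

    `trace` is an iterable of booleans: True where the trigger wire
    transitions in that cycle, False where it stays quiet.
    """
    charge = 0
    for cycle, toggled in enumerate(trace):
        charge = max(0, charge - LEAK_PER_CYCLE)          # leakage every cycle
        if toggled:
            charge = min(THRESHOLD, charge + CHARGE_PER_TOGGLE)
        if charge >= THRESHOLD:
            return cycle
    return None


def run_processor(trace, privilege_bit=0):
    """Model the victim flip-flop: it keeps its value unless the trojan fires."""
    return 1 if trigger_cycle(trace) is not None else privilege_bit


def sparse_workload(cycles, period=10):
    """Constructed 'normal' traffic: the wire toggles once every `period` cycles."""
    return [c % period == 0 for c in range(cycles)]


def attacker_sequence(n_toggles):
    """Constructed trigger: the attacker toggles the wire on consecutive cycles."""
    return [True] * n_toggles


def toggles_needed():
    """Smallest consecutive burst that fires, found by direct search."""
    n = 1
    while trigger_cycle(attacker_sequence(n)) is None:
        n += 1
    return n


if __name__ == "__main__":
    print("burst length needed to fire:", toggles_needed())
    print("privilege bit after 10k cycles of sparse traffic:",
          run_processor(sparse_workload(10_000)))
    print("privilege bit after attacker burst:",
          run_processor(attacker_sequence(toggles_needed())))
```

With these constants the leakage cancels any toggle pattern sparser than one transition every few cycles, so the sparse workload never fires while a burst of thirteen consecutive toggles does. Whether a real chip's normal activity looks like the sparse trace depends entirely on which wire the attacker attaches to, which is what makes the trigger hard to hit by random testing.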

Google beats Oracle—Android makes “fair use” of Java APIs (ars technica)

Thursday 26th of May 2016 08:46:13 PM
Ars technica reports that Google has prevailed against Oracle in its court battle over the use of the Java APIs in Android. "There was only one question on the special verdict form, asking if Google's use of the Java APIs was a 'fair use' under copyright law. The jury unanimously answered 'yes,' in Google's favor. The verdict ends the trial, which began earlier this month."

Security updates for Thursday

Thursday 26th of May 2016 04:09:43 PM

Debian-LTS has updated bozohttpd (two vulnerabilities, one from 2014), ruby-mail (SMTP injection), and xymon (multiple vulnerabilities). Also, the Debian-LTS team has announced that some packages will not be supported (libv8, mediawiki, sogo, and vlc) for Debian 7 ("wheezy"), so users of those should upgrade to Debian 8 ("jessie").

Red Hat has updated rh-mariadb100-mariadb (RHSC: many vulnerabilities).

Ubuntu has updated eglibc, glibc (15.10, 14.04, 12.04: multiple vulnerabilities, some from 2013 and 2014) and samba (16.04, 15.10, 14.04: regression in previous security fix).

[$] LWN.net Weekly Edition for May 26, 2016

Thursday 26th of May 2016 02:05:11 AM
The LWN.net Weekly Edition for May 26, 2016 is available.

Security advisories for Wednesday

Wednesday 25th of May 2016 04:00:24 PM

Arch Linux has updated libndp (man-in-the-middle attacks).

Fedora has updated kernel (F22: multiple vulnerabilities).

Red Hat has updated jq (RHOSP8: code execution).

Slackware has updated libarchive (code execution).

Ubuntu has updated php5, php7.0 (multiple vulnerabilities).

[$] Should distributors disable IPv4-mapped IPv6?

Wednesday 25th of May 2016 03:02:51 PM
By all accounts, the Internet's transition to IPv6 has been a slow affair. In recent years, though, perhaps inspired by the exhaustion of the IPv4 address space, IPv6 usage has been on the rise. There is a corresponding interest in ensuring that applications work with both IPv4 and IPv6. But, as a recent discussion on the OpenBSD mailing list has highlighted, a mechanism designed to ease the transition to an IPv6 network may also make the net less secure — and Linux distributions may be configured insecurely by default.
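To make the concrete risk visible, here is an added example (not code from LWN, OpenBSD or any distribution) of the most common way IPv4-mapped addresses bite an application. It assumes a service that listens on an AF_INET6 socket with IPV6_V6ONLY left at the Linux default of off, so IPv4 clients are reported as ::ffff:a.b.c.d, and a denylist that the operator wrote in IPv4 terms. The denylist entries and peer addresses are constructed sample data.

```python
"""Dual-stack listeners and IPv4-mapped IPv6 addresses.

Constructed example for the discussion above; not code from LWN or OpenBSD.
Assumes a denylist written with IPv4 literals and a server that accepts
connections on an AF_INET6 socket with IPV6_V6ONLY off (the Linux default),
so IPv4 peers arrive as ::ffff:a.b.c.d.
"""
import ipaddress
import socket

# Constructed sample denylist: one banned host and one banned network,
# written as they would be in an IPv4-only deployment.
DENYLIST = [
    ipaddress.ip_network("203.0.113.7/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def naive_is_denied(peer):
    """Apply the denylist to the address exactly as getpeername() reports it.

    An IPv4 client on the dual-stack socket shows up as the IPv6 literal
    ::ffff:203.0.113.7, which is not contained in any IPv4 network, so the
    ban silently fails to apply.
    """
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in DENYLIST)


def canonical_peer(peer):
    """Fold an IPv4-mapped IPv6 address back to the IPv4 address it carries."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_denied(peer):
    """Same policy, applied after canonicalising the peer address."""
    addr = canonical_peer(peer)
    return any(addr in net for net in DENYLIST)


def v6only_listener(port=0):
    """Create an IPv6 listener that will not accept IPv4 connections at all.

    IPV6_V6ONLY set per socket overrides the net.ipv6.bindv6only sysctl.
    IPv4 service then needs its own AF_INET socket, where IPv4 ACLs and
    firewall rules apply as written.
    """
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    s.bind(("::", port))
    s.listen(1)
    return s


if __name__ == "__main__":
    for peer in ("203.0.113.7", "::ffff:203.0.113.7",
                 "::ffff:198.51.100.9", "2001:db8::1"):
        print(f"{peer:>22}  naive={naive_is_denied(peer)!s:<5}  fixed={is_denied(peer)}")
    with v6only_listener() as s:
        print("IPV6_V6ONLY on listener:",
              s.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY))
```

Either fix is defensible on its own: canonicalising addresses before every policy decision keeps a single dual-stack socket usable, while IPV6_V6ONLY (or a distribution default of net.ipv6.bindv6only=1) makes the two address families arrive on separate sockets so that no code path can confuse them. The second is the option the mailing-list discussion is about, and it also means packet filters written for IPv4 see IPv4 traffic where they expect it.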

Mathewson: Mid-2016 Tor bug retrospective, with lessons for future coding

Wednesday 25th of May 2016 02:10:02 AM
On the Tor blog, Nick Mathewson reports on an informal survey he did for "severe" bugs in Tor over the last few years. It breaks down the 70 bugs he found into different categories that are correlated with some recommendations for ways to try to avoid them in the future. For example: "Recommendation 5.1: all backward compatibility code should have a timeout date. On several occasions we added backward compatibility code to keep an old version of Tor working, but left it enabled for longer than we needed to. This code has tended not to get the same regular attention it deserves, and has also tended to hold surprising deviations from the specification. We should audit the code that's there today and see what we can remove, and we should never add new code of this kind without adding a ticket and a comment planning to remove it." Many of the recommendations are likely applicable to other projects.

GitLab 8.8 released with Pipelines and .gitignore templates

Tuesday 24th of May 2016 06:46:48 PM
GitLab 8.8 has been released with pipeline visualization, .gitignore templates, the GitLab Container Registry, and more. "In this release, we are supercharging GitLab CI. First with Pipelines and now with GitLab Container Registry. GitLab Container Registry is a secure and private registry for Docker images. It isn't just a standalone registry; it's completely integrated with GitLab. In fact, our container registry is actually the first Docker registry that is fully-integrated with git repository management and comes out of the box with GitLab 8.8. So if you've upgraded, you already have it! Our integrated Container Registry requires no additional installation. It allows for easy upload and download of images from GitLab CI. And it's free."

Tuesday's security updates

Tuesday 24th of May 2016 03:46:45 PM

Debian has updated atheme-services (denial of service).

Fedora has updated gsi-openssh (F23: privilege escalation), imlib2 (F23; F22: multiple vulnerabilities), and websvn (F23; F22: cross-site scripting).

Mageia has updated glibc (multiple vulnerabilities), golang (denial of service), pcre (two vulnerabilities), and xerces-j2 (denial of service).

Red Hat has updated jq (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7: code execution) and kernel (RHEL6.6: two remote denial of service vulnerabilities).

SUSE has updated IBM Java 1.6.0 (SLES10-SP4: multiple vulnerabilities).

Repurposing Old Smartphones for Home Automation (Linux.com)

Monday 23rd of May 2016 08:27:07 PM
Linux.com has an interview with Dietrich Ayala about using old smartphones for home automation. "Ayala spent a lot of time studying the readouts from sensors, as well as from the phone’s microphone, camera, and radios, that would enable a remote user to draw conclusions about what was happening at home. This contextual information could then be codified into more useful notifications. With ambient light, for example, if it suddenly goes dark in the daytime, maybe someone is standing over a device, explained Ayala. Feedback from the accelerometer can be analyzed to determine the difference between footsteps, an earthquake, or someone picking up the device. Scripts can use radio APIs to determine if a person moving around is carrying a phone with a potentially revealing Bluetooth signature."

Security advisories for Monday

Monday 23rd of May 2016 05:02:40 PM

Debian has updated wireshark (multiple vulnerabilities).

Debian-LTS has updated extplorer (cross-site request forgery), graphicsmagick (multiple vulnerabilities), and imagemagick (multiple vulnerabilities).

Fedora has updated cacti (F23; F22: SQL injection), dosfstools (F23: two vulnerabilities), libksba (F22: denial of service), libndp (F23; F22: man-in-the-middle attacks), mingw-openssl (F23: multiple vulnerabilities), moodle (F23: multiple vulnerabilities), openvpn (F22: multiple vulnerabilities), pgpdump (F23; F22: denial of service), php-symfony (F23; F22: buffer overflow), qemu (F22: multiple vulnerabilities), rpm (F22: two vulnerabilities), thunderbird (F23: multiple vulnerabilities), and wordpress (F23; F22: two cross-site scripting vulnerabilities).

Mageia has updated apache-mod_nss (invalid handling of +CIPHER operator), bugzilla (cross-site scripting), jansson (denial of service), libgd (denial of service), libreoffice (code execution), networkmanager (information leak), openvpn (multiple vulnerabilities), p7zip (code execution), php-ZendFramework2 (insecure ciphertexts), and wpa_supplicant (two vulnerabilities).

openSUSE has updated kernel (Leap42.1: multiple vulnerabilities).

Oracle has updated docker-engine (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities), and kernel 2.6.32 (OL6; OL5: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6.4: two remote denial of service vulnerabilities).

Scientific Linux has updated libndp (SL7: man-in-the-middle attacks).

Slackware has updated curl (server spoofing).

SUSE has updated firefox (SLE11-SP4,SP3: multiple vulnerabilities), java-1_6_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11SP3,SP2: multiple vulnerabilities), and java-1_7_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11SP3,SP2: multiple vulnerabilities).

Roundcube Webmail 1.2.0 released

Monday 23rd of May 2016 12:20:43 PM
Version 1.2.0 of the Roundcube web-based email system has been released. The headline feature this time around would appear to be support for encrypted mail with PGP; the encryption can be handled either centrally in the server, or in the browser via the "Mailvelope" browser plugin. A complete list of changes can be found in the changelog.

A report on the CoreOS remote SSH vulnerability

Friday 20th of May 2016 05:46:33 PM
For those who are curious about how the CoreOS remote SSH vulnerability came to be, the company has posted a detailed report. "This misconfiguration was abetted by confirmation bias. The expected outcome of the change to the CoreOS PAM configuration was for users who presented a password present in an authentication database to be successfully authenticated. Because of the pam_permit failure case explained above, this was the observed behavior in testing, so the change was assumed to be correct. No attempt was made to determine whether the observed behavior could be explained in some other way, such as the system allowing any presented password."
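The report's point that a success-only test cannot distinguish a correct stack from one that accepts any password is easy to see with a small evaluator of PAM auth control flags. The following is an added illustration, not CoreOS's configuration and not Linux-PAM code: the two stacks are hypothetical shapes (one in which pam_permit is reachable for every caller, one with a deny backstop), the credential database is constructed, and the semantics are the simplified textbook ones for required, requisite, sufficient and optional.

```python
"""Toy evaluator for PAM 'auth' stacks with the four classic control flags.

Added illustration; not the actual CoreOS configuration and not Linux-PAM
code. The credential database and both stacks below are constructed.
"""

USERS = {"core": "correct horse"}   # constructed sample password database


def pam_unix(user, password):
    """Stand-in for pam_unix.so: succeeds only on the stored password."""
    return USERS.get(user) == password


def pam_permit(user, password):
    """pam_permit.so succeeds whatever was presented."""
    return True


def pam_deny(user, password):
    """pam_deny.so always fails; the usual backstop at the end of a stack."""
    return False


MODULES = {
    "pam_unix.so": pam_unix,
    "pam_permit.so": pam_permit,
    "pam_deny.so": pam_deny,
}


def run_auth_stack(stack, user, password):
    """Walk the stack top to bottom with simplified Linux-PAM semantics.

    required:   failure is remembered, but the walk continues
    requisite:  failure ends the walk immediately with failure
    sufficient: success ends the walk with success unless a required
                module already failed; failure is ignored
    optional:   counts only when nothing else decides
    """
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = MODULES[module](user, password)
        if control == "requisite":
            if not ok:
                return False
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control == "optional":
            any_success = any_success or ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return any_success and not required_failed


# Hypothetical misconfiguration: pam_permit was meant for a second group of
# users but is reachable by everyone, so a wrong password falls through
# pam_unix and is accepted by pam_permit.
BROKEN_STACK = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_permit.so"),
]

# Corrected shape: a failing pam_unix falls through to a deny backstop.
FIXED_STACK = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]


def passes_negative_test(stack):
    """The check the report says was missing: wrong credentials must fail.

    Verifying only that the right password works cannot tell the two
    stacks apart, which is the confirmation bias the report describes.
    """
    return (run_auth_stack(stack, "core", "correct horse")
            and not run_auth_stack(stack, "core", "wrong")
            and not run_auth_stack(stack, "nobody", ""))


if __name__ == "__main__":
    for name, stack in (("broken", BROKEN_STACK), ("fixed", FIXED_STACK)):
        print(f"{name}: right password -> {run_auth_stack(stack, 'core', 'correct horse')}, "
              f"wrong password -> {run_auth_stack(stack, 'core', 'wrong')}, "
              f"negative test passes -> {passes_negative_test(stack)}")
```

Running both stacks against only the valid credential prints True for each, which is the observation the CoreOS team recorded; only the wrong-password and unknown-user cases separate them. A test plan for any authentication change should include at least those two negative cases.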

Security updates for Friday

Friday 20th of May 2016 02:22:00 PM

Arch Linux has updated bugzilla (cross-site scripting).

Debian has updated librsvg (three vulnerabilities).

Debian-LTS has updated expat (code execution) and libgd2 (denial of service).

Mageia has updated dhcpcd (code execution from 2014), expat (code execution), gdk-pixbuf2.0 (code execution), icu (code execution), imagemagick/ruby-rmagic (multiple vulnerabilities), libxml2 (two denial of service flaws), perl (denial of service), and xerces-c (code execution).

openSUSE has updated libksba (13.2: two vulnerabilities) and php5 (42.1: multiple vulnerabilities).

Red Hat has updated Red Hat OpenShift Enterprise 3.1 (unauthorized access) and Red Hat OpenShift Enterprise 3.2 (three vulnerabilities).

SUSE has updated openssl (SLE10: multiple vulnerabilities).

Linux containers vs. VMs: A security comparison (InfoWorld)

Friday 20th of May 2016 12:18:03 AM
Over at InfoWorld, Jim Reno compares the security of virtual machines (VMs) and containers. "Which is more secure?" is a question that is often asked, but the answer, of course, is "it depends". Reno analyzes the attack surface of each to help in the choosing between VMs and containers. "Many legacy VM applications treat VMs like bare metal. In other words, they have not adapted their architectures specifically for VMs or for security models not based on perimeter security. They might install many services on the same VM, run the services with root privileges, and have few or no security controls between services. Rearchitecting these applications (or more likely replacing them with newer ones) might use VMs to provide security separation between functional units, rather than simply as a means of managing larger numbers of machines. Containers are well suited for microservices architectures that “string together” large numbers of (typically) small services using standardized APIs. Such services often have a very short lifetime, where a containerized service is started on demand, responds to a request, and is destroyed, or where services are rapidly ramped up and down based on demand. That usage pattern is dependent on the fast instantiation that containers support. From a security perspective it has both benefits and drawbacks."

More in Tux Machines

Linux Emerging as Alternative to MS Windows

According to industry sources, the Linux-based operating systems from Tmax OS and InfraWare are gaining attention as alternatives to Microsoft Windows. The latest versions have been significantly improved in installation and everyday use, offering a user interface similar to that of Windows and bundling software for documents, multimedia and other common tasks. In addition, constraints on Linux in the financial and public sectors are being removed one after another as Internet services adopt web standards. Under these circumstances, the software industry expects the use of open-source operating systems to spread to the general consumer market as well as the enterprise market.

NethServer 6.8 Linux Server Fights Spam with DNS-Based Blackhole List (DNSBL)

NethServer Community Manager Alessio Fattorini informs Softpedia today about the general availability of the first Beta release of the NethServer 6.8 server-oriented GNU/Linux operating system. Based on the recently released CentOS 6.8 operating system, which in turn builds on the freely distributed sources of the commercial Red Hat Enterprise Linux 6.8 distro, NethServer 6.8 is now in development as the newest long-term support release.

Comparing live version upgrade methods

When I review a distribution I always begin by performing a fresh installation of the operating system. This gives the latest version of the project a chance to stand on its own without complications. However, many of us do not perform fresh installations on our operating systems each time we want to upgrade to the latest release. Some of us, in order to preserve settings or installed packages, prefer to upgrade our existing operating system without starting over from scratch. This week I decided to take five open source operating systems through an upgrade process from their penultimate release to their latest version.

Porteus Kiosk 4.0 Modular Linux Web Kiosk Released, Drops Chrome 32-bit Support

Porteus Solutions' Tomasz Jokiel announced on May 30, 2016, the release of the final Porteus Kiosk 4.0.0 Web Kiosk operating system based on the latest GNU/Linux technologies and open-source software. Porteus Kiosk 4.0.0 comes three months after the release of the last maintenance build in the Porteus Kiosk 3.x series, introducing numerous new features and improvements. But first, let's take a quick look under the hood, as the OS is now powered by Linux kernel 4.4.11 LTS (Long Term Support), and it's based on the Mozilla Firefox 45.1.1 ESR and Google Chrome 50.0.2661.102 web browsers.