LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security advisories for Monday

7 hours 27 min ago

Arch Linux has updated wireshark-cli (multiple vulnerabilities).

Debian has updated mupdf (two denial of service flaws).

Debian-LTS has updated eog (out-of-bounds write), quagga (two vulnerabilities), ruby-actionpack-3.2 (multiple vulnerabilities), and ruby-activesupport-3.2 (denial of service).

Fedora has updated lcms2 (F24: heap memory leak), uClibc (F24: code execution), and webkitgtk4 (F24: multiple vulnerabilities).

openSUSE has updated Firefox (13.1: buffer overflow), firefox, nss (Leap42.1, 13.2: buffer overflow), phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities), and typo3-cms-4_5 (Leap42.1, 13.2: three vulnerabilities).

Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities) and kernel 4.1.12 (OL7; OL6: multiple vulnerabilities).

Böck: Multiple vulnerabilities in RPM – and a rant

11 hours 19 min ago
Hanno Böck performed some fuzz testing on the dpkg and RPM package managers and reported the results; it seems that one of the projects has been rather more responsive than the other in fixing these issues. "The development process of RPM seems to be totally chaotic, it's neither clear where one reports bugs nor where one gets the latest code and security bugs don't get fixed within a reasonable time. There's been some recent events that make me feel especially worried about this..." It seems that some of the maintenance issues with RPM may not have improved greatly since they were reported here ten years ago.

Kernel prepatch 4.8-rc4

14 hours 16 min ago
The 4.8-rc4 kernel prepatch is out. "Everything looks normal, and it's been a bit quieter than rc3 too, so hopefully we're well into the 'it's calming down' phase. Although with the usual timing-related fluctuation (different maintainers stagger their pulls differently), it's hard to tell a trend yet."

[$] Trying out openSUSE Tumbleweed

Saturday 27th of August 2016 05:22:13 AM
While distribution-hopping is common among newcomers to Linux, longtime users tend to settle into a distribution they like and stay put thereafter. In the end, Linux distributions are more alike than different, and one's time is better spent getting real work done rather than looking for a shinier version of the operating system. Your editor, however, somehow never got that memo; that's what comes from ignoring Twitter, perhaps. So there is a new distribution on the main desktop machine; this time around it's openSUSE Tumbleweed.

Nextcloud 10 released

Friday 26th of August 2016 07:20:32 PM
Nextcloud 10 has been released with new features for system administrators to control and direct the flow of data between users on a Nextcloud server. "Rule based file tagging and responding to these tags as well as other triggers like physical location, user group, file properties and request type enables administrators to specifically deny access to, convert, delete or retain data following business or legal requirements. Monitoring, security, performance and usability improvements complement this release, enabling larger and more efficient Nextcloud installations."

The long-awaited Maru OS source release

Friday 26th of August 2016 05:52:46 PM
The Maru OS handset distribution that includes an Ubuntu desktop (reviewed here in April) is finally available in source form. "If you're interested in contributing in general, please check out the project's GitHub (https://github.com/maruos/maruos), get up and running with the developer guide (https://github.com/maruos/maruos/wiki/Developer-Guide), and join the developer group (https://groups.google.com/forum/#!forum/maru-os-dev)."

Security advisories for Friday

Friday 26th of August 2016 04:51:25 PM

Arch Linux has updated mediawiki (multiple vulnerabilities).

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities).

Debian has updated flex (code execution), imagemagick (multiple vulnerabilities), quagga (two vulnerabilities), and rails (cross-site scripting).

Fedora has updated gnupg (F24: flawed random number generation), openvpn (F24: information disclosure), and rubygem-actionview (F24; F23: cross-site scripting).

Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities).

OpenSSL 1.1.0 released

Friday 26th of August 2016 12:24:05 PM
Version 1.1.0 of the OpenSSL TLS library is available. A list of changes can be found on this page; they include a new threading API, a number of new algorithms and the removal of a number of older ones, pipelining (parallel processing) support, extended master secret support, and more.

Rintel: NetworkManager 1.4: with better privacy and easier to use

Thursday 25th of August 2016 08:30:39 PM
Lubomir Rintel takes a look at new features in NetworkManager 1.4. "It is now possible to randomize the MAC address of Ethernet devices to mitigate possibility of tracking. The users can choose between different policies; use a completely random address, or just use different addresses in different networks. For Wi-Fi devices, the same randomization modes are now supported and no longer require support from wpa-supplicant." Also covered are a newly added API for configuration snapshots that automatically roll back after a timeout, configurable IPv6 tokenized interface identifiers, new features in nmcli, and more. (Thanks to Paul Wise)

Thursday's security updates

Thursday 25th of August 2016 04:23:48 PM

Fedora has updated eog (F23: out-of-bounds write).

openSUSE has updated ImageMagick (Leap42.1: three vulnerabilities).

Red Hat has updated qemu-kvm-rhev (RHOSP9: two vulnerabilities) and Red Hat OpenShift Enterprise 2.2.10 (RHOSE: multiple vulnerabilities).

Ubuntu has updated eog (out-of-bounds write), harfbuzz (16.04, 14.04: two vulnerabilities), and libidn (multiple vulnerabilities).

[$] LWN.net Weekly Edition for August 25, 2016

Thursday 25th of August 2016 02:24:03 AM
The LWN.net Weekly Edition for August 25, 2016 is available.

[$] 25 Years of Linux — so far

Wednesday 24th of August 2016 04:26:21 PM
On August 25, 1991, an obscure student in Finland named Linus Benedict Torvalds posted a message to the comp.os.minix Usenet newsgroup saying that he was working on a free operating system as a project to learn about the x86 architecture. He cannot possibly have known that he was launching a project that would change the computing industry in fundamental ways. Twenty-five years later, it is fair to say that none of us foresaw where Linux would go — a lesson that should be taken to heart when trying to imagine where it might go from here.

In Memory of Jonathan “avenj” Portnoy

Wednesday 24th of August 2016 03:52:23 PM
The Gentoo community is mourning the loss of Jonathan Portnoy. "Jon was an active member of the International Gentoo community, almost since its founding in 1999. He was still active until his last day. His passing has struck us deeply and with disbelief. We all remember him as a vivid and enjoyable person, easy to reach out to and energetic in all his endeavors."

Wednesday's security updates

Wednesday 24th of August 2016 02:56:31 PM

CentOS has updated kernel (C6: TCP injection).

Debian-LTS has updated libgcrypt11 (flawed random number generation).

Fedora has updated eog (F24: out-of-bounds write), kernel (F23: use-after-free), mariadb (F23: multiple vulnerabilities), mingw-lcms2 (F24: heap memory leak), postgresql (F23: multiple vulnerabilities), and python (F23: proxy injection).

openSUSE has updated libidn (Leap 42.1: multiple vulnerabilities) and kernel (13.2: multiple vulnerabilities).

Oracle has updated kernel (O6: TCP injection).

Red Hat has updated kernel (RHEL 7.1: multiple vulnerabilities; RHEL6: TCP injection) and qemu-kvm-rhev (RHOSP8: multiple vulnerabilities).

Scientific Linux has updated kernel (SL6: TCP injection).

Slackware has updated gnupg (flawed random number generation), kernel (14.2: TCP injection), and libgcrypt (flawed random number generation).

KDevelop 5.0 released

Wednesday 24th of August 2016 12:31:38 AM

Version 5.0.0 of the KDevelop integrated development environment (IDE) has been released, marking the end of a two-year development cycle. The highlight is a move to Clang for C and C++ support: "The most prominent change certainly is the move away from our own, custom C++ analysis engine. Instead, C and C++ code analysis is now performed by clang." The announcement goes on to describe other benefits of using Clang, such as more accurate diagnostics and suggested fixes for many syntax errors. KDevelop has also been ported to KDE Frameworks 5 and Qt 5, which opens up the possibility of Windows releases down the line.

Tuesday's security updates

Tuesday 23rd of August 2016 02:35:45 PM

Arch Linux has updated libgcrypt (information disclosure).

Fedora has updated kernel (F24: use-after-free vulnerability), pagure (F24: cross-site scripting), and postgresql (F24: multiple vulnerabilities).

Red Hat has updated qemu-kvm-rhev (RHEL7 OSP5; RHEL7 OSP7; RHEL6 OSP5; RHEL7 OSP6: multiple vulnerabilities).

SUSE has updated MozillaFirefox (SLE12: multiple vulnerabilities).

Android 7.0 "Nougat" released

Monday 22nd of August 2016 07:06:12 PM
Google has announced that the Android 7.0 release has started rolling out to recent-model Nexus devices. "It introduces a brand new JIT/AOT compiler to improve software performance, make app installs faster, and take up less storage. It also adds platform support for Vulkan, a low-overhead, cross-platform API for high-performance, 3D graphics. Multi-Window support lets users run two apps at the same time, and Direct Reply so users can reply directly to notifications without having to open the app. As always, Android is built with powerful layers of security and encryption to keep your private data private, so Nougat brings new features like File-based encryption, seamless updates, and Direct Boot." See this page for a video-heavy description of new features.

Stable kernels 4.7.2, 4.4.19, and 3.14.77

Monday 22nd of August 2016 01:27:03 PM
Greg Kroah-Hartman has announced the release of the 4.7.2, 4.4.19, and 3.14.77 stable kernels. As usual, they contain fixes throughout the tree and users of those series should upgrade.

Monday's security advisories

Monday 22nd of August 2016 01:22:28 PM

Arch Linux has updated linux-lts (connection hijacking).

CentOS has updated kernel (C7: connection hijacking).

Debian-LTS has updated cracklib2 (code execution) and suckless-tools (screen lock bypass).

Fedora has updated firewalld (F24: authentication bypass), glibc (F24: denial of service on armhfp), knot (F24; F23: denial of service), libgcrypt (F24: bad random number generation), and perl (F23: privilege escalation).

openSUSE has updated apache2-mod_fcgid (42.1, 13.2: proxy injection), gd (13.2: multiple vulnerabilities), iperf (SPHfSLE12; 42.1, 13.2: denial of service), pdns (42.1, 13.2: denial of service), python3 (42.1, 13.2: multiple vulnerabilities), roundcubemail (42.1; 13.2; 13.1: multiple vulnerabilities, two from 2015), and typo3-cms-4_7 (42.1, 13.2: three vulnerabilities from 2013 and 2014).

Scientific Linux has updated kernel (SL7: connection hijacking) and python (SL6&7: three vulnerabilities).

Kernel prepatch 4.8-rc3

Monday 22nd of August 2016 11:36:15 AM
The 4.8-rc3 kernel prepatch is out. "It all looks pretty sane, I'm not seeing anything hugely scary here."

More in Tux Machines

Avidemux 2.6.13 Open-Source Video Editor Gets AAC/ADTS Import and Export

The developers of the Avidemux open-source and cross-platform video editor software have announced a new maintenance update in the 2.6 series, bringing multiple improvements, bug fixes, and a handful of new features.

5 Best Linux Distros for Security

Security is nothing new to Linux distributions. Linux distros have always emphasized security and related matters like firewalls, penetration testing, anonymity, and privacy. So it is hardly surprising that security-conscious distributions are commonplace. For instance, DistroWatch lists sixteen distros that specialize in firewalls, and four for privacy. Most of these specialty security distributions, however, share the same drawback: they are tools for experts, not average users. Only recently have security distributions tried to make security features generally accessible for desktop users.

Linux Foundation and Linux

  • How IoTivity and AllJoyn Could Combine
    At the Embedded Linux Conference in April, Open Connectivity Foundation (OCF) Executive Director Mike Richmond concluded his keynote on the potential for interoperability between the OCF’s IoTivity IoT framework and the AllSeen Alliance’s AllJoyn spec by inviting to the stage Greg Burns, the chief architect of AllJoyn. Burns briefly shared his opinion that not only was there no major technical obstacle to combining these two major open source IoT specs, but that by taking the best of both standards, a hybrid could emerge that improves upon both. Later in the day, Burns gave a technical overview of how such a hybrid could be crafted in “Evolving a Best-of-Breed IoT Framework.” (See video below.) Burns stated in both talks that his opinions in no way reflect the official position of OCF or the AllSeen Alliance. At the time of the ELC talk in April, Burns had recently left his job as VP of Engineering at Qualcomm and Chair of the Technical Steering Committee at the AllSeen Alliance to take on the position of Chief IoT Software Technologist in the Open Source Technology Center at Intel Corp.
  • Linus Torvalds' love-hate relationship with the GPL
    Linux's founder appreciates what the GNU General Public License has given Linux, but he doesn't appreciate how some open-source lawyers are trying to enforce it in court.
  • Linus Torvalds reflects on 25 years of Linux
    LinuxCon North America concluded in Toronto, Canada on August 25th, the day Linux was celebrating its 25th anniversary. Linus Torvalds, the creator of Linux, and Dirk Hohndel, VP and chief of open source at VMware, sat down for a conversation at the event and reflected upon the past 25 years. Here are some of the highlights of that conversation.
  • 6 things you should know from Linux's first 25 years
    Red Hat was founded in 1993, two years after Linux was announced and the company has been one of the top contributors to Linux. There is a symbiotic relationship between the company and the project. Whitehurst pointed out that it’s hard to talk about the history of Red Hat without talking about Linux and vice versa.
  • There Is Talk Of Resuming OpenChrome VIA KMS/DRM Driver Development
    Two or so years back it was looking hopeful that the mainline Linux kernel would finally have a proper VIA DRM/KMS driver for the unfortunate ones who still have VIA x86 hardware and use the integrated graphics. However, that work was ultimately abandoned, but there is now talk of it being resumed.

Security News

  • New FairWare Ransomware targeting Linux Computers [Ed: probably just a side effect of keeping servers unpatched]
    A new attack called FairWare Ransomware is targeting Linux users: the attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins to get the files back. In this attack, the attackers most likely do not encrypt the files; if they do retain the files, they probably just upload them to a server under their control.
  • How do we explain email to an "expert"?
    This has been a pretty wild week, more wild than usual I think we can all agree. The topic I found the most interesting wasn't about one of the countless 0day flaws, it was a story from Slate titled "In Praise of the Private Email Server". The TL;DR says running your own email server is a great idea. Almost everyone came out proclaiming it a terrible idea. I agree it's a terrible idea, but this also got me thinking. How do you explain this to someone who doesn't really understand what's going on? There are three primary groups of people: 1) people who know they know nothing; 2) people who think they're experts; 3) people who are actually experts.
  • Why the term "zero day" needs to be in your brand's cybersecurity vocabulary
    Linux is "open source" which means anyone can look at the code and point out flaws. In that sense, I'd say Linus Torvalds doesn't have to be as omniscient as Tim Cook. Linux source code isn't hidden behind closed doors. My understanding is, all the Linux code is out there for anyone to see, naked for anyone to scrutinize, which is why certain countries feel safer using it; there's no hidden agenda or secret "back door" lurking in the shadows. Does that mean Android phones are safer? That's up for debate.