LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Thanksgiving security updates

5 hours 30 min ago

A whole bunch of security updates for the US Thanksgiving holiday.

Debian has updated openjdk-6 (?:).

Fedora has updated clamav (F19: two vulnerabilities, one from 2013) and tcpdump (F20: three vulnerabilities).

Gentoo has updated squid (three vulnerabilities).

Mageia has updated asterisk (two vulnerabilities), avidemux (multiple vulnerabilities), drupal (two vulnerabilities), flash-player-plugin (code execution), glibc (code execution), icecast (information leak), libksba (denial of service), perl-Mojolicious (code execution), phpmyadmin (multiple vulnerabilities), ruby-httpclient (SSL downgrade protection), and wordpress (multiple vulnerabilities).

Mandriva has updated glibc (BS1.0: code execution), icecast (BS1.0: information leak), and kernel (BS1.0: multiple vulnerabilities).

openSUSE has updated file (13.2, 13.1, 12.3: code execution), flashplayer (11.4: code execution), rubygem-actionpack-3_2 (13.2, 13.1, 12.3: two information leaks), and rubygem-sprockets (13.2; 13.1, 12.3: directory traversal).

Oracle has updated ruby (OL7; OL6: three vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: code execution), ruby (RHEL7; RHEL6: three vulnerabilities), ruby193-ruby (RHSC1: three vulnerabilities), and ruby200-ruby (RHSC1: three vulnerabilities).

Ubuntu has updated clamav (two vulnerabilities).

Mapping the world with open source (Opensource.com)

Wednesday 26th of November 2014 05:45:59 PM
Opensource.com talks with Paul Ramsey, senior strategist at the open source company Boundless. "Boundless is the “Red Hat of geospatial”, which says a bit about our business model, but doesn’t really explain our technology. GIS professionals and IT professionals (and, really, anyone with a custom mapping problem) use our tools to store their data, in a spatial SQL database (PostGIS), publish maps and data over the web (GeoServer), and view or edit data in web browsers (OpenLayers) or on the desktop (QGIS). Basically, our tools let developers build web applications that understand and can attractively visualize location. We help people take spatial data out of the GIS department and use it to improve workflows and make decisions anywhere in the organization. This is part of what we see as a move towards what we call Spatial IT, where spatial data is used to empower decision-making across an enterprise."

Security advisories for Wednesday

Wednesday 26th of November 2014 04:50:52 PM

Debian has updated wireshark (multiple vulnerabilities).

Mageia has updated clamav (two vulnerabilities) and perl-Plack (information disclosure).

Mandriva has updated libvncserver (multiple vulnerabilities) and phpmyadmin (multiple vulnerabilities).

openSUSE has updated rubygem-sprockets-2_1 (directory traversal), rubygem-sprockets-2_2 (directory traversal), and wireshark (multiple vulnerabilities).

Red Hat has updated RHOSE (two vulnerabilities).

Ubuntu has updated squid3 (14.10, 14.04: denial of service).

Tuesday's security updates

Tuesday 25th of November 2014 05:20:38 PM

CentOS has updated libXfont (C5: multiple vulnerabilities).

Fedora has updated kde-runtime (F20: code execution) and moodle (F20: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (multiple vulnerabilities) and graphicsmagick (denial of service).

Mandriva has updated ffmpeg (multiple vulnerabilities), imagemagick (multiple vulnerabilities), and ruby (multiple vulnerabilities).

openSUSE has updated ImageMagick (13.2, 13.1, 12.3: denial of service) and zeromq (13.2: man-in-the-middle attack).

Oracle has updated libXfont (OL5: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and libXfont (RHEL5: multiple vulnerabilities).

Scientific Linux has updated libXfont (SL5: multiple vulnerabilities).

SUSE has updated firefox (SLES10 SP4: multiple vulnerabilities).

Ubuntu has updated EC2 kernel (10.04: two vulnerabilities), kde-runtime (12.04: code execution), kernel (10.04; 12.04; 14.04; 14.10: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

[$] Some 3.18 development statistics

Tuesday 25th of November 2014 03:38:03 PM
As of the 3.18-rc6 release, 11,186 non-merge changesets have been pulled into the mainline repository for the 3.18 development cycle. That makes this release about 1,000 changesets smaller than its immediate predecessors, but still not a slow development cycle by any means. Since this cycle is getting close to its end, it's a good time to look at where the code that came into the mainline during this cycle came from.

Four-year-old comment security bug affects 86 percent of WordPress sites (Ars Technica)

Monday 24th of November 2014 09:44:43 PM
Ars Technica reports on a recently discovered bug in WordPress 3 sites that could be used to launch malicious script-based attacks on site visitors’ browsers. "The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows an attacker to craft a comment on a blog post that includes malicious JavaScript code. On sites that allow comments without authentication—the default setting for WordPress—this could allow anyone to post malicious scripts within comments that could target site visitors or administrators. A proof of concept attack developed by Klikki Oy was able to hijack a WordPress site administrator’s session and create a new WordPress administrative account with a known password, change the current administrative password, and launch malicious PHP code on the server. That means an attacker could essentially lock the existing site administrator out and hijack the WordPress installation for malicious purposes." WordPress 4.0 is not vulnerable to the attack.

Security advisories for Monday

Monday 24th of November 2014 05:48:06 PM

Fedora has updated clamav (F20: denial of service), facter (F20: privilege escalation), libreoffice (F20: code execution), libvirt (F20: multiple vulnerabilities), libxml2 (F19: denial of service), owncloud (F19: security restriction bypass), php-sabredav-Sabre_CalDAV (F19: security restriction bypass), php-sabredav-Sabre_CardDAV (F19: security restriction bypass), php-sabredav-Sabre_DAV (F19: security restriction bypass), php-sabredav-Sabre_DAVACL (F19: security restriction bypass), php-sabredav-Sabre_HTTP (F19: security restriction bypass), php-sabredav-Sabre_VObject (F19: security restriction bypass), polarssl (F20; F19: two vulnerabilities), python (F19: script execution), python-pillow (F20; F19: multiple vulnerabilities), and wget (F20: symlink attack).

Gentoo has updated aircrack-ng (multiple vulnerabilities), ansible (code execution), asterisk (multiple vulnerabilities), and openswan (denial of service).

Mageia has updated imagemagick (multiple vulnerabilities), moodle (multiple vulnerabilities), and polarssl (two vulnerabilities).

Mandriva has updated krb5 (ticket forgery), libvirt (information disclosure), php-smarty (two vulnerabilities), qemu (multiple vulnerabilities), srtp (denial of service), and wireshark (multiple vulnerabilities).

openSUSE has updated openssl (TLS handshake problem).

SUSE has updated firefox (SLES11 SP2: multiple vulnerabilities).

Kernel prepatch 3.18-rc6

Monday 24th of November 2014 02:39:25 PM
The 3.18-rc6 prepatch is out, right on schedule. Linus says: "Steady progress towards final release, although we still have a big unknown worry in a regression that Dave Jones reported and that we haven't solved yet. In the process of chasing that one down, there's been a fair amount of looking at various low-level details, and that found some dubious issues, but no smoking gun yet."

Introducing AcousticBrainz

Friday 21st of November 2014 10:09:54 PM

MusicBrainz, the not-for-profit project that maintains an assortment of "open content" music metadata databases, has announced a new effort named AcousticBrainz. AcousticBrainz is designed to be an open, crowd-sourced database cataloging various "audio features" of music, including "low-level spectral information such as tempo, and additional high level descriptors for genres, moods, keys, scales and much more." The data collected is more comprehensive than MusicBrainz's existing AcoustID database, which deals only with acoustic fingerprinting for song recognition. The new project is a partnership with the Music Technology Group at Universitat Pompeu Fabra, and uses that group's free-software toolkit Essentia to perform its acoustic analyses. A follow-up post digs into the AcousticBrainz analysis of the project's initial 650,000-track data set, including examinations of genre, mood, key, and other factors.

A Friday kernel collection

Friday 21st of November 2014 09:05:48 PM

Greg Kroah-Hartman has released three new stable kernels: 3.10.61, 3.14.25, and 3.17.4, each containing important updates and fixes.

Version 2 of the kdbus patches posted

Friday 21st of November 2014 06:22:09 PM
The second version of the kdbus patches has been posted to the Linux kernel mailing list by Greg Kroah-Hartman. The biggest change since the original patch set (which we looked at in early November) is that kdbus now provides a filesystem-based interface (kdbusfs) rather than the /dev/kdbus device-based interface. There are lots of other changes in response to v1 review comments as well. "kdbus is a kernel-level IPC implementation that aims for resemblance to [the] protocol layer with the existing userspace D-Bus daemon while enabling some features that couldn't be implemented before in userspace."

Friday's security updates

Friday 21st of November 2014 04:07:37 PM

CentOS has updated libxml2 (C5: denial of service).

Debian has updated drupal7 (multiple vulnerabilities).

Fedora has updated kernel (F20: multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities).

Mageia has updated boinc-client (denial of service), ffmpeg (M3; M4: multiple vulnerabilities), hawtjni (M3: code execution), kdebase4-runtime, kwebkitpart (code execution), kdebase4-workspace (M4: privilege escalation), kdenetwork4 (M3: multiple vulnerabilities), kernel (M3; M4: multiple vulnerabilities), kernel-vserver (M3: multiple vulnerabilities), krb5 (ticket forgery), libvirt (information disclosure), php-smarty (M3; M4: code execution), privoxy (denial of service), python-djblets (M4: multiple vulnerabilities), python-imaging, python-pillow (multiple vulnerabilities), qemu (M4: multiple vulnerabilities), ruby (multiple vulnerabilities), srtp (M3: denial of service), and wireshark (multiple vulnerabilities).

Mandriva has updated asterisk (BS1: multiple vulnerabilities).

openSUSE has updated gnutls (multiple vulnerabilities) and libvirt (password leak).

Oracle has updated bash (O5; O6; O7: multiple vulnerabilities), libvirt (O6: multiple vulnerabilities), libXfont (O6; O7: multiple vulnerabilities), libxml2 (O5: denial of service), mariadb (O7: multiple vulnerabilities), and mysql55-mysql (O5: multiple vulnerabilities).

Red Hat has updated java-1.5.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL6: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), and libxml2 (RHEL5: denial of service).

Scientific Linux has updated libxml2 (SL5: denial of service).

Ubuntu has updated apparmor (14.04: privilege escalation) and ruby1.8, ruby1.9.1, ruby2.0, ruby2.1 (12.04, 14.04, 14.10: denial of service).

McKenney: Stupid RCU Tricks: rcutorture Catches an RCU Bug

Thursday 20th of November 2014 09:30:34 PM
On his blog, Paul McKenney investigates a bug in read-copy update (RCU) in preparation for the 3.19 merge window. "Of course, we all have specific patches that we are suspicious of. So my next step was to revert suspect patches and to otherwise attempt to outguess the bug. Unfortunately, I quickly learned that the bug is difficult to reproduce, requiring something like 100 hours of focused rcutorture testing. Bisection based on 100-hour tests would have consumed the remainder of 2014 and a significant fraction of 2015, so something better was required. In fact, something way better was required because there was only a very small number of failures, which meant that the expected test time to reproduce the bug might well have been 200 hours or even 300 hours instead of my best guess of 100 hours."

Security advisories for Thursday

Thursday 20th of November 2014 04:53:15 PM

Mandriva has updated clamav (BS1.0: denial of service from 2013) and php-ZendFramework (BS1.0: authentication bypass).

openSUSE has updated emacs (13.1: multiple vulnerabilities).

Red Hat has updated java-1.6.0-ibm (RHEL5&6: multiple vulnerabilities) and java-1.7.0-ibm (RHEL5: multiple vulnerabilities).

SUSE has updated firefox (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated oxide-qt (14.10, 14.04: multiple vulnerabilities).

[$] LWN.net Weekly Edition for November 20, 2014

Thursday 20th of November 2014 12:55:32 AM
The LWN.net Weekly Edition for November 20, 2014 is available.

Mozilla drops Google in favor of a multiple-search-partner plan

Thursday 20th of November 2014 12:32:19 AM

Mozilla has announced that it is not renewing the longstanding arrangement with Google that made Google the default search engine in Firefox in exchange for a sizable payment. Instead, when the current deal ends, Firefox will adopt different default search engines in different regions, a move described as a "more local and flexible approach to increase choice and innovation on the Web." Yahoo will be the default search engine in the United States, Yandex in Russia, and Baidu in China.

Mozilla CEO Chris Beard frames this change in terms of Mozilla's independence and non-commercial status. "This is why our independence matters. Being non-profit lets us make different choices. Choices that keep the Web open, everywhere and independent." The Yahoo deal, at least, lasts for five years, and one of the conditions was that Yahoo will support Mozilla's Do Not Track header. Google will remain a pre-installed search engine option, and will continue to provide Firefox's Safe Browsing and Geolocation features.

[$] A Firefox OS 2.0 preview on the Flame

Wednesday 19th of November 2014 07:21:55 PM

Mozilla has rolled out a preview of the next major milestone in Firefox OS, its HTML-driven mobile operating system. The upcoming release is branded Firefox OS 2.0 and incorporates a number of significant changes. The preview was released first as an over-the-air update available for the Flame developer phone; since I had recently acquired such a device, I decided to take a look.

Tracing Summit 2014 videos available

Wednesday 19th of November 2014 06:33:46 PM
Videos from the Tracing Summit, which was held in Düsseldorf, Germany last month, are available on YouTube. They are also linked from the schedule.

Security advisories for Wednesday

Wednesday 19th of November 2014 05:46:50 PM

CentOS has updated libvirt (C6: multiple vulnerabilities) and libXfont (C7: multiple vulnerabilities).

Debian has updated php5 (out-of-bounds read flaw) and php5 (regression in previous update).

Fedora has updated drupal7-ckeditor (F20; F19: cross-site scripting), geary (F20: TLS certificate issues), icecream (F20; F19: code execution), and nrpe (F20: code execution).

Mandriva has updated curl (information leak), dbus (multiple vulnerabilities), and gnutls (code execution).

openSUSE has updated dbus-1 (13.2, 13.1; 12.3: denial of service) and polarssl (13.2: two vulnerabilities).

Red Hat has updated kernel (RHEL6.4: denial of service), libvirt (RHEL6: multiple vulnerabilities), and libXfont (RHEL6,7: multiple vulnerabilities).

Scientific Linux has updated libvirt (SL6: multiple vulnerabilities) and libXfont (SL6,7: multiple vulnerabilities).

Today's Debian technical committee resignation: Ian Jackson

Wednesday 19th of November 2014 01:34:19 PM
Ian Jackson has announced his immediate resignation from the Debian technical committee. "While it is important that the views of the 30-40% of the project who agree with me should continue to be represented on the TC, I myself am clearly too controversial a figure at this point to do so. I should step aside to try to reduce the extent to which conversations about the project's governance are personalised. And, speaking personally, I am exhausted." (Thanks to Mattias Mattsson).
