LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 4 hours 34 min ago

Synfig Studio 1.0

5 hours 53 min ago
Synfig Studio 1.0 has been released. This version features a reworked UI, a full-featured bone system to create cutout animation, advanced image distortion, a new Cutout Tool, sound support, and more.

Security advisories for Monday

7 hours 50 min ago

Arch Linux has updated clamav (multiple vulnerabilities) and squid (certificate validation bypass).

Debian has updated jqueryui (cross-site scripting), libphp-snoopy (command execution), libxml-libxml-perl (information disclosure), owncloud (multiple vulnerabilities), ruby1.8 (man-in-the-middle attack), ruby1.9.1 (man-in-the-middle attack), and ruby2.1 (man-in-the-middle attack).

Debian-LTS has updated xorg-server (denial of service).

Fedora has updated clamav (F21: multiple vulnerabilities), curl (F21: multiple vulnerabilities), ikiwiki (F21; F20: cross-site scripting), mingw-libtiff (F21: two vulnerabilities), proftpd (F20: unauthenticated copying of files), qt3 (F21; F20: code execution), and xen (F21; F20: information leak).

Mageia has updated 389-ds-base (access control bypass), cherokee (authentication bypass), chromium-browser-stable (multiple vulnerabilities), curl (multiple vulnerabilities), directfb (two vulnerabilities), fcgi (denial of service), python-pip (two vulnerabilities), ruby (man-in-the-middle attack), and subversion (multiple vulnerabilities).

Mandriva has updated curl (MBS2.0; MBS1.0: multiple vulnerabilities).

Kernel prepatch 4.1-rc2

Monday 4th of May 2015 03:57:38 AM
The second 4.1 prepatch is out for testing. "As usual, it's a mixture of driver fixes, arch updates (with s390 really standing out due to that one prng commit), and some filesystem and networking."

OpenBSD 5.7

Friday 1st of May 2015 05:50:30 PM
OpenBSD 5.7 has been released. This version includes improved hardware support, network stack improvements, installer improvements, security and bug fixes, and more. OpenSSH 6.8, LibreSSL, and other packages have also seen improvements and bug fixes.

Security advisories for Friday

Friday 1st of May 2015 04:02:05 PM

Arch Linux has updated perl-xml-libxml (information disclosure).

Debian has updated chromium-browser (multiple vulnerabilities).

Debian-LTS has updated libjson-ruby (denial of service), libxml-libxml-perl (information disclosure), squid (denial of service), xdg-utils (command execution), and xorg-server (information leak/denial of service).

Mageia has updated kernel (multiple vulnerabilities), kernel-linus (multiple vulnerabilities), libreoffice (code execution), ppp (denial of service), and quassel (SQL injection).

openSUSE has updated wpa_supplicant (13.2, 13.1: code execution).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL5.6: privilege escalation).

Scientific Linux has updated 389-ds-base (SL7: access control bypass).

SUSE has updated kernel (SLES10 SP4: multiple vulnerabilities).

Mozilla: Deprecating Non-Secure HTTP

Friday 1st of May 2015 01:10:03 AM
The Mozilla community has declared its intent to phase out "non-secure" (not encrypted with TLS) web access. "Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon."

Apache SpamAssassin 3.4.1 released

Thursday 30th of April 2015 08:43:40 PM
The Apache SpamAssassin 3.4.1 release is out. "Highlights include: Improved automation to help combat spammers that are abusing new top level domains; Tweaks to the SPF support to block more spoofed emails; Increased character set normalization to make rules easier to develop, block more international spam and stop spammers from using alternate character sets to bypass tests; Continued refinement to the native IPv6 support; and Improved Bayesian classification with better debugging and attachment hashing."

Unboxing Linux/Mumblehard: Muttering spam from your servers (WeLiveSecurity)

Thursday 30th of April 2015 06:40:23 PM
WeLiveSecurity reports that ESET researchers have revealed a family of Linux malware that stayed under the radar for more than 5 years. They are calling it Linux/Mumblehard. "There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average. Monitoring of the botnet suggests that the main purpose of Mumblehard seems to be to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines."

Debian GNU/Hurd 2015 released

Thursday 30th of April 2015 05:22:15 PM
Debian GNU/Hurd 2015 has been released. "This is a snapshot of Debian 'sid' at the time of the stable Debian 'jessie' release (April 2015), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release."

Thursday's security updates

Thursday 30th of April 2015 04:34:10 PM

Debian has updated curl (information leak), elasticsearch (directory traversal), and icecast2 (denial of service).

Debian-LTS has updated curl (two vulnerabilities), openjdk-6 (multiple vulnerabilities), php5 (multiple vulnerabilities), and qt4-x11 (multiple vulnerabilities).

Fedora has updated ax25-tools (F21; F20: denial of service), fcgi (F21; F20: denial of service), FlightGear (F21: unspecified vulnerability), FlightGear-data (F21: unspecified vulnerability), mailman (F21: path traversal attack), mksh (F21; F20: multiple issues), pdns (F21; F20: denial of service), pdns-recursor (F21; F20: denial of service), and qt (F21: multiple vulnerabilities).

Mandriva has updated glibc (MBS2.0, MBS1.0: two vulnerabilities) and sqlite3 (MBS2.0, MBS1.0: three vulnerabilities).

openSUSE has updated DirectFB (13.2, 13.1: two vulnerabilities).

Ubuntu has updated curl (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities), EC2 kernel (10.04: privilege escalation), kernel (14.10; 14.04; 12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: denial of service).

[$] LWN.net Weekly Edition for April 30, 2015

Thursday 30th of April 2015 01:04:14 AM
The LWN.net Weekly Edition for April 30, 2015 is available.

New stable kernels

Wednesday 29th of April 2015 04:51:35 PM
Greg KH has released stable kernels 4.0.1, 3.19.6, 3.14.40, and 3.10.76. All of them contain important fixes.

Security advisories for Wednesday

Wednesday 29th of April 2015 04:28:22 PM

Arch Linux has updated chromium (multiple vulnerabilities) and dovecot (denial of service).

CentOS has updated 389-ds-base (C7: access control bypass).

Debian-LTS has updated jruby (denial of service).

Fedora has updated libreoffice (F21: code execution) and yourls (F21; F20: cross-site scripting).

Mandriva has updated lftp (MBS1.0: man-in-the-middle attack), libksba (MBS1.0, MBS2.0: denial of service), ntop (MBS1.0: cross-site scripting), and t1utils (MBS1.0: multiple vulnerabilities).

openSUSE has updated curl (13.2, 13.1: multiple vulnerabilities) and python-Pillow (13.2: denial of service).

Oracle has updated 389-ds-base (OL7: access control bypass).

GNU Mailman 3.0 released

Tuesday 28th of April 2015 11:52:30 PM

GNU Mailman 3.0 has been released. "Over seven years in development, Mailman 3 represents a major new version, redesigned as a suite of cooperating components which can be used to mix and match however you want. The core engine is now backed by a relational database and exposes its functionality to other components via an administrative REST+JSON API. Our new web user interface, Postorius is Django-based, as is our new archiver HyperKitty. The core requires Python 3.4 while Postorius and HyperKitty require Python 2.7." LWN looked at Mailman 3.0 in March, and at HyperKitty in April 2014.

[$] The programming talent myth

Tuesday 28th of April 2015 11:27:27 PM

Jacob Kaplan-Moss is known for his work on Django but, as he would describe in his PyCon 2015 keynote, many think he had more to do with its creation than he actually did. While his talk ranged quite a bit, the theme covered something that software development organizations—and open source projects—may be grappling with: a myth about developer performance and how it impacts the industry. It was a thought-provoking talk that was frequently punctuated by applause; these are the kinds of issues that the Python community tries to confront head on, so the talk was aimed well.

KDE Ships Plasma 5.3

Tuesday 28th of April 2015 05:18:46 PM
KDE has announced the release of Plasma 5.3. This release features improved power management, better Bluetooth capabilities, improved Plasma widgets, a tech preview of the Plasma Media Center, big steps towards Wayland support, and more.

Tuesday's security updates

Tuesday 28th of April 2015 04:35:36 PM

Fedora has updated curl (F20: multiple vulnerabilities), firefox (F21: code execution), icu (F21; F20: multiple vulnerabilities), java-1.8.0-openjdk (F20: multiple vulnerabilities), ntp (F21: multiple vulnerabilities), ruby (F21: man-in-the-middle attack), and xulrunner (F21: code execution).

Mandriva has updated java-1.7.0-openjdk (MBS1.0: multiple vulnerabilities).

Red Hat has updated qemu-kvm-rhev (RHELOSP: privilege escalation).

Ubuntu has updated network-manager (15.04, 14.10, 14.04: information disclosure) and oxide-qt (15.04, 14.10, 14.04: multiple vulnerabilities).

Garrett: Reducing power consumption on Haswell and Broadwell systems

Monday 27th of April 2015 08:44:15 PM
Matthew Garrett looked into why Linux systems consume too much power on recent Intel chipsets and wrote up his results — a reduction of idle power use on his laptop from 8.5W to 5W. "This trend is likely to continue. As systems become more integrated we're going to have to pay more attention to the interdependencies in order to obtain the best possible power consumption, and that means that distribution vendors are going to have to spend some time figuring out what these dependencies are and what the appropriate default policy is for their users."

Security advisories for Monday

Monday 27th of April 2015 05:18:43 PM

Arch Linux has updated curl (multiple vulnerabilities) and wpa_supplicant (code execution).

Debian has updated chromium-browser (multiple vulnerabilities), kernel (multiple vulnerabilities), libreoffice (code execution), openjdk-6 (multiple vulnerabilities), openjdk-7 (multiple vulnerabilities), and wpa (code execution).

Fedora has updated cherokee (F21; F20: authentication bypass), chrony (F20: multiple vulnerabilities), php (F20: multiple vulnerabilities), qt5-qtbase (F21; F20: multiple vulnerabilities), resteasy (F20: XML eXternal Entity (XXE) attacks), spatialite-tools (F20: multiple vulnerabilities), sqlite (F20: multiple vulnerabilities), wesnoth (F21; F20: information leak), wpa_supplicant (F21: code execution), and zarafa (F21; F20: denial of service).

Mageia has updated php (three vulnerabilities) and wordpress (multiple vulnerabilities).

Mandriva has updated asterisk (MBS1.0: SSL server spoofing), glusterfs (MBS2.0: denial of service), librsync (MBS1.0: file checksum collision), perl-Module-Signature (MBS1.0: multiple vulnerabilities), php (MBS1.0, MBS2.0: multiple vulnerabilities), qemu (MBS1.0, MBS2.0: denial of service), setup (MBS2.0: information disclosure), and tor (MBS1.0: denial of service).

openSUSE has updated java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), and ntp (13.2, 13.1: two vulnerabilities).

Ubuntu has updated autofs (14.10: privilege escalation), libreoffice (14.10, 14.04, 12.04: two vulnerabilities), and tcpdump (14.10, 14.04, 12.04: multiple vulnerabilities).

Kernel prepatch 4.1-rc1

Monday 27th of April 2015 01:36:21 AM
The 4.1-rc1 prepatch is out. Linus says: "No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of 'big new feature' may differ from mine, of course. There's a lot of work all over, and some of it might just make a big difference to your use cases." What he doesn't mention is that, in the end, kdbus was not merged for this development cycle.
