Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 5 hours 26 min ago

What's new in OpenStack in 2016: A look at the Newton release (Opensource.com)

Friday 2nd of December 2016 09:13:37 PM
Over at Opensource.com, Rich Bowen gives an overview of the changes in the OpenStack Newton release that was made in October. In it, he looks at each of sub-projects and highlights some of the changes for them that were in the release, which is also useful as a kind high-level guide to some of the various sub-projects and their roles. "With a product as large as OpenStack, summarizing what's new in a particular release is challenging. (See the full release notes for more details.) Each deployment of OpenStack might use a different combination of services and projects, and so will care about different updates. Added to that, the release notes for the various projects tend to be extremely technical in nature, and often don't do a great job of calling out the changes that will actually be noticed by either operators or users."

BitUnmap: Attacking Android Ashmem (Project Zero blog)

Friday 2nd of December 2016 08:24:23 PM
Google's Project Zero blog has a detailed look at exploiting a vulnerability in Android's ashmem shared-memory facility. "The mismatch between the mmap-ed and munmap-ed length provides us with a great exploitation primitive! Specifically, we could supply a short length for the mmap operation and a longer length for the munmap operation - thus resulting in deletion of an arbitrarily large range of virtual memory following our bitmap object. Moreover, there’s no need for the deleted range to contain one continuous memory mapping, since the range supplied in munmap simply ignores unmapped pages. Once we delete a range of memory, we can then attempt to “re-capture” that memory region with controlled data, by causing another allocation in the remote process. By doing so, we can forcibly “free” a data structure and replace its contents with our own chosen data -- effectively forcing a use-after-free condition."

Stable kernels 4.8.12 and 4.4.36

Friday 2nd of December 2016 04:06:59 PM
The 4.8.12 and 4.4.36 stable kernels have been released. As always, users of those kernel series should upgrade.

Security updates for Friday

Friday 2nd of December 2016 04:02:53 PM

Arch Linux has updated firefox (two vulnerabilities) and thunderbird (code execution).

CentOS has updated thunderbird (C6; C5: code execution).

Debian-LTS has updated firefox-esr (multiple vulnerabilities), imagemagick (multiple vulnerabilities, many from 2014 and 2015), monit (cross-site request forgery), tomcat6 (multiple vulnerabilities), and tomcat7 (multiple vulnerabilities).

Fedora has updated calamares (F25; F24: encryption bypass), jenkins (F25: code execution), jenkins-remoting (F25: code execution), moin (F25; F24; F23: cross-site scripting flaws), mujs (F23: multiple vulnerabilities), and zathura-pdf-mupdf (F23: multiple vulnerabilities).

Gentoo has updated davfs2 (privilege escalation from 2013) and gnupg (flawed random number generation).

openSUSE has updated libtcnative-1-0 (42.2, 42.1: SSL improvements) and pacemaker (42.2: two vulnerabilities).

Oracle has updated firefox (OL7; OL6; OL5: code execution).

Red Hat has updated firefox (code execution).

SUSE has updated kernel (SLE11: multiple vulnerabilities, some from 2013 and 2015) and ImageMagick (SLE11: multiple vulnerabilities, some from 2014 and 2015).

Ubuntu has updated ghostscript (multiple vulnerabilities, one from 2013) and oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).

Google's OSS-Fuzz project

Thursday 1st of December 2016 05:52:35 PM
The Google security blog announces the OSS-Fuzz project, which performs continuous fuzz testing of free-software project repositories. "OSS-Fuzz has already found 150 bugs in several widely used open source projects (and churns ~4 trillion test cases a week). With your help, we can make fuzzing a standard part of open source development, and work with the broader community of developers and security testers to ensure that bugs in critical open source applications, libraries, and APIs are discovered and fixed."

Ardour 5.5 released

Thursday 1st of December 2016 05:34:23 PM
Version 5.5 of the Ardour audio editor has been released. "Among the notable new features are support for VST 2.4 plugins on OS X, the ability to have MIDI input follow MIDI track selection, support for Steinberg CC121, Avid Artist & Artist Mix Control surfaces, 'fanning out' of instrument outputs to new tracks/busses and the often requested ability to do horizontal zoom via vertical dragging on the rulers."

Thursday's security advisories

Thursday 1st of December 2016 04:24:21 PM

Debian has updated firefox-esr (code execution).

Debian-LTS has updated gst-plugins-good0.10 (three code execution flaws).

Gentoo has updated imagemagick (multiple vulnerabilities) and php (multiple vulnerabilities, one from 2015).

openSUSE has updated bash (42.1: multiple vulnerabilities, two from 2014) and libcares2 (13.2: code execution).

Slackware has updated firefox (code execution) and thunderbird (code execution).

Ubuntu has updated c-ares (code execution), firefox (two vulnerabilities), imagemagick (multiple vulnerabilities), kernel (16.10; 16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-ti-omap4 (12.04: code execution), and thunderbird (multiple vulnerabilities).

Trouble at Cyanogen

Thursday 1st of December 2016 03:50:59 PM
Cyanogen Inc. has put out a terse press release announcing the departure of founder (and CyanogenMod creator) Steve Kondik. See this rather less terse Android Police article for Kondik's view of the matter. The future of the CyanogenMod distribution seems unclear at this point; if it goes forward, it may have to do so with a different name.

[$] LWN.net Weekly Edition for December 1, 2016

Thursday 1st of December 2016 12:02:10 AM
The LWN.net Weekly Edition for December 1, 2016 is available.

Security advisories for Wednesday

Wednesday 30th of November 2016 05:08:16 PM

Arch Linux has updated neovim (code execution).

Debian has updated hdf5 (multiple vulnerabilities).

Fedora has updated drupal7 (F25; F24; F23: multiple vulnerabilities), p7zip (F25: denial of service), teeworlds (F25; F24; F23: code execution), and vagrant (F25; F24; F23: nfs export insertion).

Mageia has updated jenkins-remoting (code execution) and teeworlds (code execution).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

SUSE has updated vim (SLE12-SP2; SLE11-SP4: code execution).

[$] The Emacs dumper dispute

Wednesday 30th of November 2016 04:17:13 PM
As covered here in January, changes to the GNU C Library's memory-allocation routines have broken the "unexec" method used to build the Emacs editor. Fixing this problem has proved to be more challenging than originally thought; that issue has now come to a head in a disagreement that could cost the Emacs community one of its maintainers.

Git 2.11 released

Tuesday 29th of November 2016 10:11:07 PM
The Git project has announced the release of Git 2.11.0. This version prints longer abbreviated SHA-1 names and has better tools for dealing with ambiguous short SHA-1s, it's faster at accessing delta chains, and has other performance enhancements, and much more. The release notes contain more details.

Tuesday's security updates

Tuesday 29th of November 2016 04:37:39 PM

CentOS has updated expat (C6: code execution) and memcached (C6: code execution).

openSUSE has updated ffmpeg (Leap42.2: heap corruption) and virtualbox (Leap42.2: multiple unspecified vulnerabilities).

Oracle has updated expat (OL7; OL6: code execution).

Red Hat has updated expat (RHEL6,7: code execution) and thunderbird (RHEL5,6,7: multiple vulnerabilities).

SUSE has updated mariadb (SLE12-SP1,2; SLES12: multiple vulnerabilities) and qemu (SLES12: multiple vulnerabilities).

Ubuntu has updated python-cryptography (16.10, 16.04: bad key generation) and vim (code execution).

Time is running out for NTP (InfoWorld)

Monday 28th of November 2016 10:44:39 PM
InfoWorld looks at the underfunded NTP project. "NTP is more than 30 years old—it may be the oldest codebase running on the internet. Despite some hiccups, it continues to work well. But the project’s future is uncertain because the number of volunteer contributors has shrunk, and there’s too much work for one person—principal maintainer Harlan Stenn—to handle. When there is limited support, the project has to pick and choose what tasks it can afford to complete, which slows down maintenance and stifles innovation."

Security advisories for Monday

Monday 28th of November 2016 05:43:11 PM

Arch Linux has updated lib32-libtiff (multiple vulnerabilities), libtiff (multiple vulnerabilities), and ntp (multiple vulnerabilities).

Debian has updated icu (multiple vulnerabilities) and imagemagick (three vulnerabilities).

Debian-LTS has updated irssi (information disclosure), libsoap-lite-perl (XML expansion), and mcabber (roster push attack).

Fedora has updated bind (F23: denial of service) and python-tornado (F25: XSRF protection bypass).

Mageia has updated bzip2 (denial of service), chromium-browser-stable (multiple vulnerabilities), clamav (three vulnerabilities), giflib (denial of service), icu (two vulnerabilities), kernel-4.4.32 (code execution), libtiff (two vulnerabilities), lighttpd (man-in-the-middle attacks), and perl-Email-Address (denial of service).

openSUSE has updated wireshark (Leap42.2: multiple vulnerabilities).

SUSE has updated kernel (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated gst-plugins-good0.10, gst-plugins-good1.0 (incomplete fix in previous update).

Welte: Ten years anniversary of Openmoko

Monday 28th of November 2016 03:01:22 PM
Harald Welte looks back at the Openmoko phone with a ten-year perspective (and an almost unreadable low-contrast web page). "So yes, the smartphone world is much more restricted, locked-down and proprietary than it was back in the Openmoko days. If we had been more successful then, that world might be quite different today. It was a lost opportunity to make the world embrace more freedom in terms of software and hardware."

Kernel prepatch 4.9-rc7

Sunday 27th of November 2016 11:47:56 PM
The 4.9-rc7 kernel prepatch is out. Linus says that things are shaping up and it is possible, but perhaps not likely, that the final 4.9 release will happen on December 4. "I basically reserve the right to make up my mind next weekend."

Stable kernels 4.8.11 and 4.4.35

Sunday 27th of November 2016 04:14:01 PM
Greg Kroah-Hartman has announced the release of the 4.8.11 and 4.4.35 stable kernels. As usual, they contain fixes throughout the kernel tree and users of those kernel series should upgrade.

Friday's security updates

Friday 25th of November 2016 04:40:03 PM

Arch Linux has updated tomcat6 (two vulnerabilities), wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities).

Debian has updated gst-plugins-good0.10 (three vulnerabilities) and gst-plugins-good1.0 (three vulnerabilities).

Debian-LTS has updated libgc (code execution) and xen (multiple vulnerabilities).

Fedora has updated bind99 (F23: two vulnerabilities), ghostscript (F23: two vulnerabilities), icu (F25; F24: code execution), kernel (F23: multiple vulnerabilities), moodle (F24; F23: three vulnerabilities), mujs (F25; F24: multiple vulnerabilities), perl-DBD-MySQL (F24: out of bounds read), sudo (F23: privilege escalation), and zathura-pdf-mupdf (F25; F24: multiple vulnerabilities).

openSUSE has updated java-1_7_0-openjdk (13.2: multiple vulnerabilities).

SUSE has updated kvm (SLE11: multiple vulnerabilities).

Ubuntu has updated lxc (16.10, 16.04, 14.04: directory traversal) and moin (three vulnerabilities).

The UK is about to wield unprecedented surveillance powers (The Verge)

Wednesday 23rd of November 2016 08:20:04 PM
The Verge looks at legislation in the UK that would allow police and intelligence agencies to legally spy on its own people. "The legislation in question is called the Investigatory Powers Bill. It’s been cleared by politicians and awaits only the formality of royal assent before it becomes law. The bill will legalize the UK’s global surveillance program, which scoops up communications data from around the world, but it will also introduce new domestic powers, including a government database that stores the web history of every citizen in the country. UK spies will be empowered to hack individuals, internet infrastructure, and even whole towns — if the government deems it necessary."

More in Tux Machines

today's leftovers

  • How fast is KVM? Host vs virtual machine performance!
  • Kernel maintenance, Brillo style
    Brillo, he said, is a software stack for the Internet of things based on the Android system. These deployments bring a number of challenges, starting with the need to support a different sort of hardware than Android normally runs on; target devices may have no display or input devices, but might well have "fun buses" to drive interesting peripherals. The mix of vendors interested in this area is different; handset vendors are present, but many more traditional embedded vendors can also be found there. Brillo is still in an early state of development.
  • Reviewing Project Management Service `Wrike` And Seems Interesting
    I have been testing some services for our project and found this amazing service, thought why not share it with you guys, it might be useful for you. Project management is a term that in some respects appears common, yet in practice still seems to be limited to large companies. While this may be true, the foundations of project management are actually rather simple and can be adopted by anyone, in any industry. One of the major requirements you need to consider when selecting a good project management software is the ability to run and operate it on the go via your mobile devices. Other factors include the ability to access the software from any platform whether it be Linux, Mac, or Windows. This can be achieved when the project management software is web-based. Wrike is a software that does of all this.
  • World Wine News Issue 403
  • OSVR on Steam, Unity drops legacy OpenGL, and more gaming news
  • GNOME Core Apps Hackfest 2016
    This November from Friday 25 to Sunday 27 was held in Berlin the GNOME Core Apps Hackfest. My focus during this hackfest was to start implementing a widget for the series view of the Videos application, following a mockup by Allan Day.
  • Worth Watching: What Will Happen to Red Hat Inc Next? The Stock Just Declined A Lot
  • Vetr Inc. Lowers Red Hat Inc. (RHT) to Buy
  • Redshift functionality on Fedora 25 (GNOME + Wayland). Yes, it's possible!
    For those who can't live without screen colour shifting technology such as Redshift or f.lux, myself being one of them, using Wayland did pose the challenge of having these existing tools not working with the Xorg replacement. Thankfully, all is not lost and it is possible even right now. Thanks to a copr repo, it's particularly easy on Fedora 25. One of the changes that comes with Wayland is there is currently no way for third-party apps to modify screen gamma curves. Therefore, no redshift apps, such as Redshift itself (which I recently covered here) will work while running under Wayland.
  • My Free Software Activities in November 2016
  • Google's ambitious smartwatch vision is failing to materialise
    In February this year, Google's smartwatch boss painted me a rosy picture of the future of wearable technology. The wrist is, David Singleton said, "the ideal place for the power of Google to help people with their lives."
  • Giving Thanks (along with a Shipping Update)
    Mycroft will soon be available as a pre-built Raspberry Pi 3 image for any hobbyist to use. The new backend we have been quietly building is emerging from beta, making the configuration and management of you devices simple. We are forming partnerships to get Mycroft onto laptops, desktops and other devices in the world. Mycroft will soon be speaking to you throughout your day.
  • App: Ixigo Indian Rail Train PNR Status for Tizen Smart Phones
    Going on a train journey in India? Ixigo will check the PNR status, the train arrival and departure & how many of the particular tickets are left that you can purchase. You can also do a PNR status check to make sure that your seat is booked and confirmed.

Networking and Servers

  • How We Knew It Was Time to Leave the Cloud
    In my last infrastructure update, I documented our challenges with storage as GitLab scales. We built a CephFS cluster to tackle both the capacity and performance issues of NFS and decided to replace PostgreSQL standard Vacuum with the pg_repack extension. Now, we're feeling the pain of running a high performance distributed filesystem on the cloud.
  • Hype Driven Development
  • SysAdmins Arena in a nutshell
    Sysadmins can use the product to improve their skills or prepare for an interview by practicing some day to day job scenarios. There is an invitation list opened for the first testers of the product.

Desktop GNU/Linux

  • PINEBOOK Latest News: Affordable Linux Laptop at Only $89 Made by Raspberry Pi Rival, PINE
    PINE, the rival company of Raspberry Pi and maker of the $20 Pine A64, has just announced its two below $100-priced Linux laptops, known as PINEBOOK. The affordable Linux laptop is powered by Quad-Core ARM Cortex A53 64-bit processor and comes with an 11.6" or 14" monitor.
  • Some thoughts about options for light Unix laptops
    I have an odd confession: sometimes I feel (irrationally) embarrassed that despite being a computer person, I don't have a laptop. Everyone else seems to have one, yet here I am, clearly behind the times, clinging to a desktop-only setup. At times like this I naturally wind up considering the issue of what laptop I might get if I was going to get one, and after my recent exposure to a Chromebook I've been thinking about this once again. I'll never be someone who uses a laptop by itself as my only computer, so I'm not interested in a giant laptop with a giant display; giant displays are one of the things that the desktop is for. Based on my experiences so far I think that a roughly 13" laptop is at the sweet spot of a display that's big enough without things being too big, and I would like something that's nicely portable.
  • What is HiDPI and Why Does it Matter?

Google and Mozilla

  • Google Rolls Out Continuous Fuzzing Service For Open Source Software
    Google has launched a new project for continuously testing open source software for security vulnerabilities. The company's new OSS-Fuzz service is available in beta starting this week, but at least initially it will only be available for open source projects that have a very large user base or are critical to global IT infrastructure.
  • Mozilla is doing well financially (2015)
    Mozilla announced a major change in November 2014 in regards to the company's main revenue stream. The organization had a contract with Google in 2014 and before that had Google pay Mozilla money for being the default search engine in the Firefox web browser. This deal was Mozilla's main source of revenue, about 329 million US Dollars in 2014. The change saw Mozilla broker deals with search providers instead for certain regions of the world.