
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 3 hours 21 min ago

KVM Matures, and the Use Cases Multiply (Linux.com)

10 hours 38 min ago
Over at Linux.com, Adam Jollans has a report from the recently completed KVM Forum that was held in Düsseldorf, Germany October 14-16. He looks at a talk that he gave on KVM's relationship to OpenStack and the open cloud, a new white paper on KVM [PDF], and a panel on network function virtualization (NFV): "In the past, communications networks have been built with specific routers, switches and hubs with the configuration of all the components being manual and complex. The idea now is to take that network function, put it into software running on standard hardware. The discussion touched on the demands – in terms of latency, throughput, and packet jitter – that network function virtualization places on KVM when it is being run on general purpose hardware and used to support high data volume. There was a lively discussion about how to get fast communication between the virtual machines as well as issues such as performance and sharing memory, as attendees drilled down into how KVM could be applied in new ways."

Stable kernels 3.17.2, 3.16.7, 3.14.23, and 3.10.59

13 hours 15 min ago
Greg Kroah-Hartman has announced the release of four new stable kernels: 3.17.2, 3.16.7, 3.14.23, and 3.10.59. As always, they contain important fixes and users of those series should update. Note that 3.16.7 is the last stable kernel in the 3.16 series; users should upgrade to 3.17 soon.

Security advisories for Thursday

15 hours 8 min ago

Debian has updated dokuwiki (multiple vulnerabilities).

Red Hat has updated v8314-v8 (i.e. V8) (SC1: multiple vulnerabilities, several from 2013).

Slackware has updated wget (code execution).

Ubuntu has updated php5 (multiple vulnerabilities) and systemd-shim (14.10: denial of service).

[$] LWN.net Weekly Edition for October 30, 2014

Thursday 30th of October 2014 12:53:55 AM
The LWN.net Weekly Edition for October 30, 2014 is available.

A "highly critical public service announcement" from Drupal

Wednesday 29th of October 2014 08:03:30 PM
The Drupal project has put out an advisory that if you haven't already patched the recent SQL injection vulnerability, it's probably too late. "Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."

Security advisories for Wednesday

Wednesday 29th of October 2014 04:27:48 PM

CentOS has updated kernel (C7: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities).

Fedora has updated file (F20: out-of-bounds read flaw), seamonkey (F20: multiple vulnerabilities), webkitgtk3 (F20: disable SSLv3 to address POODLE), and wpa_supplicant (F20: command execution).

Mageia has updated kde4 (MG4: multiple vulnerabilities), konversation (information disclosure), mythtv (SSDP reflection attacks), php-ZendFramework (multiple vulnerabilities), quassel (information disclosure), and zabbix (local file inclusion).

Mandriva has updated wget (symlink attack) and wpa_supplicant (command execution).

openSUSE has updated openssl (13.1, 12.3: multiple vulnerabilities) and libxml2 (13.1, 12.3: denial of service).

Oracle has updated kernel (OL7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: multiple vulnerabilities).

[$] A Debian init system GR flurry

Wednesday 29th of October 2014 02:28:27 PM
One might have hoped that the Debian systemd debate would have wound down several months ago, after the technical committee decided the default init system question and especially after Matthew Vernon's general resolution on init system choice was withdrawn due to a lack of seconds. The Debian community, it seemed, was tired of this discussion and ready to move on. Given a few months to rest, though, even old, tiresome subjects can once again seem worthy of discussion. So now we have a return of the init system choice resolution — along with three alternatives of varying scope.

Release for CentOS-6.6 i386 and x86_64

Tuesday 28th of October 2014 07:38:19 PM
CentOS 6.6 has been released. "There are many fundamental changes in this release, compared with the past CentOS-6 releases, and we highly recommend everyone study the upstream Release Notes as well as the upstream Technical Notes about the changes and how they might impact your installation. (See the 'Further Reading' section of the [CentOS release notes])."

Tuesday's security updates

Tuesday 28th of October 2014 06:00:38 PM

Debian has updated torque (denial of service).

Fedora has updated devscripts (F20: directory traversal), drupal7 (F20; F19: SQL injection), kernel (F20: multiple vulnerabilities), kernel (F20: more KVM vulnerabilities), php (F19: three vulnerabilities), php-ZendFramework2 (F20: multiple vulnerabilities), phpMyAdmin (F20: cross-site scripting), python (F19: buffer overflow), python-oauth2 (F20; F19: two vulnerabilities), rubygem-httpclient (F20; F19: allows ssl negotiation), and sddm (F20: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (multiple vulnerabilities), nginx (virtual host confusion attacks), php (three vulnerabilities), qemu (MG4: multiple vulnerabilities), wget (symlink attack), and wpa_supplicant, hostapd (command execution).

Mandriva has updated mariadb (multiple vulnerabilities).

openSUSE has updated flash-player (multiple vulnerabilities) and perl-Email-Address (denial of service).

Ubuntu has updated pidgin (14.10, 14.04, 12.04: multiple vulnerabilities).

First Jessie based Debian Edu alpha released

Tuesday 28th of October 2014 02:27:03 PM
The first alpha release of Debian Edu (also known as Skolelinux) is available for testing. "Would you like to give your school's computer a longer life? Are you tired of sneaker administration, running from computer to computer reinstalling the operating system? Would you like to administrate all the computers in your school using only a couple of hours every week? Check out Debian Edu Jessie!"

The Canonical Distribution of Ubuntu OpenStack

Tuesday 28th of October 2014 02:23:45 PM
Canonical has announced a new OpenStack-oriented distribution. "Based on Canonical’s industry-leading OpenStack reference architecture and building on Ubuntu’s leading position as the most widely used OpenStack platform, the Canonical Distribution gives users the widest range of commercially-supported vendor options for storage, software-defined networking and hypervisor from Canonical and its OpenStack partners. It then automates the creation and management of a reference OpenStack based on those choices."

Note that some conditions apply: "The Canonical Distribution of Ubuntu OpenStack is now available as a public beta, free for up to 10 physical and 10 virtual machines." See this page for more information.

Season of KDE 2014

Monday 27th of October 2014 07:57:44 PM
The Season of KDE is a community outreach program, much like Google Summer of Code. "It is meant for people who could not get into Google Summer of Code for various reasons, or people who simply prefer a differently structured, somewhat less constrained program. Season of KDE is managed by the same team of admins and mentors that takes care of Google Summer of Code and Google Code-in matters for KDE, with the same level of quality and care." The student application deadline is October 31. The mentor application deadline is November 5.

SUSE Linux Enterprise 12 Now Available

Monday 27th of October 2014 05:50:47 PM
SUSE has announced the release of SUSE Linux Enterprise 12. "New products based on SUSE Linux Enterprise 12 feature enhancements that more readily enable system uptime, improve operational efficiency and accelerate innovation. The foundation for all SUSE data center operating systems and extensions, SUSE Linux Enterprise meets the performance requirements of data centers with mixed IT environments, while reducing the risk of technological obsolescence and vendor lock-in." SUSE Linux Enterprise Server is available for x86_64, IBM Power Systems, and IBM System z.

Security advisories for Monday

Monday 27th of October 2014 03:33:48 PM

Debian has updated libtasn1-3 (multiple vulnerabilities) and libxml2 (denial of service).

Fedora has updated sysklogd (F20; F19: denial of service).

Mageia has updated drupal (SQL injection), firefox, thunderbird (multiple vulnerabilities), java-1.7.0-openjdk (multiple vulnerabilities), mariadb (multiple vulnerabilities), and pidgin (multiple vulnerabilities).

Ubuntu has updated libxml2 (14.04, 12.04, 10.04: denial of service).

Qubes OS release 2 available

Monday 27th of October 2014 01:09:09 PM
Release 2 of the Qubes OS secure desktop system is available. The biggest change, perhaps, is support for "fully virtualized AppVMs"; these allow running any operating system in a fully virtualized mode under Qubes. Other additions include secure audio input to AppVMs (allowing Skype to be run in a sandbox, evidently), policy control over the clipboard, an improved secure backup infrastructure, improved hardware support, and more.

Kernel prepatch 3.18-rc2

Monday 27th of October 2014 10:11:04 AM
The second 3.18 prepatch is available for testing. "I had hoped that the rc1 release would mean that a few stragglers would quickly surface, and then the rest of the rc would be more normal. But no, I had straggling merge-window pull requests come in all week, and rc2 is bigger than I'd like." Perhaps the most significant of those requests was for the overlayfs union filesystem, which has finally been merged after years of trying.

Taiga, a new open source project management tool with focus on usability (Opensource.com)

Friday 24th of October 2014 07:50:18 PM
Opensource.com takes a look at the Taiga project management tool. "It started with the team at Kaleidos, a Madrid-based company that builds software for both large corporations and startups. Though much of their time is spent working for clients, several times a year they break off for their own Personal Innovation Weeks (ΠWEEK). These are weeklong hack-a-thons dedicated to personal improvement and prototyping internal ideas of all sorts. While there, they unanimously decided to solve the biggest of their own problems: project management. Taiga was born, and by early 2014, the team at Kaleidos was already using Taiga for all their internal projects. Taiga Agile, LLC was formed in February 2014 to give the project a formal structure, and the source code was made available at GitHub."

Friday's security advisories

Friday 24th of October 2014 04:51:43 PM

Debian has updated pidgin (multiple vulnerabilities).

Mageia has updated ctags (denial of service), ejabberd (incorrectly allows unencrypted connections), iceape (multiple vulnerabilities), libxml2 (denial of service), lua (code execution), openssl (multiple vulnerabilities), and phpmyadmin (cross-site scripting).

Mandriva has updated ctags (denial of service), ejabberd (incorrectly allows unencrypted connections), java-1.7.0-openjdk (multiple vulnerabilities), libxml2 (denial of service), lua (code execution), openssl (multiple vulnerabilities), and phpmyadmin (cross-site scripting).

Red Hat has updated kernel (RHEL6.5: denial of service).

Ubuntu has updated openjdk-7 (14.10: multiple vulnerabilities).

openSUSE Factory and Tumbleweed to merge

Friday 24th of October 2014 01:13:35 PM
The openSUSE project has announced that the "Factory" and "Tumbleweed" distributions will merge into a single rolling distribution (called "Tumbleweed"). There is also an FAQ posting about the merger. "With the vast improvements to the Factory development process over the last 2 years, we effectively found ourselves as a project with not one, but two rolling release distributions in addition to our main regular release distribution. GregKH signalled his intention to stop maintaining Tumbleweed as a 'rolling-released based on the current release'. It seemed a natural decision then to bring both the Factory rolling release and Tumbleweed rolling release together, so we can consolidate our efforts and make openSUSE's single rolling release as stable and effective as possible."

Garrett: Linux Container Security

Thursday 23rd of October 2014 08:59:20 PM
Matthew Garrett considers the security of Linux containers on his blog. While the attack surface of containers is likely to always be larger than that of hypervisors, that difference may not matter in practice, but it's going to take some work to get there: "I suspect containers can be made sufficiently secure that the attack surface size doesn't matter. But who's going to do that work? As mentioned, modern container deployment tools make use of a number of kernel security features. But there's been something of a dearth of contributions from the companies who sell container-based services. Meaningful work here would include things like:
  • Strong auditing and aggressive fuzzing of containers under realistic configurations
  • Support for meaningful nesting of Linux Security Modules in namespaces
  • Introspection of container state and (more difficult) the host OS itself in order to identify compromises
These aren't easy jobs, but they're important, and I'm hoping that the lack of obvious development in areas like this is merely a symptom of the youth of the technology rather than a lack of meaningful desire to make things better. But until things improve, it's going to be far too easy to write containers off as a 'convenient, cheap, secure: choose two' tradeoff. That's not a winning strategy."
