Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 46 min 10 sec ago

Debian Project mourns the loss of Kristoffer H. Rose

8 hours 16 min ago
Ana Guerrero Lopez sadly reports that Kristoffer H. Rose died on September 17. "Kristoffer was a Debian contributor from the very early days of the project, and the upstream author of several packages that are still in the Debian archive nowadays, such as the LaTeX package Xy-pic and FlexML. On his return to the project after several years' absence, many of us had the pleasure of meeting Kristoffer during DebConf15 in Heidelberg. The Debian Project honours his good work and strong dedication to Debian and Free Software. Kristoffer's broad technical knowledge and his ability to share that knowledge with others will be missed. The contributions of Kristoffer will not be forgotten, and the high standards of his work will continue to serve as an inspiration to others."

Security advisories for Wednesday

8 hours 25 min ago

Arch Linux has updated bind (denial of service), lib32-openssl (denial of service), and openssl (denial of service).

Debian has updated bind9 (two denial of service flaws).

Fedora has updated jansson (F24; F23: denial of service) and openssl (F24: multiple vulnerabilities).

Mageia has updated autotrace (code execution), firefox/rootcerts/nss (multiple vulnerabilities), gnutls (certificate verification bypass), graphicsmagick (multiple vulnerabilities), pdns (three denial of service flaws), thunderbird (multiple vulnerabilities), wget (two vulnerabilities), and zookeeper (buffer overflow).

openSUSE has updated bind (Leap42.1, 13.2: denial of service), freerdp (Leap42.1; 13.2: two vulnerabilities), and openssl (Leap42.1: multiple vulnerabilities).

Oracle has updated kvm (OL5: two vulnerabilities) and openssl (OL7; OL6: multiple vulnerabilities).

Red Hat has updated bind (RHEL5,6,7: denial of service), bind97 (RHEL5: denial of service), kernel (RHEL6.6: information leak), and kvm (RHEL5: two vulnerabilities).

Slackware has updated bind (denial of service).

SUSE has updated bind (SLE12-SP1; SLES12; SOSC5, SMP2.1, SM2.1, SLE11-SP4: denial of service), mariadb (SLE12-SP1; SLES12: SQL injection/privilege escalation), openssl (SLE12-SP1: multiple vulnerabilities), and php5 (SLESDK12-SP1, SLEM12: multiple vulnerabilities).

Ubuntu has updated bind9 (denial of service) and Pillow (14.04: multiple vulnerabilities).

Firefox OS, B2G OS, and Gecko

Tuesday 27th of September 2016 06:31:07 PM
Ari Jaaksi and David Bryant posted a note to the B2G (Boot to Gecko) OS community looking at the end of Firefox OS development and at what happens to the code base going forward. "In the spring and summer of 2016 the Connected Devices team dug deeper into opportunities for Firefox OS. They concluded that Firefox OS TV was a project to be run by our commercial partner and not a project to be led by Mozilla. Further, Firefox OS was determined to not be sufficiently useful for ongoing Connected Devices work to justify the effort to maintain it. This meant that development of the Firefox OS stack was no longer a part of Connected Devices, or Mozilla at all. Firefox OS 2.6 would be the last release from Mozilla. Today we are announcing the next phase in that evolution. While work at Mozilla on Firefox OS has ceased, we very much need to continue to evolve the underlying code that comprises Gecko, our web platform engine, as part of the ongoing development of Firefox. In order to evolve quickly and enable substantial new architectural changes in Gecko, Mozilla’s Platform Engineering organization needs to remove all B2G-related code from mozilla-central. This certainly has consequences for B2G OS. For the community to continue working on B2G OS they will have to maintain a code base that includes a full version of Gecko, so will need to fork Gecko and proceed with development on their own, separate branch." (Thanks to Paul Wise)

Tuesday's security updates

Tuesday 27th of September 2016 03:31:02 PM

Arch Linux has updated gnutls (certificate verification bypass), lib32-gnutls (certificate verification bypass), lib32-openssl (multiple vulnerabilities), openssl (multiple vulnerabilities), and wireshark-cli (multiple vulnerabilities).

Debian has updated jackrabbit (cross-site request forgery) and python-django (cross-site request forgery).

Debian-LTS has updated firefox-esr (multiple vulnerabilities).

Fedora has updated community-mysql (F24: SQL injection/privilege escalation).

openSUSE has updated firefox, nss (13.1: multiple vulnerabilities) and openssl (13.2: multiple vulnerabilities).

Red Hat has updated openssl (RHEL6,7: multiple vulnerabilities).

Slackware has updated openssl (denial of service).

SUSE has updated openssl (SLES12: multiple vulnerabilities).

Ubuntu has updated python-django (cross-site request forgery).

[$] Systemd programming, 30 months later

Tuesday 27th of September 2016 02:11:24 PM

Some time ago, we published a pair of articles about systemd programming that extolled the value of providing high-quality unit files in upstream packages. The hope was that all distributions would use them and that problems could be fixed centrally rather than each distribution fixing its own problems independently. Now, 30 months later, it seems like a good time to see how well that worked out for nfs-utils, the focus of much of that discussion. Did distributors benefit from upstream unit files, and what sort of problems were encountered?

Announcing the KDE Advisory Board

Monday 26th of September 2016 09:21:30 PM
KDE e.V. introduces the KDE Advisory Board. "One of the core goals of the Advisory Board is to provide KDE with insights into the needs of the various organizations that surround us. We are very aware that we need the ability to combine our efforts for greater impact and the only way we can do that is by adopting a more diverse view from outside of our organization on topics that are relevant to us. This will allow all of us to benefit from one another's experience."

Security advisories for Monday

Monday 26th of September 2016 04:23:59 PM

Debian has updated imagemagick (code execution), libarchive (three vulnerabilities), openssl (regression in previous update), and unadf (two vulnerabilities).

Debian-LTS has updated dropbear (two vulnerabilities), dwarfutils (two vulnerabilities), mactelnet (code execution), openssl (multiple vulnerabilities), and policycoreutils (sandbox escape).

Fedora has updated bash (F24; F23: code execution) and firefox (F24; F23: multiple vulnerabilities).

Gentoo has updated bundler (installs malicious gem files) and qemu (multiple vulnerabilities).

Mageia has updated gdk-pixbuf2.0 (denial of service), golang (denial of service), libarchive (file overwrite), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), and wireshark (multiple vulnerabilities).

openSUSE has updated curl (Leap42.1: multiple vulnerabilities), flash-player (13.1: multiple vulnerabilities), gd (Leap42.1: multiple vulnerabilities), gtk2 (Leap42.1; 13.2: code execution), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), samba (Leap42.1: crypto downgrade), thunderbird (13.1: multiple vulnerabilities), tiff (13.1: multiple vulnerabilities), and wpa_supplicant (Leap42.1: multiple vulnerabilities).

Slackware has updated php (multiple vulnerabilities).

Ubuntu has updated openssl (regression in previous update).

OpenSSL security advisory for September 26

Monday 26th of September 2016 01:12:27 PM
This OpenSSL security advisory is notable in that it's the second one in four days; sites that updated after the first one may need to do so again. "This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification."

Kernel prepatch 4.8-rc8

Monday 26th of September 2016 01:04:15 PM
The 4.8-rc8 kernel prepatch is out. "Things actually did start to calm down this week, but I didn't get the feeling that there was no point in doing one final rc, so here we are. I expect the final 4.8 release next weekend, unless something really unexpected comes up."

Prodromou: Adopt a pump.io server

Monday 26th of September 2016 08:27:59 AM

Evan Prodromou, creator of identi.ca and pump.io, has put a call out for interested parties to adopt the administration of public pump.io microblogging servers, which he is currently funding out of his own pocket. "Almost all of them are on $5/month Digital Ocean droplets, which makes them relatively cheap for a single person to support. If you decide you want to adopt a server, E14N will sell you the domain and all the software and data for $1. But you'll be obligated to keep the server running pump.io for at least a year, and if you decide you don't want to run it, you have to sell it back to me." There are currently around 25 servers in the federated network initially started by Prodromou, which does not count other pump.io instances. He notes that one important exception is the identi.ca site, which is significantly larger than the rest, and which he would like to find a trusted non-profit organization to maintain.

Stable kernel updates 4.7.5 and 4.4.22

Saturday 24th of September 2016 02:02:46 PM
The 4.7.5 and 4.4.22 stable kernel updates are available. These are relatively large updates containing the usual important fixes.

Mitchell: The MIT License, Line by Line

Friday 23rd of September 2016 04:11:19 PM

At his blog, Kyle E. Mitchell ("who is not your attorney") takes a close, line-by-line reading of the popular MIT software license. The details he points out begin on line one with the license's title: "'The MIT License' is a not a single license, but a family of license forms derived from language prepared for releases from the Massachusetts Institute of Technology. It has seen a lot of changes over the years, both for the original projects that used it, and also as a model for other projects. The Fedora Project maintains a kind of cabinet of MIT license curiosities, with insipid variations preserved in plain text like anatomical specimens in formaldehyde, tracing a wayward kind of evolution."

Despite the license being only 171 words, Mitchell finds quite a bit to expand on, such as the ambiguities of the phrase "to deal in the Software without restriction": "As a result of this mishmash of legal, industry, general-intellectual-property, and general-use terms, it isn’t clear whether The MIT License includes a patent license. The general language 'deal in' and some of the example verbs, especially 'use', point toward a patent license, albeit a very unclear one. The fact that the license comes from the copyright holder, who may or may not have patent rights in inventions in the software, as well as most of the example verbs and the definition of 'the Software' itself, all point strongly toward a copyright license." Nevertheless, Mitchell notes, "despite some crusty verbiage and lawyerly affectation, one hundred and seventy one little words can get a hell of a lot of legal work done."

Friday's security updates

Friday 23rd of September 2016 01:55:01 PM

Debian has updated firefox-esr (multiple vulnerabilities).

Debian-LTS has updated wordpress (multiple vulnerabilities).

Fedora has updated distribution-gpg-keys (F23: privilege escalation), mock (F23: privilege escalation), openvas-libraries (F24; F23: multiple vulnerabilities), openvas-scanner (F24; F23: denial of service), and shiro (F24: access control bypass).

openSUSE has updated pdns (13.2, Leap 42.1: multiple vulnerabilities).

Oracle has updated kernel (4.1.12 O6; O7: multiple vulnerabilities; 3.8.13 O7; O6: multiple vulnerabilities; 2.6.39 O6; O5: multiple vulnerabilities).

Slackware has updated openssl (14.0, 14.1, 14.2, -current: multiple vulnerabilities) and pidgin (13.0, 13.1, 13.137, 14.0, 14.1: mysterious vulnerabilities).

Ubuntu has updated openssl (12.04, 14.04, 16.04: multiple vulnerabilities).

Garrett: Microsoft aren't forcing Lenovo to block free operating systems

Thursday 22nd of September 2016 08:03:35 PM
Matthew Garrett looks at the real problem behind the inability of some Lenovo laptops to run Linux. "The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred."

A pile of security updates for Thursday

Thursday 22nd of September 2016 07:17:15 PM
Arch Linux has updated firefox (multiple vulnerabilities), irssi (code execution), and tomcat7 (proxy injection).

CentOS has updated firefox (C5, C6, C7: multiple vulnerabilities).

Debian has updated wireshark (LTS: dissector vulnerabilities), irssi (denial of service), and openssl (multiple vulnerabilities).

Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection).

openSUSE has updated opera (multiple vulnerabilities).

Oracle has updated firefox (OL5, OL6, OL7: multiple vulnerabilities).

Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities).

Slackware has updated irssi (denial of service), pidgin (17 CVE numbers), and firefox (multiple vulnerabilities).

SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability).

Ubuntu has updated firefox (multiple vulnerabilities), gdk-pixbuf (code execution), irssi (denial of service), and thunderbird (code execution).

Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.

[$] LWN.net Weekly Edition for September 22, 2016

Thursday 22nd of September 2016 01:18:35 AM
The LWN.net Weekly Edition for September 22, 2016 is available.

GNOME 3.22 released

Wednesday 21st of September 2016 06:36:39 PM
The GNOME Project has announced the release of GNOME 3.22, "Karlsruhe". "This release brings comprehensive Flatpak support. GNOME Software can install and update Flatpaks, GNOME Builder can create them, and the desktop provides portal implementations to enable sandboxed applications. Improvements to core GNOME applications include support for batch renaming in Files, sharing support in GNOME Photos, an updated look for GNOME Software, a redesigned keyboard settings panel, and many more."

[$] BBR congestion control

Wednesday 21st of September 2016 04:39:57 PM
Congestion-control algorithms are unglamorous bits of code that allow network protocols (usually TCP) to maximize the throughput of any given connection while simultaneously sharing the available bandwidth equitably with other users. New algorithms tend not to generate a great deal of excitement; the addition of TCP New Vegas during the 4.8 merge window drew little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT) algorithm just released by Google, though, is attracting rather more attention; it moves away from the mechanisms traditionally used by these algorithms in an attempt to get better results in a network characterized by wireless links, meddling middleboxes, and bufferbloat.

Security advisories for Wednesday

Wednesday 21st of September 2016 03:36:21 PM

Arch Linux has updated curl (code execution), lib32-curl (code execution), and lib32-jansson (denial of service).

Debian has updated wireshark (multiple vulnerabilities).

Debian-LTS has updated unadf (two vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities).

SUSE has updated mysql (SLE11-SP3,4: multiple unspecified vulnerabilities).

CouchDB 2.0 released

Wednesday 21st of September 2016 02:52:59 PM
The Apache CouchDB database project has announced its 2.0 release. New features include clustering support, a new query language, a new administrative interface, and more. "CouchDB 2.0 is 99% API compatible with the 1.x series and most applications should continue to just work."

More in Tux Machines

Android Leftovers

  • Goodbye QWERTY: BlackBerry stops making hardware
    BlackBerry CEO John Chen has been hinting at this move for almost a year now: today BlackBerry announced it will no longer design hardware. Say goodbye to all the crazy hardware QWERTY devices, ultra-wide phones, and unique slider designs. Speaking to investors, BlackBerry CEO John Chen described the move as a "pivot to software," saying, "The company plans to end all internal hardware development and will outsource that function to partners. This allows us to reduce capital requirements and enhance return on invested capital." The "Outsourcing to partners" plan is something we've already seen with the "BlackBerry" DTEK50, which was just a rebranded Alcatel Idol 4. Chen is now betting the future of the company on software, saying, "In Q2, we more than doubled our software revenue year over year and delivered the highest gross margin in the company's history. We also completed initial shipments of BlackBerry Radar, an end-to-end asset tracking system, and signed a strategic licensing agreement to drive global growth in our BBM consumer business." BlackBerry never effectively responded to the 2007 launch of the iPhone and the resulting transition to modern touchscreen smartphones. BlackBerry took swings with devices like the BlackBerry Storm in 2008, its first touchscreen phone; and the BlackBerry Z10 in 2013, the first BlackBerry phone with an OS designed for touch, but neither caught on. BlackBerry's first viable competitor to the iPhone didn't arrive until it finally switched to Android in 2015 with the BlackBerry Priv. It was the first decent BlackBerry phone in some time, but the high price and subpar hardware led to poor sales.
  • Oracle's 'Gamechanger' Evidence Really Just Evidence Of Oracle Lawyers Failing To Read
    Then on to the main show: Oracle's claim that Google hid the plans to make Android apps work on Chrome OS. Google had revealed to Oracle its "App Runtime for Chrome" (ARC) setup, and it was discussed by Oracle's experts, but at Google I/O, Google revealed new plans for apps to run in Chrome OS that were not using ARC, but rather a brand new setup, which Google internally referred to as ARC++. Oracle argued that Google only revealed to them ARC, but not ARC++ and that was super relevant to the fair use argument, because it showed that Android was replacing more than just the mobile device market for Java. But, here's Oracle's big problem: Google had actually revealed to Oracle the plans for ARC++. It appears that Oracle's lawyers just missed that fact. Ouch.
  • Understanding Android's balance between openness and security
    At the 2016 Structure Security conference, Google's Adrian Ludwig talked about the balance between keeping Android as open as possible, while also keeping it secure.
  • Google's Nougat Android update hits the sweet spot: Software 'isn't flashy, but still pretty handy'
    Nougat, Google's latest update of its Android smartphone software, isn't particularly flashy; you might not even notice what's different about it at first. But it offers a number of practical time-saving features, plus a few that could save money — and perhaps even your life. Nougat is starting to appear on phones, including new ones expected from Google next week.
  • How to change the home screen launcher on Android
  • Andromeda: Chrome OS and Android will merge
  • Sale of Kodi 'fully-loaded' streaming boxes faces legal test
  • Android boxes: Middlesbrough man to be first to be prosecuted for selling streaming kits

Endless OS 3.0 is out!

So our latest and greatest Endless OS is out with the new 3.0 version series! The shiny new things include the use of Flatpak to manage the applications; a new app center (GNOME Software); a new icon set; a new Windows installer that gives you the possibility of installing Endless OS in dual-boot; and many bug fixes. Read more

Expandable, outdoor IoT gateway runs Android on i.MX6

VIA’s “Artigo A830” IoT gateway runs Android on an i.MX6 DualLite SoC and offers HDMI, GbE, microSD, numerous serial and USB ports, plus -20 to 60° operation. As the name suggests, the VIA Technologies Artigo A830 Streetwise IoT Platform is designed for outdoor Internet of Things gateway applications. These are said to include smart lockers, vending machines, information kiosks, and signage devices that run “intensive multimedia shopping, entertainment, and navigation applications.” The outdoors focus is supported with an extended -20 to 60°C operating range, as well as surge and ESD protection for surviving challenges such as a nearby lightning strike. Read more

Mercedes and Kia add new Android Auto models

Buying a new car comes with myriad of considerations. Is it fuel efficient? Is it safe? Will it play nicely with my phone? People sometimes neglect the last one, but you're going to be carrying the phone literally every time you get in the car, so why not make sure? Mercedes and Kia seem to get that. They've added support for Android Auto to a ton of new cars today. Read more