Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 6 hours 14 min ago

Reding: What's new for Tegra in Linux v4.7

Monday 27th of June 2016 10:58:19 PM
Thierry Reding looks at Tegra support in Linux 4.7. "The XUSB driver has been under development for a ridiculously long time. One of the reasons is that it relies on the XUSB pad controller to configure its pins as required by the board design. The XUSB pad controller is very likely one of the least-intuitive pieces of hardware I've ever encountered, and the attempts to come up with a device tree binding to describe it have been very numerous. We did finally settle on something earlier this year and after the existing code was updated for the new binding, we're finally able to support super-speed USB on Tegra124 and later." (Thanks to Martin Michlmayr)

Project Triforce: Run AFL on Everything!

Monday 27th of June 2016 10:36:06 PM
The developers of "Project Triforce," an effort to run the "american fuzzy lop" fuzz-testing tool in a system-wide manner, have posted a detailed description of what they are up to. "AFL is an awesome tool. The power of an easy to use, feedback-driven fuzzer has produced an absolutely staggering number of bugs. Still, at first AFL required being able to build the executable, something sadly not available on a lot of targets. With the addition of AFL's qemu_mode, it became possible to fuzz binaries without source, exposing a whole new world of targets to AFL. I'd been on a number of Linux container engagements recently where we'd managed to escape through kernel exploits. I fell asleep one night to several AFL screens running, and I awoke suddenly with a crazy idea: 'Run AFL on the Linux Kernel.'"

Open Source Projects as part of MOSS “Mission Partners” Program

Monday 27th of June 2016 09:25:42 PM
The Mozilla blog has announced the first recipients of its Mozilla Open Source Support (MOSS) “Mission Partners” awards. "For many years people with visual impairments and the legally blind have paid a steep price to access the Web on Windows-based computers. The market-leading software for screen readers costs well over $1,000. The high price is a considerable obstacle to keeping the Web open and accessible to all. The NVDA Project has developed an open source screen reader that is free to download and to use, and which works well with Firefox. NVDA aligns with one of the Mozilla Manifesto’s principles: “The Internet is a global public resource that must remain open and accessible.”" The NVDA project received $15,000. Other award recipients include Tor, Tails, Caddy, Mio, DNSSEC/DANE Chain Stapling, Godot Engine, and PeARS. (Thanks to Paul Wise)

Security updates for Monday

Monday 27th of June 2016 05:33:49 PM

Arch Linux has updated chromium (multiple vulnerabilities), libdwarf (multiple vulnerabilities), libpurple (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), vlc (code execution), and xerces-c (code execution).

Debian has updated libpdfbox-java (XML External Entity (XXE) attacks).

Debian-LTS has updated gimp (use-after-free), java-common (OpenJDK 6 no longer supported), libcommons-fileupload-java (denial of service), mysql-connector-java (information disclosure), nss (denial of service), and tomcat7 (denial of service).

Fedora has updated drupal7 (F24: privilege escalation), mirrormanager (F24; F23; F22: unspecified), optipng (F23: code execution), python (F23: man-in-the-middle attack), and qemu (F24: multiple vulnerabilities).

Gentoo has updated claws-mail (multiple vulnerabilities), freexl (multiple vulnerabilities), hostapd (multiple vulnerabilities), imagemagick (multiple vulnerabilities), libssh (multiple vulnerabilities), plib (code execution from 2011), and sudo (privilege escalation).

openSUSE has updated libarchive (13.2: denial of service), libav (Leap42.1: two vulnerabilities), libtasn1 (Leap42.1: denial of service), libtorrent-rasterbar (13.1: denial of service), mariadb (Leap42.1: multiple vulnerabilities), p7zip (Leap42.1: code execution), php5 (Leap42.1: multiple vulnerabilities), and rsync (Leap42.1: unsafe destination path).

Oracle has updated kernel 2.6.32 (OL6; OL5: privilege escalation).

Red Hat has updated kernel-rt (RHEMRG2.5: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: two vulnerabilities).

Slackware has updated php (multiple vulnerabilities).

Kernel prepatch 4.7-rc5

Monday 27th of June 2016 02:57:09 AM
The 4.7-rc5 kernel prepatch is out. "I think things are calming down, although with almost two thirds of the commits coming in since Friday morning, it doesn't feel that way - my Fridays end up feeling very busy. But looking at the numbers, we're pretty much where we normally are at this time of the rc series."

A couple of unpleasant local kernel vulnerabilities

Saturday 25th of June 2016 03:17:26 PM
The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set of netfilter fixes that, it has just been disclosed, fix a couple of severe local privilege-escalation vulnerabilities. Anybody who is running a site with user and network namespaces enabled will want to update their kernels in short order. The fixes were originally committed into 4.6-rc2 in April with no comment regarding their implications.

Three new stable kernels

Friday 24th of June 2016 08:33:14 PM

Greg Kroah-Hartman has released stable kernel updates 4.6.3, 4.4.14, and 3.14.73. Each contains important fixes throughout the tree.

Friday's security updates

Friday 24th of June 2016 02:18:41 PM

CentOS has updated kernel (C7: multiple vulnerabilities), libxml2 (C6; C7: multiple vulnerabilities), ocaml (C7: information leak), setroubleshoot (C7: multiple vulnerabilities), and setroubleshoot-plugins (C7: multiple vulnerabilities).

Fedora has updated python (F24: startTLS stripping), setroubleshoot (F24: code execution), and setroubleshoot-plugins (F24: code execution).

Oracle has updated kernel (O7: multiple vulnerabilities), libxml2 (O6; O7: multiple vulnerabilities), ocaml (O7: information leak), and setroubleshoot and setroubleshoot-plugins (O7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), and ocaml (RHEL7: information leak).

Scientific Linux has updated libxml2 (SL 6,7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (SL7; SL6: multiple vulnerabilities).

SUSE has updated kernel (SLE11: multiple vulnerabilities).

Defending Our Brand (Let's Encrypt)

Thursday 23rd of June 2016 09:37:48 PM
It seems that the Comodo TLS certificate authority (CA) has filed for three trademarks using variations of "Let's Encrypt". As might be guessed, the Let's Encrypt project is less than pleased by Comodo trying to coopt its name. "Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization. If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web." [Thanks to Paul Wise.]

Xen 4.7 released

Thursday 23rd of June 2016 05:05:04 PM
Version 4.7 of the Xen hypervisor has been released. "With dozens of major improvements, many more bug fixes and small improvements, and significant improvements to Drivers and Devices, Xen Project 4.7 reflects a thriving community around the Xen Project Hypervisor." Some of the new features include live patching, better dom0 robustness, better migration support between non-identical hosts, scheduler improvements, and more. See the release notes for more information.

Thursday's security advisories

Thursday 23rd of June 2016 03:02:57 PM

Debian-LTS has updated squidguard (cross-site scripting).

Fedora has updated php-symfony-security-acl (F24: unspecified). Also, Fedora has sent out a reminder that Fedora 22 will reach its end of life on July 19.

Mageia has updated chromium-browser-stable (multiple vulnerabilities), kernel-linus (multiple vulnerabilities, one from 2013), kernel-tmb (multiple vulnerabilities, one from 2013), libimobiledevice (socket listening on all network interfaces), and python (three vulnerabilities).

openSUSE has updated libarchive (42.1: code execution), mariadb (13.2: many unspecified vulnerabilities), and obs-service-source_validator (42.1; 13.2: code execution).

Red Hat has updated libxml2 (RHEL6&7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (RHEL7: three vulnerabilities).

[$] LWN.net Weekly Edition for June 23, 2016

Thursday 23rd of June 2016 02:41:35 AM
The LWN.net Weekly Edition for June 23, 2016 is available.

Sony agrees to pay millions to gamers to settle PS3 Linux debacle (ars technica)

Wednesday 22nd of June 2016 07:41:10 PM
Back in 2009, Sony removed the "install other OS" option from its PS3 game consoles, removing the ability to install Linux on those machines. It then went after developers who figured out how to jailbreak the device. Ars technica reports that Sony has now settled a class-action lawsuit over those actions. "Under the terms of the accord, which has not been approved by a California federal judge yet, gamers are eligible to receive $55 if they used Linux on the console. The proposed settlement, which will be vetted by a judge next month, also provides $9 to each console owner that bought a PS3 based on Sony's claims about 'Other OS' functionality." The lawyers, instead, get over $2 million.

Security advisories for Wednesday

Wednesday 22nd of June 2016 04:07:38 PM

CentOS has updated setroubleshoot (C6: multiple vulnerabilities) and setroubleshoot-plugins (C6: multiple vulnerabilities).

Debian-LTS has updated icedove (multiple vulnerabilities) and python2.7 (three vulnerabilities).

Fedora has updated expat (F24: multiple vulnerabilities), php-zendframework-zendxml (F23; F22: insecure ciphertexts), php-ZendFramework2 (F23; F22: insecure ciphertexts), and xen (F22: two vulnerabilities).

openSUSE has updated Chromium (13.1: multiple vulnerabilities), ImageMagick (Leap42.1: command execution), and vlc (Leap42.1; 13.2: multiple vulnerabilities).

Oracle has updated openssl (OL5: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (OL6: multiple vulnerabilities).

Red Hat has updated python-django-horizon (RHOSP8.0; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: cross-site scripting) and setroubleshoot and setroubleshoot-plugins (RHEL6: multiple vulnerabilities).

Elixir v1.3 released

Tuesday 21st of June 2016 08:05:29 PM
Version 1.3 of the Elixir programming language has been released. "Elixir v1.3 brings many improvements to the language, the compiler and its tooling, specially Mix (Elixir’s build tool) and ExUnit (Elixir’s test framework). The most notable additions are the new Calendar types, the new cross-reference checker in Mix, and the assertion diffing in ExUnit."

Announcing Flatpak

Tuesday 21st of June 2016 07:41:10 PM
Not to be left behind by a certain competing project, the developers of the Flatpak packaging system have put out a press release proclaiming its virtues. "The Linux desktop has long been held back by platform fragmentation. This has been a burden on developers, and creates a high barrier to entry for third party application developers. Flatpak aims to change all that. From the very start its primary goal has been to allow the same application to run across a myriad of Linux distributions and operating systems. In doing so, it greatly increases the number of users that application developers can easily reach."

Security updates for Tuesday

Tuesday 21st of June 2016 04:24:59 PM

Fedora has updated nfdump (F23; F22: multiple vulnerabilities) and webkitgtk4 (F22: two vulnerabilities).

openSUSE has updated ctdb (Leap42.1, 13.2: privilege escalation), libtorrent-rasterbar (Leap42.1, 13.2: denial of service), ntp (Leap42.1: multiple vulnerabilities), and kernel (Leap42.1: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Slackware has updated libarchive (multiple vulnerabilities) and pcre (denial of service).

SUSE has updated ctdb (SLE11-SP4: privilege escalation), libimobiledevice, usbmuxd (SLE12-SP1: sockets listening on INADDR_ANY), and php53 (SLES11-SP2: multiple vulnerabilities).

Ubuntu has updated dnsmasq (16.04, 15.10: denial of service), expat (two vulnerabilities), haproxy (16.04: denial of service), spice (16.04, 15.10, 14.04: two vulnerabilities), wget (code execution), and xmlrpc-c (12.04: multiple vulnerabilities).

Fedora 24 released

Tuesday 21st of June 2016 02:28:18 PM
After several schedule slips, the Fedora 24 release is available. "The Fedora Project has embarked on a great journey... redefining what an operating system should be for users and developers. Such innovation does not come overnight, and Fedora 24 is one big step on the road to the next generation of Linux distributions. But that does not mean that Fedora 24 is some 'interim' release; there are great new features for Fedora users to deploy in their production environments right now!" See the Fedora 24 approved features list for an idea of what's in this release.

Horn: Exploiting Recursion in the Linux Kernel

Tuesday 21st of June 2016 02:04:26 AM
On the Project Zero blog, Jann Horn describes a bug Horn found that allows user space to overflow the kernel stack using the ecryptfs encrypted filesystem. That overflow can be used to elevate privileges for local users on Ubuntu systems configured for encrypted home directories. "However, the reason why I wrote a full root exploit for this not exactly widely exploitable bug is that I wanted to demonstrate that Linux stack overflows can occur in very non-obvious ways, and even with the existing mitigations turned on, they're still exploitable. In my bug report, I asked the kernel security list to add guard pages to kernel stacks and remove the thread_info struct from the bottom of the stack to more reliably mitigate this bug class, similar to what other operating systems and grsecurity are already doing. Andy Lutomirski had actually already started working on this, and he has now published patches that add guard pages: https://lkml.org/lkml/2016/6/15/1064."

[$] Transport-level protocols in user space

Monday 20th of June 2016 09:31:48 PM
The Linux networking developers have long held a strong opinion about user-space protocol implementations: they should be avoided in favor of making the in-kernel implementation better. So it might be surprising to see a veteran networking developer post a patch set aimed at making user-space implementations easier. A look at this patch and its motivations shines an interesting light on changes that are taking place in the networking world.

More in Tux Machines

Steven J. Vaughan-Nichols on Red Hat

  • ​Red Hat's JBoss moves to the cloud
    At Red Hat Summit in San Francisco, Red Hat announced the release of Red Hat JBoss Enterprise Application Platform (EAP) 7. The company also introduced the JBoss Core Services Collection to help developers create JBoss enterprise applications.
  • ​Open-source Microsoft protocol aims to be a programming standard
    Microsoft -- yes, Microsoft -- announced at the DevNation conference in San Francisco that it's releasing an open-source language server protocol. More interesting still, this is being done in concert with Codenvy and Red Hat.
  • ​Red Hat makes container development easier
    In San Francisco at Red Hat Summit, Red Hat announced the release of the Red Hat Container Development Kit 2.1 (RHCDK). This new developer kit, one of the many free programming tool kits Red Hat offers its Linux customers, is meant to enable programmers to easily create enterprise-ready containerized applications which target both OpenShift 3 development and Red Hat Enterprise Linux (RHEL) environments.

SFLC represents FOSS developers at the OECD 2016 Ministerial Meeting on the Digital Economy: Innovation, Growth and Social Prosperity

On 21-23 June 2016, Ministers and stakeholders gathered in Cancún, Mexico, for an OECD Ministerial Meeting on the Digital Economy: Innovation, Growth and Social Prosperity, to move the digital agenda forward in four key policy areas foundational to the growth of the digital economy. Our Legal Director, Mishi Choudhary represented the United States civil society at the OECD Ministerial Panel on The Economic and Social Benefits of Internet Openness, chaired by the Canadian Minister of Innovation, Science, and Economic Development Hon’ble Navdeep Singh Bains. Read more

Today in Techrights