LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Mathewson: Mid-2016 Tor bug retrospective, with lessons for future coding

Wednesday 25th of May 2016 02:10:02 AM
On the Tor blog, Nick Mathewson reports on an informal survey he did for "severe" bugs in Tor over the last few years. It breaks down the 70 bugs he found into different categories that are correlated with some recommendations for ways to try to avoid them in the future. For example: "Recommendation 5.1: all backward compatibility code should have a timeout date. On several occasions we added backward compatibility code to keep an old version of Tor working, but left it enabled for longer than we needed to. This code has tended not to get the same regular attention it deserves, and has also tended to hold surprising deviations from the specification. We should audit the code that's there today and see what we can remove, and we should never add new code of this kind without adding a ticket and a comment planning to remove it." Many of the recommendations are likely applicable to other projects.
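Recommendation 5.1 above is easy to turn into something a test suite can enforce. The following is an added example and not code from Tor or from Mathewson's post: it keeps a small registry of backward-compatibility shims, each tagged with the ticket that tracks its removal and an ISO date after which keeping it counts as a bug. Every shim name and ticket id here is a constructed placeholder, and the function names (`compat_shim_expired`, `compat_shims_overdue`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical registry of backward-compatibility shims. Each entry records
 * the ticket that tracks its removal and the date after which keeping it is
 * a bug. Names and ticket ids are constructed placeholders, not Tor's. */
struct compat_shim {
    const char *name;       /* what the shim keeps working */
    const char *ticket;     /* tracking ticket for its removal */
    const char *remove_by;  /* ISO 8601 date, YYYY-MM-DD, in UTC */
};

static const struct compat_shim compat_shims[] = {
    { "legacy-handshake-fallback", "TICKET-PLACEHOLDER-1", "2017-01-01" },
    { "old-descriptor-parser",     "TICKET-PLACEHOLDER-2", "2018-06-01" },
};
#define N_COMPAT_SHIMS (sizeof(compat_shims) / sizeof(compat_shims[0]))

/* Return 1 if 'now' falls on or after the shim's removal date.
 * ISO dates order correctly as strings, so a plain strcmp suffices. */
int compat_shim_expired(const struct compat_shim *shim, time_t now)
{
    char today[sizeof "YYYY-MM-DD"];
    struct tm *tm = gmtime(&now);
    if (tm == NULL)
        return 0;
    strftime(today, sizeof today, "%Y-%m-%d", tm);
    return strcmp(today, shim->remove_by) >= 0;
}

/* Count the shims that are past their removal date and report each one.
 * Run this from the test suite so an overdue shim fails the build rather
 * than quietly outliving the reason it was added. */
int compat_shims_overdue(time_t now)
{
    int overdue = 0;
    for (size_t i = 0; i < N_COMPAT_SHIMS; i++) {
        if (compat_shim_expired(&compat_shims[i], now)) {
            fprintf(stderr, "compat shim '%s' was due for removal by %s (see %s)\n",
                    compat_shims[i].name, compat_shims[i].remove_by,
                    compat_shims[i].ticket);
            overdue++;
        }
    }
    return overdue;
}

int main(void)
{
    int overdue = compat_shims_overdue(time(NULL));
    printf("%d overdue compatibility shim(s)\n", overdue);
    return overdue ? 1 : 0;
}
```

The point of the date string is that it lives next to the code and next to the ticket reference, so the removal plan cannot drift away from the shim it applies to; the test turns a forgotten shim into a loud failure at a known time instead of an unreviewed deviation from the specification.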

GitLab 8.8 released with Pipelines and .gitignore templates

Tuesday 24th of May 2016 06:46:48 PM
GitLab 8.8 has been released with pipeline visualization, .gitignore templates, the GitLab Container Registry, and more. "In this release, we are supercharging GitLab CI. First with Pipelines and now with GitLab Container Registry. GitLab Container Registry is a secure and private registry for Docker images. It isn't just a standalone registry; it's completely integrated with GitLab. In fact, our container registry is actually the first Docker registry that is fully-integrated with git repository management and comes out of the box with GitLab 8.8. So if you've upgraded, you already have it! Our integrated Container Registry requires no additional installation. It allows for easy upload and download of images from GitLab CI. And it's free."

Tuesday's security updates

Tuesday 24th of May 2016 03:46:45 PM

Debian has updated atheme-services (denial of service).

Fedora has updated gsi-openssh (F23: privilege escalation), imlib2 (F23; F22: multiple vulnerabilities), and websvn (F23; F22: cross-site scripting).

Mageia has updated glibc (multiple vulnerabilities), golang (denial of service), pcre (two vulnerabilities), and xerces-j2 (denial of service).

Red Hat has updated jq (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7: code execution) and kernel (RHEL6.6: two remote denial of service vulnerabilities).

SUSE has updated IBM Java 1.6.0 (SLES10-SP4: multiple vulnerabilities).

Repurposing Old Smartphones for Home Automation (Linux.com)

Monday 23rd of May 2016 08:27:07 PM
Linux.com has an interview with Dietrich Ayala about using old smartphones for home automation. "Ayala spent a lot of time studying the readouts from sensors, as well as from the phone’s microphone, camera, and radios, that would enable a remote user to draw conclusions about what was happening at home. This contextual information could then be codified into more useful notifications. With ambient light, for example, if it suddenly goes dark in the daytime, maybe someone is standing over a device, explained Ayala. Feedback from the accelerometer can be analyzed to determine the difference between footsteps, an earthquake, or someone picking up the device. Scripts can use radio APIs to determine if a person moving around is carrying a phone with a potentially revealing Bluetooth signature."

Security advisories for Monday

Monday 23rd of May 2016 05:02:40 PM

Debian has updated wireshark (multiple vulnerabilities).

Debian-LTS has updated extplorer (cross-site request forgery), graphicsmagick (multiple vulnerabilities), and imagemagick (multiple vulnerabilities).

Fedora has updated cacti (F23; F22: SQL injection), dosfstools (F23: two vulnerabilities), libksba (F22: denial of service), libndp (F23; F22: man-in-the-middle attacks), mingw-openssl (F23: multiple vulnerabilities), moodle (F23: multiple vulnerabilities), openvpn (F22: multiple vulnerabilities), pgpdump (F23; F22: denial of service), php-symfony (F23; F22: buffer overflow), qemu (F22: multiple vulnerabilities), rpm (F22: two vulnerabilities), thunderbird (F23: multiple vulnerabilities), and wordpress (F23; F22: two cross-site scripting vulnerabilities).

Mageia has updated apache-mod_nss (invalid handling of +CIPHER operator), bugzilla (cross-site scripting), jansson (denial of service), libgd (denial of service), libreoffice (code execution), networkmanager (information leak), openvpn (multiple vulnerabilities), p7zip (code execution), php-ZendFramework2 (insecure ciphertexts), and wpa_supplicant (two vulnerabilities).

openSUSE has updated kernel (Leap42.1: multiple vulnerabilities).

Oracle has updated docker-engine (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities), and kernel 2.6.32 (OL6; OL5: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6.4: two remote denial of service vulnerabilities).

Scientific Linux has updated libndp (SL7: man-in-the-middle attacks).

Slackware has updated curl (server spoofing).

SUSE has updated firefox (SLE11-SP4,SP3: multiple vulnerabilities), java-1_6_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11SP3,SP2: multiple vulnerabilities), and java-1_7_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11SP3,SP2: multiple vulnerabilities).

Roundcube Webmail 1.2.0 released

Monday 23rd of May 2016 12:20:43 PM
Version 1.2.0 of the Roundcube web-based email system has been released. The headline feature this time around would appear to be support for encrypted mail with PGP; the encryption can be handled either centrally in the server, or in the browser via the "Mailvelope" browser plugin. A complete list of changes can be found in the changelog.

A report on the CoreOS remote SSH vulnerability

Friday 20th of May 2016 05:46:33 PM
For those who are curious about how the CoreOS remote SSH vulnerability came to be, the company has posted a detailed report. "This misconfiguration was abetted by confirmation bias. The expected outcome of the change to the CoreOS PAM configuration was for users who presented a password present in an authentication database to be successfully authenticated. Because of the pam_permit failure case explained above, this was the observed behavior in testing, so the change was assumed to be correct. No attempt was made to determine whether the observed behavior could be explained in some other way, such as the system allowing any presented password."

Security updates for Friday

Friday 20th of May 2016 02:22:00 PM

Arch Linux has updated bugzilla (cross-site scripting).

Debian has updated librsvg (three vulnerabilities).

Debian-LTS has updated expat (code execution) and libgd2 (denial of service).

Mageia has updated dhcpcd (code execution from 2014), expat (code execution), gdk-pixbuf2.0 (code execution), icu (code execution), imagemagick/ruby-rmagic (multiple vulnerabilities), libxml2 (two denial of service flaws), perl (denial of service), and xerces-c (code execution).

openSUSE has updated libksba (13.2: two vulnerabilities) and php5 (42.1: multiple vulnerabilities).

Red Hat has updated Red Hat OpenShift Enterprise 3.1 (unauthorized access) and Red Hat OpenShift Enterprise 3.2 (three vulnerabilities).

SUSE has updated openssl (SLE10: multiple vulnerabilities).

Linux containers vs. VMs: A security comparison (InfoWorld)

Friday 20th of May 2016 12:18:03 AM
Over at InfoWorld, Jim Reno compares the security of virtual machines (VMs) and containers. "Which is more secure?" is a question that is often asked, but the answer, of course, is "it depends". Reno analyzes the attack surface of each to help in choosing between VMs and containers. "Many legacy VM applications treat VMs like bare metal. In other words, they have not adapted their architectures specifically for VMs or for security models not based on perimeter security. They might install many services on the same VM, run the services with root privileges, and have few or no security controls between services. Rearchitecting these applications (or more likely replacing them with newer ones) might use VMs to provide security separation between functional units, rather than simply as a means of managing larger numbers of machines. Containers are well suited for microservices architectures that “string together” large numbers of (typically) small services using standardized APIs. Such services often have a very short lifetime, where a containerized service is started on demand, responds to a request, and is destroyed, or where services are rapidly ramped up and down based on demand. That usage pattern is dependent on the fast instantiation that containers support. From a security perspective it has both benefits and drawbacks."

Berkus: Changing PostgreSQL Version Numbering

Thursday 19th of May 2016 06:16:47 PM
On his blog, Josh Berkus asks about the effects of changing how PostgreSQL numbers its releases. There is talk of moving from an x.y.z scheme to an x.y scheme, where x would increase every year to try to reduce "the need to explain to users that 9.5 to 9.6 is really a major version upgrade requiring downtime". He is wondering what impacts that will have on users, tools, scripts, packaging, and so on. "The problem is the first number, in that we have no clear criteria when to advance it. Historically, we've advanced it because of major milestones in feature development: crash-proofing for 7.0, Windows port for 8.0, and in-core replication for 9.0. However, as PostgreSQL's feature set matures, it has become less and less clear on what milestones would be considered "first digit" releases. The result is arguments about version numbering on the mailing lists every year which waste time and irritate developers."

Stable kernels 4.5.5, 4.4.11, and 3.14.70

Thursday 19th of May 2016 02:42:19 PM
Greg Kroah-Hartman has released the 4.5.5, 4.4.11, and 3.14.70 stable kernels. Users of those series should upgrade.

Thursday's security advisories

Thursday 19th of May 2016 02:39:00 PM

Arch Linux has updated p7zip (two code execution flaws).

Debian has updated swift-plugin-s3 (replay attack).

Debian-LTS has updated icedove (armhf: three vulnerabilities), nss (multiple vulnerabilities), and phpmyadmin (multiple vulnerabilities).

Mageia has updated cacti (two SQL injection flaws), chromium-browser-stable (multiple vulnerabilities), dosfstools (two vulnerabilities), libarchive (code execution), libksba (three vulnerabilities), libndp (man-in-the-middle attacks), mariadb (multiple vulnerabilities), moodle (multiple vulnerabilities), qemu (multiple vulnerabilities), and xymon (multiple vulnerabilities).

openSUSE has updated php5 (13.2: multiple vulnerabilities).

SUSE has updated firefox (SLE10: multiple vulnerabilities).

Ubuntu has updated firefox (fix to previous security update), oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities), and thunderbird (multiple vulnerabilities).

[$] LWN.net Weekly Edition for May 19, 2016

Thursday 19th of May 2016 03:05:38 AM
The LWN.net Weekly Edition for May 19, 2016 is available.

Security advisories for Wednesday

Wednesday 18th of May 2016 05:23:53 PM

Arch Linux has updated expat (code execution) and lib32-expat (code execution).

CentOS has updated libndp (C7: man-in-the-middle attacks).

Debian has updated expat (code execution).

Debian-LTS has updated libidn (information disclosure), librsvg (denial of service), and xen (multiple vulnerabilities).

Fedora has updated dhcp (F22: denial of service).

openSUSE has updated cacti (Leap42.1, 13.2: SQL injection), Chromium (SPH for SLE12: multiple vulnerabilities), go (Leap42.1: two vulnerabilities), GraphicsMagick (Leap42.1, 13.2: multiple vulnerabilities), imlib2 (13.2: multiple vulnerabilities), libressl (13.2: multiple vulnerabilities), librsvg (Leap42.1, 13.2: denial of service), mercurial (Leap42.1, 13.2: code execution), mysql-community-server (Leap42.1, 13.2: multiple vulnerabilities), ntp (Leap42.1: multiple vulnerabilities), ocaml (13.2: information leak), poppler (13.2: denial of service), and proftpd (Leap42.1, 13.2: weak key usage).

Oracle has updated kernel (OL6: multiple vulnerabilities), kernel 4.1.12 (OL7; OL6: three vulnerabilities), libndp (OL7: man-in-the-middle attacks), and qemu-kvm (OL6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: privilege escalation) and thunderbird (SL5,7: two vulnerabilities).

SUSE has updated xen (SLE12: multiple vulnerabilities).

Ubuntu has updated expat (code execution), libarchive (code execution), libksba (multiple vulnerabilities), and samba (12.04: regression in previous update).

Docker 1.11: The first runtime built on containerd and based on OCI technology

Tuesday 17th of May 2016 10:41:13 PM
Docker Engine 1.11 has been released, built on runC and containerd. "runC is the first implementation of the Open Containers Runtime specification and the default executor bundled with Docker Engine. Thanks to the open specification, future versions of Engine will allow you to specify different executors, thus enabling the ecosystem of alternative execution backends without any changes to Docker itself. By separating out this piece, an ecosystem partner can build their own compliant executor to the specification, and make it available to the user community at any time – without being dependent on the Engine release schedule or wait to be reviewed and merged into the codebase."

Tuesday's security advisories

Tuesday 17th of May 2016 03:59:09 PM

Debian has updated imagemagick (multiple vulnerabilities) and libndp (man-in-the-middle attacks).

Debian-LTS has updated squid3 (multiple vulnerabilities).

Fedora has updated ioprocess (F23; F22: invalid md5sum), libarchive (F23: code execution), libksba (F23: denial of service), and owncloud (F23; F22: undisclosed vulnerabilities).

Gentoo has updated chromium (multiple vulnerabilities).

openSUSE has updated atheme (Leap42.1, 13.2: two vulnerabilities), flash-player (13.2; 13.1; 11.4: multiple vulnerabilities), quagga (Leap42.1, 13.2: denial of service), quassel (Leap42.1, 13.2: denial of service), and varnish (13.2: access control bypass).

Red Hat has updated libndp (RHEL7: man-in-the-middle attacks).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities) and ntp (SOSC5, SMP2.1, SM2.1, SLE11-SP3, SLE11-SP2: multiple vulnerabilities).

Ubuntu has updated kernel (16.04; 15.10; 14.04: privilege escalation), libndp (16.04, 15.10: man-in-the-middle attacks), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), linux-lts-vivid (14.04: privilege escalation), linux-lts-wily (14.04: privilege escalation), linux-lts-xenial (14.04: privilege escalation), linux-raspi2 (16.04; 15.10: privilege escalation), and linux-snapdragon (16.04: privilege escalation).

Yubico: Secure hardware vs. open source

Tuesday 17th of May 2016 02:58:22 PM
Yubico has posted a blog entry defending the company's decision to switch to closed-source code in the Yubikey 4 product. "If you have to pick only one, is it more important to have the source code available for review or to have a product that includes serious countermeasures for attacks against the integrity of your keys?"

See also: Konstantin Ryabitsev's response to this posting. "When it comes to any hardware, we must at some point trust the manufacturer -- unless we have very large budgets that would allow us to fully monitor every step of the manufacturing process. In the absence of such large budgets, we must base our trust on the company's prior record and their willingness to work with the community to show that their hands are clean and their intentions are pure. Putting out a blackbox proprietary device after all the good will you have built up with NEOs sends the exact opposite message."

Pomerantz and Peek: Fifty shades of open

Monday 16th of May 2016 11:00:51 PM
Jeffrey Pomerantz and Robin Peek seek to disambiguate the word "open", as it is used or misused today. Examples include open source, open access, open society, open knowledge, open government, and so on. "From the common ancestor Free Software, the term “open” diversified, filling a wide range of niches. The Open Source Definition gave rise to a number of other definitions, articulating openness for everything from hardware to knowledge. Inspired by the political philosophy of openness, the Open Society Institute funded the meeting at which the Budapest Open Access Initiative declaration was created. Open Access then gave rise to a wide range of other opens concerned with scholarship, publication, and cultural heritage generally. This spread of openness can be seen as the diversification of a powerful idea into a wide range of resources and services. It can also be seen more importantly as the arrival, society-wide, of an idea whose time has come ... an idea with political, legal, and cultural impacts." (Thanks to Paul Wise)

Security updates for Monday

Monday 16th of May 2016 04:35:38 PM

Arch Linux has updated glibc (two vulnerabilities), lib32-glibc (two vulnerabilities), and thunderbird (multiple vulnerabilities).

CentOS has updated thunderbird (C5: two vulnerabilities).

Debian has updated icedove (three vulnerabilities), jansson (denial of service), libidn (information disclosure), and xerces-c (code execution).

Debian-LTS has updated dosfstools (two vulnerabilities), icedove (three vulnerabilities), jansson (denial of service), python-tornado (side-channel attack), and wpa (two vulnerabilities).

Fedora has updated botan (F23; F22: three vulnerabilities), community-mysql (F23; F22: multiple vulnerabilities), gd (F22: code execution), jackson-dataformat-xml (F23; F22: XXE attack), kernel (F22: multiple vulnerabilities), ocaml (F23: code execution), openvpn (F23: multiple vulnerabilities), and qemu (F23: multiple vulnerabilities).

Mageia has updated jackson-dataformat-xml (XXE attack) and ntp (multiple vulnerabilities).

openSUSE has updated Chromium (Leap42.1, 13.2: multiple vulnerabilities).

Oracle has updated file (OL6: multiple vulnerabilities), icedtea-web (OL6: applet execution), and ntp (OL6: multiple vulnerabilities).

SUSE has updated ImageMagick (SLE11: code execution) and java-1_6_0-ibm (SLEMLS12: multiple vulnerabilities).

Major remote SSH security issue in CoreOS Linux Alpha

Monday 16th of May 2016 01:09:36 PM
Should you happen to be running a CoreOS alpha release in an exposed setting, you'll want to have a look at this advisory and do a quick upgrade. "A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected."

More in Tux Machines

OpenSUSE 42.2 Alpha

Android/Chromebook

  • No more Android Wear watches says Samsung, Tizen all the way !
    Samsung has been getting pretty serious about its smartwatches and has certainly excelled with its latest creation, the Tizen-based Gear S2. The company has had a little dabble with Android Wear in the past, with the Galaxy Gear Live, and has since been focusing on Tizen. A report from Fast Company states that “no more Samsung Android Wear devices are in development or being planned,” according to a Samsung executive. The report goes further to say that Samsung executives are going with Tizen because it’s “far more battery-efficient than Android Wear” and “the standard OS on other Samsung products from TVs to refrigerators.”
  • Are games too easy to pirate on Android?
    It's long been known that game developers make much more money on iOS than they do on Google's Android platform. The most recent example of this is Monument Valley. The developers of the game posted an article on Medium with infographics that show that 73% of their revenue comes from iOS, while only 17% comes from Android.
  • Google Trust API Will Replace Your Passwords With A ‘Trust Score’
    In the wake of increasing security threats and password leaks, Google is working on Project Abacus that will introduce Trust API in Android devices. This API will calculate your Trust Score and use them to give you access to various services. This score will be calculated by using a variety of user patterns.
  • Monument Valley in Numbers: Year 2
  • And the winners of the Google Play Awards are…
  • Why are Chromebooks outselling Macs?
  • Fancy ChromiumOS, Ubuntu, And Android TV All-In-One System
    If you are looking for a mini PC that is capable of running ChromiumOS, Ubuntu LTS, and Android TV operating systems, you may be interested in a new mini desktop computer system that has been created by Dylan Callahan. The Fancy mini PC is a “handcrafted personal computer” that is now available to purchase, priced at $225 plus shipping, and is powered by a quad-core x86 2.0 GHz processor with 4K AMD Radeon graphics and 4GB of DDR3 RAM.

Leftovers: OSS

  • Linksys Sees Value Open Source Market for WRT Wireless Routers
    The wireless router world remains safe for open source -- at least for users of certain Linksys Wi-Fi devices, which will still allow the installation of open source firmware like DD-WRT after new FCC rules take effect next week. Here's the back story: Last fall, the Federal Communications Commission (FCC) introduced new regulations that required device manufacturers to ensure "that third parties are not able to reprogram the device to operate outside the parameters for which the device was certified." Those rules go into effect June 2.
  • Keynote: How Enterprises are Leveraging Open Source Analytics Platforms
    In this keynote, Luciano Resende, Architect, Spark Technology Center at IBM, will showcase open source analytics platforms. Luciano will also discuss how they are being leveraged by different organizations to upend their competition, as well as to enable new use cases.
  • Verizon’s Open Source Network Points Way For Enterprises
  • An open source toolbox for pure mathematics
    The field of pure mathematics has always depended on computers to make tables, prove theorems and explore new theories. Today, computer aided experiments and the use of databases relying on computer calculations are part of the pure mathematician's standard toolbox. In fact, these tools have become so important that some areas of mathematics are now completely dependent on them.
  • Asa Dotzler: My New Role @ Mozilla
    After a couple of years working on Mozilla’s mobile operating system project, I’m coming back to Firefox! I’ll be doing some familiar things and some new things. My official title is Product Manager, Firefox Roadmap and Community. What that means, first and foremost, is that I’ll be returning as our storyteller, making sure that we’re communicating regularly about where Firefox is heading, and that we’re fully engaged with Firefox users, fans, and contributors.

Big Data and Databases