Syndicate content is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Updated: 6 hours 1 min ago

The initial bus1 patch posting

10 hours 3 min ago
The bus1 message-passing mechanism is the successor to the "kdbus" project; it was covered here in August. The patches have now been posted for review. "While bus1 emerged out of the kdbus project, bus1 was started from scratch and the concepts have little in common. In a nutshell, bus1 provides a capability-based IPC system, similar in nature to Android Binder, Cap'n Proto, and seL4."

Security advisories for Wednesday

12 hours 41 min ago

CentOS has updated kernel (C6: privilege escalation).

Debian has updated asterisk (multiple vulnerabilities) and nginx (privilege escalation).

Debian-LTS has updated nspr (information disclosure), nss (information disclosure), potrace (multiple vulnerabilities), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities).

Fedora has updated perl-Image-Info (F24; F23: information disclosure).

Mageia has updated graphicsmagick (three vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), mpg123 (denial of service), and tor (denial of service).

openSUSE has updated GraphicsMagick (Leap42.1; 13.2: multiple vulnerabilities), guile (13.2: two vulnerabilities), guile1 (Leap42.1; 13.2: information disclosure), firefox (Leap42.1, 13.2: two vulnerabilities), qemu (Leap42.1: multiple vulnerabilities), quagga (Leap42.1: stack overrun), and kernel (13.2: multiple vulnerabilities).

Oracle has updated kernel (OL6: privilege escalation).

Red Hat has updated kernel (RHEL6; RHEL6.7: privilege escalation) and kernel-rt (RHEMRG2.5; RHEL7: two vulnerabilities).

Scientific Linux has updated kernel (SL6: privilege escalation).

Ubuntu has updated nginx (16.10, 16.04, 14.04: privilege escalation).

Flatpak 0.6.13

Tuesday 25th of October 2016 06:37:37 PM
Flatpak 0.6.13 has been released. Major changes include a change in command-line arguments for install/update/uninstall, checking and downloading of application runtime dependencies, URI support in remote-add and install --from, the ability for flatpak run to launch a runtime directly, and more.

Tuesday's security updates

Tuesday 25th of October 2016 04:11:45 PM

Arch Linux has updated linux-grsec (privilege escalation) and ocaml (information leak).

CentOS has updated kernel (C7: privilege escalation).

Debian has updated php5 (multiple vulnerabilities) and virtualbox (end of support).

Debian-LTS has updated ghostscript (multiple vulnerabilities).

Fedora has updated bind (F23: denial of service), bind99 (F23: denial of service), and libass (F24: three vulnerabilities).

Mageia has updated php (multiple vulnerabilities).

openSUSE has updated quagga (13.2: stack overrun) and virtualbox (13.2: multiple unspecified vulnerabilities).

Oracle has updated kernel (OL7: privilege escalation).

Red Hat has updated bind (RHEL6.2, 6.4, 6.5, 6.6, 6.7: denial of service).

Scientific Linux has updated kernel (SL7: privilege escalation).

SUSE has updated quagga (SLE12-SP1: stack overrun).

Ubuntu has updated linux-raspi2 (16.10: privilege escalation), mysql-5.5, mysql-5.7 (multiple unspecified vulnerabilities), and quagga (stack overrun).

[$] Dealing with automated SSH password-guessing

Monday 24th of October 2016 10:41:41 PM
Just about everyone who runs a Unix server on the internet uses SSH for remote access, and almost everyone who does that will be familiar with the log footprints of automated password-guessing bots. Although decently-secure passwords do much to harden a server against such attacks, the costs of dealing with the continual stream of failed logins can be considerable. There are ways to mitigate these costs.

Valgrind-3.12.0 is available

Monday 24th of October 2016 06:22:28 PM
Valgrind 3.12.0 has been released. "3.12.0 is a feature release with many improvements and the usual collection of bug fixes. This release adds support for POWER ISA 3.0, improves instruction set support on ARM32, ARM64 and MIPS, and provides support for the latest common components (kernel, gcc, glibc). There are many smaller refinements and new features. The release notes below give more details." There will be a Valgrind developer room at FOSDEM in Brussels, Belgium, on February 4, 2017. The call for participation is open until December 1.

Security advisories for Monday

Monday 24th of October 2016 05:20:17 PM

Arch Linux has updated chromium (multiple vulnerabilities), kernel (privilege escalation), linux-lts (privilege escalation), python-django (cross-site request forgery), and python2-django (cross-site request forgery).

CentOS has updated bind (C6; C5: denial of service) and bind97 (C5: denial of service).

Debian has updated kdepimlibs (HTML injection).

Debian-LTS has updated kdepimlibs (HTML injection).

Fedora has updated guile (F23: two vulnerabilities), kernel (F24; F23: privilege escalation), php (F24; F23: multiple vulnerabilities), and php-pecl-zip (F24; F23: multiple vulnerabilities).

Mageia has updated 389-ds-base (information disclosure), c-ares (code execution), guile (two vulnerabilities), openjpeg (denial of service), and php-ZendFramework (SQL injection).

openSUSE has updated Chromium (Leap42.1, 13.2: multiple vulnerabilities), dbus-1 (Leap42.1: code execution), gd (13.2: denial of service), kdump (Leap42.1: denial of service), php5 (13.2: three vulnerabilities), kernel (Leap42.1; 13.1: multiple vulnerabilities), tor (Leap42.1, 13.2: denial of service), and X (Leap42.1: multiple vulnerabilities).

Oracle has updated bind (OL6; OL5: denial of service), bind97 (OL5: multiple vulnerabilities), kernel 4.1.12 (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), and kernel 2.6.39 (OL6; OL5: privilege escalation).

Red Hat has updated kernel (RHEL7: privilege escalation).

SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities), qemu (SLE12-SP1: multiple vulnerabilities), and kernel (SLE12-SP1; SLE12; SLE11-SP4; SLE11-SP3; SLE11-SP2: privilege escalation).

The Linux Foundation Technical Advisory Board election

Monday 24th of October 2016 02:36:01 PM
The Linux Foundation's Technical Advisory Board provides the development community (primarily the kernel development community) with a voice in the Foundation's decision-making process. Among other things, the TAB chair holds a seat on the Foundation's board of directors. The next TAB election will be held on November 2 at the Kernel Summit in Santa Fe, NM; five TAB members (½ of the total) will be selected there. The nomination process is open until voting begins; anybody interested in serving on the TAB is encouraged to throw their hat into the ring.

Kernel prepatch 4.9-rc2

Monday 24th of October 2016 01:08:12 AM
The second 4.9 prepatch is out for testing, and Linus is asking for people to test one feature in particular: "My favorite new feature that I called out in the rc1 announcement (the virtually mapped stacks) is possibly implicated in some crashes that Dave Jones has been trying to figure out, so if you want to be helpful and try to see if you can give more data, please make sure to enable CONFIG_VMAP_STACK."

More stable kernel updates

Saturday 22nd of October 2016 03:33:46 PM
The 4.8.4, 4.7.10, and 4.4.27 stable updates are out. These would appear to contain the usual fixes. Note that 4.7.10 is the end of the line for the 4.7.x series.

[$] Dirty COW and clean commit messages

Friday 21st of October 2016 05:08:07 PM
We live in an era of celebrity vulnerabilities; at the moment, an unpleasant kernel bug called "Dirty COW" (or CVE-2016-5195) is taking its turn on the runway. This one is more disconcerting than many due to its omnipresence and the ease with which it can be exploited. But there is also some unhappiness in the wider community about how this vulnerability has been handled by the kernel development community. It may well be time for the kernel project to rethink its approach to serious security problems.

Friday's security updates

Friday 21st of October 2016 02:50:26 PM

Debian-LTS has updated bind9 (denial of service).

Fedora has updated libgit2 (F23: two vulnerabilities).

Mageia has updated kernel (three vulnerabilities), libtiff (multiple vulnerabilities, two from 2015), and openslp (code execution).

openSUSE has updated dbus-1 (13.2: code execution), ghostscript-library (42.1: three vulnerabilities, one from 2013), roundcubemail (42.1: two vulnerabilities), and squidGuard (42.1: cross-site scripting from 2015).

Red Hat has updated bind (RHEL6&5: denial of service) and bind97 (RHEL5: denial of service).

Scientific Linux has updated bind (SL6&5: denial of service) and bind97 (SL5: denial of service).

Ubuntu has updated bind9 (12.04: denial of service).

Ranking the Web With Radical Transparency

Thursday 20th of October 2016 11:29:53 PM
interviews Sylvain Zimmer, founder of the Common Search project, which is an effort to create an open web search engine. "Being transparent means that you can actually understand why our top search result came first, and why the second had a lower ranking. This is why people will be able to trust us and be sure we aren't manipulating results. However for this to work, it needs to apply not only to the results themselves but to the whole organization. This is what we mean by 'radical transparency.' Being a nonprofit doesn't automatically clear us of any ulterior motives, we need to go much further. As a community, we will be able to work on the ranking algorithm collaboratively and in the open, because the code is open source and the data is publicly available. We think that this means the trust in the fairness of the results will actually grow with the size of the community."

More information about Dirty COW (aka CVE-2016-5195)

Thursday 20th of October 2016 09:12:39 PM
The security hole fixed in the 4.8.3, 4.7.9, and 4.4.26 stable kernel updates has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.

Security advisories for Thursday

Thursday 20th of October 2016 03:49:08 PM

CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian has updated kernel (multiple vulnerabilities, one from 2015).

Debian-LTS has updated kernel (multiple vulnerabilities, one from 2015) and libxvmc (code execution).

Fedora has updated glibc-arm-linux-gnu (F23: denial of service) and perl-DBD-MySQL (F23: denial of service).

Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), and java-1.8.0-oracle (RHEL7&6: multiple vulnerabilities).

Scientific Linux has updated java-1.8.0-openjdk (SL7&6: multiple vulnerabilities).

SUSE has updated quagga (SLE11: code execution).

Ubuntu has updated kernel (12.04; 14.04; 16.04; 16.10: privilege escalation), linux-lts-trusty (12.04: privilege escalation), linux-lts-xenial (14.04: privilege escalation), linux-raspi2 (16.04: privilege escalation), linux-snapdragon (16.04: privilege escalation), and linux-ti-omap4 (12.04: privilege escalation).

An important set of stable kernel updates

Thursday 20th of October 2016 01:44:39 PM
The 4.8.3, 4.7.9, and 4.4.26 stable kernel updates have been released. There's nothing in the announcements to indicate this, but they all contain a fix for CVE-2016-5195, a bug that can allow local attackers to overwrite files they should not have write access to. So the "all users must upgrade" message seems more than usually applicable this time around.

[$] Weekly Edition for October 20, 2016

Thursday 20th of October 2016 12:02:41 AM
The Weekly Edition for October 20, 2016 is available.

Security advisories for Wednesday

Wednesday 19th of October 2016 04:52:17 PM

Debian has updated quagga (stack overrun) and tor (denial of service).

Debian-LTS has updated dwarfutils (multiple vulnerabilities), guile-2.0 (two vulnerabilities), libass (two vulnerabilities), libgd2 (two vulnerabilities), libxv (insufficient validation), and tor (denial of service).

Fedora has updated epiphany (F24: unspecified), ghostscript (F24; F23: multiple vulnerabilities), glibc-arm-linux-gnu (F24: denial of service), guile (F24: two vulnerabilities), libgit2 (F24: two vulnerabilities), openssh (F23: null pointer dereference), qemu (F24: multiple vulnerabilities), and webkitgtk4 (F24: unspecified).

Mageia has updated asterisk (denial of service), flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mailman (password disclosure).

Red Hat has updated java-1.8.0-openjdk (RHEL6, 7: multiple vulnerabilities), kernel (RHEL6.7: use-after-free), and mariadb-galera (RHOSP8: SQL injection/privilege escalation).

Live kernel patches for Ubuntu

Wednesday 19th of October 2016 02:33:54 PM
Canonical has announced the availability of a live kernel patch service for the 16.04 LTS release. "It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads." Up to three systems can be patched for free; the service requires a fee thereafter. There is a long FAQ about the service in this blog post; it appears to be based on the mainline live-patching functionality with some Canonical add-ons.

Kügler: Plasma’s road ahead

Tuesday 18th of October 2016 07:36:01 PM
Sebastian Kügler reports on KDE's Plasma team meeting. "We took this opportunity to also look and plan ahead a bit further into the future. In what areas are we lacking, where do we want or need to improve? Where do we want to take Plasma in the next two years?" Specific topics include release schedule changes, UI and theming improvements, feature backlog, Wayland, mobile, and more. (Thanks to Paul Wise)

More in Tux Machines

TheSSS 20.0 Server-Oriented Linux Distro Ships with Linux Kernel 4.4.17, PHP 5.6

4MLinux developer Zbigniew Konojacki informs Softpedia today, October 26, 2016, about the release and immediate availability of version 20.0 of his server-oriented TheSSS (The Smallest Server Suite) GNU/Linux distribution.

Ubuntu 17.04 (Zesty Zapus) Daily Build ISO Images Are Now Available for Download

Now that the upcoming Ubuntu 17.04 (Zesty Zapus) operating system is officially open for development, the first daily build ISO images have been published in the usual places for early adopters and public testers.

OSS Leftovers

  • Chain Releases Open Source Blockchain Solution for Banks
    Chain, a San Francisco-based Blockchain startup, launched the Chain Core Developer Edition, which is a distributed ledger infrastructure built for banks and financial institutions to utilize the Blockchain technology in mainstream finance. Similar to most cryptocurrency networks like Bitcoin, developers and users are allowed to run their applications and platforms on the Chain Core testnet, a test network sustained and supported by leading institutions including Microsoft and the Initiative for Cryptocurrency and Contracts (IC3), which is operated by Cornell University, UC Berkeley and University of Illinois.
  • Netflix Upgrades its Powerful "Chaos Monkey" Open Cloud Utility
    Few organizations have the cloud expertise that Netflix has, and it may come as a surprise to some people to learn that Netflix regularly open sources key, tested and hardened cloud tools that it has used for years. We've reported on Netflix open sourcing a series of interesting "Monkey" cloud tools as part of its "simian army," which it has deployed as a series of satellite utilities orbiting its central cloud platform. Netflix previously released Chaos Monkey, a utility that improves the resiliency of Software as a Service by randomly choosing to turn off servers and containers at optimized times. Now, Netflix has announced the upgrade of Chaos Monkey, and it's worth checking in on this tool.
  • Coreboot Lands More RISC-V / lowRISC Code
    Among the early post-Coreboot 4.5 changes is some work to benefit fans of the RISC-V ISA.
  • Nextcloud Advances with Mobile Moves
    The extremely popular ownCloud open source file-sharing and storage platform for building private clouds has been much in the news lately. CTO and founder of ownCloud Frank Karlitschek resigned from the company a few months ago. His open letter announcing the move pointed to possible friction created as ownCloud moved forward as a commercial entity as opposed to a solely community focused, open source project. Karlitschek had a plan, though. He is now out with a fork of ownCloud called Nextcloud, and we've reported on strong signs that this cloud platform has a bright future. In recent months, the company has continued to advance Nextcloud. Along with Canonical and Western Digital, the partners have launched an Ubuntu Core Linux-based cloud storage and Internet of Things device called Nextcloud Box, which we covered here. Now, Nextcloud has moved forward with some updates to its mobile strategy. Here are details.
  • Using Open Source for Data
    Bryan Liles, from DigitalOcean, explains many useful open source big data tools in this eight-minute video. I learned about Apache Mesos, Apache Presto, Google Kubernetes and more.