Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 6 min ago

Security updates for Wednesday

3 hours 28 min ago
Security updates have been issued by CentOS (qemu-kvm), Debian (bind9, libquicktime, mupdf, qemu-kvm, and tnef), Fedora (mupdf, rpm, tomcat, util-linux, and xen), openSUSE (gstreamer and gstreamer-plugins-base), Oracle (qemu-kvm), Red Hat (qemu-kvm), Scientific Linux (qemu-kvm), SUSE (kernel and xen), and Ubuntu (libgd2).

MySQL 8 is coming (Opensource.com)

Tuesday 28th of February 2017 07:42:14 PM
Opensource.com takes a look at changes to MySQL 8.0. "Ever open up a directory of a MySQL schema and see all those files—.frm, .myi, .myd, and the like? Those files hold some of the metadata on the database schemas. Twenty years ago, it was a good way to go, but InnoDB is a crash proof storage engine and can hold all that metadata safely. This means file corruption of a .frm file is not going to stall your work. Developers also removed the file system's maximum number of files as the limiting factor to your number of databases; you can now have literally have millions of tables in your database."

[$] The case of the prematurely freed SKB

Tuesday 28th of February 2017 07:41:11 PM
CVE-2017-6074 is the vulnerability identifier for a use-after-free bug in the kernel's network stack. This vulnerability is apparently exploitable in local privilege-escalation attacks. The problem, introduced in 2005, is easily fixed, but it points at a couple of shortcomings in the kernel development process; as a result, it would not be surprising if more bugs of this variety were to turn up in the near future.

Security updates for Tuesday

Tuesday 28th of February 2017 04:58:51 PM
Security updates have been issued by Debian (apache2, libplist, and tnef), Fedora (firebird, kernel, and vim), Red Hat (java-1.6.0-ibm, java-1.7.0-ibm, java-1.7.1-ibm, kernel, and qemu-kvm-rhev), SUSE (php53 and xen), and Ubuntu (tiff).

Subversion SHA1 collision problem statement

Tuesday 28th of February 2017 04:27:23 PM
Users of the Subversion source-code management system may want to take a look at this post from Mark Phippard. He explains how hash collisions can corrupt a repository and a couple of short-term workarounds. "The quick summary if you do not want to read this entire post is that the problem is really not that bad. If you run into it there are solutions to resolve it and you are not going to run into it in normal usage. There will also likely be some future updates to Subversion that avoid it entirely so if you regularly update your server and client when new releases come out you are probably safe not doing anything and just waiting for an update to happen."

[$] Moving Git past SHA-1

Monday 27th of February 2017 06:56:43 PM
The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.

Security updates for Monday

Monday 27th of February 2017 04:42:27 PM
Security updates have been issued by Debian (apache2, radare2, and shadow), Mageia (firebird, libevent, and php-tcpdf), and openSUSE (chromium).

Stable kernels 4.9.13 and 4.4.52 (and 4.10.1)

Sunday 26th of February 2017 03:24:54 PM
The 4.9.13 and 4.4.52 stable kernels are out; these relatively small updates contain the usual set of important fixes.

Update: the 4.10.1 update is out as well (thanks to Thorsten Leemhuis).

Some weekend security updates

Sunday 26th of February 2017 03:24:24 PM
Security updates have been issued by CentOS (kernel and qemu-kvm), Debian (bind9, cakephp, munin, and shadow), Fedora (python-cjson, python-PyMySQL, quagga, util-linux, and xen), Mageia (kernel kmod and kernel-tmb), Oracle (kernel), Red Hat (kernel), and Scientific Linux (kernel).

Linus on Git and SHA-1

Saturday 25th of February 2017 07:49:50 PM
Linus Torvalds has posted a lengthy explanation of why the recently created SHA-1 collision is not an emergency for Git users. "In the pdf examples, the pdf format acted as the 'black box', and what you see is the printout which has only a very indirect relationship to the pdf encoding. But if you use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice." That said, he notes that there is work in progress to move away from SHA-1.

[It seems that subversion users have an additional set of concerns; see this bug report conversation for the scary story.]

Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Friday 24th of February 2017 06:47:17 PM
Thanks to Josh Triplett for sending us this Google Project Zero report about a dump of unitialized memory caused by Cloudflare's reverse proxies. "A while later, we figured out how to reproduce the problem. It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers. We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security. "

Security updates for Friday

Friday 24th of February 2017 04:08:23 PM
Security updates have been issued by Debian (libreoffice and phpmyadmin), Fedora (kopete and xrdp), Oracle (kernel and qemu-kvm), Red Hat (kernel and qemu-kvm), Scientific Linux (kernel and qemu-kvm), and Ubuntu (LibreOffice and php7.0).

Memory Error Detection Using GCC (Red Hat Developers blog)

Thursday 23rd of February 2017 07:47:27 PM
Over at the Red Hat Developers blog, Martin Sebor looks at some new (or enhanced) warnings available in GCC 7 that will help catch various types of memory errors. For example: "The -Wformat-overflow=level option detects certain and likely buffer overflow in calls to the sprintf family of formatted output functions. The option starts by determining the size of the destination buffer, which can be allocated either statically or dynamically. It then iterates over directives in the format string, calculating the number of bytes each result in output. For integer directives like %i and %x it tries to determine either the exact value of the argument or its range of values and uses the result to calculate the exact or minimum and maximum number of bytes the directive can produce. Similarly for floating point directives such as %a and %f, and string directives such as %s. When it determines that the likely number of bytes a directive results in will not fit in the space remaining in the destination buffer it issues a warning."

Ancient local privilege escalation vulnerability in the kernel announced

Thursday 23rd of February 2017 06:22:34 PM
Andrey Konovalov has announced the discovery and fix of a local privilege escalation in the Linux kernel. Using the syzkaller fuzzer (which LWN looked at around one year ago), he found a double-free in the Datagram Congestion Control Protocol (DCCP) implementation that goes back to at least September 2006 (2.6.18), but probably all the way back to the introduction of DCCP in October 2005 (2.6.14). "[At] this point we have a use-after-free on some_object. An attacker can control what object that would be and overwrite it's content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel. I'll publish an exploit in a few days, giving people time to update."

Stable kernels 4.9.12 and 4.4.51

Thursday 23rd of February 2017 06:00:37 PM
Greg Kroah-Hartman has announced the release of the 4.9.12 and 4.4.51 stable kernels. As usual, there are important fixes in the updates and users of those kernels should upgrade.

Security updates for Thursday

Thursday 23rd of February 2017 04:20:06 PM
Security updates have been issued by Arch Linux (bzip2, kernel, and linux-zen), CentOS (kernel), Debian (bitlbee, kernel, and tomcat7), Fedora (diffoscope, mujs, pcre, plasma-desktop, and tomcat), Mageia (libpcap/tcpdump and spice), openSUSE (gd, kernel, libquicktime, and libXpm), Oracle (kernel), Red Hat (kernel, kernel-rt, and python-oslo-middleware), SUSE (php5 and util-linux), and Ubuntu (imagemagick).

LEDE v17.01.0 final

Thursday 23rd of February 2017 03:47:38 PM
The final version of the LEDE router distribution's 17.01.0 release is now available. "LEDE 17.01.0 "Reboot" incorporates thousands of commits over the last nine months of effort. With this release, the LEDE development team closes out an intense effort to modernize many parts of OpenWrt and incorporate many new modules, packages, and technologies." LWN recently reviewed a release-candidate version of LEDE 17.01.

Announcing the first SHA1 collision

Thursday 23rd of February 2017 02:36:36 PM
The Google security blog carries the news of the first deliberately constructed SHA-1 hash collision. "We started by creating a PDF prefix specifically crafted to allow us to generate two documents with arbitrary distinct visual contents, but that would hash to the same SHA-1 digest. In building this theoretical attack in practice we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed." The SHA-1 era is truly coming to an end, even if most attackers lack access to the computing resources needed for this particular exploit.

[$] LWN.net Weekly Edition for February 23, 2017

Thursday 23rd of February 2017 01:02:40 AM
The LWN.net Weekly Edition for February 23, 2017 is available.

Turunen: Qt Roadmap for 2017

Wednesday 22nd of February 2017 07:20:14 PM
Tuukka Turunen presents a roadmap for Qt. "Qt 3D was first released with Qt 5.7 and in Qt 5.8 the focus was mostly on stability and performance. With Qt 5.9 we are providing many new features which significantly improve the functionality of Qt 3D. Notable new features include support for mesh morphing and keyframe animations, using Qt Quick items as a texture for 3D elements, as well as support for physically based rendering and particles. There are also multiple smaller features and improvements throughout the Qt 3D module."

More in Tux Machines

F2FS Feature Work For The Linux 4.11 Kernel

The Flash-Friendly File-System (F2FS) will see new features introduced with the Linux 4.11 kernel. F2FS for Linux 4.11 is making use of a separate thread for discards to avoid latency problems during checkpoints and fstrim, some prep work for open-channel SSD support, on-disk bitmaps are being introduced, and various other changes. Read more

Q4OS 1.8.3, Orion

New update of stable Q4OS 'Orion' desktop is available. Bunch of important packages updates and security patches has been delivered, as well as improvements of the native Q4OS update manager application. All the changes are available for existing Q4OS users via the automatic update process. Work on the next major version, Q4OS 2.3 'Scorpion' continues as the Debian Project also nears end of development cycle for the Debian GNU/Linux 9 'Strech' operating system, upon which Q4OS 2.3 will be based. The release date is preliminarily scheduled at about the turn of April and May 2017. Q4OS 'Scorpion' will be supported at least five years from the official release date. Read more

Games for GNU/Linux

today's howtos