Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 9 min ago

Security updates for Thursday

10 hours 51 min ago

Debian has updated libpam-sshauth (privilege escalation) and libtasn1-6 (denial of service).

Debian-LTS has updated mplayer (code execution).

Fedora has updated dhcp (F23: denial of service), obs-signd (F23: improper user ID matching), and openssl (F23: multiple vulnerabilities).

Mageia has updated subversion (two vulnerabilities).

openSUSE has updated java-1_7_0-openjdk (13.1: multiple vulnerabilities), libopenssl0_9_8 (13.1; 11.4: multiple vulnerabilities), and openssl (13.2; 13.1; 11.4: multiple vulnerabilities).

SUSE has updated compat-openssl097g (SLE11: multiple vulnerabilities) and openssl (SLE12: multiple vulnerabilities).

Ubuntu has updated lcms2 (14.04: denial of service from 2013), openjdk-7 (15.10, 14.04: multiple vulnerabilities), openjdk-8 (16.04: multiple vulnerabilities), and samba (regression in previous security fix).

[$] LWN.net Weekly Edition for May 5, 2016

Thursday 5th of May 2016 12:11:32 AM
The LWN.net Weekly Edition for May 5, 2016 is available.

New stable kernels

Wednesday 4th of May 2016 10:29:05 PM
Greg Kroah-Hartman has released stable kernels 4.5.3, 4.4.9, and 3.14.68. All contain important fixes throughout the tree.

[$] Caravel data visualization

Wednesday 4th of May 2016 08:51:16 PM

One aspect of the heavily hyped Internet of Things (IoT) that can easily get overlooked is that each of the Things one hooks up to the Internet invariably spews out a near non-stop stream of data. While commercial IoT users—such as utility companies—generally have a well-established grasp of what data interests them and how to process it, the DIY crowd is better served by flexible tools that make exploring and transforming data easy. Airbnb maintains an open-source Python utility called Caravel that provides such tools. There are many alternatives, of course, but Caravel does a good job at ingesting data and smoothly molding it into nice-looking interactive graphs—with a few exceptions.

Security advisories for Wednesday

Wednesday 4th of May 2016 04:49:36 PM

Arch Linux has updated imlib2 (multiple vulnerabilities), jasper (multiple vulnerabilities), lib32-openssl (multiple vulnerabilities), and openssl (multiple vulnerabilities).

CentOS has updated kernel (C6: two vulnerabilities).

Debian has updated openssl (multiple vulnerabilities).

Debian-LTS has updated asterisk (multiple vulnerabilities), extplorer (cross-site scripting), minissdpd (denial of service), and openssl (multiple vulnerabilities).

Fedora has updated cacti (F23; F22: three vulnerabilities).

openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities), giflib (Leap42.1: denial of service), java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), jq (Leap42.1; 13.2: heap buffer overflow), libgcrypt (Leap42.1: key leak), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), wireshark (Leap42.1, 13.2: multiple vulnerabilities), xerces-j2 (13.2: denial of service), and yast2-users (Leap42.1: empty passwords fields in /etc/shadow).

Oracle has updated kernel (OL6: two vulnerabilities).

Red Hat has updated java-1.8.0-ibm (RHEL7: multiple vulnerabilities), jenkins (RHOSE3.1: multiple vulnerabilities), and kernel (RHEL6: two vulnerabilities).

Scientific Linux has updated kernel (SL6: two vulnerabilities).

Slackware has updated openssl (multiple vulnerabilities).

SUSE has updated openssl (SLE12: multiple vulnerabilities), openssl1 (SLES11: multiple vulnerabilities), and kernel (SLE11-SP3, SOSC5, SMP2.1: multiple vulnerabilities).

[$] task_diag and statx()

Wednesday 4th of May 2016 09:24:36 AM
The interfaces supported by Linux to provide access to information about processes and files have literally been around for decades. One might think that, by this time, they would have reached a state of relative perfection. But things are not so perfect that developers are deterred from working on alternatives; the motivating factor in the two cases studied here is the same: reducing the cost of getting information out of the kernel while increasing the range of information that is available.

Click below (subscribers only) for the full article from this week's Kernel Page.

De Maré: Mercurial 3.7 and 3.8

Wednesday 4th of May 2016 09:12:07 AM
Mercurial revision-control system developer Mathias De Maré summarizes the changes in the 3.7 and 3.8 releases. "Mercurial 3.7 had a major focus on performance. This is — to a large degree — due to large users like Facebook and Mozilla working on both performance and scalability."

The Linux Embedded Development Environment launches

Wednesday 4th of May 2016 08:30:44 AM
The Linux Embedded Development Environment (or LEDE) project, a fork (or "spinoff") of OpenWrt, has announced its existence. "We are building an embedded Linux distribution that makes it easy for developers, system administrators or other Linux enthusiasts to build and customize software for embedded devices, especially wireless routers. [...] Members of the project already include a significant share of the most active members of the OpenWrt community. We intend to bring new life to Embedded Linux development by creating a community with a strong focus on transparency, collaboration and decentralisation." The new project lives at lede-project.org. (Thanks to Mattias Mattsson).

Linux Kernel BPF JIT Spraying (grsecurity forums)

Tuesday 3rd of May 2016 05:33:02 PM
Over at the grsecurity forums, Brad Spengler writes about a recently released proof of concept attack on the kernel using JIT spraying. "What happened next was the hardening of the BPF interpreter in grsecurity to prevent such future abuse: the previously-abused arbitrary read/write from the interpreter was now restricted only to the interpreter buffer itself, and the previous warn on invalid BPF instructions was turned into a BUG() to terminate execution of the exploit. I also then developed GRKERNSEC_KSTACKOVERFLOW which killed off the stack overflow class of vulns on x64. A short time later, there was work being done upstream to extend the use of BPF in the kernel. This new version was called eBPF and it came with a vastly expanded JIT. I immediately saw problems with this new version and noticed that it would be much more difficult to protect -- verification was being done against a writable buffer and then translated into another writable buffer in the extended BPF language. This new language allowed not just arbitrary read and write, but arbitrary function calling." The protections in the grsecurity kernel will thus prevent this attack. In addition, the newly released RAP feature for grsecurity, which targets the elimination of return-oriented programming (ROP) vulnerabilities in the kernel, will also ensure that "the fear of JIT spraying goes away completely", he said.

Security advisories for Tuesday

Tuesday 3rd of May 2016 04:08:42 PM

Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and smarty3 (code execution).

Fedora has updated php (F23: multiple vulnerabilities).

Gentoo has updated git (multiple vulnerabilities).

Oracle has updated mercurial (OL7: two vulnerabilities).

Scientific Linux has updated mercurial (SL7: two vulnerabilities).

Slackware has updated mercurial (code execution).

Ubuntu has updated libtasn1-3, libtasn1-6 (15.10, 14.04, 12.04: denial of service), libtasn1-6 (16.04: denial of service), openssl (multiple vulnerabilities), poppler (15.10, 14.04, 12.04: multiple vulnerabilities), and firefox (12.04: denial of service).

May Android security bulletin

Tuesday 3rd of May 2016 06:44:41 AM
The Android security bulletin for May is available. It lists 40 different CVE numbers addressed by the May over-the-air update; the bulk of those are at a severity level of "high" or above. "Partners were notified about the issues described in the bulletin on April 04, 2016 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. We will revise this bulletin with the AOSP links when they are available. The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

Intl. Day Against DRM is Tuesday

Monday 2nd of May 2016 09:36:27 PM
The International Day Against DRM is May 3. "Participate in person at one of the planned events, or join us Tuesday on dayagainstdrm.org for ways to take action against DRM. There will also be a list of discounted ebook offerings from stores participating in the Day."

Security updates for Monday

Monday 2nd of May 2016 06:03:30 PM

Arch Linux has updated firefox (multiple vulnerabilities).

CentOS has updated mercurial (C7: two vulnerabilities).

Debian has updated botan1.10 (multiple vulnerabilities), chromium-browser (multiple vulnerabilities), poppler (code execution), and tardiff (two vulnerabilities).

Debian-LTS has updated botan1.10 (multiple vulnerabilities), gdk-pixbuf (two vulnerabilities), mysql-5.5 (multiple vulnerabilities), poppler (code execution), and subversion (two vulnerabilities).

Fedora has updated ansible (F23; F22: code execution), firefox (F23: multiple vulnerabilities), gd (F23: code execution), openvas-cli (F23: cross-site scripting), openvas-gsa (F23: cross-site scripting), openvas-libraries (F23: cross-site scripting), openvas-manager (F23: cross-site scripting), openvas-scanner (F23: cross-site scripting), roundcubemail (F23; F22: multiple vulnerabilities), and xen (F23; F22: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (multiple vulnerabilities), firefox (multiple vulnerabilities), pgpdump (denial of service), php (multiple vulnerabilities), php-ZendFramework (multiple vulnerabilities), and roundcubemail (three vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL7: multiple vulnerabilities), mercurial (RHEL7: two vulnerabilities), and rh-mysql56-mysql (RHSCL: multiple vulnerabilities).

Slackware has updated ntp (multiple vulnerabilities), php (multiple vulnerabilities), and subversion (two vulnerabilities).

Ubuntu has updated ubuntu-core-launcher (16.04: code execution).

A guide to inline assembly code in GCC

Monday 2nd of May 2016 07:59:38 AM
The "linux-insides" series of articles has gained an overview of inline assembly in GCC. "I've decided to write this to consolidate my knowledge related to inline assembly here. As inline assembly statements are quite common in the Linux kernel and we may see them in linux-insides parts sometimes, I thought that it would be useful if we would have a special part which contains descriptions of the more important aspects of inline assembly. Of course you may find comprehensive information about inline assembly in the official documentation, but I like the rules all in one place."

Kernel prepatch 4.6-rc6

Monday 2nd of May 2016 07:41:40 AM
The 4.6-rc6 kernel prepatch is out. Linus says: "Things continue to be fairly calm, although I'm pretty sure I'll still do an rc7 in this series." As of this prepatch the code name has been changed to "Charred Weasel."

Devuan Jessie beta released

Saturday 30th of April 2016 01:45:10 PM
The Devuan community has finally gotten a beta release out for testing. "Debian GNU+Linux [sic] is a fork of Debian without systemd, on its way to become much more than that. This Beta release marks an important milestone towards the sustainability and the continuation of Devuan as an universal base distribution."

WebExtensions in Firefox 48

Friday 29th of April 2016 10:45:38 PM

At the Mozilla blog, Andy McKay announces that the browser maker has officially declared WebExtensions ready to use for add-on development. "With the release of Firefox 48, we feel WebExtensions are in a stable state. We recommend developers start to use the WebExtensions API for their add-on development." The WebExtensions support released for Firefox 48 includes improvements to the "alarms, bookmarks, downloads, notifications, webNavigation, webRequest, windows and tabs" APIs, support for a new Content Security Policy that limits where resources can be loaded from, and support in Firefox for Android. LWN looked at the WebExtensions API in December.

Friday's security updates

Friday 29th of April 2016 04:07:13 PM

Debian has updated subversion (multiple vulnerabilities).

Fedora has updated i7z (F23: denial of service).

openSUSE has updated php5 (Leap 42.1: multiple vulnerabilities).

SUSE has updated ntp (SLE11; SLE12: multiple vulnerabilities).

The ACM 2015 technical awards

Friday 29th of April 2016 07:34:27 AM
The Association for Computing Machinery has announced the recipients of its 2015 technical awards. They are Brent Walters, Michael Luby, Eric Horvitz, and: "Richard Stallman, recipient of the ACM Software System Award for the development and leadership of GCC (GNU Compiler Collection), which has enabled extensive software and hardware innovation, and has been a lynchpin of the free software movement."

X.Org votes to join SPI

Thursday 28th of April 2016 03:08:22 PM

The results of the X.Org election are in. There were two things up for a vote: four seats on the board of directors and amending the bylaws to join Software in the Public Interest (SPI). Unlike last year's election, this year's vote met the required 2/3 approval to join SPI (61 voters out of 65 members, with 54 voting "Yes", 4 "No", and 3 "Abstain"). In addition, Egbert Eich, Alex Deucher, Keith Packard, and Bryce Harrington were elected to the board.

More in Tux Machines

The 2016 Open Source Jobs Report

Red Hat News

  • Want to work in Release Engineering in Europe?
    Red Hat Release Engineering is hiring in Europe.
  • Red Hat targets midmarket with Keating, Tech Data partnerships
    Red Hat Canada has unveiled a new approach to reach the lower end of the enterprise and the upper midmarket in partnership with Keating Technologies and Tech Data Canada. Under the program, Keating will work with the vendor to uncover and qualify leads in the $500 million to $1.0 billion market. Once fully developed, those leads will be handed over to existing Red Hat Canada partners to close the deal, and will be fulfilled through Tech Data.
  • Gulf Air creates private cloud to support open-source big data engine
    Bahrain’s national carrier is using Red Hat Enterprise Linux, Red Hat JBoss Enterprise Application Platform, and Red Hat Storage as a platform for its Arabic Sentiment Analysis system, which monitors people’s comments through their social media posts.
  • Fedora Pune meetup April 2016
    I actually never even announced the April meetup, but we had in total 13 people showing up for the meet. We moved the meet to my office from our usual space as I wanted to use the white board. At beginning I showed some example code about how to write unittests, and how are we using Python3 unittests in our Fedora Cloud/Atomic images automatically. Anwesha arranged some soft drinks, and snacks for everyone.

Android Leftovers

“LEDE” OpenWrt fork promises greater openness

A “Linux Embedded Development Environment” (LEDE) fork of the lightweight, router-oriented OpenWrt Linux distribution vows greater transparency and inclusiveness. Some core developers of the OpenWrt community has forked off into a Linux Embedded Development Environment (LEDE) group. LEDE is billed as both a “reboot” and “spinoff” of the lightweight, router-focused distribution that aims to build an open source embedded Linux distro that “makes it easy for developers, system administrators or other Linux enthusiasts to build and customize software for embedded devices, especially wireless routers.” Read more