
LWN is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.

Ubuntu Community Council election results posted

Friday 27th of November 2015 11:30:03 PM

The 2015 Ubuntu Community Council (CC) elections have concluded. The results, as announced on the Ubuntu Fridge blog, name the seven individuals who will serve on the CC for the next two years: Daniel Holbach, Laura Czajkowski, Svetlana Belkin, Michael Hall, Scarlett Clark, C de-Avillez, and Marco Ceppi. A detailed account of the ballot results, complete with links to each candidate's biographical page, is also online.

Friday's security updates

Friday 27th of November 2015 04:19:11 PM

CentOS has updated thunderbird (C5; C6: multiple vulnerabilities).

Debian-LTS has updated libcommons-collections3-java (code execution) and smokeping (cross-site scripting).

Fedora has updated libxml2 (F23: multiple vulnerabilities) and pcre (F23: denial of service).

Mageia has updated libsndfile (M5: buffer overflow), libxml2 (M5: multiple vulnerabilities), python-m2crypto (M5: denial of service), python-pygments (M5: command injection), and tigervnc (M5: multiple vulnerabilities).

Thanksgiving day security updates

Thursday 26th of November 2015 08:45:19 PM

Happy Thanksgiving to those who celebrate it, from all of us here at LWN. Happy November 26 to everyone else :)

Debian has updated dpkg (code execution), nspr (code execution), python-django (information disclosure), and smokeping (code execution).

Debian-LTS has updated eglibc (two vulnerabilities), python-django (information disclosure), and redmine (MV).

Fedora has updated abrt (F21: information disclosure), jenkins (F22: three vulnerabilities), jenkins-remoting (F22: three vulnerabilities), and libreport (F21: information disclosure).

openSUSE has updated libpng12 (13.2, 13.1: two vulnerabilities), libpng16 (13.2, 13.1: denial of service), and strongswan (authentication bypass).

Oracle has updated abrt and libreport (OL7: MV), glibc (OL7; OL7: MV), kernel (OL7: MV), NetworkManager (OL7: denial of service), sssd (OL7: unspecified), and tigervnc (OL7: two vulnerabilities).

Red Hat has updated git19-git (RHSC2: code execution), java-1.5.0-ibm (RHEL5&6: MV), ntp (RHEL6: denial of service), and thunderbird (MV).

SUSE has updated kernel (SLE11SP3: MV).

Ubuntu has updated dpkg (code execution) and openjdk-7 (15.10, 15.04, 14.04: unspecified vulnerability).

Software Freedom Conservancy Launches 2015 Fundraiser

Wednesday 25th of November 2015 05:04:43 PM
Software Freedom Conservancy has announced a major fundraising effort. "Pointing to the difficulty of relying on corporate funding while pursuing important but controversial issues, like GPL compliance, Conservancy has structured its fundraiser to increase individual support. The organization needs at least 750 annual Supporters to continue its basic community services and 2500 to avoid hibernating its enforcement efforts. If Conservancy does not meet its goals, it will be forced to radically restructure and wind down a substantial portion of its operations."

Security advisories for Wednesday

Wednesday 25th of November 2015 05:04:17 PM

Debian has updated libcommons-collections3-java (unsanitized input data) and symfony (two vulnerabilities).

Debian-LTS has updated putty (memory corruption).

Fedora has updated grub2 (F23: Secure Boot circumvention), krb5 (F21: multiple vulnerabilities), libpng10 (F23; F22; F21: two vulnerabilities), sblim-sfcb (F23; F22; F21: denial of service), and wpa_supplicant (F22: denial of service).

Slackware has updated pcre (code execution).

SUSE has updated linux-3.12.32 (SLELP12: two vulnerabilities), linux-3.12.36 (SLELP12: two vulnerabilities), linux-3.12.38 (SLELP12: two vulnerabilities), linux-3.12.39 (SLELP12: two vulnerabilities), linux-3.12.43 (SLELP12: two vulnerabilities), linux-3.12.44 (SLELP12: two vulnerabilities), and linux-3.12.44 (SLELP12: two vulnerabilities).

Ubuntu has updated icedtea-web (15.10, 15.04, 14.04: applet execution) and python-django (15.10, 15.04, 14.04, 12.04: information disclosure).

[$] A journal for MD/RAID5

Tuesday 24th of November 2015 09:48:12 PM
RAID5 support in the MD driver has been part of mainline Linux since 2.4.0 was released in early 2001. During this time it has been used widely by hobbyists and small installations, but there has been little evidence of any impact on the larger or "enterprise" sites. Anecdotal evidence suggests that such sites are usually happier with so-called "hardware RAID" configurations where a purpose-built computer, whether attached by PCI or fibre channel or similar, is dedicated to managing the array. This situation could begin to change with the 4.4 kernel, which brings some enhancements to the MD driver that should make it more competitive with hardware-RAID controllers.

Security updates for Tuesday

Tuesday 24th of November 2015 06:12:17 PM

Debian-LTS has updated openjdk-6 (multiple vulnerabilities).

Fedora has updated libsndfile (F22; F21: buffer overflow), mingw-freeimage (F23; F22: integer overflow), rpm (F23: denial of service), wpa_supplicant (F21: denial of service), and zarafa (F21: two vulnerabilities, one from 2012).

Oracle has updated autofs (OL7: privilege escalation), binutils (OL7: multiple vulnerabilities), chrony (OL7: multiple vulnerabilities), cpio (OL7: denial of service), cups-filters (OL7: multiple vulnerabilities), curl (OL7: multiple vulnerabilities), file (OL7: multiple vulnerabilities), grep (OL7: heap buffer overrun), grub2 (OL7: Secure Boot circumvention), krb5 (OL7: two vulnerabilities), libreport (OL6: data leak), libssh2 (OL7: information leak), net-snmp (OL7: denial of service), netcf (OL7: denial of service), ntp (OL7: multiple vulnerabilities), openhpi (OL7: world writable /var/lib/openhpi directory), openldap (OL7: unintended cipher usage), openssh (OL7: two vulnerabilities), python (OL7: multiple vulnerabilities), rest (OL7: denial of service), rubygem-bundler and rubygem-thor (OL7: installs malicious gem files), squid (OL7: certificate validation bypass), unbound (OL7: denial of service), wireshark (OL7: multiple vulnerabilities), and xfsprogs (OL7: information disclosure).

Scientific Linux has updated libreport (SL6: data leak).

SUSE has updated firefox (SLES10SP4: multiple vulnerabilities).

Red Hat Enterprise Linux 7.2

Monday 23rd of November 2015 08:34:03 PM
Red Hat has announced the release of Red Hat Enterprise Linux 7.2. "New features and capabilities focus on security, networking, and system administration, along with a continued emphasis on enterprise-ready tooling for the development and deployment of Linux container-based applications. In addition, Red Hat Enterprise Linux 7.2 includes compatibility with the new Red Hat Insights, an add-on operational analytics offering designed to increase IT efficiency and reduce downtime through the proactive identification of known risks and technical issues."

Security advisories for Monday

Monday 23rd of November 2015 05:42:06 PM

Debian has updated openjdk-7 (unspecified vulnerability).

Fedora has updated cyrus-imapd (F21: largely unspecified), gdm (F23: denial of service), jenkins (F23: multiple vulnerabilities), jenkins-remoting (F23: multiple vulnerabilities), kernel (F21: multiple vulnerabilities), libpng (F23: denial of service), m2crypto (F21: denial of service), pdns (F21: denial of service), perl-IPTables-Parse (F21: predictable temporary file names), postgresql (F22: two vulnerabilities), python-rauth (F23: unspecified vulnerability), and xen (F23; F22; F21: denial of service).

openSUSE has updated Chromium (SUSE Package Hub for SLE12; Leap42.1, 13.2, 13.1: information leak), docker (Leap42.1: two vulnerabilities), and miniupnpc (Leap42.1, 13.2, 13.1: code execution).

Red Hat has updated abrt, libreport (RHEL7: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), java-1.8.0-ibm (RHEL7: multiple vulnerabilities), and libreport (RHEL6: data leak).

Gräßlin: Looking at the security of Plasma/Wayland

Monday 23rd of November 2015 03:44:56 PM
Martin Gräßlin looks at the security of the Plasma desktop running under Wayland; it's better than X11, but with some ground yet to cover. "Now imagine you want to write a key logger in a Plasma/Wayland world. How would you do it? I asked myself this question recently, thought about it, found a possible solution and had a key logger in less than 10 minutes: ouch."

GIMP is 20 Years Old, What’s Next? (Libre Graphics World)

Monday 23rd of November 2015 03:19:07 PM
This Libre Graphics World article looks at the challenges faced by the 20-year-old GIMP project. "If you've been following GIMP's progress over recent years, you couldn't help yourself noticing the decreasing activity in terms of both commits (a rather lousy metric) and amount of participants (a more sensible one). 'GIMP is dying', say some. 'GIMP developers are slacking', say others. 'You've got to go for crowdfunding' is yet another popular notion. And no matter what, there's always a few whitebearded folks who would blame the team for not going with changes from the FilmGIMP branch. So what's actually going on and what's the outlook for the project?"

Kernel prepatch 4.4-rc2

Monday 23rd of November 2015 02:54:50 PM
The second 4.4 prepatch is out for testing. Linus says: "Things are looking fairly normal in 4.4-land, with no huge surprises in rc2. There were a couple of late features: parisc hugepage support and some late slub bulk allocator patches were not only merged at the end of the week, but they strictly speaking should have been merge window things."

Poettering: Introducing sd-event

Friday 20th of November 2015 09:33:50 PM
Lennart Poettering introduces the sd-event API for the implementation of event loops. "sd-event.h, of course, is not the first event loop API around, and it doesn't implement any really novel concepts. When we started working on it we tried to do our homework, and checked the various existing event loop APIs, maybe looking for candidates to adopt instead of doing our own, and to learn about the strengths and weaknesses of the various implementations existing. Ultimately, we found no implementation that could deliver what we needed, or where it would be easy to add the missing bits: as usual in the systemd project, we wanted something that allows us access to all the Linux-specific bits, instead of limiting itself to the least common denominator of UNIX."

Friday's security updates

Friday 20th of November 2015 05:42:41 PM

Debian has updated lxc (code execution).

Debian-LTS has updated nspr (code execution).

Mageia has updated dovecot (M5: denial of service), gcc (M5: predictable random values), kernel (M5: multiple vulnerabilities), latex2rtf (M5: code execution), libpng/libpng12 (M5: denial of service), and uglify-js (M5: malicious code obfuscation).

openSUSE has updated krb5 (13.1, 13.2: memory corruption) and libksba (13.1, 13.2: denial of service).

Red Hat has updated autofs (RHEL7: privilege escalation), binutils (RHEL7: multiple vulnerabilities), chrony (RHEL7: multiple vulnerabilities), cpio (RHEL7: code execution), cups-filters (RHEL7: multiple vulnerabilities), curl (RHEL7: multiple vulnerabilities), file (RHEL7: multiple vulnerabilities), glibc (RHEL7: multiple vulnerabilities; RHEL7: privilege escalation), grep (RHEL7: heap buffer overrun), grub2 (RHEL7: Secure Boot circumvention), kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libssh2 (RHEL7: denial of service), net-snmp (RHEL7: denial of service), netcf (RHEL7: denial of service), NetworkManager (RHEL7: multiple vulnerabilities), ntp (RHEL7: multiple vulnerabilities), openhpi (RHEL7: world writable /var/lib/openhpi directory), openldap (RHEL7: unintended cipher usage), openssh (RHEL7: multiple vulnerabilities), pacemaker (RHEL7: privilege escalation), pcs (RHEL7: denial of service), python (RHEL7: multiple vulnerabilities), realmd (RHEL7: unsanitized input), rest (RHEL7: denial of service), rubygem-bundler, rubygem-thor (RHEL7: code execution), squid (RHEL7: certificate validation bypass), sssd (RHEL7: memory leak), tigervnc (RHEL7: multiple vulnerabilities), unbound (RHEL7: denial of service), wireshark (RHEL7: multiple vulnerabilities), and xfsprogs (RHEL7: information leak).

Ubuntu has updated libpng (multiple vulnerabilities).

Garrett: If it's not practical to redistribute free software, it's not free software in practice

Friday 20th of November 2015 03:43:22 PM
Matthew Garrett continues his campaign against Canonical's "intellectual property rights policy". "The reality is that if Debian had had an identical policy in 2004, Ubuntu wouldn't exist. The effort required to strip all Debian trademarks from the source packages would have been immense, and this would have had to be repeated for every release. While this policy is in place, nobody's going to be able to take Ubuntu and build something better."

Pitivi 0.95 released

Friday 20th of November 2015 03:26:59 PM
The Pitivi 0.95 release is out, bringing a lot of changes to this longstanding video editor project. "This one packs a lot of bugfixes and architectural work to further stabilize the GES backend. In this blog post, I’ll give you an overview of the new and interesting stuff this release brings, coming out from a year of hard work. It’s pretty epic and you’re in for a few surprises, so I suggest listening to this song while you’re reading this blog post."

Detectify: Chrome Extensions – AKA Total Absence of Privacy

Friday 20th of November 2015 03:23:26 PM
The "Detectify Labs" site has put up a lengthy analysis of the user tracking taking place in many Chrome browser extensions. "Google, claiming that Chrome is the safest web browser out there, is actually making it very simple for extensions to hide how aggressively they are tracking their users. We have also discovered exactly how intrusive this sort of tracking actually is and how these tracking companies actually do a lot of things trying to hide it. Due to the fact that the gathering of data is made inside an extension, all other extensions created to prevent tracking (such as Ghostery) are completely bypassed." At the end they note that the situation with Firefox is not a whole lot better.

Nmap 7 released

Friday 20th of November 2015 03:11:29 PM
Version 7 of the Nmap security scanner has been released. "It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever."

Langridge: No UI is some UI

Thursday 19th of November 2015 11:01:23 PM

At his blog, Stuart Langridge takes issue with a recent Medium post by Tony Aubé titled No UI is the New UI. Aubé's premise is that "invisible" applications—those that use text-messaging or voice-recognition rather than on-screen interfaces—are the future of UI design. Langridge, however, contends that "until very recently, and honestly pretty much still, a computer can’t understand the nuance of language. So 'use language to control computers' meant 'learn the computer’s language', not 'the computer learns yours'." More to the point, "understanding you is laughably incomplete and is obviously the core of the problem, although explaining one’s ideas and being understood by people is also the core problem of civilisation and we haven’t cracked that one yet either." There is less reason to be optimistic about language-based interfaces, he concludes: "I will say that point-and-grunt is not a very sophisticated way of communicating, but it may be all that technology can currently understand."

Thursday's security updates

Thursday 19th of November 2015 05:00:52 PM

CentOS has updated java-1.6.0-openjdk (C6; C5; C7: multiple vulnerabilities) and postgresql (C6; C7: multiple vulnerabilities).

Debian has updated libpng (multiple vulnerabilities).

Debian-LTS has updated strongswan (authentication bypass).

Fedora has updated kernel (F23; F22: ), krb5 (F22: multiple vulnerabilities), m2crypto (F23; F22: denial of service), monitorix (F23; F22: multiple vulnerabilities), perl-IPTables-Parse (F23; F22: predictable temporary file names), python-django (F23: multiple vulnerabilities), and rpcbind (F22: denial of service).

openSUSE has updated xscreensaver (13.1, 13.2, Leap 42.1: denial of service).

Oracle has updated java-1.6.0-openjdk (O7; O6; O5: multiple vulnerabilities) and postgresql (O7; O6: multiple vulnerabilities).

Red Hat has updated java-1.6.0-openjdk (RHEL 5,6,7: multiple vulnerabilities), postgresql (RHEL 6; RHEL 7: multiple vulnerabilities), postgresql92-postgresql (RHSC 2: multiple vulnerabilities), and rh-postgresql94-postgresql (RHSC 2: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (multiple vulnerabilities) and postgresql (SL6; SL7: multiple vulnerabilities).

Ubuntu has updated nvidia-graphics-drivers-352, nvidia-graphics-drivers-352-updates (privilege escalation).

More in Tux Machines

Security Leftovers

  • Friday's security updates
  • Researchers poke hole in custom crypto built for Amazon Web Services
    Underscoring just how hard it is to design secure cryptographic software, academic researchers recently uncovered a potentially serious weakness in an early version of the code library protecting Amazon Web Services. Ironically, s2n, as Amazon's transport layer security implementation is called, was intended to be a simpler, more secure way to encrypt and authenticate Web sessions. Where the OpenSSL library requires more than 70,000 lines of code to execute the highly complex TLS standard, s2n—short for signal to noise—has just 6,000 lines. Amazon hailed the brevity as a key security feature when unveiling s2n in June. What's more, Amazon said the new code had already passed three external security evaluations and penetration tests.
  • Social engineering: hacker tricks that make recipients click
    Social engineering is one of the most powerful tools in the hacker's arsenal and it generally plays a part in most of the major security breaches we hear about today. However, there is a common misconception around the role social engineering plays in attacks.
  • Judge Gives Preliminary Approval to $8 Million Settlement Over Sony Hack
    Sony agreed to reimburse employees up to $10,000 apiece for identity-theft losses
  • Cyber Monday: it's the most wonderful time of year for cyber-attackers
    Malicious attacks on shoppers increased 40% on Cyber Monday in 2013 and 2014, according to, an anti-malware and spyware company, compared to the average number of attacks on days during the month prior. Other cybersecurity software providers have identified the December holiday shopping season as the most dangerous time of year to make online purchases. “The attackers know that there are more people online, so there will be more attacks,” said Christopher Budd, Trend Micro’s global threat communications manager. “Cyber Monday is not a one-day thing, it’s the beginning of a sustained focus on attacks that go after people in the holiday shopping season.”

Slackware Live Edition – Beta 2

  • Slackware Live Edition – Beta 2
    Thanks for all the valuable feedback on the first public beta of my Slackware Live Edition. It allowed me to fix quite a few bugs in the Live scripts (thanks again!), add new functionality (requested by you or from my own TODO) and I took the opportunity to fix the packages in my Plasma 5 repository so that its Live Edition should actually work now.
  • Updated multilib packages for -current
  • (Hopefully) final recompilations for KDE 5_15.11
    There was still some work to do about my Plasma 5 package repository. The recent updates in slackware-current broke several packages that were still linking to older (and no longer present) libraries which were part of the icu4c and udev packages.