LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
Security updates have been issued by CentOS (qemu-kvm), Debian (bind9, libquicktime, mupdf, qemu-kvm, and tnef), Fedora (mupdf, rpm, tomcat, util-linux, and xen), openSUSE (gstreamer and gstreamer-plugins-base), Oracle (qemu-kvm), Red Hat (qemu-kvm), Scientific Linux (qemu-kvm), SUSE (kernel and xen), and Ubuntu (libgd2).
Opensource.com takes a look
at changes to MySQL 8.0. "Ever open up a directory of a MySQL schema and see all those files—.frm, .myi, .myd, and the like? Those files hold some of the metadata on the database schemas. Twenty years ago, it was a good way to go, but InnoDB is a crash proof storage engine and can hold all that metadata safely. This means file corruption of a .frm file is not going to stall your work. Developers also removed the file system's maximum number of files as the limiting factor to your number of databases; you can now literally have millions of tables in your database."
is the vulnerability identifier
for a use-after-free bug in the kernel's network stack. This vulnerability
is apparently exploitable in local privilege-escalation attacks. The
problem, introduced in 2005, is easily fixed, but it points at a couple of
shortcomings in the kernel development process; as a result, it would not
be surprising if more bugs of this variety were to turn up in the near
Security updates have been issued by Debian (apache2, libplist, and tnef), Fedora (firebird, kernel, and vim), Red Hat (java-1.6.0-ibm, java-1.7.0-ibm, java-1.7.1-ibm, kernel, and qemu-kvm-rhev), SUSE (php53 and xen), and Ubuntu (tiff).
Users of the Subversion source-code management system may want to take a
look at this post from Mark Phippard. He explains how hash collisions can corrupt a
repository and a couple of short-term workarounds. "The quick
summary if you do not want to read this entire post is that the problem is
really not that bad. If you run into it there are solutions to resolve it
and you are not going to run into it in normal usage. There will also
likely be some future updates to Subversion that avoid it entirely so if
you regularly update your server and client when new releases come out you
are probably safe not doing anything and just waiting for an update to
algorithm has been known for at least a decade to be
weak; while no generated hash collisions had been reported, it was assumed
that this would happen before too long. On February 23, Google announced
that it had succeeded at this task. While the technique used is
computationally expensive, this event has clarified what most developers
have known for some time: it is time to move away from SHA-1. While the
migration has essentially been completed in some areas (SSL certificates,
for example), there are still important places where it is heavily used,
including at the core of the Git source-code management system.
Unsurprisingly, the long-simmering discussion in the Git community on
moving away from SHA-1 is now at a full boil.
Security updates have been issued by Debian (apache2, radare2, and shadow), Mageia (firebird, libevent, and php-tcpdf), and openSUSE (chromium).
stable kernels are out; these
relatively small updates contain the usual set of important fixes.
Update: the 4.10.1 update is out as
well (thanks to Thorsten Leemhuis).
Security updates have been issued by CentOS (kernel and qemu-kvm), Debian (bind9, cakephp, munin, and shadow), Fedora (python-cjson, python-PyMySQL, quagga, util-linux, and xen), Mageia (kernel kmod and kernel-tmb), Oracle (kernel), Red Hat (kernel), and Scientific Linux (kernel).
Linus Torvalds has posted a lengthy
of why the recently created SHA-1 collision is not an
emergency for Git users. "In the pdf examples, the pdf format acted
as the 'black box', and what you see is the printout which has only a very
indirect relationship to the pdf encoding.
But if you use git for source control like in the kernel, the stuff you
really care about is source code, which is very much a transparent
medium. If somebody inserts random odd generated crud in the middle of your
source code, you will absolutely notice." That said, he notes that
there is work in progress to move away from SHA-1.
[It seems that subversion users have an additional set of concerns; see this bug report
conversation for the scary story.]
Thanks to Josh Triplett for sending us this Google Project Zero report
about a dump of uninitialized memory caused by Cloudflare's
reverse proxies. "A while later, we figured out how to reproduce the
problem. It looked like that if an html page hosted behind cloudflare had a
specific combination of unbalanced tags, the proxy would intersperse pages
of uninitialized memory into the output (kinda like heartbleed, but
cloudflare specific and worse for reasons I'll explain later). My working
theory was that this was related to their "ScrapeShield" feature which
parses and obfuscates html - but because reverse proxies are shared between
customers, it would affect *all* Cloudflare customers. We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security."
Security updates have been issued by Debian (libreoffice and phpmyadmin), Fedora (kopete and xrdp), Oracle (kernel and qemu-kvm), Red Hat (kernel and qemu-kvm), Scientific Linux (kernel and qemu-kvm), and Ubuntu (LibreOffice and php7.0).
Over at the Red Hat Developers blog, Martin Sebor looks at
some new (or enhanced) warnings available in GCC 7 that will help catch various types of memory errors. For example: "The -Wformat-overflow=level
option detects certain and likely buffer overflow in calls to the sprintf family of formatted output functions. The option starts by determining the size of the destination buffer, which can be allocated either statically or dynamically. It then iterates over directives in the format string, calculating the number of bytes each result in output. For integer directives like %i and %x it tries to determine either the exact value of the argument or its range of values and uses the result to calculate the exact or minimum and maximum number of bytes the directive can produce. Similarly for floating point directives such as %a and %f, and string directives such as %s. When it determines that the likely number of bytes a directive results in will not fit in the space remaining in the destination buffer it issues a warning."
Andrey Konovalov has announced
the discovery and fix of a local privilege escalation in the Linux kernel. Using the syzkaller
fuzzer (which LWN looked at
around one year ago), he found a double-free in the Datagram Congestion Control Protocol (DCCP) implementation that goes back to at least September 2006 (2.6.18), but probably all the way back to the introduction of DCCP in October 2005 (2.6.14). "[At] this point we have a use-after-free on some_object. An attacker can
control what object that would be and overwrite its content with
arbitrary data by using some of the kernel heap spraying techniques.
If the overwritten object has any triggerable function pointers, an
attacker gets to execute arbitrary code within the kernel.
I'll publish an exploit in a few days, giving people time to update."
Greg Kroah-Hartman has announced the release of the 4.9.12
stable kernels. As usual, there are
important fixes in the updates and users of those kernels should upgrade.
Security updates have been issued by Arch Linux (bzip2, kernel, and linux-zen), CentOS (kernel), Debian (bitlbee, kernel, and tomcat7), Fedora (diffoscope, mujs, pcre, plasma-desktop, and tomcat), Mageia (libpcap/tcpdump and spice), openSUSE (gd, kernel, libquicktime, and libXpm), Oracle (kernel), Red Hat (kernel, kernel-rt, and python-oslo-middleware), SUSE (php5 and util-linux), and Ubuntu (imagemagick).
The final version of the LEDE router distribution's 17.01.0 release is now
available. "LEDE 17.01.0 "Reboot" incorporates thousands of commits over the last
nine months of effort. With this release, the LEDE development team
closes out an intense effort to modernize many parts of OpenWrt and
incorporate many new modules, packages, and technologies." LWN
recently reviewed a release-candidate
of LEDE 17.01.
The Google security blog carries
of the first deliberately constructed SHA-1 hash collision.
"We started by creating a PDF prefix specifically crafted to allow us
to generate two documents with arbitrary distinct visual contents, but that
would hash to the same SHA-1 digest. In building this theoretical attack in
practice we had to overcome some new challenges. We then leveraged Google’s
technical expertise and cloud infrastructure to compute the collision which
is one of the largest computations ever completed."
The SHA-1 era is truly coming to an end, even if most attackers lack access
to the computing resources needed for this particular exploit.
The LWN.net Weekly Edition for February 23, 2017 is available.
Tuukka Turunen presents
a roadmap for
Qt. "Qt 3D was first released with Qt 5.7 and in Qt 5.8 the focus was mostly on stability and performance. With Qt 5.9 we are providing many new features which significantly improve the functionality of Qt 3D. Notable new features include support for mesh morphing and keyframe animations, using Qt Quick items as a texture for 3D elements, as well as support for physically based rendering and particles. There are also multiple smaller features and improvements throughout the Qt 3D module."