Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 2 min ago

Bottomley: Using Your TPM as a Secure Key Store

8 hours 57 min ago
James Bottomley has posted a tutorial on using the trusted platform module to store cryptographic keys. "The main thing that came out of this discussion was that a lot of this stack complexity can be hidden from users and we should concentrate on making the TPM 'just work' for all cryptographic functions where we have parallels in the existing security layers (like the keystore). One of the great advantages of the TPM, instead of messing about with USB pkcs11 tokens, is that it has a file format for TPM keys (I’ll explain this later) which can be used directly in place of standard private key files."

Security advisories for Monday

11 hours 21 min ago

Arch Linux has updated chromium (multiple vulnerabilities) and libdwarf (multiple vulnerabilities).

CentOS has updated firefox (C6; C5: code execution).

Debian-LTS has updated openafs (information leak).

Fedora has updated firefox (F25; F24; F23: code execution), gstreamer1-plugins-bad-free (F25: code execution), gstreamer1-plugins-good (F25: code execution), p7zip (F24; F23: denial of service), phpMyAdmin (F25: multiple vulnerabilities), thunderbird (F24: code execution), and xen (F25; F24; F23: multiple vulnerabilities).

Gentoo has updated busybox (two vulnerabilities), chromium (multiple vulnerabilities), cifs-utils (code execution from 2014), dpkg (code execution), gd (multiple vulnerabilities), libsndfile (two vulnerabilities), libvirt (path traversal), nghttp2 (code execution), nghttp2 (denial of service), patch (denial of service), and pygments (shell injection).

openSUSE has updated containerd, docker, runc (Leap42.1, 42.2: permission bypass), firefox (two vulnerabilities), java-1_7_0-openjdk (13.1: multiple vulnerabilities), java-1_8_0-openjdk (Leap42.1, 42.2: multiple vulnerabilities), libarchive (Leap42.2; Leap42.1: multiple vulnerabilities), thunderbird (code execution), nodejs4 (Leap42.2: code execution), phpMyAdmin (multiple vulnerabilities), sudo (Leap42.2; Leap42.1: three vulnerabilities), tar (Leap42.1, 42.2: file overwrite), and vim (Leap42.2; Leap42.1, 13.2: code execution).

Red Hat has updated thunderbird (code execution).

SUSE has updated qemu (SLE12-SP1: multiple vulnerabilities).

Kernel prepatch 4.9-rc8

17 hours 12 min ago
The 4.9-rc8 kernel prepatch is out; the final 4.9 release will need one more week. "So if anybody has been following the git tree, it should come as no surprise that I ended up doing an rc8 after all: things haven't been bad, but it also hasn't been the complete quiet that would have made me go 'no point in doing another week'."

What's new in OpenStack in 2016: A look at the Newton release (Opensource.com)

Friday 2nd of December 2016 09:13:37 PM
Over at Opensource.com, Rich Bowen gives an overview of the changes in the OpenStack Newton release that was made in October. In it, he looks at each of sub-projects and highlights some of the changes for them that were in the release, which is also useful as a kind high-level guide to some of the various sub-projects and their roles. "With a product as large as OpenStack, summarizing what's new in a particular release is challenging. (See the full release notes for more details.) Each deployment of OpenStack might use a different combination of services and projects, and so will care about different updates. Added to that, the release notes for the various projects tend to be extremely technical in nature, and often don't do a great job of calling out the changes that will actually be noticed by either operators or users."

BitUnmap: Attacking Android Ashmem (Project Zero blog)

Friday 2nd of December 2016 08:24:23 PM
Google's Project Zero blog has a detailed look at exploiting a vulnerability in Android's ashmem shared-memory facility. "The mismatch between the mmap-ed and munmap-ed length provides us with a great exploitation primitive! Specifically, we could supply a short length for the mmap operation and a longer length for the munmap operation - thus resulting in deletion of an arbitrarily large range of virtual memory following our bitmap object. Moreover, there’s no need for the deleted range to contain one continuous memory mapping, since the range supplied in munmap simply ignores unmapped pages. Once we delete a range of memory, we can then attempt to “re-capture” that memory region with controlled data, by causing another allocation in the remote process. By doing so, we can forcibly “free” a data structure and replace its contents with our own chosen data -- effectively forcing a use-after-free condition."

Stable kernels 4.8.12 and 4.4.36

Friday 2nd of December 2016 04:06:59 PM
The 4.8.12 and 4.4.36 stable kernels have been released. As always, users of those kernel series should upgrade.

Security updates for Friday

Friday 2nd of December 2016 04:02:53 PM

Arch Linux has updated firefox (two vulnerabilities) and thunderbird (code execution).

CentOS has updated thunderbird (C6; C5: code execution).

Debian-LTS has updated firefox-esr (multiple vulnerabilities), imagemagick (multiple vulnerabilities, many from 2014 and 2015), monit (cross-site request forgery), tomcat6 (multiple vulnerabilities), and tomcat7 (multiple vulnerabilities).

Fedora has updated calamares (F25; F24: encryption bypass), jenkins (F25: code execution), jenkins-remoting (F25: code execution), moin (F25; F24; F23: cross-site scripting flaws), mujs (F23: multiple vulnerabilities), and zathura-pdf-mupdf (F23: multiple vulnerabilities).

Gentoo has updated davfs2 (privilege escalation from 2013) and gnupg (flawed random number generation).

openSUSE has updated libtcnative-1-0 (42.2, 42.1: SSL improvements) and pacemaker (42.2: two vulnerabilities).

Oracle has updated firefox (OL7; OL6; OL5: code execution).

Red Hat has updated firefox (code execution).

SUSE has updated kernel (SLE11: multiple vulnerabilities, some from 2013 and 2015) and ImageMagick (SLE11: multiple vulnerabilities, some from 2014 and 2015).

Ubuntu has updated ghostscript (multiple vulnerabilities, one from 2013) and oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).

Google's OSS-Fuzz project

Thursday 1st of December 2016 05:52:35 PM
The Google security blog announces the OSS-Fuzz project, which performs continuous fuzz testing of free-software project repositories. "OSS-Fuzz has already found 150 bugs in several widely used open source projects (and churns ~4 trillion test cases a week). With your help, we can make fuzzing a standard part of open source development, and work with the broader community of developers and security testers to ensure that bugs in critical open source applications, libraries, and APIs are discovered and fixed."

Ardour 5.5 released

Thursday 1st of December 2016 05:34:23 PM
Version 5.5 of the Ardour audio editor has been released. "Among the notable new features are support for VST 2.4 plugins on OS X, the ability to have MIDI input follow MIDI track selection, support for Steinberg CC121, Avid Artist & Artist Mix Control surfaces, 'fanning out' of instrument outputs to new tracks/busses and the often requested ability to do horizontal zoom via vertical dragging on the rulers."

Thursday's security advisories

Thursday 1st of December 2016 04:24:21 PM

Debian has updated firefox-esr (code execution).

Debian-LTS has updated gst-plugins-good0.10 (three code execution flaws).

Gentoo has updated imagemagick (multiple vulnerabilities) and php (multiple vulnerabilities, one from 2015).

openSUSE has updated bash (42.1: multiple vulnerabilities, two from 2014) and libcares2 (13.2: code execution).

Slackware has updated firefox (code execution) and thunderbird (code execution).

Ubuntu has updated c-ares (code execution), firefox (two vulnerabilities), imagemagick (multiple vulnerabilities), kernel (16.10; 16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-ti-omap4 (12.04: code execution), and thunderbird (multiple vulnerabilities).

Trouble at Cyanogen

Thursday 1st of December 2016 03:50:59 PM
Cyanogen Inc. has put out a terse press release announcing the departure of founder (and CyanogenMod creator) Steve Kondik. See this rather less terse Android Police article for Kondik's view of the matter. The future of the CyanogenMod distribution seems unclear at this point; if it goes forward, it may have to do so with a different name.

[$] LWN.net Weekly Edition for December 1, 2016

Thursday 1st of December 2016 12:02:10 AM
The LWN.net Weekly Edition for December 1, 2016 is available.

Security advisories for Wednesday

Wednesday 30th of November 2016 05:08:16 PM

Arch Linux has updated neovim (code execution).

Debian has updated hdf5 (multiple vulnerabilities).

Fedora has updated drupal7 (F25; F24; F23: multiple vulnerabilities), p7zip (F25: denial of service), teeworlds (F25; F24; F23: code execution), and vagrant (F25; F24; F23: nfs export insertion).

Mageia has updated jenkins-remoting (code execution) and teeworlds (code execution).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

SUSE has updated vim (SLE12-SP2; SLE11-SP4: code execution).

[$] The Emacs dumper dispute

Wednesday 30th of November 2016 04:17:13 PM
As covered here in January, changes to the GNU C Library's memory-allocation routines have broken the "unexec" method used to build the Emacs editor. Fixing this problem has proved to be more challenging than originally thought; that issue has now come to a head in a disagreement that could cost the Emacs community one of its maintainers.

Git 2.11 released

Tuesday 29th of November 2016 10:11:07 PM
The Git project has announced the release of Git 2.11.0. This version prints longer abbreviated SHA-1 names and has better tools for dealing with ambiguous short SHA-1s, it's faster at accessing delta chains, and has other performance enhancements, and much more. The release notes contain more details.

Tuesday's security updates

Tuesday 29th of November 2016 04:37:39 PM

CentOS has updated expat (C6: code execution) and memcached (C6: code execution).

openSUSE has updated ffmpeg (Leap42.2: heap corruption) and virtualbox (Leap42.2: multiple unspecified vulnerabilities).

Oracle has updated expat (OL7; OL6: code execution).

Red Hat has updated expat (RHEL6,7: code execution) and thunderbird (RHEL5,6,7: multiple vulnerabilities).

SUSE has updated mariadb (SLE12-SP1,2; SLES12: multiple vulnerabilities) and qemu (SLES12: multiple vulnerabilities).

Ubuntu has updated python-cryptography (16.10, 16.04: bad key generation) and vim (code execution).

Time is running out for NTP (InfoWorld)

Monday 28th of November 2016 10:44:39 PM
InfoWorld looks at the underfunded NTP project. "NTP is more than 30 years old—it may be the oldest codebase running on the internet. Despite some hiccups, it continues to work well. But the project’s future is uncertain because the number of volunteer contributors has shrunk, and there’s too much work for one person—principal maintainer Harlan Stenn—to handle. When there is limited support, the project has to pick and choose what tasks it can afford to complete, which slows down maintenance and stifles innovation."

Security advisories for Monday

Monday 28th of November 2016 05:43:11 PM

Arch Linux has updated lib32-libtiff (multiple vulnerabilities), libtiff (multiple vulnerabilities), and ntp (multiple vulnerabilities).

Debian has updated icu (multiple vulnerabilities) and imagemagick (three vulnerabilities).

Debian-LTS has updated irssi (information disclosure), libsoap-lite-perl (XML expansion), and mcabber (roster push attack).

Fedora has updated bind (F23: denial of service) and python-tornado (F25: XSRF protection bypass).

Mageia has updated bzip2 (denial of service), chromium-browser-stable (multiple vulnerabilities), clamav (three vulnerabilities), giflib (denial of service), icu (two vulnerabilities), kernel-4.4.32 (code execution), libtiff (two vulnerabilities), lighttpd (man-in-the-middle attacks), and perl-Email-Address (denial of service).

openSUSE has updated wireshark (Leap42.2: multiple vulnerabilities).

SUSE has updated kernel (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated gst-plugins-good0.10, gst-plugins-good1.0 (incomplete fix in previous update).

Welte: Ten years anniversary of Openmoko

Monday 28th of November 2016 03:01:22 PM
Harald Welte looks back at the Openmoko phone with a ten-year perspective (and an almost unreadable low-contrast web page). "So yes, the smartphone world is much more restricted, locked-down and proprietary than it was back in the Openmoko days. If we had been more successful then, that world might be quite different today. It was a lost opportunity to make the world embrace more freedom in terms of software and hardware."

Kernel prepatch 4.9-rc7

Sunday 27th of November 2016 11:47:56 PM
The 4.9-rc7 kernel prepatch is out. Linus says that things are shaping up and it is possible, but perhaps not likely, that the final 4.9 release will happen on December 4. "I basically reserve the right to make up my mind next weekend."

More in Tux Machines

today's leftovers

  • The future of xinput, xmodmap, setxkbmap, xsetwacom and other tools under Wayland
    This post applies to most tools that interface with the X server and change settings in the server, including xinput, xmodmap, setxkbmap, xkbcomp, xrandr, xsetwacom and other tools that start with x. The one word to sum up the future for these tools under Wayland is: "non-functional". An X window manager is little more than an innocent bystander when it comes to anything input-related. Short of handling global shortcuts and intercepting some mouse button presses (to bring the clicked window to the front) there is very little a window manager can do. It's a separate process to the X server and does not receive most input events and it cannot affect what events are being generated. When it comes to input device configuration, any X client can tell the server to change it - that's why general debugging tools like xinput work.
  • Please don't use pastebins in bugs
  • Linux Top 3: SparkyLinux 4.5, Mageia 5.1 and Peppermint 7
    SparkyLinux is (yet another) Debian based Linux distribution. The SparkyLinux 4.5 update codenamed "Tyche' was released on December 3, providing users with multiple desktop choice other than GNOME. SparkLinux 4.5 ships with KDE, LXDE, LXQt, MATE and Xfce.
  • Upcoming Linux Distributions Releasing In December 2016
    In December 2016, a big Linux distribution release is taking shape in the form of Linux Mint 18.1 Serena, flavored by Cinnamon 3.2. It’ll be accompanied by the release of security and privacy-focused Anonymous Live CD Tails 2.9.
  • AMD Extends Strategic Partnership with Mentor Graphics for Linux-based Embedded Solutions
  • Samsung Z2 gets Firmware Update to Tizen 2.4.0.6 Z200FDDU0BPK3 in India
    Samsung’s latest Tizen-based smartphone, the Z2 model number SM-Z200F, has had a new software / firmware update land in India today. The update takes it to Tizen version 2.4.0.6., firmware Z200FDDU0BPK3. The update log mentions the following improvements: Improved send SOS message (panic mode) and also improvements to the security of the device. Additional bug fixes and performance improvements may have also been bundled in.

Leftovers: Software

  • choqok 1.6 Twitter Client was released and completely ported with KDE Frameworks 5
    Choqok is a fast, efficient and simple to use twitter client for Linux (especially built for the KDE desktop environment) that is installed by default to some of the Linux distribution which shipped with KDE Desktop Environment. The name comes from an ancient Persian word, means Sparrow!
  • 10 open source tools for your sysadmin toolbox [Ed: Terrible list which starts with two suggestions of Microsoft EEE]
    Sysadmins, no matter what platforms they work on, are awash in great open source software tools. In this article, we highlight well-known—and not-so-well-known—tools that have released new versions in 2016.
  • NetworkManager 1.2.6 Lets You Activate Multiple PPPoE Connections Simultaneously
    Beniamino Galvani was proud to announce the release and general availability of a new maintenance update to the stable NetworkManager 1.2 series of the open source network connection manager software for GNU/Linux distributions. NetworkManager is the most used network connection manager, adopted by almost all Linux-based operating systems on the market, and NetworkManager 1.2.6 is now the most advanced release of the 1.2 stable series, coming four months after the NetworkManager 1.2.4 update to fix a few bugs and regressions reported by users since then.
  • GNOME loves to cook
    With the upcoming 20th birthday of GNOME next year, some of us thought that we should make another attempt at this application, maybe as a birthday gift to all of GNOME. Shortly after GUADEC, I got my hands on some existing designs and started to toy around with implementing them over a few weekends and evenings. The screenshots in this post show how far I got since then.

today's howtos

Linux Foundation: Blockchain and Automotive Grade Linux

  • Linux Foundation’s Blockchain Collective Hyperledger Hits 100 Members
    Hyperledger aims to enable organizations to build robust, industry-specific applications, platforms and hardware systems to support their individual business transactions by creating an enterprise grade, open source distributed ledger framework and code base.
  • The Blockchain Milestone You May Have Missed
  • Sasken becomes member of Automotive Grade Linux
    Sasken Communication Technologies Ltd has announced its membership with Automotive Grade Linux as its bronze member. This will enable Sasken to provide solutions to customers on Automotive Grade Linux (AGL). Sasken will provide product development and system integration services for automotive customers spanning in-vehicle infotainment (IVI), instrument cluster, heads-up display and telematics.