Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 2 min ago

Friday's security updates

7 hours 47 min ago

Debian-LTS has updated libvirt (authentication bypass), qemu (multiple vulnerabilities), qemu-kvm (multiple vulnerabilities), roundcube (cross-site scripting), wget (code execution), and wireshark (multiple vulnerabilities).

Fedora has updated kernel (F24: multiple vulnerabilities), python-django-horizon (F23: cross-site scripting), python3 (F24: StartTLS stripping), squidGuard (F22; F23; F24: cross-site scripting), struts (F23; F24: multiple vulnerabilities), and wordpress (F22; F23; F24: multiple vulnerabilities).

SUSE has updated kernel (SLE11; SLE12; SLE12 GA: multiple vulnerabilities).

Ubuntu has updated oxide-qt (14.04, 15.10, 16.04: multiple vulnerabilities).

Linux Mint 18 Cinnamon and MATE editions released

Thursday 30th of June 2016 11:59:44 PM
Linux Mint 18 has been released with Cinnamon and MATE editions. "Linux Mint 18 is a long term support release which will be supported until 2021. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use." The MATE edition has MATE 1.14 along with many other updates listed on the What's New page. The Cinnamon edition has Cinnamon 3.0 (which we recently reviewed) and lots of other new packages described on its What's New page. The release notes pages (MATE, Cinnamon) also have important information on the releases.

Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption (Bits Please)

Thursday 30th of June 2016 08:14:59 PM
The "Bits Please" blog has a detailed description of how one breaks full-disk encryption on an Android phone. Included therein is a lot of information on how full-disk encryption works on Android devices and its inherent limitations. "Instead of creating a scheme which directly uses the hardware key without ever divulging it to software or firmware, the code above performs the encryption and validation of the key blobs using keys which are directly available to the TrustZone software! Note that the keys are also constant - they are directly derived from the SHK (which is fused into the hardware) and from two 'hard-coded' strings. Let's take a moment to explore some of the implications of this finding."

etcd 3.0 released

Thursday 30th of June 2016 08:03:06 PM
CoreOS has announced the availability of version 3.0 of the etcd distributed key-value store. "etcd 3.0 marks the first stable release of the etcd3 API and data model. Upgrades are simple, because the same etcd2 JSON endpoints and internal cluster protocol are still provided in etcd3. Nevertheless, etcd3 is a wholesale API redesign based on feedback from etcd2 users and experience with scaling etcd2 in practice. This post highlights some notable etcd3 improvements in efficiency, reliability, and concurrency control."

Security updates for Thursday

Thursday 30th of June 2016 02:52:35 PM

Debian has updated libcommons-fileupload-java (denial of service), libreoffice (code execution), tomcat8 (multiple vulnerabilities, some from 2015), and xerces-c (denial of service).

Debian-LTS has updated libgd2 (denial of service), php5 (multiple vulnerabilities), and xerces-c (denial of service).

Fedora has updated setroubleshoot (F23; F22: code execution) and xguest (F23: insecure password creation).

Ubuntu has updated libreoffice (16.04, 15.10, 12.04: code execution).

[$] LWN.net Weekly Edition for June 30, 2016

Thursday 30th of June 2016 01:51:57 AM
The LWN.net Weekly Edition for June 30, 2016 is available.

[$] Networking without an operating system

Wednesday 29th of June 2016 07:35:23 PM
At last year's PyCon in Montréal, Josh Triplett introduced the work he and others have done to port Python to run in the GRUB boot loader. At this year's PyCon in Portland, Oregon, he updated attendees on progress that has been made in the BIOS Implementation Test Suite (BITS) to add networking support. True to form, his presentation came with an eye-opening demonstration of the networking implemented in BITS.

Security advisories for Wednesday

Wednesday 29th of June 2016 03:06:29 PM

Fedora has updated haproxy (F24: denial of service) and xguest (F24: insecure password creation).

openSUSE has updated phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities).

SUSE has updated kvm (SLES11-SP3: multiple vulnerabilities) and qemu (SLE12-SP1: multiple vulnerabilities).

PulseAudio 9.0 is out

Wednesday 29th of June 2016 01:58:53 PM
The PulseAudio 9.0 release is out. Changes include improvements to automatic routing, beamforming support, use of the Linux memfd mechanism for transport, higher sample-rate support, and more; see the release notes for details.

See also: this article from Arun Raghavan on how the beamforming feature works. "The basic idea is that if you have a number of microphones (a mic array) in some known arrangement, it is possible to 'point' or steer the array in a particular direction, so sounds coming from that direction are made louder, while sounds from other directions are rendered softer (attenuated)."

[$] How many -stable patches introduce new bugs?

Tuesday 28th of June 2016 10:37:12 PM
The -stable kernel release process faces a contradictory set of constraints. Developers naturally want to get as many fixes into -stable as possible but, at the same time, there is a strong desire to avoid introducing new regressions there. Each -stable release is, after all, intended to be more stable than its predecessor. At times there have been complaints that -stable is too accepting and too prone to regressions, but not many specifics. But, it turns out, this is an area where at least a little bit of objective research can be done.

GitHub's 2015 Transparency Report

Tuesday 28th of June 2016 08:29:07 PM
GitHub has published its 2015 transparency report. "This 2015 report details the types of requests we receive for user accounts, user content, information about our users, and other such information, and how we process those requests. Transparency and trust are essential to GitHub and to the open source community, and giving you access to information about these requests can protect you, protect us, and help you feel safe as you work on GitHub." The report notes that a significant number of requests for removal of content are notices submitted under the Digital Millennium Copyright Act, or the DMCA.

Tuesday's security advisories

Tuesday 28th of June 2016 04:09:49 PM

Debian has updated kernel (multiple vulnerabilities).

Debian-LTS has updated movabletype-opensource (SQL injection) and spice (information disclosure).

Fedora has updated drupal7 (F23; F22: privilege escalation), gd (F24: three vulnerabilities), krb5 (F24: buffer overflow), nodejs (F24: unspecified), and phpMyAdmin (F24: multiple vulnerabilities).

Gentoo has updated icedtea-bin (multiple vulnerabilities) and kwalletd (misuse of crypto).

openSUSE has updated rsync (13.2: unsafe destination path).

SUSE has updated firefox, nss, nspr (SLE12-SP1: multiple vulnerabilities) and kernel (SLE12-SP1; SLE12: multiple vulnerabilities).

Ubuntu has updated kernel (16.04; 15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04; 15.10: multiple vulnerabilities), linux-snapdragon (16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Reding: What's new for Tegra in Linux v4.7

Monday 27th of June 2016 10:58:19 PM
Thierry Reding looks at Tegra support in Linux 4.7. "The XUSB driver has been under development for a ridiculously long time. One of the reasons is that it relies on the XUSB pad controller to configure its pins as required by the board design. The XUSB pad controller is very likely one of the least-intuitive pieces of hardware I've ever encountered, and the attempts to come up with a device tree binding to describe it have been very numerous. We did finally settle on something earlier this year and after the existing code was updated for the new binding, we're finally able to support super-speed USB on Tegra124 and later." (Thanks to Martin Michlmayr)

Project Triforce: Run AFL on Everything!

Monday 27th of June 2016 10:36:06 PM
The developers of "Project Triforce," an effort to run the "american fuzzy lop" fuzz-testing tool in a system-wide manner, have posted a detailed description of what they are up to. "AFL is an awesome tool. The power of an easy to use, feedback-driven fuzzer has produced an absolutely staggering number of bugs. Still, at first AFL required being able to build the executable, something sadly not available on a lot of targets. With the addition of AFL's qemu_mode, it became possible to fuzz binaries without source, exposing a whole new world of targets to AFL. I'd been on a number of Linux container engagements recently where we'd managed to escape through kernel exploits. I fell asleep one night to several AFL screens running, and I awoke suddenly with a crazy idea: 'Run AFL on the Linux Kernel.'"

Open Source Projects as part of MOSS “Mission Partners” Program

Monday 27th of June 2016 09:25:42 PM
The Mozilla blog has announced the first recipients of its Mozilla Open Source Support (MOSS) “Mission Partners” awards. "For many years people with visual impairments and the legally blind have paid a steep price to access the Web on Windows-based computers. The market-leading software for screen readers costs well over $1,000. The high price is a considerable obstacle to keeping the Web open and accessible to all. The NVDA Project has developed an open source screen reader that is free to download and to use, and which works well with Firefox. NVDA aligns with one of the Mozilla Manifesto’s principles: “The Internet is a global public resource that must remain open and accessible.”" The NVDA project received $15,000. Other award recipients include Tor, Tails, Caddy, Mio, DNSSEC/DANE Chain Stapling, Godot Engine, and PeARS. (Thanks to Paul Wise)

Security updates for Monday

Monday 27th of June 2016 05:33:49 PM

Arch Linux has updated chromium (multiple vulnerabilities), libdwarf (multiple vulnerabilities), libpurple (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), vlc (code execution), and xerces-c (code execution).

Debian has updated libpdfbox-java (XML External Entity (XXE) attacks).

Debian-LTS has updated gimp (use-after-free), java-common (OpenJDK 6 no longer supported), libcommons-fileupload-java (denial of service), mysql-connector-java (information disclosure), nss (denial of service), and tomcat7 (denial of service).

Fedora has updated drupal7 (F24: privilege escalation), mirrormanager (F24; F23; F22: unspecified), optipng (F23: code execution), python (F23: man-in-the-middle attack), and qemu (F24: multiple vulnerabilities).

Gentoo has updated claws-mail (multiple vulnerabilities), freexl (multiple vulnerabilities), hostapd (multiple vulnerabilities), imagemagick (multiple vulnerabilities), libssh (multiple vulnerabilities), plib (code execution from 2011), and sudo (privilege escalation).

openSUSE has updated libarchive (13.2: denial of service), libav (Leap42.1: two vulnerabilities), libtasn1 (Leap42.1: denial of service), libtorrent-rasterbar (13.1: denial of service), mariadb (Leap42.1: multiple vulnerabilities), p7zip (Leap42.1: code execution), php5 (Leap42.1: multiple vulnerabilities), and rsync (Leap42.1: unsafe destination path).

Oracle has updated kernel 2.6.32 (OL6; OL5: privilege escalation).

Red Hat has updated kernel-rt (RHEMRG2.5: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: two vulnerabilities).

Slackware has updated php (multiple vulnerabilities).

Kernel prepatch 4.7-rc5

Monday 27th of June 2016 02:57:09 AM
The 4.7-rc5 kernel prepatch is out. "I think things are calming down, although with almost two thirds of the commits coming in since Friday morning, it doesn't feel that way - my Fridays end up feeling very busy. But looking at the numbers, we're pretty much where we normally are at this time of the rc series."

A couple of unpleasant local kernel vulnerabilities

Saturday 25th of June 2016 03:17:26 PM
The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set of netfilter fixes that, it has just been disclosed, fix a couple of severe local privilege-escalation vulnerabilities. Anybody who is running a site with user and network namespaces enabled will want to update their kernels in short order. The fixes were originally committed into 4.6-rc2 in April with no comment regarding their implications.

Three new stable kernels

Friday 24th of June 2016 08:33:14 PM

Greg Kroah-Hartman has released stable kernel updates 4.6.3, 4.4.14, and 3.14.73. Each contains important fixes throughout the tree.

Friday's security updates

Friday 24th of June 2016 02:18:41 PM

CentOS has updated kernel (C7: multiple vulnerabilities), libxml2 (C6; C7: multiple vulnerabilities), ocaml (C7: information leak), setroubleshoot (C7: multiple vulnerabilities), and setroubleshoot-plugins (C7: multiple vulnerabilities).

Fedora has updated python (F24: startTLS stripping), setroubleshoot (F24: code execution), and setroubleshoot-plugins (F24: code execution).

Oracle has updated kernel (O7: multiple vulnerabilities), libxml2 (O6; O7: multiple vulnerabilities), ocaml (O7: information leak), and setroubleshoot and setroubleshoot-plugins (O7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), and ocaml (RHEL7: information leak).

Scientific Linux has updated libxml2 (SL 6,7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (SL7; SL6: multiple vulnerabilities).

SUSE has updated kernel (SLE11: multiple vulnerabilities).

More in Tux Machines

Type Title Author Replies Last Postsort icon
Story GNU/Linux Leftovers Roy Schestowitz 01/07/2016 - 9:16pm
Story Red Hat Summit Roy Schestowitz 01/07/2016 - 9:13pm
Story Leftovers: Gaming Roy Schestowitz 01/07/2016 - 9:12pm
Story Servo Night Builds Begin, Linux Packages Coming Roy Schestowitz 01/07/2016 - 9:10pm
Story Android Leftovers Roy Schestowitz 01/07/2016 - 8:52pm
Story Leftovers: OSS Roy Schestowitz 01/07/2016 - 8:52pm
Story Openwashing Roy Schestowitz 01/07/2016 - 8:36pm
Story Apache Projects Roy Schestowitz 01/07/2016 - 8:35pm
Story Leftovers: Ubuntu, Mint, and Debian Roy Schestowitz 01/07/2016 - 8:18pm
Story Red Hat and Fedora Roy Schestowitz 01/07/2016 - 8:17pm