Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 3 hours 17 min ago

August 2016 GNU Toolchain Update

7 hours 34 min ago
The Red Hat Developer's blog looks at the latest updates to the GNU toolchain. GCC 6.2 and GDB 7.11.1 are mostly bug-fix releases, but GCC contains a few enhancements for SPARC users and there's a look at what's coming in GDB 7.12. Glibc 2.24 contains many new features and enhancements. "A new NSS action is added to facilitate large distributed system administration. The action, MERGE, allows remote user stores like LDAPto be merged into local user stores like /etc/groups in order to provide easy to use, updated, and managed sets of merged credentials."

Haller: MAC Address Spoofing in NetworkManager 1.4.0

10 hours 29 min ago
We recently pointed to Lubomir Rintel's coverage of NetworkManager 1.4. Thomas Haller follows up with a more detailed look at the MAC spoofing capabilities of NetworkManager. "1.2.0 relies on support from wpa_supplicant to configure a random MAC address. The problem is that it requires API which will only be part of the next major release 2.6 of the supplicant. Such a release does not yet exist to this date and thus virtually nobody is using this feature. With NetworkManager 1.4.0, changing of the MAC address is done by NetworkManager itself, requiring no support from the supplicant. This allows also for more flexibility to generate “stable” addresses and the “generate-mac-address-mask”. Also, the same options are now available not only for Wi-Fi, but also Ethernet devices."

Security updates for Tuesday

13 hours 31 min ago

Arch Linux has updated mupdf (denial of service).

Debian-LTS has updated gnupg (flawed random number generation).

Fedora has updated borgbackup (F24; F23: directory traversal), freeipa (F24; F23: denial of service), java-1.8.0-openjdk-aarch32 (F24: multiple vulnerabilities), rubygem-actionpack (F24; F23: unsafe query generation), and rubygem-activerecord (F24; F23: unsafe query generation).

openSUSE has updated kernel (13.1: multiple vulnerabilities).

Slackware has updated kernel (TCP connection takeover).

Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Remembering Vernon Adams

Tuesday 30th of August 2016 12:06:03 AM

Open-source font developer Vernon Adams has passed away in California at the age of 49. In 2014, Adams was injured in an automobile collision, sustaining serious trauma from which he never fully recovered. Perhaps best known within the Linux community as the creator of KDE's user-interface font Oxygen, Adams created a total of 51 font families published through Google Fonts, all under open licenses. He was also active in a number of related free-software projects, including FontForge, Metapolator, and the Open Font Library. In 2012, he co-authored the user's guide for FontForge as part of Google's Summer of Code Documentation Camp, which we reported on at that time.

Speaking personally, Vernon was always quick to offer encouragement and assistance to newcomers—regardless of their experience with type design, FontForge, or free software in general. There were also few people who put as much energy into improving the usability of free-software design tools as he did. In addition, he was a constant advocate for free-software principles in the world of fonts—not just on development lists and at libre graphics conferences, but on type forums as well, where "open source" did not automatically garner a warm reception. The tagline on his web site was "fonts for everyone," and he meant it. He'll be missed.

Security advisories for Monday

Monday 29th of August 2016 04:20:57 PM

Arch Linux has updated wireshark-cli (multiple vulnerabilities).

Debian has updated mupdf (two denial of service flaws).

Debian-LTS has updated eog (out-of-bounds write), quagga (two vulnerabilities), ruby-actionpack-3.2 (multiple vulnerabilities), and ruby-activesupport-3.2 (denial of service).

Fedora has updated lcms2 (F24: heap memory leak), uClibc (F24: code execution), and webkitgtk4 (F24: multiple vulnerabilities).

openSUSE has updated Firefox (13.1: buffer overflow), firefox, nss (Leap42.1, 13.2: buffer overflow), phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities), and typo3-cms-4_5 (Leap42.1, 13.2: three vulnerabilities).

Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities) and kernel 4.1.12 (OL7; OL6: multiple vulnerabilities).

Böck: Multiple vulnerabilities in RPM – and a rant

Monday 29th of August 2016 12:29:02 PM
Hanno Böck performed some fuzz testing on the dpkg and RPM package managers and reported the results; it seems that one of the projects has been rather more responsive than the other in fixing these issues. "The development process of RPM seems to be totally chaotic, it's neither clear where one reports bugs nor where one gets the latest code and security bugs don't get fixed within a reasonable time. There's been some recent events that make me feel especially worried about this..." It seems that some of the maintenance issues with RPM may not have improved greatly since they were reported here ten years ago.

Kernel prepatch 4.8-rc4

Monday 29th of August 2016 09:32:23 AM
The 4.8-rc4 kernel prepatch is out. "Everything looks normal, and it's been a bit quieter than rc3 too, so hopefully we're well into the "it's calming down" phase. Although with the usual timing-related fluctuation (different maintainers stagger their pulls differently), it's hard to tell a trend yet."

[$] Trying out openSUSE Tumbleweed

Saturday 27th of August 2016 05:22:13 AM
While distribution-hopping is common among newcomers to Linux, longtime users tend to settle into a distribution they like and stay put thereafter. In the end, Linux distributions are more alike than different, and one's time is better spent getting real work done rather than looking for a shinier version of the operating system. Your editor, however, somehow never got that memo; that's what comes from ignoring Twitter, perhaps. So there is a new distribution on the main desktop machine; this time around it's openSUSE Tumbleweed.

Nextcloud 10 released

Friday 26th of August 2016 07:20:32 PM
Nextcloud 10 has been released with new features for system administrators to control and direct the flow of data between users on a Nextcloud server. "Rule based file tagging and responding to these tags as well as other triggers like physical location, user group, file properties and request type enables administrators to specifically deny access to, convert, delete or retain data following business or legal requirements. Monitoring, security, performance and usability improvements complement this release, enabling larger and more efficient Nextcloud installations."

The long-awaited Maru OS source release

Friday 26th of August 2016 05:52:46 PM
The Maru OS handset distribution that includes an Ubuntu desktop (reviewed here in April) is finally available in source form. "If you're interested in contributing in general, please check out the project's GitHub (https://github.com/maruos/maruos), get up and running with the developer guide (https://github.com/maruos/maruos/wiki/Developer-Guide), and join the developer group (https://groups.google.com/forum/#!forum/maru-os-dev)"

Security advisories for Friday

Friday 26th of August 2016 04:51:25 PM

Arch Linux has updated mediawiki (multiple vulnerabilities).

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities).

Debian has updated flex (code execution), imagemagick (multiple vulnerabilities), quagga (two vulnerabilities), and rails (cross-site scripting).

Fedora has updated gnupg (F24: flawed random number generation), openvpn (F24: information disclosure), and rubygem-actionview (F24; F23: cross-site scripting).

Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities).

OpenSSL 1.1.0 released

Friday 26th of August 2016 12:24:05 PM
Version 1.1.0 of the OpenSSL TLS library is available. A list of changes can be found on this page; they include a new threading API, a number of new algorithms and the removal of a number of older ones, pipelining (parallel processing) support, extended master secret support, and more.

Rintel: NetworkManager 1.4: with better privacy and easier to use

Thursday 25th of August 2016 08:30:39 PM
Lubomir Rintel takes a look at new features in NetworkManager 1.4. "It is now possible to randomize the MAC address of Ethernet devices to mitigate possibility of tracking. The users can choose between different policies; use a completely random address, or just use different addresses in different networks. For Wi-Fi devices, the same randomization modes are now supported and does no longer require support from wpa-supplicant." Also a newly added API for using configuration snapshots that automatically roll back after a timeout, IPv6 tokenized interface identifiers can be configured, new features in nmcli, and more are covered. (Thanks to Paul Wise)

Thursday's security updates

Thursday 25th of August 2016 04:23:48 PM

Fedora has updated eog (F23: out-of-bounds write).

openSUSE has updated ImageMagick (Leap42.1: three vulnerabilities).

Red Hat has updated qemu-kvm-rhev (RHOSP9: two vulnerabilities) and Red Hat OpenShift Enterprise 2.2.10 (RHOSE: multiple vulnerabilities).

Ubuntu has updated eog (out-of-bounds write), harfbuzz (16.04, 14.04: two vulnerabilities), and libidn (multiple vulnerabilities).

[$] LWN.net Weekly Edition for August 25, 2016

Thursday 25th of August 2016 02:24:03 AM
The LWN.net Weekly Edition for August 25, 2016 is available.

[$] 25 Years of Linux — so far

Wednesday 24th of August 2016 04:26:21 PM
On August 25, 1991, an obscure student in Finland named Linus Benedict Torvalds posted a message to the comp.os.minix Usenet newsgroup saying that he was working on a free operating system as a project to learn about the x86 architecture. He cannot possibly have known that he was launching a project that would change the computing industry in fundamental ways. Twenty-five years later, it is fair to say that none of us foresaw where Linux would go — a lesson that should be taken to heart when trying to imagine where it might go from here.

In Memory of Jonathan “avenj” Portnoy

Wednesday 24th of August 2016 03:52:23 PM
The Gentoo community is mourning the loss of Jonathan Portnoy. "Jon was an active member of the International Gentoo community, almost since its founding in 1999. He was still active until his last day. His passing has struck us deeply and with disbelief. We all remember him as a vivid and enjoyable person, easy to reach out to and energetic in all his endeavors."

Wednesday's security updates

Wednesday 24th of August 2016 02:56:31 PM

CentOS has updated kernel (C6: TCP injection).

Debian-LTS has updated libgcrypt11 (flawed random number generation).

Fedora has updated eog (F24: out-of-bounds write), kernel (F23: use-after-free), mariadb (F23: multiple vulnerabilities), mingw-lcms2 (F24: heap memory leak), postgresql (F23: multiple vulnerabilities), and python (F23: proxy injection).

openSUSE has updated libidn (Leap 42.1: multiple vulnerabilities) and kernel (13.2: multiple vulnerabilities).

Oracle has updated kernel (O6: TCP injection).

Red Hat has updated kernel (RHEL 7.1: multiple vulnerabilities; RHEL6: TCP injection) and qemu-kvm-rhev (RHOSP8: multiple vulnerabilities).

Scientific Linux has updated kernel (SL6: TCP injection).

Slackware has updated gnupg (flawed random number generation), kernel (14.2: TCP injection), and libgcrypt (flawed random number generation).

KDevelop 5.0 released

Wednesday 24th of August 2016 12:31:38 AM

Version 5.0.0 of the KDevelop integrated development environment (IDE) has been released, marking the end of a two-year development cycle. The highlight is a move to Clang for C and C++ support: "The most prominent change certainly is the move away from our own, custom C++ analysis engine. Instead, C and C++ code analysis is now performed by clang." The announcement goes on to describe other benefits of using Clang, such as more accurate diagnostics and suggested fixes for many syntax errors. KDevelop has also been ported to KDE Frameworks 5 and Qt 5, which opens up the possibility of Windows releases down the line.

Tuesday's security updates

Tuesday 23rd of August 2016 02:35:45 PM

Arch Linux has updated libgcrypt (information disclosure).

Fedora has updated kernel (F24: use-after-free vulnerability), pagure (F24: cross-site scripting), and postgresql (F24: multiple vulnerabilities).

Red Hat has updated qemu-kvm-rhev (RHEL7 OSP5; RHEL7 OSP7; RHEL6 OSP5; RHEL7 OSP6: multiple vulnerabilities).

SUSE has updated MozillaFirefox (SLE12: multiple vulnerabilities).