Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 5 hours 34 min ago

Tagged memory and minion cores in the lowRISC SoC

Friday 19th of December 2014 09:15:45 PM
The lowRISC project, which aims to create and manufacture a fully open-source system-on-chip (SoC) and development board, has released a document on its plans to incorporate tagged memory and minion cores into the SoC. Minion cores are separate I/O processors that can be used to implement various I/O protocols without requiring additional hardware in the design. "Tagged memory associates metadata with each memory location and can be used to implement fine-grained memory access restrictions. Attacks which hijack control flow can be prevented by using this protection to restrict writes to memory locations containing return addresses, function pointers, and vtable pointers. Importantly, we anticipate this can be implemented with a worst- case performance overhead of a few percent and a similarly low area cost. This fine-grained memory protection can be used automatically by the compiler, meaning improved security is available to existing programs without source code modifications. We intend to provide tagged memory alongside security features which are already commonly deployed such as secure boot, encrypted off-chip memory, and cryptographic accelerators."

EU to fund Free Software code review (FSFE)

Friday 19th of December 2014 08:35:23 PM
The Free Software Foundation Europe (FSFE) has commented on the most recent European Union (EU) budget—approved on December 17—that includes €1 million for auditing free-software programs that are used by the EU governmental bodies. The auditing is meant to find and fix security holes in those programs. "Even though these institutions are tightly locked into non-free file formats, much of their infrastructure is based on Free Software. 'This is a very welcome decision,' says FSFE's president Karsten Gerloff. 'Like most public bodies, the European institutions rely heavily on Free Software for their daily operations. It is good to see that the Parliament and the Commission will invest at least a little in improving the quality and the programs they use.'"

Friday's security advisories

Friday 19th of December 2014 03:14:24 PM

CentOS has updated glibc (C7: code execution), jasper (C7; C6: three code execution flaws), and kernel (C7: privilege escalation).

Gentoo has updated znc (two denial of service flaws, one from 2013).

Oracle has updated glibc (OL7: three vulnerabilities), jasper (OL7; OL6: three code execution flaws), and kernel (OL7; OL5; OL5: privilege escalation).

Red Hat has updated glibc (RHEL7: code execution) and jasper (RHEL6&7: three code execution flaws).

Scientific Linux has updated jasper (SL6&7: three code execution flaws).

Ubuntu has updated kernel (14.04: regression in previous security fix) and kernel (14.10: regression in previous security fix).

Git v2.2.1 (security release) available

Thursday 18th of December 2014 09:45:14 PM
There is a new version of the Git client out with an important security fix: with vulnerable versions of the Git client on a case insensitive filesystem, it is possible for a pull from a repository to overwrite the .git directory and cause the execution of arbitrary commands. Linux systems running normal filesystems are not affected by this problem, but Windows and Mac OS systems are.

KDE Applications 14.12 released

Thursday 18th of December 2014 09:13:13 PM
The KDE project has announced the release of KDE Applications 14.12, which has the first set of applications that have been ported to KDE Frameworks 5. Most of the applications are still based on KDE Development Platform 4, but some have been moved to the new Qt5-based Frameworks. "The release includes the first KDE Frameworks 5-based versions of Kate and KWrite, Konsole, Gwenview, KAlgebra, Kanagram, KHangman, Kig, Parley, KApptemplate and Okteta. Some libraries are also ready for KDE Frameworks 5 use: analitza and libkeduvocdocument. Libkface is new in this release; it is a library to enable face detection and face recognition in photographs." More information on the new features and fixes that came in the release can be found in the change log and a KDE.News article.

Klapper: Good bye Bugzilla, welcome Phabricator.

Thursday 18th of December 2014 07:19:14 PM
On his blog, André Klapper describes Wikimedia's move from Bugzilla to Phabricator, which is described as an "open source software engineering platform". After ten years and 70,000+ bugs, there was a lot of data to migrate, which went well overall, though there were a few surprises along the way. "We had to work around an unresolved upstream XML-RPC API bug in Bugzilla by applying a custom hack when exporting comments in a first step and removing the hack when exporting attachments (with binary data) in a second step. Though we did, it took us a while to realize that Bugzilla attachments imported into Phabricator were scrambled as the hack got still applied for unknown reasons (some caching?). Rebooting the Bugzilla server fixed the problem but we had to start from scratch with importing attachments." (Thanks to Paul Wise.)

Security updates for Thursday

Thursday 18th of December 2014 04:43:06 PM

CentOS has updated kernel (C5: privilege escalation).

Fedora has updated bind (F20: two denial of service flaws), cpio (F21: denial of service), pam (F20: two vulnerabilities, one from 2013), and tcpdump (F20: three vulnerabilities).

Red Hat has updated kernel (RHEL7; RHEL6; RHEL5: privilege escalation).

Scientific Linux has updated kernel (SL7; SL5: privilege escalation).

PostgreSQL 9.4 released

Thursday 18th of December 2014 03:28:17 PM
Version 9.4 of the PostgreSQL relational database management system is out. "This release adds many new features which enhance PostgreSQL's flexibility, scalability and performance for many different types of database users, including improvements to JSON support, replication and index performance." See this article for a lot more information on what's in this release.

[$] LWN.net Weekly Edition for December 18, 2014

Thursday 18th of December 2014 12:16:46 AM
The LWN.net Weekly Edition for December 18, 2014 is available.

Securing the future of GnuPG

Wednesday 17th of December 2014 06:40:48 PM
The GnuPG project is seeking donations. "For a critical project of this size two experienced developers are required for proper operation. This requires gross revenues of 120000 Euro per year. Unfortunately there is currently only one underpaid full time developer who is barely able to keep up with the work; see this blog entry for some background." (Thanks to Paul Wise)

Security advisories for Wednesday

Wednesday 17th of December 2014 05:13:38 PM

CentOS has updated kernel (C6: multiple vulnerabilities) and mailx (C7; C6: command execution).

Debian has updated bsd-mailx (command execution) and heirloom-mailx (command execution).

Fedora has updated dbus (F21: multiple vulnerabilities), grub2 (F19: code execution), mingw-jasper (F21; F20; F19: code execution), pwgen (F19: two vulnerabilities), python-tornado (F20: denial of service), rpm (F21: code execution), and xorg-x11-server (F20: multiple vulnerabilities).

openSUSE has updated seamonkey (13.2; 13.1, 12.3: multiple vulnerabilities) and thunderbird (13.2, 13.1, 12.3: multiple vulnerabilities).

Oracle has updated kernel (OL6: multiple vulnerabilities) and mailx (OL7; OL6: command execution).

Red Hat has updated kernel (RHEL6: multiple vulnerabilities), kernel-rt (RHE MRG: privilege escalation), mailx (RHEL6,7: command execution), and thermostat1-thermostat (RHSCL: privilege escalation).

Scientific Linux has updated kernel (SL6: multiple vulnerabilities) and mailx (SL6,7: command execution).

Stable kernel updates

Tuesday 16th of December 2014 11:35:58 PM
Stable kernels 3.18.1, 3.17.7, 3.14.27, and 3.10.63 have been released. All contain important fixes.

Trinity Desktop Environment R14.0.0 Released

Tuesday 16th of December 2014 09:23:28 PM
The Trinity Desktop Environment (TDE) development team has announced the release of TDE R14.0.0. "Unlike previous releases TDE R14.0.0 has been in development for over two years. This extended development period has allowed us to create a better, more stable and more feature-rich product than previous TDE releases. R14 is brimming with new features, such as a new hardware manager based on udev (HAL is no longer required), full network-manager 0.9 support, a brand new compositor (compton), built-in threading support, and much more!"

Harmer: Overview of Qt3D 2.0 – Part 1

Tuesday 16th of December 2014 07:08:45 PM
Sean Harmer covers the revival of Qt3D, a 3D framework. "With OpenGL taking a much more prominent position in Qt 5’s graphical stack — OpenGL is the underpinning of Qt Quick 2’s rendering power — and with OpenGL becoming a much more common part of customer projects, KDAB decided that it would be good for us and for the Qt community at large if we took over maintainership and development of the Qt3D module. To this end, several KDAB engineers have been working hard to bring Qt3D back to life and moreover to make it competitive to other modern 3D frameworks. This article is the first in a series that will cover the capabilities, APIs, and implementation of Qt3D in detail."

The Open Source Initiative's 2014 annual report

Tuesday 16th of December 2014 05:26:14 PM
The Open Source Initiative has posted its annual report for 2014 [PDF] describing its efforts to increase its relevance. "In that context, 2014 was a turning point for OSI. Our decision to hire a General Manager started to bear fruit both in the form of a growing membership and of heightened activity. We saw news from new Affiliates appearing daily, profiles of individual members inspiring us through the newsletter and both categories of members bringing forward new ideas like the curriculum for further education and the hosting of OpenHatch. We also saw more corporate sponsors than ever before generously offering funds to support our growth. That meant we had the resources both to promote open source and to challenge abuses of the term around the world."

Tuesday's security updates

Tuesday 16th of December 2014 04:24:32 PM

Mandriva has updated apache-mod_wsgi (privilege escalation).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities).

nftables 0.4 released

Tuesday 16th of December 2014 01:18:17 PM
For those of you following the development of nftables (the virtual-machine-based eventual replacement for iptables) version 0.4 of the user-space nftables utility is out. It provides access to a lot of new features, including global ruleset operations, improved logging support, masquerading and NAT, redirect support (will need a 3.19 kernel), and a lot of fixes.

Security advisories for Monday

Monday 15th of December 2014 08:03:54 PM

Debian has updated c-icap (denial of service), libyaml (denial of service), libyaml-libyaml-perl (denial of service), and mediawiki (code injection).

Fedora has updated antiword (F20; F19: denial of service), castor (F21; F20: XML injection), curl (F21; F20: information leak), dbus (F20: multiple vulnerabilities), docker-io (F21: multiple vulnerabilities), erlang (F20: command injection), flac (F21: multiple vulnerabilities), icecast (F21; F20; F19: two vulnerabilities), kde-plasma-networkmanagement (F19: man-in-the-middle attack), kde-plasma-nm (F21; F20: man-in-the-middle attack), kernel (F20: denial of service), libuv (F21; F20; F19: man-in-the-middle attack), libyaml (F21; F20; F19: denial of service), mingw-flac (F21; F20; F19: multiple vulnerabilities), nodejs (F21; F20; F19: man-in-the-middle attack), openvpn (F20; F19: denial of service), perl-YAML-LibYAML (F20; F19: denial of service), php-horde-kronolith (F21; F20: multiple vulnerabilities), phpMyAdmin (F19: two vulnerabilities), pkcs11-helper (F20; F19: denial of service), pwgen (F21; F20: two vulnerabilities), smack (F21; F20: information disclosure), util-linux (F21: command injection), and xorg-x11-server (F21: unspecified vulnerability).

Gentoo has updated chromium (multiple vulnerabilities), couchdb (denial of service), dbus (multiple vulnerabilities), django (multiple vulnerabilities), freerdp (code execution), ghostscript-gpl (multiple vulnerabilities), gnustep-base (denial of service), mcollective (two vulnerabilities), mod_wsgi (two vulnerabilities), nagios-core (multiple vulnerabilities), openjpeg (multiple vulnerabilities), ppp (privilege escalation), qtgui (denial of service), rails (multiple vulnerabilities), ruby (multiple vulnerabilities), strongswan (two vulnerabilities), tomcat (multiple vulnerabilities), varnish (two vulnerabilities), and xfig (two vulnerabilities from 2009).

Mageia has updated apache (two vulnerabilities), cpio (denial of service), freetype2 (buffer overflow), qemu (two vulnerabilities), and rpm (code execution).

Mandriva has updated bind (denial of service), cpio (denial of service), flac (multiple vulnerabilities), graphviz (format string vulnerability), jasper (code execution), mediawiki (multiple vulnerabilities), mutt (denial of service), nss (multiple vulnerabilities), openafs (multiple vulnerabilities), openvpn (denial of service), phpmyadmin (two vulnerabilities), qemu (two vulnerabilities), rpm (code execution), tcpdump (three vulnerabilities), and yaml (denial of service).

openSUSE has updated apache2 (12.3: multiple vulnerabilities), cpio (13.2, 13.1, 12.3: denial of service), jasper (13.2, 13.1, 12.3: code execution), java-1_7_0-openjdk (13.1; 12.3: multiple vulnerabilities), libjpeg-turbo, libjpeg62-turbo (13.2, 13.1, 12.3: denial of service), mutt (13.2, 13.1, 12.3: denial of service), perl-Plack (13.2, 13.1: information disclosure), phpMyAdmin (13.2, 13.1, 12.3: two vulnerabilities), rrdtool (13.2, 13.1, 12.3: denial of service), and firebird (13.2, 13.1, 12.3: denial of service).

Oracle has updated bind (OL7; OL6; OL5: denial of service) and bind97 (OL5: denial of service).

Scalability Techniques for Practical Synchronization Primitives (ACM Queue)

Monday 15th of December 2014 01:02:38 PM
Davidlohr Bueso gives an overview of kernel locking scalability techniques in this ACM Queue article. "There have recently been significant efforts to address lock-scaling issues in the Linux kernel on large high-end servers. Many of the problems and solutions apply to similar system software. This article applies general ideas and lessons learned to a wider systems context, in the hope that it can be helpful to people who are encountering similar scaling problems."

Chromium to start marking HTTP as insecure

Saturday 13th of December 2014 02:24:12 PM
The Chromium development team has posted a plan to start actively marking web pages served with HTTP as not being secure. "We know that people do not generally perceive the absence of a warning sign... Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP."