Language Selection

English French German Italian Portuguese Spanish


Syndicate content is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Updated: 6 hours 51 min ago

Security updates for Thursday

7 hours 57 min ago

Debian has updated libcommons-fileupload-java (denial of service), libreoffice (code execution), tomcat8 (multiple vulnerabilities, some from 2015), and xerces-c (denial of service).

Debian-LTS has updated libgd2 (denial of service), php5 (multiple vulnerabilities), and xerces-c (denial of service).

Fedora has updated setroubleshoot (F23; F22: code execution) and xguest (F23: insecure password creation).

Ubuntu has updated libreoffice (16.04, 15.10, 12.04: code execution).

[$] Weekly Edition for June 30, 2016

Thursday 30th of June 2016 01:51:57 AM
The Weekly Edition for June 30, 2016 is available.

[$] Networking without an operating system

Wednesday 29th of June 2016 07:35:23 PM
At last year's PyCon in Montréal, Josh Triplett introduced the work he and others have done to port Python to run in the GRUB boot loader. At this year's PyCon in Portland, Oregon, he updated attendees on progress that has been made in the BIOS Implementation Test Suite (BITS) to add networking support. True to form, his presentation came with an eye-opening demonstration of the networking implemented in BITS.

Security advisories for Wednesday

Wednesday 29th of June 2016 03:06:29 PM

Fedora has updated haproxy (F24: denial of service) and xguest (F24: insecure password creation).

openSUSE has updated phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities).

SUSE has updated kvm (SLES11-SP3: multiple vulnerabilities) and qemu (SLE12-SP1: multiple vulnerabilities).

PulseAudio 9.0 is out

Wednesday 29th of June 2016 01:58:53 PM
The PulseAudio 9.0 release is out. Changes include improvements to automatic routing, beamforming support, use of the Linux memfd mechanism for transport, higher sample-rate support, and more; see the release notes for details.

See also: this article from Arun Raghavan on how the beamforming feature works. "The basic idea is that if you have a number of microphones (a mic array) in some known arrangement, it is possible to 'point' or steer the array in a particular direction, so sounds coming from that direction are made louder, while sounds from other directions are rendered softer (attenuated)."

[$] How many -stable patches introduce new bugs?

Tuesday 28th of June 2016 10:37:12 PM
The -stable kernel release process faces a contradictory set of constraints. Developers naturally want to get as many fixes into -stable as possible but, at the same time, there is a strong desire to avoid introducing new regressions there. Each -stable release is, after all, intended to be more stable than its predecessor. At times there have been complaints that -stable is too accepting and too prone to regressions, but not many specifics. But, it turns out, this is an area where at least a little bit of objective research can be done.

GitHub's 2015 Transparency Report

Tuesday 28th of June 2016 08:29:07 PM
GitHub has published its 2015 transparency report. "This 2015 report details the types of requests we receive for user accounts, user content, information about our users, and other such information, and how we process those requests. Transparency and trust are essential to GitHub and to the open source community, and giving you access to information about these requests can protect you, protect us, and help you feel safe as you work on GitHub." The report notes that a significant number of requests for removal of content are notices submitted under the Digital Millennium Copyright Act, or the DMCA.

Tuesday's security advisories

Tuesday 28th of June 2016 04:09:49 PM

Debian has updated kernel (multiple vulnerabilities).

Debian-LTS has updated movabletype-opensource (SQL injection) and spice (information disclosure).

Fedora has updated drupal7 (F23; F22: privilege escalation), gd (F24: three vulnerabilities), krb5 (F24: buffer overflow), nodejs (F24: unspecified), and phpMyAdmin (F24: multiple vulnerabilities).

Gentoo has updated icedtea-bin (multiple vulnerabilities) and kwalletd (misuse of crypto).

openSUSE has updated rsync (13.2: unsafe destination path).

SUSE has updated firefox, nss, nspr (SLE12-SP1: multiple vulnerabilities) and kernel (SLE12-SP1; SLE12: multiple vulnerabilities).

Ubuntu has updated kernel (16.04; 15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04; 15.10: multiple vulnerabilities), linux-snapdragon (16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Reding: What's new for Tegra in Linux v4.7

Monday 27th of June 2016 10:58:19 PM
Thierry Reding looks at Tegra support in Linux 4.7. "The XUSB driver has been under development for a ridiculously long time. One of the reasons is that it relies on the XUSB pad controller to configure its pins as required by the board design. The XUSB pad controller is very likely one of the least-intuitive pieces of hardware I've ever encountered, and the attempts to come up with a device tree binding to describe it have been very numerous. We did finally settle on something earlier this year and after the existing code was updated for the new binding, we're finally able to support super-speed USB on Tegra124 and later." (Thanks to Martin Michlmayr)

Project Triforce: Run AFL on Everything!

Monday 27th of June 2016 10:36:06 PM
The developers of "Project Triforce," an effort to run the "american fuzzy lop" fuzz-testing tool in a system-wide manner, have posted a detailed description of what they are up to. "AFL is an awesome tool. The power of an easy to use, feedback-driven fuzzer has produced an absolutely staggering number of bugs. Still, at first AFL required being able to build the executable, something sadly not available on a lot of targets. With the addition of AFL's qemu_mode, it became possible to fuzz binaries without source, exposing a whole new world of targets to AFL. I'd been on a number of Linux container engagements recently where we'd managed to escape through kernel exploits. I fell asleep one night to several AFL screens running, and I awoke suddenly with a crazy idea: 'Run AFL on the Linux Kernel.'"

Open Source Projects as part of MOSS “Mission Partners” Program

Monday 27th of June 2016 09:25:42 PM
The Mozilla blog has announced the first recipients of its Mozilla Open Source Support (MOSS) “Mission Partners” awards. "For many years people with visual impairments and the legally blind have paid a steep price to access the Web on Windows-based computers. The market-leading software for screen readers costs well over $1,000. The high price is a considerable obstacle to keeping the Web open and accessible to all. The NVDA Project has developed an open source screen reader that is free to download and to use, and which works well with Firefox. NVDA aligns with one of the Mozilla Manifesto’s principles: “The Internet is a global public resource that must remain open and accessible.”" The NVDA project received $15,000. Other award recipients include Tor, Tails, Caddy, Mio, DNSSEC/DANE Chain Stapling, Godot Engine, and PeARS. (Thanks to Paul Wise)

Security updates for Monday

Monday 27th of June 2016 05:33:49 PM

Arch Linux has updated chromium (multiple vulnerabilities), libdwarf (multiple vulnerabilities), libpurple (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), vlc (code execution), and xerces-c (code execution).

Debian has updated libpdfbox-java (XML External Entity (XXE) attacks).

Debian-LTS has updated gimp (use-after-free), java-common (OpenJDK 6 no longer supported), libcommons-fileupload-java (denial of service), mysql-connector-java (information disclosure), nss (denial of service), and tomcat7 (denial of service).

Fedora has updated drupal7 (F24: privilege escalation), mirrormanager (F24; F23; F22: unspecified), optipng (F23: code execution), python (F23: man-in-the-middle attack), and qemu (F24: multiple vulnerabilities).

Gentoo has updated claws-mail (multiple vulnerabilities), freexl (multiple vulnerabilities), hostapd (multiple vulnerabilities), imagemagick (multiple vulnerabilities), libssh (multiple vulnerabilities), plib (code execution from 2011), and sudo (privilege escalation).

openSUSE has updated libarchive (13.2: denial of service), libav (Leap42.1: two vulnerabilities), libtasn1 (Leap42.1: denial of service), libtorrent-rasterbar (13.1: denial of service), mariadb (Leap42.1: multiple vulnerabilities), p7zip (Leap42.1: code execution), php5 (Leap42.1: multiple vulnerabilities), and rsync (Leap42.1: unsafe destination path).

Oracle has updated kernel 2.6.32 (OL6; OL5: privilege escalation).

Red Hat has updated kernel-rt (RHEMRG2.5: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: two vulnerabilities).

Slackware has updated php (multiple vulnerabilities).

Kernel prepatch 4.7-rc5

Monday 27th of June 2016 02:57:09 AM
The 4.7-rc5 kernel prepatch is out. "I think things are calming down, although with almost two thirds of the commits coming in since Friday morning, it doesn't feel that way - my Fridays end up feeling very busy. But looking at the numbers, we're pretty much where we normally are at this time of the rc series."

A couple of unpleasant local kernel vulnerabilities

Saturday 25th of June 2016 03:17:26 PM
The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set of netfilter fixes that, it has just been disclosed, fix a couple of severe local privilege-escalation vulnerabilities. Anybody who is running a site with user and network namespaces enabled will want to update their kernels in short order. The fixes were originally committed into 4.6-rc2 in April with no comment regarding their implications.

Three new stable kernels

Friday 24th of June 2016 08:33:14 PM

Greg Kroah-Hartman has released stable kernel updates 4.6.3, 4.4.14, and 3.14.73. Each contains important fixes throughout the tree.

Friday's security updates

Friday 24th of June 2016 02:18:41 PM

CentOS has updated kernel (C7: multiple vulnerabilities), libxml2 (C6; C7: multiple vulnerabilities), ocaml (C7: information leak), setroubleshoot (C7: multiple vulnerabilities), and setroubleshoot-plugins (C7: multiple vulnerabilities).

Fedora has updated python (F24: startTLS stripping), setroubleshoot (F24: code execution), and setroubleshoot-plugins (F24: code execution).

Oracle has updated kernel (O7: multiple vulnerabilities), libxml2 (O6; O7: multiple vulnerabilities), ocaml (O7: information leak), and setroubleshoot and setroubleshoot-plugins (O7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), and ocaml (RHEL7: information leak).

Scientific Linux has updated libxml2 (SL 6,7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (SL7; SL6: multiple vulnerabilities).

SUSE has updated kernel (SLE11: multiple vulnerabilities).

Defending Our Brand (Let's Encrypt)

Thursday 23rd of June 2016 09:37:48 PM
It seems that the Comodo TLS certificate authority (CA) has filed for three trademarks using variations of "Let's Encrypt". As might be guessed, the Let's Encrypt project is less than pleased by Comodo trying to coopt its name. "Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization. If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web." [Thanks to Paul Wise.]

Xen 4.7 released

Thursday 23rd of June 2016 05:05:04 PM
Version 4.7 of the Xen hypervisor has been released. "With dozens of major improvements, many more bug fixes and small improvements, and significant improvements to Drivers and Devices, Xen Project 4.7 reflects a thriving community around the Xen Project Hypervisor." Some of the new features include live patching, better dom0 robustness, better migration support between non-identical hosts, scheduler improvements, and more. See the release notes for more information.

Thursday's security advisories

Thursday 23rd of June 2016 03:02:57 PM

Debian-LTS has updated squidguard (cross-site scripting).

Fedora has updated php-symfony-security-acl (F24: unspecified). Also, Fedora has sent out a reminder that Fedora 22 will reach its end of life on July 19.

Mageia has updated chromium-browser-stable (multiple vulnerabilities), kernel-linus (multiple vulnerabilities, one from 2013), kernel-tmb (multiple vulnerabilities, one from 2013), libimobiledevice (socket listening on all network interfaces), and python (three vulnerabilities).

openSUSE has updated libarchive (42.1: code execution), mariadb (13.2: many unspecified vulnerabilities), and obs-service-source_validator (42.1; 13.2: code execution).

Red Hat has updated libxml2 (RHEL6&7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (RHEL7: three vulnerabilities).

[$] Weekly Edition for June 23, 2016

Thursday 23rd of June 2016 02:41:35 AM
The Weekly Edition for June 23, 2016 is available.

More in Tux Machines