Security advisories for Christmas day

Thursday 25th of December 2014 04:52:05 PM

Best wishes to you and yours from LWN ...

Fedora has updated nss (F21: data smuggling) and pyxdg (F19: privilege escalation).

Gentoo has updated libvirt (three denial of service flaws), ntp (multiple code execution vulnerabilities), qemu (three vulnerabilities), and rsyslog (three vulnerabilities, one from 2011).

[$] Weekly Edition for December 25, 2014

Thursday 25th of December 2014 12:34:25 AM
The Weekly Edition for December 25, 2014 is available.

[$] Type hinting for Python

Wednesday 24th of December 2014 08:54:23 PM
Python is a poster child for dynamically typed languages, but if Guido van Rossum gets his way—as benevolent dictator for life (BDFL), he usually does—the language will soon get optional support for static type-checking. The discussion and debate have played out since August (at least), but Van Rossum has just posted a proposal that targets Python 3.5, which is due in September 2015, for including this "type hinting" feature. Unlike many languages (e.g. C, C++, Java), Python's static type-checking would be optional—programs can still be run even if the static checker has complaints, because the interpreter itself does not enforce the annotations.

The full story from this week's edition is available to subscribers below.
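The point that the hints are optional is worth seeing concretely, because it has a security consequence: an annotation does not validate input, and a function annotated as taking an int will accept a str from a request parameter without complaint. The following is an added example, not code from the proposal, from Python or from LWN. It shows the silent type confusion, and then an illustrative decorator (enforce_annotations, an assumption of this example and not anything the proposal specifies) that turns the same annotations into runtime isinstance checks at a trust boundary.

```python
"""Annotations are inert at runtime: CPython stores them in
__annotations__ and otherwise ignores them, so a function annotated as
taking an int accepts a str without complaint. Added example, not code
from the type-hinting proposal or from Python; enforce_annotations is an
illustrative decorator, not anything the proposal specifies."""

import functools
import inspect


def is_root(uid: int) -> bool:
    """Annotated but unenforced: passing the str "0" (as a web framework
    might hand over a query parameter) compares "0" == 0 and returns
    False with no error, which is a silent type confusion."""
    return uid == 0


def enforce_annotations(func):
    """Turn parameter annotations into isinstance checks at call time.
    Illustrative only; annotations must be plain classes for this to work."""
    sig = inspect.signature(func)

    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        bound = sig.bind(*args, **kwargs)
        bound.apply_defaults()
        for name, value in bound.arguments.items():
            expected = sig.parameters[name].annotation
            if expected is inspect.Parameter.empty:
                continue
            if not isinstance(value, expected):
                raise TypeError("%s: %r should be %s, got %s" % (
                    func.__name__, name, expected.__name__,
                    type(value).__name__))
        return func(*args, **kwargs)

    return wrapper


checked_is_root = enforce_annotations(is_root)


def demo():
    """Return (unchecked_result, checked_raised) for the str argument "0"."""
    unchecked = is_root("0")          # False, silently: the annotation did nothing
    try:
        checked_is_root("0")
        raised = False
    except TypeError:
        raised = True
    return unchecked, raised


if __name__ == "__main__":
    print("annotations:", is_root.__annotations__)
    result = demo()
    print("is_root('0') ->", result[0], "; checked version raised:", result[1])
```

A static checker would flag the call is_root("0") in source it can see; it can say nothing about a value that only acquires its type at runtime, which is why the decorator (or explicit conversion and validation) still belongs at the boundary.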

Kuhn: Toward Civil Behavior

Wednesday 24th of December 2014 07:17:00 PM
Bradley M. Kuhn talks about abusive behavior in the FLOSS community. "In the politics of Free, Libre and Open Source Software (FLOSS), some people regularly engage in behavior right on that line: berating, verbal abuse, and intimidation. These behaviors are consistently tolerated, accepted, and sometimes lauded in FLOSS projects and organizations. I can report from direct experience: if you think what happens on public mailing lists is bad, what happens on the private phone calls and in-person meetings is even worse. The types of behavior that would-be leaders employ would surely shock you." (Thanks to Paul Wise)

Security updates for Wednesday

Wednesday 24th of December 2014 05:16:51 PM

Debian has updated mediawiki (cross-site scripting) and sox (code execution).

Fedora has updated erlang (F21: command injection), freetype (F21: buffer overflow), ntp (F21: multiple code execution vulnerabilities), and qemu (F20: code execution).

Mageia has updated git (code execution), libjpeg (denial of service), and subversion (denial of service).

SUSE has updated kernel (SLES11 SP3; SLE11 SP3; SLE11 SP3; SLES11 SP2, SP1: multiple vulnerabilities), ntp (SLE12: two code execution vulnerabilities), openvpn (SLE12: denial of service), popt (SLE11 SP3: code execution), and xntp (SLES10 SP4: code execution).

[$] The "too small to fail" memory-allocation rule

Tuesday 23rd of December 2014 10:17:35 PM
Kernel developers have long been told that, with few exceptions, attempts to allocate memory can fail if the system does not have sufficient resources. As a result, in well-written code, every call to a function like kmalloc(), vmalloc(), or __get_free_pages() is accompanied by carefully thought-out error-handling code. It turns out, though, the behavior actually implemented in the memory-management subsystem is a bit different from what is written in the brochure. That difference can lead to unfortunate run-time behavior, but the fix might just be worse.

Click below (subscribers only) for the full article from this week's Kernel Page.

Devuan progress report

Tuesday 23rd of December 2014 06:50:20 PM
The people behind the Devuan project have released a progress report. Devuan is a fork of Debian without systemd. A repository has been set up at GitLab. "This is the most recent achievement on infrastructure development: last night the first devuan-baseconf package was built correctly through our continuous integration infrastructure, pulling directly from our source repository."

Tuesday's security updates

Tuesday 23rd of December 2014 05:22:03 PM

Debian has updated cpio (denial of service).

Debian-LTS has updated eglibc (denial of service), firebird2.5 (denial of service), and jasper (two code execution vulnerabilities).

Gentoo has updated pdns-recursor (multiple vulnerabilities, some from 2009).

Mageia has updated unrtf (code execution).

openSUSE has updated unbound (13.2: denial of service).

Red Hat has updated kernel (RHEL6.4; RHEL6.2; RHEL5.9; RHEL5.6: privilege escalation).

Slackware has updated ntp (multiple code execution vulnerabilities), php (two vulnerabilities), and xorg (multiple vulnerabilities).

SUSE has updated ntp (SLE11 SP3, SLES11 SP2: multiple code execution vulnerabilities).

NetworkManager 1.0.0 released

Tuesday 23rd of December 2014 02:26:42 PM
Many of us have used NetworkManager for years, but the project only got around to putting out its 1.0.0 release now. "This release brings a more modern GObject-based client library, many bug fixes and updated translations, more flexible routing, hugely improved nmcli with password support, improved nmtui, a light-weight internal DHCP client, 'configure and quit' mode, Bluetooth DUN support with Bluez5, VPN connection persistence, improved cooperation with external tools, expanded manpages and documentation, WWAN IPv6 support, and much much more."

Best of open hardware in 2014

Monday 22nd of December 2014 11:00:44 PM
The site wraps up its open hardware coverage for 2014. You'll find pointers to resources and articles previously published there throughout the year. "Open hardware is the physical foundation of the open movement. It is through understanding, designing, manufacturing, commercializing, and adopting open hardware, that we built the basis for a healthy and self-reliant community of open. And the year of 2014 had plenty of activities in the open hardware front."

Security advisories for Monday

Monday 22nd of December 2014 06:49:15 PM

CentOS has updated ntp (C7; C6; C5: multiple code execution vulnerabilities).

Debian has updated firebird2.5 (denial of service), jasper (two code execution vulnerabilities), ntp (multiple code execution vulnerabilities), subversion (denial of service), and subversion (regression in previous update).

Debian-LTS has updated linux-2.6 (multiple vulnerabilities), ntp (multiple code execution vulnerabilities), qt4-x11 (code execution), subversion (denial of service), and xorg-server (multiple vulnerabilities).

Fedora has updated ctdb (F20: insecure temporary files), dbus (F19: multiple vulnerabilities), firebird (F21; F20: denial of service), flac (F19: multiple vulnerabilities), gpgme (F21: code execution), kernel (F21; F20: multiple vulnerabilities), mantis (F21; F20; F19: multiple vulnerabilities), ntp (F20: multiple code execution vulnerabilities), pcre (F20; F19: information leak), python-tornado (F19: denial of service), pyxdg (F21: symlink attacks), sagemath (F21; F20: cross-site scripting), and unbound (F21; F20: denial of service).

Gentoo has updated sendmail (information disclosure).

Mageia has updated c-icap (denial of service), claws-mail (denial of service), dokuwiki (cross-site scripting), file (denial of service), jasper (two code execution vulnerabilities), krb5 (NULL dereference), nail (command execution), ntp (multiple code execution vulnerabilities), pcre (denial of service), php (code execution), pwgen (two vulnerabilities), x11-server (multiple vulnerabilities), and znc (denial of service).

openSUSE has updated clamav (11.4: two vulnerabilities), libksba (13.2, 13.1, 12.3: denial of service), kernel (13.2: multiple vulnerabilities), ntp (13.2, 13.1, 12.3; 11.4: two code execution vulnerabilities), pdns-recursor (13.1, 12.3: denial of service), and kernel (13.1; 12.3: multiple vulnerabilities).

Oracle has updated ntp (OL7; OL6; OL5: multiple code execution vulnerabilities).

Red Hat has updated ntp (RHEL6,7; RHEL5: multiple code execution vulnerabilities).

Scientific Linux has updated glibc (SL7: code execution) and ntp (SL6,7; SL5: multiple code execution vulnerabilities).

Ubuntu has updated ntp (multiple code execution vulnerabilities).

Severe NTP vulnerabilities

Monday 22nd of December 2014 02:41:29 PM
Here is a CERT advisory warning of a number of code-execution vulnerabilities in ntpd, the reference network time protocol (NTP) implementation. "These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available." Most distributors already have updates available; applying them seems like a good idea.
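One practical question after an advisory like this is which hosts still run a pre-fix ntpd. The script below is an added example, not part of the CERT advisory, of ntp.org's distribution or of LWN. It assumes the operator collects the output of `ntpd --version` (or `ntpq -c version`) themselves and that 4.2.8 is the first upstream release carrying the fixes (which is what ntp.org shipped in December 2014); the sample strings are constructed. One caveat a practitioner needs: distributors usually backport fixes without raising the version number, so "predates fix" from this check means "confirm against your distributor's advisory", not "exploitable".

```python
"""Parse the version string ntpd reports and decide whether it predates
ntp-4.2.8, the first upstream release with the fixes for the CERT-listed
code-execution flaws. Added example; not part of the advisory or of ntp.
Assumes the caller supplies `ntpd --version` / `ntpq -c version` output.
Backported distro packages keep old version numbers, so treat a True
result as "check the distributor's advisory", not as proof of exposure."""

import re

FIXED_VERSION = (4, 2, 8, 0)   # ntp-4.2.8 (assumption: first fixed upstream release)

# Upstream versions look like 4.2.6p5 (patch level after 'p') or 4.2.8.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")


def parse_ntp_version(text):
    """Return (major, minor, micro, patch) from text such as
    'ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)', or None
    when no x.y.z version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def predates_fix(text):
    """True when the reported upstream version is older than 4.2.8.
    The 4.2.7pNNN development series sorts below 4.2.8 as intended."""
    version = parse_ntp_version(text)
    if version is None:
        raise ValueError("no ntp version found in: %r" % (text,))
    return version < FIXED_VERSION


# Constructed sample outputs (not captured from real hosts), mapped to
# the expected answer from predates_fix().
SAMPLES = {
    "ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)": True,
    "ntpd 4.2.7p482@1.2483-o Mon Dec  8 09:10:31 UTC 2014 (1)": True,
    "ntpd 4.2.8@1.3265-o Thu Dec 18 16:04:53 UTC 2014 (1)": False,
    "ntpd 4.2.8p1@1.3265-o Thu Feb  5 12:00:00 UTC 2015 (1)": False,
}


def check_samples():
    """Evaluate every constructed sample; returns {text: predates_fix(text)}."""
    return {text: predates_fix(text) for text in SAMPLES}


if __name__ == "__main__":
    import sys
    # Pipe real output in (ntpd --version 2>&1 | python3 ntpcheck.py);
    # with no stdin, walk the constructed samples instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    for sample in ([text] if text.strip() else SAMPLES):
        status = "UPDATE  " if predates_fix(sample) else "ok      "
        print(status + sample.strip())
```

The version comparison is the easy part; the hard part on a real fleet is the backport caveat above, which is why the output is phrased as a prompt to check the package changelog rather than as a verdict.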

Kernel prepatch 3.19-rc1

Sunday 21st of December 2014 04:16:56 AM
Linus has sent out 3.19-rc1 and closed the merge window for this release one day earlier than some might have expected. "Considering how much came in fairly late, I find it hard to care about anybody who had decided to cut it even closer than some people already did. That said, maybe there aren't any real stragglers - and judging by the size of rc1, there really can't have been much." In the end, 11,408 non-merge changesets were pulled into the mainline during this development cycle.

Tagged memory and minion cores in the lowRISC SoC

Friday 19th of December 2014 09:15:45 PM
The lowRISC project, which aims to create and manufacture a fully open-source system-on-chip (SoC) and development board, has released a document on its plans to incorporate tagged memory and minion cores into the SoC. Minion cores are separate I/O processors that can be used to implement various I/O protocols without requiring additional hardware in the design. "Tagged memory associates metadata with each memory location and can be used to implement fine-grained memory access restrictions. Attacks which hijack control flow can be prevented by using this protection to restrict writes to memory locations containing return addresses, function pointers, and vtable pointers. Importantly, we anticipate this can be implemented with a worst-case performance overhead of a few percent and a similarly low area cost. This fine-grained memory protection can be used automatically by the compiler, meaning improved security is available to existing programs without source code modifications. We intend to provide tagged memory alongside security features which are already commonly deployed such as secure boot, encrypted off-chip memory, and cryptographic accelerators."

EU to fund Free Software code review (FSFE)

Friday 19th of December 2014 08:35:23 PM
The Free Software Foundation Europe (FSFE) has commented on the most recent European Union (EU) budget—approved on December 17—that includes €1 million for auditing free-software programs that are used by the EU governmental bodies. The auditing is meant to find and fix security holes in those programs. "Even though these institutions are tightly locked into non-free file formats, much of their infrastructure is based on Free Software. 'This is a very welcome decision,' says FSFE's president Karsten Gerloff. 'Like most public bodies, the European institutions rely heavily on Free Software for their daily operations. It is good to see that the Parliament and the Commission will invest at least a little in improving the quality and the programs they use.'"

Friday's security advisories

Friday 19th of December 2014 03:14:24 PM

CentOS has updated glibc (C7: code execution), jasper (C7; C6: three code execution flaws), and kernel (C7: privilege escalation).

Gentoo has updated znc (two denial of service flaws, one from 2013).

Oracle has updated glibc (OL7: three vulnerabilities), jasper (OL7; OL6: three code execution flaws), and kernel (OL7; OL5; OL5: privilege escalation).

Red Hat has updated glibc (RHEL7: code execution) and jasper (RHEL6&7: three code execution flaws).

Scientific Linux has updated jasper (SL6&7: three code execution flaws).

Ubuntu has updated kernel (14.04: regression in previous security fix) and kernel (14.10: regression in previous security fix).

Git v2.2.1 (security release) available

Thursday 18th of December 2014 09:45:14 PM
There is a new version of the Git client out with an important security fix: with vulnerable versions of the Git client on a case-insensitive filesystem, a pull (or clone) from a malicious repository can overwrite files under the .git directory and cause the execution of arbitrary commands. Linux systems running case-sensitive filesystems are not affected by this problem, but Windows and Mac OS systems are.
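The root cause is that a tree entry named, say, ".Git" is a distinct path on a case-sensitive filesystem but lands on .git when checked out on a case-insensitive one. The following is an added example, not Git's own code and not from LWN, of the kind of path check a repository-hosting or pre-receive tool might apply to incoming tree entries. It goes beyond the case-insensitivity the item mentions, in that it also folds the way HFS+ (which ignores certain zero-width code points) and NTFS (8.3 short names such as "git~1", stripped trailing dots and spaces) fold names; those extra rules, and the ignorable-code-point list, are this example's own approximation and not a copy of what Git 2.2.1 implements.

```python
"""Flag repository paths with a component that would collide with ".git"
once a name-folding filesystem gets hold of it. Added example, not Git's
code. The folding rules (case, HFS+-ignorable code points, NTFS trailing
dot/space stripping and 8.3 short names) are this example's own
approximation; HFS_IGNORABLE is illustrative rather than exhaustive."""

import unicodedata

# Zero-width / directionality code points that HFS+ ignores when comparing
# names (assumption; illustrative subset).
HFS_IGNORABLE = {
    "\u200c", "\u200d", "\u200e", "\u200f",
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u206a", "\u206b", "\u206c", "\u206d", "\u206e", "\u206f",
    "\ufeff",
}


def _fold_component(name):
    """NFD-normalise, drop HFS+-ignorable code points, strip the trailing
    dots and spaces NTFS discards, then case-fold."""
    stripped = "".join(ch for ch in unicodedata.normalize("NFD", name)
                       if ch not in HFS_IGNORABLE)
    return stripped.rstrip(". ").lower()


def is_dotgit_component(name):
    """True if this single path component could become .git on a folding
    filesystem, including the NTFS short name GIT~1 for a long .git* entry."""
    folded = _fold_component(name)
    if folded == ".git":
        return True
    if folded.startswith("git~") and folded[4:].isdigit():
        return True
    return False


def find_dotgit_paths(paths):
    """Return the subset of repo-relative paths (iterable of str) that contain
    a .git-colliding component; both '/' and '\\' are treated as separators."""
    hits = []
    for path in paths:
        components = path.replace("\\", "/").split("/")
        if any(is_dotgit_component(c) for c in components):
            hits.append(path)
    return hits


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE = [
    "README",
    "src/main.c",
    ".Git/config",                    # plain case-insensitive collision
    "sub/.GIT/hooks/post-checkout",   # nested, hooks directory
    ".g\u200cit/config",              # HFS+ ignores the zero-width non-joiner
    "git~1/config",                   # NTFS 8.3 short name for .git
    ".git. /config",                  # NTFS strips trailing dot and space
    "nogit/config",                   # harmless: not a .git component
    "gitfoo/x",                       # harmless: no '~' short-name pattern
]


if __name__ == "__main__":
    for path in find_dotgit_paths(SAMPLE_TREE):
        print("rejected:", repr(path))
```

A check like this belongs on the receiving side (the server or the tool that accepts pushes), because the client-side fix in 2.2.1 only helps users who have upgraded; nested submodule paths and any other place a tree entry can name a directory need the same treatment.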

KDE Applications 14.12 released

Thursday 18th of December 2014 09:13:13 PM
The KDE project has announced the release of KDE Applications 14.12, which has the first set of applications that have been ported to KDE Frameworks 5. Most of the applications are still based on KDE Development Platform 4, but some have been moved to the new Qt5-based Frameworks. "The release includes the first KDE Frameworks 5-based versions of Kate and KWrite, Konsole, Gwenview, KAlgebra, Kanagram, KHangman, Kig, Parley, KApptemplate and Okteta. Some libraries are also ready for KDE Frameworks 5 use: analitza and libkeduvocdocument. Libkface is new in this release; it is a library to enable face detection and face recognition in photographs." More information on the new features and fixes that came in the release can be found in the change log and a KDE.News article.

Klapper: Good bye Bugzilla, welcome Phabricator.

Thursday 18th of December 2014 07:19:14 PM
On his blog, André Klapper describes Wikimedia's move from Bugzilla to Phabricator, which is described as an "open source software engineering platform". After ten years and 70,000+ bugs, there was a lot of data to migrate, which went well overall, though there were a few surprises along the way. "We had to work around an unresolved upstream XML-RPC API bug in Bugzilla by applying a custom hack when exporting comments in a first step and removing the hack when exporting attachments (with binary data) in a second step. Though we did, it took us a while to realize that Bugzilla attachments imported into Phabricator were scrambled as the hack got still applied for unknown reasons (some caching?). Rebooting the Bugzilla server fixed the problem but we had to start from scratch with importing attachments." (Thanks to Paul Wise.)

Security updates for Thursday

Thursday 18th of December 2014 04:43:06 PM

CentOS has updated kernel (C5: privilege escalation).

Fedora has updated bind (F20: two denial of service flaws), cpio (F21: denial of service), pam (F20: two vulnerabilities, one from 2013), and tcpdump (F20: three vulnerabilities).

Red Hat has updated kernel (RHEL7; RHEL6; RHEL5: privilege escalation).

Scientific Linux has updated kernel (SL7; SL5: privilege escalation).