Syndicate content is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.

The US government's "Cybersecurity National Action Plan"

Wednesday 10th of February 2016 12:12:31 AM
The Obama administration has put out a plan for how it would like to make the net a safer place. There are a lot of topics covered here; toward the end it also mentions that "the Government will work with organizations such as the Linux Foundation’s Core Infrastructure Initiative to fund and secure commonly used internet 'utilities' such as open-source software, protocols, and standards. Just as our roads and bridges need regular repair and upkeep, so do the technical linkages that allow the information superhighway to flow."

[$] Protecting systems with the TPM

Tuesday 9th of February 2016 09:41:35 PM
"TPM," said Matthew Garrett in his 2016 talk, stands for "trusted platform module"; it is a tool that is meant to allow a system's owner to decide which software to trust. Some years ago, there was a lot of fear that the TPM would be used, instead, to take that decision away, to allow others to decide which software would be trusted to run on our systems; for that reason, some called "trusted computing" by the rather less complimentary name "treacherous computing." That scenario didn't come about, though, for a number of reasons, both technical and social. But we can still use the TPM for its original purpose; Matthew was there to talk about his work to bring about computing that we can trust.

Click below (subscribers only) for the full report from LCA 2016.

Tuesday's security updates

Tuesday 9th of February 2016 04:44:40 PM

Debian has updated qemu (multiple vulnerabilities), qemu (more vulnerabilities), qemu-kvm (multiple vulnerabilities), and wordpress (two vulnerabilities).

Debian-LTS has updated gajim (man-in-the-middle).

Mageia has updated mbedtls/hiawatha/belle-sip/linphone/pdns (code execution), openssl (man-in-the-middle), php (multiple vulnerabilities), privoxy (denial of service), and radicale (authentication bypass).

Red Hat has updated sos (RHEL6: information leak).

Slackware has updated curl (authentication bypass) and flac (multiple vulnerabilities).

SUSE has updated java-1_8_0-ibm (SLE12-SP1: multiple vulnerabilities) and rubygem-rails-html-sanitizer (SES2.1: multiple vulnerabilities).

Ubuntu has updated firefox (regression in previous update).

It’s Been 20 Years Since This Man Declared Cyberspace Independence (Wired)

Monday 8th of February 2016 11:40:04 PM
Wired talks with John Perry Barlow on the 20th anniversary of his Declaration of Independence of Cyberspace. "In the modern era of global NSA surveillance, China’s Great Firewall, and FBI agents trawling the dark Web, it’s easy to write off Barlow’s declaration as early dotcom-era hubris. But on his document’s 20th anniversary, Barlow himself wants to be clear: He stands by his words just as much today as he did when he clicked “send” in 1996."

Security advisories for Monday

Monday 8th of February 2016 06:11:04 PM

Arch Linux has updated lib32-libsndfile (multiple vulnerabilities) and libsndfile (multiple vulnerabilities).

Debian has updated polarssl (code execution) and tiff (multiple vulnerabilities).

Debian-LTS has updated eglibc (multiple vulnerabilities) and linux-2.6 (multiple vulnerabilities).

Fedora has updated claws-mail (F23: stack-based buffer overflow), nginx (F22: denial of service), and prosody (F23: insecure handling of dialback keys).

Mageia has updated cakephp (denial of service), cgit (three vulnerabilities), curl (authentication bypass), cyrus-imapd (two vulnerabilities), docker/golang (two vulnerabilities), gajim (man-in-the-middle), imlib2 (denial of service), java-1.8.0-openjdk/copy-jdk-configs/lua-lunit/lua-posix (multiple vulnerabilities), krb5 (three vulnerabilities), phpmyadmin/phpseclib (multiple vulnerabilities), and socat (man-in-the-middle).

openSUSE has updated curl (Leap42.1; 13.2; 13.1: authentication bypass), mariadb (Leap42.1; 13.2: multiple vulnerabilities), mysql (Leap42.1, 13.2; 13.1: multiple vulnerabilities), nginx (Leap42.1: denial of service), openssl (13.2: man-in-the-middle), php5 (Leap42.1: two vulnerabilities), phpMyAdmin (Leap42.1, 13.2: multiple vulnerabilities), rubygem-actionpack-3_2 (13.2: multiple vulnerabilities), rubygem-actionpack-4_2 (Leap42.1: multiple vulnerabilities), rubygem-rails-html-sanitizer (Leap42.1: multiple vulnerabilities), and phpmyadmin (13.1: multiple vulnerabilities).

Red Hat has updated openstack-swift (RHELOSP5 for RHEL6; RHELOSP5 for RHEL7; RHELOSP6 for RHEL7: denial of service) and python-django (RHELOSP6 for RHEL7: information disclosure).

SUSE has updated kernel (SLE11-SP3: multiple vulnerabilities).

Kernel prepatch 4.5-rc3

Monday 8th of February 2016 02:37:45 PM
The 4.5-rc3 kernel prepatch is out. "It's slightly bigger than I'd like, but not excessively so (and not unusually so). Most of the patches are pretty small, although the diff is utterly dominated by the (big) removal a couple of staging rdma drivers that just weren't going anywhere. Those removal patches are 90% of the bulk of the diff."

The rkt container manager reaches 1.0

Friday 5th of February 2016 10:49:50 PM

The CoreOS project has announced version 1.0 of its rkt container manager. As part of the release, rkt's command-line interface and on-disk format have been declared stable. The announcement also highlights a number of new security features, including "KVM-based container isolation, SELinux support, TPM integration, image signature validation, and privilege separation" and notes that rkt will run Docker images.

Friday's security updates

Friday 5th of February 2016 03:55:55 PM

Arch Linux has updated libbsd (denial of service).

Debian has updated krb5 (multiple vulnerabilities).

Fedora has updated nettle (F23: improper cryptographic calculations), salt (F22: information leak), and webkitgtk4 (F23: multiple vulnerabilities).

SUSE has updated MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss (SLE12: multiple vulnerabilities) and MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nss (SLE11: multiple vulnerabilities).

First Ubuntu Touch Tablet Brings Convergence at Last (

Thursday 4th of February 2016 10:18:53 PM
Over at, Eric Brown looks at the newly announced Ubuntu Touch tablet. The hardware: "The Aquaris M10 is equipped with a 64-bit, quad-core, Cortex-A53 MediaTek MT8163A system-on-chip clocked to 1.5GHz, along with a high-powered ARM Mali-T720 MP2 GPU. The tablet ships with 2GB of RAM, 16GB flash, and a microSD slot." It is said to have 1920x1200 resolution and an 8 megapixel camera capable of HD recording. The interface will change to take advantage of larger displays and additional input devices (e.g. keyboard, mouse). "It appears that the upcoming Ubuntu 16.04 “Xenial Xerus” LTS release due in April will be the first true convergence release. According to PC World, it will still be optional, however, with a traditional Unity 7 build with available alongside the newly converged Unity 8 with the new Mir display server. The new tablet, and Unity 8, will feature Ubuntu Touch’s Scopes interface, which presents frequently used content and services as an alternative to traditional apps. In addition to automatically changing the interface in response to new screens and input devices, Ubuntu is also providing convergence on the application development level. Developers are already developing single apps that can automatically morph into desktop, phone, and tablet formats."

Thursday's security advisories

Thursday 4th of February 2016 03:45:42 PM

Debian-LTS has updated openjdk-6 (multiple vulnerabilities).

Fedora has updated nodejs-is-my-json-valid (F23: denial of service), phpmyadmin (F23: multiple vulnerabilities), and prosody (F22: insecure key handling).

Gentoo has updated qemu (multiple vulnerabilities).

Slackware has updated mozilla (unspecified), mplayer (file contents leak), openssl (cipher downgrade), and php (three vulnerabilities).

[$] Weekly Edition for February 4, 2016

Thursday 4th of February 2016 01:23:49 AM
The Weekly Edition for February 4, 2016 is available.

Security advisories for Wednesday

Wednesday 3rd of February 2016 05:18:10 PM

Arch Linux has updated lib32-nettle (improper cryptographic calculations) and nettle (improper cryptographic calculations).

Debian has updated openjdk-6 (multiple vulnerabilities).

Fedora has updated openstack-heat (F23: denial of service) and openstack-swift (F23: denial of service).

openSUSE has updated kernel (13.2: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7.1: multiple vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (15.10, 14.04, 12.04: multiple vulnerabilities).

Catanzaro: On WebKit security updates

Tuesday 2nd of February 2016 08:57:33 PM
Michael Catanzaro describes the sad state of WebKit security on Linux distributions and the challenges of security support for such a complex package in general. "We regularly receive bug reports from users with very old versions of WebKit, who trust their distributors to handle security for them and might not even realize they are running ancient, unsafe versions of WebKit. I strongly recommend using a distribution that releases WebKitGTK+ updates shortly after they’re released upstream. That is currently only Arch and Fedora. (You can also safely use WebKitGTK+ in Debian testing — except during its long freeze periods — and Debian unstable, and maybe also in openSUSE Tumbleweed. Just be aware that the stable releases of these distributions are currently not receiving our security updates.)" Lots of information here, worth a read for anybody interested in the topic.

Tuesday's security advisories

Tuesday 2nd of February 2016 05:54:31 PM

Arch Linux has updated curl (authentication bypass), lib32-curl (authentication bypass), python-django (permission bypass), and python2-django (permission bypass).

Fedora has updated bind (F22: two denial of service flaws), chrony (F22: packet modification), curl (F22: authentication bypass), firefox (F22: multiple vulnerabilities), and qemu (F22: multiple vulnerabilities).

openSUSE has updated firefox (13.1: multiple vulnerabilities), privoxy (Leap42.1, 13.2; 13.1: two denial of service flaws), seamonkey (Leap42.1, 13.2; 13.1: multiple vulnerabilities), firefox (Leap42.1, 13.2: multiple vulnerabilities), and xulrunner (Leap42.1: code execution).

Red Hat has updated java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), java-1.8.0-ibm (RHEL7: multiple vulnerabilities), and redis (RHELOSP7-OT; RHELOSP7; RHELOSP6: denial of service).

Ubuntu has updated kernel (15.10; 15.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), openjdk-6 (12.04: multiple vulnerabilities), and openjdk-7 (15.10, 15.04, 14.04: multiple vulnerabilities).

[$] Whole-house audio with free hardware and software

Monday 1st of February 2016 10:55:22 PM
The Black Forest fire destroyed over 500 Colorado houses in June 2013; one of those belonged to longtime Debian developer Bdale Garbee. As he reported during his talk at the 2016 Multimedia and Music miniconf, the house has been redesigned and rebuilt and life is generally better now. Part of the rebuilding process included the incorporation of a whole-house audio system; naturally, Bdale took a unique approach to that task. His talk showed what can be done when one starts from scratch — and doesn't mind designing a circuit board along the way.

Fifteen years of SELinux

Monday 1st of February 2016 07:52:13 PM
This Red Hat blog post celebrates the fifteenth anniversary of the first SELinux release. "With the question of open source security long behind us, we are now focused on providing an even more flexible security model through SELinux. With the rise of composite, distributed applications that can span hundreds of physical and virtual machines as well as disparate cloud instances and Linux container deployments, one-off usage of SELinux is not enough. Instead, we are focused on providing “defense in depth” for modern computing scenarios, effectively building and deploying SELinux policies at each level of the datacenter."

Security updates for Monday

Monday 1st of February 2016 06:28:59 PM

CentOS has updated qemu-kvm (C7; C6: code execution).

Debian has updated freetype (denial of service), privoxy (two denial of service flaws), prosody (insecure handling of dialback keys), radicale (two vulnerabilities), and rails (multiple vulnerabilities).

Debian-LTS has updated gosa (code injection), mysql-5.5 (multiple vulnerabilities), phpmyadmin (two vulnerabilities), prosody (two vulnerabilities), and tiff (multiple vulnerabilities).

Fedora has updated curl (F23: authentication bypass), firefox (F23: multiple vulnerabilities), gsi-openssh (F22: multiple vulnerabilities), imlib2 (F23: denial of service), kernel (F23; F22: multiple vulnerabilities), krb5 (F23: three vulnerabilities), moodle (F23; F22: two vulnerabilities), nginx (F23: multiple vulnerabilities), ntp (F23: multiple vulnerabilities), openssl (F23: two vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), privoxy (F23; F22: two denial of service flaws), webkitgtk4 (F22: multiple vulnerabilities), and xen (F22: multiple vulnerabilities).

Gentoo has updated openssl (multiple vulnerabilities).

openSUSE has updated ecryptfs-utils (Leap42.1; 13.1: two vulnerabilities), giflib (Leap42.1: heap-based buffer overflow), and kernel (13.1: multiple vulnerabilities).

Kernel prepatch 4.5-rc2

Monday 1st of February 2016 02:52:59 AM
The 4.5-rc2 kernel prepatch is out. Linus says things aren't going so slowly anymore: "As late as Friday, I was planning on talking about how nice it is to see this new trend of tiny rc2 releases, because there really hadn't been very many pull requests at all. But it turns out the pull requests were just heavily skewed to the end of the week, and 4.5-rc2 isn't particularly small after all. It pretty much doubled over the weekend." Still, he seems to think that things are working well enough.

The stable update stream continues

Sunday 31st of January 2016 07:56:00 PM
The 4.4.1, 4.3.5, and 4.1.17 stable kernel updates are out. These contain a relatively large number of changes as Greg Kroah-Hartman continues to work through the patch backlog.

KDE neon announced

Sunday 31st of January 2016 07:48:56 PM
The KDE neon project — which arguably could be seen as a replacement for the Kubuntu distribution — has been announced at FOSDEM. "More than ever people expect a stable desktop with cutting-edge features, all in a package which is easy to use and ready to make their own. KDE Neon is the intersection of these needs using a stable Ubuntu long-term release as its core, packaging the hottest software fresh from the KDE Community ovens. Compute knowing you have a solid foundation and enjoy the features you experience in the world's most customisable desktop."