Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 1 hour 7 min ago

[$] One-time passwords and GnuPG with Nitrokey

3 hours 40 min ago

A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.

Stable kernel updates

4 hours 46 min ago
Greg Kroah-Hartman has released stable kernels 4.6.5, 4.4.16, and 3.14.74. All of them contain important fixes.

A statement from the Tor project

7 hours 54 min ago
Shari Steele has posted a statement from the Tor project on the results of an investigation into the allegations of harassment (and worse) within Tor and how the project will respond. "I am pleased, therefore, to announce that both the Tor Project and the Tor community are taking active steps to strengthen our ability to handle problems of unprofessional behavior. Specifically, the Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints, and an internal complaint review process. They were recently approved by Tor’s board of directors, and they will be rolled out internally this week."

Security advisories for Wednesday

8 hours 50 min ago

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), samba (C7: crypto downgrade), and samba4 (C6: crypto downgrade).

Debian has updated libgd2 (denial of service), mariadb-10.0 (multiple vulnerabilities), and php5 (multiple vulnerabilities).

Debian-LTS has updated libgd2 (denial of service).

Mageia has updated apache (HTTP redirect), harfbuzz (multiple vulnerabilities), libgd (three vulnerabilities), libidn (multiple vulnerabilities), libupnp (unauthenticated access), libxml2 (multiple vulnerabilities), mariadb (multiple vulnerabilities), mupdf (denial of service), php/xmlrpc-epi/timezone (multiple vulnerabilities), sudo (race condition), tomcat/apache-commons-fileupload (denial of service), and virtualbox (allows local users to affect availability).

Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.7: privilege escalation).

Scientific Linux has updated samba (SL7: crypto downgrade) and samba4 (SL6: crypto downgrade).

Ubuntu has updated kde4libs (15.10, 14.04, 16.04: command execution) and openjdk-8 (16.04: multiple vulnerabilities).

Sitter: Snappy sprint reporty musing

Tuesday 26th of July 2016 06:18:44 PM
Harald Sitter reports on a discussion at recent sprint focused on making Snap packaging useful for KDE. "Shipping things users can use on Linux has been a pain in the rear since forever and these bundles are meant to change that. As such we as KDE should have a strong interest and presence in this field in the hopes of shaping a future that is useful to us. After all, we are one of the biggest source distributors, and the primary reason we don't also offer generic binary packages of our applications is because this never scaled and was altogether terrible to pull off from a KDE point of view." He and Scarlett Clark are working on some high level mass automation of snap building on top of KDE Neon's existing deb binaries. (Thanks to Jos van den Oever)

Tuesday's security updates

Tuesday 26th of July 2016 04:39:50 PM

Debian has updated ntp (multiple vulnerabilities).

Debian-LTS has updated cacti (three vulnerabilities), dietlibc (insecure default PATH), gosa (code injection), ntp (multiple vulnerabilities), squid (cache poisoning), and uclibc (three vulnerabilities).

Oracle has updated samba (OL7: crypto downgrade) and samba4 (OL6: crypto downgrade).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), samba (RHEL7: crypto downgrade), and samba4 (RHEL6: crypto downgrade).

OpenVZ 7.0 released

Monday 25th of July 2016 10:38:37 PM
OpenVZ 7.0 has been released. The new release focuses on merging OpenVZ and Virtuozzo source codebase and replacing its hypervisor with KVM. There are many other improvements and new features in container management and more.

The newest version of OpenBSD closes potential security loopholes (InfoWorld)

Monday 25th of July 2016 08:11:14 PM
InfoWorld takes a look at the upcoming OpenBSD 6.0 release. "Most significant among the latest security-related changes for OpenBSD is the removal of Linux emulation support. Prior versions of OpenBSD made it possible to run Linux applications by way of a compatibility layer, but the release notes for OpenBSD 6.0 indicate the Linux subsystem was removed as a "security improvement.""

Security advisories for Monday

Monday 25th of July 2016 04:43:00 PM

Arch Linux has updated chromium (multiple vulnerabilities), python-django (cross-site scripting), and python2-django (cross-site scripting).

Debian has updated openssh (user enumeration via timing side-channel), perl (two vulnerabilities), and phpmyadmin (multiple vulnerabilities).

Debian-LTS has updated squid3 (denial of service).

Fedora has updated ca-certificates (F24: certificate update), gd (F24: multiple vulnerabilities), httpd (F24: HTTP redirect), kf5-karchive (F24; F23: command execution, over a hundred related KDE Frameworks packages were included in this update), libgcrypt (F24: key leak), libidn (F24: multiple vulnerabilities), libvirt (F24: authentication bypass), and mingw-gnutls (F24: certificate verification vulnerability).

openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities) and gnugk (Leap42.1, 13.2: denial of service).

Red Hat has updated mariadb55-mariadb (RHSCL: many vulnerabilities) and mysql55-mysql (RHSCL: many vulnerabilities).

Slackware has updated bind (denial of service).

The 4.7 kernel is out

Sunday 24th of July 2016 10:12:46 PM
Linus has returned from his travels and released the 4.7 kernel. The most significant changes in this release include the tracing histograms feature, in-kernel tracing analysis via the ability to attach BPF programs to tracepoints, the LoadPin security module, better out-of-memory detection, faster filesystem operations with parallel pathname lookups, the schedutil CPU frequency governor, and more. See the KernelNewbies 4.7 page for lots of details.

Clasen: Using modern gettext

Friday 22nd of July 2016 10:33:52 PM

At his blog, Matthias Clasen explores the recent enhancements to the the classic GNU gettext utility. Thanks in large part to new maintainer Daiki Ueno, gettext now understands many more file formats—thus enabling developers to easily extract strings from a wide variety of source files for translation. In addition to programming languages, Clasen notes, gettext understands .desktop files, GSettings schemas, GtkBuilder ui files, and Appdata files. "If you don’t want to wait for your favorite format to come with built-in its support, you can also include its files with your application; gettext will look for such files in $XDG_DATA_DIRS/gettext/its/."

Friday's security updates

Friday 22nd of July 2016 03:23:13 PM

Arch Linux has updated drupal (proxy injection).

Debian has updated mysql-5.5 (multiple vulnerabilities) and squid3 (multiple vulnerabilities).

Debian-LTS has updated python-django (cross-site scripting).

openSUSE has updated p7zip (13.1: code execution).

Slackware has updated gimp (14.0, 14.1, 14.2: code execution) and php (14.0, 14.1, 14.2: multiple vulnerabilities).

Ubuntu has updated mysql-5.5, mysql-5.6, mysql-5.7 (12.04, 14.04, 15.10, 16.04: multiple vulnerabilities).

EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment

Thursday 21st of July 2016 07:37:03 PM
The Electronic Frontier Foundation (EFF) has announced that it is suing the US government over provisions in the Digital Millennium Copyright Act (DMCA). The suit has been filed on behalf of Andrew "bunnie" Huang, who has a blog post describing the reasons behind the suit. The EFF also explained why these DMCA provisions should be ruled unconstitutional: "These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing. Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people’s ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials."

Security updates for Thursday

Thursday 21st of July 2016 02:02:30 PM

Arch Linux has updated bind (denial of service).

CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian-LTS has updated libarchive (multiple vulnerabilities, most from 2015).

Fedora has updated openssh (F24: user enumeration via timing side-channel) and p7zip (F24: two code execution flaws).

openSUSE has updated dhcp (42.1: denial of service).

Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), and openstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015).

Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated obs-service-source_validator (SLE12: code execution).

[$] LWN.net Weekly Edition for July 21, 2016

Thursday 21st of July 2016 12:02:59 AM
The LWN.net Weekly Edition for July 21, 2016 is available.

An honorary degree for Alan Cox

Wednesday 20th of July 2016 06:24:46 PM
Congratulations are due to Alan Cox, who was awarded an honorary degree by Swansea University for his work with Linux. "Alan started working on Version 0. There were bugs and problems he could correct. He put Linux on a machine in the Swansea University computer network, which revealed many problems in networking which he sorted out; later he rewrote the networking software. Alan brought to Linux software engineering discipline: Linux software releases that were tested, corrected and above all stable. On graduating, Alan worked at Swansea University, set up the UK Linux server and distributed thousands of systems."

Smedberg: Reducing Adobe Flash Usage in Firefox

Wednesday 20th of July 2016 06:01:20 PM
Benjamin Smedberg writes that the Firefox browser will soon start taking a more active approach to the elimination of Flash content. "Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness."

Security updates for Wednesday

Wednesday 20th of July 2016 04:42:50 PM

Debian has updated apache2 (HTTP redirect).

Debian-LTS has updated apache2 (HTTP redirect).

Fedora has updated ecryptfs-utils (F24: two vulnerabilities), kernel (F24; F23: multiple vulnerabilities), php-doctrine-orm (F24; F23: privilege escalation), and spice (F24: two vulnerabilities).

Gentoo has updated ansible (code execution), arpwatch (privilege escalation from 2012), bugzilla (multiple vulnerabilities from 2014), commons-beanutils (code execution from 2014), dropbear (information disclosure), exim (code execution from 2014), libbsd (denial of service), ntp (many vulnerabilities), and varnish (access control bypass).

openSUSE has updated ImageMagick (Leap42.1: many vulnerabilities), nodejs (Leap42.1, 13.2: buffer overflow), and samba (13.2: crypto downgrade).

Red Hat has updated java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated python-django (16.04: cross-site scripting).

Tor veteran Lucky Green exits, torpedos critical 'Tonga' node and relays (The Register)

Tuesday 19th of July 2016 09:17:17 PM
The Register reports that longtime Tor contributor Lucky Green is quitting and closing down the node and bridge authority he operates. "Practically, it's a big deal. Bridge Authorities are part of the infrastructure that lets users get around some ISP-level blocks on the network (not, however, defeating deep packet inspection). They're also incorporated in the Tor code, meaning that to remove a Bridge Authority is going to need an update." The shutdown is scheduled for August 31. (Thanks to Nomen Nescio)

The Importance of Following Community-Oriented Principles in GPL Enforcement Work

Tuesday 19th of July 2016 08:55:02 PM
The Software Freedom Conservancy is one of the few organizations involved in GPL enforcement, and it has published principles regarding enforcement practices that seek compliance and not financial penalties. Bradley Kuhn and Karen Sandler urge others doing GPL enforcement to follow principles set forth by the SFC. "One impetus in drafting the Principles was our discovery of ongoing enforcement efforts that did not fit with the GPL enforcement community traditions and norms established for the last two decades. Publishing the previously unwritten guidelines has quickly separated the wheat from the chaff. Specifically, we remain aware of multiple non-community-oriented GPL enforcement efforts, where none of those engaged in these efforts have endorsed our principles nor pledged to abide by them. These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years." The actions of one individual prompted the netfilter project to make a statement endorsing the principles, which we covered earlier this month.