Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 6 hours 11 min ago

Security advisories for Friday

Friday 9th of December 2016 04:26:05 PM

Arch Linux has updated jasper (multiple vulnerabilities, two from 2015) and linux-zen (code execution).

Debian-LTS has updated roundcube (code execution) and spip (cross-site scripting).

Fedora has updated httpd (F25: denial of service).

Mageia has updated phpmyadmin (multiple vulnerabilities).

openSUSE has updated GraphicsMagick (42.2: multiple vulnerabilities, many from 2014), kernel (13.2: multiple vulnerabilities, two from 2015), and libXfixes (13.2: denial of service).

Red Hat has updated python-XStatic-jquery-ui (RHOSP 9.0; RHOSP 8.0: cross-site scripting), rh-mariadb100-mariadb (RHSC: multiple vulnerabilities), and rh-mariadb101-mariadb (RHSC: multiple vulnerabilities).

SUSE has updated kernel (SLE12: three vulnerabilities).

Ubuntu has updated oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).

Stable kernels 4.8.13 and 4.4.37

Thursday 8th of December 2016 08:36:36 PM
Greg Kroah-Hartman has announced the release of the 4.8.13 and 4.4.37 stable kernels. As usual, there are fixes throughout the tree and users of those kernel series should upgrade.

Note that the fix for the kernel code execution vulnerability using AF_PACKET sockets (also known as CVE-2016-8655) has not made it into these stable kernels. Those running systemd may want to check Lennart Poettering's blog post on how to mitigate the problem for services started by systemd.

Remembering a friend: Matthew Williams (Fedora Community Blog)

Thursday 8th of December 2016 06:15:20 PM
Over at the Fedora Community Blog, Brian Proffitt writes about Fedora member Matthew Williams who passed away recently from cancer. "Matthew’s passion to constantly improve the software and hardware with which he worked created a tireless advocate for the Fedora Project, and his presence was felt at conferences across the nation: SCaLE, Ohio LinuxFest, and the former Indiana LinuxFest, an Indianapolis-based event that he helped found. Matthew also devoted time to interviewing and archiving notable figures in the free and open source software communities to learn what drove people to work on their projects. He was also very driven to share what he knew, launching the Open FOSS training site in 2015 to help new Linux users with getting involved with any Linux distribution. While he was active in the Fedora community, Matthew was also very involved with Ubuntu as well."

Thursday's security updates

Thursday 8th of December 2016 05:00:48 PM

Debian has updated xen (multiple vulnerabilities).

Debian-LTS has updated gst-plugins-bad0.10 (code execution) and gst-plugins-base0.10 (code execution).

Fedora has updated memcached (F25: three vulnerabilities), ntp (F25; F24; F23: multiple vulnerabilities), php-php-gettext (F23: code execution), and phpMyAdmin (F23: multiple vulnerabilities).

Gentoo has updated binutils (multiple vulnerabilities from 2014), coreutils (code execution from 2014), cracklib (code execution), jq (code execution from 2015), openjpeg (multiple vulnerabilities, one from 2015), socat (encryption botch), and sqlite (code execution from 2015).

Mageia has updated kernel (multiple vulnerabilities) and ntp (multiple vulnerabilities).

openSUSE has updated kernel (42.2; 42.1: multiple vulnerabilities, some from 2015).

Oracle has updated kernel 4.1.12 (OL7; OL6: two vulnerabilities).

Red Hat has updated atomic-openshift (RHOSCP 3.3, 3.2, 3.1:), chromium-browser (RHEL6: many vulnerabilities), and openstack-cinder and openstack-glance (RHOSP 9.0: denial of service from 2015).

SUSE has updated firefox (SLE12: code execution), java-1_6_0-ibm (SLE11: multiple vulnerabilities), java-1_7_1-ibm (SLE12; SLE11: multiple vulnerabilities), kernel (SLE12: three vulnerabilities), and xen (SLE11: multiple vulnerabilities).

Ubuntu has updated openjdk-6 (12.04: multiple vulnerabilities).

[$] LWN.net Weekly Edition for December 8, 2016

Thursday 8th of December 2016 01:15:25 AM
The LWN.net Weekly Edition for December 8, 2016 is available.

[$] GStreamer and the state of Linux desktop security

Wednesday 7th of December 2016 08:26:20 PM

Recently Chris Evans, an IT security expert currently working for Tesla, published a series of blog posts about security vulnerabilities in the GStreamer multimedia framework. A combination of the Chrome browser and GNOME-based desktops creates a particularly scary vulnerability. Evans also made a provocative statement: that vulnerabilities of this severity currently wouldn't happen in Windows 10. Is the state of security on the Linux desktop really that bad — and what can be done about it?

Subscribers can click below for the full story from this week's edition.

What’s New with Xen Project Hypervisor 4.8?

Wednesday 7th of December 2016 07:06:07 PM
The Xen Project Blog has released the Xen Project Hypervisor 4.8. "As always, we focused on improving code quality, security hardening as well as enabling new features. One area of interest and particular focus is new feature support for ARM servers. Over the last few months, we’ve seen a surge of patches from various ARM vendors that have collaborated on a wide range of updates from new drivers to architecture to security."

Security advisories for Wednesday

Wednesday 7th of December 2016 05:42:54 PM

Arch Linux has updated kernel (privilege escalation), linux-grsec (privilege escalation), and linux-lts (privilege escalation).

CentOS has updated sudo (C6: privilege escalation) and thunderbird (C6; C5: code execution).

Debian-LTS has updated mapserver (information leak).

Fedora has updated mingw-nsis (F23: DLL hijacking).

Gentoo has updated mercurial (multiple vulnerabilities), openssh (multiple vulnerabilities), openssl (multiple vulnerabilities), and pecl-http (code execution).

Mageia has updated drupal (two vulnerabilities), kernel-linus-4.4.32 (multiple vulnerabilities), and kernel-tmb-4.4.32 (multiple vulnerabilities).

openSUSE has updated libXrender (13.2: insufficient validation), libXtst (13.2: insufficient validation), libXv (13.2: insufficient validation), libXvMC (13.2: insufficient validation), roundcubemail (Leap42.2,42.1: two vulnerabilities), roundcubemail (13.2: cross-site scripting), tiff (13.2: multiple vulnerabilities), and X (Leap42.2, 42.1, 13.2: multiple vulnerabilities).

Oracle has updated sudo (OL7; OL6: privilege escalation).

SUSE has updated kernel (SLE12-SP1: three vulnerabilities).

WordPress 4.7

Tuesday 6th of December 2016 09:06:34 PM
WordPress 4.7 “Vaughan” has been released. This version includes a new default theme, adds new features to the customizer, comes with REST API endpoints for posts, comments, terms, users, meta, and settings, and more. "To help give you a solid base to build from, individual themes can provide starter content that appears when you go to customize your brand new site. This can range from placing a business information widget in the best location to providing a sample menu with social icon links to a static front page complete with beautiful images. Don’t worry – nothing new will appear on the live site until you’re ready to save and publish your initial theme setup."

[$] Maintainerless Debian?

Tuesday 6th of December 2016 05:51:02 PM
The maintainer model is deeply ingrained into the culture of the free-software community; for any bit of code, there is usually a developer (or a small group of developers) charged with that code's maintenance. Good maintainers can help a project run smoothly, while poor maintainers can run things into the ground. What is to be done to save a project with the latter type of maintainer? Forking can be an option in some cases but, in many others, it's not a practical alternative. The Debian project is currently discussing its approach to bad maintainers — a discussion which has taken a surprising turn.

Tuesday's security updates

Tuesday 6th of December 2016 05:01:04 PM

Debian-LTS has updated monit (regression in previous update).

Fedora has updated dpkg (F25; F24; F23: code execution), gstreamer-plugins-bad-free (F25: code execution), gstreamer1-plugins-bad-free (F24: code execution), gstreamer1-plugins-good (F24: multiple vulnerabilities), kernel (F25; F24; F23: denial of service), and thunderbird (F25: code execution).

Gentoo has updated arj (multiple vulnerabilities) and util-linux (command injection).

Mageia has updated firefox (code execution), thunderbird (multiple vulnerabilities), and virtualbox (multiple vulnerabilities).

openSUSE has updated GraphicsMagick (Leap42.1; 13.2: two vulnerabilities), ImageMagick (13.2: two vulnerabilities), mariadb (Leap42.2; Leap42.1: multiple mostly unspecified vulnerabilities), firefox, thunderbird, nss (13.1: multiple vulnerabilities), tcpreplay (Leap42.2: denial of service), kernel (13.1: multiple vulnerabilities), and thunderbird (SPH for SLE12: multiple vulnerabilities).

Oracle has updated thunderbird (OL7; OL6: code execution).

Red Hat has updated bind (RHEL6.2, 6.4, 6.5, 6.6, 6.7: denial of service) and sudo (RHEL6,7: privilege escalation).

SUSE has updated java-1_6_0-ibm (SLEMLS12: multiple vulnerabilities) and firefox, nss (SLE12-SP2,SP1: multiple vulnerabilities).

Ubuntu has updated kernel (16.10; 16.04; 14.04; 12.04: code execution), linux-lts-trusty (12.04: code execution), linux-lts-xenial (14.04: code execution), linux-raspi2 (16.10; 16.04: code execution), linux-snapdragon (16.04: code execution), and linux-ti-omap4 (12.04: code execution).

Bottomley: Using Your TPM as a Secure Key Store

Monday 5th of December 2016 09:03:26 PM
James Bottomley has posted a tutorial on using the trusted platform module to store cryptographic keys. "The main thing that came out of this discussion was that a lot of this stack complexity can be hidden from users and we should concentrate on making the TPM 'just work' for all cryptographic functions where we have parallels in the existing security layers (like the keystore). One of the great advantages of the TPM, instead of messing about with USB pkcs11 tokens, is that it has a file format for TPM keys (I’ll explain this later) which can be used directly in place of standard private key files."

Security advisories for Monday

Monday 5th of December 2016 06:38:40 PM

Arch Linux has updated chromium (multiple vulnerabilities) and libdwarf (multiple vulnerabilities).

CentOS has updated firefox (C6; C5: code execution).

Debian-LTS has updated openafs (information leak).

Fedora has updated firefox (F25; F24; F23: code execution), gstreamer1-plugins-bad-free (F25: code execution), gstreamer1-plugins-good (F25: code execution), p7zip (F24; F23: denial of service), phpMyAdmin (F25: multiple vulnerabilities), thunderbird (F24: code execution), and xen (F25; F24; F23: multiple vulnerabilities).

Gentoo has updated busybox (two vulnerabilities), chromium (multiple vulnerabilities), cifs-utils (code execution from 2014), dpkg (code execution), gd (multiple vulnerabilities), libsndfile (two vulnerabilities), libvirt (path traversal), nghttp2 (code execution), nghttp2 (denial of service), patch (denial of service), and pygments (shell injection).

openSUSE has updated containerd, docker, runc (Leap42.1, 42.2: permission bypass), firefox (two vulnerabilities), java-1_7_0-openjdk (13.1: multiple vulnerabilities), java-1_8_0-openjdk (Leap42.1, 42.2: multiple vulnerabilities), libarchive (Leap42.2; Leap42.1: multiple vulnerabilities), thunderbird (code execution), nodejs4 (Leap42.2: code execution), phpMyAdmin (multiple vulnerabilities), sudo (Leap42.2; Leap42.1: three vulnerabilities), tar (Leap42.1, 42.2: file overwrite), and vim (Leap42.2; Leap42.1, 13.2: code execution).

Red Hat has updated thunderbird (code execution).

SUSE has updated qemu (SLE12-SP1: multiple vulnerabilities).

Kernel prepatch 4.9-rc8

Monday 5th of December 2016 12:48:26 PM
The 4.9-rc8 kernel prepatch is out; the final 4.9 release will need one more week. "So if anybody has been following the git tree, it should come as no surprise that I ended up doing an rc8 after all: things haven't been bad, but it also hasn't been the complete quiet that would have made me go 'no point in doing another week'."

What's new in OpenStack in 2016: A look at the Newton release (Opensource.com)

Friday 2nd of December 2016 09:13:37 PM
Over at Opensource.com, Rich Bowen gives an overview of the changes in the OpenStack Newton release that was made in October. In it, he looks at each of sub-projects and highlights some of the changes for them that were in the release, which is also useful as a kind high-level guide to some of the various sub-projects and their roles. "With a product as large as OpenStack, summarizing what's new in a particular release is challenging. (See the full release notes for more details.) Each deployment of OpenStack might use a different combination of services and projects, and so will care about different updates. Added to that, the release notes for the various projects tend to be extremely technical in nature, and often don't do a great job of calling out the changes that will actually be noticed by either operators or users."

BitUnmap: Attacking Android Ashmem (Project Zero blog)

Friday 2nd of December 2016 08:24:23 PM
Google's Project Zero blog has a detailed look at exploiting a vulnerability in Android's ashmem shared-memory facility. "The mismatch between the mmap-ed and munmap-ed length provides us with a great exploitation primitive! Specifically, we could supply a short length for the mmap operation and a longer length for the munmap operation - thus resulting in deletion of an arbitrarily large range of virtual memory following our bitmap object. Moreover, there’s no need for the deleted range to contain one continuous memory mapping, since the range supplied in munmap simply ignores unmapped pages. Once we delete a range of memory, we can then attempt to “re-capture” that memory region with controlled data, by causing another allocation in the remote process. By doing so, we can forcibly “free” a data structure and replace its contents with our own chosen data -- effectively forcing a use-after-free condition."

Stable kernels 4.8.12 and 4.4.36

Friday 2nd of December 2016 04:06:59 PM
The 4.8.12 and 4.4.36 stable kernels have been released. As always, users of those kernel series should upgrade.

Security updates for Friday

Friday 2nd of December 2016 04:02:53 PM

Arch Linux has updated firefox (two vulnerabilities) and thunderbird (code execution).

CentOS has updated thunderbird (C6; C5: code execution).

Debian-LTS has updated firefox-esr (multiple vulnerabilities), imagemagick (multiple vulnerabilities, many from 2014 and 2015), monit (cross-site request forgery), tomcat6 (multiple vulnerabilities), and tomcat7 (multiple vulnerabilities).

Fedora has updated calamares (F25; F24: encryption bypass), jenkins (F25: code execution), jenkins-remoting (F25: code execution), moin (F25; F24; F23: cross-site scripting flaws), mujs (F23: multiple vulnerabilities), and zathura-pdf-mupdf (F23: multiple vulnerabilities).

Gentoo has updated davfs2 (privilege escalation from 2013) and gnupg (flawed random number generation).

openSUSE has updated libtcnative-1-0 (42.2, 42.1: SSL improvements) and pacemaker (42.2: two vulnerabilities).

Oracle has updated firefox (OL7; OL6; OL5: code execution).

Red Hat has updated firefox (code execution).

SUSE has updated kernel (SLE11: multiple vulnerabilities, some from 2013 and 2015) and ImageMagick (SLE11: multiple vulnerabilities, some from 2014 and 2015).

Ubuntu has updated ghostscript (multiple vulnerabilities, one from 2013) and oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).

Google's OSS-Fuzz project

Thursday 1st of December 2016 05:52:35 PM
The Google security blog announces the OSS-Fuzz project, which performs continuous fuzz testing of free-software project repositories. "OSS-Fuzz has already found 150 bugs in several widely used open source projects (and churns ~4 trillion test cases a week). With your help, we can make fuzzing a standard part of open source development, and work with the broader community of developers and security testers to ensure that bugs in critical open source applications, libraries, and APIs are discovered and fixed."

Ardour 5.5 released

Thursday 1st of December 2016 05:34:23 PM
Version 5.5 of the Ardour audio editor has been released. "Among the notable new features are support for VST 2.4 plugins on OS X, the ability to have MIDI input follow MIDI track selection, support for Steinberg CC121, Avid Artist & Artist Mix Control surfaces, 'fanning out' of instrument outputs to new tracks/busses and the often requested ability to do horizontal zoom via vertical dragging on the rulers."

More in Tux Machines

Chromium/Chrome News

It's Been A Quiet Year-End For BUS1, The Proposed In-Kernel IPC For Linux

With the Linux 4.10 kernel merge window expected to open this weekend, I was digging around to see whether there was anything new on the BUS1 front and whether we might see it for the next kernel cycle. While I have yet to see any official communication from the BUS1 developers, it doesn't look like it's happening for BUS1. In fact, it's been a rather quiet past few weeks for these developers working on this in-kernel IPC mechanism to succeed the never-merged KDBUS. Read more Also: Intel Working On 5-Level Paging To Increase Linux Virtual/Physical Address Space

Games for GNU/Linux

Fedora News

  • FEDORA and GNOME at the “1er Encuentro de Tecnología e innovación-Macro Región Lima 2016” Conference
  • 10 years of dgplug summer training
    In 2017 dgplug summer training will be happening for the 10th time. Let me tell you honestly, I had no clue that we will reach here when I started this back in 2008. The community gathered together, and we somehow managed to continue. In case, you do not know about this training, dgplug summer training is a 3 months long online IRC based course where we help people to become contributors to upstream projects. The sessions start around 6:30PM IST, and continues till 9PM (or sometimes till very late at night) for 3 months. You can read the logs of the sessions here.
  • 6 3D printing applications you can install on Fedora 25
    Do you have an interest in the 3D printing space but don’t know which 3D printing application will work on your favorite Linux distribution? You’re in luck, because in this article, you learn about 6 of such applications that you can install on Fedora 25 and other Linux distributions, like Ubuntu 16.10 and debian 8. Most of these you can install by selecting the 3D printing package when using the DVD or netinstall ISO image to install Fedora 25, but the rest you have to install individually.
  • FUDCon APAC Phnom Penh 2016
    FUDCon 2016, that was for me first of all a lot of work especially after the change of the venue in nearly last minute. Instead of ITC BarCamp happened this year at Norton University, what turned out not to be a good choice. A new hotel had to be found, not an easy task as on this side of the river are not many yet.