
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] LWN.net Weekly Edition for July 28, 2016

Thursday 28th of July 2016 12:26:20 AM
The LWN.net Weekly Edition for July 28, 2016 is available.

[$] One-time passwords and GnuPG with Nitrokey

Wednesday 27th of July 2016 09:24:36 PM

A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.

Stable kernel updates

Wednesday 27th of July 2016 08:18:41 PM
Greg Kroah-Hartman has released stable kernels 4.6.5, 4.4.16, and 3.14.74. All of them contain important fixes.

A statement from the Tor project

Wednesday 27th of July 2016 05:10:16 PM
Shari Steele has posted a statement from the Tor project on the results of an investigation into the allegations of harassment (and worse) within Tor and how the project will respond. "I am pleased, therefore, to announce that both the Tor Project and the Tor community are taking active steps to strengthen our ability to handle problems of unprofessional behavior. Specifically, the Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints, and an internal complaint review process. They were recently approved by Tor’s board of directors, and they will be rolled out internally this week."

Security advisories for Wednesday

Wednesday 27th of July 2016 04:14:50 PM

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), samba (C7: crypto downgrade), and samba4 (C6: crypto downgrade).

Debian has updated libgd2 (denial of service), mariadb-10.0 (multiple vulnerabilities), and php5 (multiple vulnerabilities).

Debian-LTS has updated libgd2 (denial of service).

Mageia has updated apache (HTTP redirect), harfbuzz (multiple vulnerabilities), libgd (three vulnerabilities), libidn (multiple vulnerabilities), libupnp (unauthenticated access), libxml2 (multiple vulnerabilities), mariadb (multiple vulnerabilities), mupdf (denial of service), php/xmlrpc-epi/timezone (multiple vulnerabilities), sudo (race condition), tomcat/apache-commons-fileupload (denial of service), and virtualbox (allows local users to affect availability).

Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.7: privilege escalation).

Scientific Linux has updated samba (SL7: crypto downgrade) and samba4 (SL6: crypto downgrade).

Ubuntu has updated kde4libs (15.10, 14.04, 16.04: command execution) and openjdk-8 (16.04: multiple vulnerabilities).

Sitter: Snappy sprint reporty musing

Tuesday 26th of July 2016 06:18:44 PM
Harald Sitter reports on a discussion at a recent sprint focused on making Snap packaging useful for KDE. "Shipping things users can use on Linux has been a pain in the rear since forever and these bundles are meant to change that. As such we as KDE should have a strong interest and presence in this field in the hopes of shaping a future that is useful to us. After all, we are one of the biggest source distributors, and the primary reason we don't also offer generic binary packages of our applications is because this never scaled and was altogether terrible to pull off from a KDE point of view." He and Scarlett Clark are working on some high-level mass automation of snap building on top of KDE Neon's existing deb binaries. (Thanks to Jos van den Oever)

Tuesday's security updates

Tuesday 26th of July 2016 04:39:50 PM

Debian has updated ntp (multiple vulnerabilities).

Debian-LTS has updated cacti (three vulnerabilities), dietlibc (insecure default PATH), gosa (code injection), ntp (multiple vulnerabilities), squid (cache poisoning), and uclibc (three vulnerabilities).

Oracle has updated samba (OL7: crypto downgrade) and samba4 (OL6: crypto downgrade).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), samba (RHEL7: crypto downgrade), and samba4 (RHEL6: crypto downgrade).

OpenVZ 7.0 released

Monday 25th of July 2016 10:38:37 PM
OpenVZ 7.0 has been released. The new release focuses on merging the OpenVZ and Virtuozzo source codebases and replacing its hypervisor with KVM. There are many other improvements and new features in container management and more.

The newest version of OpenBSD closes potential security loopholes (InfoWorld)

Monday 25th of July 2016 08:11:14 PM
InfoWorld takes a look at the upcoming OpenBSD 6.0 release. "Most significant among the latest security-related changes for OpenBSD is the removal of Linux emulation support. Prior versions of OpenBSD made it possible to run Linux applications by way of a compatibility layer, but the release notes for OpenBSD 6.0 indicate the Linux subsystem was removed as a "security improvement.""

Security advisories for Monday

Monday 25th of July 2016 04:43:00 PM

Arch Linux has updated chromium (multiple vulnerabilities), python-django (cross-site scripting), and python2-django (cross-site scripting).

Debian has updated openssh (user enumeration via timing side-channel), perl (two vulnerabilities), and phpmyadmin (multiple vulnerabilities).

Debian-LTS has updated squid3 (denial of service).

Fedora has updated ca-certificates (F24: certificate update), gd (F24: multiple vulnerabilities), httpd (F24: HTTP redirect), kf5-karchive (F24; F23: command execution, over a hundred related KDE Frameworks packages were included in this update), libgcrypt (F24: key leak), libidn (F24: multiple vulnerabilities), libvirt (F24: authentication bypass), and mingw-gnutls (F24: certificate verification vulnerability).

openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities) and gnugk (Leap42.1, 13.2: denial of service).

Red Hat has updated mariadb55-mariadb (RHSCL: many vulnerabilities) and mysql55-mysql (RHSCL: many vulnerabilities).

Slackware has updated bind (denial of service).

The 4.7 kernel is out

Sunday 24th of July 2016 10:12:46 PM
Linus has returned from his travels and released the 4.7 kernel. The most significant changes in this release include the tracing histograms feature, in-kernel tracing analysis via the ability to attach BPF programs to tracepoints, the LoadPin security module, better out-of-memory detection, faster filesystem operations with parallel pathname lookups, the schedutil CPU frequency governor, and more. See the KernelNewbies 4.7 page for lots of details.

Clasen: Using modern gettext

Friday 22nd of July 2016 10:33:52 PM

At his blog, Matthias Clasen explores the recent enhancements to the classic GNU gettext utility. Thanks in large part to new maintainer Daiki Ueno, gettext now understands many more file formats—thus enabling developers to easily extract strings from a wide variety of source files for translation. In addition to programming languages, Clasen notes, gettext understands .desktop files, GSettings schemas, GtkBuilder ui files, and Appdata files. "If you don’t want to wait for your favorite format to come with built-in its support, you can also include its files with your application; gettext will look for such files in $XDG_DATA_DIRS/gettext/its/."

Friday's security updates

Friday 22nd of July 2016 03:23:13 PM

Arch Linux has updated drupal (proxy injection).

Debian has updated mysql-5.5 (multiple vulnerabilities) and squid3 (multiple vulnerabilities).

Debian-LTS has updated python-django (cross-site scripting).

openSUSE has updated p7zip (13.1: code execution).

Slackware has updated gimp (14.0, 14.1, 14.2: code execution) and php (14.0, 14.1, 14.2: multiple vulnerabilities).

Ubuntu has updated mysql-5.5, mysql-5.6, mysql-5.7 (12.04, 14.04, 15.10, 16.04: multiple vulnerabilities).

EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment

Thursday 21st of July 2016 07:37:03 PM
The Electronic Frontier Foundation (EFF) has announced that it is suing the US government over provisions in the Digital Millennium Copyright Act (DMCA). The suit has been filed on behalf of Andrew "bunnie" Huang, who has a blog post describing the reasons behind the suit. The EFF also explained why these DMCA provisions should be ruled unconstitutional: "These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing. Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people’s ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials."

Security updates for Thursday

Thursday 21st of July 2016 02:02:30 PM

Arch Linux has updated bind (denial of service).

CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian-LTS has updated libarchive (multiple vulnerabilities, most from 2015).

Fedora has updated openssh (F24: user enumeration via timing side-channel) and p7zip (F24: two code execution flaws).

openSUSE has updated dhcp (42.1: denial of service).

Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), and openstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015).

Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated obs-service-source_validator (SLE12: code execution).

[$] LWN.net Weekly Edition for July 21, 2016

Thursday 21st of July 2016 12:02:59 AM
The LWN.net Weekly Edition for July 21, 2016 is available.

An honorary degree for Alan Cox

Wednesday 20th of July 2016 06:24:46 PM
Congratulations are due to Alan Cox, who was awarded an honorary degree by Swansea University for his work with Linux. "Alan started working on Version 0. There were bugs and problems he could correct. He put Linux on a machine in the Swansea University computer network, which revealed many problems in networking which he sorted out; later he rewrote the networking software. Alan brought to Linux software engineering discipline: Linux software releases that were tested, corrected and above all stable. On graduating, Alan worked at Swansea University, set up the UK Linux server and distributed thousands of systems."

Smedberg: Reducing Adobe Flash Usage in Firefox

Wednesday 20th of July 2016 06:01:20 PM
Benjamin Smedberg writes that the Firefox browser will soon start taking a more active approach to the elimination of Flash content. "Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness."

Security updates for Wednesday

Wednesday 20th of July 2016 04:42:50 PM

Debian has updated apache2 (HTTP redirect).

Debian-LTS has updated apache2 (HTTP redirect).

Fedora has updated ecryptfs-utils (F24: two vulnerabilities), kernel (F24; F23: multiple vulnerabilities), php-doctrine-orm (F24; F23: privilege escalation), and spice (F24: two vulnerabilities).

Gentoo has updated ansible (code execution), arpwatch (privilege escalation from 2012), bugzilla (multiple vulnerabilities from 2014), commons-beanutils (code execution from 2014), dropbear (information disclosure), exim (code execution from 2014), libbsd (denial of service), ntp (many vulnerabilities), and varnish (access control bypass).

openSUSE has updated ImageMagick (Leap42.1: many vulnerabilities), nodejs (Leap42.1, 13.2: buffer overflow), and samba (13.2: crypto downgrade).

Red Hat has updated java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated python-django (16.04: cross-site scripting).

Tor veteran Lucky Green exits, torpedos critical 'Tonga' node and relays (The Register)

Tuesday 19th of July 2016 09:17:17 PM
The Register reports that longtime Tor contributor Lucky Green is quitting and closing down the node and bridge authority he operates. "Practically, it's a big deal. Bridge Authorities are part of the infrastructure that lets users get around some ISP-level blocks on the network (not, however, defeating deep packet inspection). They're also incorporated in the Tor code, meaning that to remove a Bridge Authority is going to need an update." The shutdown is scheduled for August 31. (Thanks to Nomen Nescio)

More in Tux Machines

Puppy Linux Cousin Toutou Linux 6.3.2 "SlaXen" Alpha Released for Public Testing

Toutou, one of the fastest and most comprehensive minimalist GNU/Linux distributions, is again in development, and it looks like we're now able to test drive the 6.3.2 Alpha release of the upcoming Toutou Linux SlaXen series.

Linux 4.6.5

I'm announcing the release of the 4.6.5 kernel. All users of the 4.6 kernel series must upgrade.

The updated 4.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.6.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-st...

thanks, greg k-h

Also: Linux 4.4.16, Linux 3.14.74

today's leftovers

Leftovers: Software

  • The Linux Deepin File Manager Is a Thing of Beauty
    China-based Linux distro Deepin has shown off its all-new desktop file manager. And to say it's pretty is an understatement.
  • GRadio Lets You Find, Listen to Radio Stations from the Ubuntu Desktop
    Love to listen to the radio? My ol’ pal Lolly did. But let’s say you want to listen to the radio on Ubuntu. How do you do it? Well, the Ubuntu Software centre should always be the first dial you try, but you’ll need to sift through a load of static to find a decent app.
  • Reprotest 0.2 released, with virtualization support
    reprotest 0.2 is available in PyPi and should hit Debian soon. I have tested null (no container, build on the host system), schroot, and qemu, but it's likely that chroot, Linux containers (lxc/lxd), and quite possibly ssh are also working. I haven't tested the autopkgtest code on a non-Debian system, but again, it probably works. At this point, reprotest is not quite a replacement for the prebuilder script because I haven't implemented all the variations yet, but it offers better virtualization because it supports qemu, and it can build non-Debian software because it doesn't rely on pbuilder.
  • Calibre 2.63.0 eBook Converter and Viewer Adds Unicode 9.0 Support, Bugfixes
    Kovid Goyal has released yet another maintenance update for his popular, open-source, free, and cross-platform Calibre ebook library management software, version 2.63.0. Calibre 2.63.0 arrives two weeks after the release of the previous maintenance update, Calibre 2.62.0, which introduced support for the new Kindle Oasis ebook reader from Amazon, as well as reading and writing of EPUB 3 metadata. Unfortunately, there aren't many interesting features added in the Calibre 2.63.0 release, except for the implementation of Unicode 9.0 support in the regex engine of the Edit Book feature that lets users edit books that contain characters encoded with the recently released Unicode 9.0 standard.
  • Mozilla Delivers Improved User Experience in Firefox for iOS
    When we rolled out Firefox for iOS late last year, we got a tremendous response and millions of downloads. Lots of Firefox users were ecstatic they could use the browser they love on the iPhone or iPad they had chosen. Today, we’re thrilled to release some big improvements to Firefox for iOS. These improvements will give users more speed, flexibility and choice, three things we care deeply about.
  • LibreOffice 5.2 Is Being Released Next Wednesday
    One week from today will mark the release of LibreOffice 5.2 as the open-source office suite's latest major update. LibreOffice 5.2 features a new (optional) single toolbar mode, bookmark improvements, new Calc spreadsheet functions (including forecasting functions), support for signature descriptions, support for OOXML signature import/export, and a wealth of other updates. There are also GTK3 user-interface improvements, OpenGL rendering improvements, multi-threaded 3D rendering, faster rendering, and more.
  • Blackmagic Design Finally Introduces Fusion 8 For Linux
  • Why Microsoft’s revival of Skype for Linux is a big deal [Ed: This article is nonsense right from the headline. Web client is not Linux support. And it's spyware (centralised too).]