OpenSSL fork LibreSSL is declared “unsafe for Linux” (Ars Technica)

Linux Weekly News - sze, 2014-07-16 00:25
Ars Technica reports that a security researcher has found what he calls a "catastrophic failure" in the Linux version of LibreSSL. "The failure results in cases where the same 16-bit PID is used to designate two or more processes. Linux ensures that a process can never have the same ID as the child process it spawned, but it remains possible for a process to have the same PID as its grandparent process. The condition appears to be an edge case, but it's one that may be possible if the Linux fork_rand program forks enough times to produce identical PIDs. OpenSSL, the open-source program LibreSSL aims to replace, has ways to recover from such cases. LibreSSL does not, at least not on Linux."

Update: This issue has been fixed in LibreSSL 2.0.2.

Kategóriák: Linux

KDE Plasma 5.0

Linux Weekly News - k, 2014-07-15 18:12
KDE has announced the release of Plasma 5.0. "Plasma 5.0 introduces a new major version of KDE's workspace offering. The new Breeze artwork concept introduces cleaner visuals and improved readability. Central work-flows have been streamlined, while well-known overarching interaction patterns are left intact. Plasma 5.0 improves support for high-DPI displays and ships a converged shell, able to switch between user experiences for different target devices. Changes under the hood include the migration to a new, fully hardware-accelerated graphics stack centered around an OpenGL(ES) scenegraph. Plasma is built using Qt 5 and Frameworks 5."
Kategóriák: Linux

Tuesday's security updates

Linux Weekly News - k, 2014-07-15 17:37

Red Hat has updated ror40-rubygem-activerecord (RHSC1: SQL injection) and ruby193-rubygem-activerecord (RHSC1: SQL injection).

SUSE has updated flash-player (SLED11SP3: multiple vulnerabilities).

Kategóriák: Linux

First Tizen phone postponed indefinitely

LinuxToday - k, 2014-07-15 15:30
Kategóriák: Linux

Google's "Project Zero"

Linux Weekly News - k, 2014-07-15 15:29
Google's newly announced Project Zero is focused on making the net as a whole safer from attackers. "We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We'll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we'll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment." Their policy of only reporting bugs to the vendor looks like it could result in the burying of inconvenient vulnerabilities, but presumably they have thought about that.
Kategóriák: Linux

[$] Filesystem notification, part 2: A deeper investigation of inotify

Linux Weekly News - k, 2014-07-15 01:20
In the first article in this series, we briefly looked at the original Linux filesystem notification API, dnotify, and noted a number of its limitations. We then turned our attention to its successor, inotify, and saw how the design of the newer API addressed various problems with the dnotify API while providing a number of other benefits as well. At first glance, inotify seems to provide a complete solution for the task of creating an application that reliably monitors the state of a filesystem. However, we are about to see that this isn't quite the case.

Subscribers can check out the next article in guest author Michael Kerrisk's series by clicking below.

Kategóriák: Linux