Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Greg Kroah-Hartman has released an unexpected 3.18 kernel update, despite the fact that 3.18 is no longer supported. "Turns out there was a bug in 3.18.47 in one of the backports. And a bug in 3.18.27 as well, with one of the backports there. And a very minor issue in the 3.18.28 release, but no one cares about the debug messages for a specific scsi driver, so you can just ignore that issue..."
Michael Catanzaro looks at how distributors have improved (or not) their security support for the WebKit browser engine in the last year. "So results are clearly mixed. Some distros are clearly doing well, and others are struggling, and Debian is Debian. Still, the situation on the whole seems to be much better than it was one year ago. Most importantly, Ubuntu’s decision to start updating WebKitGTK+ means the vast majority of Linux users are now receiving updates."
Kenton Varda reports that Sandstorm, as a company, is no more, but community development lives on. LWN covered the Sandstorm personal cloud platform in June 2014.
Many people also know that Sandstorm is a for-profit startup, with a business model centered on charging for enterprise-oriented features, such as LDAP and SAML single-sign-on integration, organizational access control policies, and the like. This product was called “Sandstorm for Work”; it was still open source, but official builds hid the features behind a paywall. Additionally, we planned eventually to release a scalable version of Sandstorm for big enterprise users, based on the same tech that powers Sandstorm Oasis, our managed hosting service.
As an open source project, Sandstorm has been successful: We have a thriving community of contributors, many developers building and packaging apps, and thousands of self-hosted servers running in the wild. This will continue.
However, our business has not succeeded. To date, almost no one has purchased Sandstorm for Work, despite hundreds of trials and lots of interest expressed. Only a tiny fraction of Sandstorm Oasis users choose to pay for the service – enough to cover costs, but not much more.
Debian-LTS has updated tiff (can't write files).
Luis Villa talks about the open-source lawyer career path on opensource.com. "First, going to law school is a gamble. Recent American law school graduates must fight fiercely for one of the few jobs that can cover their massive debt, and roughly 50% fail the California bar. And, the open source gamble is bigger, because the opportunities are even fewer."
The grsecurity developers have announced the first release of the "Reuse Attack Protector" (RAP) patch set, aimed at preventing return-oriented programming and other attacks. "RAP is our patent-pending and best-in-breed defense mechanism against code reuse attacks. It is the result of years of research and development into Control Flow Integrity (CFI) technologies by PaX. The version of RAP present in the test patch released to the public today under the GPLv2 is now feature-complete."
Kodi 17.0 (Krypton) has been released. Kodi is a software media center for playing videos, music, pictures, games, and more. This release features a new skin, an updated video engine, improvements to the music library, numerous improvements to Live TV and PVR functionality, and more.
One often hears the "infrastructure as code" refrain when configuration-management systems are discussed. Normally, though, that phrase doesn't bring to mind an image of infrastructure as Haskell code. In his 2017 linux.conf.au talk, Joey Hess described his Propellor system and the interesting features that a Haskell implementation makes possible, with a special focus on how Haskell's type-checking system can be pressed into service to detect configuration errors.
Arch Linux has updated gst-plugins-bad (two vulnerabilities), gst-plugins-base-libs (multiple vulnerabilities), gst-plugins-good (multiple vulnerabilities), gst-plugins-ugly (two vulnerabilities), and gstreamer (denial of service).
Debian has updated svgsalamander (server-side request forgery).
Debian-LTS has updated libphp-phpmailer (information disclosure).
Fedora has updated epiphany (F25: multiple vulnerabilities), iio-sensor-proxy (F25: unspecified), jasper (F24: code execution), thunderbird (F25; F24: multiple vulnerabilities), and wavpack (F24: multiple vulnerabilities).
Gentoo has updated rtmpdump (multiple vulnerabilities).
Mageia has updated java-1.8.0-openjdk (multiple vulnerabilities), openssl (three vulnerabilities), php (multiple vulnerabilities), phpmyadmin (two vulnerabilities), and thunderbird (multiple vulnerabilities).
openSUSE has updated cpio (42.2, 42.1: out-of-bounds write), gnutls (42.2, 42.1: multiple vulnerabilities), GraphicsMagick (42.2; 42.1: multiple vulnerabilities), gstreamer-0_10-plugins-bad (42.2: code execution), libgit2 (42.1: multiple vulnerabilities), and virtualbox (42.2: multiple vulnerabilities).
The Cloud Native Computing Foundation has announced that it has purchased the rights to the RethinkDB NoSQL database and contributed it to the Linux Foundation. In the process, the code was relicensed from the Affero GPLv3 to the Apache license. "RethinkDB is an open source, NoSQL, distributed document-oriented database that is in production use today by hundreds of technology startups, consulting firms and Fortune 500 companies, including NASA, GM, Jive, Platzi, the U.S. Department of Defense, Distractify and Matters Media. Some of Silicon Valley’s top firms invested $12.2 million over more than eight years in the RethinkDB company to build a state-of-the-art database system, but were unsuccessful in creating a sustainable business, and it shut down in October 2016."
Version 2.25 of the GNU C Library has been released. This release contains the long-awaited support for the getrandom() system call and a long list of other features; click below for the full announcement.
The 4.10-rc7 kernel prepatch has been released for testing. "Hey, look at that - it's all been very quiet, and unless anything bad happens, we're all back to the regular schedule with this being the last rc."
openSUSE has updated java-1_8_0-openjdk (42.2, 42.1: multiple vulnerabilities), mupdf (42.2; 42.1: three vulnerabilities), phpMyAdmin (42.2, 42.1: multiple vulnerabilities, one from 2015), and Wireshark (42.2: two denial of service flaws).
Ubuntu has updated kernel (16.10; 14.04; 12.04: multiple vulnerabilities), kernel, linux-raspi2, linux-snapdragon (16.04: two vulnerabilities), linux-lts-trusty (12.04: code execution), linux-lts-xenial (14.04: two vulnerabilities), and tomcat (14.04, 12.04: regression in previous update).
The Rust team has released version 1.15 of the Rust programming language, which adds a custom derive feature. "These kinds of libraries are extremely powerful, but rely on custom derive for ergonomics. While these libraries worked on Rust stable previously, they were not as nice to use, so much so that we often heard from users “I only use nightly because of Serde and Diesel.” The use of custom derive is one of the most widely used nightly-only features. As such, RFC 1681 was opened in July of last year to support this use-case. The RFC was merged in August, underwent a lot of development and testing, and now reaches stable today!"
In the acme-client-portable repository at GitHub, developer Kristaps Dz has a rather stinging indictment of trying to use seccomp sandboxing for the portable version of acme-client, which is a client program for getting Let's Encrypt certificates. He has disabled seccomp filtering in the default build for a number of reasons. "So I might use mmap, but the system call is mmap2? Great. This brings us to the second and larger problem. The C library. There are several popular ones on Linux: glibc, musl, uClibc, etc. Each of these is free to implement any standard function (like mmap, above) in any way. So while my code might say read, the C library might also invoke fstat. Great. In general, section 2 calls (system calls) map evenly between system call name and function name. (Except as noted above... and maybe elsewhere...) However, section 3 is all over the place. The strongest differences were between big functions like getaddrinfo(2). Then there's local modifications. And not just between special embedded systems. But Debian and Arch, both using glibc and both on x86_64, have different kernels installed with different features. Great. Less great for me and seccomp." (Thanks to Paul Wise.)
The 4.9.7 and 4.4.46 kernels have been released by Greg Kroah-Hartman. They contain fixes throughout the tree and users of those kernel series should upgrade.
Debian has updated ntfs-3g (privilege escalation).
Debian-LTS has updated openssl (three vulnerabilities).
openSUSE has updated bzrtp (42.2, 42.1: man-in-the-middle vulnerability), firefox (42.2, 42.1: multiple vulnerabilities), nginx (42.2, 42.1; SPH for SLE12: denial of service), seamonkey (42.2, 42.1: code execution), and thunderbird (42.2, 42.1; SPH for SLE12: multiple vulnerabilities).
Ubuntu has updated gnutls26, gnutls28 (multiple vulnerabilities), irssi (multiple vulnerabilities), iucode-tool (16.10, 16.04: code execution), libxpm (code execution), and ntfs-3g (16.10, 16.04: privilege escalation).
The GNOME Foundation's long search for a new executive director has finally come to an end: Neil McGovern has taken the job. "McGovern is an experienced leader in Free Software projects and is best known for his role as Debian Project Leader from 2014-15. He has been on the Boards of numerous organizations, including Software in the Public Interest, Inc. and the Open Rights Group."