Linux Weekly News

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 3 minutes 54 seconds ago

Security advisories for Monday

Mon, 2015-03-16 19:46

Debian has updated freetype (many vulnerabilities), gnutls26 (two vulnerabilities), icu (multiple vulnerabilities), libav (multiple vulnerabilities), and putty (information disclosure).

Debian-LTS has updated libextlib-ruby (code execution and more), libssh2 (information leak), mod-gnutls (restriction bypass), and putty (information disclosure).

Fedora has updated 389-admin (F21: multiple /tmp/ file vulnerabilities), cups-filters (F21; F20: remote command execution), gnupg (F20: multiple vulnerabilities), httpd (F21: multiple vulnerabilities), jBCrypt (F21; F20: integer overflow), kernel (F20: multiple vulnerabilities), libmspack (F21; F20: denial of service), libuv (F20: privilege escalation), nodejs (F20: privilege escalation), phpMyAdmin (F21; F20: information leak), putty (F21; F20: information disclosure), tcllib (F21: HTML injection), and v8 (F20: privilege escalation).

Gentoo has updated hivex (privilege escalation) and icu (multiple vulnerabilities).

Mageia has updated 389-ds-base (multiple vulnerabilities) and flash-player-plugin (multiple vulnerabilities).

Mandriva has updated kernel (multiple vulnerabilities), nss (multiple vulnerabilities), qemu (multiple vulnerabilities), and yaml (multiple vulnerabilities).

openSUSE has updated flashplayer (11.4: multiple vulnerabilities), chromium (13.2, 13.1: multiple vulnerabilities), and postgresql (11.4: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities) and java-1_7_0-openjdk (SLE12: multiple vulnerabilities).

Ubuntu has updated cups-filters (14.10, 14.04: remote command execution), requests (14.10, 14.04: cookie stealing attacks), and sudo (information disclosure).

Categories: Linux

Kernel prepatch 4.0-rc4

Mon, 2015-03-16 03:45
The fourth 4.0 prepatch is out for testing. Linus says: "Nothing particularly stands out here. Shortlog appended, I think we're doing fine for where in the release cycle we are."
Categories: Linux

OpenSCAD 2015.03 released with text objects support (Libre Graphics World)

Fri, 2015-03-13 22:28

Libre Graphics World has a look at the new release of OpenSCAD, the 3D solid-modeling tool often used in conjunction with 3D printers. The new features include support for complex text layout, offset functions for manipulating polygons, and the ability to generate height maps from PNG images. "The user interface got a few improvements as well: new startup dialog to quickly open recent files or examples from a library, new QScintilla-based code editor with folding support, SVG and AMF exporting, and more."

Categories: Linux

Friday's security updates

Fri, 2015-03-13 17:10

CentOS has updated kernel (C6: multiple vulnerabilities).

Debian has updated gnupg (multiple vulnerabilities), libgcrypt11 (multiple vulnerabilities), movabletype-opensource (multiple vulnerabilities), and nss (data smuggling).

Fedora has updated krb5 (F21: multiple vulnerabilities) and suricata (F21: multiple vulnerabilities).

Mageia has updated libarchive (M4: directory traversal), libssh2 (M4: denial of service), and qt3, qt4, qt5base (M4: denial of service).

openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities), osc (13.1, 13.2: command injection), and wireshark (13.1, 13.2: multiple vulnerabilities).

Oracle has updated gnome-shell, clutter, cogl, mutter (O7: lock screen bypass), httpd (O7: multiple vulnerabilities), ipa (O7: multiple vulnerabilities), kernel (O7: multiple vulnerabilities), krb5 (O7: multiple vulnerabilities), libreoffice (O7: code execution), libvirt (O7: multiple vulnerabilities), qemu-kvm (O7: multiple vulnerabilities), and thunderbird (O7: multiple vulnerabilities).

SUSE has updated bind (SLE10: denial of service), flash-player (SLE12: multiple vulnerabilities), and osc (SLE12: command injection).

Categories: Linux

NTP's Fate Hinges On 'Father Time' (InformationWeek)

Fri, 2015-03-13 15:58
InformationWeek has a lengthy look at the maintenance of the network time protocol (NTP) code. "Not all is well within the NTP open source project. The number of volunteer contributors -- those who submit code for periodic updates, examine bug reports, and write fixes -- has shrunk over its long lifespan, even as its importance has increased. Its ongoing development and maintenance now rest mostly on the shoulders of [Harlan] Stenn, and that's why NTP faces a turning point. Stenn, who also works sporadically on his own consulting business, has given himself a deadline: Garner more financial support by April, 'or look for regular work.'"
Categories: Linux

Google Code shutting down

Thu, 2015-03-12 20:39
Google has announced that the Google Code repository is shutting down. "As developers migrated away from Google Code, a growing share of the remaining projects were spam or abuse. Lately, the administrative load has consisted almost exclusively of abuse management. After profiling non-abusive activity on Google Code, it has become clear to us that the service simply isn’t needed anymore." New project creation has been stopped already; the final pulling of the plug will be in January 2016.
Categories: Linux

Thursday's security updates

Thu, 2015-03-12 18:17

openSUSE has updated cacti (13.2, 13.1: multiple vulnerabilities).

Oracle has updated kernel (OL6: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6: multiple vulnerabilities).

Scientific Linux has updated bind (SL6,7: denial of service) and kernel (SL6: multiple vulnerabilities).

SUSE has updated bind (SLES11 SP1: denial of service) and kernel (SLES11 SP2: multiple vulnerabilities).

Ubuntu has updated kernel (14.10; 14.04; 12.04; 10.04: privilege escalation), linux-lts-trusty (12.04: privilege escalation), and linux-lts-utopic (14.04: privilege escalation).

Categories: Linux

[$] LWN.net Weekly Edition for March 12, 2015

Thu, 2015-03-12 01:03
The LWN.net Weekly Edition for March 12, 2015 is available.
Categories: Linux

[$] GitHub unveils its Licenses API

Wed, 2015-03-11 22:18

Since opening its doors in 2008, GitHub has grown to become the largest active project-hosting service for open-source software. But it has also attracted a fair share of criticism for some of its implementation choices—with one of the leading complaints being that it takes a lax approach to software licensing. That, in turn, leads to a glut of repositories bearing little or no licensing details. The company recently announced a new tool to help combat the license-confusion issue: a site-wide API for querying and reporting license information. Whether that API is up to the task, however, remains to be seen.

Categories: Linux

Security advisories for Wednesday

Wed, 2015-03-11 18:26

CentOS has updated bind (C6: denial of service).

Debian has updated libssh2 (information leak), mod-gnutls (restriction bypass), and xen (multiple vulnerabilities).

Debian-LTS has updated axis (verification bypass).

Mageia has updated gnupg, libgcrypt (information leak), icu (code execution), pngcrush (denial of service), and vsftpd (unauthorized access).

openSUSE has updated autofs (13.2, 13.1: privilege escalation), glusterfs (13.1: denial of service), percona-toolkit (13.2, 13.1: man-in-the-middle attack), and putty (13.2, 13.1: information disclosure).

Oracle has updated bind (OL6: denial of service).

Red Hat has updated bind (RHEL6,7: denial of service).

Ubuntu has updated ecryptfs-utils (information disclosure) and icu (12.04: regression in previous update).

Categories: Linux

[$] Allowing small allocations to fail

Wed, 2015-03-11 02:47
As Michal Hocko noted at the beginning of his session at the 2015 Linux Storage, Filesystem, and Memory Management Summit, the news that the memory-management code will normally retry small allocations indefinitely rather than returning a failure status came as a surprise to many developers. In this session, the assembled group attempted to come up with ways to safely change this behavior. Click below (subscribers only) for the full report from LSFMM 2015.
Categories: Linux

Exploiting the DRAM rowhammer bug to gain kernel privileges

Tue, 2015-03-10 23:21
The Project Zero blog looks at the "Rowhammer" bug. "“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory." (Thanks to Paul Wise)
Categories: Linux

VMware update to GPL-enforcement suit

Tue, 2015-03-10 22:04
VMware has published a statement on the lawsuit filed by Christoph Hellwig alleging copyright infringement. "On March 5, 2015, Software Freedom Conservancy (SFC) announced a lawsuit in Germany, filed by Christoph Hellwig against VMware, alleging a failure to comply with the General Public License (GPL). We believe the lawsuit is without merit, and we are disappointed that the SFC and plaintiff have resorted to litigation given the considerable efforts we have made to understand and address their concerns. We see huge value in supporting multiple development methodologies, including free and open source software, and we appreciate the crucial role of free and open source software in the data center. In particular, VMware devotes significant effort supporting customer usage of Linux and F/OSS based software stacks and workloads." LWN recently covered the lawsuit. (Thanks to Emmanuel Seyman)
Categories: Linux

Fedora 22 Alpha released

Tue, 2015-03-10 21:12
The Fedora Project has announced the release of Fedora 22 Alpha. "The Alpha release contains all the exciting features of Fedora 22's editions in a form that anyone can help test. This testing, guided by the Fedora QA team, helps us target and identify bugs. When these bugs are fixed, we make a Beta release available. A Beta release is code-complete and bears a very strong resemblance to the third and final release. The final release of Fedora 22 is expected in May."
Categories: Linux

Tuesday's security updates

Tue, 2015-03-10 19:19

Mandriva has updated kernel (multiple vulnerabilities).

Oracle has updated 389-ds-base (OL7: multiple vulnerabilities), glibc (OL7: multiple vulnerabilities), hivex (OL7: privilege escalation), openssh (OL7: two vulnerabilities), and pcre (OL7: information leak).

Red Hat has updated qpid-cpp (RHE MRG for RHEL7; RHE MRG for RHEL6; RHE MRG for RHEL5: multiple vulnerabilities).

Scientific Linux has updated 389-ds-base (SL6: information disclosure).

Ubuntu has updated apache2 (multiple vulnerabilities), oxide-qt (14.10, 14.04: multiple vulnerabilities), and firefox (14.10, 14.04, 12.04: regression in previous update).

Categories: Linux

The kernel's code of conflict

Mon, 2015-03-09 19:41
A brief "code of conflict" was merged into the kernel's documentation directory for the 4.0-rc3 release. The idea is to describe the parameters for acceptable discourse without laying down a lot of rules; it also names the Linux Foundation's technical advisory board as a body to turn to in case of unacceptable behavior. This document has been explicitly acknowledged by a large number of prominent kernel developers.
Categories: Linux

Security advisories for Monday

Mon, 2015-03-09 19:06

Debian-LTS has updated konversation (information disclosure), libarchive (directory traversal), and redcloth (cross-site scripting).

Fedora has updated cabextract (F21; F20: privilege escalation), kernel (F21: denial of service), krb5 (F20: multiple vulnerabilities), lftp (F20: automatically accepting ssh keys), libpng10 (F21; F20: two vulnerabilities), and qt3 (F21; F20: denial of service).

Gentoo has updated dbus (denial of service), freetype (multiple vulnerabilities), glibc (multiple vulnerabilities), and php (multiple vulnerabilities).

Mageia has updated apache (denial of service), jython (code execution), librsvg (multiple vulnerabilities), mapserver (command execution), and putty, filezilla (information disclosure).

Mandriva has updated rpm (code execution).

openSUSE has updated libmspack (13.2, 13.1: denial of service), thunderbird (13.2, 13.1: multiple vulnerabilities), and tiff (13.2, 13.1: multiple vulnerabilities).

SUSE has updated firefox (SLE11 SP3; SLE11 SP2,SP1, SLES10 SP4: multiple vulnerabilities).

Ubuntu has updated icu (12.04: regression in previous update).

Categories: Linux

Kernel prepatch 4.0-rc3

Mon, 2015-03-09 15:17
The 4.0-rc3 prepatch is out. "Back on track with a Sunday afternoon release schedule, since there was nothing particularly odd going on this week, and no last-minute bugs that I knew of and wanted to get fixed holding things up."
Categories: Linux

Three Debian technical committee appointments

Mon, 2015-03-09 15:10
Debian project leader Lucas Nussbaum has confirmed the appointment of three new members to the Debian technical committee. The new members are Didier Raboud, Tollef Fog Heen, and Sam Hartman; they will be replacing Ian Jackson, Russ Allbery, and Colin Watson.
Categories: Linux

A pile of stable kernel updates

Sun, 2015-03-08 17:19
The 3.19.1, 3.18.9, 3.14.35, and 3.10.71 stable kernel updates are available; each contains a relatively large set of important fixes.
Categories: Linux