Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 3 perc 59 másodperc

Stable kernel 3.18.48

sze, 2017-02-08 16:10
Greg Kroah-Hartman has released an unexpected 3.18 kernel update, despite the fact that 3.18 is no longer supported. "Turns out there was a bug in 3.18.47 in one of the backports. And a bug in 3.18.27 as well, with one of the backports there. And a very minor issue in the 3.18.28 release, but no one cares about the debug messages for a specific scsi driver, so you can just ignore that issue..."
Kategóriák: Linux

Catanzaro: An Update on WebKit Security Updates

sze, 2017-02-08 15:53
Michael Catanzaro looks at how distributors have improved (or not) their security support for the WebKit browser engine in the last year. "So results are clearly mixed. Some distros are clearly doing well, and others are struggling, and Debian is Debian. Still, the situation on the whole seems to be much better than it was one year ago. Most importantly, Ubuntu’s decision to start updating WebKitGTK+ means the vast majority of Linux users are now receiving updates."
Kategóriák: Linux

Sandstorm is returning to its community roots

k, 2017-02-07 19:23
Kenton Varda reports that Sandstorm, as a company, is no more, but community development lives on. LWN covered the Sandstorm personal cloud platform in June 2014.

Many people also know that Sandstorm is a for-profit startup, with a business model centered on charging for enterprise-oriented features, such as LDAP and SAML single-sign-on integration, organizational access control policies, and the like. This product was called “Sandstorm for Work”; it was still open source, but official builds hid the features behind a paywall. Additionally, we planned eventually to release a scalable version of Sandstorm for big enterprise users, based on the same tech that powers Sandstorm Oasis, our managed hosting service.

As an open source project, Sandstorm has been successful: We have a thriving community of contributors, many developers building and packaging apps, and thousands of self-hosted servers running in the wild. This will continue.

However, our business has not succeeded. To date, almost no one has purchased Sandstorm for Work, despite hundreds of trials and lots of interest expressed. Only a tiny fraction of Sandstorm Oasis users choose to pay for the service – enough to cover costs, but not much more.

Kategóriák: Linux

Tuesday's security advisories

k, 2017-02-07 18:03

Debian-LTS has updated tiff (can't write files).

Fedora has updated kernel (F25; F24: denial of service), moodle (F25: multiple vulnerabilities), and phpMyAdmin (F25; F24: multiple vulnerabilities).

Mageia has updated icoutils (multiple vulnerabilities) and irssi-otr (information leak).

openSUSE has updated libgit2 (SPH for SLE12: multiple vulnerabilities) and libressl (42.2, 42.1: local timing attack).

Oracle has updated kernel 4.1.12 (OL7; OL6: multiple vulnerabilities) and ntp (OL7; OL6: multiple vulnerabilities).

SUSE has updated mysql (SOSC5, SMP2.1, SM2.1, SLE11-SP3,4: multiple vulnerabilities) and kernel (SLERTE12-SP1: multiple vulnerabilities).

Ubuntu has updated nettle (information leak), squid3 (two vulnerabilities), firefox (regression in previous update), and webkit2gtk (16.10, 16.04: multiple vulnerabilities).

Kategóriák: Linux

What to know before jumping into a career as an open source lawyer (opensource.com)

k, 2017-02-07 16:57
Luis Villa talks about the open-source lawyer career path on opensource.com. "First, going to law school is a gamble. Recent American law school graduates must fight fiercely for one of the few jobs that can cover their massive debt, and roughly 50% fail the California bar. And, the open source gamble is bigger, because the opportunities are even fewer."
Kategóriák: Linux

The grsecurity "RAP" patch set

k, 2017-02-07 01:24
The grsecurity developers have announced the first release of the "Reuse Attack Protector" (RAP) patch set, aimed at preventing return-oriented programming and other attacks. "RAP is our patent-pending and best-in-breed defense mechanism against code reuse attacks. It is the result of years of research and development into Control Flow Integrity (CFI) technologies by PaX. The version of RAP present in the test patch released to the public today under the GPLv2 is now feature-complete."
Kategóriák: Linux

Kodi 17.0

k, 2017-02-07 01:02
Kodi 17.0 (Krypton) has been released. Kodi is a software media center for playing videos, music, pictures, games, and more. This release features a new skin, an updated video engine, improvements to the music library, numerous improvements to Live TV and PVR functionality, and more.
Kategóriák: Linux

[$] Type-driven configuration management with Propellor

h, 2017-02-06 21:21
One often hears the "infrastructure as code" refrain when configuration-management systems are discussed. Normally, though, that phrase doesn't bring into mind an image of infrastructure as Haskell code. In his 2017 linux.conf.au talk, Joey Hess described his Propellor system and the interesting features that a Haskell implementation makes possible, with a special focus on how Haskell's type-checking system can be pressed into service to detect configuration errors.
Kategóriák: Linux

Security advisories for Monday

h, 2017-02-06 19:30

Arch Linux has updated gst-plugins-bad (two vulnerabilities), gst-plugins-base-libs (multiple vulnerabilities), gst-plugins-good (multiple vulnerabilities), gst-plugins-ugly (two vulnerabilities), and gstreamer (denial of service).

CentOS has updated ntp (C7; C6: multiple vulnerabilities), spice (C7: two vulnerabilities), and spice-server (C6: two vulnerabilities).

Debian has updated svgsalamander (server-side request forgery).

Debian-LTS has updated libphp-phpmailer (information disclosure).

Fedora has updated epiphany (F25: multiple vulnerabilities), iio-sensor-proxy (F25: unspecified), jasper (F24: code execution), thunderbird (F25; F24: multiple vulnerabilities), and wavpack (F24: multiple vulnerabilities).

Gentoo has updated rtmpdump (multiple vulnerabilities).

Mageia has updated java-1.8.0-openjdk (multiple vulnerabilities), openssl (three vulnerabilities), php (multiple vulnerabilities), phpmyadmin (two vulnerabilities), and thunderbird (multiple vulnerabilities).

openSUSE has updated cpio (42.2, 42.1: out-of-bounds write), gnutls (42.2, 42.1: multiple vulnerabilities), GraphicsMagick (42.2; 42.1: multiple vulnerabilities), gstreamer-0_10-plugins-bad (42.2: code execution), libgit2 (42.1: multiple vulnerabilities), and virtualbox (42.2: multiple vulnerabilities).

Oracle has updated spice (OL7: two vulnerabilities) and spice-server (OL6: two vulnerabilities).

Red Hat has updated ntp (RHEL6,7: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).

Scientific Linux has updated ntp (SL6,7: multiple vulnerabilities), spice (SL7: two vulnerabilities), and spice-server (SL6: two vulnerabilities).

SUSE has updated spice (SLE12-SP2; SLE12-SP1; SLES12; SLE11-SP4: two vulnerabilities).

Kategóriák: Linux

RethinkDB source relicensed, donated to the Linux Foundation

h, 2017-02-06 16:26
The Cloud Native Computing Foundation has announced that it has purchased the rights to the RethinkDB NoSQL database and contributed it to the Linux Foundation. In the process, the code was relicensed from the Affero GPLv3 to the Apache license. "RethinkDB is an open source, NoSQL, distributed document-oriented database that is in production use today by hundreds of technology startups, consulting firms and Fortune 500 companies, including NASA, GM, Jive, Platzi, the U.S. Department of Defense, Distractify and Matters Media. Some of Silicon Valley’s top firms invested $12.2 million over more than eight years in the RethinkDB company to build a state-of-the-art database system, but were unsuccessful in creating a sustainable business, and it shut down in October 2016."
Kategóriák: Linux

GNU C Library 2.25 released

h, 2017-02-06 04:19
Version 2.25 of the GNU C Library has been released. This release contains the long-awaited support for the getrandom() system call and a long list of other features; click below for the full announcement.
Kategóriák: Linux

Kernel prepatch 4.10-rc7

h, 2017-02-06 04:06
The 4.10-rc7 kernel prepatch has been released for testing. "Hey, look at that - it's all been very quiet, and unless anything bad happens, we're all back to the regular schedule with this being the last rc."
Kategóriák: Linux

Stable kernels 4.9.8 and 4.4.47

szo, 2017-02-04 15:58
The 4.9.8 and 4.4.47 stable kernel updates are available with another set of important fixes.
Kategóriák: Linux

Friday's security updates

p, 2017-02-03 17:48

Arch Linux has updated qt5-webengine (multiple vulnerabilities) and tcpdump (multiple vulnerabilities).

CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities).

Debian-LTS has updated ntfs-3g (privilege escalation) and svgsalamander (server-side request forgery).

Fedora has updated openldap (F25: unintended cipher usage from 2015), and wavpack (F25: multiple vulnerabilities).

Mageia has updated openafs (information leak) and pdns-recursor (denial of service).

openSUSE has updated java-1_8_0-openjdk (42.2, 42.1: multiple vulnerabilities), mupdf (42.2; 42.1: three vulnerabilities), phpMyAdmin (42.2, 42.1: multiple vulnerabilities, one from 2015), and Wireshark (42.2: two denial of service flaws).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated libtiff (SL7&6: multiple vulnerabilities, one from 2015) and thunderbird (multiple vulnerabilities).

Ubuntu has updated kernel (16.10; 14.04; 12.04: multiple vulnerabilities), kernel, linux-raspi2, linux-snapdragon (16.04: two vulnerabilities), linux-lts-trusty (12.04: code execution), linux-lts-xenial (14.04: two vulnerabilities), and tomcat (14.04, 12.04: regression in previous update).

Kategóriák: Linux

Announcing Rust 1.15

cs, 2017-02-02 23:56
The Rust team has released version 1.15 of the Rust programming language, which adds a custom derive feature. "These kinds of libraries are extremely powerful, but rely on custom derive for ergonomics. While these libraries worked on Rust stable previously, they were not as nice to use, so much so that we often heard from users “I only use nightly because of Serde and Diesel.” The use of custom derive is one of the most widely used nightly-only features. As such, RFC 1681 was opened in July of last year to support this use-case. The RFC was merged in August, underwent a lot of development and testing, and now reaches stable today!"
Kategóriák: Linux

Dz: Seccomp sandboxing not enabled for acme-client

cs, 2017-02-02 22:10
In the acme-client-portable repository at GitHub, developer Kristaps Dz has a rather stinging indictment of trying to use seccomp sandboxing for the portable version of acme-client, which is a client program for getting Let's Encrypt certificates. He has disabled seccomp filtering in the default build for a number of reasons. "So I might use mmap, but the system call is mmap2? Great. This brings us to the second and larger problem. The C library. There are several popular ones on Linux: glibc, musl, uClibc, etc. Each of these is free to implement any standard function (like mmap, above) in any way. So while my code might say read, the C library might also invoke fstat. Great. In general, section 2 calls (system calls) map evenly between system call name and function name. (Except as noted above... and maybe elsewhere...) However, section 3 is all over the place. The strongest differences were between big functions like getaddrinfo(2). Then there's local modifications. And not just between special embedded systems. But Debian and Arch, both using glibc and both on x86_64, have different kernels installed with different features. Great. Less great for me and seccomp." (Thanks to Paul Wise.)
Kategóriák: Linux

Stable kernels 4.9.7 and 4.4.46 have been released

cs, 2017-02-02 17:00
The 4.9.7 and 4.4.46 kernels have been released by Greg Kroah-Hartman. They contain fixes throughout the tree and users of those kernel series should upgrade.
Kategóriák: Linux

Thursday's security advisories

cs, 2017-02-02 16:53

Debian has updated ntfs-3g (privilege escalation).

Debian-LTS has updated openssl (three vulnerabilities).

Fedora has updated jasper (F25: code execution), moodle (F24: multiple vulnerabilities), and percona-xtrabackup (F25; F24: information disclosure).

Mageia has updated libxpm (code execution), pdns (multiple vulnerabilities), python-pycrypto (denial of service from 2013), and wireshark (two denial of service flaws).

openSUSE has updated bzrtp (42.2, 42.1: man-in-the-middle vulnerability), firefox (42.2, 42.1: multiple vulnerabilities), nginx (42.2, 42.1; SPH for SLE12: denial of service), seamonkey (42.2, 42.1: code execution), and thunderbird (42.2, 42.1; SPH for SLE12: multiple vulnerabilities).

Red Hat has updated rabbitmq-server (OSP8.0: denial of service from 2015) and thunderbird (multiple vulnerabilities).

Ubuntu has updated gnutls26, gnutls28 (multiple vulnerabilities), irssi (multiple vulnerabilities), iucode-tool (16.10, 16.04: code execution), libxpm (code execution), and ntfs-3g (16.10, 16.04: privilege escalation).

Kategóriák: Linux

The GNOME Foundation gets a new director

cs, 2017-02-02 01:41
The GNOME Foundation's long search for a new executive director has finally come to an end: Neil McGovern has taken the job. "McGovern is an experienced leader in Free Software projects and is best known for his role as Debian Project Leader from 2014-15. He has been on the Boards of numerous organizations, including Software in the Public Interest, Inc. and the Open Rights Group."
Kategóriák: Linux

[$] LWN.net Weekly Edition for February 2, 2017

cs, 2017-02-02 01:13
The LWN.net Weekly Edition for February 2, 2017 is available.
Kategóriák: Linux