Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 28 perc 2 másodperc

Security advisories for Monday

h, 2014-10-06 18:38

CentOS has updated libvirt (C7: two vulnerabilities).

Debian has updated exuberant-ctags (denial of service), mediawiki (code execution), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities).

Fedora has updated bash (F20: code injection), libvncserver (F19: multiple vulnerabilities), mediawiki (F20; F19: web script injection), nodejs-qs (F20; F19: denial of service), nodejs-send (F20; F19: directory traversal), phpMyAdmin (F20: cross-site scripting), and suricata (F20: denial of service).

Gentoo has updated bash (multiple vulnerabilities).

Kategóriák: Linux

The 3.17 kernel is out

h, 2014-10-06 02:10
Linus has released the 3.17 kernel, saying "So the past week was fairly calm, and so I have no qualms about releasing 3.17 on the normal schedule." This kernel includes four new system calls (getrandom(), seccomp(), memfd_create(), and kexec_file_load()), a bunch of internal work toward an eventual solution to the "year 2038" problem, multiqueue support in the SCSI layer, and much more.

Linus indicates that, due to travel, the 3.18 merge window may be longer than usual, but things have not always worked out that way in the past.

Kategóriák: Linux

Change of heart: Inkscape starts encouraging paid development (Libre Graphics World)

szo, 2014-10-04 01:05

Libre Graphics World (LGW) has taken a look at the newly announced funded-development policy adopted by the Inkscape project. "In a nutshell, if you have a decent track record in the project, and someone (community, enterprise, government, alien invaders) is willing to fund your work, you are welcome to get cracking, provided you reach mutual agreement with the Inkscape Board that a) the project idea makes sense, b) you really appear to have the expertise to work on it. You should also be prepared for your performance to be reviewed." LGW provides some important background, putting this new policy in the context of previous paid-development efforts—not only within Inkscape, but in comparison to other free-software graphics projects like Blender and Synfig. "Paid development in free/libre software projects is a complicated topic. Making this actually work involves far more than setting up a campaign at a crowdfunding platform and banging the drums to draw attention. And "opening the mind to the possibilities" seems to be second (more likely, tenth) to actually having human resources to allocate for organizing it all."

Kategóriák: Linux

Paquier: Postgres 9.5 feature highlight: Row-Level Security and Policies

p, 2014-10-03 19:57
The (distant) PostgreSQL 9.5 release is expected to have a new row-level security feature. This article from Michael Paquier describes how to make use of it. "This row control mechanism is controlled using a new query called CREATE POLICY (of course its flavor ALTER POLICY to update an existing policy and DROP POLICY to remove a policy exist as well). By default, tables have no restrictions in terms of how rows can be added and manipulated. However they can be made able to accept level restriction policies using ALTER TABLE and ENABLE ROW LEVEL SECURITY."
Kategóriák: Linux

Friday's security updates

p, 2014-10-03 15:41

Fedora has updated cups (F19: information disclosure).

Mandriva has updated libvirt (BS1: multiple vulnerabilities) and phpmyadmin (BS1: cross-site scripting).

Ubuntu has updated file (10.04, 12.04, 14.04: code execution), openssl (12.04: protocol downgrade), and openvpn (12.04: information disclosure).

Kategóriák: Linux

Schaller: Fedora Workstation Progress Report (Wayland and more)

p, 2014-10-03 00:12
Christian Schaller has a lengthy update on the progress of Fedora 21. He looks at a number of different features, including Wayland, GNOME 3.14, software installation (dnf and "Software"), and more. "This also highlights one of the advantages of the new Fedora product model where we have one clear desktop product we are targeting, that we can define operating system standards for things like application metadata and apply them to the system as a whole. So for Fedora 22 we expect to make appdata metadata a mandatory part of the application packaging for Fedora, ensuring that any desktop application packaged for Fedora is easily discover able by our users. In the old ‘bucket of parts’ model these things would in practice not happen as there was no clear target that everyone was expected to aim for."
Kategóriák: Linux

Karlitschek: A possible future for PHP

cs, 2014-10-02 19:52
On his blog, ownCloud founder Frank Karlitschek ponders the future of PHP. He doesn't regret choosing PHP for ownCloud, but does note that the language suffers from its mid-1990s roots, which he would like to see cleaned up and fixed at some point—in a fully compatible way. "I wish PHP would do something that makes it possible to evolve and improve the language significantly but still provides a smooth migration experience not like Perl and Python did with introducing completely new backward incompatible releases. So a good solution would be if PHP 6 or 7 [would] introduce a new tag to start a php file. For example <?PHPNEXT instead of <?PHP. Both modes are fully supported by the new PHP version and can be used in parallel in the same application or even in the same file. In the NEXT section the new and improved syntax is used." He goes on to list the changes he would like to see in the language.
Kategóriák: Linux

Zalewski on the other bash RCEs (CVE-2014-6277 and CVE-2014-6278)

cs, 2014-10-02 17:21
Those interested in the more recently discovered bash vulnerabilities will likely want to have a look at this detailed posting from Michal Zalewski. Then make sure your systems are updated. "I initially shared the findings privately with vendors, but because of the intense scrutiny that this codebase is under, the ease of reproducing these results with an open-source fuzzer, and the now-broad availability of upstream mitigations, there seems to be relatively little value in continued secrecy."
Kategóriák: Linux

OpenWRT "Barrier Breaker" 14.07 released

cs, 2014-10-02 16:39
The long-awaited OpenWRT 14.07 release is out. It includes an update to the 3.10 kernel, a new init system (procd), improved IPv6 support, support for system snapshots and rollbacks, support for dynamic firewall rules, a new MDNS daemon, DNSSEC validation support, and more.
Kategóriák: Linux

Security updates for Thursday

cs, 2014-10-02 16:26

Oracle has updated libvirt (OL7: two vulnerabilities).

Red Hat has updated libvirt (RHEL7: two vulnerabilities).

Kategóriák: Linux

[$] LWN.net Weekly Edition for October 2, 2014

cs, 2014-10-02 02:12
The LWN.net Weekly Edition for October 2, 2014 is available.
Kategóriák: Linux

[$] Bash gets shellshocked

sze, 2014-10-01 21:37
It's been a crazy week for the Bash shell, its maintainer, and many Linux distributions that use the shell. A remote code-execution vulnerability that was reported on September 24 has now morphed into multiple related vulnerabilities, which have now mostly been fixed and updates released by distributions. The vulnerabilities have been dubbed "Shellshock" and the technical (and mainstream) press has had a field day reporting on the incident. It all revolves around a somewhat dubious Bash feature, but the widespread use of Bash in places where it may not really make sense contributed to the severity of the bug.
Kategóriák: Linux

Security advisories for Wednesday

sze, 2014-10-01 19:32

CentOS has updated kernel (Xen4CentOS: multiple vulnerabilities), libvirt (Xen4CentOS: memory leak), xen (Xen4CentOS: multiple vulnerabilities, and xen (Xen4CentOS: information disclosure).

Debian has updated rsyslog (denial of service) and xen (multiple vulnerabilities).

Fedora has updated python (F20: buffer overflow).

Mageia has updated bash (multiple vulnerabilities).

Mandriva has updated perl-Email-Address (denial of service) and xerces-j2 (unspecified vulnerability).

Red Hat has updated openstack-glance (RHEL OSP for RHEL7; RHEL OSP for RHEL6: denial of service), openstack-neutron (RHEL OSP for RHEL6: privilege escalation), and python-django-horizon (RHEL OSP for RHEL7; RHEL OSP for RHEL6: cross-site scripting).

SUSE has updated mozilla-nss (SLES10 SP4: signature forgery).

Ubuntu has updated libvirt (information disclosure/denial of service).

Kategóriák: Linux

[$] How implementation details become ABI: a case study

sze, 2014-10-01 16:21
One of the final changes that went into the mainline kernel repository before the 3.17-rc7 release was this fix from Mikhail Efremov. It affects some low-level code within the virtual filesystem layer that manages name changes in the dentry structure — the structure that handles the mapping between file names and in-kernel inode structures. How that change came to be necessary makes a good lesson in how unintended behaviors can become part of the kernel's ABI over time.
Kategóriák: Linux

Learn how to support women in open source (opensource.com)

sze, 2014-10-01 01:03
Opensource.com covers the Ada Initiative's Ally Skills Workshop, a training session designed to help allies learn how to support women in open source. "While the goal of Ally Skills Workshop is to teach everyone how to best provide support to women in open source, many of the scenarios covered teach skills that extend beyond supporting women. The scenarios about "creating a friendly environment for women" provide lessons that are applicable to creating welcoming environments for anyone. Another scenario covers what to do when a woman's contributions to a meeting are ignored or co-opted. Being ignored at a meeting is something women experience, but men who are introverted or "quiet" experience this as well. Implementing the lessons learned from that scenario will make it so that all of your colleagues are heard at meetings and have their contributions acknowledged."
Kategóriák: Linux

Linux Foundation launches the Open Platform for NFV project

k, 2014-09-30 22:32
The Linux Foundation has announced the founding of the Open Platform for NFV Project (OPNFV). "Network Functions Virtualization (NFV) and Software-Defined Networking (SDN) are part of the overall industry shift towards network and application virtualization. Together they are expected to dramatically change the networking landscape, allowing providers to deliver new services to their customers more quickly while significantly reducing both operating and capital expenditures. These technologies bring both cloud computing and Information Technology (IT) capabilities and benefits into the telecom industry, enabling new levels of flexibility and business growth opportunities for providers. Service provider applications have different demands than most IT applications, so an open platform integrating multiple open source components and ensuring continuous testing for carrier-grade service performance is essential to this transition. OPNFV will establish a carrier-grade, integrated, open source reference platform that industry peers will build together to advance the evolution of NFV and ensure consistency, performance and interoperability among multiple open source components. Because multiple open source NFV building blocks already exist, OPNFV will work with upstream projects to coordinate continuous integration and testing while filling development gaps."
Kategóriák: Linux

Tuesday's security updates

k, 2014-09-30 19:22

CentOS has updated automake (C5: code execution), bash (C5: command execution), bash (C5: two vulnerabilities), bind97 (C5: denial of service), conga (C5: multiple vulnerabilities), krb5 (C5: multiple vulnerabilities), nss (C5: signature forgery), nss, nspr (C5: multiple vulnerabilities), php (C7; C6; C5: multiple vulnerabilities), and xerces-j2 (C7; C6: unspecified vulnerability).

Fedora has updated kernel (F19: multiple vulnerabilities).

Oracle has updated php (OL7; OL6: multiple vulnerabilities) and xerces-j2 (OL7; OL6: unspecified vulnerability).

Red Hat has updated MRG Realtime (RHE MRG: multiple vulnerabilities), php (RHEL7; RHEL5&6: multiple vulnerabilities), and xerces-j2 (RHEL6&7: unspecified vulnerability).

Scientific Linux has updated xerces-j2 (SL6: unspecified vulnerability).

Slackware has updated bash (command execution).

SUSE has updated bash (SLE12; SUSE Manager: multiple vulnerabilities), bash (SLE12: command execution), and mozilla-nss (SLES11 SP1, SLES10 SP3: signature forgery).

Ubuntu has updated libvncserver (14.04, 12.04: multiple vulnerabilities).

Kategóriák: Linux

Interview with openSUSE chairman Richard Brown (./themukt)

k, 2014-09-30 18:08
Swapnil Bhartiya interviews Richard Brown, the new openSUSE chairman of the board. "The Chairman is appointed by SUSE, and by and large, my role is to be an active Board member, with the same roles and responsibilities as my colleagues on the Board. In addition I have a few additional responsibilities within SUSE, such as being a central point of contact for issues related to openSUSE, and communicating and representing the communities interests and activities within the company. I suppose it also means something more to the outside world, or else we wouldn’t be having this interview."
Kategóriák: Linux

Debian may drop kFreeBSD from the Jessie release

k, 2014-09-30 17:54
The latest Debian "Bits from the release team" posting has a sharply worded warning to the kFreeBSD developers: their work may not be a part of the Jessie release. "We therefore advise the kFreeBSD porters that the port is in danger of being dropped from Jessie, and invite any porters who are able to commit to working on the port in the long term to make themselves known *now*. The factor that gives us greatest concern is the human resources available to the port."
Kategóriák: Linux

Security advisories for Monday

h, 2014-09-29 20:06

Debian has updated chromium-browser (multiple vulnerabilities).

Fedora has updated libvncserver (F20: multiple vulnerabilities), nodejs (F20; F19: denial of service), perl-Data-Dumper (F20: denial of service), and v8 (F20; F19: multiple vulnerabilities).

Mageia has updated bash (code injection, command execution) and kernel (MG3: denial of service).

Mandriva has updated perl-XML-DT (file overwrites).

openSUSE has updated bash (13.1, 12.3; 12.3; 13.1; 11.4; 13.2: multiple vulnerabilities), dbus-1 (13.1; 12.3: multiple vulnerabilities), kernel (11.4: multiple vulnerabilities), geary (13.1: TLS certificate issues), bash (11.4: command execution), mozilla-nss (13.1, 12.3: signature forgery), NSS (11.4: signature forgery), php5 (11.4: multiple vulnerabilities), php5 (11.4: more vulnerabilities), srtp (13.1: denial of service), and wireshark (13.1, 12.3: multiple vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities), thunderbird: (multiple vulnerabilities) and seamonkey (multiple vulnerabilities).

SUSE has updated bash (SLE11, SLE10: multiple vulnerabilities) and mozilla-nss (SLES11 SP2: signature forgery).

Kategóriák: Linux