Linux Weekly News

Feed aggregation
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 7 minutes 33 seconds ago

The Perl 6 release

Sun, 2015-12-27 10:13
The December 24 entry in the Perl 6 advent calendar describes the "coming out" of Perl 6. "Of course, she’s still just 15. She does some things really well now. Her communication skills are pretty good, and she is very polite when she can’t understand you. She can carry on several conversations at once. She’s getting pretty good at math, and shows skill in manipulating objects of various sorts. She loves foreign languages, and all those funny characters."

The December 25 entry follows with the Rakudo Perl 6 release. "This version of the compiler targets the v6.c 'Christmas' specification of the Perl 6 language. The Perl 6 community has been working toward this release over the last 15 years."

Categories: Linux

Darktable 2.0 released

Thu, 2015-12-24 22:00
Version 2.0 of the darktable photo editor has been released. The list of new features is long; see LWN's review from November for the details.
Categories: Linux

Thursday's security updates

Thu, 2015-12-24 18:47

Mageia has updated dpkg (code execution), keepassx (information disclosure), mediawiki (multiple vulnerabilities), php-phpmailer (message injection), and proftpd (denial of service).

openSUSE has updated firefox (multiple vulnerabilities), glibc (13.2: pointer guard circumvention), ldb, samba, talloc, tdb, tevent (42.1: multiple vulnerabilities), and samba, ldb, talloc, tdb, tevent (13.2, 13.1: multiple vulnerabilities).

Slackware has updated mozilla-thunderbird (multiple vulnerabilities).

SUSE has updated the Linux Kernel (SLE11SP4: multiple vulnerabilities).

Categories: Linux

Rutkowska: State considered harmful - A proposal for a stateless laptop

Thu, 2015-12-24 11:51
Qubes OS creator Joanna Rutkowska has announced a new paper [PDF] describing a stateless laptop design that, she thinks, will address a number of the security problems she sees as being inherent in the Intel architecture. "The Trusted Stick, a small device of a 'USB stick' or an SD card form factor, is an element that the user always carries with themselves and which contains all the 'state' for the platform. This includes the (encrypted) user files and platform configuration. It also is expected to carry all the software and – what is unique as of today – firmware for the platform, and also enforce read-onlyness of these."
Categories: Linux

[$] LWN.net Weekly Edition for December 24, 2015

Thu, 2015-12-24 01:08
The LWN.net Weekly Edition for December 24, 2015 is available.
Categories: Linux

Kirkland: More people use Ubuntu than anyone actually knows

Wed, 2015-12-23 19:15
Dustin Kirkland feels that Ubuntu users have been undercounted, and so has put together a census of his own. "Ever watch a movie on Netflix? You were served by Ubuntu. Ever hitch a ride with Uber or Lyft? Your mobile app is talking to Ubuntu servers on the backend. Did you enjoy watching The Hobbit? Hunger Games? Avengers? Avatar? All rendered on Ubuntu at WETA Digital." In the end, he says, there are over one billion Ubuntu users.
Categories: Linux

Security advisories for Wednesday

Wed, 2015-12-23 18:14

Arch Linux has updated claws-mail (code execution).

CentOS has updated qemu-kvm (C6: two vulnerabilities).

Debian has updated libxml2 (multiple vulnerabilities).

Fedora has updated kernel (F23: three vulnerabilities), subversion (F23: code execution), and xen (F23: three vulnerabilities).

openSUSE has updated Chromium (Leap42.1, 13.2, 13.1; SPH for SLE12: code execution), compat-openssl098 (Leap42.1: memory leak), and quassel (Leap42.1, 13.2, 13.1: denial of service).

Oracle has updated qemu-kvm (OL6: two vulnerabilities).

Red Hat has updated qemu-kvm (RHEL6: two vulnerabilities) and qemu-kvm-rhev (RHELOSP5: two vulnerabilities).

Scientific Linux has updated qemu-kvm (SL6: two vulnerabilities).

Slackware has updated blueman (privilege escalation).

Categories: Linux

WebExtensions in Firefox 45

Wed, 2015-12-23 00:49
The Mozilla Add-ons blog takes a look at the work going on around the WebExtensions API. "WebExtensions is currently in an alpha state, so while this is a great time to get involved, please keep in mind that things might change if you decide to use it in its current state. Since August, we’ve closed 77 bugs and ramped up the WebExtensions team at Mozilla. With the release of Firefox 45 in March 2016, we’ll have full support for the following APIs: alarms, contextMenus, pageAction and browserAction. Plus a bunch of partially supported APIs: bookmarks, cookies, extension, i18n, notifications, runtime, storage, tabs, webNavigation, webRequest, windows."
Categories: Linux

Security updates for Tuesday

Tue, 2015-12-22 19:50

Debian has updated foomatic-filters (command execution).

Fedora has updated bind (F22: two vulnerabilities), bind-dyndb-ldap (F22: two vulnerabilities), dnsperf (F22: two vulnerabilities), firefox (F22: multiple vulnerabilities), jenkins (F22: multiple vulnerabilities), and kernel (F22: multiple vulnerabilities).

Oracle has updated jakarta-commons-collections (OL5: code execution).

Red Hat has updated openstack-ironic-discoverd (RHELOSP6: command execution), openstack-nova (RHELOSP7; RHELOSP5: insecure VM instances), and RHELOSP7 director (RHEL7: two vulnerabilities).

Scientific Linux has updated abrt and libreport (SL7: multiple vulnerabilities), autofs (SL7: privilege escalation), binutils (SL7: multiple vulnerabilities), chrony (SL7: multiple vulnerabilities), cpio (SL7: denial of service), cups-filters (SL7: code execution), curl (SL7: multiple vulnerabilities), file (SL7: multiple vulnerabilities), git (SL7: code execution), glibc (SL7: privilege escalation), glibc (SL7: multiple vulnerabilities), grep (SL7: heap buffer overrun), grub2 (SL7: Secure Boot circumvention), grub2 (SL7: code execution), jakarta-commons-collections (SL5: code execution), kernel (SL7: multiple vulnerabilities), kernel (SL7: two vulnerabilities), krb5 (SL7: two vulnerabilities), libpng (SL7: two vulnerabilities), libpng12 (SL7: multiple vulnerabilities), libssh2 (SL7: information leak), libxml2 (SL7: multiple vulnerabilities), net-snmp (SL7: denial of service), netcf (SL7: denial of service), NetworkManager (SL7: two vulnerabilities), ntp (SL7: multiple vulnerabilities), openhpi (SL7: world writable /var/lib/openhpi directory), openldap (SL7: unintended cipher usage), openssh (SL7: multiple vulnerabilities), pacemaker (SL7: privilege escalation), pcs (SL7: denial of service), python (SL7: multiple vulnerabilities), realmd (SL7: unsanitized input), rest (SL7: denial of service), rubygem-bundler, rubygem-thor (SL7: installs malicious gem files), squid (SL7: certificate validation bypass), sssd (SL7: memory leak), tigervnc (SL7: two vulnerabilities), unbound (SL7: denial of service), wireshark (SL7: multiple vulnerabilities), and xfsprogs (SL7: information disclosure).

SUSE has updated bind (SLE12; SLE11SP2,3,4: denial of service), firefox (SLE12SP1; SLE11SP3,4; SLE11SP2: multiple vulnerabilities), rubygem-passenger (SLE12: environment variable injection), strongswan (SLE12SP1: authentication bypass), and kernel (SLE11SP4: multiple vulnerabilities).

Categories: Linux

Green: On the Juniper backdoor

Tue, 2015-12-22 14:29
Here's an interesting article from cryptographer Matthew Green on how the Juniper backdoor is the least interesting part of this whole episode. "Thus Dual EC is safe only if you assume no tiny bug in the code could accidentally leak out 30 bytes or so of raw Dual EC output. If it did, this would make all subsequent seeding calls predictable, and thus render all numbers generated by the system predictable. In general, this would spell doom for the confidentiality of VPN connections. And unbelievably, amazingly, who coulda thunk it, it appears that such a bug does exist in many versions of ScreenOS, dating to both before and after the 'unauthorized code' noted by Juniper."
Categories: Linux

Android on the desktop: Not really “good,” but better than you’d think (Ars Technica)

Tue, 2015-12-22 01:00
Ars Technica reports that Google has plans to bring Android to desktops and laptops. "We've Frankensteined together a little Android desktop setup using a Nexus 9 and a USB keyboard and mouse to see just how easy—or complicated—it was to use what is still formally a "mobile" operating system in a desktop context today, right now, without complicated changes or reconfigurations. It worked, but Android still has a ways to go before it can be called a real desktop operating system—quite a ways, in some cases. The biggest affordance Android makes for a desktop OS is that it supports a keyboard and mouse. Any Android device can pair with a Bluetooth mouse and keyboard, and if you want to go the wired route, just about any phone can plug in a mouse and keyboard via a USB OTG cable and a USB hub. Some OEMs even build Android devices with a keyboard and mouse, like the Asus Transformer series, which is a convertible laptop that runs Android."
Categories: Linux

Security advisories for Monday

Mon, 2015-12-21 18:22

CentOS has updated jakarta-commons-collections (C5: code execution).

Debian has updated blueman (privilege escalation) and tomcat8 (Security Manager bypass).

Fedora has updated bind (F23: two vulnerabilities), bind-dyndb-ldap (F23: two vulnerabilities), bind99 (F23: denial of service), cups-filters (F23: command execution), dhcp (F23: denial of service), dnsperf (F23: two vulnerabilities), libsndfile (F23: two vulnerabilities), p7zip (F22: directory traversal), xen (F22: multiple vulnerabilities), and xsupplicant (F23; F22: insecure temporary files).

Gentoo has updated gdk-pixbuf (multiple vulnerabilities), grub (code execution), and openssh (multiple vulnerabilities).

Mageia has updated bind (denial of service) and grub2 (code execution).

openSUSE has updated libressl (Leap42.1, 13.2: two vulnerabilities) and libXfont (Leap42.1, 13.2, 13.1: regression in previous update).

Red Hat has updated jakarta-commons-collections (RHEL5: code execution).

SUSE has updated ldb, samba, talloc, tdb, tevent (SLE12; SLE12SP1: multiple vulnerabilities).

Ubuntu has updated kernel (15.10; 15.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: ), and linux-raspi2 (15.10: privilege escalation).

Categories: Linux

Cracking Linux with the backspace key?

Mon, 2015-12-21 16:12
Anybody who has been paying attention to the net over the last week or so will certainly have noticed an abundance of articles with titles like "How to hack any Linux machine just using backspace". All this press does indeed highlight an important vulnerability, but it may not be the one that they think they are talking about.

Click below (no subscription required) for the full text.

Categories: Linux

Kernel prepatch 4.4-rc6

Mon, 2015-12-21 10:51
The 4.4-rc6 kernel prepatch is out. "Things remain fairly normal. Last week rc5 was very small indeed, this week we have a slightly bigger rc6. The main difference is that rc6 had a network pull in it."
Categories: Linux

First Plasma Wayland Live Image (KDE.News)

Fri, 2015-12-18 23:09
Over at KDE.News, Jonathan Riddell has announced the availability of the first live image [1.2GB ISO] of the KDE Plasma desktop running atop Wayland. "The central component in this is our window manager, KWin, which has moved from drawing borders on the edges of windows to running the full compositor and talking the Wayland protocols which allow applications to draw on screen and be interacted with. Users of the image will notice some obvious glitches, it is certainly not ready for everyday use yet, but the advantages of more secure workspaces, easier feature extendibility and graphics free of tearing and glitches will be appreciated by everybody. Work on this has been ongoing since 2011 and is expected to take years rather than months before a completely transparent switch away from X will be possible. Find more about the project on the KWin Wayland wiki pages."
Categories: Linux

Jolla: not dead yet

Fri, 2015-12-18 23:04
The Jolla company blog announces that the company has closed a new round of funding and will not be shutting down after all. "This investment enables the continuation of Sailfish OS development, the community activities and other company operations. It’s clear that this recent struggle hit us hard and left some battle wounds but most importantly this means that the development and life of Sailfish OS will continue strong. This alone is worth a celebration!"
Categories: Linux

Security updates for Friday

Fri, 2015-12-18 19:08

Arch Linux has updated python2-pyamf (denial of service).

Debian has updated kernel (multiple vulnerabilities, including one from 2013).

Debian-LTS has updated foomatic-filters (?:) and virtualbox-ose (no longer supported in Debian 6).

Fedora has updated firefox (F23: multiple vulnerabilities), libldb (F23; F22: remote memory disclosure), libpng10 (F23; F22: code execution), libtalloc (F23; F22: remote memory disclosure), libtdb (F23; F22: remote memory disclosure), libtevent (F23; F22: remote memory disclosure), and samba (F23: multiple vulnerabilities).

Gentoo has updated dnsmasq (information disclosure) and ipython (?:).

Mageia has updated chromium-browser-stable (code execution) and python-pygments (code execution).

Red Hat has updated chromium-browser (RHEL6: code execution) and openshift (RHOSE2.2: information leak).

Scientific Linux has updated bind (SL6: denial of service) and firefox (SL5&6: multiple vulnerabilities).

Slackware has updated grub (password bypass) and libpng (read underflow).

SUSE has updated kernel (SLE12SP1: multiple vulnerabilities).

Ubuntu has updated linux-lts-wily (14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: denial of service), and sosreport (15.10, 15.04, 14.04: two vulnerabilities, including one from 2014).

Categories: Linux

Linux Foundation announces project to "advance blockchain technology"

Thu, 2015-12-17 18:35
The Linux Foundation has announced a new collaborative project to "develop an enterprise grade, open source distributed ledger framework" to allow developers to build "robust, industry-specific applications, platforms and hardware systems to support business transactions". Twenty companies have joined the effort: Accenture, ANZ Bank, Cisco, CLS, Credits, Deutsche Börse, Digital Asset Holdings, DTCC, Fujitsu Limited, IC3, IBM, Intel, J.P. Morgan, London Stock Exchange Group, Mitsubishi UFJ Financial Group (MUFG), R3, State Street, SWIFT, VMware, and Wells Fargo. "Many of the founding members are already investing considerable research and development efforts exploring blockchain applications for industry. IBM intends to contribute tens of thousands of lines of its existing codebase and its corresponding intellectual property to this open source community. Digital Asset is contributing the Hyperledger mark, which will be used as the project name, as well as enterprise grade code and developer resources. R3 is contributing a new financial transaction architectural framework designed to specifically meet the requirements of its global bank members and other financial institutions. These technical contributions, among others from a variety of companies, will be reviewed in detail in the weeks ahead by the formation and Technical Steering Committees."
Categories: Linux

Security advisories for Thursday

Thu, 2015-12-17 17:03

Arch Linux has updated ruby (code execution).

CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), and firefox (C7; C6; C5: multiple vulnerabilities).

Debian has updated cacti (SQL injection), gdk-pixbuf (incomplete fix for earlier code execution flaw), grub2 (code execution), iceweasel (multiple vulnerabilities), subversion (code execution), and tryton-server (access check bypass).

Debian-LTS has updated bind9 (denial of service).

Fedora has updated grub2 (F22: code execution), qemu (F23: three vulnerabilities), and xen (F23: multiple vulnerabilities).

Mageia has updated cups-filters (code execution), firefox (multiple vulnerabilities), libpng (two vulnerabilities), potrace (code execution), quassel (denial of service), and redis (denial of service).

openSUSE has updated chromium (42.1, 13.2, 13.1; SPHSLE12: multiple vulnerabilities) and openssl (42.1; 13.2, 13.1: three vulnerabilities).

Oracle has updated bind (OL7; OL6; OL5: denial of service), bind97 (OL5: denial of service), and firefox (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated bind (RHEL6&7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and firefox (multiple vulnerabilities).

Scientific Linux has updated bind (SL5: denial of service) and bind97 (SL5: denial of service).

Ubuntu has updated cups-filters (15.10, 15.04, 14.04: code execution), foomatic-filters (12.04: code execution), kernel (12.04; 14.04; 15.04; 15.10: multiple vulnerabilities), linux-lts-trusty (12.04: three vulnerabilities), linux-lts-utopic (14.04: three vulnerabilities), and linux-lts-vivid (14.04: multiple vulnerabilities).

Categories: Linux

Cannon: Why Python 3 exists

Thu, 2015-12-17 16:02
Brett Cannon reminds the world why the Python developers decided to create Python 3 — and acknowledges that the transition could have been done better. "This point of avoiding bugs is a big deal that people forget. The simplification of the language and the removal of the implicitness of what a str object might represent makes code less bug-prone. The Zen of Python points out that 'explicit is better than implicit' for a reason: ambiguity and implicit knowledge that is not easily communicated code is easy to get wrong and leads to bugs. By forcing developers to explicitly separate out their binary data and textual data it leads to better code that has less of a chance to have a certain class of bug."
Categories: Linux