Népszerű fórum témák
FreeBSD Project News
Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 25 perc 52 másodperc
Arch Linux has updated lhasa (code execution).
Debian has updated chromium-browser (multiple vulnerabilities).
Fedora has updated cryptopp (F24: information disclosure), libtasn1 (F24: denial of service), poppler (F23: code execution), qpid-proton (F23: TLS to plaintext downgrade), and samba (F24: multiple vulnerabilities).
openSUSE has updated java-1_7_0-openjdk (13.1: sandbox bypass).
Over at the Freedom to Tinker blog, guest poster Vitaly Shmatikov, who is a professor at Cornell Tech, writes about his study [PDF] of what URL shortening means for the security and privacy of cloud services. "TL;DR: short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices. We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments."
Mageia has updated apache-commons-collections (code execution), imlib2 (three vulnerabilities), mercurial (three vulnerabilities), optipng (two vulnerabilities), postgresql (two vulnerabilities), python-pillow (code execution), and thunderbird (unspecified).
SUSE has updated samba (SLE11SP2: multiple vulnerabilities).
The LWN.net Weekly Edition for April 14, 2016 is available.
CentOS has updated samba (C6; C5: multiple vulnerabilities), ipa (C7; C6: multiple vulnerabilities), libldb (C7; C6: multiple vulnerabilities), libtalloc (C7; C6: multiple vulnerabilities), libtdb (C7; C6: multiple vulnerabilities), libtevent (C7; C6: multiple vulnerabilities), openchange (C7; C6: multiple vulnerabilities), samba (C7: multiple vulnerabilities), samba4 (C6: multiple vulnerabilities), and samba3x (C5: multiple vulnerabilities).
Red Hat has updated samba (RHEL7.1; RHEL6; RHEL6.2,6.4,6.5,6.6; RHEL5; RHEL5.6,5.9; RHEL4: multiple vulnerabilities), samba, samba4 (RHEL6,7: multiple vulnerabilities), samba3x (RHEL5; RHEL5.6,5.9: multiple vulnerabilities), and samba4 (RHEL6.2,6.5,6.6: multiple vulnerabilities).
CoreOS has announced the release of its "Ignition" provisioning tool. "At the the most basic level, Ignition is a tool for manipulating disks during early boot. This includes partitioning disks, formatting partitions, writing files, and configuring users." It runs as the first process — before systemd — to get the system into the proper shape before the ordinary boot process takes over.
The Intelligent Platform Management Interface (IPMI) is a set of system-management-and-monitoring APIs typically implemented on server motherboards via an embedded system-on-chip (SoC) that functions completely outside of the host system's BIOS and operating system. While it is intended as a convenience for those who must manage dozens or hundreds of servers in a remote facility, IPMI has been called out for its potential as a serious hole in server security. At the 2016 Embedded Linux Conference in San Diego, Tian Fang presented Facebook's recent work on OpenBMC, a Linux distribution designed to replace proprietary IPMI implementations with an open-source alternative built around standard facilities like SSH.
Stable kernels 4.5.1, 4.4.7, and 3.14.66 have been released. All of them contain important fixes throughout the tree.
The details for the "Badlock" vulnerability in the SMB DCE-RPC protocol have finally been disclosed, along with the obligatory logo and domain name; there is no word on the availability of hats and T-shirts yet. It is a man-in-the-middle attack that can allow an attacker to access files in an SMB share, or gain access to Active Directory administrative tools, with the permissions of the intercepted user. "Please update your systems. We are pretty sure that there will be exploits soon. Engineers at Microsoft and the Samba Team worked together during the past months to get this problem fixed."
The Let's Encrypt project, which is working to enable encrypted communications across the web, has announced that it has gained more sponsors and no longer considers itself to be in a "beta" state. "Since our beta began in September 2015 we’ve issued more than 1.7 million certificates for more than 3.8 million websites. We’ve gained tremendous operational experience and confidence in our systems. The beta label is simply not necessary any more."
openSUSE has updated cairo (13.2: denial of service), clamav-database (Leap42.1: database refresh), java-1_7_0-openjdk (Leap42.1: sandbox bypass), java-1_8_0-openjdk (Leap42.1: sandbox bypass), and kernel (Leap42.1: multiple vulnerabilities).
Ubuntu has updated linux-lts-utopic (14.04: regression in previous update).
Richard Stallman looks at the GPL and how it is incompatible with the CDDL (Common Development and Distribution License), which is the license used by ZFS. "Likewise, the copyright holders of ZFS (the version that is actually used) can give permission to use it under the GNU GPL, version 2 or later, in addition to any other license. This would make it possible to combine that version with Linux without violating the license of Linux. This would be the ideal resolution and we urge the copyright holders of ZFS to do so. Some copyright holders choose not to enforce their licenses in specific situations. That enables users to operate as if permission were granted. However, this does not alter the meaning of the GNU GPL, and does not cause uses that the GPL disallows to either suddenly or slowly become permitted by the GPL. Such acquiescence is not the case in regard to linking Linux and ZFS; indeed, some Linux copyright holders have said they consider this copyright infringement. We have explained above the reasons why that is so."
Eben Moglen opines on the role of the Linux Foundation, and on GPL enforcement in general. "LF will be as favorable to copyleft as its members are. Copyleft licensing is easy for businesses to doubt: required sharing of work that could be instead 'owned' by the capital investors seems to be mere loss in conventional calculations. I have spent most of my adult lifetime not telling businesses that copyleft was in their interest, but educating them about copyleft and others’ experience with it, in order to allow them to draw their own conclusions. Experience has taught me that this process, though uncertain and unscalable, is absolutely crucial to the attainment of the free software movement’s fundamental objectives. It is, however, all too easily destroyed by any form of overly aggressive copyleft enforcement that fully confirms businesspeople’s skepticism."
Sasha Levin has announced the creation of the "linux-stable security tree" project. The idea is to take the current stable updates and filter out everything that isn't identified as a security fix. "Quite a few users of the stable trees pointed out that on complex deployments, where validation is non-trivial, there is little incentive to follow the stable tree after the product has been deployed to production. There is no interest in 'random' kernel fixes and the only requirements are to keep up with security vulnerabilities."
Arch Linux has updated flashplugin (multiple vulnerabilities).
Fedora has updated fuse-encfs (F23; F22: cryptography issues), kernel (F23; F22: multiple vulnerabilities), latex2rtf (F23; F22: code execution), php (F23; F22: multiple vulnerabilities), python-pillow (F23; F22: buffer overflow), qemu (F22: multiple denial of service vulnerabilities), and xen (F23; F22: information disclosure).
The 4.6-rc3 kernel prepatch has been released, but there does not appear to be an announcement from Linus to go with it. As he predicted, the pace of change has increased a bit; 298 changesets have been merged since -rc2, out of 491 total since the closing of the merge window.
Update: your editor has found the missing 4.6-rc3 announcement. It seems it went to the filesystems list only; Linus apparently had filesystems on his mind. "What _is_ surprising, though, is that about half the bulk of the rc3 patch is to filesystem code. I don't recall that before, and that surprised me - I had to go look for the reason. It turns out that while we have indeed got changes to several filesystems (btrfs, ext4, orangefs, f2fs), but the big reason was simply from us getting rid of the PAGE_CACHE_SIZE macro and just using PAGE_SIZE everywhere."
WordPress has announced free HTTPS for all custom domains hosted on WordPress.com. "The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately starting working with Let’s Encrypt to make the process smoother for our massive and growing list of domains. For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity."
Mageia has updated flash-player-plugin (multiple vulnerabilities).
Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).
SUSE has updated flash-player (SLE12-SP1: code execution).
Ubuntu has updated firefox (regression in previous update).
OpenStack Mitaka has been released. "OpenStack Mitaka, the 13th release of the most widely deployed open source software for building clouds, now offers greater manageability and scalability as well as an enhanced end-user experience. The Mitaka release was designed and built by an international community of 2,336 developers, operators and users from 345 organizations. OpenStack has become the cloud platform of choice for enterprises and service providers, as an integration engine to manage bare metal, virtual machines, and container orchestration frameworks with a single set of APIs." More information can be found in the release notes. There is also a press release available.
SUSE has updated rubygem-actionpack-3_2 (SLE11SP4, Webyast 1.3, Studio Onsite 1.3, Lifecycle Management Server 1.3: two vulnerabilities).
HUP napi hírlevél
Legfrissebb HUP képek
Téglásítottál (brick) már el eszközt életedben (mobil, router, konzo, tablet stb.)?
Igen, de helyrehoztam.
Igen, de nem tudtam helyrehozni. Más helyrehozta.
Igen és helyrehozhatatlan lett.
Nem, de debrick-eltem más által eltéglásított eszközt.
Összes szavazat: 446