Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 28 perc 51 másodperc

Announcing qboot, a minimal x86 firmware for QEMU

cs, 2015-05-21 17:57
The announcement of Clear Containers (which guest author Arjan van de Ven described in an LWN article from this week) seems to have sparked some interesting work on QEMU that resulted in qboot: "a minimal x86 firmware that runs on QEMU and, together with a slimmed-down QEMU configuration, boots a virtual machine in 40 milliseconds on an Ivy Bridge Core i7 processor." Paolo Bonzini announced the project (code is available at git://github.com/bonzini/qboot.git), which is quite new: "The first commit to qboot is more or less 24 hours old, so there is definitely more work to do, in particular to extract ACPI tables from QEMU and present them to the guest. This is probably another day of work or so, and it will enable multiprocessor guests with little or no impact on the boot times. SMBIOS information is also available from QEMU."
Kategóriák: Linux

Security advisories for Thursday

cs, 2015-05-21 16:32

Debian has updated libmodule-signature-perl (multiple vulnerabilities).

Debian-LTS has updated dnsmasq (information disclosure).

Fedora has updated wordpress (F21; F20: three vulnerabilities).

Oracle has updated docker (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities, one from 2005) and java-1.7.1-ibm (RHEL6&7: multiple vulnerabilities, one from 2005).

SUSE has updated gstreamer-0_10-plugins-bad (SLE11SP3: code execution) and xen (SLE12: multiple vulnerabilities).

Kategóriák: Linux

[$] LWN.net Weekly Edition for May 21, 2015

cs, 2015-05-21 02:48
The LWN.net Weekly Edition for May 21, 2015 is available.
Kategóriák: Linux

Security advisories for Wednesday

sze, 2015-05-20 18:50

Debian has updated icedove (multiple vulnerabilities), proftpd-dfsg (unauthenticated copying of files), and zendframework (multiple vulnerabilities).

Fedora has updated dovecot (F21; F20: denial of service), firefox (F20: multiple vulnerabilities), libtasn1 (F21: denial of service), php-ZendFramework2 (F21; F20: CRLF injection), and thunderbird (F20: multiple vulnerabilities).

Ubuntu has updated kernel (14.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: two vulnerabilities).

Kategóriák: Linux

[$] PostgreSQL: the good, the bad, and the ugly

sze, 2015-05-20 17:01
The PostgreSQL development community is working toward the 9.5 release, currently planned for the third quarter of this year. Development activity is at peak levels as the planned feature freeze for this release approaches. While this activity is resulting in the merging of some interesting functionality, including the long-awaited "upsert" feature, it is also revealing some fault lines within the community. The fact that PostgreSQL lacks the review resources needed to keep up with its natural rate of change has been understood for years; many other projects suffer from the same problem. But the pressures on PostgreSQL seem to be becoming more acute, leading to concerns about fairness in the community and the durability of the project's cherished reputation for high-quality software.
Kategóriák: Linux

20 years of Qt

sze, 2015-05-20 15:26
Lars Knoll marks the 20th anniversary of the Qt toolkit on the Qt blog. "From the beginning, Qt has been released with both open source and commercial licensing options. Over the years, we have worked on expanding this model, and nowadays, Qt is actually developed as an open source project. In this sense Qt is actually in a rather unique position, having a strong ecosystem with passionate people, as well as a commercial entity behind it, which backs up and funds most of the development."
Kategóriák: Linux

How to Make Money from Open Source Platforms (Linux.com)

k, 2015-05-19 22:48
Over at Linux.com, John Mark Walker examines why companies aren't making money on pure open source ventures. "It is not that there is no money in selling open source software, but rather that the business models have shifted. Whereas, under the old proprietary world, a larger percentage of money went to pure software vendors, now that money has spread among a larger spectrum of companies and industries; lots of people get paid to work on or with open source software, but an increasing number of them don’t work for software vendors, per se. In addition to looking in all the wrong places, the current investment model is suspicious of an open source approach. The vast majority of venture capitalists, especially in Silicon Valley, are very risk averse and shy away from open source products that, in their view, will not give as large a return on their investment. In order to secure the funding required to scale a company, investors will frequently require that the startup company include proprietary bits as tools to increase revenue and margins. These two factors - diffusion of revenue and risk-averse investors - combine to both give a false impression and, in part due to the false impression, prevent pure open source software vendors from getting funding."
Kategóriák: Linux

Tuesday's security updates

k, 2015-05-19 18:40

CentOS has updated thunderbird (C6; C5: multiple vulnerabilities).

Debian has updated kfreebsd-9 (denial of service) and xen (code execution).

Debian-LTS has updated commons-httpclient (multiple vulnerabilities) and ruby1.8 (man-in-the-middle attack).

Mageia has updated avidemux (multiple vulnerabilities), firefox, thunderbird, sqlite3 (multiple vulnerabilities), moodle (multiple vulnerabilities), php (multiple vulnerabilities), phpmyadmin (two vulnerabilities), and xbmc (denial of service).

openSUSE has updated clamav (13.2, 13.1: multiple vulnerabilities), docker (13.2: multiple vulnerabilities), and flash-player (13.2, 13.1: multiple vulnerabilities).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).

Ubuntu has updated thunderbird (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

Kategóriák: Linux

Goodbye, Pi. Hello, C.H.I.P. (Linux Journal)

h, 2015-05-18 22:03
Linux Journal takes a look at the C.H.I.P. mini-computer, an open software and hardware device that comes with a Debian-based OS. "The official public release is scheduled for next year, but crowdfunding backers will be able to land a "Kernel Hacker" package this September. This package is aimed at Linux developers who want to help to contribute to kernel modifications for the C.H.I.P. before its final release."
Kategóriák: Linux

Kernel prepatch 4.1-rc4

h, 2015-05-18 21:47
Linus has released the 4.1-rc4 kernel prepatch, saying: "So here it is, last-minute fix and all. The -rc4 patch is a bit bigger than the previous ones, but that seems to be mainly due to normal random timing - just the fluctuation of when submaintainer trees get pushed."
Kategóriák: Linux

Stable kernel updates

h, 2015-05-18 19:01
New stable kernels 4.0.4, 3.14.43, and 3.10.79 have been released. All of them contain important fixes throughout the tree.
Kategóriák: Linux

Security advisories for Monday

h, 2015-05-18 18:50

Arch Linux has updated thunderbird (multiple vulnerabilities).

CentOS has updated thunderbird (C7: multiple vulnerabilities).

Debian has updated libmodule-signature-perl (multiple vulnerabilities).

Debian-LTS has updated dpkg (integrity-verification bypass), nbd (denial of service), and tiff (multiple vulnerabilities).

Fedora has updated java-1.8.0-openjdk (F21: unspecified vulnerability), NetworkManager (F21: denial of service), phpMyAdmin (F21; F20: two vulnerabilities), qemu (F21: code execution), and t1utils (F21; F20: multiple vulnerabilities).

Mageia has updated ruby-rest-client (two vulnerabilities) and virtualbox (code execution).

openSUSE has updated flash-player (11.4: multiple vulnerabilities), qemu (13.2; 13.1: code execution), and firefox (11.4: multiple vulnerabilities).

Red Hat has updated thunderbird (RHEL5,6,7: multiple vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated KVM (SLE11SP3: code execution), qemu (SLE12: two vulnerabilities), and spice (SLE12; SLESDK12: denial of service).

Kategóriák: Linux

[$] An introduction to Clear Containers

h, 2015-05-18 18:04
Guest author Arjan van de Ven writes: "Containers are hot. Everyone loves them. Developers love the ease of creating a "bundle" of something that users can consume; DevOps and information-technology departments love the ease of management and deployment." A group at Intel is working on a new approach to containers called "Clear Containers"; click below (subscribers only) for an introduction to how these containers work.
Kategóriák: Linux

Hardening Hypervisors Against VENOM-Style Attacks (Xen Project Blog)

p, 2015-05-15 22:20
The Xen Project looks at a mechanism to mitigate vulnerabilities like VENOM that attack emulation layers in QEMU. "The good news is it’s easy to mitigate all present and future QEMU bugs, which the recent Xen Security Advisory emphasized as well. Stubdomains can nip the whole class of vulnerabilities exposed by QEMU in the bud by moving QEMU into a de-privileged domain of its own. Instead of having QEMU run as root in dom0, a stubdomain has access only to the VM it is providing emulation for. Thus, an escape through QEMU will only land an attacker in a stubdomain, without access to critical resources. Furthermore, QEMU in a stubdomain runs on MiniOS, so an attacker would only have a very limited environment to run code in (as in return-to-libc/ROP-style), having exactly the same level of privilege as in the domain where the attack started. Nothing is to be gained for a lot of work, effectively making the system as secure as it would be if only PV drivers were used." The Red Hat Security Blog also noted this kind of mitigation for VENOM-style attacks.
Kategóriák: Linux

Rust 1.0 released

p, 2015-05-15 19:15
Version 1.0 of the Rust language has been released. "The 1.0 release marks the end of that churn. This release is the official beginning of our commitment to stability, and as such it offers a firm foundation for building applications and libraries. From this point forward, breaking changes are largely out of scope (some minor caveats apply, such as compiler bugs). That said, releasing 1.0 doesn’t mean that the Rust language is “done”. We have many improvements in store. In fact, the Nightly builds of Rust already demonstrate improvements to compile times (with more to come) and includes work on new APIs and language features, like std::fs and associated constants."
Kategóriák: Linux

Friday's security updates

p, 2015-05-15 15:50

Arch Linux has updated wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities).

SUSE has updated flash-player (SLE12: multiple vulnerabilities).

Kategóriák: Linux

3 big lessons I learned from running an open source company (Opensource.com)

cs, 2015-05-14 21:58
Over at Opensource.com, Lucidworks co-founder and CTO Grant Ingersoll writes about lessons he has learned from running an open-source company. "You might ask, 'Why not open source it all and just provide support?' It's a fair question and one I think every company that open sources code struggles to answer, unless they are a data company (e.g., LinkedIn, Facebook), a consulting company, or a critical part of everyone's infrastructure (e.g., operating systems) and can live off of support alone. Many companies start by open sourcing to gain adoption and then add commercial features (and get accused of selling out), whereas others start commercial and then open source. Internally, the sales side almost always wants "something extra" that they can hang their quota on, while the engineers often want it all open because they know they can take their work with them."
Kategóriák: Linux

Thursday's security updates

cs, 2015-05-14 17:58

Arch Linux has updated qemu (code execution).

CentOS has updated firefox (C5: multiple vulnerabilities), kernel (C7: code execution), kvm (C5: code execution), qemu-kvm (C7; C6: code execution), and xen (C5: code execution).

Debian has updated iceweasel (multiple vulnerabilities) and qemu (multiple vulnerabilities).

Debian-LTS has updated icu (multiple vulnerabilities some from 2013).

Fedora has updated ca-certificates (F21: certificate changes), firefox (F21: multiple vulnerabilities), gnutls (F21: signature algorithm verification botch), libssh (F21: denial of service), and thunderbird (F21: two vulnerabilities).

Mageia has updated darktable (denial of service), kernel-linus (three vulnerabilities), kernel-tmb (multiple vulnerabilities), libraw (denial of service), qemu (code execution), rawtherapee (denial of service), ufraw and dcraw (denial of service), and wireshark (three dissector vulnerabilities).

Oracle has updated firefox (OL6: multiple vulnerabilities), kvm (OL5: denial of service), qemu-kvm (OL7; OL6: code execution), kernel (OL7; OL6; OL6; OL5: multiple vulnerabilities), and xen (OL5: code execution).

Scientific Linux has updated firefox (SL7,SL6,SL5: multiple vulnerabilities), kernel (SL7: code execution), kexec-tools (SL7: arbitrary file overwrite), pcs (SL7; SL6: privilege escalation), qemu-kvm (SL7; SL6: code execution), tomcat (SL7: HTTP request smuggling), and tomcat6 (SL6: HTTP request smuggling).

SUSE has updated kvm (SLE11SP3: denial of service).

Ubuntu has updated firefox (multiple vulnerabilities) and qemu, qemu-kvm (three vulnerabilities).

Kategóriák: Linux

[$] LWN.net Weekly Edition for May 14, 2015

cs, 2015-05-14 03:08
The LWN.net Weekly Edition for May 14, 2015 is available.
Kategóriák: Linux

Linux 3.19.y-ckt extended stable support

sze, 2015-05-13 21:08
Kamal Mostafa has announced that Canonical's kernel team will pick up stable maintenance of the 3.19 kernel series, until July 2016.
Kategóriák: Linux