Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Pomerantz and Peek: Fifty shades of open

Tue, 2016-05-17 01:00
Jeffrey Pomerantz and Robin Peek seek to disambiguate the word "open", as it is used or misused today. Examples include open source, open access, open society, open knowledge, open government, and so on. "From the common ancestor Free Software, the term “open” diversified, filling a wide range of niches. The Open Source Definition gave rise to a number of other definitions, articulating openness for everything from hardware to knowledge. Inspired by the political philosophy of openness, the Open Society Institute funded the meeting at which the Budapest Open Access Initiative declaration was created. Open Access then gave rise to a wide range of other opens concerned with scholarship, publication, and cultural heritage generally. This spread of openness can be seen as the diversification of a powerful idea into a wide range of resources and services. It can also be seen more importantly as the arrival, society-wide, of an idea whose time has come ... an idea with political, legal, and cultural impacts." (Thanks to Paul Wise)
Categories: Linux

Security updates for Monday

Mon, 2016-05-16 18:35

Arch Linux has updated glibc (two vulnerabilities), lib32-glibc (two vulnerabilities), and thunderbird (multiple vulnerabilities).

CentOS has updated thunderbird (C5: two vulnerabilities).

Debian has updated icedove (three vulnerabilities), jansson (denial of service), libidn (information disclosure), and xerces-c (code execution).

Debian-LTS has updated dosfstools (two vulnerabilities), icedove (three vulnerabilities), jansson (denial of service), python-tornado (side-channel attack), and wpa (two vulnerabilities).

Fedora has updated botan (F23; F22: three vulnerabilities), community-mysql (F23; F22: multiple vulnerabilities), gd (F22: code execution), jackson-dataformat-xml (F23; F22: XXE attack), kernel (F22: multiple vulnerabilities), ocaml (F23: code execution), openvpn (F23: multiple vulnerabilities), and qemu (F23: multiple vulnerabilities).

Mageia has updated jackson-dataformat-xml (XXE attack) and ntp (multiple vulnerabilities).

openSUSE has updated Chromium (Leap42.1, 13.2: multiple vulnerabilities).

Oracle has updated file (OL6: multiple vulnerabilities), icedtea-web (OL6: applet execution), and ntp (OL6: multiple vulnerabilities).

SUSE has updated ImageMagick (SLE11: code execution) and java-1_6_0-ibm (SLEMLS12: multiple vulnerabilities).

Categories: Linux

Major remote SSH security issue in CoreOS Linux Alpha

Mon, 2016-05-16 15:09
Should you happen to be running a CoreOS alpha release in an exposed setting, you'll want to have a look at this advisory and do a quick upgrade. "A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected."
Categories: Linux

The 4.6 kernel has been released

Mon, 2016-05-16 01:11
Linus has released the 4.6 kernel, saying: "It's just as well I didn't cut the rc cycle short, since the last week ended up getting a few more fixes than expected, but nothing in there feels all that odd or out of line." Some of the more significant changes in this release are: post-init read-only memory as a bare beginning of the effort to harden the kernel, support for memory protection keys, the preadv2() and pwritev2() system calls, the kernel connection multiplexer, the OrangeFS distributed filesystem, compile-time stack validation, the OOM reaper, and many more. See the KernelNewbies 4.6 page for an amazing amount of detail.
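As an added illustration (not from LWN, and not kernel code), the following user-space C program mimics the post-init read-only memory idea mentioned above: a policy structure is filled in during an "init" phase and then sealed with mprotect(), so a later write faults instead of silently changing it. The kernel's __ro_after_init achieves this with section placement and page-table permissions set once at the end of boot rather than with mprotect(); the struct, its field names, and the SIGSEGV-catching harness below are the example's own constructs, chosen so the program can report the blocked write instead of crashing.

```c
/* Added example: user-space analogue of the kernel's post-init read-only
 * memory (__ro_after_init). Not kernel code; the policy struct and the
 * SIGSEGV harness are constructed for this demonstration. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Data that is legitimately written during init and never afterwards. */
struct policy {
    uint32_t max_sessions;
    uint32_t allow_root_login;
};

static struct policy *g_policy;   /* lives in its own page */
static size_t g_page_size;

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_hit;

/* SIGSEGV handler: record the fault and unwind back into policy_try_write(). */
static void on_segv(int sig)
{
    (void)sig;
    fault_hit = 1;
    siglongjmp(fault_env, 1);
}

/* Init phase: map a page, fill in the policy, then seal it read-only.
 * Returns 0 on success, -1 on failure. */
int policy_init(uint32_t max_sessions, uint32_t allow_root)
{
    g_page_size = (size_t)sysconf(_SC_PAGESIZE);
    g_policy = mmap(NULL, g_page_size, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_policy == MAP_FAILED)
        return -1;
    g_policy->max_sessions = max_sessions;
    g_policy->allow_root_login = allow_root;
    /* The analogue of the kernel marking __ro_after_init data read-only:
     * from here on, the page can be read but no longer written. */
    return mprotect(g_policy, g_page_size, PROT_READ);
}

/* Attempt a post-init write. Returns 1 if the write was blocked by a fault,
 * 0 if it silently succeeded (i.e. the data was still writable). */
int policy_try_write(uint32_t new_allow_root)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    fault_hit = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        /* Faults if the page was sealed; the handler longjmps past this. */
        g_policy->allow_root_login = new_allow_root;
    }

    sigaction(SIGSEGV, &old, NULL);
    return fault_hit;
}

uint32_t policy_allow_root(void)
{
    return g_policy->allow_root_login;
}

int main(void)
{
    if (policy_init(16, 0) != 0) {
        perror("policy_init");
        return 1;
    }
    int blocked = policy_try_write(1);
    printf("post-init write %s; allow_root_login=%u\n",
           blocked ? "blocked (SIGSEGV)" : "succeeded",
           policy_allow_root());
    return blocked ? 0 : 1;
}
```

The point of the pattern is that the write path disappears after init rather than being guarded by a check that a memory-corruption bug could skip. In user space a second mprotect() call could unseal the page again; in the kernel the transition happens once, at the end of boot, for the whole __ro_after_init section, so an attacker with a later arbitrary-write primitive cannot flip such data without first defeating the page protections themselves.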
Categories: Linux

Schaller: H264 in Fedora Workstation

Sat, 2016-05-14 00:11

At his blog, Christian Schaller discusses the details of the OpenH264 media codec from Cisco, which is now available in Fedora. In particular, he notes that the codec only handles the H.264 "Baseline" profile. "So as you might guess from the name Baseline, the Baseline profile is pretty much at the bottom of the H264 profile list and thus any file encoded with another profile of H264 will not work with it. The profile you need for most online videos is the High profile. If you encode a file using OpenH264 though it will work with any decoder that can do Baseline or higher, which is basically every one of them." Wim Taymans of GStreamer is looking at improving the codec with Cisco's OpenH264 team.

Categories: Linux

Friday's security updates

Fri, 2016-05-13 18:34

Arch Linux has updated chromium (multiple vulnerabilities), flashplugin (multiple vulnerabilities), lib32-flashplugin (multiple vulnerabilities), and libksba (denial of service).

CentOS has updated thunderbird (C7: multiple vulnerabilities).

Debian has updated libxstream-java (XML external-entity attack).

Debian-LTS has updated libgwenhywfar (outdated CA certificates) and libuser (multiple vulnerabilities).

Fedora has updated glibc (F23: denial of service).

Mageia has updated flash-player-plugin (M5: multiple vulnerabilities) and mercurial (M5: code execution).

openSUSE has updated libxml2 (Leap 42.1: denial of service) and ntp (Leap 42.1: multiple vulnerabilities).

Oracle has updated kernel (O7: privilege escalation) and thunderbird (O7; O6: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), docker (RHEL7: privilege escalation), flash-plugin (RHEL 5,6: multiple vulnerabilities), and openshift (RHOSE 3.2: multiple vulnerabilities).

SUSE has updated java-1_7_1-ibm (SLE12; SLE11: multiple vulnerabilities), ntp (SLE12: multiple vulnerabilities), and openssl (SLE11, SSO1.3, SOSC5, SMP2.1, SM2.1: multiple vulnerabilities).

Categories: Linux

Announcing Certbot: EFF's Client for Let's Encrypt

Fri, 2016-05-13 00:29
The Electronic Frontier Foundation (EFF) has announced a new name and web site for the Let's Encrypt client. The Let's Encrypt project is a free certificate authority for TLS certificates that enable HTTPS for the web. The client, now called "Certbot", uses Automatic Certificate Management Environment (ACME) to talk to the Let's Encrypt CA, though it will no longer be the "official" client and there are other ACME clients that can be used. "Along with the rename, we've also launched a brand new website for Certbot, found at https://certbot.eff.org. The site includes frequently asked questions as well as links to how you can learn more and help support the project, but by far the biggest feature of the website is an interactive instruction tool. To get the specific commands you need to get Certbot up and running, just input your operating system and webserver. No more searching through pages and pages of documentation or Google search results! While a new name has the potential for creating technical issues, the Certbot team has worked hard to make this transition as seamless as possible. Packages installed from PyPI, letsencrypt-auto, and third party plugins should all continue to work and receive updates without modification. We expect OS packages to begin using the Certbot name in the next few weeks as well. On many systems, the current client packages will automatically transition to Certbot while continuing to support the letsencrypt command so you won't have to edit any scripts you're currently using."
Categories: Linux

Thursday's security advisories

Thu, 2016-05-12 18:44

Debian-LTS has updated ocaml (code execution) and xerces-c (code execution).

Fedora has updated kernel (F23: information leak), ntp (F22: multiple vulnerabilities), php (F22: multiple vulnerabilities), subversion (F23: two vulnerabilities), and xen (F23: two vulnerabilities).

Mageia has updated libtasn1 (denial of service) and squid (two vulnerabilities).

Oracle has updated pcre (OL7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: privilege escalation), kernel-rt (RHEL7; RHEL6: privilege escalation), and thunderbird (two vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated mysql (SLE11: multiple vulnerabilities), ntp (SLE11: multiple vulnerabilities), and php5 (SLE12: multiple vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).

Categories: Linux

LWN.net Weekly Edition for May 12, 2016

Thu, 2016-05-12 02:55
The LWN.net Weekly Edition for May 12, 2016 is available.
Categories: Linux

LEDE and OpenWrt

Wed, 2016-05-11 23:32

The OpenWrt project is perhaps the most widely known Linux-based distribution for home WiFi routers and access points; it was spawned from the source code of the now-famous Linksys WRT54G router more than 12 years ago. In early May, the OpenWrt user community was thrown into a fair amount of confusion when a group of core OpenWrt developers announced that they were starting a spin-off (or, perhaps, a fork) of OpenWrt to be named the Linux Embedded Development Environment (LEDE). It was not entirely clear to the public why the split was taking place—and the fact that the LEDE announcement surprised a few other OpenWrt developers suggested trouble within the team.

Categories: Linux

Mozilla Open Source Support: Now Open To All Projects

Wed, 2016-05-11 20:08
The Mozilla Open Source Support (MOSS), an award program focused on supporting open source and free software, was launched last year. The first track provided support for software projects that Mozilla uses or relies on. This year MOSS is open "to any open source project in the world which is undertaking an activity that meaningfully furthers Mozilla’s mission." In other words, projects that help to ensure the Internet is a global public resource, open and accessible to all. "So if you think your project qualifies, we encourage you to apply. Applications for the Mission Partners track are open as of today. (Applications for Foundational Technology also remain open.) You can read more about our selection criteria and committee on the wiki. The budget for this track for 2016 is approximately US$1.25 million."
Categories: Linux

Stable kernel updates

Wed, 2016-05-11 18:44
Greg Kroah-Hartman has released stable kernels 4.5.4, 4.4.10, and 3.14.69. All of them contain important fixes.
Categories: Linux

Security advisories for Wednesday

Wed, 2016-05-11 18:33

Arch Linux has updated cacti (SQL injection) and squid (multiple vulnerabilities).

Debian has updated libarchive (code execution) and monotone, ovito, pdns, qtcreator, and softhsm (regression in previous update).

Debian-LTS has updated botan1.10 (regression in previous update). Not all Debian packages are fully supported in Wheezy LTS. See the debian-security-support advisory for details.

Fedora has updated glibc (F23: multiple vulnerabilities), graphite2 (F22: multiple vulnerabilities), ntp (F23: multiple vulnerabilities), openssl (F22: multiple vulnerabilities), pgpdump (F23; F22: denial of service), and thunderbird (F22: multiple vulnerabilities).

openSUSE has updated compat-openssl098 (Leap42.1: multiple vulnerabilities) and php5 (13.2: multiple vulnerabilities).

Red Hat has updated file (RHEL6: multiple vulnerabilities), icedtea-web (RHEL6: applet execution), java-1.8.0-ibm (RHEL6: multiple vulnerabilities), kernel (RHEL6: multiple vulnerabilities), ntp (RHEL6: multiple vulnerabilities), openshift (RHOSE3.1: information disclosure), openssh (RHEL6: multiple vulnerabilities), pcre (RHEL7: multiple vulnerabilities), and qemu-kvm-rhev (RHELOSP5 for RHEL6: code execution).

Scientific Linux has updated pcre (SL7: multiple vulnerabilities).

Slackware has updated imagemagick (multiple vulnerabilities).

SUSE has updated ImageMagick (SOSC5, SMP2.1, SM2.1, SLE11-SP4: multiple vulnerabilities).

Ubuntu has updated openjdk-6 (12.04: multiple vulnerabilities).

Categories: Linux

[$] Two approaches to x86 memory encryption

Wed, 2016-05-11 09:52
Techniques for hardening the security of running systems often focus on access to memory. An attacker who can write (or even read) arbitrary memory regions will be able to take over the system in short order; even the ability to access small regions of memory can often be exploited. One possible defensive technique would be to encrypt the contents of memory so that an attacker can do nothing useful with it, even if access is somehow gained; this type of encryption clearly requires hardware support. Both Intel and AMD are introducing such support in their processors, and patches to enable that support have been posted for consideration; the two manufacturers have taken somewhat different approaches to the problem, though.
Categories: Linux

BitKeeper's open source release

Wed, 2016-05-11 00:30
BitKeeper, the inspiration behind Git and Mercurial, has been released under the Apache 2.0 License. Larry McVoy is answering questions on Hacker News, posting as 'luckydude'. In one comment he says: "Git/Github has all the market share. Trying to compete with that just proved to be too hard. So rather than wait until we were about to turn out the lights, we decided to open source it while we still had money in the bank and see what happens. We've got about 2 years of money and we're trying to build up some additional stuff that we can charge for. We're also open to doing work for pay to add whatever it is that some company wants to BK, that's more or less what we've been doing for the last 18 years. Will it work? No idea. We have a couple of years to find out. If nothing pans out, open sourcing it seemed like a better answer than selling it off." (Thanks to Josh Triplett)
Categories: Linux

65% of companies are contributing to open source projects (Opensource.com)

Tue, 2016-05-10 23:21
The Future of Open Source Survey aims to examine trends in open source. It's hosted by Black Duck and North Bridge. Opensource.com looks at the results. "The 2016 Future of Open Source Survey analyzed responses from nearly 3,400 professionals. Developers made their voices heard in the survey this year, comprising roughly 70% of the participants. The group that showed exponential growth were security professionals, whose participation increased by over 450%. Their participation shows the increasing interest in ensuring that the open source community pays attention to security issues in open source software and securing new technologies as they emerge."
Categories: Linux

Ubuntu 16.04 proves even an LTS release can live at Linux’s bleeding edge (Ars Technica)

Tue, 2016-05-10 22:00
Ars Technica likes Ubuntu's latest release, and thinks it may be the best release Canonical has presented to date. Snap packaging is part of that appeal, but Snaps have competition. "While something like Snap packages have the potential to completely change the way distros work, it remains to be seen if Snap specifically will be what ends up reaching critical mass. It's certainly possible that Snap may prove popular enough to warrant other distros incorporating it, but it's also possible that there may end up being more than one way to handle self-contained packages. Looking at Canonical's track record does not inspire confidence. Upstart gave way to systemd, the software center gave way to GNOME Software, and even simple things like scrollbars get abandoned for upstream solutions. How Snap packages end up over the long term will be fascinating for Ubuntu users to watch, but even in the worst-case scenario, fans shouldn't have anything to worry about. If one day Ubuntu does abandon Snap in favor of another system, all the changes will likely be behind the scenes. In the shorter term, Snap packages should be a boon to Ubuntu, allowing users to stick with a stable base system while still leaving them free to try just-released software packages without fear of wrecking the system."
Categories: Linux

Security updates for Tuesday

Tue, 2016-05-10 18:25

CentOS has updated ImageMagick (C7; C6: multiple vulnerabilities), java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities), and qemu-kvm (C7: code execution).

Debian has updated qemu (two vulnerabilities) and websvn (cross-site scripting).

Debian-LTS has updated ikiwiki (cross-site scripting), libav (code execution), and websvn (cross-site scripting).

Oracle has updated ImageMagick (OL7; OL6: multiple vulnerabilities), java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities), and qemu-kvm (OL7: code execution).

Red Hat has updated ImageMagick (RHEL6,7: multiple vulnerabilities), openssl (RHEL6: multiple vulnerabilities), qemu-kvm (RHEL7; RHEL6: code execution), and qemu-kvm-rhev (RHOSP8; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: code execution).

Scientific Linux has updated ImageMagick (SL6,7: multiple vulnerabilities) and qemu-kvm (SL7: code execution).

Ubuntu has updated kernel (15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), and openssh (15.10, 14.04, 12.04: multiple vulnerabilities).

Categories: Linux

Announcing The Journal of Open Source Software

Mon, 2016-05-09 22:52
The Journal of Open Source Software (JOSS) has been announced. JOSS is an open source, developer-friendly journal for research software packages. "As academics, it's important for us to be able to measure the impact of our work, but available tools & metrics are woefully lacking when it comes to tracking research output that doesn't look like a paper. A 2009 survey of more than 2000 researchers found that > 90% of them consider software important or very important to their work — but even if you've followed this GitHub guide for archiving a GitHub repository with Zenodo (and acquired a DOI in the process), citations to your work probably aren't being counted by the people that matter." (Thanks to Paul Wise)
Categories: Linux

Security advisories for Monday

Mon, 2016-05-09 19:00

Arch Linux has updated gd (code execution), latex2rtf (code execution), mencoder (denial of service), mercurial (two vulnerabilities), and mplayer (denial of service).

CentOS has updated openssl (C7: multiple vulnerabilities).

Debian has updated ikiwiki (cross-site scripting).

Debian-LTS has updated file (buffer over-write), mercurial (code execution), and nagios3 (denial of service, from 2014).

Fedora has updated firefox (F22: multiple vulnerabilities), kernel (F22: multiple vulnerabilities), libecap (F22: multiple vulnerabilities), openvas-cli (F22: cross-site scripting), openvas-gsa (F22: cross-site scripting), openvas-libraries (F22: cross-site scripting), openvas-manager (F22: cross-site scripting), openvas-scanner (F22: cross-site scripting), perl (F22: denial of service), quassel (F23; F22: denial of service), and squid (F22: multiple vulnerabilities).

Mageia has updated openssl (multiple vulnerabilities) and vlc (multiple vulnerabilities).

openSUSE has updated ImageMagick (Leap42.1; 13.2: multiple vulnerabilities), java-1_7_0-openjdk (Leap42.1: multiple vulnerabilities), java-1_8_0-openjdk (Leap42.1: multiple vulnerabilities), and subversion (Leap42.1; 13.2: two vulnerabilities).

Oracle has updated openssl (OL7: multiple vulnerabilities).

Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and openssl (RHEL7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities) and openssl (SL7: multiple vulnerabilities).

SUSE has updated compat-openssl098 (SLE12-SP1: multiple vulnerabilities), firefox (SLE12-SP1: multiple vulnerabilities), and ImageMagick (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated kernel (16.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), and linux-snapdragon (16.04: multiple vulnerabilities).

Categories: Linux