Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 12 perc 18 másodperc

Security updates for Thursday

cs, 2014-06-19 16:29

Fedora has updated kernel (F20: privilege escalation).

Gentoo has updated rxvt-unicode (code execution).

Mageia has updated dbus (denial of service), kernel (M4: three vulnerabilities), musl (M4: code execution), qt3 (two denial of service flaws), and wireshark (M4: denial of service).

Red Hat has updated foreman-proxy (OSP3&4: shell command injection) and rubygem-openshift-origin-node (OSE2.1; OSE2.0; OSE1.2.8: code execution).

Ubuntu has updated cinder (14.04, 13.10: privilege escalation), heat (14.04: information leak), and thunderbird (14.04, 13.10, 12.04: three vulnerabilities).

Kategóriák: Linux

Debian switching back to Glibc

cs, 2014-06-19 16:20
Aurelien Jarmo reports that the Debian Project is switching back to the GNU C Library and will no longer ship the EGLIBC fork. The reason is simple: the changes in the Glibc project mean that EGLIBC is no longer needed and is no longer under development. "This has resulted in a much more friendly development based on team work with good cooperation. The development is now based on peer review, which results in less buggy code (humans do make mistakes). It has also resulted in things that were clearly impossible before, like using the same repository for all architectures, and even getting rid of the ports/ directory."
Kategóriák: Linux

30 years of X

cs, 2014-06-19 15:59
The X.Org Foundation reminds us that the first announcement for the X Window System came out on June 19, 1984. "The X developers have pushed the boundaries and moved X from a system originally written to run on the CPU of a VAX VS100 to one that runs the GUI on today's laptops with 3D rendering capabilities. Indeed, X predates the concept of a Graphics Processing Unit (GPU) as we currently know it, and even the company that popularized this term in 1999, Nvidia." Congratulations to one of the oldest and most successful free software projects out there.
Kategóriák: Linux

[$] LWN.net Weekly Edition for June 19, 2014

cs, 2014-06-19 03:03
The LWN.net Weekly Edition for June 19, 2014 is available.
Kategóriák: Linux

Security advisories for Wednesday

sze, 2014-06-18 19:14

Debian has updated lucene-solr (multiple vulnerabilities) and nspr (code execution).

Fedora has updated dovecot (F19: denial of service), libfep (F20; F19: privilege escalation), lynis (F20: privilege escalation), mod_wsgi (F20; F19: two vulnerabilities), php (F20; F19: denial of service), php-doctrine-orm (F20; F19: denial of service), php-horde-Horde-Ldap (F19: check for empty passwords), php-phpunit-PHPUnit-MockObject (F20; F19: denial of service), and python-djblets (F20; F19: cross-site scripting).

openSUSE has updated miniupnpc (13.1, 12.3: denial of service), rxvt-unicode (13.1, 12.3: command execution), and typo3-cms-4_5 (13.1, 12.3: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities) and kernel (SLES11 SP1 LTSS: multiple vulnerabilities).

Ubuntu has updated apt (invalid source package authentication) and nova (14.04 LTS, 13.10, 12.04 LTS: multiple vulnerabilities).

Kategóriák: Linux

[$] Android without the mothership

sze, 2014-06-18 16:10
The success of Android has brought Linux to many millions of new users and that, in turn, has increased the development community for Linux itself. But those who value free software and privacy can be forgiven for seeing Android as a step backward in some ways; Android systems include significant amounts of proprietary software, and they report vast amounts of information back to the Google mothership. But Android is, at its heart, an open-source system, meaning that it should be possible to cast it into a more freedom- and privacy-respecting form. Your editor has spent some time working on that goal; the good news is that it is indeed possible to create a (mostly) free system on the Android platform.
Kategóriák: Linux

Poettering: Factory Reset, Stateless Systems, Reproducible Systems & Verifiable Systems

k, 2014-06-17 23:57
On his blog, Lennart Poettering writes about new systemd features that will make it easier to "factory reset" systems back to their initial configuration. By handling /etc and /var differently, it will also support other use cases, such as "stateless" systems that store no persistent configuration, as well as "reproducible" and "verifiable" systems. "Booting up a system without a populated /var is relatively straight-forward. With a few lines of tmpfiles configuration it is possible to populate /var with its basic structure in a way that is sufficient to make a system boot cleanly. systemd version 214 and newer ship with support for this. Of course, support for this scheme in systemd is only a small part of the solution. While a lot of software reconstructs the directory hierarchy it needs in /var automatically, many software does not. In case like this it is necessary to ship a couple of additional tmpfiles lines that setup up at boot-time the necessary files or directories in /var to make the software operate, similar to what RPM or DEB packages would set up at installation time. Booting up a system without a populated /etc is a more difficult task. In /etc we have a lot of configuration bits that are essential for the system to operate, for example and most importantly system user and group information in /etc/passwd and /etc/group. If the system boots up without /etc there must be a way to replicate the minimal information necessary in it, so that the system manages to boot up fully."
Kategóriák: Linux

LibreOffice bug hunting event

k, 2014-06-17 22:00
The Document Foundation (TDF) has announced a LibreOffice 4.3 bug hunting session on June 20-22. "The community has already made a large collective effort to make LibreOffice 4.3 the best ever, based on automated stress tests and structured tests by Quality Assurance volunteers. Enterprise and individual LibreOffice users can now contribute to the quality of the best free office suite ever by testing the release candidate to identify issues in their preferred user scenario." See the wiki page for more information about the hunt.
Kategóriák: Linux

Android Root Access Vulnerability Affecting Most Devices (Threatpost)

k, 2014-06-17 21:13
Threatpost reports that most Android devices are vulnerable to a privilege escalation flaw in the kernel. "Researchers at Lacoon Mobile Security are calling the bug “TowelRoot,” because it is the very same vulnerability (CVE-2014-3153) exploited in the latest Android rooting tool developed by George Hotz (Geohot). Successful exploitation of the Linux bug within the Android operating system would give the attacker administrative access to a victim’s phone. Specifically, such access could potentially allow that same attacker to run further malicious code, retrieve files and device data, bypass third-party or enterprise security applications including containers like Samsung’s secure Knox sub-operating system, and establish backdoors for future access on victim devices."
Kategóriák: Linux

Tuesday's security updates

k, 2014-06-17 18:19

CentOS has updated kernel (Xen4CentOS: multiple vulnerabilities) and xen (Xen4CentOS: multiple vulnerabilities).

Debian has updated icedove (multiple vulnerabilities), openssl (multiple vulnerabilities), and php5 (code execution).

Fedora has updated kernel (F19: multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities) and cups-filters (multiple vulnerabilities).

openSUSE has updated sendmail (11.4; 12.3, 13.1: denial of service).

SUSE has updated GnuTLS (SUSE CORE 9: multiple vulnerabilities).

Ubuntu has updated libxml2 (regression in upstream update).

Kategóriák: Linux

Stable kernel updates

h, 2014-06-16 23:44
Stable kernels 3.15.1, 3.14.8, 3.10.44, and 3.4.94 have been released. All contain important fixes.
Kategóriák: Linux

Security advisories for Monday

h, 2014-06-16 18:38

Debian has updated chromium-browser (multiple vulnerabilities).

Fedora has updated firefox (F19: multiple vulnerabilities), nspr (F19: multiple vulnerabilities), thunderbird (F20: multiple vulnerabilities), and xulrunner (F19: multiple vulnerabilities).

Gentoo has updated freeradius (code execution), gnutls (multiple vulnerabilities), kdirstat (command execution), libXfont (multiple vulnerabilities), lighttpd (multiple vulnerabilities), memcached (multiple vulnerabilities), and opera (multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

Mandriva has updated kernel (BS1.0: multiple vulnerabilities) and nspr (BS1.0, ES5.0: code execution).

openSUSE has updated flash-player (11.4; 12.3, 13.1: multiple vulnerabilities) and Mozilla (11.4: multiple vulnerabilities).

SUSE has updated GnuTLS (SLES10: multiple vulnerabilities) and kernel (SLE RTE11 SP3: privilege escalation).

Kategóriák: Linux

The history of Android (ars technica)

h, 2014-06-16 16:15
Ars technica has put together a detailed history of Android so far. "Thanks to this 'cloud rot,' an Android retrospective won’t be possible in a few years. Early versions of Android will be empty, broken husks that won't function without cloud support. While it’s easy to think of this as a ways off, it's happening right now. While writing this piece, we ran into tons of apps that no longer function because the server support has been turned off. Early clients for Google Maps and the Android Market, for instance, are no longer able to communicate with Google."
Kategóriák: Linux

The 3.16 merge window has closed

h, 2014-06-16 15:36
Linus Torvalds has released the 3.16-rc1 kernel prepatch, thus closing the merge window. In the end, Torvalds picked up 11,364 non-merge commits for inclusion, making 3.16 the third busiest merge window ever (after 3.15 and 3.10). "It also looks fairly usual from a statistics standpoint: about two thirds of the changes are to drivers (and one third of *that* is to staging), and half of the remainder is architecture updates (with arm dominating, dts files leading - but there's mips, powerpc, x86 and arm64 there too). Outside of drivers and architecture updates, there's the usual mixture of changes elsewhere: filesystems (mainly reiserfs, xfs, btrfs, nfs), networking, "core" kernel (mm, locking, scheduler, tracing), and tooling (perf and power, also new self-tests)."
Kategóriák: Linux

CentOS 7 Public QA Release

p, 2014-06-13 23:06
While stressing that it is a pre-release for testing (i.e. quality assurance or QA) purposes, the CentOS team has announced the availability of the CentOS 7 QA release. It can be downloaded from here. Packages are not GPG signed, are likely to be replaced "in place" as bugs are fixed, and upgrading from the QA release to the final release may not be possible (and will not be supported). But, unlike previous CentOS releases, it has been opened up to the community before the final release. "We appreciate any and all bug reports at http://bugs.centos.org (please also check upstream bugzilla.redhat.com and link to those bugs when filing a new CentOS issue), and assistance with the “Branding Hunt” (see http://lists.centos.org/pipermail/centos-devel/2014-June/010411.html)."
Kategóriák: Linux

Security advisories for Friday

p, 2014-06-13 16:20

Debian has updated apt (invalid source package authentication) and mediawiki (cross-site scripting).

Fedora has updated chkrootkit (F20; F19: privilege escalation), firefox (F20: multiple vulnerabilities), nspr (F20: multiple vulnerabilities), sendmail (F20: denial of service), and xulrunner (F20: multiple vulnerabilities).

openSUSE has updated php5 (11.4: multiple vulnerabilities).

SUSE has updated GnuTLS (SLE11SP2; SLE11SP1; SM1.7 for SLE11SP2: multiple vulnerabilities).

Ubuntu has updated json-c (14.04, 13.10, 12.04: two denial of service flaws) and openssl (14.04, 13.10, 12.04: regression in previous security fix).

Kategóriák: Linux

GCC wins ACM SIGPLAN Programming Languages Software Award

cs, 2014-06-12 20:46
The GNU Compiler Collection (GCC) has received the ACM SIGPLAN Programming Languages Software Award. "GCC is the product of hundreds of person-years of work over its 27 years of existence. This award recognizes the GCC developer community for the substantial impact it has had on the programming language community and the larger software industry." (Thanks to David Edelsohn)
Kategóriák: Linux

Thursday's security updates

cs, 2014-06-12 18:46

CentOS has updated firefox (C6; C5: multiple vulnerabilities), kernel (C5: multiple vulnerabilities), python-jinja2 (C6: code execution), qemu-kvm (C6: multiple vulnerabilities), and thunderbird (C6; C5: multiple vulnerabilities).

Fedora has updated kernel (F20: two vulnerabilities).

Mageia has updated firefox, thunderbird (multiple vulnerabilities) and iceape (multiple vulnerabilities).

openSUSE has updated apache2-mod_wsgi (13.1, 12.3: two vulnerabilities), chromium (13.1, 12.3: multiple vulnerabilities), and php5 (13.1, 12.3, 12.2: multiple vulnerabilities).

Oracle has updated firefox (OL5: multiple vulnerabilities), kernel (OL5: multiple vulnerabilities), openssl (OL4: man-in-the-middle attack), and python-jinja2 (OL6: code execution).

Red Hat has updated python-jinja2 (RHEL6: code execution) and python33-python-jinja2 (RHSC1: code execution).

Scientific Linux has updated firefox (SL5&6: multiple vulnerabilities) and python-jinja2 (SL6: code execution).

Slackware has updated thunderbird (multiple vulnerabilities).

Kategóriák: Linux

LWN.net Weekly Edition for June 12, 2014

cs, 2014-06-12 03:36
The LWN.net Weekly Edition for June 12, 2014 is available.
Kategóriák: Linux

More stable kernel updates

sze, 2014-06-11 22:14
The 3.14.7, 3.10.43, and 3.4.93 stable kernel updates are available; each contains another long list of important fixes.
Kategóriák: Linux