Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.

Tuesday's security updates

Tue, 2015-08-25 19:22

CentOS has updated httpd (C6: denial of service) and nss (C5: two vulnerabilities).

Oracle has updated httpd (OL7; OL6: denial of service), mariadb (OL7: multiple unspecified vulnerabilities), and nss (OL5: two vulnerabilities).

Red Hat has updated httpd (RHEL7; RHEL6: HTTP request smuggling), httpd24-httpd (RHSCL2: multiple vulnerabilities), libunwind (RHELOSP6: buffer overflow), mariadb (RHEL7: multiple vulnerabilities), nss (RHEL5: two vulnerabilities), openstack-neutron (RHELOSP6: denial of service), openstack-swift (RHELOSP6; RHELOSP5: arbitrary object deletion), python-django (RHELOSP6; RHELOSP5: denial of service), python-django-horizon (RHELOSP6: cross-site scripting), python-keystoneclient (RHELOSP6; RHELOSP5: two vulnerabilities), qemu-kvm-rhev (RHELOSP6; RHELOSP5: information leak), redis (RHELOSP6: code execution), and thunderbird (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated httpd (SL7; SL6: denial of service), mariadb (SL7: multiple vulnerabilities), nss (SL5: two vulnerabilities), and thunderbird (SL5,6,7: multiple vulnerabilities).

Ubuntu has updated thunderbird (15.04, 14.04, 12.04: multiple vulnerabilities).

Categories: Linux

Ubuntu on the Mainframe: Interview with Canonical's Dustin Kirkland

Tue, 2015-08-25 00:26

An interview with Dustin Kirkland of Canonical's Ubuntu Product and Strategy team covers Ubuntu on the mainframe and more. "Canonical is doing a lot of different things in the enterprise space, to solve different problems. One of the interesting works going on at Canonical is Fan networking. We all know that the world is running out of IPv4 addresses (or already has). The obvious solution to this problem is IPv6, but it's not universally available. Kirkland said, "There are still places where IPv6 doesn't exist -- little places like Amazon web services where you end up finding lots of containers." The problem multiplies as many instances in cloud need IP addresses. "Each of those instances can run hundreds of containers, each of those containers then needs to be addressable," said Kirkland."
Categories: Linux

Security advisories for Monday

Mon, 2015-08-24 18:39

Debian-LTS has updated extplorer (cross-site scripting), roundup (multiple vulnerabilities), and wesnoth-1.8 (information leak).

Mageia has updated libcryptopp (MG4,5: information disclosure), mediawiki (MG4,5: multiple vulnerabilities), openssh (MG4,5: multiple vulnerabilities), php (MG5; MG4: multiple vulnerabilities), and x11-server (MG5: permission bypass).

openSUSE has updated wireshark (13.2: multiple vulnerabilities) and xfsprogs (13.2, 13.1: information disclosure).

Red Hat has updated rh-ruby22-ruby (RHSCL2: DNS hijacking).

Slackware has updated gnutls (denial of service).

SUSE has updated glibc (SLE11SP3,4: multiple vulnerabilities) and kvm (SLE11SP2: two vulnerabilities).

Categories: Linux

Kernel prepatch 4.2-rc8

Mon, 2015-08-24 10:01
In the end, Linus decided to hold off one more week and release 4.2-rc8 instead of the final 4.2 kernel. "It's not like there are any real outstanding issues, and I waffled between just doing the release and doing another -rc. But we did have another low-level x86 issue come up this week, and together with the fact that a number of people are on vacation, I decided that waiting an extra week isn't going to hurt. But it was close. It's a fairly small rc8, and I really feel like it could have gone either way."
Categories: Linux

Mozilla: The Future of Developing Firefox Add-ons

Fri, 2015-08-21 18:58
Mozilla has announced a significant set of changes for authors of Firefox add-ons. These include a new API (and the deprecation of XUL and XPCOM), a process-based sandboxing mechanism, mandatory signing of extensions, and more. "For our add-on development community, these changes will bring benefits, like greater cross-browser add-on compatibility, but will also require redevelopment of a number of existing add-ons. We’re making a big investment by expanding the team of engineers, add-on reviewers, and evangelists who work on add-ons and support the community that develops them. They will work with the community to improve and finalize the WebExtensions API, and will help developers of unsupported add-ons make the transition to newer APIs and multi-process support."
Categories: Linux

The bcachefs filesystem

Fri, 2015-08-21 18:43
Kent Overstreet, author of the bcache block caching layer, has announced that bcache has metamorphosed into a fully featured copy-on-write filesystem. "Well, years ago (going back to when I was still at Google), I and the other people working on bcache realized that what we were working on was, almost by accident, a good chunk of the functionality of a full blown filesystem - and there was a really clean and elegant design to be had there if we took it and ran with it. And a fast one - the main goal of bcachefs is to match ext4 and xfs on performance and reliability, but with the features of btrfs/zfs."
Categories: Linux

Security updates for Friday

Fri, 2015-08-21 17:52

Fedora has updated pure-ftpd (F21: denial of service).

Red Hat has updated openshift (RHOSE3: privilege escalation).

SUSE has updated xen (SLE11SP1: two vulnerabilities).

Ubuntu has updated subversion (15.04, 14.04, 12.04: multiple vulnerabilities) and firefox (15.04, 14.04, 12.04: regression in previous update).

Categories: Linux

[$] Glibc wrappers for (nearly all) Linux system calls

Thu, 2015-08-20 23:27
The GNU C Library (glibc) is a famously conservative project. In the past, that conservatism created a situation where there was no way to directly call a number of Linux system calls from a glibc-using program. As glibc has relaxed a bit in recent years, its developers have started to reconsider adding wrapper functions for previously inaccessible system calls. But, as the discussion shows, adding these wrappers is still not as straightforward as one might think.
Categories: Linux

Security advisories for Thursday

Thu, 2015-08-20 18:29

Debian has updated conntrack (denial of service), openjdk-6 (multiple vulnerabilities), vlc (code execution), and zendframework (XML External Entity attack).

Debian-LTS has updated conntrack (denial of service).

Fedora has updated mariadb (F22: multiple vulnerabilities).

Red Hat has updated mariadb55-mariadb (RHSCL2: multiple vulnerabilities) and rh-mariadb100-mariadb (RHSCL2: multiple vulnerabilities).

SUSE has updated kvm (SLE11SP1: code execution).

Categories: Linux

Rkt 0.8 released

Wed, 2015-08-19 21:03

Version 0.8 of the rkt container specification has been released. The changelog notes that this version adds support for running under the LKVM hypervisor and adds experimental support for user namespaces. Other features include improved integration with systemd and additional functional tests. An accompanying blog post goes into further detail for many of these new features.

Categories: Linux

Wednesday's security advisories

Wed, 2015-08-19 15:35

CentOS has updated pam (C6; C7: denial of service).

Debian has updated python-django (multiple vulnerabilities).

Debian-LTS has updated wordpress (multiple vulnerabilities).

Fedora has updated audit (F21; F22: unsafe escape-sequence handling), icecast (F21; F22: denial of service), kernel (F21; F22: information leak), openssh (F22: multiple vulnerabilities), rubygem-rack (F22: denial of service), rubygems (F21: DNS hijacking), strongswan (F21; F22: multiple vulnerabilities), and xfsprogs (F21: information leak).

Oracle has updated pam (O6; O7: denial of service).

Red Hat has updated kernel (RHEL6: privilege escalation) and pam (RHEL6, 7: denial of service).

Scientific Linux has updated pam (SL6, 7: denial of service).

Ubuntu has updated python-django (12.04, 14.04, 15.04: multiple vulnerabilities) and openssh (12.04, 14.04, 15.04: upstream regression resulting in denial of service).

Categories: Linux

Ruoho: Multiple Vulnerabilities in Pocket

Wed, 2015-08-19 01:48
On his blog, Clint Ruoho reports on multiple vulnerabilities he found in the Pocket service that saves articles and other web content for reading later on a variety of devices. Pocket integration has been controversially added to Firefox recently, which is what drew his attention to the service. "The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache’s mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket’s app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs. These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket’s backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers." He was able to get more information, such as the contents of /etc/passwd on Pocket's Amazon EC2 servers. (Thanks to Scott Bronson and Pete Flugstad.)
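The mod_status exposure described above comes down to two settings: whether ExtendedStatus is on, and who is allowed to reach the status handler. The following Apache 2.4 configuration is an added illustration, not taken from the LWN item or from Ruoho's post; the monitoring-host address 192.0.2.10 is a placeholder from the TEST-NET-1 documentation range.

```apache
# Added example: the exposed mod_status configuration beside a hardened one.

# --- Exposed form ---
# With ExtendedStatus On, /server-status lists per-worker detail: client IP,
# virtual host, and the request line currently being served, including any
# query string. Granting access to everyone makes that visible to any client
# that can reach the host.
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>

# --- Hardened form ---
# ExtendedStatus Off reduces the page to aggregate worker state (busy/idle
# counts, uptime, totals) with no per-request URLs or client addresses.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    # Only loopback and the monitoring host may read even the reduced page.
    # 192.0.2.10 is a placeholder; substitute the real monitoring address.
    Require ip 127.0.0.1 192.0.2.10
</Location>
```

Two points worth checking on a real deployment: since Apache 2.3.6, merely loading mod_status switches ExtendedStatus on by default, so the directive must be set to Off explicitly; and if nothing actually consumes the status page, removing the Location block altogether is simpler than restricting it.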
Categories: Linux

Security advisories for Tuesday

Tue, 2015-08-18 20:08

CentOS has updated glibc (C5: code execution from 2013), mysql55-mysql (C5: multiple unspecified vulnerabilities, one from 2014), net-snmp (C7; C6: code execution), sqlite (C6: code execution), sqlite (C7: three vulnerabilities), and subversion (C6: three vulnerabilities).

Debian has updated apache2 (two vulnerabilities), gdk-pixbuf (code execution), and nss (two vulnerabilities).

Debian-LTS has updated libstruts1.2-java (unclear vulnerability from 2014).

Fedora has updated erlang (F22; F21: man-in-the-middle vulnerability), firefox (F22: many vulnerabilities), flac (F21: two vulnerabilities from 2014), gnutls (F21: code execution), golang (F22; F21: HTTP request smuggling), nagios-plugins (F22; F21: three vulnerabilities), qemu (F22: two vulnerabilities), uwsgi (F22; F21: denial of service), and webkitgtk4 (F22: three unspecified vulnerabilities).

Mageia has updated kdepim (M4: no attachment encryption from 2014).

openSUSE has updated subversion (two vulnerabilities) and virtualbox (two vulnerabilities).

Oracle has updated glibc (OL5: code execution from 2013), mysql55-mysql (OL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (OL7; OL6: code execution), sqlite (OL7: three vulnerabilities), sqlite (OL6: code execution), and subversion (OL6: three vulnerabilities).

Red Hat has updated net-snmp (RHEL6&7: code execution).

Scientific Linux has updated glibc (SL5: code execution from 2013), mysql55-mysql (SL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (SL6&7: code execution), sqlite (SL6: code execution), and subversion (SL6: three vulnerabilities).

Ubuntu has updated kernel (12.04: three vulnerabilities), kernel (15.04; 14.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-ti-omap4 (12.04: three vulnerabilities), and net-snmp (two vulnerabilities, one from 2014).

Categories: Linux

[$] Development statistics for the 4.2 kernel

Tue, 2015-08-18 16:12
As of this writing, the 4.2-rc7 prepatch is out and the final 4.2 kernel looks to be (probably) on-track to be released on August 23. Tradition says that it's time for a look at the development statistics for this cycle. 4.2, in a couple of ways, looks a bit different from recent cycles, with some older patterns reasserting themselves. Click below (subscribers only) for the full article.
Categories: Linux

Schaller: An Open Letter to Apache Foundation and Apache OpenOffice team

Tue, 2015-08-18 02:22
Christian Schaller has posted an open letter to the Apache Software Foundation with a non-trivial request: "So dear Apache developers, for the sake of open source and free software, please recommend people to go and download LibreOffice, the free office suite that is being actively maintained and developed and which has the best chance of giving them a great experience using free software. OpenOffice is an important part of open source history, but that is also what it is at this point in time."

In this context, it's interesting to note that OpenOffice project chair Jan Iverson recently stepped down, listing resistance to an effort to cooperate with LibreOffice as one of the main reasons. The project currently looks set to name Dennis Hamilton (who is running unopposed) as its new chair.

Categories: Linux

The Open Mainframe Project

Tue, 2015-08-18 01:31
The Linux Foundation has announced the launch of the Open Mainframe Project. "In just the last few years, demand for mainframe capabilities has drastically increased due to Big Data, mobile processing, cloud computing and virtualization. Linux excels in all these areas, often being recognized as the operating system of the cloud and for advancing the most complex technologies across data, mobile and virtualized environments. Linux on the mainframe today has reached a critical mass such that vendors, users and academia need a neutral forum to work together to advance Linux tools and technologies and increase enterprise innovation."
Categories: Linux

Stable kernels 4.1.6, 3.14.51, and 3.10.87

Tue, 2015-08-18 00:34
Greg Kroah-Hartman has announced the release of the 4.1.6, 3.14.51, and 3.10.87 stable kernels. As usual, there are important fixes throughout the tree and users of those kernel series should upgrade.
Categories: Linux

Security updates for Monday

Mon, 2015-08-17 19:17

Arch Linux has updated glibc (denial of service from 2014).

Debian-LTS has updated libidn (information disclosure) and subversion (information disclosure).

Fedora has updated bzr (F22; F21: denial of service from 2013), firefox (F21: multiple vulnerabilities), and flac (F22: two vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities), icecast (denial of service), and libgadu (three vulnerabilities from 2013 and 2014).

openSUSE has updated firefox (13.2; 13.1: multiple vulnerabilities) and flash-player (13.2; 13.1: many vulnerabilities).

Oracle has updated kernel 3.8.13 (OL7; OL6: two remote denial of service flaws), kernel 2.6.39 (OL6; OL5: two remote denial of service flaws), and kernel 2.6.32 (OL6; OL5: two remote denial of service flaws).

Red Hat has updated glibc (RHEL5: code execution from 2013), mysql55-mysql (RHEL5; RHSC2: multiple unspecified vulnerabilities, one from 2014), rh-mysql56-mysql (RHSC2: multiple unspecified vulnerabilities), sqlite (RHEL6: code execution), sqlite (RHEL7: three vulnerabilities), and subversion (RHEL6: three vulnerabilities).

Scientific Linux has updated sqlite (SL7: three vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

Ubuntu has updated openssh (15.04, 14.04, 12.04: two vulnerabilities) and pollinate (15.04, 14.04: certificate update).

Categories: Linux

Kernel prepatch 4.2-rc7

Mon, 2015-08-17 06:04
Linus has released the 4.2-rc7 prepatch, but he's still not sure about whether it will be the last for this development cycle. "So this may be the last RC, and it might not be. It will depend on whether anything more comes up next week, and how good I feel about things come next Sunday. A part of me is convinced that all the odd 32-bit compat issues etc fallout is finally fixed, but a part of me is still a bit leery."
Categories: Linux

Glibc 2.22 released

Sat, 2015-08-15 15:02
Version 2.22 of the GNU C Library is out. The biggest user-visible changes are an update to Unicode 7.0.0 and the addition of a vectorized math library for the x86_64 architecture. Beyond that, of course, there is a pile of bug fixes, a few of which address security-related problems.
Categories: Linux