Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 3 perc 30 másodperc

MediaGoblin 0.7.0 released

sze, 2014-08-27 14:16
Version 0.7.0 of the MediaGoblin media publishing platform is available. New features include initial federation support, a switch to a responsive CSS system, a "featured media" option, bulk uploading via the command line, and more. "Well we’re excited to announce that the first piece towards MediaGoblin federation has landed! We don’t have server-to-server federation working yet, but we do have the first parts of the Pump API in place: you can now use the Pump API as a media upload API!"
Kategóriák: Linux

Cluetrain at Fifteen (Linux Journal)

sze, 2014-08-27 01:13
Doc Searls looks back over the fifteen years that have passed since he (along with Chris Locke, David Weinberger and Rick Levine) wrote "The Cluetrain Manifesto". "What we had in mind was much fresher to me in the Summer of 2000, when I worked with Jason Schumaker, another Linux Journal editor, on an interview about Cluetrain and its relevance to Linux. What we ended up with was too long for both the magazine and our website at the time, so the project got sidelined and eventually buried in archival directories, where it stayed until this morning, when I found it during a search for something else. Reading it, I realized that I had come across a kind of time capsule."
Kategóriák: Linux

Tuesday's security advisory

k, 2014-08-26 17:54
Today we have only one security advisory. Ubuntu has updated openjdk-7 (14.04: fixes a regression in a previous update).
Kategóriák: Linux

The poisoned NUL byte, 2014 edition (Project Zero)

k, 2014-08-26 15:15
For those interested in the gory details of a complex exploit, Google's Project Zero page describes the process of getting arbitrary code execution from a single NUL byte written to the heap by glibc in an off-by-one error. "The main point of going to all this effort is to steer industry narrative away from quibbling about whether a given bug might be exploitable or not. In this specific instance, we took a very subtle memory corruption with poor levels of attacker control over the overflow, poor levels of attacker control over the heap state, poor levels of attacker control over important heap content and poor levels of attacker control over program flow. Yet still we were able to produce a decently reliable exploit! And there’s a long history of this over the evolution of exploitation: proclamations of non-exploitability that end up being neither advisable nor correct."
Kategóriák: Linux

Kernel prepatch 3.17-rc2

k, 2014-08-26 14:28
Linus has released 3.17-rc2 a little later than might have been expected. "So I deviated from my normal Sunday schedule partly because there wasn't much there (I blame the KS and LinuxCon), but partly due to sentimental reasons: Aug 25 is the anniversary of the original Linux announcement ('Hello everybody out there using minix'), so it's just a good day for release announcements."
Kategóriák: Linux

LinuxCon and CloudOpen 2014 Keynote Videos Available

h, 2014-08-25 22:52
Videos of the keynotes for LinuxCon NA and CloudOpen are available. "The event started Wednesday, Aug. 20, with Executive Director Jim Zemlin's “State of Linux” keynote at 9 a.m. Central, followed by a panel discussion of Linux kernel developers that included Linux Creator Linus Torvalds."
Kategóriák: Linux

Security advisories for Monday

h, 2014-08-25 19:04

CentOS has updated mod_wsgi (C7: privilege escalation).

Debian has updated mediawiki (two vulnerabilities) and python-django (multiple vulnerabilities).

Fedora has updated file (F20: denial of service), fish (F20; F19: multiple vulnerabilities), libserf (F20: information leak), pen (F20: unspecified vulnerability), php-htmlpurifier-htmlpurifier (F20; F19: "Hash Length Extension" attack), phpMyAdmin (F20: multiple vulnerabilities), ppp (F20: privilege escalation), rubygem-activerecord (F20; F19: SQL injection), struts (F20: code execution), wordpress (F19: multiple vulnerabilities), and xen (F20; F19: denial of service).

Mageia has updated ansible (MG4: multiple vulnerabilities), bugzilla (cross-site request forgery), busybox (denial of service/possible code execution), jakarta-commons-httpclient (MG4; MG3: SSL server spoofing), and mednafen (denial of service/possible code execution).

openSUSE has updated IPython (13.1, 12.3: code execution), libgcrypt (13.1, 12.3: side-channel attack), and libserf, subversion (13.1, 12.3: multiple vulnerabilities).

Oracle has updated mod_wsgi (OL7: privilege escalation).

Red Hat has updated mod_wsgi (RHEL7: privilege escalation).

Kategóriák: Linux

[$] Kernel.org news: two-factor authentication and more

h, 2014-08-25 18:33
Kernel developers depend heavily on kernel.org for the hosting of Git repositories and the management of patch flow in general, so it is not surprising that the annual Kernel Summit sets aside a slot to discuss what is happening with this site. In recent years, there has been a lot of change to discuss, mostly relating to the reorganization of kernel.org management resulting from the compromise of the site in 2011. The 2014 kernel.org discussion, run by Konstantin Ryabitsev, shows that, in a lot of ways, the pace of change is slowing, but the kernel.org maintainers are still working to improve their support and make it more secure.
Kategóriák: Linux

Day: New Human Interface Guidelines for GNOME and GTK+

p, 2014-08-22 23:25

At his blog, Allan Day announces the preliminary availability of a brand-new edition of the GNOME Human Interface Guidelines (HIG). Prepared for the upcoming GNOME 3.14 release, this is the first major overhaul of the GNOME HIG in some time. Day notes: "There is a downside to all the experimentation that has been happening in software design in recent years, of course – it can often be a bewildering space to navigate. This is where the HIG comes in. Its goal is to help developers and designers take advantage of the new abilities at their disposal, without losing their way in the process. This is reflected in the structure of the new HIG: the guidelines don’t enforce a single template on which applications have to be based, but presents a series of patterns and elements which can be drawn upon." He also emphasizes that the new HIG, despite its name, is not a GNOME-only document, but is designed to aid interface design in other GTK+ applications, too.

Kategóriák: Linux

Calibre 2.0 released

p, 2014-08-22 22:14
Version 2.0 of the Calibre electronic book management tool has been released. There is a long list of new features since the 1.0 release. "The biggest new feature is an e-book editor, capable of editing ebooks in both the EPUB and AZW3 (Kindle) formats."
Kategóriák: Linux

Friday's security updates

p, 2014-08-22 17:21

Debian has updated python-imaging (denial of service).

Mageia has updated krb5 (multiple vulnerabilities) and sdcc (denial of service).

Ubuntu has updated ceilometer (14.04: information leak), glance (14.04: denial of service), horizon (14.04: multiple vulnerabilities), keystone (14.04: multiple vulnerabilities), neutron (14.04: multiple vulnerabilities), and nova (14.04: information leak).

Kategóriák: Linux

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back

p, 2014-08-22 00:40

The Free Software Foundation blog has posted an article detailing a newly discovered government surveillance project as well as a new technological countermeasure. The surveillance project is known as HACIENDA, as is reportedly a multi-national effort "to map every server in twenty-seven countries, employing a technique known as port scanning." The countermeasure, developed by Julian Kirsch, Christian Grothoff, Jacob Appelbaum, and Holger Kenn, is called TCP Stealth. According to the TCP Stealth whitepaper, the system "replaces the traditional random TCP SQN number with a token that authenticates the client and (optionally) the first bytes of the TCP payload. Clients and servers can enable TCP Stealth by explicitly setting a socket option or linking against a library that wraps existing network system calls." A Linux implementation of the scheme is available.

Kategóriák: Linux

Thursday's security updates

cs, 2014-08-21 19:46

Debian has updated libstruts1.2-java (code execution) and php5 (multiple vulnerabilities).

Fedora has updated drupal7 (F19; F20: denial of service), drupal7-date (F19; F20: cross-site scripting), libndp (F19; F20: code execution), and wordpress (F20: denial of service).

Mageia has updated catfish (M3; M4: privilege escalation), gpgme (code execution), phpmyadmin (multiple vulnerabilities), python-imaging, python-pillow (denial of service), and subversion (M3; M4: information leak).

openSUSE has updated openstack-neutron (13.1: access restriction bypass), apache2 (12.3; 13.1: multiple vulnerabilities), apache2-mod_security2 (rules bypass), krb5, (code execution), openssl (multiple vulnerabilities), python (12.3; 13.1: information leak), python3 (13.1: information leak), and samba (13.1: multiple vulnerabilities).

Red Hat has updated openstack-nova (RHEL OpenStack: multiple vulnerabilities).

Ubuntu has updated oxide-qt (14.04: multiple vulnerabilities).

Kategóriák: Linux

Linux Foundation Technical Advisory Board election results

cs, 2014-08-21 18:09
The results from the Linux Foundation TAB election have been announced; the five open seats went to Chris Mason, John Linville, H. Peter Anvin, Grant Likely, and Kristen Accardi.
Kategóriák: Linux

[$] LWN.net Weekly Edition for August 21, 2014

cs, 2014-08-21 03:56
The LWN.net Weekly Edition for August 21, 2014 is available.
Kategóriák: Linux

[$] GNOME development updates from GUADEC

sze, 2014-08-20 21:39

A project as large as GNOME consists of enough constituent parts that it can be a challenge just to keep up with the latest developments of the various applications, libraries, and infrastructure efforts. GUADEC 2014 in Strasbourg provided a number of opportunities to get up speed on the various moving pieces. Of course, it is impossible to catch everything at a multi-track event, but there were still quite a few updates worth mentioning.

Kategóriák: Linux

Security advisories for Wednesday

sze, 2014-08-20 17:41

CentOS has updated qemu-kvm (C6: code execution).

Debian has updated cacti (multiple vulnerabilities).

openSUSE has updated gpgme (13.1, 12.3: code execution) and wireshark (13.1: multiple vulnerabilities).

Oracle has updated qemu-kvm (OL6: multiple vulnerabilities).

Red Hat has updated kernel-rt (RHE MRG 2.5: multiple vulnerabilities), openstack-neutron (RHEL OSP 4.0: denial of service), and thermostat1-httpcomponents-client (RHSC1: SSL server spoofing).

Ubuntu has updated openjdk-7 (14.04 LTS: multiple vulnerabilities).

Kategóriák: Linux

[$] The 2014 Kernel Summit

sze, 2014-08-20 16:37
The 2014 Kernel Summit was held on August 18-20 in Chicago, IL, USA. Reports from the first day's session are now available to LWN subscribers. Topics covered range from I/O memory management units to the stable and linux-next trees, to performance regressions and code review. Click below (subscribers only) for access to the full set of articles.
Kategóriák: Linux

Linux Kernel Git Repositories Add 2-Factor Authentication (Linux.com)

k, 2014-08-19 19:47
Linux.com takes a look at using 2-factor authentication for commit access to kernel git repositories. "Having the technology available is one thing, but how to incorporate it into the kernel development process -- in a way that doesn't make developers' lives painful and unbearable? When we asked them, it became abundantly clear that nobody wanted to type in 6-digit codes every time they needed to do a git remote operation. Where do you draw the line between security and usability in this case? We looked at the options available in gitolite, the git repository management solution used at kernel.org, and found a way that allowed us to trigger additional checks only when someone performed a write operation, such as "git push." Since we already knew the username and the remote IP address of the developer attempting to perform a write operation, we put together a verification tool that allowed developers to temporarily whitelist their IP addresses using their 2-factor authentication token."
Kategóriák: Linux

Security advisories for Tuesday

k, 2014-08-19 17:16

CentOS has updated nss-util (C7: incorrect wildcard certificate handling), nss-softokn (C7: incorrect wildcard certificate handling), and nss (C7: incorrect wildcard certificate handling).

Fedora has updated kernel (F19: multiple vulnerabilities) and samba (F19: remote code execution/privilege escalation).

Oracle has updated nss, nss-util, nss-softokn (OL7: incorrect wildcard certificate handling).

Red Hat has updated qemu-kvm (RHEL6: multiple vulnerabilities).

Scientific Linux has updated qemu-kvm (SL6: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities).

Ubuntu has updated openssl (10.04 LTS: regression in previous update).

Kategóriák: Linux