Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] Debian and CAcert

Wed, 2014-03-19 01:49

CAcert is an SSL/TLS certificate authority (CA) that seeks to be community driven and to provide certificates for free (gratis), which stands in sharp contrast to the other existing CAs. But, in order for CAcert-signed certificates to be accepted by web browsers and other TLS-using applications, the CAcert root certificate must be included in the "trusted certificate store" that operating systems use to determine which CAs to trust. For the most part, CAcert has found it difficult to get included in the distribution-supplied trusted root stores; the discussion in a recently closed Debian bug highlights the problem.

Subscribers can click below for the full article from this week's Distributions page.

Categories: Linux

10,000 Linux servers hit by malware (ars technica)

Tue, 2014-03-18 20:14
Ars technica takes a look at an ongoing criminal operation infecting more than 10,000 Unix and Linux servers with malware that sends spam and redirects end users to malicious Web pages. "Windigo, as the attack campaign has been dubbed, has been active since 2011 and has compromised systems belonging to the Linux Foundation's kernel.org and the developers of the cPanel Web hosting control panel, according to a detailed report published Tuesday by researchers from antivirus provider Eset. During its 36-month run, Windigo has compromised more than 25,000 servers with robust malware that sends more than 35 million spam messages a day and exposes Windows-based Web visitors to drive-by malware attacks. It also feeds people running any type of computer banner ads for porn services." See Eset's white paper [PDF] for details.
Categories: Linux

Tuesday's security advisories

Tue, 2014-03-18 18:11

CentOS has updated mutt (C6: code execution), ruby193-rubygem-actionpack (CSC: multiple vulnerabilities), and samba (C5: multiple vulnerabilities).

Debian has updated python2.7 (multiple vulnerabilities).

Fedora has updated wireshark (F20; F19: multiple vulnerabilities).

Mandriva has updated udisks (BS1.0: privilege escalation) and x2goserver (BS1.0: code execution).

openSUSE has updated udisks (13.1, 12.3; 11.4: privilege escalation) and udisks2 (13.1, 12.3: privilege escalation).

Oracle has updated mutt (OL6: code execution) and samba (OL5: multiple vulnerabilities).

Red Hat has updated mutt (RHEL6: code execution), ruby193-rubygem-actionpack (RHSC1: multiple vulnerabilities), and samba (RHEL5: multiple vulnerabilities).

Scientific Linux has updated mutt (SL6: code execution) and samba (SL5: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities).

Categories: Linux

GNU Guile 2.0.10 released

Tue, 2014-03-18 15:25
Version 2.0.10 of the GNU Guile language, an implementation of the "Scheme" Lisp dialect, is out. New features include better GDB integration, HTTP proxy support, better runtime error reporting, a new vector operations library, and a lot of changes to support the upcoming "R7RS" version of the Scheme language (information about which can be found on scheme-reports.org).
Categories: Linux

Security advisories for Monday

Mon, 2014-03-17 19:22

Mageia has updated freetype2 (MG4: two vulnerabilities), libpng (MG4: denial of service), udisks (privilege escalation), and webmin (unspecified vulnerabilities).

Mandriva has updated oath-toolkit (replays one time passwords) and webmin (multiple vulnerabilities).

openSUSE has updated flash-player (13.1, 12.3; 11.4: multiple vulnerabilities), libyaml (13.1, 12.3: code execution), python (13.1: multiple vulnerabilities), and wireshark (13.1, 12.3; 11.4: multiple vulnerabilities).

Slackware has updated php (denial of service).

Ubuntu has updated freetype (13.10: code execution), librsvg (13.10, 12.10, 12.04 LTS: unauthorized file access), and gtk+ (12.10, 12.04 LTS: compatibility fix for GTK+ to work with the librsvg security update).

Categories: Linux

Python 3.4.0 released

Mon, 2014-03-17 15:59
After around 18 months of development, Python 3.4 has been released. There were no new language changes for this release, but there were many new features in the standard library and CPython implementation, some of which we looked at recently. The "What's new in Python 3.4" page looks at the changes in even greater detail. Beyond the new features, there were also "hundreds of small improvements and bug fixes". You can get Python 3.4 from the download page or from distribution repositories before too long.
Categories: Linux

Kernel prepatch 3.14-rc7

Mon, 2014-03-17 15:46
The 3.14-rc7 prepatch is out, and Linus is feeling better about things. "What a difference a week makes. In a good way. A week ago, cutting rc6, I was not a happy person: the release had much too much noise in it, and I felt that an rc8 and even an rc9 might well be a real possibility. Now it's a week later, and rc7 looks much better." He is now saying this might be the last -rc for 3.14.
Categories: Linux

Shuttleworth: ACPI, firmware and your security

Mon, 2014-03-17 15:44
Mark Shuttleworth argues against the use of ACPI in "next-generation devices" on the basis that it is a huge security hole. "If you read the catalogue of spy tools and digital weaponry provided to us by Edward Snowden, you’ll see that firmware on your device is the NSA’s best friend. Your biggest mistake might be to assume that the NSA is the only institution abusing this position of trust – in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity courtesy of incompetence of the worst degree from manufacturers, and competence of the highest degree from a very wide range of such agencies."
Categories: Linux

Stable kernel 3.12.14

Sat, 2014-03-15 02:47
Jiri Slaby has announced the release of the 3.12.14 stable kernel. Slaby took over maintenance of the 3.12 series starting with this release. As would be expected, it has fixes throughout the tree; users should upgrade.
Categories: Linux

Blender announces "Gooseberry" feature-length film project

Sat, 2014-03-15 00:29

The Blender Institute has announced its next open movie project, codenamed Gooseberry. As with Blender's preceding open movie (and game) projects, Gooseberry will drive feature development in Blender as is required by the film team's workflow. This time, however, the end product will be a feature-length animation rather than a short. "Targets will include asset and project management, new hair and cloth simulation, advanced animation/simulation dependency handling, and work on rendering and compositing." The complete project is expected to take 18 months, and will involve collaboration between 12 independent animation studios. More details, including both sheep-related plot points and a technical overview, are available at the site.

Categories: Linux

Friday's security updates

Fri, 2014-03-14 18:26

CentOS has updated 389-ds-base (C6: privilege escalation), kernel (C5: multiple vulnerabilities), and udisks (C6: code execution).

Debian has updated libssh (private key disclosure) and virtualbox (multiple vulnerabilities).

Gentoo has updated file (denial of service) and qtcore (denial of service).

Mandriva has updated freeradius (BS1, ES5: code execution), imapsync (BS1: multiple vulnerabilities), mediawiki (BS1: multiple vulnerabilities), and php (BS1: multiple vulnerabilities).

openSUSE has updated file (11.4; 12.3, 13.1: multiple vulnerabilities), ImageMagick (11.4; 12.3, 13.1: multiple vulnerabilities), libssh (11.4; 12.3, 13.1: private key leak), percona-toolkit (12.3: code execution), postgresql (11.4: multiple vulnerabilities), roundcubemail (12.3, 13.1: code execution), and xtrabackup (13.1: information leak).

Oracle has updated 389-ds-base (O6: privilege escalation), kernel (O5; O6: multiple vulnerabilities), and udisks (O6: code execution).

Red Hat has updated 389-ds-base (privilege escalation) and udisks (code execution).

Scientific Linux has updated 389-ds-base (SL6: privilege escalation), kernel (SL5: multiple vulnerabilities), and udisks (SL6: code execution).

Slackware has updated samba (multiple vulnerabilities).

SUSE has updated Xen (SLES11-SP2; SLES11-SP3: multiple vulnerabilities).

Ubuntu has updated mutt (denial of service) and sudo (privilege escalation).

Categories: Linux

Applications 4.13 Coming Soon, Help Us Test! (KDE.news)

Thu, 2014-03-13 23:23
In conjunction with the KDE community's second beta release of Applications and Platform 4.13, Jos Poortvliet has put together a guide to helping test the Applications piece of the release. He looks at the improvements that are going into the Applications to give ideas about what to test. There are also some more formal testing resources that he mentions. "Testing is a matter of trying out some scenarios you decide to test, for example, pairing your Android phone to your computer with KDE Connect. If it works – awesome, move on. If it doesn't, find out as much as you can about why it doesn't and use that for a bug report."
Categories: Linux

Ubuntu’s Mir display server may not be default on desktop until 2016 (ars technica)

Thu, 2014-03-13 19:26
Ars technica reports on the virtual Ubuntu Developer Summit (vUDS) keynote from Canonical's Mark Shuttleworth. "On the desktop, users can install Mir themselves, but it won't be turned on by default for everyone just yet. 'My expectation is that within the next 12 months you will see lots of people running Mir as their default display server, and by 16.04 it will be the default display server,' Shuttleworth said. 'There's lots of reasons why that will let us support more hardware, let us get much better performance, and let us do great things with some of the software companies we care about, who want to squeeze every bit of performance out of the hardware you've got.'"
Categories: Linux

Thursday's security updates

Thu, 2014-03-13 16:28

Debian has updated cups (three vulnerabilities) and lighttpd (two vulnerabilities).

Fedora has updated mantis (F20; F19: three SQL injection flaws) and net-snmp (F20; F19: denial of service).

Mageia has updated flash-player-plugin (two vulnerabilities) and imapsync (information leak).

Mandriva has updated apache-commons-fileupload (BS1.0: denial of service), file (BS1.0: two vulnerabilities), libssh (BS1.0: private key leak), net-snmp (BS1.0: two denial of service flaws), otrs (BS1.0: code execution), and owncloud (BS1.0: multiple unspecified vulnerabilities).

openSUSE has updated otrs (12.3, 13.1: code execution).

Red Hat has updated flash-plugin (two vulnerabilities), gnutls (certificate validation botch), and kernel (RHEL5: multiple vulnerabilities).

Slackware has updated mutt (code execution).

Categories: Linux

[$] LWN.net Weekly Edition for March 13, 2014

Thu, 2014-03-13 02:53
The LWN.net Weekly Edition for March 13, 2014 is available.
Categories: Linux

FSF: Replicant developers find and close Samsung Galaxy back-door

Wed, 2014-03-12 23:47
The Free Software Foundation has put out a release claiming that developers working on the Replicant fork of Android have found a backdoor on Samsung Galaxy handsets. "While working on Replicant, a fully free/libre version of Android, we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system. This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write and delete files on the phone's storage. On several phone models, this program runs with sufficient rights to access and modify the user's personal data."
Categories: Linux

[$] A false midnight

Wed, 2014-03-12 19:10

Interpreted, "duck typing" languages often have some idiosyncrasies in their definitions of "truth" and Python is no exception. But Python goes a bit further than some other languages in interpreting the True or False status of non-Boolean values. Even so, it often comes as a big surprise for programmers to find (sometimes by way of a hard-to-reproduce bug) that, unlike any other time value, midnight (i.e. datetime.time(0,0,0)) is False. A long discussion on the python-ideas mailing list shows that, while surprising, that behavior is desirable—at least in some quarters.

Categories: Linux

Stable kernel update

Wed, 2014-03-12 18:44
Greg Kroah-Hartman has released stable kernel 3.4.83 with important fixes throughout the tree.
Categories: Linux

Security updates for Wednesday

Wed, 2014-03-12 18:38

Debian has updated cups-filters (multiple vulnerabilities), file (code execution), and mutt (code execution).

Fedora has updated file (F20: code execution) and php-sabre-dav (F20; F19: unspecified vulnerability).

openSUSE has updated libpng16 (13.1: denial of service).

Red Hat has updated kernel (RHEL6.4 EUS: multiple vulnerabilities).

Ubuntu has updated cups (10.04 LTS: multiple vulnerabilities), cups-filters (13.10, 12.10, 12.04 LTS: multiple vulnerabilities), and libssh (13.10, 12.10, 12.04 LTS: private key leak).

Categories: Linux

[$] MCS locks and qspinlocks

Wed, 2014-03-12 00:47
Impressive amounts of effort have gone into optimizing the kernel's low-level locking mechanisms over the years, but that does not mean that there is no room for improving their performance further. Some work that will be in the 3.15 kernel, with more likely to come later, has the potential to speed up kernel locking considerably, especially in situations where there are significant amounts of contention.

Click below (subscribers only) for the full article from this week's Kernel Page.

Categories: Linux