Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

How (and why) FreeDOS keeps DOS alive (ComputerWorld)

Tue, 2016-07-19 00:49
ComputerWorld talks with Jim Hall, a contributor to FreeDOS. "FreeDOS (it was originally dubbed ‘PD-DOS’ for ‘Public Domain DOS’, but the name was changed to reflect that it’s actually released under the GNU General Public License) dates back to June 1994, meaning it is just over 22 years old — a formidable lifespan compared to many open source projects. “And if you consider the DOS platform, MS-DOS 1.0 dates back to 1981, ‘DOS’ as an operating system has been around for 35 years! That’s not too shabby,” Hall said. (Version 1.0 of MS-DOS — then marketed by IBM as PC DOS — was released in August 1981.)" (Thanks to Paul Wise)
Categories: Linux

Security advisories for Monday

Mon, 2016-07-18 18:24

Arch Linux has updated flashplugin (multiple vulnerabilities), gimp (use-after-free), and lib32-flashplugin (multiple vulnerabilities).

Debian has updated libgd2 (multiple vulnerabilities) and pidgin (multiple vulnerabilities).

Debian-LTS has updated binutils (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), and ruby-eventmachine (denial of service).

Fedora has updated gimp (F22: use-after-free), httpd (F23: authentication bypass), openjpeg2 (F23: multiple vulnerabilities), perl (F22: code execution), python (F23: denial of service), python3 (F23: denial of service), samba (F23: crypto downgrade), and sudo (F23; F22: race condition).

Gentoo has updated cacti (multiple vulnerabilities), chromium (multiple vulnerabilities), cups (code execution), and gd (multiple vulnerabilities).

Categories: Linux

Ubuntu forums compromised

Sat, 2016-07-16 01:20
Canonical has disclosed that the Ubuntu forum system has been compromised. "The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table. They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed."
Categories: Linux

Notes from the fourth RISC-V workshop

Sat, 2016-07-16 00:16

The lowRISC project, which is an effort to develop a fully open-source, Linux-powered system-on-chip based on the RISC-V architecture, has published notes from the fourth RISC-V workshop. Notably, the post explains, the members of the RISC-V foundation voted to keep the RISC-V instruction-set architecture (ISA) and related standards open and license-free to all parties. There are also accounts included of the work on RISC-V interrupts, heterogeneous multicore RISC-V processors, support for non-volatile memory, and Debian's RISC-V port.

Categories: Linux

Friday's security updates

Fri, 2016-07-15 17:21

Debian has updated php5 (multiple vulnerabilities).

Debian-LTS has updated clamav (fix for previously released update) and drupal7 (privilege escalation).

Fedora has updated openjpeg2 (F24: multiple vulnerabilities) and sqlite (F24: information leak).

Mageia has updated graphicsmagick (M5: multiple vulnerabilities), pdfbox (M5: XML External Entity (XXE) attack), sqlite3 (M5: information leak), thunderbird (M5: multiple vulnerabilities), and util-linux (M5: denial of service).

openSUSE has updated flash-player (13.1: multiple vulnerabilities), LibreOffice (Leap 42.1: multiple vulnerabilities), libvirt (13.2; Leap 42.1: authentication bypass), and xerces-c (13.2: multiple vulnerabilities).

Red Hat has updated atomic-openshift (RHOSE 3.2: information leak).

Ubuntu has updated ecryptfs-utils (15.10, 16.04: information leak), kernel (14.04; 15.10: denial of service), libarchive (12.04, 14.04, 15.10, 16.04: code execution), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-lts-wily (14.04: denial of service), and linux-raspi2 (15.10: denial of service).

Categories: Linux

Automotive Grade Linux Releases 2.0 Spec Amid Growing Support (Linux.com)

Thu, 2016-07-14 23:39
Over at Linux.com, Eric Brown writes about the release of Automotive Grade Linux (AGL) Unified Code Base (UCB) 2.0 for in-vehicle infotainment (IVI) systems. "The latest version adds features like audio routing, rear seat display support, the beginnings of an app platform, and new development boards including the DragonBoard, Wandboard, and Raspberry Pi. AGL’s Yocto Project derived UCB distro, which is also based in part on the GENIVI and Tizen automotive specs, was first released in January. UCB 1.0 followed an experimental AGL stack in 2014 and an AGL Requirements Specification in June, 2015. UCB is scheduled for a 3.0 release in early 2017, at which point some automotive manufacturers will finally use it in production cars. Most of the IVI software will be based on UCB, but carmakers can also differentiate with their own features." We looked at AGL UCB 1.0 back in January.
Categories: Linux

Security advisories for Thursday

Thu, 2016-07-14 16:23

Fedora has updated gnutls (F23: certificate verification botch).

Gentoo has updated flash (many vulnerabilities).

openSUSE has updated flash-player (13.2: many vulnerabilities) and kernel (42.1: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5,6: many vulnerabilities) and rh-nginx18-nginx (RHSC: multiple vulnerabilities).

SUSE has updated MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss (SLE11: multiple vulnerabilities).

Categories: Linux

[$] LWN.net Weekly Edition for July 14, 2016

Thu, 2016-07-14 03:11
The LWN.net Weekly Edition for July 14, 2016 is available.
Categories: Linux

Tor Project Elects All-New Board of Directors

Wed, 2016-07-13 21:39
The Tor Project has announced a new board of directors. "As Tor's board of directors, we consider it our duty to ensure that the Tor Project has the best possible leadership. The importance of Tor's mission requires it; the public standing of the organization makes it possible; and we are committed to achieve it. We had that duty in mind when we conducted an Executive Director search last year, and appreciate the leadership Shari Steele has brought. To support her, we further believe that it is time that we pass the baton of board oversight as the Tor Project moves into its second decade of operations."
Categories: Linux

Security updates for Wednesday

Wed, 2016-07-13 17:47

CentOS has updated kernel (C6: privilege escalation).

Fedora has updated python (F24: heap corruption), python3 (F24: heap corruption), and squid (F24; F23: multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

Oracle has updated kernel (OL6: privilege escalation).

Red Hat has updated kernel (RHEL7: denial of service) and kernel (RHEL6: privilege escalation).

Scientific Linux has updated thunderbird (SL5,6,7: code execution).

Ubuntu has updated pidgin (15.10, 14.04, 12.04: multiple vulnerabilities).

Categories: Linux

SPI 2015 Annual Report

Wed, 2016-07-13 01:18
Software in the Public Interest has announced its 2015 Annual Report (PDF), covering the 2015 calendar year. The annual report covers SPI's finances, elections, board members, committees, associated projects, and other significant changes throughout the year.
Categories: Linux

Herman: Shipping Rust in Firefox

Tue, 2016-07-12 22:14
Dave Herman reports that with Firefox 48, Mozilla will ship its first Rust component to all desktop platforms. "One of the first groups at Mozilla to make use of Rust was the Media Playback team. Now, it’s certainly easy to see that media is at the heart of the modern Web experience. What may be less obvious to the non-paranoid is that every time a browser plays a seemingly innocuous video (say, a chameleon popping bubbles), it’s reading data delivered in a complex format and created by someone you don’t know and don’t trust. And as it turns out, media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in Web browsers’ implementation code. This makes a memory-safe programming language like Rust a compelling addition to Mozilla’s tool-chest for protecting against potentially malicious media content on the Web."
Categories: Linux

Tuesday's security advisories

Tue, 2016-07-12 18:19

CentOS has updated thunderbird (C7; C6; C5: code execution).

Debian-LTS has updated drupal7 (open redirect vulnerability) and graphicsmagick (two vulnerabilities).

Fedora has updated expat (F22: multiple vulnerabilities), gnutls (F24: certificate verification vulnerability), gsi-openssh (F24: support GSI authentication), httpd (F24: authentication bypass), krb5 (F22: buffer overflow), mbedtls (F23: three vulnerabilities), pdfbox (F23: XML External Entity (XXE) attacks), pypy3 (F23; F22: two vulnerabilities), python (F22: startTLS stripping attack), python3 (F22: startTLS stripping attack), and samba (F24: crypto downgrade).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Ubuntu has updated libgd2 (multiple vulnerabilities), nspr (denial of service), and nss (denial of service).

Categories: Linux

Gräßlin: Multi-screen woes in Plasma 5.7

Tue, 2016-07-12 01:22
On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. "Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put its panels, but does not have any meaning for normal windows. Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screen”. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it. Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry."
Categories: Linux

Two new stable kernels

Mon, 2016-07-11 22:12
Greg Kroah-Hartman has released stable kernels 4.6.4 and 4.4.15. Both of them contain important fixes.
Categories: Linux

Security advisories for Monday

Mon, 2016-07-11 19:09

Arch Linux has updated thunderbird (code execution).

Fedora has updated community-mysql (F24: unspecified), davfs2 (F24: unspecified), gimp (F23: use-after-free), krb5 (F23: buffer overflow), and nodejs-ws (F24; F23: denial of service).

Gentoo has updated libpcre (multiple vulnerabilities) and squid (multiple vulnerabilities).

Mageia has updated drupal (privilege escalation), libreoffice (code execution), libvirt (authentication bypass), mbedtls (three vulnerabilities), spice (two vulnerabilities), struts (two vulnerabilities), and tcpreplay (denial of service).

openSUSE has updated glibc (Leap42.1: multiple vulnerabilities), libircclient (13.1: insecure cipher suites), and thunderbird (SPH for SLE12; Leap42.1, 13.2; 13.1: multiple vulnerabilities).

Red Hat has updated thunderbird (RHEL5,6,7: code execution).

SUSE has updated GraphicsMagick (SSO1.3, SLE11-SP4: multiple vulnerabilities), ImageMagick (SLE12-SP1; SLE11-SP4: many vulnerabilities), kvm (SLES11-SP4: multiple vulnerabilities), and kernel (SLERTE12-SP1: multiple vulnerabilities).

Categories: Linux

Kernel prepatch 4.7-rc7

Mon, 2016-07-11 14:24
Linus has released the 4.7-rc7 kernel prepatch. "Anyway, there's a couple of regressions still being looked at, but unless anything odd happens, this is going to be the last rc. However, due to my travel schedule, I won't be doing the final 4.7 next weekend, and people will have two weeks to report (and fix) any remaining bugs. Yeah, that's the ticket. My travel schedule isn't screwing anything up, instead think of it as you guys getting a BONUS WEEK! Yay!"

See the current list of reported regressions for the known issues remaining in the 4.7 kernel.

Categories: Linux

[$] Python's os.urandom() in the absence of entropy

Sun, 2016-07-10 16:29
Python applications, like those written in other languages, often need to obtain random data for purposes ranging from cryptographic key generation to initialization of scientific models. For years, the standard way of getting that data has been a call to os.urandom(), which is documented to "return a string of n random bytes suitable for cryptographic use." An enhancement in Python 3.5 caused a subtle change in how os.urandom() behaves on Linux systems, leading to some long, heated discussions about how randomness should be obtained in Python programs. When the dust settles, Python benevolent dictator for life (BDFL) Guido van Rossum will have the unenviable task of choosing between two competing proposals.
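The failure mode behind that discussion, as an added example that is not from the article and not CPython's own code: on Linux, Python 3.6 and later expose the kernel's getrandom(2) as os.getrandom(), and its GRND_NONBLOCK flag turns "the pool is not yet seeded" into an EAGAIN (BlockingIOError) instead of a block. The probe and the key_material() helper below are this editor's code; the function names, the polling interval and the injectable getrandom/sleep parameters (there so the unseeded state can be simulated on a machine whose pool is already initialized) are assumptions chosen for illustration, not anything the standard library provides.

```python
import errno
import os
import time

# Kernel flag value from getrandom(2); os.GRND_NONBLOCK exists on Linux in
# Python 3.6+, the literal is the kernel's definition for other platforms.
GRND_NONBLOCK = getattr(os, "GRND_NONBLOCK", 0x0001)


def pool_initialized(getrandom=None):
    """Probe whether the kernel's urandom pool has been seeded.

    A non-blocking getrandom(2) call fails with EAGAIN (BlockingIOError)
    exactly when a blocking read would hang, i.e. at early boot before the
    pool is initialized.  Returns None where the probe is unavailable
    (non-Linux, Python < 3.6, or a kernel without the syscall) so the caller
    can decide how to treat the unknown case.  `getrandom` is injectable
    only so the unseeded state can be simulated in a test.
    """
    if getrandom is None:
        getrandom = getattr(os, "getrandom", None)
        if getrandom is None:
            return None
    try:
        getrandom(1, GRND_NONBLOCK)
    except BlockingIOError:
        return False
    except OSError as exc:
        if exc.errno == errno.ENOSYS:  # pre-3.17 kernel: no getrandom at all
            return None
        raise
    return True


def key_material(n, wait_seconds=5.0, getrandom=None, sleep=time.sleep):
    """Return n bytes for key generation, refusing to hand back weak output.

    Polls the non-blocking probe for up to wait_seconds, then reads from
    os.urandom().  If the pool never initializes, raise rather than
    silently returning bytes from an unseeded generator, which is the
    outcome a blocking-or-not os.urandom() cannot signal to the caller.
    """
    deadline = time.monotonic() + wait_seconds
    while True:
        state = pool_initialized(getrandom)
        if state is None or state:
            # None: cannot probe on this platform; behave like the classic
            # os.urandom() and trust the kernel device.
            return os.urandom(n)
        if time.monotonic() >= deadline:
            raise RuntimeError(
                "kernel random pool not initialized after %.1fs; "
                "refusing to generate key material" % wait_seconds
            )
        sleep(0.05)


if __name__ == "__main__":
    print("pool initialized:", pool_initialized())
    print("32 key bytes:", key_material(32).hex())
```

The point of the explicit RuntimeError is that the two proposals the article mentions differ in what os.urandom() does in this state; an application that generates long-lived keys wants neither a silent weak read nor an indefinite hang, and the probe lets it choose a bounded wait with a loud failure.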
Categories: Linux

Portals: Using GTK+ in a Flatpak

Fri, 2016-07-08 19:09
On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox. "Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system. Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t. Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access. Regardless which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system. The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox."
Categories: Linux

Security updates for Friday

Fri, 2016-07-08 16:02

Debian-LTS has updated clamav (update to 0.99.2), icu (three vulnerabilities, two from 2015), and tcpreplay (denial of service).

openSUSE has updated php5 (13.2: multiple vulnerabilities, one from 2015).

Slackware has updated samba (crypto downgrade).

Categories: Linux