Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security updates

Fri, 2015-07-24 17:04

Arch Linux has updated chromium (multiple vulnerabilities), crypto++ (private key recovery), libuser (multiple vulnerabilities), and openssh (authentication limits bypass).

CentOS has updated libuser (C7: multiple vulnerabilities).

Debian has updated chromium-browser (multiple vulnerabilities).

Gentoo has updated e2fsprogs (code execution).

Oracle has updated libuser (O7: multiple vulnerabilities).

Red Hat has updated java-1.7.0-ibm (RHEL 5: multiple vulnerabilities) and libuser (RHEL 6; RHEL 7: multiple vulnerabilities).

Scientific Linux has updated libuser (SL7: multiple vulnerabilities).

Ubuntu has updated kernel (12.04; 14.04; 14.10; 15.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Categories: Linux

Day: HIG updates

Fri, 2015-07-24 00:24

At his blog, Allan Day announces the first major update to the GNOME Human Interface Guidelines since the first GNOME 3 version (released in 2014). Day notes that the GNOME 3 HIG is structured around design patterns, in the hopes that it can be updated regularly to reflect current practices. "These new guidelines are the direct result of design work that has happened in the past year. They attempt to distill everything we’ve learned through our own process of trial and error." Furthermore, "the HIG now links to the relevant GTK+ API reference documentation for each design component. This is nice for knowing which widget does what; and makes the design guidelines a more effective accompaniment to the toolkit."


Thursday's security updates

Thu, 2015-07-23 16:26

Debian has updated kernel (multiple vulnerabilities).

Fedora has updated hostapd (F21; F22: denial of service) and python-django (F22: multiple vulnerabilities).

Gentoo has updated libXfont (multiple vulnerabilities).

Mageia has updated java-1.7.0-openjdk (M4: multiple vulnerabilities) and php (M4: multiple vulnerabilities).

Red Hat has updated java-1.6.0-ibm (RHEL 5,6: multiple vulnerabilities) and java-1.7.1-ibm (RHEL 6,7: multiple vulnerabilities).

Ubuntu has updated nbd (multiple vulnerabilities).


[$] LWN.net Weekly Edition for July 23, 2015

Thu, 2015-07-23 02:13
The LWN.net Weekly Edition for July 23, 2015 is available.

[$] Django Girls one year later

Wed, 2015-07-22 23:06

Though it got a bit of a late start due to some registration woes, the first day of EuroPython 2015 began with an engaging and well-received keynote. It recounted the history of a project that got its start just a year ago when the first Django Girls workshop was held at EuroPython 2014 in Berlin. The two women who started the project, Ola Sitarska and Ola Sendecka, spoke about how the workshop to teach women about Python and the Django web framework all came together—and the amazing progress that has been made by the organization in its first year.


Red Hat Enterprise Linux 6.7 released

Wed, 2015-07-22 19:11
Red Hat has announced the general availability of RHEL 6.7. "As the basis for large, complex IT deployments, Red Hat Enterprise Linux 6.7 offers enterprise IT teams new capabilities to bolster system security, proactively identify and resolve business-critical IT issues, and confidently embrace some of the latest open source technologies, such as Linux containers, without sacrificing operational stability." The release notes contain details.

Wednesday's security advisories

Wed, 2015-07-22 18:49

Arch Linux has updated jre7-openjdk (multiple vulnerabilities).

Debian has updated cacti (SQL injection).

Debian-LTS has updated python-tornado (side-channel attack).

openSUSE has updated ansible (13.2: two vulnerabilities), libressl (13.2: multiple vulnerabilities), pdns (13.2, 13.1: denial of service), and rubygem-activesupport-3_2 (13.2, 13.1: denial of service).

Red Hat has updated autofs (RHEL6: privilege escalation), bind (RHEL6: denial of service), curl (RHEL6: multiple vulnerabilities), freeradius (RHEL6: buffer overflow), gnutls (RHEL6: multiple vulnerabilities), grep (RHEL6: two vulnerabilities), hivex (RHEL6: code execution), httpd (RHEL6: access restriction bypass), ipa (RHEL6: cross-site scripting), kernel (RHEL6: multiple vulnerabilities), libreoffice (RHEL6: code execution), libxml2 (RHEL6: denial of service), mailman (RHEL6: two vulnerabilities), net-snmp (RHEL6: denial of service), ntp (RHEL6: multiple vulnerabilities), pacemaker (RHEL6: privilege escalation), pki-core (RHEL6: cross-site scripting), ppc64-diag (RHEL6: two vulnerabilities), python (RHEL6: multiple vulnerabilities), sudo (RHEL6: information disclosure), wireshark (RHEL6: multiple vulnerabilities), and wpa_supplicant (RHEL6: denial of service).

Ubuntu has updated lxc (15.04, 14.10, 14.04: two vulnerabilities) and mysql-5.5, mysql-5.6 (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).


Stable kernels 4.1.3 and 4.0.9

Wed, 2015-07-22 07:16
The 4.1.3 and 4.0.9 stable kernel releases are available with the usual set of important fixes. Note that 4.0.9 is the last in the 4.0.x series.

[$] Domesticating applications, OpenBSD style

Tue, 2015-07-21 22:54
One of the many approaches to improving system security consists of reducing the attack surface of a given program by restricting the range of system calls available to it. If an application has no need for access to the network, say, then removing its ability to use the socket() system call should cause no loss in functionality while reducing the scope of the mischief that can be made should that application be compromised. In the Linux world, this kind of sandboxing can be done using a security module or the seccomp() system call. OpenBSD has lacked this capability so far, but it may soon gain it via a somewhat different approach than has been seen in Linux.

"Cloud Native Computing Foundation" launched

Tue, 2015-07-21 20:15
The Linux Foundation has announced the Cloud Native Computing Foundation. "This new organization aims to advance the state-of-the-art for building cloud native applications and services, allowing developers to take full advantage of existing and to-be-developed open source technologies. Cloud native refers to applications or services that are container-packaged, dynamically scheduled and micro services-oriented. Founding organizations include AT&T, Box, Cisco, Cloud Foundry Foundation, CoreOS, Cycle Computing, Docker, eBay, Goldman Sachs, Google, Huawei, IBM, Intel, Joyent, Kismatic, Mesosphere, Red Hat, Switch SUPERNAP, Twitter, Univa, VMware and Weaveworks. Other organizations are encouraged to participate as founding members in the coming weeks, as the organization establishes its governance model."

Security advisories for Tuesday

Tue, 2015-07-21 18:14

CentOS has updated bind (C7: denial of service) and thunderbird (C7; C6; C5: multiple vulnerabilities).

Debian-LTS has updated cacti (SQL injection) and cacti (regression in previous update).

Fedora has updated asterisk (F22: SSL server spoofing), bind (F21: denial of service), httpd (F22: multiple vulnerabilities), java-1.8.0-openjdk (F22; F21: multiple vulnerabilities), libunwind (F22: buffer overflow), php-horde-Horde-Auth (F22; F21: multiple vulnerabilities), php-horde-Horde-Core (F22; F21: multiple vulnerabilities), php-horde-Horde-Form (F22; F21: multiple vulnerabilities), php-horde-Horde-Icalendar (F22; F21: multiple vulnerabilities), polkit (F21: multiple vulnerabilities), and squashfs-tools (F21: two vulnerabilities).

Oracle has updated bind (OL7: denial of service) and thunderbird (OL7; OL6: multiple vulnerabilities).

Red Hat has updated bind (RHEL7: denial of service) and thunderbird (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated bind (SL7: denial of service) and thunderbird (SL5,6,7: multiple vulnerabilities).

SUSE has updated mariadb (SLE12: multiple vulnerabilities).

Ubuntu has updated thunderbird (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).


Gorman: Continual testing of mainline kernels

Tue, 2015-07-21 10:43
Mel Gorman introduces SUSE's kernel performance-testing system. "Marvin is a system that continually runs performance-related tests and is named after another robot doomed with repetitive tasks. When tests are complete it generates a performance comparison report that is publicly available but rarely linked. The primary responsibility of this system is to check SUSE Linux for Enterprise kernels for performance regressions but it is also configured to run tests against mainline releases."

Security updates for Monday

Mon, 2015-07-20 20:38

Arch Linux has updated apache (multiple vulnerabilities).

Debian has updated freexl (denial of service), mariadb-10.0 (multiple vulnerabilities), mysql-5.5 (multiple vulnerabilities), and tidy (two vulnerabilities).

Debian-LTS has updated groovy (code execution), inspircd (denial of service), libidn (information disclosure), ruby1.9.1 (denial of service), and tidy (two vulnerabilities).

Fedora has updated bind (F22: denial of service), condor (F21: code execution), cups-filters (F21: code execution), drupal7-migrate (F22; F21: cross-site scripting), drupal7-views_bulk_operations (F22; F21: permission bypass), openstack-cinder (F21: file disclosure), pcre (F21: two vulnerabilities), python-keystonemiddleware (F22: certificate verification botch), rawstudio (F22; F21: two vulnerabilities), redis (F22; F21: code execution), squashfs-tools (F22: two vulnerabilities), thunderbird (F22; F21: multiple vulnerabilities), webkitgtk4 (F22: denial of service), and xen (F22; F21: privilege escalation).

Gentoo has updated postgresql (multiple vulnerabilities).

openSUSE has updated flash-player (11.4: two vulnerabilities), libcryptopp (13.2, 13.1: information disclosure), libidn (13.2, 13.1: information disclosure), firefox, thunderbird (11.4: multiple vulnerabilities), rubygem-jquery-rails (13.2, 13.1: CSRF vulnerability), rubygem-rack (13.2, 13.1: denial of service), rubygem-rack-1_3 (13.2, 13.1: denial of service), and rubygem-rack-1_4 (13.2, 13.1: denial of service).

Slackware has updated httpd (multiple vulnerabilities) and php (multiple vulnerabilities).

SUSE has updated firefox, nspr, nss (SLE12; SLES11SP4; SLE11SP3: multiple vulnerabilities) and PHP (SLE11SP3: multiple vulnerabilities).


dgit 1.0 released

Mon, 2015-07-20 08:13
Ian Jackson has announced the availability of dgit 1.0. "dgit allows you to treat the Debian archive as if it were a git repository, and get a git view of any package. If you have the appropriate access rights you can do builds and uploads from git, and other dgit users will see your git history."

Kernel prepatch 4.2-rc3

Mon, 2015-07-20 08:08
The third 4.2 kernel prepatch is out for testing. Linus says: "Normal Sunday release schedule, and a fairly normal rc release. There was some fallout from the x86 FPU cleanups, but that only hit CPUs with the xsaves instruction, and it should be all good now."

Mozilla Winter of Security is back

Sat, 2015-07-18 00:42

At the Mozilla Blog, Julien Vehent announces that Mozilla will be conducting a second round of its "Winter of Security" mentoring program. Aimed at college students, the program allows participants to work on security-related free software for university credit, with guidance provided by Mozilla project members. This year's targeted project list includes some high-profile projects like Let's Encrypt and Mozilla's digital forensics tool MiG. Applications are due August 15.


Friday's security updates

Fri, 2015-07-17 16:53

Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).

Mageia has updated flash-player-plugin (M4, M5: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (O5: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL 5, 6: multiple vulnerabilities), java-1.6.0-sun (RHEL 5, 6, 7: multiple vulnerabilities), java-1.7.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities), and java-1.8.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities).

SUSE has updated flash-player (SLE11; SLE12: multiple vulnerabilities) and php5 (SLE12: multiple vulnerabilities).


Calculating the "truck factor" for GitHub projects

Fri, 2015-07-17 00:03
The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.

Security updates for Thursday

Thu, 2015-07-16 16:52

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities), java-1.8.0-openjdk (C7; C6: many vulnerabilities), and kernel (C6: multiple vulnerabilities, one from 2011).

Debian-LTS has updated python-django (three vulnerabilities).

Fedora has updated cryptopp (F22; F21: information disclosure), drupal7-feeds (F22; F21: three vulnerabilities), rsyslog (F22: denial of service), and springframework (F22; F21: denial of service).

openSUSE has updated bind (13.2; 13.1: three vulnerabilities, one from 2014).

Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified), java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: denial of service).

Scientific Linux has updated java-1.7.0-openjdk (SL5; SL6&7: many vulnerabilities), java-1.8.0-openjdk (SL6&7: many vulnerabilities), and kernel (SL6: multiple vulnerabilities, one from 2011).


Rkt 0.7.0 released

Thu, 2015-07-16 10:30
Version 0.7.0 of the rkt container runtime system is available. "This release includes new subcommands for a rkt image to manipulate images from the local store, a new build system based on autotools and integration with SELinux. These new capabilities improve the user experience, make it easier to build future features and improve security isolation between containers."