Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security updates

Fri, 2014-08-08 14:51

CentOS has updated 389-ds-base (C6, C7: information disclosure) and tomcat (C7: XML parser injection).

Fedora has updated ansible (F19, F20: code execution), bugzilla (F19: information disclosure), chicken (F19, F20: denial of service and possible code execution), dpkg (F19: multiple vulnerabilities), kernel (F19: general-principles update to 3.14.15), krb5 (F19, F20: multiple vulnerabilities), mosquitto (F19, F20: unknown vulnerability), openstack-keystone (F20: privilege escalation), pixman (F20: integer underflow), Samba (F20: remote code execution), trafficserver (F20: mysterious vulnerability), v8 (F20: denial of service), and wireshark (F20: more dissector vulnerabilities).

Mageia has updated drupal (multiple vulnerabilities), apache-mod_wsgi (denial of service), and php (three denial-of-service or "unspecified other impact" vulnerabilities).

Mandriva has updated ocsinventory (cross-site scripting), ipython (code execution), and openssl (multiple vulnerabilities).

openSUSE has updated apache (multiple vulnerabilities, with a mod_security filter bypass fix tossed in as well).

Oracle has updated 389-ds-base (OL6, OL7: information disclosure) and tomcat (OL7: XML parser injection).

Red Hat has updated 389-ds-base (RHEL6-7: information disclosure), java-1.5.0-ibm (RHEL5-6: seven "important" vulnerabilities), java-1.6.0-ibm (RHEL5-6: nine "critical" vulnerabilities), and tomcat (RHEL7: XML parser injection).

Scientific Linux has updated 389-ds-base (SL6: information disclosure).

Ubuntu has updated openssl (multiple vulnerabilities).

Categories: Linux

Google boosting sites that use HTTPS

Thu, 2014-08-07 16:03
Google has announced that it is starting to look favorably on sites that use HTTPS. "We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web."
Categories: Linux

Thursday's security updates

Thu, 2014-08-07 15:21
CentOS has updated php (C5: multiple vulnerabilities) and kernel (C7: multiple vulnerabilities).

Debian has updated OpenSSL (nine CVE numbers).

Mandriva has updated cups (symbolic link vulnerability), glibc (multiple vulnerabilities), mediawiki (JSONP injection, cross-site scripting, and clickjacking vulnerabilities), readline (temporary file vulnerability), and kernel (multiple vulnerabilities).

Oracle has updated php (OL5, OL6, OL7: many vulnerabilities) and kernel (OL7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6: local privilege escalation) and kernel (RHEL7: six vulnerabilities).

SUSE has updated apache (SLES11: multiple vulnerabilities).

Categories: Linux

LWN.net Weekly Edition for August 7, 2014

Thu, 2014-08-07 04:48
The LWN.net Weekly Edition for August 7, 2014 is available.
Categories: Linux

Security advisories for Wednesday

Wed, 2014-08-06 18:50

CentOS has updated php (C7: multiple vulnerabilities), php53 (C6: multiple vulnerabilities), resteasy-base (C7: XML eXternal Entity (XXE) attacks), samba (C7: remote code execution/privilege escalation), and samba4 (C6: remote code execution/privilege escalation).

Debian has updated reportbug (code execution).

Mageia has updated cups (privilege escalation), eet (denial of service), file (denial of service), glibc (multiple vulnerabilities), ipython (code execution), kernel (MG4; MG3: multiple vulnerabilities), mediawiki (multiple vulnerabilities), moodle (multiple vulnerabilities), ocsinventory (cross-site scripting), php-ZendFramework (SQL injection), phpmyadmin (multiple vulnerabilities), polarssl (denial of service), readline (insecure temporary files), and tor (traffic confirmation attack).

Mandriva has updated php (multiple denial of service attacks) and tor (traffic confirmation attack).

Oracle has updated resteasy-base (OL7: XML eXternal Entity (XXE) attacks), samba (OL7: remote code execution/privilege escalation), samba4 (OL6: multiple vulnerabilities), and yum-updatesd (OL5: bypass RPM package signing restriction).

Red Hat has updated php (RHEL7: multiple vulnerabilities), php53 (RHEL5&6: multiple vulnerabilities), resteasy-base (RHEL7: XML eXternal Entity (XXE) attacks), samba (RHEL7: remote code execution/privilege escalation), and samba4 (RHEL6: remote code execution/privilege escalation).

Scientific Linux has updated php53 and php (SL5&6: multiple vulnerabilities) and samba4 (SL6: remote code execution/privilege escalation).

Ubuntu has updated gpgme1.0 (code execution) and eglibc (10.04 LTS: regression in previous update).

Categories: Linux

Qt to be spun off into a separate company

Wed, 2014-08-06 16:26
Digia, the current owner of the Qt toolkit, has announced that Qt will be split off into a separate company that will be able to focus more on commercial licensing. "The importance of Digia’s commercial business for securing the future of Qt cannot be underestimated as it drives Qt’s foundation and everyday operations. A look into the commit statistics shows that around 75% of all code submissions to qt-project.org come from Digia employees. In addition, Digia manages the release process and the CI and testing infrastructure, thus covering more than 85% of the costs of developing Qt."
Categories: Linux

How to think like open source pioneer Michael Tiemann (Opensource.com)

Tue, 2014-08-05 20:09
Opensource.com is running an interview with Michael Tiemann. "Make no mistake: For Tiemann, open source is not simply a business model. It's not just a method of developing software. It isn't an ethic. It's a Platonic form—perhaps something like a force, a tendency. Throughout history, many people have tried to glimpse it, if only for a moment. Tiemann knows he is but one of them: the programmer, the hacker, attempting to articulate, through code, this thing that abides. Failure to recognize the magnitude of what makes open source businesses successful, Tiemann says, is what has led so many to misunderstand them."
Categories: Linux

[$] Reconsidering ffmpeg in Debian

Tue, 2014-08-05 18:46
For better or for worse, forks are a part of the free software landscape. Often a fork will result in a reinvigorated development community and the removal of unneeded roadblocks. But not all forks work out well. What is a distributor to do if, at some point, it concludes that it chose wrongly when it followed a fork of an important project? Going back to the original may not always be an easy thing to do, even if there appears to be a consensus for that move. The presence of security concerns can make such a change even harder to contemplate. The recent discussion on welcoming ffmpeg back into Debian illustrates the potential hazards nicely.
Categories: Linux

Tuesday's security updates

Tue, 2014-08-05 18:03

CentOS has updated yum-updatesd (C5: bypass RPM package signing restriction).

Debian has updated icedove (multiple vulnerabilities).

Red Hat has updated yum-updatesd (RHEL5: bypass RPM package signing restriction).

Scientific Linux has updated yum-updatesd (SL5: bypass RPM package signing restriction).

SUSE has updated openjdk (SLED11 SP3: multiple vulnerabilities).

Ubuntu has updated eglibc (multiple vulnerabilities).

Categories: Linux

CyanogenMod 11.0 M9 Released

Mon, 2014-08-04 21:54
CyanogenMod 11.0 M9 has been released. "This release marks the first ever (non-nightly) release for the Xperia Z2 ‘sirius’, Xperia Z2 Tablets ‘castor’ and the HTC One ‘m8’ – kudos to their maintainers and all the other maintainers that bring you these releases every month!"
Categories: Linux

Security advisories for Monday

Mon, 2014-08-04 17:59

Debian has updated lzo2 (code execution).

Fedora has updated exim (F19; F20: code execution).

Gentoo has updated ZendFramework (SQL injection).

Mageia has updated gcc (code execution).

Slackware has updated dhcpcd (denial of service) and samba (remote code execution/privilege escalation).

SUSE has updated firefox (multiple vulnerabilities).

Ubuntu has updated samba (14.04 LTS: remote code execution/privilege escalation).

Categories: Linux

Mozilla leaks developers' email addresses, password hashes

Mon, 2014-08-04 14:18
Mozilla has just disclosed a problem with its Mozilla Developer Network database sanitization system. "The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server."
Categories: Linux

The 3.16 kernel has been released

Mon, 2014-08-04 03:54
Linus has released the 3.16 kernel, right on schedule. This release includes the unified control group hierarchy work, many improvements to the multiqueue block layer, and, as always, lots of new drivers and internal improvements.
Categories: Linux

XBMC Is Getting a New Name – Introducing Kodi 14

Fri, 2014-08-01 22:24
The XBMC media center will be renamed Kodi. "Six years have passed since the Xbox Media Center became XBMC, and simply put, “XBMC” fits less now than it did even in 2008. The software only barely runs on the original Xbox, and then only because some clever developers are still hacking on that platform. It has never run on the Xbox 360 or Xbox One." Trademarks were another reason for the name change. The project was unable to trademark XBMC, leading to issues with hacked and broken implementations of the software being sold as "XBMC". Kodi is now a registered trademark of the XBMC Foundation.
Categories: Linux

Samba 4.1.11 and 4.0.21 Security Releases Available

Fri, 2014-08-01 19:03
The Samba Team has put out an important-looking set of releases. "All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite the heap of the target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser (root)."
Categories: Linux

Security advisories for Friday

Fri, 2014-08-01 18:25

CentOS has updated kernel (C6: multiple vulnerabilities).

Fedora has updated bugzilla (F20: cross-site request forgery), kernel (F20: multiple vulnerabilities), openstack-neutron (F20: denial of service), and sdcc (F20; F19: remote denial of service).

openSUSE has updated kernel (12.3: multiple vulnerabilities).

SUSE has updated lzo (SLES11&10: denial of service/possible code execution).

Categories: Linux

Stable kernel updates

Fri, 2014-08-01 01:10
Stable kernels 3.15.8, 3.14.15, 3.10.51, and 3.4.101 have been released. All contain important fixes.
Categories: Linux

This thumbdrive hacks computers. (Ars Technica)

Thu, 2014-07-31 20:53
Ars Technica takes a look at an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms. "Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices."
Categories: Linux

Thursday's security updates

Thu, 2014-07-31 18:43

Debian has updated nss (multiple vulnerabilities) and tor (traffic confirmation attack).

Fedora has updated cups (F20: privilege escalation).

Mandriva has updated dbus (BS1.0: two denial of service flaws), file (BS1.0: denial of service), live (BS1.0: code execution), php-ZendFramework (BS1.0: SQL injection), and sendmail (BS1.0: denial of service).

openSUSE has updated apache2-mod_wsgi (13.1: off-by-one error), firefox (13.1, 12.3: multiple vulnerabilities), gpg2 (11.4: denial of service), memcached (11.4: multiple vulnerabilities), Mozilla (11.4: multiple vulnerabilities), ntp (13.1, 12.3: denial of service), php5 (13.1, 12.3: multiple vulnerabilities), ppc64-diag (13.1; 12.3: two vulnerabilities), pulseaudio (13.1, 12.3: denial of service), samba (11.4: two vulnerabilities), php5 (11.4: code execution), and xalan-j2 (11.4: information disclosure/code execution).

Red Hat has updated openstack-keystone (RHELOS3&4: privilege escalation).

Ubuntu has updated kde4libs (14.04 LTS, 12.04 LTS: ), tomcat6, tomcat7 (14.04 LTS, 12.04 LTS, 10.04 LTS: multiple vulnerabilities), and unity (14.04 LTS: command execution).

Categories: Linux

[$] LWN.net Weekly Edition for July 31, 2014

Thu, 2014-07-31 02:54
The LWN.net Weekly Edition for July 31, 2014 is available.
Categories: Linux