Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] Kernel building with GCC plugins

Tue, 2016-06-14 23:44
It has long been understood that static-analysis tools can be useful in finding (and defending against) bugs and security problems in code. One of the best places to implement such tools is in the compiler itself, since much of the work required to analyze a program is already done in the compilation process. Despite the fact that GCC has had the ability to support security-oriented plugins for some years, the mainline kernel has never adopted any such plugins. That situation looks likely to change with the 4.8 kernel release, though.
Categories: Linux

Ubuntu’s snap apps are coming to distros everywhere (Ars Technica)

Tue, 2016-06-14 20:56
Ars Technica reports that Ubuntu's snapd tool has been ported to other Linux distributions. "To install snap packages on non-Ubuntu distributions, Linux desktop and server users will have to first install the newly cross-platform snapd. This daemon verifies the integrity of snap packages, confines them into their own restricted space, and acts as a launcher. Instructions for creating snaps and installing snapd on a variety of distributions are available at this website. Snapd itself is installed as traditional packages on these other operating systems. That means there's a snapd RPM package for Fedora, for example. It's the same snapd code for every Linux distribution, just packaged differently, and applications packaged as snaps should work on any Linux distro running snapd without needing to be re-packaged." Snapd is available for Arch, Debian, and Fedora. It's also being tested by CentOS, Elementary, Gentoo, Mint, openSUSE, OpenWrt and RHEL.
Categories: Linux

Security updates for Tuesday

Tue, 2016-06-14 17:48

Debian has updated icedove (code execution).

Debian-LTS has updated libav (code execution).

openSUSE has updated libtasn1 (13.2: two denial of service vulnerabilities) and nodejs (Leap42.1, 13.2: multiple vulnerabilities).

Oracle has updated kernel 4.1.12 (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), kernel 2.6.39 (OL6; OL5: privilege escalation).

Red Hat has updated kernel (RHEL6.5: two remote denial of service vulnerabilities).

SUSE has updated ImageMagick (SLE12-SP1: command execution) and ntp (SLE12-SP1; SLE12: multiple vulnerabilities).

Categories: Linux

Git v2.9.0 released

Tue, 2016-06-14 15:03
Version 2.9.0 of the Git source-code management system is out. There are various improvements and small changes that maintainers of scripts using Git will want to look at, but no major changes.
Categories: Linux

Lortie: Gtk 4.0 is not Gtk 4

Tue, 2016-06-14 01:11
Allison Lortie writes about a new proposed GTK release scheme that may take some getting used to. "Meanwhile, Gtk 4.0 will not be the final stable API of what we would call 'Gtk 4'. Each 6 months, the new release (Gtk 4.2, Gtk 4.4, Gtk 4.6) will break API and ABI vs. the release that came before it. These incompatible minor versions will not be fully parallel installable; they will use the same pkg-config name and the same header file directory. We will, of course, bump the soname with each new incompatible release — you will be able to run Gtk 4.0 apps alongside Gtk 4.2 and 4.4 apps, but you won’t be able to build them on the same system. This policy fits the model of how most distributions think about libraries and their 'development packages'." Only the last release in each major number series (expected every two years) would have a stable API. Read the whole thing to fully understand what is being proposed.
Categories: Linux

Let's Encrypt Email Address Disclosures

Mon, 2016-06-13 22:08
Let's Encrypt has a preliminary report about an email address disclosure. "On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients. The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones." A postmortem is underway. (Thanks to Paul Wise)

Update: postmortem results have been added to the incident report. "A small piece of software had been written to handle one-off mass emailing to our subscribers. It was being used for the first time when this incident occurred. The software went through code review and testing as it was being developed, but testing was insufficient. It did not catch a bug which prepended the email addresses of prior recipients to the body of emails. Insufficient testing is considered to be the root cause of this incident."

Categories: Linux

Security advisories for Monday

Mon, 2016-06-13 19:45

Arch Linux has updated expat (two vulnerabilities) and lib32-expat (two vulnerabilities).

Debian-LTS has updated libtorrent-rasterbar (denial of service), libxslt (three vulnerabilities), mantis (cross-site scripting), and nspr (buffer overflow).

Fedora has updated xen (F22: multiple vulnerabilities).

Mageia has updated kernel (multiple vulnerabilities), libjpeg (memory leak), openslp (denial of service), vlc/mad (code execution), and wireshark (multiple vulnerabilities).

openSUSE has updated firefox, nss (Leap42.1, 13.2; 13.1: multiple vulnerabilities), opera (Leap42.1: multiple vulnerabilities), php5 (13.2: multiple vulnerabilities), phpMyAdmin (13.1: three vulnerabilities), and proftpd (13.1: weak key usage).

SUSE has updated qemu (SLE12: multiple vulnerabilities).

Categories: Linux

Mourning Hans-Jürgen Koch

Sun, 2016-06-12 19:55
Thomas Gleixner wrote the following to us: The Linux Kernel community is mourning the passing of Hans-Jürgen Koch. Hans was a free-software enthusiast and an active contributor. He worked on Radio Data System support both in kernel and user space and was the main author and maintainer of the UIO subsystem and contributed in various ways to the Linux kernel as a professional and hobbyist. He authored a UIO book, gave countless talks at various open-source conferences, and served as a member of the Linuxtag program committee.

His calm and modest nature made it a pleasure to work with him. Meeting him in person was always an enjoyable experience. His interests spanned a broad range from literature, music and history to politics and engagement for the German branch of Friends of the Earth. His wicked sense of humor along with his always ready to be told bag of anecdotes enlivened quite some social events.

He will be sorely missed and our thoughts are with his family and friends.

Categories: Linux

Kernel prepatch 4.7-rc3

Sun, 2016-06-12 19:37
The third 4.7 prepatch is out for testing. Linus says: "The diffstat looks fairly normal and innocuous. There's more of a filesystem component to it than usual, but that's mostly some added new btrfs tests, and if you ignore that part it's all the normal stuff: drivers dominate (gpu and networking drivers are the bulk, but there's i2c, rdma, ...) with some arch updates, and general networking code. And the usual random stuff all over."
Categories: Linux

Grover: Why Rust for Low-level Linux programming?

Fri, 2016-06-10 22:29
On his blog, Andy Grover makes a case for using the Rust language for new projects instead of C or Python. "Second, there are people like me, people working in C and Python on Linux systems-level stuff — the “plumbing”, who are frustrated with low productivity. C and Python have diametrically-opposed advantages and disadvantages. C is fast to run but slow to write, and hard to write securely. Python is more productive but too slow and RAM-hungry for something running all the time, on every system. We must deal with getting C components to talk to Python components all the time, and it isn’t fun. Rust is the first language that gives a system programmer performance and productivity. These people might see Rust as a chance to increase security, to increase their own productivity, to never have to touch libtool/autoconf ever again, and to solve the C/Python dilemma with a one language solution."
Categories: Linux

Help Make Open Source Secure (The Mozilla Blog)

Fri, 2016-06-10 20:34
On The Mozilla blog, Chris Riley announces the "Secure Open Source" (SOS) fund to provide money to help with the security of open-source software. "The SOS Fund will provide security auditing, remediation, and verification for key open source software projects. The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs. But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the Internet. Security is a process. To have substantial and lasting benefit, we need to invest in education, best practices, and a host of other areas. Yet we hope that this fund will provide needed short-term benefits and industry momentum to help strengthen open source projects." SOS sounds similar in scope to the Core Infrastructure Initiative (CII) set up by the Linux Foundation.
Categories: Linux

Security advisories for Friday

Fri, 2016-06-10 16:48

Arch Linux has updated gnutls (arbitrary file overwrite), haproxy (denial of service), and lib32-gnutls (arbitrary file overwrite).

Debian has updated firefox-esr (multiple vulnerabilities) and p7zip (code execution).

Debian-LTS has updated p7zip (code execution) and samba (regression in previous security fix).

Fedora has updated docker (F23: privilege escalation) and firefox (F22: multiple vulnerabilities).

SUSE has updated bind (two vulnerabilities) and libxml2 (SLE12: multiple vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities), kernel (16.04; 15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04; 15.10: multiple vulnerabilities), linux-snapdragon (16.04: code execution), linux-ti-omap4 (12.04: multiple vulnerabilities), and squid3 (multiple vulnerabilities).

Categories: Linux

KDE neon User Edition 5.6 Available now (KDE.News)

Fri, 2016-06-10 00:50
The first version of KDE neon, which is a distribution based on Ubuntu 16.04 that is meant to be a stable platform on which to try the latest Plasma desktop, has been released. "KDE neon User Edition 5.6 is based on the latest version of Plasma 5.6 and intends to showcase the latest KDE technology on a stable foundation. It is a continuously updated installable image that can be used not just for exploration and testing but as the main operating system for people enthusiastic about the latest desktop software. It comes with a slim selection of apps, assuming the user's capacity to install her own applications after installation, to avoid cruft and meaningless weight to the ISO. The KDE neon team will now start adding all of KDE's applications to the neon archive. Since the announcement of the project four months ago the team has been working on rolling out our infrastructure, using current best-practice devops technologies. A continuous integration Jenkins system scans the download servers for new releases and automatically fires up computers with Docker instances to build packages. We work in the open and as a KDE project any KDE developer has access to our packaging Git repository and can make fixes, improvements and inspect our work."
Categories: Linux

Thursday's security updates

Thu, 2016-06-09 18:36

Fedora has updated firefox (F23: multiple vulnerabilities), gnutls (F23: arbitrary file overwrite), and kernel (F23: denial of service).

Mageia has updated firefox (multiple vulnerabilities).

openSUSE has updated ImageMagick (13.2: command execution).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated firefox (multiple vulnerabilities).

Scientific Linux has updated file (SL6: multiple vulnerabilities from 2014), icedtea-web (SL6: two vulnerabilities), ntp (SL6: multiple vulnerabilities, one from 2014), openssh (SL6: multiple vulnerabilities), openssl (SL6: multiple vulnerabilities), qemu-kvm (SL6: code execution), and thunderbird (SL6: two vulnerabilities).

Categories: Linux

Tschacher: Typosquatting programming language package managers

Thu, 2016-06-09 15:32
Nikolai Tschacher demonstrates how easy it is to run arbitrary code by way of "typosquatting" uploads to programming language download sites. "Because everybody can upload any package on PyPi, it is possible to create packages which are typo versions of popular packages that are prone to be mistyped. And if somebody unintentionally installs such a package, the next question comes intuitively: Is it possible to run arbitrary code and take over the computer during the installation process of a package?" He tried an experiment and was able to run a little program that phoned home from thousands of systems.
Categories: Linux

[$] LWN.net Weekly Edition for June 9, 2016

Thu, 2016-06-09 02:52
The LWN.net Weekly Edition for June 9, 2016 is available.
Categories: Linux

Maru OS now freely available

Thu, 2016-06-09 01:33
The Maru OS handset distribution (reviewed here in April) has moved out of the beta-test period and is now freely downloadable without an invitation. Maru functions as both an Android handset and an Ubuntu desktop (when connected to an external monitor). For now, it remains limited to Nexus 5 handsets. "Now that the beta program is over, I’m finally turning my attention to the open-source project so we can expand device support with the help of the community. Let’s get Maru in the hands of a lot more people!"
Categories: Linux

Stable kernel updates

Wed, 2016-06-08 19:05
Greg Kroah-Hartman has released stable kernels 4.6.2, 4.5.7, 4.4.13, and 3.14.72. This is the last 4.5.y stable kernel release. Users of the 4.5 kernel series should upgrade to the 4.6 kernel series.
Categories: Linux

Security advisories for Wednesday

Wed, 2016-06-08 18:39

Arch Linux has updated firefox (multiple vulnerabilities), qemu (multiple vulnerabilities), qemu-arch-extra (multiple vulnerabilities), and subversion (two vulnerabilities).

CentOS has updated spice (C7: two vulnerabilities) and spice-server (C6: two vulnerabilities).

Debian has updated expat (two vulnerabilities) and vlc (code execution).

Debian-LTS has updated expat (two vulnerabilities), libpdfbox-java (XML External Entity attacks), and libxstream-java (XML External Entity attacks).

Fedora has updated openslp (F23; F22: denial of service).

Mageia has updated chromium-browser-stable/libpng (multiple vulnerabilities), libxslt (two vulnerabilities), and ntp (multiple vulnerabilities).

openSUSE has updated expat (Leap42.1: code execution), gd (13.2: information leak), glibc (13.2: multiple vulnerabilities), GraphicsMagick (Leap42.1; 13.2: command execution), libimobiledevice, libusbmuxd (Leap42.1, 13.2: sockets listening on INADDR_ANY), libksba (Leap42.1: denial of service), and php5 (Leap42.1: multiple vulnerabilities).

SUSE has updated expat (SLE11-SP4: code execution).

Categories: Linux

The Qt Automotive Suite launches

Wed, 2016-06-08 16:02
The Qt Blog announces the launch of the Qt Automotive Suite. "With cumulative experience from over 20 automotive projects it was noted how Qt is really well suited to the needs of building IVIs and Instrument Clusters, that there were already millions of vehicles on the road with Qt inside, and that there were a lot of ongoing projects. There was though a feeling that things could be even better, that there were still a few things holding back the industry, contributing to the sense that shipped IVI systems could be built faster, cheaper and with a higher quality."
Categories: Linux