Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Debian has updated spice (two vulnerabilities).
openSUSE has updated clamav-database (Leap42.1: database refresh).
Red Hat has updated glibc (RHEL6.5: sends DNS queries to random file descriptors), jenkins (RHOSE3.2: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).
SUSE has updated expat (SLE12-SP1: code execution).
Open Build Service 2.7 has been released. "Three large features around the topic of integrating external resources made it into this release. We worked on automatic tracking of moving repositories of development versions like Fedora Rawhide, distribution updates or rolling Linux releases like Arch. A change to the OBS git integration to enable developers to work on continuous builds. And last but not least an experimental KIWI import that can be used to easily migrate your images from SUSE studio."
Debian-LTS has updated libxml2 (multiple vulnerabilities).
Fedora has updated php (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), roundcubemail (F23; F22: cross-site scripting), sudo (F23: information leak), and xen (F23: multiple vulnerabilities).
Slackware has updated ntp (multiple vulnerabilities).
SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).
The second 4.7 prepatch is now available for testing. Linus says: "There's a late non-fix I took even though the merge window is over, because I've been wanting it for a while. I doubt anybody notices the actual effects of a pty change/cleanup that means that our old disgusting DEVPTS_MULTIPLE_INSTANCES kernel config option is gone, because the cleanup means that it is no longer needed." For details on this change, see this article from last week's Kernel Page.
At his blog, Gunnar Wolf urges developers to stop using "short" (eight-hex-digit, 32-bit) PGP key IDs as soon as possible. The advice was prompted by Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild. The possibility of short-ID collisions has been known for a while (32 bits is far too little to identify a key uniquely), but actually encountering one is still disconcerting. "Those three keys are not (yet?) uploaded to the keyservers, though... But we can expect them to appear at any point in the future. We don't know who is behind this, or what his purpose is. We just know this looks very evil."
Wolf goes on to note that short IDs are not merely human-readable conveniences; some software actually uses them to identify PGP keys, so a colliding key can be selected in place of the intended one. To mitigate the risk, he recommends configuring GnuPG never to show short IDs, ensuring that other programs do not consume them, and to "only sign somebody else's key if you see and verify its full fingerprint. [...] And there are surely many other important recommendations. But this is a good set of points to start with."
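To make the collision concrete, here is an added example (not code from Wolf's post, from Enrico Zini or from GnuPG) that derives the short and long key IDs from a v4 fingerprint the way OpenPGP defines them (the low-order 32 and 64 bits of the 160-bit fingerprint), flags short-ID collisions in a list of fingerprints, and shows what "verify the full fingerprint" means as a comparison. All fingerprints in the block are constructed for illustration.

```python
"""Derive OpenPGP v4 key IDs from fingerprints and flag short-ID collisions.

Added example; not code from Gunnar Wolf's post, Enrico Zini or GnuPG. The
fingerprints below are constructed: two of them share their last eight hex
digits (the "short" ID) while the full 160-bit fingerprints differ, which is
exactly the ambiguity a consumer of short IDs cannot detect.
"""
import re
from collections import defaultdict

V4_FPR = re.compile(r"^[0-9A-F]{40}$")


def normalize(fpr: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case, and insist on a
    40-hex-digit v4 fingerprint; anything shorter is an ID, not a fingerprint."""
    f = fpr.replace(" ", "").upper()
    if f.startswith("0X"):
        f = f[2:]
    if not V4_FPR.match(f):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return f


def long_id(fpr: str) -> str:
    """RFC 4880 v4 key ID: the low-order 64 bits (last 16 hex digits)."""
    return normalize(fpr)[-16:]


def short_id(fpr: str) -> str:
    """The 32-bit 'short' ID many tools print: the low-order 32 bits."""
    return normalize(fpr)[-8:]


def find_collisions(fprs):
    """Map each short ID to the distinct fingerprints that produce it, keeping
    only IDs claimed by more than one key."""
    by_short = defaultdict(set)
    for f in fprs:
        by_short[short_id(f)].add(normalize(f))
    return {sid: sorted(keys) for sid, keys in by_short.items() if len(keys) > 1}


def matches_fingerprint(shown: str, expected: str) -> bool:
    """What 'verify the full fingerprint' means in code: compare all 40 digits,
    not a suffix. Returns False (never raises) when handed a bare key ID."""
    try:
        return normalize(shown) == normalize(expected)
    except ValueError:
        return False


# Constructed sample keyring: KEY_C collides with KEY_A on the short ID only.
KEY_A = "0123456789ABCDEF0123456789ABCDEF01234567"
KEY_B = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
KEY_C = "1111222233334444555566667777888801234567"
KEY_A_AS_SHOWN = "0123 4567 89ab cdef 0123  4567 89ab cdef 0123 4567"  # gpg display style

if __name__ == "__main__":
    for sid, keys in find_collisions([KEY_A, KEY_B, KEY_C, KEY_A_AS_SHOWN]).items():
        print(f"short ID {sid} is claimed by {len(keys)} keys:")
        for k in keys:
            print(f"  {k}  (long ID {long_id(k)})")
```

The long IDs of the two colliding keys differ, so `keyid-format 0xlong` in gpg.conf (together with `with-fingerprint`) is enough to make GnuPG's own output unambiguous for this case; it does nothing for other programs that still parse short IDs, which is Wolf's second recommendation.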
Debian has updated libxml2 (multiple vulnerabilities).
Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), libgd (M5: multiple vulnerabilities), nginx (M5: denial of service), pgpdump (M5: buffer overrun), and php (M5: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Ubuntu has updated nginx (14.04, 15.10, 16.04: denial of service).
The LWN.net Weekly Edition for June 3, 2016 is available.
At OSCON 2016 in Austin, a panel of invited experts debated the always-thorny subject of how open-source software projects deal with patents. The panel was packed, featuring representatives from the free-software world, commerce, and the legal community, so there was scarcely time to get through the prepared topics, much less to take questions from the audience. But the discussion was able to highlight a number of current issues, including patent abolition, implicit patent licenses, and where the open-source community should focus its efforts to improve matters.
Debian has updated nginx (denial of service).
Fedora has updated compat-nettle27 (F23: improper cryptographic calculations), dosfstools (F22: two vulnerabilities), gd (F23: two vulnerabilities), kernel (F23; F22: multiple vulnerabilities), libimobiledevice (F22: sockets listening on INADDR_ANY), libusbmuxd (F22: sockets listening on INADDR_ANY), and phpMyAdmin (F23: three vulnerabilities).
Ubuntu has updated imagemagick (multiple vulnerabilities).
PostgreSQL's annual developer conference, PGCon, took place in May, which made it a good place to get a look at the new PostgreSQL features coming in version 9.6. The first 9.6 beta was released just the week before, and several contributors demonstrated key changes at the conference in Ottawa. For many users, this was the first chance to see the finished versions of features that had been under development for months or years.
For those who have been wondering about the exodus from ownCloud, the announcement of a company called "Nextcloud" should make things clear. "Started by the well known open source file sync and share developer Frank Karlitschek and joined by the most active contributors to his previous project, building on its mature code base, we offer a more reliable and sustainable solution for users and customers. We will develop a drop-in replacement for that legacy code base over the coming weeks, providing the bug fixes and security hardening all users need and the Enterprise Subscription capabilities enterprise customers require." See also this blog post from Jos Poortvliet.
There is no doubt that the addition of container technologies to Linux has created a lot of value, allowing workloads to be effectively and efficiently isolated from each other. Implementing these technologies presents a number of challenges, particularly as much of Linux and Unix was designed around singletons: objects of which there could never be more than one, such as the host name, the network routing table, or the process-ID space. Containers require this design approach to be revised, as they need multiple instances of these objects. A singleton that has been causing problems recently is the set of pseudo terminals (ptys).
Click below (subscribers only) for the full article from Neil Brown.
This white paper by Jesse Hertz [PDF] examines various ways to compromise and escape from containers on Linux systems. "A common configuration for companies offering PaaS solutions built on containers is to have multiple customers' containers running on the same physical host. By default, both LXC and Docker setup container networking so that all containers share the same Linux virtual bridge. These containers will be able to communicate with each other. Even if this direct network access is disabled (using the --icc=false flag for Docker, or using iptables rules for LXC), containers aren't restricted for link-layer traffic. In particular, it is possible (and in fact quite easy) to conduct an ARP spoofing attack on another container within the same host system, allowing full middle-person attacks of the targeted container's traffic."
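The point Hertz makes is that `--icc=false` filters at the IP layer (iptables) while the attack lives a layer below it. As an added example (not code from the paper, Docker or LXC), the following block parses raw Ethernet/ARP frames as a sniffer bound to the shared bridge would see them and alerts when an IP's MAC binding changes, or when the Ethernet source address disagrees with the ARP sender field. The container addresses, MACs and frames are all constructed sample data; the pinned-table option assumes the operator can export the intended IP-to-MAC mapping from the container runtime.

```python
"""Detect ARP spoofing between containers sharing a Linux bridge.

Added example; not code from Jesse Hertz's paper, Docker or LXC. It parses
raw Ethernet/ARP frames as a sniffer bound to the bridge (docker0, lxcbr0)
would receive them and alerts when an IP's MAC binding changes or when the
Ethernet source differs from the ARP sender address. All addresses below
are constructed sample data.
"""
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Arp:
    eth_src: str
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Return an Arp record for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP; ignore rather than guess
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return Arp(_mac(frame[6:12]), oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(oper, src_mac, src_ip, dst_mac, dst_ip, eth_src=None):
    """Frame builder used only to construct the sample traffic below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    eth_dst = BROADCAST if oper == ARP_REQUEST else dst_mac
    eth = mac(eth_dst) + mac(eth_src or src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip)


class ArpMonitor:
    """Learn IP->MAC bindings (or start from a pinned table exported from the
    runtime's address assignments) and report every change as a possible spoof."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})
        self.alerts = []

    def observe(self, frame: bytes):
        """Feed one frame; return the list of alerts it raised (usually empty)."""
        before = len(self.alerts)
        arp = parse_arp(frame)
        if arp is None or arp.sender_ip == "0.0.0.0":
            return []  # not ARP, or an address probe that carries no binding
        if arp.eth_src != arp.sender_mac:
            self.alerts.append(("eth/arp sender mismatch", arp.sender_ip, arp.eth_src, arp.sender_mac))
        known = self.table.get(arp.sender_ip)
        if known is None:
            self.table[arp.sender_ip] = arp.sender_mac
        elif known != arp.sender_mac:
            self.alerts.append(("binding changed", arp.sender_ip, known, arp.sender_mac))
        return self.alerts[before:]


GW_MAC, A_MAC, B_MAC = "02:42:ac:11:00:01", "02:42:ac:11:00:02", "02:42:ac:11:00:03"


def sample_traffic():
    """Constructed: A resolves the gateway, the gateway answers, then B replies
    for the gateway's IP with its own MAC (cache poisoning of A)."""
    return [
        build_arp(ARP_REQUEST, A_MAC, "172.17.0.2", "00:00:00:00:00:00", "172.17.0.1"),
        build_arp(ARP_REPLY, GW_MAC, "172.17.0.1", A_MAC, "172.17.0.2"),
        build_arp(ARP_REPLY, B_MAC, "172.17.0.1", A_MAC, "172.17.0.2"),
    ]


def run(frames, pinned=None):
    mon = ArpMonitor(pinned)
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for alert in run(sample_traffic()):
        print(*alert)
```

Learning the first binding seen is only as good as the first frame, so a tenant that poisons before the gateway ever answers goes unnoticed; pinning the table from the runtime's own address assignments closes that gap. Detection is a stopgap in any case: the durable fix is not sharing one bridge between tenants at all.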
Greg KH has released stable kernels 4.6.1, 4.5.6, 4.4.12, and 3.14.71. All of them contain important fixes.
The Open Source Initiative (OSI) has announced the Open Source License API, to "allow third parties to become license-aware, and give organizations the ability to clearly determine if a license is, in fact, an Open Source license, from the authoritative source regarding Open Source licenses, the OSI."
CoreOS has announced a new project called Torus which is creating a distributed storage system for containers. "At its core, Torus is a library with an interface that appears as a traditional file, allowing for storage manipulation through well-understood basic file operations. Coordinated and checkpointed through etcd’s consensus process, this distributed file can be exposed to user applications in multiple ways. Today, Torus supports exposing this file as block-oriented storage via a Network Block Device (NBD). We also expect that in the future other storage systems, such as object storage, will be built on top of Torus as collections of these distributed files, coordinated by etcd." The project is quite young, and the current release is a "prototype version."
openSUSE has updated dosfstools (Leap42.1, 13.2: two vulnerabilities), gdk-pixbuf (Leap42.1: three vulnerabilities), libarchive (13.2: code execution), openssh (Leap42.1: three vulnerabilities), p7zip (13.2: code execution), putty (Leap42.1, 13.2: code execution), and virtualbox (Leap42.1; 13.2: unspecified).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Scientific Linux has updated openssl (SL5: code execution).
The Tor Browser Team has announced the release of Tor Browser 6.0. This release brings the browser up to date with Firefox 45 ESR, which provides better support for HTML5 video on YouTube, as well as a host of other improvements. DuckDuckGo is now the default search engine. "Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has had no access to the Google search results we used in Tor Browser. Disconnect, being more of a meta search engine which allows users to choose between different search providers, fell back to delivering Bing search results, which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation we asked them to change the fallback to DuckDuckGo as their search results are strictly better than the ones Bing delivers."
Arch Linux has updated chromium (multiple vulnerabilities).
Debian-LTS has updated eglibc (multiple vulnerabilities), libtasn1-3 (denial of service), openafs (multiple vulnerabilities), pdns (insecure database permissions), phpmyadmin (regression in previous update), postgresql-9.1 (multiple vulnerabilities), ruby-activerecord-3.2 (restriction bypass), and wireshark (multiple vulnerabilities).
Fedora has updated bugzilla (F23; F22: cross-site scripting), kf5-kinit (F23: insecure permissions), libarchive (F22: code execution), libimobiledevice (F23: sockets listening on INADDR_ANY), libusbmuxd (F23: sockets listening on INADDR_ANY), php (F23: two vulnerabilities), qemu (F23: multiple vulnerabilities), webkitgtk4 (F23: two vulnerabilities), and xen (F23; F22: privilege escalation).
openSUSE has updated Chromium (SPH for SLE12; Leap42.1: multiple vulnerabilities), expat (13.2: two vulnerabilities), libxml2 (13.2: two vulnerabilities), libxslt (13.2: denial of service), phpMyAdmin (Leap42.1, 13.2: cross-site scripting), redis (Leap42.1, 13.2: denial of service), and samba (13.2: man-in-the-middle attack).
Red Hat has updated ntp (RHEL6,7: multiple vulnerabilities), openssl (RHEL5: code execution), python27 (RHSCL2.2: multiple vulnerabilities), squid (RHEL7; RHEL6: multiple vulnerabilities), and squid34 (RHEL6: multiple vulnerabilities).
SUSE has updated Xen (SLES10-SP4: multiple vulnerabilities).
Qubes founder Joanna Rutkowska writes about how Qubes works to avoid building compromised software into its distribution. "Ultimately, we would like to introduce a multiple-signature scheme, in which several developers (from different countries, social circles, etc.) can sign Qubes-produced binaries and ISOs. Then, an adversary would have to compromise all the build locations in order to get backdoored versions signed. For this to happen, we need to make the build process deterministic (i.e. reproducible). Yet, this task still seems to be years ahead of us."