Linux Weekly News

Tartalom átvétel is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Frissült: 14 perc 39 másodperc

Rkt 0.8 released

sze, 2015-08-19 21:03

Version 0.8 of the rkt container specification has been released. The changelog notes that this version adds support for running under the LKVM hypervisor and adds experimental support for user namespaces. Other features include improved integration with systemd and additional functional tests. An accompanying blog post goes into further detail for many of these new features.

Kategóriák: Linux

Wednesday's security advisories

sze, 2015-08-19 15:35

CentOS has updated pam (C6; C7: denial of service).

Debian has updated python-django (multiple vulnerabilities).

Debian-LTS has updated wordpress (multiple vulnerabilities).

Fedora has updated audit (F21; F22: unsafe escape-sequence handling), icecast (F21; F22: denial of service), kernel (F21; F22: information leak), openssh (F22: multiple vulnerabilities), rubygem-rack (F22: denial of service), rubygems (F21: DNS hijacking), strongswan (F21; F22: multiple vulnerabilities), and xfsprogs (F21: information leak).

Oracle has updated pam (O6; O7: denial of service).

Red Hat has updated kernel (RHEL6: privilege escalation) and pam (RHEL6, 7: denial of service).

Scientific Linux has updated pam (SL6, 7: denial of service).

Ubuntu has updated python-django (12.04, 14.04, 15.04: multiple vulnerabilities) and openssh (12.04, 14.04, 15.04: upstream regression resulting in denial of service).

Kategóriák: Linux

Ruoho: Multiple Vulnerabilities in Pocket

sze, 2015-08-19 01:48
On his blog, Clint Ruoho reports on multiple vulnerabilities he found in the Pocket service that saves articles and other web content for reading later on a variety of devices. Pocket integration has been controversially added to Firefox recently, which is what drew his attention to the service. "The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache’s mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket’s app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs. These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket’s backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers." He was able to get more information, such as the contents of /etc/passwd on Pocket's Amazon EC2 servers. (Thanks to Scott Bronson and Pete Flugstad.)
Kategóriák: Linux

Security advisories for Tuesday

k, 2015-08-18 20:08

CentOS has updated glibc (C5: code execution from 2013), mysql55-mysql (C5: multiple unspecified vulnerabilities, one from 2014), net-snmp (C7; C6: code execution), sqlite (C6: code execution), sqlite (C7: three vulnerabilities), and subversion (C6: three vulnerabilities).

Debian has updated apache2 (two vulnerabilities), gdk-pixbuf (code execution), and nss (two vulnerabilities).

Debian-LTS has updated libstruts1.2-java (unclear vulnerability from 2014).

Fedora has updated erlang (F22; F21: man-in-the-middle vulnerability), firefox (F22: many vulnerabilities), flac (F21: two vulnerabilities from 2014), gnutls (F21: code execution), golang (F22; F21: HTTP request smuggling), nagios-plugins (F22; F21: three vulnerabilities), qemu (F22: two vulnerabilities), uwsgi (F22; F21: denial of service), and webkitgtk4 (F22: three unspecified vulnerabilities).

Mageia has updated kdepim (M4: no attachment encryption from 2014).

openSUSE has updated subversion (two vulnerabilities) and virtualbox (two vulnerabilities).

Oracle has updated glibc (OL5: code execution from 2013), mysql55-mysql (OL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (OL7; OL6: code execution), sqlite (OL7: three vulnerabilities), sqlite (OL6: code execution), and subversion (OL6: three vulnerabilities).

Red Hat has updated net-snmp (RHEL6&7: code execution).

Scientific Linux has updated glibc (SL5: code execution from 2013), mysql55-mysql (SL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (SL6&7: code execution), sqlite (SL6: code execution), and subversion (SL6: three vulnerabilities).

Ubuntu has updated kernel (12.04: three vulnerabilities), kernel (15.04; 14.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-ti-omap4 (12.04: three vulnerabilities), and net-snmp (two vulnerabilities, one from 2014).

Kategóriák: Linux

[$] Development statistics for the 4.2 kernel

k, 2015-08-18 16:12
As of this writing, the 4.2-rc7 prepatch is out and the final 4.2 kernel looks to be (probably) on-track to be released on August 23. Tradition says that it's time for a look at the development statistics for this cycle. 4.2, in a couple of ways, looks a bit different from recent cycles, with some older patterns reasserting themselves. Click below (subscribers only) for the full article.
Kategóriák: Linux

Schaller: An Open Letter to Apache Foundation and Apache OpenOffice team

k, 2015-08-18 02:22
Christian Schaller has posted an open letter to the Apache Software Foundation with a non-trivial request: "So dear Apache developers, for the sake of open source and free software, please recommend people to go and download LibreOffice, the free office suite that is being actively maintained and developed and which has the best chance of giving them a great experience using free software. OpenOffice is an important part of open source history, but that is also what it is at this point in time."

In this context, it's interesting to note that OpenOffice project chair Jan Iverson recently stepped down, listing resistance to an effort to cooperate with LibreOffice as one of the main reasons. The project currently looks set to name Dennis Hamilton (who is running unopposed) as its new chair.

Kategóriák: Linux

The Open Mainframe Project

k, 2015-08-18 01:31
The Linux Foundation has announced the launch of the Open Mainframe Project. "In just the last few years, demand for mainframe capabilities have drastically increased due to Big Data, mobile processing, cloud computing and virtualization. Linux excels in all these areas, often being recognized as the operating system of the cloud and for advancing the most complex technologies across data, mobile and virtualized environments. Linux on the mainframe today has reached a critical mass such that vendors, users and academia need a neutral forum to work together to advance Linux tools and technologies and increase enterprise innovation."
Kategóriák: Linux

Stable kernels 4.1.6, 3.14.51, and 3.10.87

k, 2015-08-18 00:34
Greg Kroah-Hartman has announced the release of the 4.1.6, 3.14.51, and 3.10.87. As usual, there are important fixes throughout the tree and users of those kernel series should upgrade.
Kategóriák: Linux

Security updates for Monday

h, 2015-08-17 19:17

Arch Linux has updated glibc (denial of service from 2014).

Debian-LTS has updated libidn (information disclosure) and subversion (information disclosure).

Fedora has updated bzr (F22; F21: denial of service from 2013), firefox (F21: multiple vulnerabilities), and flac (F22: two vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities), icecast (denial of service), and libgadu (three vulnerabilities from 2013 and 2014).

openSUSE has updated firefox (13.2; 13.1: multiple vulnerabilities) and flash-player (13.2; 13.1: many vulnerabilities).

Oracle has updated kernel 3.8.13 (OL7; OL6: two remote denial of service flaws), kernel 2.6.39 (OL6; OL5: two remote denial of service flaws), and kernel 2.6.32 (OL6; OL5: two remote denial of service flaws).

Red Hat has updated glibc (RHEL5: code execution from 2013), mysql55-mysql (RHEL5; RHSC2: multiple unspecified vulnerabilities, one from 2014), rh-mysql56-mysql (RHSC2: multiple unspecified vulnerabilities), sqlite (RHEL6: code execution), sqlite (RHEL7: three vulnerabilities), and subversion (RHEL6: three vulnerabilities).

Scientific Linux has updated sqlite (SL7: three vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

Ubuntu has updated openssh (15.04, 14.04, 12.04: two vulnerabilities) and pollinate (15.04, 14.04: certificate update).

Kategóriák: Linux

Kernel prepatch 4.2-rc7

h, 2015-08-17 06:04
Linus has released the 4.2-rc7 prepatch, but he's still not sure about whether it will be the last for this development cycle. "So this may be the last RC, and it might not be. It will depend on whether anything more comes up next week, and how good I feel about things come next Sunday. A part of me is convinced that all the odd 32-bit compat issues etc fallout is finally fixed, but a part of me is still a bit leery."
Kategóriák: Linux

Glibc 2.22 released

szo, 2015-08-15 15:02
Version 2.22 of the GNU C Library is out. The biggest user-visible changes are an update to Unicode 7.0.0 and the addition of a vectorized math library for the x86_64 architecture. Beyond that, of course, there is a pile of bug fixes, a few of which address security-related problems.
Kategóriák: Linux

Stagefright: Mission Accomplished? (Exodus Intelligence)

p, 2015-08-14 23:31
It would seem that reports of the demise of the Stagefright Android vulnerability may be rather premature. Exodus Intelligence is reporting that at least one of the fixes for integer overflow did not actually fully fix the problem, so MPEG4 files can still crash Android and potentially allow code execution. "Around July 31st, Exodus Intelligence security researcher Jordan Gruskovnjak noticed that there seemed to be a severe problem with the proposed patch. As the code was not yet shipped to Android devices, we had no ability to verify this authoritatively. In the following week, hackers converged in Las Vegas for the annual Black Hat conference during which the Stagefright vulnerability received much attention, both during the talk and at the various parties and events. After the festivities concluded and the supposedly patched firmware was released to the public, Jordan proceeded to investigate whether his assumptions regarding its fallibility were well founded. They were."
Kategóriák: Linux

Friday's security advisories

p, 2015-08-14 18:30

Arch Linux has updated freeradius (certificate verification botch) and subversion (two vulnerabilities).

CentOS has updated kernel (C6: two remote denial of service flaws).

Fedora has updated gnutls (F22: denial of service), nbd (F22; F21: denial of service), pcre (F22: code execution), and wordpress (F22; F21: multiple vulnerabilities).

Mageia has updated gdk-pixbuf2.0 (M5: code execution) and owncloud (three vulnerabilities).

openSUSE has updated glibc (13.1: denial of service from 2014) and kernel (13.2: multiple vulnerabilities, some from 2014).

Oracle has updated kernel (OL6: two remote denial of service flaws).

Red Hat has updated kernel (RHEL6: two remote denial of service flaws).

Scientific Linux has updated kernel (SL6: two remote denial of service flaws).

SUSE has updated firefox (SLE11SP4, SP3: information leak).

Kategóriák: Linux

The State of Fedora: 2015 Edition (Fedora Magazine)

cs, 2015-08-13 23:12
Fedora Magazine reports on Fedora project leader Matthew Miller's keynote at Flock, which is the Fedora contributor conference. He outlined the state of the distribution using some graphs and statistics and said "we’re doing very well as a project and it’s thanks to all of you". The use of Internet Relay Chat (IRC) by the project was another topic: "Fedorans do like to work together. Last year there were 1,066 IRC meetings (official meetings, not just being in IRC talking), and 765 IRC meetings in 2015 alone. 'This shows how vibrant we are, but also is buried in IRC. There’s a lot of Fedora activity you don’t see on the Fedora Web site… I want to look at ways to make that more visible,' says Miller. There are efforts to make the activity more visible, says Miller. 'If I want to interact with the project, is somebody there? Yes, but we have millions of dead pages on the wiki… we need to make this more visible.' IRC is 'definitely a measure of engagement' but it’s also a high barrier of entry, says Miller. 'Wow that’s complicated. Wow, that’s still around?' is a common response from new contributors to IRC. The technology, and 'culture' can be confusing."
Kategóriák: Linux

Security updates for Thursday

cs, 2015-08-13 16:30

Debian has updated request-tracker4 (cross-site scripting).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

SUSE has updated firefox (SLE12: information leak), java-1_7_0-ibm (SLE11SP3, SP2: many vulnerabilities), and kernel-rt (SLE11SP3: many vulnerabilities, including some from 2014).

Kategóriák: Linux

[$] Weekly Edition for August 13, 2015

cs, 2015-08-13 03:41
The Weekly Edition for August 13, 2015 is available.
Kategóriák: Linux

[$] Working with xdg-app application bundles

sze, 2015-08-12 22:43

One of the oft-recurring topics at GUADEC 2015 was the xdg-app application-packaging system currently being developed. Xdg-app's lead developer Alexander Larsson gave a presentation on its current status on the first day, and it featured prominently in Christian Hergert's keynote about reaching new developers as well as in Bastien Nocera's talk about hardware enablement. Perhaps the most practical discussion of the subject, however, came in Stephan Bergmann's talk about his recent attempts to bundle LibreOffice into an xdg-app package.

Kategóriák: Linux

Security advisories for Wednesday

sze, 2015-08-12 18:43

Arch Linux has updated firefox (multiple vulnerabilities).

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities).

Debian has updated gnutls28 (denial of service), iceweasel (multiple vulnerabilities), and wordpress (multiple vulnerabilities).

Fedora has updated devscripts (F22; F21: two vulnerabilities), kernel (F22; F21: information leak), pure-ftpd (F22: denial of service), xen (F22; F21: code execution), and xfsprogs (F22: information disclosure from 2012).

Mageia has updated firefox (MG4,5: multiple vulnerabilities), flash-player-plugin (MG4,5: multiple vulnerabilities), and qemu (MG4,5: multiple vulnerabilities).

openSUSE has updated gnutls (13.2, 13.1: denial of service).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.5: use-after-free flaw).

Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities).

SUSE has updated flash-player (SLE12; SLED11SP4,SP3: multiple vulnerabilities).

Ubuntu has updated firefox (15.04, 14.04, 12.04: multiple vulnerabilities) and ubufox (15.04, 14.04, 12.04: multiple vulnerabilities).

Kategóriák: Linux

Docker 1.8 released

sze, 2015-08-12 17:10
The 1.8 release of the Docker container system is out, with a number of new features. "Docker Content Trust is a new feature in Docker Engine 1.8 that makes it possible to verify the publisher of Docker images. When a publisher pushes an image to a remote registry, Docker signs the image with a private key. When you later pull this image, Docker uses the publisher’s public key to verify that the image you are about to run is exactly what the publisher created, has not been tampered with, and is up to date."
Kategóriák: Linux

Thor: another free video codec

k, 2015-08-11 22:04
Cisco, it seems, is unhappy with the patent mess around video codecs, so it has launched a project called "Thor" to make one that can be freely distributed. "The effort is being staffed by some of the world’s most foremost codec experts, including the legendary Gisle Bjøntegaard and Arild Fuldseth, both of whom have been heavy contributors to prior video codecs. We also hired patent lawyers and consultants familiar with this technology area. We created a new codec development process which would allow us to work through the long list of patents in this space, and continually evolve our codec to work around or avoid those patents."
Kategóriák: Linux