Linux Weekly News

Tartalom átvétel is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Frissült: 16 perc 7 másodperc

Security advisories for Monday

h, 2014-10-13 17:25

CentOS has updated krb5 (C5: code execution).

Fedora has updated check-mk (F20; F19: code execution and more), cscope (F19: insecure snapshots), ctags (F20: denial of service), golang (F20; F19: forged certificate ownership), kdelibs (F19: authorization bypass), lzo (F19: code execution), mantis (F20; F19: null byte poisoning), mksh (F20; F19: multiple issues), nginx (F20; F19: virtual host confusion attacks), nss (F19: signature forgery), nss-softokn (F19: signature forgery), nss-util (F19: signature forgery), openstack-neutron (F20: denial of service), phpMyAdmin (F19: cross-site scripting), rubygem-bundler (F20; F19: installs malicious gem files), seamonkey (F20; F19: multiple vulnerabilities), and xen (F20; F19: multiple vulnerabilities).

Gentoo has updated locale-maketext (multiple vulnerabilities).

Kategóriák: Linux

The Linux Foundation announces Dronecode

h, 2014-10-13 14:32
The Linux Foundation has announced a new project, called Dronecode, that is concerned with free systems to drive autonomous vehicles — drones, in other words. There is a lot of code already in place, it seems. "Today more than 1,200 developers are working on Dronecode projects with more than 150 code commits a day on some projects." Andrew "Tridge" Tridgell is the chair of the project's steering committee.
Kategóriák: Linux

Fedora governance proposal approved

p, 2014-10-10 18:33
The Fedora Board has approved (via a unanimous vote) the proposal for a new governance structure for the project based around a new Council. "The current Board will continue to perform its duties while it oversees an orderly transition. The Board will work with FESCo and FAmSCo to determine the Engineering and Outreach representatives for the new Council and will hold elections in the near future to determine the initial two Elected representatives. Once those four Council members are determined they will join the Fedora Project Leader and the Fedora Program Manager to form the initial Council. At that point the Council will take over the governance and leadership responsibilities for the Fedora Project." See this page for details of how the new structure will work.
Kategóriák: Linux

Friday's security updates

p, 2014-10-10 16:12

Mageia has updates chromium-browser-stable (multiple vulnerabilities).

Red Hat has updated nss (RSA certificate forging).

Ubuntu has updated rsyslog (10.04, 12.04, 14.04: denial of service).

Kategóriák: Linux

New stable kernels

p, 2014-10-10 01:14

Greg Kroah-Hartman has released a new batch of stable kernels: 3.16.5, 3.14.21, and 3.10.57. Each incorporates multiple important updates and fixes.

Kategóriák: Linux

GNOME on Wayland in Fedora 21 (Fedora Magazine)

cs, 2014-10-09 18:07
Here's a Fedora Magazine article on how Wayland works (or doesn't) in the upcoming Fedora 21 release. "The list of apps that don’t support Wayland yet is: Terminal, Empathy, Totem, PiTiVi, Sushi. From my experience the list is in fact longer. I couldn’t, for example, run GNOME’s “Software” application on Wayland. This also applies to pretty much all other applications (Firefox, LibreOffice, etc.) and you need to run them using XWayland. Fullscreen apps don’t work at all from my experience." The good news is that a lot of other stuff works well.
Kategóriák: Linux

Thursday's security updates

cs, 2014-10-09 16:47

Debian has updated apt (file overwrite).

Fedora has updated curl (F19: multiple vulnerabilities), fish (F19; F20: multiple vulnerabilities), krfb (F19: multiple vulnerabilities), perl-Data-Dumper (F19: denial of service), and qemu (F20: code execution).

Mageia has updated bugzilla (multiple vulnerabilities), cacti (M4: multiple vulnerabilities), fish (M4: multiple vulnerabilities), golang (M4: forged certificate ownership), perl (M3; M4: denial of service), perl-Data-Dumper (denial of service), python-requests (M4: multiple vulnerabilities), rsyslog (denial of service), and torque (denial of service).

openSUSE has updated phpMyAdmin (cross-site scripting) and xen (12.3; 13.1: multiple vulnerabilities).

Ubuntu has updated bash (10.04, 12.04, 14.04: multiple vulnerabilities), EC2 kernel (10.04: multiple vulnerabilities), exuberant-ctags (12.04, 14.04: denial of service), kernel (10.04; 12.04; 14.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Kategóriák: Linux

[$] Weekly Edition for October 9, 2014

cs, 2014-10-09 01:47
The Weekly Edition for October 9, 2014 is available.
Kategóriák: Linux

Wheeler: Shellshock

sze, 2014-10-08 19:11
David A. Wheeler examines the shellshock bash vulnerability, with a discussion on ways to detect or prevent future vulnerabilities, a timeline of what happened and when, some information about specific CVEs, and a few conclusions. "Shells are widely used on these systems to process commands, so there were many ways to exploit shellshock. This included web applications implemented using CGI that are written in bash or invoke bash subshells, sshd using ForceCommand (to limit access to specific actions), and DHCP clients connecting to subverted DHCP servers. The probability of vulnerability was somewhat less on Debian and Ubuntu, because their default non-interactive shell is dash (which was not vulnerable) instead of bash, but there were still cases where they could be vulnerable. One point of confusion about Debian and Ubuntu is that their default interactive shell is bash, while their default non-interactive shell is dash, and it is primarily the non-interactive shell (aka /bin/sh) that matters in the shellshock vulnerability. Similarly, Apple MacOS does not use bash in many circumstances, but there were cases where it could be vulnerable. Android systems use Linux but normally use the MirBSD (mksh) shell, which was not vulnerable."
Kategóriák: Linux

Security advisories for Wednesday

sze, 2014-10-08 16:49

Debian has updated rsyslog (integer overflow).

Red Hat has updated kernel (RHEL6.4 EUS: privilege escalation).

Ubuntu has updated apt (14.04, 12.04: file overwrite).

Kategóriák: Linux

Open Definition 2.0

sze, 2014-10-08 14:57
Version 2.0 of the Open Definition has been announced. The Open Definition seeks to define the meaning of "open" in the context of data, content, and more. "However, these benefits are at significant risk both from quality problems such as 'open-washing' (non-open data being passed off as open) and from fragmentation of the open data ecosystem due to incompatibility between the growing number of 'open' licenses. The Open Definition eliminates these risks and ensures we realize the full benefits of open by guaranteeing quality and preventing incompatibility."
Kategóriák: Linux

Tuesday's security updates

k, 2014-10-07 16:44

CentOS has updated polkit-qt (C7: authorization bypass).

Mageia has updated dbus (multiple vulnerabilities), libvirt (two vulnerabilities), libvncserver (multiple vulnerabilities), mediawiki (two vulnerabilities), phpmyadmin (cross-site scripting), python (buffer overflow), squid (multiple vulnerabilities), and xerces-j2 (denial of service).

Oracle has updated polkit-qt (OL7: authorization bypass).

Red Hat has updated polkit-qt (RHEL7: authorization bypass).

Kategóriák: Linux

OpenSSH 6.7 released

k, 2014-10-07 14:21
OpenSSH 6.7 is available. This release includes the removal of some relatively unsafe ciphers and the removal of tcpwrappers support. On the other hand, the developers have added Unix-domain socket forwarding, support for interrupted uploads in sftp, and more; see this article for more information on this release.
Kategóriák: Linux

Voting imminent on Fedora's new governance proposal

k, 2014-10-07 13:46
The Fedora project is contemplating a new governance model built around an elected council. "The Council is composed of a mix of representatives from different areas of the project, named roles appointed by Red Hat, and a variable number of seats connected to medium-term project goals. Decisions are made by a consensus process, in which we work together as a common team to find shared solutions and address concerns, with a focus on giving voice rather than on balance of power." The current Fedora Board is beginning a vote on the proposal; the results can be seen on this page.
Kategóriák: Linux

The Unpatchable Malware That Infects USBs Is Now on the Loose (Wired)

h, 2014-10-06 21:16
The BadUSB attack was demonstrated at the Black Hat security conference, but the code was not released at that time. Wired reports that two security researchers have released some code. "In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as [Karsten] Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable." LWN covered BadUSB last August. (Thanks to Paul Wise)
Kategóriák: Linux

Stable kernel updates

h, 2014-10-06 17:45
Greg KH has released stable kernels 3.16.4, 3.14.20, and 3.10.56. All of them contain important fixes throughout the tree.
Kategóriák: Linux

Security advisories for Monday

h, 2014-10-06 17:38

CentOS has updated libvirt (C7: two vulnerabilities).

Debian has updated exuberant-ctags (denial of service), mediawiki (code execution), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities).

Fedora has updated bash (F20: code injection), libvncserver (F19: multiple vulnerabilities), mediawiki (F20; F19: web script injection), nodejs-qs (F20; F19: denial of service), nodejs-send (F20; F19: directory traversal), phpMyAdmin (F20: cross-site scripting), and suricata (F20: denial of service).

Gentoo has updated bash (multiple vulnerabilities).

Kategóriák: Linux

The 3.17 kernel is out

h, 2014-10-06 01:10
Linus has released the 3.17 kernel, saying "So the past week was fairly calm, and so I have no qualms about releasing 3.17 on the normal schedule." This kernel includes four new system calls (getrandom(), seccomp(), memfd_create(), and kexec_file_load()), a bunch of internal work toward an eventual solution to the "year 2038" problem, multiqueue support in the SCSI layer, and much more.

Linus indicates that, due to travel, the 3.18 merge window may be longer than usual, but things have not always worked out that way in the past.

Kategóriák: Linux

Change of heart: Inkscape starts encouraging paid development (Libre Graphics World)

szo, 2014-10-04 00:05

Libre Graphics World (LGW) has taken a look at the newly announced funded-development policy adopted by the Inkscape project. "In a nutshell, if you have a decent track record in the project, and someone (community, enterprise, government, alien invaders) is willing to fund your work, you are welcome to get cracking, provided you reach mutual agreement with the Inkscape Board that a) the project idea makes sense, b) you really appear to have the expertise to work on it. You should also be prepared for your performance to be reviewed." LGW provides some important background, putting this new policy in the context of previous paid-development efforts—not only within Inkscape, but in comparison to other free-software graphics projects like Blender and Synfig. "Paid development in free/libre software projects is a complicated topic. Making this actually work involves far more than setting up a campaign at a crowdfunding platform and banging the drums to draw attention. And "opening the mind to the possibilities" seems to be second (more likely, tenth) to actually having human resources to allocate for organizing it all."

Kategóriák: Linux

Paquier: Postgres 9.5 feature highlight: Row-Level Security and Policies

p, 2014-10-03 18:57
The (distant) PostgreSQL 9.5 release is expected to have a new row-level security feature. This article from Michael Paquier describes how to make use of it. "This row control mechanism is controlled using a new query called CREATE POLICY (of course its flavor ALTER POLICY to update an existing policy and DROP POLICY to remove a policy exist as well). By default, tables have no restrictions in terms of how rows can be added and manipulated. However they can be made able to accept level restriction policies using ALTER TABLE and ENABLE ROW LEVEL SECURITY."
Kategóriák: Linux