Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] LWN.net Weekly Edition for June 5, 2014

Thu, 2014-06-05 02:52
The LWN.net Weekly Edition for June 5, 2014 is available.
Categories: Linux

[$] PGCon 2014: Clustering and VODKA

Wed, 2014-06-04 20:49

The eighth annual PostgreSQL developer conference, known as PGCon, concluded on May 24th in Ottawa, Canada. This event has stretched into five days of meetings, talks, and discussions for 230 members of the PostgreSQL core community, which consists both of contributors and database administrators. PGCon serves to focus the whole PostgreSQL development community on deciding what's going to be in next year's PostgreSQL release as well as on showing off new features that contributors have developed. This year's conference included meetings of the main PostgreSQL team as well as for the Postgres-XC team, a keynote by Dr. Richard Hipp, and new code to put VODKA in your database.

Subscribers can click below for the full report from guest author Josh Berkus.

Categories: Linux

Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Wed, 2014-06-04 18:53
Cupid is an exploit for the Heartbleed bug in OpenSSL that can target both servers and endpoints running Linux and Android, reports PCMagazine. "Luis Grangeia, a researcher at SysValue, created a proof-of-concept code library that he calls "Cupid." Cupid consists of two patches to existing Linux code libraries. One allows an "evil server" to exploit Heartbleed on vulnerable Linux and Android clients, while the other allows an "evil client" to attack Linux servers. Grangeia has made the source code freely available, in hopes that other researchers will join in to learn more about just what kind of attacks are possible."
Categories: Linux

Security advisories for Wednesday

Wed, 2014-06-04 17:46

CentOS has updated gnutls (C6: code execution), gnutls (C5: multiple vulnerabilities), libtasn1 (C6: multiple vulnerabilities), and squid (C6: denial of service).

Debian has updated chkrootkit (privilege escalation).

Fedora has updated gnutls (F20: code execution) and libtasn1 (F20: multiple vulnerabilities).

openSUSE has updated libcap-ng (11.4: privilege escalation) and libxml2 (13.1, 12.3: revert fix for CVE-2014-0191).

Oracle has updated gnutls (OL6: code execution), gnutls (OL5: multiple vulnerabilities), libtasn1 (OL6: multiple vulnerabilities), and squid (OL6: denial of service).

Red Hat has updated gnutls (RHEL5: multiple vulnerabilities), gnutls (RHEL6: code execution), kernel (RHEL6.3 EUS: two vulnerabilities), libtasn1 (RHEL6: multiple vulnerabilities), and squid (RHEL6: denial of service).

Scientific Linux has updated gnutls (SL5: multiple vulnerabilities), gnutls (SL6: code execution), libtasn1 (SL6: multiple vulnerabilities), and squid (SL6: denial of service).

Ubuntu has updated chkrootkit (privilege escalation).

Categories: Linux

Critical new bug in crypto library leaves Linux, apps open to drive-by attacks (Ars Technica)

Wed, 2014-06-04 00:34
Ars Technica reports on a buffer overflow in GnuTLS, which is an alternative to OpenSSL for SSL/TLS support. The length checks for the session ID in the ServerHello message were not correct, which allowed the overflow. "Maliciously configured servers can exploit the bug by sending malformed data to devices as they establish encrypted HTTPS connections. Devices that rely on an unpatched version of GnuTLS can then be remotely hijacked by malicious code of the attacker's choosing, security researchers who examined the fix warned. The bug wasn't patched until Friday [May 30], with the release of GnuTLS versions 3.1.25, 3.2.15, and 3.3.4. While the patch has been available for three days, it will protect people only when the GnuTLS-dependent software they use has incorporated it. With literally hundreds of packages dependent on the library, that may take time." This analysis shows how the bug could be exploited for arbitrary code execution.
Categories: Linux

The unexpected outcome of the Open Source Seed Initiative's licensing debate (Opensource.com)

Wed, 2014-06-04 00:23
Over at Opensource.com, Jack Kloppenburg—one of the founders of the Open Source Seed Initiative (OSSI) that is trying to apply open source ideas to the genetic material in plant seeds—describes the switch from a licensing approach to that of a "pledge". "In February of 2014, OSSI made the hard but considered decision to abandon efforts to develop a legally defensible license and to shift to a pledge. This moves OSSI’s discourse and action from the legal field to the terrain of norms and ethics. We have found this shift to be stimulating, reinvigorating, and productive. The licensing approach was pulling us into a policing and bureaucratic orientation that was not congenial. Although our pledge is likely not legally binding, it is easily transmissible, it is viral, it is an uncompromising commitment to free exchange and use, and it is a very effective tool for outreach and education."
Categories: Linux

Making end-to-end encryption easier to use (Google Online Security Blog)

Wed, 2014-06-04 00:13
The Google Online Security Blog has announced the alpha release of an OpenPGP-compliant end-to-end encryption extension for the Chrome/Chromium browser. "While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools. However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)"
Categories: Linux

Tuesday's security updates

Tue, 2014-06-03 18:03

Fedora has updated smb4k (F20; F19: credential cache leak).

Mageia has updated gnutls (two vulnerabilities) and libtasn1 (multiple vulnerabilities).

SUSE has updated IBM Java 6 (SLE11 SP3: multiple vulnerabilities) and IBM Java 7 (SLE11 SP3: multiple vulnerabilities).

Categories: Linux

Bergeron: Introducing the new Fedora Project Leader, and some parting thoughts.

Tue, 2014-06-03 15:43
In a lengthy message to the fedora-announce mailing list, outgoing Fedora Project Leader (FPL) Robyn Bergeron has described the role of the FPL and why turnover in that position (and other, similar leadership roles) is desirable. She also announced that the new FPL will be Matthew Miller: "Of course, Matthew is no newcomer to the Fedora Project, having been around since the *LITERAL DAWN OF FEDORA TIME* -- he was an early contributor to the Fedora Legacy project, and helped to organize early FUDCons in his area of the world, at Boston University. Since joining Red Hat in 2012, he's been responsible for the Cloud efforts in Fedora, and as the previous wrangler for that team, I was thrilled when he came on board and was willing and able to start driving forward some of the initiatives and wishlist items that team was working on. What started out small has since grown into a vision for the future, and I'm confident in Matthew's ability to lead the Fedora Project forward into its next 10 years of innovative thinking."
Categories: Linux

Linux Mint 17 released

Tue, 2014-06-03 00:09
The Linux Mint project has released version 17 "Qiana" in Cinnamon and MATE editions. Qiana is a long term support release so it will be supported until 2019. See the new features pages for Cinnamon and MATE for some details. Here are the release notes for Cinnamon and MATE, where a few known issues are listed.
Categories: Linux

Security advisories for Monday

Mon, 2014-06-02 18:48

Debian has updated chromium-browser (multiple vulnerabilities), gnutls26 (code execution), lxml (code injection), php5 (multiple vulnerabilities), and typo3-src (multiple vulnerabilities).

Fedora has updated libgadu (F20: code execution).

Gentoo has updated dbus (privilege escalation from 2012), fail2ban (multiple vulnerabilities, one from 2009), and libarchive (multiple vulnerabilities, one from 2010).

openSUSE has updated libgadu (11.4: two vulnerabilities), libxml2 (11.4: regression in previous update), and sudo (11.4: privilege escalation).

Slackware has updated mariadb (multiple unspecified vulnerabilities).

Ubuntu has updated gnutls26 (code execution).

Categories: Linux

Kernel prepatch 3.15-rc8 — and the start of the 3.16 merge window

Mon, 2014-06-02 05:32
Linus has released the 3.15-rc8 prepatch after concluding that this development cycle needed one more week of stabilization. But he has also decided to go ahead and start the 3.16 merge window before the 3.15 release, mostly as a way of avoiding a conflict with a planned family vacation. "So let's try to see how well that works - the last weeks of the release tends to be me just waiting around to make sure nothing bad is happening, so doing this kind of overlapping development *should* work fine. Maybe it works so well that we'll end up doing it in the future even if there *isn't* some kind of scheduling conflict that makes me want to start the merge window before I'm 100% comfortable doing the release for the previous version."
Categories: Linux

Stable kernels 3.14.5 and 3.10.41

Sun, 2014-06-01 03:03
Greg Kroah-Hartman has announced the release of the 3.14.5 and 3.10.41 stable kernels. As is the norm, they contain important fixes throughout the tree and users should upgrade.
Categories: Linux

[$] Questioning corporate involvement in GNOME development

Sat, 2014-05-31 14:17
It is a rare free software project that feels it has too many developers; indeed, most could benefit from more development help. One way to get that help is to have a company pay developers to work on a project; the presence of paid developers is often one of the first signs that a particular project is gaining traction. But paid developers often bring with them worries that the company footing the bill will seek to drive the project in undesirable directions. The GNOME project, which is conducting its annual election for its board of directors until June 8, has an opportunity to say that corporate involvement in development has gone too far — or not.
Categories: Linux

Mozilla to build WebRTC chat into Firefox

Sat, 2014-05-31 01:51

At the Mozilla "Future Releases" blog, Chad Weiner announces a new feature just added to the latest Firefox Nightly builds: WebRTC-powered audio/video chat functionality. The feature "aims to connect everyone with a WebRTC-enabled browser. And that’s all you will need. No plug-ins, no downloads. If you have a browser, a camera and a mic, you’ll be able to make audio and video calls to anyone else with an enabled browser. It will eventually work across all of your devices and operating systems. And we’ll be adding lots more features in the future as we roll it out to more users." Cross-browser multimedia chat has been demonstrated with WebRTC before, of course, but the functionality has not been built in. Firefox will evidently use OpenTok, a WebRTC application platform, in its implementation.

Categories: Linux

Friday's security updates

Fri, 2014-05-30 19:35

Fedora has updated emacs (F20: multiple vulnerabilities) and moodle (F19; F20: multiple vulnerabilities).

Mageia has updated libgadu (code execution) and mumble (multiple vulnerabilities).

openSUSE has updated policycoreutils (12.3, 13.1: privilege escalation) and python-lxml (12.3, 13.1: code injection).

Red Hat has updated openstack-foreman-installer (RHEL OSP4: insecure defaults), openstack-heat-templates (RHEL OSP4: multiple vulnerabilities), openstack-keystone (RHEL OSP4: restriction bypass), openstack-neutron (RHEL OSP4: multiple vulnerabilities), openstack-nova (RHEL OSP4: information leak), and python-django-horizon (RHEL OSP4: cross-site scripting).

SUSE has updated IBM Java 6 (SLES10 SP3,4; SLES11 SP2: multiple vulnerabilities) and IBM Java 7 (SLES11 SP2: multiple vulnerabilities).

Categories: Linux

[$] LWN.net Weekly Edition for May 30, 2014

Fri, 2014-05-30 03:58
The LWN.net Weekly Edition for May 30, 2014 is available.
Categories: Linux

[$] PyPI, pip, and external repositories

Thu, 2014-05-29 23:50

A debate about Python modules—and where and how they are hosted—raged in early May on two separate Python mailing lists. There are a number of interrelated issues that make up the debate, but the core question seems to be: should the now-default pip package manager treat the "official" module repository differently than other repositories? Some see "external modules"—those not hosted at the Python Package Index (PyPI)—as a potential reliability problem, while others don't see much difference between external and PyPI-hosted modules.

Subscribers can click below for a look at the discussion from this week's edition.

Categories: Linux

Security advisories for Thursday

Thu, 2014-05-29 16:31

Fedora has updated libpng (F20: two denial of service flaws), libtiff (F20: code execution), openstack-neutron (F20: access restriction bypass), and php-ZendFramework2 (F20; F19: multiple vulnerabilities).

Mageia has updated cifs-utils (code execution), libvirt (two vulnerabilities), mono (M3: denial of service from 2012), qt4 (M3: denial of service), and qt4 and qtbase5 (M4: denial of service).

openSUSE has updated libgadu (two vulnerabilities).

SUSE has updated firefox (SLE10SP4; SLE10SP3: multiple vulnerabilities) and IBM Java 6 (SLE11SP2: multiple vulnerabilities).

Categories: Linux

A Core Infrastructure Initiative announcement

Thu, 2014-05-29 16:01
The Linux Foundation has put out a press release describing the evolution of its new "Core Infrastructure Initiative," which directs funding to developers of projects deemed to be both critical and short of resources. The first projects to be funded will be OpenSSL, OpenSSH, and the network time protocol (NTP) implementation. The steering committee for the initiative has been picked; it includes Alan Cox, Eben Moglen, Bruce Schneier, and Ted Ts'o. And a few more companies (Adobe, Bloomberg, HP, Huawei and salesforce.com) have added their support to the program.
Categories: Linux