Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security updates

Fri, 2015-07-17 16:53

Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).

Mageia has updated flash-player-plugin (M4, M5: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (O5: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL 5, 6: multiple vulnerabilities), java-1.6.0-sun (RHEL 5, 6, 7: multiple vulnerabilities), java-1.7.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities), and java-1.8.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities).

SUSE has updated flash-player (SLE11; SLE12: multiple vulnerabilities) and php5 (SLE12: multiple vulnerabilities).

Categories: Linux

Calculating the "truck factor" for GitHub projects

Fri, 2015-07-17 00:03
The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.
Categories: Linux

Security updates for Thursday

Thu, 2015-07-16 16:52

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities), java-1.8.0-openjdk (C7; C6: many vulnerabilities), and kernel (C6: multiple vulnerabilities, one from 2011).

Debian-LTS has updated python-django (three vulnerabilities).

Fedora has updated cryptopp (F22; F21: information disclosure), drupal7-feeds (F22; F21: three vulnerabilities), rsyslog (F22: denial of service), and springframework (F22; F21: denial of service).

openSUSE has updated bind (13.2; 13.1: three vulnerabilities, one from 2014).

Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified), java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: denial of service).

Scientific Linux has updated java-1.7.0-openjdk (SL5; SL6&7: many vulnerabilities), java-1.8.0-openjdk (SL6&7: many vulnerabilities), and kernel (SL6: multiple vulnerabilities, one from 2011).

Categories: Linux

Rkt 0.7.0 released

Thu, 2015-07-16 10:30
Version 0.7.0 of the rkt container runtime system is available. "This release includes new subcommands for a rkt image to manipulate images from the local store, a new build system based on autotools and integration with SELinux. These new capabilities improve the user experience, make it easier to build future features and improve security isolation between containers."
Categories: Linux

[$] LWN.net Weekly Edition for July 16, 2015

Thu, 2015-07-16 02:22
The LWN.net Weekly Edition for July 16, 2015 is available.
Categories: Linux

[$] Python 3.5 is on its way

Wed, 2015-07-15 20:34

It has been nearly a year and a half since the last major Python release, which was 3.4 in March 2014—that means it is about time for Python 3.5. We looked at some of the new features in 3.4 at the time of its first release candidate, so the announcement of the penultimate beta release for 3.5 seems like a good time to see what will be coming in the new release.

Subscribers can click below to see the full article from this week's edition.

Categories: Linux

Bruce Schneier: IT Teams Need Cyberattack Response Planning More Than Prevention (Linux.com)

Wed, 2015-07-15 20:11
Linux.com has an interview with Bruce Schneier. "Schneier: The most important takeaway is that we are all vulnerable to this sort of attack. Whether it's nation-state hackers (Sony), hacktivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it. Because as more people wake up and realize how devastating an attack it is, the more we're going to see it."
Categories: Linux

Security updates for Wednesday

Wed, 2015-07-15 18:22

openSUSE has updated cups-filters (13.2: multiple vulnerabilities) and libunwind (13.2; 13.1: buffer overflow).

Oracle has updated kernel (OL6: multiple vulnerabilities).

Red Hat has updated java-1.7.0-openjdk (RHEL6,7; RHEL5: multiple vulnerabilities) and java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).

Ubuntu has updated firefox (12.04: multiple vulnerabilities).

Categories: Linux

FSF and SFC work with Canonical on an "intellectual property" policy update

Wed, 2015-07-15 16:49
The Free Software Foundation (FSF) and Software Freedom Conservancy (SFC) have both put out statements about a change to the Canonical, Ltd. "intellectual property" policy that was negotiated over the last two years (FSF statement and SFC statement). Effectively, Canonical has added a "trump clause" that clarifies that the licenses of the individual packages override the Canonical policy when there is a conflict. Though, as SFC points out: "While a trump clause is a reasonable way to comply with the GPL in a secondary licensing document, the solution is far from ideal. Redistributors of Ubuntu have little choice but to become expert analysts of Canonical, Ltd.'s policy. They must identify on their own every place where the policy contradicts the GPL. If a dispute arises on a subtle issue, Canonical, Ltd. could take legal action, arguing that the redistributor's interpretation of GPL was incorrect. Even if the redistributor was correct that the GPL trumped some specific clause in Canonical, Ltd.'s policy, it may be costly to adjudicate the issue." While backing the change made, both FSF and SFC recommend further changes to make the situation even more clear.
Categories: Linux

An interview with Larry Wall (LinuxVoice)

Wed, 2015-07-15 12:23
LinuxVoice has an interview with Perl creator Larry Wall. "So I was the language designer, but I was almost explicitly told: 'Stay out of the implementation! We saw what you did made out of Perl 5, and we don’t like it!' It was really funny because the innards of the new implementation started looking a whole lot like Perl 5 inside, and maybe that’s why some of the early implementations didn’t work well."
Categories: Linux

How to win the copyleft fight—without litigation (Opensource.com)

Wed, 2015-07-15 00:17
Opensource.com has an interview with Bradley Kuhn. "I continued on in my professional career, which included developing and supporting proprietary software, but I found that the lack of source code and/or the ability to rebuild it myself constantly hampered my ability to do my job. Proprietary software companies today are more careful to give "some open source"; thus, many technology professionals don't realize until it's too late how crippling proprietary software can be when you rely on it every day. In the mid 1990s, hardly any business software license gave us software freedom, so denying our rights to practice our profession (i.e., fix software) made many of us hate our jobs. I considered leaving the field of software entirely because I disliked working with proprietary software so much. Those experiences made me a software freedom zealot. I made a vow that I never wanted any developer or sysadmin to feel the constraints of proprietary software licensing, which limits technologists by what legal agreements their company's lawyers can negotiate rather than their technical skill."
Categories: Linux

NSA releases Linux-based open source infosec tool (ITNews)

Tue, 2015-07-14 21:16
ITNews reports that the US National Security Agency is in the process of releasing its systems integrity management platform - SIMP. "SIMP helps to keep networked systems compliant with security standards, the NSA said, and should form part of a layered, "defence-in-depth" approach to information security. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies." Currently only RHEL and CentOS versions 6.6 and 7.1 are supported.
Categories: Linux

Tuesday's security advisories

Tue, 2015-07-14 18:45

Fedora has updated cups-filters (F22: code execution), firefox (F22; F21: multiple vulnerabilities), libssh (F22: denial of service), openssl (F22; F21: certificate verification botch), openvas-cli (F22: SQL injection), openvas-libraries (F22: SQL injection), openvas-manager (F22: SQL injection), openvas-scanner (F22: SQL injection), pcre (F22: two vulnerabilities), polkit (F22: multiple vulnerabilities), rubygem-moped (F22; F21: denial of service), and wesnoth (F22; F21: information leak).

openSUSE has updated roundcubemail (13.1: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6: multiple vulnerabilities).

Categories: Linux

[$] Why Debian returned to FFmpeg

Mon, 2015-07-13 22:11
Slightly less than one year ago, the Debian community had an extended discussion on whether the FFmpeg multimedia library should return to the distribution. Debian had followed the contentious libav fork when it happened in 2011, but some community members were starting to have second thoughts about that move. At the time, the discussion died out without any changes being made, but the seeds had evidently been planted; on July 8, the project's multimedia developers announced that not only was FFmpeg returning to Debian, but it would be replacing libav.

Click below (subscribers only) for a look at how this decision was made.

Categories: Linux

Security advisories for Monday

Mon, 2015-07-13 18:48

Arch Linux has updated krb5 (two vulnerabilities), lib32-krb5 (two vulnerabilities), lib32-openssl (certificate verification botch), and thunderbird (multiple vulnerabilities).

Debian-LTS has updated bind9 (denial of service) and libunwind (buffer overflow).

Fedora has updated cups-x2go (F21: multiple vulnerabilities), libwmf (F22: multiple vulnerabilities), mariadb (F21: man-in-the-middle attack), openssh (F22; F21: restriction bypass), and s3ql (F22; F21: code execution).

Gentoo has updated libcapsinetwork (denial of service).

openSUSE has updated Firefox and nss (13.2, 13.1: multiple vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated MySQL (SLES11SP2,SP1: cipher-downgrade attacks) and kernel (SLES11SP3: multiple vulnerabilities).

Categories: Linux

Kernel prepatch 4.2-rc2

Mon, 2015-07-13 01:22
The second 4.2 prepatch is available for testing. "This is not a particularly big rc, and things have been fairly calm. We definitely did have some problems in -rc1 that bit people, but they all seemed to be pretty small, and let's hope that -rc2 ends up having fewer annoying issues."
Categories: Linux

Jones: Future development of Trinity

Mon, 2015-07-13 01:21
Here's a discouraging blog post from Dave Jones on why he will no longer be developing the Trinity fuzz tester. "It’s no coincidence that the number of bugs reported found with Trinity have dropped off sharply since the beginning of the year, and I don’t think it’s because the Linux kernel suddenly got lots better. Rather, it’s due to the lack of real ongoing development to 'try something else' when some approaches dry up. Sadly we now live in a world where it’s easier to get paid to run someone else’s fuzzer these days than it is to develop one."
Categories: Linux

Microservices 101: The good, the bad and the ugly (ZDNet)

Sat, 2015-07-11 00:26
ZDNet has an interview about "microservices" with Red Hat VP of engineering for middleware, Dr. Mark Little. Microservices are a relatively recent software architecture that relies on small, easily replaced components and is an alternative to the well-established service-oriented architecture (SOA)—but it is not a panacea: "'Just because you adopt microservices doesn't suddenly mean your badly architected ball of mud is suddenly really well architected and no longer a ball of mud. It could just be lots of distributed balls of mud,' Little said. 'That worries me a bit. I've been around service-oriented architecture for a long time and know the plus points and the negative points. I like microservices because it allows us to focus on the positive points but it does worry me that people see it as the answer to a lot of problems that it's never going to be the answer for.'"
Categories: Linux

A new crop of stable kernels

Fri, 2015-07-10 21:53
Greg Kroah-Hartman has announced the release of the 4.1.2, 4.0.8, 3.14.48, and 3.10.84 stable kernels. All contain important fixes and users should upgrade. In addition, this is the second to last 4.0.x release (i.e. there will be a 4.0.9, but that's the last), so users should be making plans to move to 4.1.x.
Categories: Linux

Friday's security updates

Fri, 2015-07-10 16:51

Arch Linux has updated openssl (certificate verification botch).

CentOS has updated php (C6: many vulnerabilities, some from 2014).

Debian has updated pdns (full fix for denial of service) and pdns-recursor (full fix for denial of service).

Gentoo has updated adobe-flash (multiple vulnerabilities, one from 2014), chromium (multiple vulnerabilities), mysql (multiple vulnerabilities), net-snmp (denial of service from 2014), openssl (certificate verification botch), oracle-jre-bin (multiple vulnerabilities, some from 2014), perl (denial of service from 2013), portage (certificate verification botch from 2013), pypam (code execution from 2012), and t1utils (multiple vulnerabilities).

Mageia has updated openssl (certificate verification botch).

openSUSE has updated MariaDB (13.2, 13.1: many vulnerabilities, some from 2014).

Oracle has updated php (OL6: many vulnerabilities, some from 2014).

Red Hat has updated php (RHEL6: many vulnerabilities, some from 2014) and php54-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated php (SL6: many vulnerabilities, some from 2014).

Slackware has updated openssl (certificate verification botch).

Ubuntu has updated firefox (15.04, 14.10, 14.04: multiple vulnerabilities) and nss (two vulnerabilities).

Categories: Linux