Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 14 minutes 51 seconds ago
The LWN.net Weekly Edition for June 5, 2014 is available.
The eighth annual PostgreSQL developer conference, known as PGCon, concluded on May 24th in Ottawa, Canada. This event has stretched into five days of meetings, talks, and discussions for 230 members of the PostgreSQL core community, which consists both of contributors and database administrators. PGCon serves to focus the whole PostgreSQL development community on deciding what's going to be in next year's PostgreSQL release as well as on showing off new features that contributors have developed. This year's conference included meetings of the main PostgreSQL team as well as for the Postgres-XC team, a keynote by Dr. Richard Hipp, and new code to put VODKA in your database.
Subscribers can click below for the full report from guest author Josh Berkus.
Cupid is an exploit for the Heartbleed bug in OpenSSL that can target both servers and endpoints running Linux and Android, reports PCMagazine. "Luis Grangeia, a researcher at SysValue, created a proof-of-concept code library that he calls "Cupid." Cupid consists of two patches to existing Linux code libraries. One allows an "evil server" to exploit Heartbleed on vulnerable Linux and Android clients, while the other allows an "evil client" to attack Linux servers. Grangeia has made the source code freely available, in hopes that other researchers will join in to learn more about just what kind of attacks are possible."
Debian has updated chkrootkit (privilege escalation).
Red Hat has updated gnutls (RHEL5: multiple vulnerabilities), gnutls (RHEL6: code execution), kernel (RHEL6.3 EUS: two vulnerabilities), libtasn1 (RHEL6: multiple vulnerabilities), and squid (RHEL6: denial of service).
Ubuntu has updated chkrootkit (privilege escalation).
Ars Technica reports on a buffer overflow in GnuTLS, which is an alternative to OpenSSL for SSL/TLS support. The length checks for the session ID in the ServerHello message were not correct, which allowed the overflow. "Maliciously configured servers can exploit the bug by sending malformed data to devices as they establish encrypted HTTPS connections. Devices that rely on an unpatched version of GnuTLS can then be remotely hijacked by malicious code of the attacker's choosing, security researchers who examined the fix warned. The bug wasn't patched until Friday [May 30], with the release of GnuTLS versions 3.1.25, 3.2.15, and 3.3.4. While the patch has been available for three days, it will protect people only when the GnuTLS-dependent software they use has incorporated it. With literally hundreds of packages dependent on the library, that may take time." This analysis shows how the bug could be exploited for arbitrary code execution.
Over at Opensource.com, Jack Kloppenburg—one of the founders of the Open Source Seed Initiative (OSSI) that is trying to apply open source ideas to the genetic material in plant seeds—describes the switch from a licensing approach to that of a "pledge". "In February of 2014, OSSI made the hard but considered decision to abandon efforts to develop a legally defensible license and to shift to a pledge. This moves OSSI’s discourse and action from the legal field to the terrain of norms and ethics. We have found this shift to be stimulating, reinvigorating, and productive. The licensing approach was pulling us into a policing and bureaucratic orientation that was not congenial. Although our pledge is likely not legally binding, it is easily transmissible, it is viral, it is an uncompromising commitment to free exchange and use, and it is a very effective tool for outreach and education."
The Google Online Security Blog has announced the alpha release of an OpenPGP-compliant end-to-end encryption extension for the Chrome/Chromium browser. "While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools. However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)"
In a lengthy message to the fedora-announce mailing list, outgoing Fedora Project Leader (FPL) Robyn Bergeron has described the role of the FPL and why turnover in that position (and other, similar leadership roles) is desirable. She also announced that the new FPL will be Matthew Miller: "Of course, Matthew is no newcomer to the Fedora Project, having been around since the *LITERAL DAWN OF FEDORA TIME* -- he was an early contributor to the Fedora Legacy project, and helped to organize early FUDCons in his area of the world, at Boston University. Since joining Red Hat in 2012, he's been responsible for the Cloud efforts in Fedora, and as the previous wrangler for that team, I was thrilled when he came on board and was willing and able to start driving forward some of the initiatives and wishlist items that team was working on. What started out small has since grown into a vision for the future, and I'm confident in Matthew's ability to lead the Fedora Project forward into its next 10 years of innovative thinking."
The Linux Mint project has released version 17 "Qiana" in Cinnamon and MATE editions. Qiana is a long term support release so it will be supported until 2019. See the new features pages for Cinnamon and MATE for some details. Here are the release notes for Cinnamon and MATE, where a few known issues are listed.
Fedora has updated libgadu (F20: code execution).
Slackware has updated mariadb (multiple unspecified vulnerabilities).
Ubuntu has updated gnutls26 (code execution).
Linus has released the 3.15-rc8 prepatch after concluding that this development cycle needed one more week of stabilization. But he has also decided to go ahead and start the 3.16 merge window before the 3.15 release, mostly as a way of avoiding a conflict with a planned family vacation. "So let's try to see how well that works - the last weeks of the release tends to be me just waiting around to make sure nothing bad is happening, so doing this kind of overlapping development *should* work fine. Maybe it works so well that we'll end up doing it in the future even if there *isn't* some kind of scheduling conflict that makes me want to start the merge window before I'm 100% comfortable doing the release for the previous version."
Greg Kroah-Hartman has announced the release of the 3.14.5 and 3.10.41 stable kernels. As is the norm, they contain important fixes throughout the tree and users should upgrade.
It is a rare free software project that feels it has too many developers; indeed, most could benefit from more development help. One way to get that help is to have a company pay developers to work on a project; the presence of paid developers is often one of the first signs that a particular project is gaining traction. But paid developers often bring with them worries that the company footing the bill will seek to drive the project in undesirable directions. The GNOME project, which is conducting its annual election for its board of directors until June 8, has an opportunity to say that corporate involvement in development has gone too far — or not.
At the Mozilla "Future Releases" blog, Chad Weiner announces a new feature just added to the latest Firefox Nightly builds: WebRTC-powered audio/video chat functionality. The feature "aims to connect everyone with a WebRTC-enabled browser. And that’s all you will need. No plug-ins, no downloads. If you have a browser, a camera and a mic, you’ll be able to make audio and video calls to anyone else with an enabled browser. It will eventually work across all of your devices and operating systems. And we’ll be adding lots more features in the future as we roll it out to more users." Cross-browser multimedia chat has been demonstrated with WebRTC before, of course, but the functionality has not been built in. Firefox will evidently use OpenTok, a WebRTC application platform, in its implementation.
Red Hat has updated openstack-foreman-installer (RHEL OSP4: insecure defaults), openstack-heat-templates (RHEL OSP4: multiple vulnerabilities), openstack-keystone (RHEL OSP4: restriction bypass), openstack-neutron (RHEL OSP4: multiple vulnerabilities), openstack-nova (RHEL OSP4: information leak), and python-django-horizon (RHEL OSP4: cross-site scripting).
The LWN.net Weekly Edition for May 30, 2014 is available.
A debate about Python modules—and where and how they are hosted—raged in early May on two separate Python mailing lists. There are a number of interrelated issues that make up the debate, but the core question seems to be: should the now-default pip package manager treat the "official" module repository differently than other repositories? Some see "external modules"—those not hosted at the Python Package Index (PyPI)—as a potential reliability problem, while others don't see much difference between external and PyPI-hosted modules.
Subscribers can click below for a look at the discussion from this week's edition.
Fedora has updated libpng (F20: two denial of service flaws), libtiff (F20: code execution), openstack-neutron (F20: access restriction bypass), and php-ZendFramework2 (F20; F19: multiple vulnerabilities).
openSUSE has updated libgadu (two vulnerabilities).
The Linux Foundation has put out a press release describing the evolution of its new "Core Infrastructure Initiative," which directs funding to developers of projects deemed to be both critical and short of resources. The first projects to be funded will be OpenSSL, OpenSSH, and the network time protocol (NTP) implementation. The steering committee for the initiative has been picked; it includes Alan Cox, Eben Moglen, Bruce Schneier, and Ted Ts'o. And a few more companies (Adobe, Bloomberg, HP, Huawei and salesforce.com) have added their support to the program.