Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 1 perc 46 másodperc

The hidden costs of embargoes (Red Hat Security Blog)

p, 2015-06-12 05:12
Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping the information about security vulnerabilities quiet until distributions can coordinate their releases of a fix for it seems like it makes a lot of sense, but there are hidden costs to that. "Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for 'because of an incomplete fix for'."
Kategóriák: Linux

Security advisories for Thursday

cs, 2015-06-11 17:37

CentOS has updated kernel (C6: multiple vulnerabilities) and qemu-kvm (C6: code execution).

Debian-LTS has updated wireshark (WCP dissector crash).

Fedora has updated cabal-install (F22: force digest authentication), freecad (F22: code execution), fusionforge (F22; F21: code execution), haskell-platform (F22: force digest authentication), less (F21: information leak), libreswan (F22; F21: denial of service), python-tornado (F21: TLS side-channel attack), and thermostat (F21: code execution).

openSUSE has updated proftpd (13.2, 13.1: two vulnerabilities, one from 2013), wpa_supplicant (13.2, 13.1: three vulnerabilities), and zeromq (13.2, 13.1: protocol downgrade).

Oracle has updated qemu-kvm (OL6: code execution) and kernel (OL6; OL5: three vulnerabilities).

Red Hat has updated qemu-kvm (RHEL6: code execution) and qemu-kvm-rhev (RHEL6OSP: code execution).

Scientific Linux has updated abrt (SL7: multiple vulnerabilities) and qemu-kvm (SL6: code execution).

Ubuntu has updated kernel (15.04; 14.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: two vulnerabilities), linux-lts-vivid (14.04: three vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Kategóriák: Linux

LinkedIn open-sources Pinot

cs, 2015-06-11 15:30
LinkedIn has announced the release of its "Pinot" analytics system under the Apache license. "We’ve been using it at LinkedIn for more than two years, and in that time, it has established itself as the de facto online analytics platform to provide valuable insights to our members and customers. At LinkedIn, we have a large deployment of Pinot storing 100’s of billions of records and ingesting over a billion records every day."
Kategóriák: Linux

LWN.net Weekly Edition for June 11, 2015

cs, 2015-06-11 03:51
The LWN.net Weekly Edition for June 11, 2015 is available.
Kategóriák: Linux

[$] Resurrecting the SuperH architecture

cs, 2015-06-11 00:00
Processor architectures are far from trivial; untold millions of dollars and many thousands of hours have likely gone into the creation and refinement of the x86 and ARM architectures that dominate the CPUs in Linux boxes today. But that does not mean that x86 and ARM are the only architectures of value, as Jeff Dionne, Rob Landley, and Shumpei Kawasaki illustrated in their LinuxCon Japan session "Turtles all the way down: running Linux on open hardware." The team has been working on breathing new life into a somewhat older architecture that offers comparable performance to many common system-on-chip (SoC) designs—and which can be produced as open hardware.

Click below (subscribers only) for the full report from LinuxCon Japan.

Kategóriák: Linux

Huston: Multipath TCP

sze, 2015-06-10 21:31
Geoff Huston has written a lengthy column on multipath TCP. "For many scenarios there is little value in being able to use multiple addresses. The conventional behavior is where each new session is directed to a particular interface, and the session is given an outbound address as determined by local policies. However, when we start to consider applications where the binding of location and identity is more fluid, and where network connections are transient, and the cost and capacity of connections differ, as is often the case in todays mobile cellular radio services and in WiFi roaming services, then having a session that has a certain amount of agility to switch across networks can be a significant factor." (See also: LWN's look at the Linux multipath TCP implementation from 2013).
Kategóriák: Linux

Inside NGINX: How We Designed for Performance & Scale

sze, 2015-06-10 21:25
The folks behind the NGINX web server have put up a highly self-congratulatory article on how the system was designed. "NGINX scales very well to support hundreds of thousands of connections per worker process. Each new connection creates another file descriptor and consumes a small amount of additional memory in the worker process. There is very little additional overhead per connection. NGINX processes can remain pinned to CPUs. Context switches are relatively infrequent and occur when there is no work to be done."
Kategóriák: Linux

Security updates for Wednesday

sze, 2015-06-10 18:14

Arch Linux has updated cups (two vulnerabilities).

Debian has updated cups (two vulnerabilities).

Debian-LTS has updated libapache-mod-jk (information disclosure) and libraw (denial of service).

Oracle has updated abrt (OL7: multiple vulnerabilities) and kernel (OL6: multiple vulnerabilities).

Red Hat has updated abrt (RHEL7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiple vulnerabilities), and kernel (RHEL6; RHEL6.2: multiple vulnerabilities).

Scientific Linux has updated kernel (SL6: multiple vulnerabilities).

Ubuntu has updated cups (15.04, 14.10, 14.04, 12.04: two vulnerabilities) and qemu, qemu-kvm (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

Kategóriák: Linux

[$] Obstacles to contribution in embedded Linux

k, 2015-06-09 22:46
Tim Bird has worked with embedded Linux for many years; during this time he has noticed an unhappy pattern: many of the companies that use and modify open-source software are not involved with the communities that develop that software. That is, he said, "a shame." In an attempt to determine what is keeping companies from contributing to the kernel in particular, the Consumer Electronics Linux Forum (a Linux Foundation workgroup) has run a survey of embedded kernel developers. The resulting picture highlights some of the forces keeping these developers from engaging with the development community and offers some ideas for improving the situation.
Kategóriák: Linux

Tuesday's security advisories

k, 2015-06-09 18:28

Debian-LTS has updated cups (two vulnerabilities).

Fedora has updated fuse (F21: privilege escalation), mbedtls (F22: code execution), python-tornado (F22: side-channel attack), and thermostat (F22: code execution).

Mageia has updated ipsec-tools (denial of service), jackrabbit (information leak), php-ZendFramework (CRLF injection), and rabbitmq-server (multiple vulnerabilities).

Ubuntu has updated strongswan (15.04, 14.10, 14.04: information disclosure).

Kategóriák: Linux

As open source code, Apple's Swift language could take flight (ITWorld)

k, 2015-06-09 00:50
ITWorld reports that Apple will release its Swift programming language under an open source license. "When Swift becomes open source later this year, programmers will be able to compile Swift programs to run on Linux as well as on OS X and iOS, said Craig Federighi, Apple’s head of software engineering, during the opening keynote of Apple’s Worldwide Developers Conference Monday in San Francisco. The source code will include the Swift compiler and standard library, and community contributions will be “accepted—and encouraged,” Apple said."
Kategóriák: Linux

Security advisories for Monday

h, 2015-06-08 18:14

Debian has updated php5 (multiple vulnerabilities), redis (code execution), and strongswan (information disclosure).

Debian-LTS has updated fuse (privilege escalation).

Fedora has updated dcraw (F22; F21; F20: denial of service), fuse (F22: privilege escalation), ipsec-tools (F21; F20: denial of service), less (F22: information leak), ntfs-3g (F21: privilege escalation), php-symfony (F22; F21; F20: restriction bypass), ufraw (F22; F21; F20: denial of service), and zarafa (F21; F20: file overwrites).

Scientific Linux has updated openssl (SL6,7: cipher-downgrade attacks).

SUSE has updated cups (SLE11SP3: privilege escalation).

Kategóriák: Linux

Some stable kernel updates

h, 2015-06-08 15:37
The 4.0.5, 3.14.44, and 3.10.80 stable kernels have been released. These contain a number of important bug fixes, including the fixes for the ext4 and RAID 0 data corruption issues discussed in this article.

At LinuxCon Japan last week it was announced that the next long-term stable release, to be maintained for two years, will be 4.1.

Kategóriák: Linux

Kernel prepatch 4.1-rc7

h, 2015-06-08 15:15
The 4.1-rc7 prepatch is out. "Normally rc7 tends to be the last rc release, and there's not a lot going on to really merit anything else this time around. However, we do still have some pending regressions, and as mentioned last week I also have my yearly family vacation coming up, so we'll have an rc8 and an extra week before 4.1 actually gets released."
Kategóriák: Linux

Let's Encrypt Root and Intermediate Certificates

szo, 2015-06-06 00:41
The Let's Encrypt project has announced that it has created the root and intermediate keys and certificates it will use to sign certificates. Let's Encrypt is the no-cost certificate authority announced by the Electronic Frontier Foundation (EFF) back in November. In April, the Linux Foundation announced that it would be hosting the project. "The keys and certificates that will underlie Let’s Encrypt have been generated. This was done during a key ceremony at a secure facility today." The intermediate certificates will be cross-signed by IdenTrust so that they will be accepted by browsers before the Let's Encrypt root certificate has been propagated. A bit more news from the blog post: "In the next few weeks, we’ll be saying some more about our plans for going live."
Kategóriák: Linux

Security updates for Friday

p, 2015-06-05 16:41

Arch Linux has updated pcre (code execution).

CentOS has updated openssl (C7; C6: cipher downgrade).

Fedora has updated batik (F22; F21; F20: information leak), netty (F21: httpOnly cookie bypass), and pcs (F22; F21; F20: two vulnerabilities).

openSUSE has updated e2fsprogs (13.2; 13.1: two vulnerabilities) and fuse (13.1: privilege escalation).

Oracle has updated openssl (OL7; OL6: cipher downgrade).

Red Hat has updated openssl (RHEL6&7: cipher downgrade).

Kategóriák: Linux

GNU Octave 4.0.0 Released

p, 2015-06-05 01:43
GNU Octave, which is a high-level programming language for numerical computations that is largely compatible with MATLAB, has made its 4.0 release. There are lots of new features in this major release, which are described in the release notes. Some of those features include defaulting to the graphical user interface instead of the command-line interface, OpenGL graphics and Qt widgets by default, a new syntax for object-oriented programming using classdef, audio functions, better MATLAB compatibility, and more.
Kategóriák: Linux

Thursday's security alerts

cs, 2015-06-04 15:58

Debian has updated libapache-mod-jk (information disclosure).

Debian-LTS has updated mercurial (two code execution flaws).

Oracle has updated kernel (OL5: unspecified vulnerabilities).

Red Hat has updated php54 (RHSC6&7: multiple vulnerabilities), php55 (RHSC6&7: multiple vulnerabilities), python27 (RHSC6&7: multiple vulnerabilities, two from 2013), and thermostat1 (RHSC6&7: code execution).

Ubuntu has updated t1utils (14.10, 14.04: code execution).

Kategóriák: Linux

LWN.net Weekly Edition for June 4, 2015

cs, 2015-06-04 02:55
The LWN.net Weekly Edition for June 4, 2015 is available.
Kategóriák: Linux

Emergency security band-aids with Systemtap

sze, 2015-06-03 23:14
Here's an article on the Red Hat security blog on the use of Systemtap to apply emergency security fixes. "With the vulnerability-band-aid approach chosen, we need to express our intent in the systemtap scripting language. The model is simple: for each place where the state change is to be done we place a probe. In each probe handler, we detect whether the context indicates an exploit is in progress and, if so, make changes to the context. We might also need additional probes to detect and capture state from before the vulnerable section of code, for diagnostic purposes."
Kategóriák: Linux