Népszerű fórum témák
FreeBSD Project News
Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 27 perc 24 másodperc
Google has disclosed a new SSL vulnerability that goes by the name POODLE. In essence: a man-in-the-middle attacker can force a connection to drop back to the obsolete SSL 3.0 protocol, then recover plaintext data. "Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks." The OpenSSL project has issued an advisory describing its response to a few vulnerabilities, POODLE included.
For those with an interest in the KVM hypervisor: the Linux Foundation's Open Virtualization Alliance has published a white paper [PDF] with an overview of KVM and where it is going. "OpenStack is one of the brightest spots for KVM. As cloud deployments gain in adoption, OpenStack is the leading open source option and has tremendous community momentum behind it. KVM is the most popular hypervisor for OpenStack deployments, so as OpenStack succeeds, so will KVM."
Fedora Magazine looks at new features in the Fedora 21 graphics stack. "This article details some of the driver support and feature updates that will be available for the graphics stack in Fedora 21. Note that this post does contain some pretty low level details about new drivers and features in Fedora 21. While most users won’t directly see many of these features in day to day usage, the effects of all these low-level updates make more graphics cards work better on Fedora. Special thanks to Adam Jackson for collating this list of updates for this article."
Red Hat has announced the release of the sixth update to RHEL 6. "From the kernel to the network stack, Red Hat Enterprise Linux 6.6 has been tuned to optimize performance. With support for higher processor counts and memory limits as well as kernel optimizations that allow for more efficient CPU utilization on large NUMA systems, Red Hat Enterprise Linux 6.6 better accommodates dense single-server workloads. Other system performance enhancements include support for additional 40 GbE network adapters, reductions in network latency and jitter, and support for high performance, low latency applications." See the release notes for details.
CentOS has updated rsyslog (C7: denial of service).
Oracle has updated rsyslog (OL7: denial of service).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), cups (RHEL6: multiple vulnerabilities), file (RHEL6: multiple vulnerabilities), glibc (RHEL6: two vulnerabilities), kernel (RHEL6: multiple vulnerabilities), krb5 (RHEL6: multiple vulnerabilities), luci (RHEL6: code execution), openssh (RHEL6: two vulnerabilities), rsyslog (RHEL7: denial of service), trousers (RHEL6: denial of service), and X11 client libraries (RHEL6: many vulnerabilities).
Scientific Linux has updated bind97 (SL5: denial of service), conga (SL5: multiple vulnerabilities), krb5 (SL5: multiple vulnerabilities), krb5 (SL5: code execution), php53 and php (SL5, SL6: multiple vulnerabilities), and rsyslog (SL7: denial of service).
SUSE has updated Containment-Studio (SUSE Studio: multiple vulnerabilities).
Version 2.0 of the CUPS printing system was released on October 1. In addition to marking the 15th anniversary of version 1.0, the 2.0 milestone primarily designates that CUPS has implemented a full set of APIs for running an HTTP and Internet Printing Protocol (IPP) service. This includes support for the IPP Everywhere effort that makes IPP printers available to smartphones, tablets, and other sub-PC devices. But there are many other enhancements as well, including improved system compatibility for Linux and several security fixes.
Scientific Linux has released version 7.0 of its enterprise Linux clone. "Fermilab's intention is to continue the development and support of Scientific Linux and refine its focus as an operating system for scientific computing." It is recommended to read both the Scientific Linux release notes and the RHEL7 release notes.
CentOS has updated krb5 (C5: code execution).
Fedora has updated check-mk (F20; F19: code execution and more), cscope (F19: insecure snapshots), ctags (F20: denial of service), golang (F20; F19: forged certificate ownership), kdelibs (F19: authorization bypass), lzo (F19: code execution), mantis (F20; F19: null byte poisoning), mksh (F20; F19: multiple issues), nginx (F20; F19: virtual host confusion attacks), nss (F19: signature forgery), nss-softokn (F19: signature forgery), nss-util (F19: signature forgery), openstack-neutron (F20: denial of service), phpMyAdmin (F19: cross-site scripting), rubygem-bundler (F20; F19: installs malicious gem files), seamonkey (F20; F19: multiple vulnerabilities), and xen (F20; F19: multiple vulnerabilities).
Gentoo has updated locale-maketext (multiple vulnerabilities).
The Linux Foundation has announced a new project, called Dronecode, that is concerned with free systems to drive autonomous vehicles — drones, in other words. There is a lot of code already in place, it seems. "Today more than 1,200 developers are working on Dronecode projects with more than 150 code commits a day on some projects." Andrew "Tridge" Tridgell is the chair of the project's steering committee.
The Fedora Board has approved (via a unanimous vote) the proposal for a new governance structure for the project based around a new Council. "The current Board will continue to perform its duties while it oversees an orderly transition. The Board will work with FESCo and FAmSCo to determine the Engineering and Outreach representatives for the new Council and will hold elections in the near future to determine the initial two Elected representatives. Once those four Council members are determined they will join the Fedora Project Leader and the Fedora Program Manager to form the initial Council. At that point the Council will take over the governance and leadership responsibilities for the Fedora Project." See this page for details of how the new structure will work.
Mageia has updates chromium-browser-stable (multiple vulnerabilities).
Red Hat has updated nss (RSA certificate forging).
Ubuntu has updated rsyslog (10.04, 12.04, 14.04: denial of service).
Here's a Fedora Magazine article on how Wayland works (or doesn't) in the upcoming Fedora 21 release. "The list of apps that don’t support Wayland yet is: Terminal, Empathy, Totem, PiTiVi, Sushi. From my experience the list is in fact longer. I couldn’t, for example, run GNOME’s “Software” application on Wayland. This also applies to pretty much all other applications (Firefox, LibreOffice, etc.) and you need to run them using XWayland. Fullscreen apps don’t work at all from my experience." The good news is that a lot of other stuff works well.
Debian has updated apt (file overwrite).
Fedora has updated curl (F19: multiple vulnerabilities), fish (F19; F20: multiple vulnerabilities), krfb (F19: multiple vulnerabilities), perl-Data-Dumper (F19: denial of service), and qemu (F20: code execution).
Mageia has updated bugzilla (multiple vulnerabilities), cacti (M4: multiple vulnerabilities), fish (M4: multiple vulnerabilities), golang (M4: forged certificate ownership), perl (M3; M4: denial of service), perl-Data-Dumper (denial of service), python-requests (M4: multiple vulnerabilities), rsyslog (denial of service), and torque (denial of service).
Ubuntu has updated bash (10.04, 12.04, 14.04: multiple vulnerabilities), EC2 kernel (10.04: multiple vulnerabilities), exuberant-ctags (12.04, 14.04: denial of service), kernel (10.04; 12.04; 14.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
The LWN.net Weekly Edition for October 9, 2014 is available.
David A. Wheeler examines the shellshock bash vulnerability, with a discussion on ways to detect or prevent future vulnerabilities, a timeline of what happened and when, some information about specific CVEs, and a few conclusions. "Shells are widely used on these systems to process commands, so there were many ways to exploit shellshock. This included web applications implemented using CGI that are written in bash or invoke bash subshells, sshd using ForceCommand (to limit access to specific actions), and DHCP clients connecting to subverted DHCP servers. The probability of vulnerability was somewhat less on Debian and Ubuntu, because their default non-interactive shell is dash (which was not vulnerable) instead of bash, but there were still cases where they could be vulnerable. One point of confusion about Debian and Ubuntu is that their default interactive shell is bash, while their default non-interactive shell is dash, and it is primarily the non-interactive shell (aka /bin/sh) that matters in the shellshock vulnerability. Similarly, Apple MacOS does not use bash in many circumstances, but there were cases where it could be vulnerable. Android systems use Linux but normally use the MirBSD (mksh) shell, which was not vulnerable."
Debian has updated rsyslog (integer overflow).
Red Hat has updated kernel (RHEL6.4 EUS: privilege escalation).
Ubuntu has updated apt (14.04, 12.04: file overwrite).
Version 2.0 of the Open Definition has been announced. The Open Definition seeks to define the meaning of "open" in the context of data, content, and more. "However, these benefits are at significant risk both from quality problems such as 'open-washing' (non-open data being passed off as open) and from fragmentation of the open data ecosystem due to incompatibility between the growing number of 'open' licenses. The Open Definition eliminates these risks and ensures we realize the full benefits of open by guaranteeing quality and preventing incompatibility."
CentOS has updated polkit-qt (C7: authorization bypass).
Mageia has updated dbus (multiple vulnerabilities), libvirt (two vulnerabilities), libvncserver (multiple vulnerabilities), mediawiki (two vulnerabilities), phpmyadmin (cross-site scripting), python (buffer overflow), squid (multiple vulnerabilities), and xerces-j2 (denial of service).
Oracle has updated polkit-qt (OL7: authorization bypass).
Red Hat has updated polkit-qt (RHEL7: authorization bypass).
HUP napi hírlevél
Legfrissebb Linux játékvideók
Legfrissebb HUP dokumentumok
Tört már össze mobiltelefonod kijelzője valaha?
Csak az eredmény érdekel.
Összes szavazat: 764