Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Version 3.9 of the LLVM compiler suite is out. "This release is the result of the LLVM community's work over the past six months, including ThinLTO, new libstdc++ ABI compatibility, support for all OpenCL 2.0 and all non-offloading OpenMP 4.5 features, clang-include-fixer, many new clang-tidy checks, significantly improved ELF linking with lld, identical code folding and initial LTO support in lld, as well as improved optimization, many bug fixes and more."
The announcement of a project to develop the "Kool Desktop Environment" went out on October 14, 1996. As the 20th anniversary of that announcement approaches, the KDE project is celebrating with a project timeline and a 20 Years of KDE book. "This book presents 37 stories about the technical, social and cultural aspects that shaped the way the KDE community operates today. It has been written as part of the 20th anniversary of KDE. From community founders and veterans to newcomers, with insights from different perspectives and points of view, the book provides you with a thrilling trip through the history of such an amazing geek family."
The 4.8-rc5 kernel prepatch is available for testing. "So rc5 is noticeably bigger than rc4 was, and my hope last week that we were starting to calm down and shrink the releases seems to have been premature. [...] Not that any of this looks worrisome per se, but if things don't start calming down from now, this may be one of those releases that will need an rc8. We'll see."
The specification for the Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.
Debian has updated libidn (multiple vulnerabilities).
Debian-LTS has updated mailman (password disclosure).
Fedora has updated canl-c (F24; F23: proxy manipulation), krb5 (F23: denial of service), libksba (F24: denial of service), openvpn (F23: information disclosure), tomcat (F24; F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities).
openSUSE has updated karchive (SLE12: command execution).
The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. "[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers."
Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In response to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is that the PMC has been requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.)
Also of interest is this note on how the handling of CVE-2016-1513 went.
OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. Also in this release, new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.
Debian-LTS has updated cacti (authentication bypass).
Red Hat has updated ipa (RHEL 6,7: denial of service).
Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).
Here's a lengthy Ars Technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."
The LWN.net Weekly Edition for September 1, 2016 is available.
Some of the most important discussions associated with the annual Kernel Summit do not happen at the event itself; instead, they unfold prior to the summit on the planning mailing list. There is value in learning what developers feel needs to be talked about and, often, important issues can be resolved before the summit itself takes place. That list has just hosted (indeed, is still hosting as of this writing) a voluminous discussion on license enforcement that was described by some participants as being "pointless" or worse. But that discussion has served a valuable purpose: it has brought to the light a debate that has long festered under the surface, and it has clarified where some of the real disagreements lie.
LWN covered a memory corruption vulnerability (CVE-2016-1513) in Apache OpenOffice that was disclosed before a fix was available. Now a hotfix for the problem has been released. "The official Apache OpenOffice security bulletin was announced on July 21, 2016. Affected is Apache OpenOffice 4.1.2 and older on all platforms and all languages. OpenOffice.org versions are also affected. The Apache OpenOffice project recommends updating to the latest version 4.1.2 and then downloading and installing the Zip file from the table below. Please follow the installation instructions in the respective Readme file." (Thanks to Cesar Eduardo Barros.)
Arch Linux has updated mupdf (denial of service).
Debian-LTS has updated tiff (multiple vulnerabilities).
Fedora has updated krb5 (F23: denial of service).
Mageia has updated bsdiff (denial of service), ctdb (privilege escalation), curl (three vulnerabilities), fontconfig (privilege escalation), gnupg/libgcrypt (flawed random number generation), kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), mupdf (denial of service), nettle/nettle2.7 (information leak), openssh (three vulnerabilities), php (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), postgresql (two vulnerabilities), and python-django (cross-site scripting).
openSUSE has updated libqt4 (Leap42.1: unsafe SSL ciphers).
Red Hat has updated rh-postgresql94-postgresql (RHSCL: two vulnerabilities).
SUSE has updated firefox (SLE11-SP4: multiple vulnerabilities).
The Red Hat Developer blog looks at the latest updates to the GNU toolchain. GCC 6.2 and GDB 7.11.1 are mostly bug-fix releases, but GCC contains a few enhancements for SPARC users and there's a look at what's coming in GDB 7.12. Glibc 2.24 contains many new features and enhancements. "A new NSS action is added to facilitate large distributed system administration. The action, MERGE, allows remote user stores like LDAP to be merged into local user stores like /etc/groups in order to provide easy to use, updated, and managed sets of merged credentials."
We recently pointed to Lubomir Rintel's coverage of NetworkManager 1.4. Thomas Haller follows up with a more detailed look at the MAC spoofing capabilities of NetworkManager. "1.2.0 relies on support from wpa_supplicant to configure a random MAC address. The problem is that it requires API which will only be part of the next major release 2.6 of the supplicant. Such a release does not yet exist to this date and thus virtually nobody is using this feature. With NetworkManager 1.4.0, changing of the MAC address is done by NetworkManager itself, requiring no support from the supplicant. This also allows for more flexibility to generate “stable” addresses and the “generate-mac-address-mask”. Also, the same options are now available not only for Wi-Fi, but also Ethernet devices."
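The mask mentioned above decides which bits of the hardware address survive randomization. The following is an added example, not NetworkManager's own code, that applies a mask the way NetworkManager's documentation describes it: bits set in the mask are kept from the device's current address, clear bits are randomized, the multicast bit is always cleared, and with no mask at all the result is a fully random, locally administered address. The "stable" derivation below (a SHA-256 over an assumed per-host secret and a per-connection stable-id) is an illustration of the idea, not NetworkManager's actual algorithm; the sample device address and the secret are constructed for the demo.

```python
# Added example (not NetworkManager's code): applying a
# generate-mac-address-mask to a device's current MAC address.
# The "stable" derivation is an assumed stand-in, not NetworkManager's own.
import hashlib
import os


def parse_mac(text):
    """'00:11:22:33:44:55' -> 6 bytes; rejects anything that is not six octets."""
    octets = bytes(int(part, 16) for part in text.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets: %r" % text)
    return octets


def format_mac(octets):
    return ":".join("%02x" % b for b in octets)


def apply_mac_mask(current, mask, random_bytes):
    """Combine the current address with random bytes under a mask.

    Set bits of `mask` are copied from `current`; clear bits come from
    `random_bytes`.  With mask=None every bit is random and the
    locally-administered bit (bit 1 of octet 0) is forced on.  In every
    case the multicast bit (bit 0 of octet 0) is cleared so the result is
    a unicast address.
    """
    cur = parse_mac(current)
    rnd = bytes(random_bytes[:6])
    if len(rnd) != 6:
        raise ValueError("need six random bytes")
    if mask is None:
        out = bytearray(rnd)
        out[0] |= 0x02                      # locally administered
    else:
        msk = parse_mac(mask)
        out = bytearray((c & m) | (r & ~m & 0xFF)
                        for c, m, r in zip(cur, msk, rnd))
    out[0] &= 0xFE                          # unicast
    return format_mac(out)


def random_mac(current, mask=None):
    """'random' mode: fresh entropy on every activation."""
    return apply_mac_mask(current, mask, os.urandom(6))


def stable_mac(current, stable_id, host_secret, mask=None):
    """'stable' mode: the same address every time for one connection on one
    host, different across connections and hosts.  The hash input here is
    an assumption for illustration only."""
    digest = hashlib.sha256(host_secret + b"\0" + stable_id.encode()).digest()
    return apply_mac_mask(current, mask, digest[:6])


if __name__ == "__main__":
    device = "00:11:22:33:44:55"            # constructed sample device MAC
    keep_oui = "FE:FF:FF:00:00:00"          # keep vendor prefix, randomize the rest
    print("random, no mask :", random_mac(device))
    print("random, keep OUI:", random_mac(device, keep_oui))
    print("stable, keep OUI:", stable_mac(device, "home-wifi", b"host-secret", keep_oui))
```

A mask of FE:FF:FF:00:00:00 keeps the first three octets, so the vendor prefix (OUI) of the real interface remains visible to anyone on the link; that is convenient for networks that filter by vendor, but it gives away more than the default, fully randomized, locally administered address does. The "stable" variant is what makes a randomized address usable on networks that register clients by MAC: it stays constant for one connection profile but does not link the device across different networks.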
Arch Linux has updated mupdf (denial of service).
Debian-LTS has updated gnupg (flawed random number generation).
Fedora has updated borgbackup (F24; F23: directory traversal), freeipa (F24; F23: denial of service), java-1.8.0-openjdk-aarch32 (F24: multiple vulnerabilities), rubygem-actionpack (F24; F23: unsafe query generation), and rubygem-activerecord (F24; F23: unsafe query generation).
openSUSE has updated kernel (13.1: multiple vulnerabilities).
Slackware has updated kernel (TCP connection takeover).
Open-source font developer Vernon Adams has passed away in California at the age of 49. In 2014, Adams was injured in an automobile collision, sustaining serious trauma from which he never fully recovered. Perhaps best known within the Linux community as the creator of KDE's user-interface font Oxygen, Adams created a total of 51 font families published through Google Fonts, all under open licenses. He was also active in a number of related free-software projects, including FontForge, Metapolator, and the Open Font Library. In 2012, he co-authored the user's guide for FontForge as part of Google's Summer of Code Documentation Camp, which we reported on at that time.
Speaking personally, Vernon was always quick to offer encouragement and assistance to newcomers—regardless of their experience with type design, FontForge, or free software in general. There were also few people who put as much energy into improving the usability of free-software design tools as he did. In addition, he was a constant advocate for free-software principles in the world of fonts—not just on development lists and at libre graphics conferences, but on type forums as well, where "open source" did not automatically garner a warm reception. The tagline on his web site was "fonts for everyone," and he meant it. He'll
Arch Linux has updated wireshark-cli (multiple vulnerabilities).
Debian has updated mupdf (two denial of service flaws).
openSUSE has updated Firefox (13.1: buffer overflow), firefox, nss (Leap42.1, 13.2: buffer overflow), phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities), and typo3-cms-4_5 (Leap42.1, 13.2: three vulnerabilities).
Hanno Böck performed some fuzz testing on the dpkg and RPM package managers and reported the results; it seems that one of the projects has been rather more responsive than the other in fixing these issues. "The development process of RPM seems to be totally chaotic, it's neither clear where one reports bugs nor where one gets the latest code and security bugs don't get fixed within a reasonable time. There's been some recent events that make me feel especially worried about this..." It seems that some of the maintenance issues with RPM may not have improved greatly since they were reported here ten years ago.