Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 21 minutes 15 seconds ago
The Free Software Foundation has announced the winners of its 2015 Software Freedom Awards: the Library Freedom Project won the award for projects of social benefit, while GnuPG maintainer Werner Koch received the award for the advancement of free software.
InfoWorld takes a look at Redox OS. "Redox uses Rust for its kernel-level code to provide more memory safety considerations than C allows by default. But the project doesn't simply rewrite Linux in a new language. Redox discards as much from Linux's version of the Unix tradition as it keeps. As explained in the project's wiki and design documents, Redox uses a minimal set of syscalls -- a deliberately smaller subset than what Linux supports so as to avoid legacy bloat. The OS also uses a microkernel design to stay slender, in contrast to Linux's monolithic kernel."
Fedora has updated drupal6-emfield (F23; F22: access bypass), firefox (F23: multiple vulnerabilities), git (F23: code execution), libotr (F23; F22: code execution), libvpx (F23: code execution), mod_auth_mellon (F23: denial of service), proftpd (F23; F22: weak key usage), webkitgtk3 (F23: multiple vulnerabilities), websvn (F23; F22: cross-site scripting), and xen (F23; F22: multiple vulnerabilities).
Gentoo has updated openssl (multiple vulnerabilities).
openSUSE has updated bind (13.2; 13.1; 11.4: two vulnerabilities), bsh2 (13.2: code execution), cgit (13.1; 11.4: code execution), Chromium (13.1: multiple vulnerabilities), git (13.1; 11.4: code execution), and rubygem-actionpack-3_2 (13.2: two vulnerabilities).
SUSE has updated bind (SLE11-SP2,3,4: two vulnerabilities), firefox (SLES10-SP4: multiple vulnerabilities), samba (SLE11-SP4: privilege escalation), tomcat (SLES12: multiple vulnerabilities), and tomcat6 (SLES11-SP4: multiple vulnerabilities).
At his blog, Alexander Larsson announces the release of version 0.5 of the GNOME xdg-app application sandboxing framework. The mailing list announcement provides a bit more detail on what is new, such as an API for creating graphical xdg-app front-ends, support for AppData metadata, and a new helper tool for those building app bundles. Larsson notes that his initial goals for the project were "make it possible for 3rd parties to create and distribute applications that work on multiple distributions" and "run applications with as little access as possible to the host. (For example access to the network or the users files.)" With the 0.5 release, he said, he considers the first goal met.
Debian has updated xen (multiple vulnerabilities).
Fedora has updated jenkins (F23; F22: multiple vulnerabilities), jenkins-remoting (F23; F22: multiple vulnerabilities), python-django (F23; F22: multiple vulnerabilities), rubygem-actionpack (F23; F22: code injection), and rubygem-actionview (F23; F22: code injection).
Scientific Linux has updated OpenAFS (SL 5,6,7: multiple vulnerabilities).
Slackware has updated mozilla-firefox (multiple vulnerabilities).
Ubuntu has updated pam (12.04: multiple vulnerabilities).
The information is unsurprising, since it has been strongly suspected for years, but its method of disclosure is rather amusing: Edward Snowden was the target when the US government went after the Lavabit email service. In the response to a request that the government unseal more documents in its case against him, Lavabit owner Ladar Levison got more than he bargained for—the target email address, Ed_Snowden@lavabit.com, was not redacted in one place, as WIRED reports. "WIRED spoke with Levison, prior to his learning that the government had made the redaction error, about his struggle to obtain transparency. 'Three years later, I still cannot tell you who they were after. I keep getting asked the question, and I can't answer.' Now, it appears he doesn't have to. The government has answered for him."
openSUSE has updated bsh2 (42.1: code execution), cgit (42.1, 13.2: two code execution flaws), git (42.1, 13.2: two code execution flaws), graphite2 (13.2: multiple vulnerabilities), and rubygem-actionview-4_2 (42.1: code execution).
Oracle has updated bind (OL5; OL6; OL7: two vulnerabilities), bind97 (OL5: two vulnerabilities), kernel (OL5: two vulnerabilities, one from 2013), and thunderbird (OL6; OL7: multiple vulnerabilities).
Ubuntu has updated pam (regression in earlier security update).
The LWN.net Weekly Edition for March 17, 2016 is available.
Greg Kroah-Hartman has released stable kernels 4.4.6, 3.14.65, and 3.10.101. Each contains the usual set of important fixes.
No Starch Press recently released a book about working with automotive software systems: The Car Hacker's Handbook: A Guide for the Penetration Tester, written by Craig Smith. The book is an expansion of Smith's popular and widely circulated e-book of the same title. The old version remains available online at no cost, but there is considerably more content in the new revision—enough to make it a tempting purchase not just for automotive-software fans in general, but for those interested in embedded-device security and in reverse engineering other classes of consumer product.
The kernel's control-group mechanism allows processes to be divided into groups for the purposes of tracking and resource control. Both the API and underlying implementation of this mechanism have been going through considerable change in recent years. As part of that change, the newer control-group API has lost the ability to separately manage threads within a process, a loss that is not welcome in some quarters. Current work to replace that functionality is not finding an entirely warm reception either, though.
Debian has updated spip (two vulnerabilities).
Red Hat has updated kernel (RHEL5: two vulnerabilities), rh-php56-php (RHSCL: multiple vulnerabilities), rh-ror41-rubygem-actionview (RHSCL: two vulnerabilities), ror40 (RHSCL: multiple vulnerabilities), and ruby193 (RHSCL: multiple vulnerabilities).
SUSE has updated bind (SLE12: two vulnerabilities), graphite2 (SLE12-SP1: multiple vulnerabilities), java-1_6_0-ibm (SLES11-SP3; SLES10-SP4: multiple vulnerabilities), firefox, nspr, nss (SLE11-SP4: multiple vulnerabilities), sles11sp4-docker-image (SLEM12: multiple vulnerabilities), sles12-docker-image (SLEM12: multiple vulnerabilities), and kernel (SLE12: multiple vulnerabilities).
The CyanogenMod Android distribution has finally moved into the "Marshmallow" era with CM13.0 Release 1. "We left the M release builds in the oven longer than we thought, but nothing a little graham cracker and chocolate can’t make that much better. CM13.0 brings Android 6.0.1 (r17) goodies such as the battery saving ‘doze’ functionality and new permissions model, alongside the CM features you’d expect." Other changes include the removal of WhisperPush, the removal of the "quick unlock" feature, a switch to the standard Android messaging app, a new "Snap" camera app, and more.
Arch Linux has updated dropbear (information disclosure).
Ubuntu has updated exim4 (two vulnerabilities), kernel (15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: code execution).
Videos from the NetDev 1.1 conference are now available on YouTube. "It took us a while to edit and to upload these ~100 Gbytes of videos, so thanks for your patience." LWN covered several sessions from this event.
As was discussed at the 2015 Kernel Summit, there are essentially no commercial Android devices running mainline kernels. At the recently concluded Linaro Connect event, though, John Stultz demonstrated a Nexus 7 tablet running mainline with just a few patches. It even has accelerated graphics via the freedreno driver. "This is really great, because we now have a very-close to mainline test bed on an actual consumer device. So we can make sure upstream doesn't introduce any regressions (just recently, two ABI breaks that affected android were recently caught) and allows us to make sure when we push Android functionality upstream, that any interface changes required by maintainers can be properly tested to make sure what lands upstream really works."
Stéphane Graber provides an introduction to LXD. "LXD focuses on system containers, also called infrastructure containers. That is, a LXD container runs a full Linux system, exactly as it would be when run on metal or in a VM. Those containers will typically be long running and based on a clean distribution image. Traditional configuration management tools and deployment tools can be used with LXD containers exactly as you would use them for a VM, cloud instance or physical machine."
Arch Linux has updated bind (multiple vulnerabilities), openssh (command injection), pcre (code execution), pidgin-otr (code execution), wireshark-cli (multiple dissector crashes), wireshark-gtk (multiple dissector crashes), and wireshark-qt (multiple dissector crashes).
Fedora has updated bind (F23: multiple vulnerabilities), exim (F23; F22: privilege escalation), kernel (F22: denial of service), libssh (F22: insecure ssh sessions), openssh (F23: command injection), openssl (F22: multiple vulnerabilities), perl (F22: ambiguous environment), php (F22: multiple vulnerabilities), php-htmLawed (F22: unspecified vulnerability), php-udan11-sql-parser (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), and samba (F23; F22: incorrect ACL get/set allowed on symlink path).
Gentoo has updated chromium (many vulnerabilities), ffmpeg (many vulnerabilities), flash-player (multiple vulnerabilities), flightgear (two vulnerabilities from 2012), icedtea (multiple vulnerabilities), libreswan (denial of service), oracle-jre-bin (multiple vulnerabilities), qtgui (multiple vulnerabilities), and vlc (multiple vulnerabilities).
openSUSE has updated Adobe (13.1: multiple vulnerabilities), Chromium (13.2: multiple vulnerabilities), Firefox (13.1: multiple vulnerabilities), libotr, libotr2 (13.1: code execution), and firefox (Leap42.1, 13.2: multiple vulnerabilities).
SUSE has updated firefox, nss, nspr (SLE12-SP1: multiple vulnerabilities).
Ubuntu has updated graphite2 (15.10, 14.04: multiple vulnerabilities).
Linus has released the 4.5 kernel. "So this is later on a Sunday than my usual schedule, because I just couldn't make up my mind whether I should do another rc8 or not, and kept just waffling about it. In the end, I obviously decided not to, but it could have gone either way." Some of the headline features from the development cycle are dm-verity forward error correction, optional mandatory locking, the new copy_file_range() system call, the SOCK_DESTROY operation, another set of persistent-memory improvements, extended address-space layout randomization on 32-bit systems, the MADV_FREE option for madvise(), the UBSAN checker tool, some extensions to epoll_wait(), project quotas for the ext4 filesystem, and more.
Michael Catanzaro laments the poor level of security provided by free-software applications, focusing on TLS verification issues in particular. "In the case of Shotwell, the issue has been fixed in git, but it might never be released because nobody works on Shotwell anymore. I informed distributors of the Shotwell vulnerability three months ago via the GNOME distributor list, our official mechanism for communicating with distributions, and advised them to update to a git snapshot. Most distributions ignored it. This is completely typical; to my knowledge, the stable releases of all Linux distributions except Fedora are still vulnerable."