Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 7 perc 5 másodperc

Tuesday's security updates

k, 2016-06-07 17:38

Debian has updated spice (two vulnerabilities).

Debian-LTS has updated dhcpcd5 (code execution) and nss (cipher-downgrade attacks).

Fedora has updated glibc (F23: denial of service), nginx (F23: denial of service), and qemu (F22: multiple vulnerabilities).

openSUSE has updated clamav-database (Leap42.1: database refresh).

Oracle has updated spice (OL7: two vulnerabilities) and spice-server (OL6: two vulnerabilities).

Red Hat has updated glibc (RHEL6.5: sends DNS queries to random file descriptors), jenkins (RHOSE3.2: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).

Scientific Linux has updated spice (SL7: two vulnerabilities) and squid (SL7: multiple vulnerabilities).

SUSE has updated expat (SLE12-SP1: code execution).

Ubuntu has updated libxml2 (multiple vulnerabilities) and oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities).

Kategóriák: Linux

Open Build Service 2.7 released

h, 2016-06-06 22:25
Open Build Service 2.7 has been released. "Three large features around the topic of integrating external resources made it into this release. We worked on automatic tracking of moving repositories of development versions like Fedora Rawhide, distribution updates or rolling Linux releases like Arch. A change to the OBS git integration to enable developers to work on continuous builds. And last but not least an experimental KIWI import that can be used to easily migrate your images from SUSE studio."
Kategóriák: Linux

Security updates for Monday

h, 2016-06-06 18:07

Arch Linux has updated chromium (multiple vulnerabilities), ntp (multiple vulnerabilities), and webkit2gtk (code execution).

Debian has updated chromium-browser (multiple vulnerabilities), mariadb-10.0 (multiple vulnerabilities), and samba (regression in previous update).

Debian-LTS has updated libxml2 (multiple vulnerabilities).

Fedora has updated php (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), roundcubemail (F23; F22: cross-site scripting), sudo (F23: information leak), and xen (F23: multiple vulnerabilities).

Gentoo has updated gnupg (multiple vulnerabilities), libjpeg-turbo (information leak), puppet-agent (multiple vulnerabilities), and putty (multiple vulnerabilities).

openSUSE has updated Chromium (Leap42.1; 13.2: multiple vulnerabilities).

Slackware has updated ntp (multiple vulnerabilities).

SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).

Kategóriák: Linux

Kernel prepatch 4.7-rc2

h, 2016-06-06 03:00
The second 4.7 prepatch is now available for testing. Linus says: "There's a late non-fix I took even though the merge window is over, because I've been wanting it for a while. I doubt anybody notices the actual effects of a pty change/cleanup that means that our old disgusting DEVPTS_MULTIPLE_INSTANCES kernel config option is gone, because the cleanup means that it is no longer needed." For details on this change, see this article from last week's Kernel Page.
Kategóriák: Linux

Wolf: Stop it with those short PGP key IDs!

szo, 2016-06-04 01:12

At his blog, Gunnar Wolf urges developers to stop using "short" (eight hex-digit) PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild. The possibility of short-ID collisions has been known for a while, but it is still disconcerting to see in the wild. "Those three keys are not (yet?) uploaded to the keyservers, though... But we can expect them to appear at any point in the future. We don't know who is behind this, or what his purpose is. We just know this looks very evil."

Wolf goes on to note that short IDs are not merely human-readable conveniences, but are actually used to identify PGP keys in some software programs. To mitigate the risk, he recommends configuring GnuPG to never shows short IDs, to ensure that other programs do not consume short IDs, and to "only sign somebody else's key if you see and verify its full fingerprint. [...] And there are surely many other important recommendations. But this is a good set of points to start with."

Kategóriák: Linux

Friday's security updates

p, 2016-06-03 16:23

Debian has updated libxml2 (multiple vulnerabilities).

Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), libgd (M5: multiple vulnerabilities), nginx (M5: denial of service), pgpdump (M5: buffer overrun), and php (M5: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Ubuntu has updated nginx (14.04, 15.10, 16.04: denial of service).

Kategóriák: Linux

LWN.net Weekly Edition for June 3, 2016

p, 2016-06-03 02:19
The LWN.net Weekly Edition for June 3, 2016 is available.
Kategóriák: Linux

Patents and the open-source community

cs, 2016-06-02 21:05

At OSCON 2016 in Austin, a panel of invited experts debated the always-thorny subject of how open-source software projects deal with patents. The panel was packed, featuring representatives from the free-software world, commerce, and the legal community, so there was scarcely enough time to move through the prepared topics in the time allotted, much less to take questions from the audience. But the discussion was able to highlight a number of current issues, including patent abolition, implicit patent licenses, and where the open-source community should focus its efforts to improve matters.

Kategóriák: Linux

Security advisories for Thursday

cs, 2016-06-02 21:04

Arch Linux has updated nginx (denial of service) and nginx-mainline (denial of service).

Debian has updated nginx (denial of service).

Debian-LTS has updated gdk-pixbuf (buffer overflows), graphicsmagick (command execution), and imagemagick (command execution).

Fedora has updated compat-nettle27 (F23: improper cryptographic calculations), dosfstools (F22: two vulnerabilities), gd (F23: two vulnerabilities), kernel (F23; F22: multiple vulnerabilities), libimobiledevice (F22: sockets listening on INADDR_ANY), libusbmuxd (F22: sockets listening on INADDR_ANY), and phpMyAdmin (F23: three vulnerabilities).

SUSE has updated java-1_8_0-ibm (SLE12-SP1: multiple vulnerabilities) and ntp (SOSC5, SMP2.1, SM2.1, SLE11-SP2,3: multiple vulnerabilities).

Ubuntu has updated imagemagick (multiple vulnerabilities).

Kategóriák: Linux

[$] PostgreSQL 9.6 Beta and PGCon 2016

cs, 2016-06-02 18:13
PostgreSQL's annual developer conference, PGCon, took place in May, which made it a good place to get a look at the new PostgreSQL features coming in version 9.6. The first 9.6 beta was released just the week before and several contributors demonstrated key changes at the conference in Ottawa. For many users, this was the first time to see the finished versions of features that had been under development for months or years.
Kategóriák: Linux

Nextcloud launches

cs, 2016-06-02 15:26
For those who have been wondering about the exodus from ownCloud, the announcement of a company called "Nextcloud" should make things clear. "Started by the well known open source file sync and share developer Frank Karlitschek and joined by the most active contributors to his previous project, building on its mature code base, we offer a more reliable and sustainable solution for users and customers. We will develop a drop-in replacement for that legacy code base over the coming weeks, providing the bug fixes and security hardening all users need and the Enterprise Subscription capabilities enterprise customers require." See also this blog post from Jos Poortvliet.
Kategóriák: Linux

[$] Containers, pseudo TTYs, and backward compatibility

cs, 2016-06-02 01:12
There is no doubt that the addition of container technologies to Linux has created a lot of value, allowing workloads to be effectively and efficiently isolated from each other. Implementing these technologies presents a number of challenges, particularly as much of Linux and Unix was designed to use singletons: objects of which there could never ever be more than one, such as host names, network routing tables, or process-ID namespaces. Containers require this design approach to be revised as they need multiple instances of these objects. A singleton that has been causing problems recently is the set of pseudo terminals (TTYs).

Click below (subscribers only) for the full article from Neil Brown.

Kategóriák: Linux

Hertz: Abusing privileged and unprivileged Linux containers

cs, 2016-06-02 00:55
This white paper by Jesse Hertz [PDF] examines various ways to compromise and escape from containers on Linux systems. "A common configuration for companies offering PaaS solutions built on containers is to have multiple customers’ containers running on the same physical host. By default, both LXC and Docker setup container networking so that all containers share the same Linux virtual bridge. These containers will be able to communicate with each other. Even if this direct network access is disabled (using the –icc=false flag for Docker, or using iptables rules for LXC), containers aren’t restricted for link-layer traffic. In particular, it is possible (and in fact quite easy) to conduct an ARP spoofing attack on another container within the same host system, allowing full middle-person attacks of the targeted container’s traffic."
Kategóriák: Linux

Fresh stable kernels

cs, 2016-06-02 00:22
Greg KH has released stable kernels 4.6.1, 4.5.6, 4.4.12, and 3.14.71. All of them contain important fixes.
Kategóriák: Linux

Announcing the Open Source License API

sze, 2016-06-01 20:46
The Open Source Initiative (OSI) has announced the Open Source License API, to "allow third parties to become license-aware, and give organizations the ability to clearly determine if a license is, in fact, an Open Source license, from the authoritative source regarding Open Source licenses, the OSI."
Kategóriák: Linux

The CoreOS "Torus" distributed storage system

sze, 2016-06-01 19:33
CoreOS has announced a new project called Torus which is creating a distributed storage system for containers. "At its core, Torus is a library with an interface that appears as a traditional file, allowing for storage manipulation through well-understood basic file operations. Coordinated and checkpointed through etcd’s consensus process, this distributed file can be exposed to user applications in multiple ways. Today, Torus supports exposing this file as block-oriented storage via a Network Block Device (NBD). We also expect that in the future other storage systems, such as object storage, will be built on top of Torus as collections of these distributed files, coordinated by etcd." The project is quite young, and the current release is a "prototype version."
Kategóriák: Linux

Security advisories for Wednesday

sze, 2016-06-01 18:39

Debian has updated chromium-browser (multiple vulnerabilities) and imagemagick (command execution).

Debian-LTS has updated php5 (multiple vulnerabilities) and ruby-activemodel-3.2 (validation bypass).

openSUSE has updated dosfstools (Leap42.1, 13.2: two vulnerabilities), gdk-pixbuf (Leap42.1: three vulnerabilities), libarchive (13.2: code execution), openssh (Leap42.1: three vulnerabilities), p7zip (13.2: code execution), putty (Leap42.1, 13.2: code execution), and virtualbox (Leap42.1; 13.2: unspecified).

Oracle has updated ntp (OL7; OL6: multiple vulnerabilities), openssl (OL5: multiple vulnerabilities), squid (OL7; OL6: multiple vulnerabilities), and squid34 (OL6: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Scientific Linux has updated openssl (SL5: code execution).

SUSE has updated cyrus-imapd (SLES12-SP1; SLE11-SP4: multiple vulnerabilities) and java-1_6_0-ibm (SLEM for LS12: multiple vulnerabilities).

Ubuntu has updated dosfstools (two vulnerabilities), kernel (14.04: multiple vulnerabilities), libgd2 (multiple vulnerabilities), and lxd (16.04, 15.10: two vulnerabilities).

Kategóriák: Linux

Tor Browser 6.0 is released

sze, 2016-06-01 00:27
The Tor Browser Team has announced the release of Tor browser 6.0. This release brings the browser up-to-date with Firefox 45-ESR, which provides better support for HTML5 video on Youtube, as well as a host of other improvements. DuckDuckGo is now the default search engine. "Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has no access to Google search results anymore which we used in Tor Browser. Disconnect being more a meta search engine which allows users to choose between different search providers fell back to delivering Bing search results which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation we asked them to change the fallback to DuckDuckGo as their search results are strictly better than the ones Bing delivers."
Kategóriák: Linux

Security updates for Tuesday

k, 2016-05-31 20:47

Arch Linux has updated chromium (multiple vulnerabilities).

CentOS has updated ntp (C7; C6: multiple vulnerabilities), openssl (C5: code execution), squid (C7; C6: multiple vulnerabilities), and squid34 (C6: multiple vulnerabilities).

Debian has updated gdk-pixbuf (two vulnerabilities) and symfony (two vulnerabilities).

Debian-LTS has updated eglibc (multiple vulnerabilities), libtasn1-3 (denial of service), openafs (multiple vulnerabilities), pdns (insecure database permissions), phpmyadmin (regression in previous update), postgresql-9.1 (multiple vulnerabilities), ruby-activerecord-3.2 (restriction bypass), and wireshark (multiple vulnerabilities).

Fedora has updated bugzilla (F23; F22: cross-site scripting), kf5-kinit (F23: insecure permissions), libarchive (F22: code execution), libimobiledevice (F23: sockets listening on INADDR_ANY), libusbmuxd (F23: sockets listening on INADDR_ANY), php (F23: two vulnerabilities), qemu (F23: multiple vulnerabilities), webkitgtk4 (F23: two vulnerabilities), and xen (F23; F22: privilege escalation).

Gentoo has updated libfpx (denial of service), nss (multiple vulnerabilities), pam (multiple vulnerabilities), and rsync (multiple vulnerabilities).

Mageia has updated botan (two vulnerabilities), docker (privilege escalation), mediawiki (multiple vulnerabilities), and phpmyadmin (cross-site scripting).

openSUSE has updated Chromium (SPH for SLE12; Leap42.1: multiple vulnerabilities), expat (13.2: two vulnerabilities), libxml2 (13.2: two vulnerabilities), libxslt (13.2: denial of service), phpMyAdmin (Leap42.1, 13.2: cross-site scripting), redis (Leap42.1, 13.2: denial of service), and samba (13.2: man-in-the-middle attack).

Red Hat has updated ntp (RHEL6,7: multiple vulnerabilities), openssl (RHEL5: code execution), python27 (RHSCL2.2: multiple vulnerabilities), squid (RHEL7; RHEL6: multiple vulnerabilities), and squid34 (RHEL6: multiple vulnerabilities).

Slackware has updated imagemagick (shell vulnerability), libxml2 (three vulnerabilities), libxslt (denial of service), thunderbird (multiple vulnerabilities), and php (multiple vulnerabilities).

SUSE has updated Xen (SLES10-SP4: multiple vulnerabilities).

Kategóriák: Linux

Rutkowska: Security challenges for the Qubes build process

k, 2016-05-31 17:14
Qubes founder Joanna Rutkowska writes about how Qubes works to avoid building compromised software into its distribution. "Ultimately, we would like to introduce a multiple-signature scheme, in which several developers (from different countries, social circles, etc.) can sign Qubes-produced binaries and ISOs. Then, an adversary would have to compromise all the build locations in order to get backdoored versions signed. For this to happen, we need to make the build process deterministic (i.e. reproducible). Yet, this task still seems to be years ahead of us."
Kategóriák: Linux