Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security advisories for Wednesday

Wed, 2014-11-19 18:46

CentOS has updated libvirt (C6: multiple vulnerabilities) and libXfont (C7: multiple vulnerabilities).

Debian has updated php5 (out-of-bounds read flaw) and php5 (regression in previous update).

Fedora has updated drupal7-ckeditor (F20; F19: cross-site scripting), geary (F20: TLS certificate issues), icecream (F20; F19: code execution), and nrpe (F20: code execution).

Mandriva has updated curl (information leak), dbus (multiple vulnerabilities), and gnutls (code execution).

openSUSE has updated dbus-1 (13.2, 13.1; 12.3: denial of service) and polarssl (13.2: two vulnerabilities).

Red Hat has updated kernel (RHEL6.4: denial of service), libvirt (RHEL6: multiple vulnerabilities), and libXfont (RHEL6,7: multiple vulnerabilities).

Scientific Linux has updated libvirt (SL6: multiple vulnerabilities) and libXfont (SL6,7: multiple vulnerabilities).

Categories: Linux

Today's Debian technical committee resignation: Ian Jackson

Wed, 2014-11-19 14:34
Ian Jackson has announced his immediate resignation from the Debian technical committee. "While it is important that the views of the 30-40% of the project who agree with me should continue to be represented on the TC, I myself am clearly too controversial a figure at this point to do so. I should step aside to try to reduce the extent to which conversations about the project's governance are personalised. And, speaking personally, I am exhausted." (Thanks to Mattias Mattsson).
Categories: Linux

Results for the Debian init system coupling GR

Wed, 2014-11-19 01:12
The preliminary results have been announced for the Debian general resolution on init system coupling. The winning option was #4, the one saying that no general resolution is required in this situation. So there will be no change in Debian policy resulting from this vote.
Categories: Linux

EFF: Let's Encrypt

Tue, 2014-11-18 23:15
The Electronic Frontier Foundation (EFF) is helping to launch a new non-profit organization that will offer free server certificates beginning in summer 2015. "Let's Encrypt is a new free certificate authority, which will begin issuing server certificates in 2015. Server certificates are the anchor for any website that wants to offer HTTPS and encrypted traffic, proving that the server you are talking to is the server you intended to talk to. But these certificates have historically been expensive, as well as tricky to install and bothersome to update. The Let's Encrypt authority will offer server certificates at zero cost, supported by sophisticated new security protocols. The certificates will have automatic enrollment and renewal, and there will be publicly available records of all certificate issuance and revocation." Let's Encrypt will be overseen by the Internet Security Research Group (ISRG), a California public benefit corporation.
Categories: Linux

Tuesday's security updates

Tue, 2014-11-18 18:05

CentOS has updated libxfont (C6: multiple vulnerabilities), mariadb (C7: multiple vulnerabilities), and mysql55-mysql (C5: multiple vulnerabilities).

Fedora has updated oath-toolkit (F20: denial of service), python-requests-kerberos (F20; F19: authentication bypass), and qpid-cpp (F19: xml exchange can be induced to make http requests).

openSUSE has updated flash-player (13.2, 13.1, 12.3: multiple vulnerabilities) and libreoffice (13.2: code execution).

Red Hat has updated bash Shift_JIS (RHEL5.9: multiple vulnerabilities).

Scientific Linux has updated mariadb (SL7: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities).

Ubuntu has updated mountall (14.10: privilege escalation).

Categories: Linux

Live kernel patching for SUSE Enterprise Linux

Tue, 2014-11-18 15:27
SUSE has announced that it is now using kGraft to make live kernel patches available for its enterprise distribution. "Unlike some other Linux kernel live patching technologies, SUSE Linux Enterprise Live Patching doesn't require stopping the whole system while it performs the patching. And because it is a fully open source solution, it allows for easy code review of the patch sources. SUSE is engaging with the upstream community to help ensure a sustainable future for kernel live patching on Linux in general and SUSE Linux Enterprise specifically."
Categories: Linux

Linux for lettuce (Opensource.com)

Mon, 2014-11-17 22:26
Opensource.com covers the founding of the Open Source Seed Initiative (OSSI) and its continuing efforts to apply the concepts of open source to plant breeding, in an increasingly patent-encumbered space. "OSSI’s de facto leader is Jack Kloppenburg, a social scientist at the University of Wisconsin who has been involved with issues concerning plant genetic resources since the 1980s. He has published widely about the concept behind OSSI, and his words are now echoed (even copied verbatim) by public plant-breeding advocates in Germany, France, and India. As he explains it, for most of human history, seeds have naturally been part of the commons—those natural resources that are inherently public, like air or sunshine. But with the advent of plant-related intellectual property and the ownership it enables, this particular part of the commons has become a resource to be mined for private gain. Thus the need for a protected commons—open source seed. Inspired by open source software, OSSI’s idea is to use “the master’s tools” of intellectual property, but in ways the master never intended: to create and enforce an ethic of sharing."
Categories: Linux

Colin Watson resigns from Debian Technical Committee

Mon, 2014-11-17 18:44
Colin Watson announced his resignation from the Debian Technical Committee before Russ. "I appreciate that the timing is such that this looks like a response to Joey's mails, or perhaps to some other recent discussions. That isn't the case. I've been doing a good deal of refactoring of my life recently as a result of realising that I was burning out, and right now it's important that I make an effort to spend my Debian time on things I find relaxing rather than things I've been finding stressful." (Thanks to Jeff Schroeder)
Categories: Linux

Security advisories for Monday

Mon, 2014-11-17 18:15

Debian has updated libgcrypt11 (side-channel attack).

Fedora has updated kde-workspace (F20; F19: privilege escalation), kernel (F19: multiple vulnerabilities), and konversation (F20; F19: information disclosure).

Gentoo has updated wget (symlink attack).

Mageia has updated dbus (denial of service), gnutls (code execution), kernel (MG4; MG3: multiple vulnerabilities), kernel-linus (MG4; MG3: multiple vulnerabilities), kernel-tmb (MG4; MG3: multiple vulnerabilities), and kernel-vserver (MG4: multiple vulnerabilities).

Red Hat has updated mariadb (RHEL7: multiple vulnerabilities), mariadb55-mariadb (RHSCL1: multiple vulnerabilities), and mysql55-mysql (RHEL5; RHSCL1: multiple vulnerabilities).

Scientific Linux has updated mysql55-mysql (SL5: multiple vulnerabilities).

Slackware has updated mozilla (multiple vulnerabilities).

Categories: Linux

Russ Allbery leaves the Debian technical committee

Mon, 2014-11-17 15:04
Another resignation in the Debian camp: Russ Allbery has become the second member of the project's technical committee to leave that committee. "I think project governance is a hard problem, and a worthwhile problem, and I hope that someone with good ideas will step forward and work on that problem. Debian is one of the largest free software projects, and one that faces a large number of hard decisions. If we can do that work well, it would be a valuable contribution to the broader community. But, right now, I don't feel like I'm helping that process, and at times am making it worse."
Categories: Linux

Fog Heen: Resigning as a Debian systemd maintainer

Mon, 2014-11-17 14:54
Here are Tollef Fog Heen's comments following his resignation as one of the systemd maintainers in Debian. "I've been a DD for almost 14 years, I should be able to weather any storm, shouldn't I? It turns out that no, the mountain does get worn down by the rain. It's not a single hurtful comment here and there. There's a constant drum about this all being some sort of conspiracy and there are sometimes flares where people wish people involved in systemd would be run over by a bus or just accusations of incompetence."
Categories: Linux

Kernel prepatch 3.18-rc5

Mon, 2014-11-17 14:42
Linus has released the 3.18-rc5 prepatch. "So we still have a few pending issues, but things look fairly normal. We've still got a few weeks to go before final, and the more you can test, the better off we'll be."
Categories: Linux

CyanogenMod 11 M12

Fri, 2014-11-14 22:33
CyanogenMod has announced a new milestone release of the 11.0 "KitKat" branch. The announcement also looks forward to the 12.0 "Lollipop" branch. "No doubt the big news at the beginning of November was the release of the Android 5.0 Lollipop source code. AOSP began seeing the code on the 3rd, and completed the majority of the push on the 4th, with some remaining stragglers seeing code uploaded midday on the 12th. Work on CM12 began in earnest at the end of last week, and you can now successfully sync and build the work in progress against a handful of devices."
Categories: Linux

Stable kernel updates

Fri, 2014-11-14 21:25
Greg Kroah-Hartman has released three stable kernels: 3.17.3, 3.14.24, and 3.10.60. All of them contain lots of important fixes throughout the tree.
Categories: Linux

Security advisories for Friday

Fri, 2014-11-14 17:25

Fedora has updated aircrack-ng (F20; F19: multiple vulnerabilities), gnutls (F20: three vulnerabilities), and python3 (F19: three vulnerabilities).

Mageia has updated claws-mail (M4: SSL certificate verification botch), curl (information leak), flash-player-plugin (many vulnerabilities), getmail (three vulnerabilities), kdebase4-workspace (M3: privilege escalation), libreoffice (M4; M3: two vulnerabilities), and ruby (denial of service).

openSUSE has updated openssl (13.2: multiple vulnerabilities).

Oracle has updated kernel 2.6.39 (OL6; OL5: two vulnerabilities) and kernel 3.8.13 (OL7; OL6: two vulnerabilities).

SUSE has updated flash-player (SLE12: three vulnerabilities) and java-1_7_0-openjdk (SLE12: multiple vulnerabilities).

Categories: Linux

Linux Security Distros Compared: Tails vs. Kali vs. Qubes (Lifehacker)

Fri, 2014-11-14 01:53
Three security-oriented Linux distributions are compared and contrasted over at Lifehacker. The three (Tails, Kali Linux, and Qubes OS) have distinct use cases that are surveyed in the article. "The crux of Tails is anonymity. While it has cryptographic tools in place, its main purpose is to anonymize everything you're doing online. This is great for most people, but it doesn't give you the freedom to do stupid things. If you log into your Facebook account under your real name, it's still going to be obvious who you are and remaining anonymous on an online community is a lot harder than it seems."
Categories: Linux

The Long and Winding Road (Mageia Blog)

Fri, 2014-11-14 00:40
Over on the Mageia Blog, Rémi Verschelde explains why the Mageia 5 Beta 1 took a month and a half longer than planned—but is now available. Upgrading to RPM 4.12 during the release process caused some problems, but there were other troubles along the way. "Still, while fixing our core tools during this first mass rebuild, some important changes were made to our RPM setup. As a consequence, half of the rebuilt packages (the ones built before our RPM setup changes) were lacking some important metadata. We then decided to do a second mass rebuild in October, which went quite fine apart from some issues with the Java stack. It was already late October when the first Beta 1 ISOs could be spun and delivered to the QA team for pre-release testing." Beta 2 has been pushed back to December 16, with a final release of Mageia 5 expected on January 31.
Categories: Linux

Thursday's security updates

Thu, 2014-11-13 15:37

Debian has updated iceweasel (multiple vulnerabilities).

openSUSE has updated docker, go (13.2: two vulnerabilities) and libreoffice (13.1: code execution).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

SUSE has updated OpenSSL (SLECT10; SLE11: multiple vulnerabilities) and wget (SLE10SP4; SLE11SP2, SLE11SP1: code execution).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).

Categories: Linux

[$] LWN.net Weekly Edition for November 13, 2014

Thu, 2014-11-13 02:33
The LWN.net Weekly Edition for November 13, 2014 is available.
Categories: Linux

Security advisories for Wednesday

Wed, 2014-11-12 18:55

CentOS has updated gnutls (C7: code execution), kdenetwork (C7: multiple vulnerabilities), kernel (C6: multiple vulnerabilities), and libvncserver (C7; C6: multiple vulnerabilities).

Debian has updated file (out-of-bounds read flaw) and nss (code execution).

Fedora has updated deluge (F20: deluge-web is vulnerable to POODLE), mokutil (F20; F19: multiple vulnerabilities), Pound (F20: multiple vulnerabilities), shim-signed (F20; F19: multiple vulnerabilities), and tnftp (F20: command execution).

Mageia has updated apt (code execution) and php (out-of-bounds read flaw).

openSUSE has updated ImageMagick (13.2, 13.1, 12.3: multiple vulnerabilities), konversation (13.2: information disclosure), libserf (13.2, 13.1, 12.3: man-in-the-middle attack), pidgin (13.2: multiple vulnerabilities), and sssd (13.2: restriction bypass).

Oracle has updated gnutls (OL7: code execution), kdenetwork (OL7: multiple vulnerabilities), kernel (OL6: multiple vulnerabilities), and libvncserver (OL7; OL6: multiple vulnerabilities).

Red Hat has updated gnutls (RHEL7: code execution), kdenetwork (RHEL7: multiple vulnerabilities), kernel (RHEL6: multiple vulnerabilities), and libvncserver (RHEL6,7: multiple vulnerabilities).

Scientific Linux has updated gnutls (SL7: code execution), kdenetwork (SL7: multiple vulnerabilities), kernel (SL6: multiple vulnerabilities), and libvncserver (SL6,7: multiple vulnerabilities).

SUSE has updated spacewalk-branding (SUSE Manager1.7: clarify CVE audit).

Ubuntu has updated cinder (14.04: information disclosure), keystone (14.04: information disclosure), neutron (14.04: denial of service), and nova (14.04: two vulnerabilities).

Categories: Linux