Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security updates for Friday

Fri, 2016-05-20 16:22

Arch Linux has updated bugzilla (cross-site scripting).

Debian has updated librsvg (three vulnerabilities).

Debian-LTS has updated expat (code execution) and libgd2 (denial of service).

Mageia has updated dhcpcd (code execution from 2014), expat (code execution), gdk-pixbuf2.0 (code execution), icu (code execution), imagemagick/ruby-rmagic (multiple vulnerabilities), libxml2 (two denial of service flaws), perl (denial of service), and xerces-c (code execution).

openSUSE has updated libksba (13.2: two vulnerabilities) and php5 (42.1: multiple vulnerabilities).

Red Hat has updated Red Hat OpenShift Enterprise 3.1 (unauthorized access) and Red Hat OpenShift Enterprise 3.2 (three vulnerabilities).

SUSE has updated openssl (SLE10: multiple vulnerabilities).

Categories: Linux

Linux containers vs. VMs: A security comparison (InfoWorld)

Fri, 2016-05-20 02:18
Over at InfoWorld, Jim Reno compares the security of virtual machines (VMs) and containers. "Which is more secure?" is a question that is often asked, but the answer, of course, is "it depends". Reno analyzes the attack surface of each to help in choosing between VMs and containers. "Many legacy VM applications treat VMs like bare metal. In other words, they have not adapted their architectures specifically for VMs or for security models not based on perimeter security. They might install many services on the same VM, run the services with root privileges, and have few or no security controls between services. Rearchitecting these applications (or more likely replacing them with newer ones) might use VMs to provide security separation between functional units, rather than simply as a means of managing larger numbers of machines. Containers are well suited for microservices architectures that “string together” large numbers of (typically) small services using standardized APIs. Such services often have a very short lifetime, where a containerized service is started on demand, responds to a request, and is destroyed, or where services are rapidly ramped up and down based on demand. That usage pattern is dependent on the fast instantiation that containers support. From a security perspective it has both benefits and drawbacks."
Categories: Linux

Berkus: Changing PostgreSQL Version Numbering

Thu, 2016-05-19 20:16
On his blog, Josh Berkus asks about the effects of changing how PostgreSQL numbers its releases. There is talk of moving from an x.y.z scheme to an x.y scheme, where x would increase every year to try to reduce "the need to explain to users that 9.5 to 9.6 is really a major version upgrade requiring downtime". He is wondering what impacts that will have on users, tools, scripts, packaging, and so on. "The problem is the first number, in that we have no clear criteria when to advance it. Historically, we've advanced it because of major milestones in feature development: crash-proofing for 7.0, Windows port for 8.0, and in-core replication for 9.0. However, as PostgreSQL's feature set matures, it has become less and less clear on what milestones would be considered "first digit" releases. The result is arguments about version numbering on the mailing lists every year which waste time and irritate developers."
Categories: Linux

Stable kernels 4.5.5, 4.4.11, and 3.14.70

Thu, 2016-05-19 16:42
Greg Kroah-Hartman has released the 4.5.5, 4.4.11, and 3.14.70 stable kernels. Users of those series should upgrade.
Categories: Linux

Thursday's security advisories

Thu, 2016-05-19 16:39

Arch Linux has updated p7zip (two code execution flaws).

Debian has updated swift-plugin-s3 (replay attack).

Debian-LTS has updated icedove (armhf: three vulnerabilities), nss (multiple vulnerabilities), and phpmyadmin (multiple vulnerabilities).

Mageia has updated cacti (two SQL injection flaws), chromium-browser-stable (multiple vulnerabilities), dosfstools (two vulnerabilities), libarchive (code execution), libksba (three vulnerabilities), libndp (man-in-the-middle attacks), mariadb (multiple vulnerabilities), moodle (multiple vulnerabilities), qemu (multiple vulnerabilities), and xymon (multiple vulnerabilities).

openSUSE has updated php5 (13.2: multiple vulnerabilities).

SUSE has updated firefox (SLE10: multiple vulnerabilities).

Ubuntu has updated firefox (fix to previous security update), oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities), and thunderbird (multiple vulnerabilities).

Categories: Linux

LWN.net Weekly Edition for May 19, 2016

Thu, 2016-05-19 05:05
The LWN.net Weekly Edition for May 19, 2016 is available.
Categories: Linux

Security advisories for Wednesday

Wed, 2016-05-18 19:23

Arch Linux has updated expat (code execution) and lib32-expat (code execution).

CentOS has updated libndp (C7: man-in-the-middle attacks).

Debian has updated expat (code execution).

Debian-LTS has updated libidn (information disclosure), librsvg (denial of service), and xen (multiple vulnerabilities).

Fedora has updated dhcp (F22: denial of service).

openSUSE has updated cacti (Leap42.1, 13.2: SQL injection), Chromium (SPH for SLE12: multiple vulnerabilities), go (Leap42.1: two vulnerabilities), GraphicsMagick (Leap42.1, 13.2: multiple vulnerabilities), imlib2 (13.2: multiple vulnerabilities), libressl (13.2: multiple vulnerabilities), librsvg (Leap42.1, 13.2: denial of service), mercurial (Leap42.1, 13.2: code execution), mysql-community-server (Leap42.1, 13.2: multiple vulnerabilities), ntp (Leap42.1: multiple vulnerabilities), ocaml (13.2: information leak), poppler (13.2: denial of service), and proftpd (Leap42.1, 13.2: weak key usage).

Oracle has updated kernel (OL6: multiple vulnerabilities), kernel 4.1.12 (OL7; OL6: three vulnerabilities), libndp (OL7: man-in-the-middle attacks), and qemu-kvm (OL6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: privilege escalation) and thunderbird (SL5,7: two vulnerabilities).

SUSE has updated xen (SLE12: multiple vulnerabilities).

Ubuntu has updated expat (code execution), libarchive (code execution), libksba (multiple vulnerabilities), and samba (12.04: regression in previous update).

Categories: Linux

Docker 1.11: The first runtime built on containerd and based on OCI technology

Wed, 2016-05-18 00:41
Docker Engine 1.11 has been released, built on runC and containerd. "runC is the first implementation of the Open Containers Runtime specification and the default executor bundled with Docker Engine. Thanks to the open specification, future versions of Engine will allow you to specify different executors, thus enabling the ecosystem of alternative execution backends without any changes to Docker itself. By separating out this piece, an ecosystem partner can build their own compliant executor to the specification, and make it available to the user community at any time – without being dependent on the Engine release schedule or wait to be reviewed and merged into the codebase."
Categories: Linux

Tuesday's security advisories

Tue, 2016-05-17 17:59

Debian has updated imagemagick (multiple vulnerabilities) and libndp (man-in-the-middle attacks).

Debian-LTS has updated squid3 (multiple vulnerabilities).

Fedora has updated ioprocess (F23; F22: invalid md5sum), libarchive (F23: code execution), libksba (F23: denial of service), and owncloud (F23; F22: undisclosed vulnerabilities).

Gentoo has updated chromium (multiple vulnerabilities).

openSUSE has updated atheme (Leap42.1, 13.2: two vulnerabilities), flash-player (13.2; 13.1; 11.4: multiple vulnerabilities), quagga (Leap42.1, 13.2: denial of service), quassel (Leap42.1, 13.2: denial of service), and varnish (13.2: access control bypass).

Red Hat has updated libndp (RHEL7: man-in-the-middle attacks).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities) and ntp (SOSC5, SMP2.1, SM2.1, SLE11-SP3, SLE11-SP2: multiple vulnerabilities).

Ubuntu has updated kernel (16.04; 15.10; 14.04: privilege escalation), libndp (16.04, 15.10: man-in-the-middle attacks), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), linux-lts-vivid (14.04: privilege escalation), linux-lts-wily (14.04: privilege escalation), linux-lts-xenial (14.04: privilege escalation), linux-raspi2 (16.04; 15.10: privilege escalation), and linux-snapdragon (16.04: privilege escalation).

Categories: Linux

Yubico: Secure hardware vs. open source

Tue, 2016-05-17 16:58
Yubico has posted a blog entry defending the company's decision to switch to closed-source code in the Yubikey 4 product. "If you have to pick only one, is it more important to have the source code available for review or to have a product that includes serious countermeasures for attacks against the integrity of your keys?"

See also: Konstantin Ryabitsev's response to this posting. "When it comes to any hardware, we must at some point trust the manufacturer -- unless we have very large budgets that would allow us to fully monitor every step of the manufacturing process. In the absence of such large budgets, we must base our trust on the company's prior record and their willingness to work with the community to show that their hands are clean and their intentions are pure. Putting out a blackbox proprietary device after all the good will you have built up with NEOs sends the exact opposite message."

Categories: Linux

Pomerantz and Peek: Fifty shades of open

Tue, 2016-05-17 01:00
Jeffrey Pomerantz and Robin Peek seek to disambiguate the word "open", as it is used or misused today. Examples include open source, open access, open society, open knowledge, open government, and so on. "From the common ancestor Free Software, the term “open” diversified, filling a wide range of niches. The Open Source Definition gave rise to a number of other definitions, articulating openness for everything from hardware to knowledge. Inspired by the political philosophy of openness, the Open Society Institute funded the meeting at which the Budapest Open Access Initiative declaration was created. Open Access then gave rise to a wide range of other opens concerned with scholarship, publication, and cultural heritage generally. This spread of openness can be seen as the diversification of a powerful idea into a wide range of resources and services. It can also be seen more importantly as the arrival, society-wide, of an idea whose time has come ... an idea with political, legal, and cultural impacts." (Thanks to Paul Wise)
Categories: Linux

Security updates for Monday

Mon, 2016-05-16 18:35

Arch Linux has updated glibc (two vulnerabilities), lib32-glibc (two vulnerabilities), and thunderbird (multiple vulnerabilities).

CentOS has updated thunderbird (C5: two vulnerabilities).

Debian has updated icedove (three vulnerabilities), jansson (denial of service), libidn (information disclosure), and xerces-c (code execution).

Debian-LTS has updated dosfstools (two vulnerabilities), icedove (three vulnerabilities), jansson (denial of service), python-tornado (side-channel attack), and wpa (two vulnerabilities).

Fedora has updated botan (F23; F22: three vulnerabilities), community-mysql (F23; F22: multiple vulnerabilities), gd (F22: code execution), jackson-dataformat-xml (F23; F22: XXE attack), kernel (F22: multiple vulnerabilities), ocaml (F23: code execution), openvpn (F23: multiple vulnerabilities), and qemu (F23: multiple vulnerabilities).

Mageia has updated jackson-dataformat-xml (XXE attack) and ntp (multiple vulnerabilities).

openSUSE has updated Chromium (Leap42.1, 13.2: multiple vulnerabilities).

Oracle has updated file (OL6: multiple vulnerabilities), icedtea-web (OL6: applet execution), and ntp (OL6: multiple vulnerabilities).

SUSE has updated ImageMagick (SLE11: code execution) and java-1_6_0-ibm (SLEMLS12: multiple vulnerabilities).

Categories: Linux

Major remote SSH security issue in CoreOS Linux Alpha

Mon, 2016-05-16 15:09
Should you happen to be running a CoreOS alpha release in an exposed setting, you'll want to have a look at this advisory and do a quick upgrade. "A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected."
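The advisory describes the failure mode (a PAM stack that grants access without a password) but not its cause, so a useful practitioner check is a generic audit of the auth stacks in /etc/pam.d for two conditions: a stack that never runs a credential-checking module, and a stack that short-circuits to success (a "sufficient" or "success=done" pam_permit.so) before one runs. The script below is an added example, not CoreOS's code and not a reconstruction of the specific CoreOS Alpha misconfiguration; the module lists, the two rules and the pam.d fragments are assumptions and constructed samples.

```python
"""Audit PAM 'auth' stacks for configurations that can succeed without any
credential-checking module running.

Added example for this page; it is not CoreOS's code and does not reproduce
the specific CoreOS Alpha misconfiguration.  The module sets and the two
rules below are assumptions about the general failure class, and the pam.d
fragments in SAMPLE_FILES are constructed samples, not real configuration.
"""

# Modules that actually verify a credential (assumption; extend for your site).
AUTHENTICATING = {
    "pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so",
    "pam_google_authenticator.so", "pam_yubico.so", "pam_u2f.so",
}
# Modules that return success without checking anything.
ALWAYS_SUCCEED = {"pam_permit.so"}
MAX_INCLUDE_DEPTH = 8


def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility from a pam.d file body.
    Bracketed controls such as '[success=done default=ignore]' are kept whole;
    a leading '-' on the facility (silently-skip-if-missing) is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3 or parts[0].lstrip("-") != facility:
            continue
        rest = " ".join(parts[1:])
        if rest.startswith("["):
            end = rest.index("]")
            control, after = rest[: end + 1].lower(), rest[end + 1:].split()
            if not after:
                continue
            module = after[0]
        else:
            control, module = parts[1].lower(), parts[2]
        entries.append((control, module))
    return entries


def flatten(name, files, facility="auth", depth=0):
    """Resolve 'include'/'substack' lines so the audit sees the real order.
    A missing included file contributes nothing, which the audit then reports
    as a stack with no authenticating module."""
    if depth > MAX_INCLUDE_DEPTH:
        raise ValueError("include loop or excessive nesting at %s" % name)
    if name not in files:
        return []
    out = []
    for control, module in parse_stack(files[name], facility):
        if control in ("include", "substack"):
            out.extend(flatten(module, files, facility, depth + 1))
        else:
            out.append((control, module))
    return out


def audit(name, files):
    """Return a list of findings for one service's auth stack (empty = ok)."""
    findings = []
    seen_authenticating = False
    for control, module in flatten(name, files):
        if module in AUTHENTICATING:
            seen_authenticating = True
            continue
        short_circuits = control == "sufficient" or "success=done" in control
        if module in ALWAYS_SUCCEED and short_circuits and not seen_authenticating:
            findings.append(
                "%s: %s (%s) short-circuits the stack before any "
                "authenticating module runs" % (name, module, control))
    if not seen_authenticating:
        findings.append("%s: no authenticating module in auth stack" % name)
    return findings


# Constructed pam.d fragments (not from any real system).
SAMPLE_FILES = {
    "system-auth": (
        "auth required pam_env.so\n"
        "auth sufficient pam_unix.so try_first_pass nullok\n"
        "auth required pam_deny.so\n"
    ),
    # Sane: the credential is checked by pam_unix via the included stack.
    "sshd-good": "auth include system-auth\n",
    # Bypass: pam_permit returns success before pam_unix ever runs.
    "sshd-bad": (
        "auth sufficient pam_permit.so\n"
        "auth include system-auth\n"
    ),
    # Never checks a credential at all.
    "login-empty": (
        "auth required pam_env.so\n"
        "auth [success=done default=ignore] pam_permit.so\n"
    ),
}

if __name__ == "__main__":
    for service in ("sshd-good", "sshd-bad", "login-empty"):
        for finding in audit(service, SAMPLE_FILES) or ["%s: ok" % service]:
            print(finding)
```

To run it against a real host, build the `files` dict by reading every entry of /etc/pam.d into a name-to-body mapping and call `audit()` for each service you expose (sshd, login, sudo). The check is deliberately conservative: it only reasons about the `auth` facility and about modules it knows, so an unfamiliar module that happens to check credentials will show up as "no authenticating module" until it is added to `AUTHENTICATING`.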
Categories: Linux

The 4.6 kernel has been released

Mon, 2016-05-16 01:11
Linus has released the 4.6 kernel, saying: "It's just as well I didn't cut the rc cycle short, since the last week ended up getting a few more fixes than expected, but nothing in there feels all that odd or out of line." Some of the more significant changes in this release are: post-init read-only memory as a bare beginning of the effort to harden the kernel, support for memory protection keys, the preadv2() and pwritev2() system calls, the kernel connection multiplexer, the OrangeFS distributed filesystem, compile-time stack validation, the OOM reaper, and many more. See the KernelNewbies 4.6 page for an amazing amount of detail.
Categories: Linux

Schaller: H264 in Fedora Workstation

Sat, 2016-05-14 00:11

At his blog, Christian Schaller discusses the details of the OpenH264 media codec from Cisco, which is now available in Fedora. In particular, he notes that the codec only handles the H.264 "Baseline" profile. "So as you might guess from the name Baseline, the Baseline profile is pretty much at the bottom of the H264 profile list and thus any file encoded with another profile of H264 will not work with it. The profile you need for most online videos is the High profile. If you encode a file using OpenH264 though it will work with any decoder that can do Baseline or higher, which is basically every one of them." Wim Taymans of GStreamer is looking at improving the codec with Cisco's OpenH264 team.

Categories: Linux

Friday's security updates

Fri, 2016-05-13 18:34

Arch Linux has updated chromium (multiple vulnerabilities), flashplugin (multiple vulnerabilities), lib32-flashplugin (multiple vulnerabilities), and libksba (denial of service).

CentOS has updated thunderbird (C7: multiple vulnerabilities).

Debian has updated libxstream-java (XML external-entity attack).

Debian-LTS has updated libgwenhywfar (outdated CA certificates) and libuser (multiple vulnerabilities).

Fedora has updated glibc (F23: denial of service).

Mageia has updated flash-player-plugin (M5: multiple vulnerabilities) and mercurial (M5: code execution).

openSUSE has updated libxml2 (Leap 42.1: denial of service) and ntp (Leap 42.1: multiple vulnerabilities).

Oracle has updated kernel (O7: privilege escalation) and thunderbird (O7; O6: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), docker (RHEL7: privilege escalation), flash-plugin (RHEL 5,6: multiple vulnerabilities), and openshift (RHOSE 3.2: multiple vulnerabilities).

SUSE has updated java-1_7_1-ibm (SLE12; SLE11: multiple vulnerabilities), ntp (SLE12: multiple vulnerabilities), and openssl (SLE11, SSO1.3, SOSC5, SMP2.1, SM2.1: multiple vulnerabilities).

Categories: Linux

Announcing Certbot: EFF's Client for Let's Encrypt

Fri, 2016-05-13 00:29
The Electronic Frontier Foundation (EFF) has announced a new name and web site for the Let's Encrypt client. The Let's Encrypt project is a free certificate authority that issues TLS certificates, enabling HTTPS for the web. The client, now called "Certbot", uses the Automatic Certificate Management Environment (ACME) protocol to talk to the Let's Encrypt CA; it will no longer be the "official" client, and other ACME clients can be used instead. "Along with the rename, we've also launched a brand new website for Certbot, found at https://certbot.eff.org. The site includes frequently asked questions as well as links to how you can learn more and help support the project, but by far the biggest feature of the website is an interactive instruction tool. To get the specific commands you need to get Certbot up and running, just input your operating system and webserver. No more searching through pages and pages of documentation or Google search results! While a new name has the potential for creating technical issues, the Certbot team has worked hard to make this transition as seamless as possible. Packages installed from PyPI, letsencrypt-auto, and third party plugins should all continue to work and receive updates without modification. We expect OS packages to begin using the Certbot name in the next few weeks as well. On many systems, the current client packages will automatically transition to Certbot while continuing to support the letsencrypt command so you won't have to edit any scripts you're currently using."
Categories: Linux

Thursday's security advisories

Thu, 2016-05-12 18:44

Debian-LTS has updated ocaml (code execution) and xerces-c (code execution).

Fedora has updated kernel (F23: information leak), ntp (F22: multiple vulnerabilities), php (F22: multiple vulnerabilities), subversion (F23: two vulnerabilities), and xen (F23: two vulnerabilities).

Mageia has updated libtasn1 (denial of service) and squid (two vulnerabilities).

Oracle has updated pcre (OL7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: privilege escalation), kernel-rt (RHEL7; RHEL6: privilege escalation), and thunderbird (two vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated mysql (SLE11: multiple vulnerabilities), ntp (SLE11: multiple vulnerabilities), and php5 (SLE12: multiple vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).

Categories: Linux

LWN.net Weekly Edition for May 12, 2016

Thu, 2016-05-12 02:55
The LWN.net Weekly Edition for May 12, 2016 is available.
Categories: Linux

LEDE and OpenWrt

Wed, 2016-05-11 23:32

The OpenWrt project is perhaps the most widely known Linux-based distribution for home WiFi routers and access points; it was spawned from the source code of the now-famous Linksys WRT54G router more than 12 years ago. In early May, the OpenWrt user community was thrown into a fair amount of confusion when a group of core OpenWrt developers announced that they were starting a spin-off (or, perhaps, a fork) of OpenWrt to be named the Linux Embedded Development Environment (LEDE). It was not entirely clear to the public why the split was taking place—and the fact that the LEDE announcement surprised a few other OpenWrt developers suggested trouble within the team.

Categories: Linux