Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 7 perc 26 másodperc
A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.
Greg Kroah-Hartman has released stable kernels 4.6.5, 4.4.16, and 3.14.74. All of them contain important fixes.
Shari Steele has posted a statement from the Tor project on the results of an investigation into the allegations of harassment (and worse) within Tor and how the project will respond. "I am pleased, therefore, to announce that both the Tor Project and the Tor community are taking active steps to strengthen our ability to handle problems of unprofessional behavior. Specifically, the Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints, and an internal complaint review process. They were recently approved by Tor’s board of directors, and they will be rolled out internally this week."
Debian-LTS has updated libgd2 (denial of service).
Mageia has updated apache (HTTP redirect), harfbuzz (multiple vulnerabilities), libgd (three vulnerabilities), libidn (multiple vulnerabilities), libupnp (unauthenticated access), libxml2 (multiple vulnerabilities), mariadb (multiple vulnerabilities), mupdf (denial of service), php/xmlrpc-epi/timezone (multiple vulnerabilities), sudo (race condition), tomcat/apache-commons-fileupload (denial of service), and virtualbox (allows local users to affect availability).
Harald Sitter reports on a discussion at recent sprint focused on making Snap packaging useful for KDE. "Shipping things users can use on Linux has been a pain in the rear since forever and these bundles are meant to change that. As such we as KDE should have a strong interest and presence in this field in the hopes of shaping a future that is useful to us. After all, we are one of the biggest source distributors, and the primary reason we don't also offer generic binary packages of our applications is because this never scaled and was altogether terrible to pull off from a KDE point of view." He and Scarlett Clark are working on some high level mass automation of snap building on top of KDE Neon's existing deb binaries. (Thanks to Jos van den Oever)
Debian has updated ntp (multiple vulnerabilities).
Debian-LTS has updated cacti (three vulnerabilities), dietlibc (insecure default PATH), gosa (code injection), ntp (multiple vulnerabilities), squid (cache poisoning), and uclibc (three vulnerabilities).
OpenVZ 7.0 has been released. The new release focuses on merging OpenVZ and Virtuozzo source codebase and replacing its hypervisor with KVM. There are many other improvements and new features in container management and more.
InfoWorld takes a look at the upcoming OpenBSD 6.0 release. "Most significant among the latest security-related changes for OpenBSD is the removal of Linux emulation support. Prior versions of OpenBSD made it possible to run Linux applications by way of a compatibility layer, but the release notes for OpenBSD 6.0 indicate the Linux subsystem was removed as a "security improvement.""
Debian-LTS has updated squid3 (denial of service).
Fedora has updated ca-certificates (F24: certificate update), gd (F24: multiple vulnerabilities), httpd (F24: HTTP redirect), kf5-karchive (F24; F23: command execution, over a hundred related KDE Frameworks packages were included in this update), libgcrypt (F24: key leak), libidn (F24: multiple vulnerabilities), libvirt (F24: authentication bypass), and mingw-gnutls (F24: certificate verification vulnerability).
Slackware has updated bind (denial of service).
Linus has returned from his travels and released the 4.7 kernel. The most significant changes in this release include the tracing histograms feature, in-kernel tracing analysis via the ability to attach BPF programs to tracepoints, the LoadPin security module, better out-of-memory detection, faster filesystem operations with parallel pathname lookups, the schedutil CPU frequency governor, and more. See the KernelNewbies 4.7 page for lots of details.
At his blog, Matthias Clasen explores the recent enhancements to the the classic GNU gettext utility. Thanks in large part to new maintainer Daiki Ueno, gettext now understands many more file formats—thus enabling developers to easily extract strings from a wide variety of source files for translation. In addition to programming languages, Clasen notes, gettext understands .desktop files, GSettings schemas, GtkBuilder ui files, and Appdata files. "If you don’t want to wait for your favorite format to come with built-in its support, you can also include its files with your application; gettext will look for such files in $XDG_DATA_DIRS/gettext/its/."
Arch Linux has updated drupal (proxy injection).
Debian-LTS has updated python-django (cross-site scripting).
openSUSE has updated p7zip (13.1: code execution).
Ubuntu has updated mysql-5.5, mysql-5.6, mysql-5.7 (12.04, 14.04, 15.10, 16.04: multiple vulnerabilities).
EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment
The Electronic Frontier Foundation (EFF) has announced that it is suing the US government over provisions in the Digital Millennium Copyright Act (DMCA). The suit has been filed on behalf of Andrew "bunnie" Huang, who has a blog post describing the reasons behind the suit. The EFF also explained why these DMCA provisions should be ruled unconstitutional: "These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing. Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people’s ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials."
Arch Linux has updated bind (denial of service).
Debian-LTS has updated libarchive (multiple vulnerabilities, most from 2015).
openSUSE has updated dhcp (42.1: denial of service).
Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), and openstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015).
Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).
SUSE has updated obs-service-source_validator (SLE12: code execution).
The LWN.net Weekly Edition for July 21, 2016 is available.
Congratulations are due to Alan Cox, who was awarded an honorary degree by Swansea University for his work with Linux. "Alan started working on Version 0. There were bugs and problems he could correct. He put Linux on a machine in the Swansea University computer network, which revealed many problems in networking which he sorted out; later he rewrote the networking software. Alan brought to Linux software engineering discipline: Linux software releases that were tested, corrected and above all stable. On graduating, Alan worked at Swansea University, set up the UK Linux server and distributed thousands of systems."
Benjamin Smedberg writes that the Firefox browser will soon start taking a more active approach to the elimination of Flash content. "Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness."
Debian has updated apache2 (HTTP redirect).
Debian-LTS has updated apache2 (HTTP redirect).
Gentoo has updated ansible (code execution), arpwatch (privilege escalation from 2012), bugzilla (multiple vulnerabilities from 2014), commons-beanutils (code execution from 2014), dropbear (information disclosure), exim (code execution from 2014), libbsd (denial of service), ntp (many vulnerabilities), and varnish (access control bypass).
Red Hat has updated java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).
SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities).
Ubuntu has updated python-django (16.04: cross-site scripting).
The Register reports that longtime Tor contributor Lucky Green is quitting and closing down the node and bridge authority he operates. "Practically, it's a big deal. Bridge Authorities are part of the infrastructure that lets users get around some ISP-level blocks on the network (not, however, defeating deep packet inspection). They're also incorporated in the Tor code, meaning that to remove a Bridge Authority is going to need an update." The shutdown is scheduled for August 31. (Thanks to Nomen Nescio)
The Software Freedom Conservancy is one of the few organizations involved in GPL enforcement, and it has published principles regarding enforcement practices that seek compliance and not financial penalties. Bradley Kuhn and Karen Sandler urge others doing GPL enforcement to follow principles set forth by the SFC. "One impetus in drafting the Principles was our discovery of ongoing enforcement efforts that did not fit with the GPL enforcement community traditions and norms established for the last two decades. Publishing the previously unwritten guidelines has quickly separated the wheat from the chaff. Specifically, we remain aware of multiple non-community-oriented GPL enforcement efforts, where none of those engaged in these efforts have endorsed our principles nor pledged to abide by them. These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years." The actions of one individual prompted the netfilter project to make a statement endorsing the principles, which we covered earlier this month.
HUP napi hírlevél
Tudsz-e még írásban összeadni, kivonni, szorozni, osztani?
Kapásból. Bármely számrendszerben.
Kapásból, tízes számrendszerben.
Kis gondolkodás után tízes számrendszerben.
Már nem emlékszem.
Csak az eredmény érdekel.
Összes szavazat: 437