Népszerű fórum témák
FreeBSD Project News
Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 20 perc 27 másodperc
Arch Linux has updated chromium (multiple vulnerabilities), libdwarf (multiple vulnerabilities), libpurple (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), vlc (code execution), and xerces-c (code execution).
Debian has updated libpdfbox-java (XML External Entity (XXE) attacks).
Debian-LTS has updated gimp (use-after-free), java-common (OpenJDK 6 no longer supported), libcommons-fileupload-java (denial of service), mysql-connector-java (information disclosure), nss (denial of service), and tomcat7 (denial of service).
Fedora has updated drupal7 (F24: privilege escalation), mirrormanager (F24; F23; F22: unspecified), optipng (F23: code execution), python (F23: man-in-the-middle attack), and qemu (F24: multiple vulnerabilities).
Gentoo has updated claws-mail (multiple vulnerabilities), freexl (multiple vulnerabilities), hostapd (multiple vulnerabilities), imagemagick (multiple vulnerabilities), libssh (multiple vulnerabilities), plib (code execution from 2011), and sudo (privilege escalation).
openSUSE has updated libarchive (13.2: denial of service), libav (Leap42.1: two vulnerabilities), libtasn1 (Leap42.1: denial of service), libtorrent-rasterbar (13.1: denial of service), mariadb (Leap42.1: multiple vulnerabilities), p7zip (Leap42.1: code execution), php5 (Leap42.1: multiple vulnerabilities), and rsync (Leap42.1: unsafe destination path).
Red Hat has updated kernel-rt (RHEMRG2.5: multiple vulnerabilities).
Scientific Linux has updated kernel (SL7: two vulnerabilities).
Slackware has updated php (multiple vulnerabilities).
The 4.7-rc5 kernel prepatch is out. "I think things are calming down, although with almost two thirds of the commits coming in since Friday morning, it doesn't feel that way - my Fridays end up feeling very busy. But looking at the numbers, we're pretty much where we normally are at this time of the rc series."
The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set of netfilter fixes that, it has just been disclosed, fix a couple of severe local privilege-escalation vulnerabilities. Anybody who is running a site with user and network namespaces enabled will want to update their kernels in short order. The fixes were originally committed into 4.6-rc2 in April with no comment regarding their implications.
CentOS has updated kernel (C7: multiple vulnerabilities), libxml2 (C6; C7: multiple vulnerabilities), ocaml (C7: information leak), setroubleshoot (C7: multiple vulnerabilities), and setroubleshoot-plugins (C7: multiple vulnerabilities).
Oracle has updated kernel (O7: multiple vulnerabilities), libxml2 (O6; O7: multiple vulnerabilities), ocaml (O7: information leak), and setroubleshoot and setroubleshoot-plugins (O7: multiple vulnerabilities).
SUSE has updated kernel (SLE11: multiple vulnerabilities).
It seems that the Comodo TLS certificate authority (CA) has filed for three trademarks using variations of "Let's Encrypt". As might be guessed, the Let's Encrypt project is less than pleased by Comodo trying to coopt its name. "Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization. If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web." [Thanks to Paul Wise.]
Version 4.7 of the Xen hypervisor has been released. "With dozens of major improvements, many more bug fixes and small improvements, and significant improvements to Drivers and Devices, Xen Project 4.7 reflects a thriving community around the Xen Project Hypervisor." Some of the new features include live patching, better dom0 robustness, better migration support between non-identical hosts, scheduler improvements, and more. See the release notes for more information.
Debian-LTS has updated squidguard (cross-site scripting).
Mageia has updated chromium-browser-stable (multiple vulnerabilities), kernel-linus (multiple vulnerabilities, one from 2013), kernel-tmb (multiple vulnerabilities, one from 2013), libimobiledevice (socket listening on all network interfaces), and python (three vulnerabilities).
The LWN.net Weekly Edition for June 23, 2016 is available.
Back in 2009, Sony removed the "install other OS" option from its PS3 game consoles, removing the ability to install Linux on those machines. It then went after developers who figured out how to jailbreak the device. Ars technica reports that Sony has now settled a class-action lawsuit over those actions. "Under the terms of the accord, which has not been approved by a California federal judge yet, gamers are eligible to receive $55 if they used Linux on the console. The proposed settlement, which will be vetted by a judge next month, also provides $9 to each console owner that bought a PS3 based on Sony's claims about 'Other OS' functionality." The lawyers, instead, get over $2 million.
Fedora has updated expat (F24: multiple vulnerabilities), php-zendframework-zendxml (F23; F22: insecure ciphertexts), php-ZendFramework2 (F23; F22: insecure ciphertexts), and xen (F22: two vulnerabilities).
Red Hat has updated python-django-horizon (RHOSP8.0; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: cross-site scripting) and setroubleshoot and setroubleshoot-plugins (RHEL6: multiple vulnerabilities).
Version 1.3 of the Elixir programming language has been released. "Elixir v1.3 brings many improvements to the language, the compiler and its tooling, specially Mix (Elixir’s build tool) and ExUnit (Elixir’s test framework). The most notable additions are the new Calendar types, the new cross-reference checker in Mix, and the assertion diffing in ExUnit."
Not to be left behind by a certain competing project, the developers of the Flatpak packaging system have put out a press release proclaiming its virtues. "The Linux desktop has long been held back by platform fragmentation. This has been a burden on developers, and creates a high barrier to entry for third party application developers. Flatpak aims to change all that. From the very start its primary goal has been to allow the same application to run across a myriad of Linux distributions and operating systems. In doing so, it greatly increases the number of users that application developers can easily reach."
openSUSE has updated ctdb (Leap42.1, 13.2: privilege escalation), libtorrent-rasterbar (Leap42.1, 13.2: denial of service), ntp (Leap42.1: multiple vulnerabilities), and kernel (Leap42.1: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Ubuntu has updated dnsmasq (16.04, 15.10: denial of service), expat (two vulnerabilities), haproxy (16.04: denial of service), spice (16.04, 15.10, 14.04: two vulnerabilities), wget (code execution), and xmlrpc-c (12.04: multiple vulnerabilities).
After several schedule slips, the Fedora 24 release is available. "The Fedora Project has embarked on a great journey... redefining what an operating system should be for users and developers. Such innovation does not come overnight, and Fedora 24 is one big step on the road to the next generation of Linux distributions. But that does not mean that Fedora 24 is some 'interim' release; there are great new features for Fedora users to deploy in their production environments right now!" See the Fedora 24 approved features list for an idea of what's in this release.
On the Project Zero blog, Jann Horn describes a bug Horn found that allows user space to overflow the kernel stack using the ecryptfs encrypted filesystem. That overflow can be used to elevate privileges for local users on Ubuntu systems configured for encrypted home directories. "However, the reason why I wrote a full root exploit for this not exactly widely exploitable bug is that I wanted to demonstrate that Linux stack overflows can occur in very non-obvious ways, and even with the existing mitigations turned on, they're still exploitable. In my bug report, I asked the kernel security list to add guard pages to kernel stacks and remove the thread_info struct from the bottom of the stack to more reliably mitigate this bug class, similar to what other operating systems and grsecurity are already doing. Andy Lutomirski had actually already started working on this, and he has now published patches that add guard pages: https://lkml.org/lkml/2016/6/15/1064."
The Linux networking developers have long held a strong opinion about user-space protocol implementations: they should be avoided in favor of making the in-kernel implementation better. So it might be surprising to see a veteran networking developer post a patch set aimed at making user-space implementations easier. A look at this patch and its motivations shines an interesting light on changes that are taking place in the networking world.
Debian has updated libxslt (three vulnerabilities).
Fedora has updated expat (F23: multiple vulnerabilities), GraphicsMagick (F23; F22: multiple vulnerabilities), iperf3 (F23; F22: denial of service), sudo (F22: information leak), and wget (F22: code execution).
Scientific Linux has updated ImageMagick (SL6,7: multiple vulnerabilities).
The 4.7-rc4 prepatch is now available for testing. Linus Torvalds said that it is "pretty small" with "nothing particularly worrisome". The development cycle proceeds apace with the usual sorts of changes: "The statistics look very normal: about two thirds drivers, with the rest being half architecture updates and half "misc" (small filesystem updates,. some documentation, and a smattering of patches elsewhere)."
Those concerned about the proliferation of application-packaging formats will soon have one fewer to worry about. At his blog, Matthias Klumpp announces that he intends to scale back his work on Limba, the cross-distribution application-packaging format he has developed as an extension of the ideas in the earlier Listaller. The decision comes on the heels of discussions with Flatpak developer Alexander Larsson, since the two projects overlap in many respects: "Alex and I had very productive discussions, and except for the modularity issue, we were pretty much on the same page in every other aspect regarding the sandboxing and app-distribution matters."
Given that he has several other active projects in development, Klumpp has decided to throttle back on Limba, although he will continue to hack on it "as a research project" and sees several opportunities where it might still fit into vendor-independent software distribution down the road. "This is good news for all the people out there using the Tanglu Linux distribution, AppStream-metadata-consuming services, PackageKit on Debian, etc. – those will receive more attention," Klumpp concludes.
HUP napi hírlevél
Legfrissebb HUP képek
Mobiltelefonom belső tárhelymérete ... GB
Nincs, nem tudom, nem érdekel, csak az eredmény érdekel, az eredmény sem érdekel stb.
Összes szavazat: 445