Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Two new stable kernels

Fri, 2016-10-28 17:33
Greg Kroah-Hartman has released the 4.8.5 and 4.4.28 stable kernels. As usual, they contain fixes throughout the tree and users of those series should upgrade.
Categories: Linux

[$] Defending against Rowhammer in the kernel

Fri, 2016-10-28 17:01
The Rowhammer vulnerability affects hardware at the deepest levels. It has proved to be surprisingly exploitable on a number of different systems, leaving security-oriented developers at a loss. Since it is a hardware vulnerability, it would appear that solutions, too, must be placed in the hardware. Now, though, an interesting software-based mitigation mechanism is under discussion on the linux-kernel mailing list. The ultimate effectiveness of this defense is unproven, but it does show that there may be hope for a solution that doesn't require buying new computers.
Categories: Linux

Friday's security advisories

Fri, 2016-10-28 16:13

Debian has updated nginx (packaging problem in previous security update).

Debian-LTS has updated tre (code execution).

openSUSE has updated flash-player (13.2: code execution).

Red Hat has updated kernel (RHEL5: two vulnerabilities) and nodejs and nodejs-tough-cookie (RHOSE: two vulnerabilities).

SUSE has updated flash-player (SLE12: code execution).

Ubuntu has updated firefox (two vulnerabilities), nginx (16.10, 16.04, 14.04: packaging problem in previous security update), and thunderbird (multiple vulnerabilities).

Categories: Linux

Gregg: DTrace for Linux 2016

Thu, 2016-10-27 20:02
Brendan Gregg celebrates the capabilities of Linux kernel tracing with BPF. "With the final major capability for BPF tracing (timed sampling) merging in Linux 4.9-rc1, the Linux kernel now has raw capabilities similar to those provided by DTrace, the advanced tracer from Solaris. As a long time DTrace user and expert, this is an exciting milestone! On Linux, you can now analyze the performance of applications and the kernel using production-safe low-overhead custom tracing, with latency histograms, frequency counts, and more."
Categories: Linux

Thursday's security updates

Thu, 2016-10-27 15:55

Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).

Debian-LTS has updated bash (code execution), graphicsmagick (multiple vulnerabilities), libx11 (denial of service), libxi (code execution), and libxtst (code execution).

openSUSE has updated kernel (11.4: many vulnerabilities, one from 2013, many from 2015), ghostscript (13.2: multiple vulnerabilities, one from 2013), and sssd (42.1: access restriction bypass).

Red Hat has updated flash-plugin (RHEL6&5: code execution), kernel (RHEL6.5; RHEL7.1: privilege escalation), and openstack-manila-ui (RHOSP9.0; RHOSP8.0; RHOSP7.0: cross-site scripting).

Categories: Linux

[$] LWN.net Weekly Edition for October 27, 2016

Thu, 2016-10-27 03:00
The LWN.net Weekly Edition for October 27, 2016 is available.
Categories: Linux

The initial bus1 patch posting

Wed, 2016-10-26 20:55
The bus1 message-passing mechanism is the successor to the "kdbus" project; it was covered here in August. The patches have now been posted for review. "While bus1 emerged out of the kdbus project, bus1 was started from scratch and the concepts have little in common. In a nutshell, bus1 provides a capability-based IPC system, similar in nature to Android Binder, Cap'n Proto, and seL4."
Categories: Linux

Security advisories for Wednesday

Wed, 2016-10-26 18:17

CentOS has updated kernel (C6: privilege escalation).

Debian has updated asterisk (multiple vulnerabilities) and nginx (privilege escalation).

Debian-LTS has updated nspr (information disclosure), nss (information disclosure), potrace (multiple vulnerabilities), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities).

Fedora has updated perl-Image-Info (F24; F23: information disclosure).

Mageia has updated graphicsmagick (three vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), mpg123 (denial of service), and tor (denial of service).

openSUSE has updated GraphicsMagick (Leap42.1; 13.2: multiple vulnerabilities), guile (13.2: two vulnerabilities), guile1 (Leap42.1; 13.2: information disclosure), firefox (Leap42.1, 13.2: two vulnerabilities), qemu (Leap42.1: multiple vulnerabilities), quagga (Leap42.1: stack overrun), and kernel (13.2: multiple vulnerabilities).

Oracle has updated kernel (OL6: privilege escalation).

Red Hat has updated kernel (RHEL6; RHEL6.7: privilege escalation) and kernel-rt (RHEMRG2.5; RHEL7: two vulnerabilities).

Scientific Linux has updated kernel (SL6: privilege escalation).

Ubuntu has updated nginx (16.10, 16.04, 14.04: privilege escalation).

Categories: Linux

Flatpak 0.6.13

Tue, 2016-10-25 19:37
Flatpak 0.6.13 has been released. Major changes include new command-line arguments for install/update/uninstall, checking and downloading of application runtime dependencies, URI support for remote-add and install --from, the ability of flatpak run to launch a runtime directly, and more.
Categories: Linux

Tuesday's security updates

Tue, 2016-10-25 17:11

Arch Linux has updated linux-grsec (privilege escalation) and ocaml (information leak).

CentOS has updated kernel (C7: privilege escalation).

Debian has updated php5 (multiple vulnerabilities) and virtualbox (end of support).

Debian-LTS has updated ghostscript (multiple vulnerabilities).

Fedora has updated bind (F23: denial of service), bind99 (F23: denial of service), and libass (F24: three vulnerabilities).

Mageia has updated php (multiple vulnerabilities).

openSUSE has updated quagga (13.2: stack overrun) and virtualbox (13.2: multiple unspecified vulnerabilities).

Oracle has updated kernel (OL7: privilege escalation).

Red Hat has updated bind (RHEL6.2, 6.4, 6.5, 6.6, 6.7: denial of service).

Scientific Linux has updated kernel (SL7: privilege escalation).

SUSE has updated quagga (SLE12-SP1: stack overrun).

Ubuntu has updated linux-raspi2 (16.10: privilege escalation), mysql-5.5, mysql-5.7 (multiple unspecified vulnerabilities), and quagga (stack overrun).

Categories: Linux

[$] Dealing with automated SSH password-guessing

Mon, 2016-10-24 23:41
Just about everyone who runs a Unix server on the internet uses SSH for remote access, and almost everyone who does that will be familiar with the log footprints of automated password-guessing bots. Although decently-secure passwords do much to harden a server against such attacks, the costs of dealing with the continual stream of failed logins can be considerable. There are ways to mitigate these costs.
Categories: Linux

Valgrind-3.12.0 is available

Mon, 2016-10-24 19:22
Valgrind 3.12.0 has been released. "3.12.0 is a feature release with many improvements and the usual collection of bug fixes. This release adds support for POWER ISA 3.0, improves instruction set support on ARM32, ARM64 and MIPS, and provides support for the latest common components (kernel, gcc, glibc). There are many smaller refinements and new features. The release notes below give more details." There will be a Valgrind developer room at FOSDEM in Brussels, Belgium, on February 4, 2017. The call for participation is open until December 1.
Categories: Linux

Security advisories for Monday

Mon, 2016-10-24 18:20

Arch Linux has updated chromium (multiple vulnerabilities), kernel (privilege escalation), linux-lts (privilege escalation), python-django (cross-site request forgery), and python2-django (cross-site request forgery).

CentOS has updated bind (C6; C5: denial of service) and bind97 (C5: denial of service).

Debian has updated kdepimlibs (HTML injection).

Debian-LTS has updated kdepimlibs (HTML injection).

Fedora has updated guile (F23: two vulnerabilities), kernel (F24; F23: privilege escalation), php (F24; F23: multiple vulnerabilities), and php-pecl-zip (F24; F23: multiple vulnerabilities).

Mageia has updated 389-ds-base (information disclosure), c-ares (code execution), guile (two vulnerabilities), openjpeg (denial of service), and php-ZendFramework (SQL injection).

openSUSE has updated Chromium (Leap42.1, 13.2: multiple vulnerabilities), dbus-1 (Leap42.1: code execution), gd (13.2: denial of service), kdump (Leap42.1: denial of service), php5 (13.2: three vulnerabilities), kernel (Leap42.1; 13.1: multiple vulnerabilities), tor (Leap42.1, 13.2: denial of service), and X (Leap42.1: multiple vulnerabilities).

Oracle has updated bind (OL6; OL5: denial of service), bind97 (OL5: multiple vulnerabilities), kernel 4.1.12 (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), and kernel 2.6.39 (OL6; OL5: privilege escalation).

Red Hat has updated kernel (RHEL7: privilege escalation).

SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities), qemu (SLE12-SP1: multiple vulnerabilities), and kernel (SLE12-SP1; SLE12; SLE11-SP4; SLE11-SP3; SLE11-SP2: privilege escalation).

Categories: Linux

The Linux Foundation Technical Advisory Board election

Mon, 2016-10-24 15:36
The Linux Foundation's Technical Advisory Board provides the development community (primarily the kernel development community) with a voice in the Foundation's decision-making process. Among other things, the TAB chair holds a seat on the Foundation's board of directors. The next TAB election will be held on November 2 at the Kernel Summit in Santa Fe, NM; five TAB members (½ of the total) will be selected there. The nomination process is open until voting begins; anybody interested in serving on the TAB is encouraged to throw their hat into the ring.
Categories: Linux

Kernel prepatch 4.9-rc2

Mon, 2016-10-24 02:08
The second 4.9 prepatch is out for testing, and Linus is asking for people to test one feature in particular: "My favorite new feature that I called out in the rc1 announcement (the virtually mapped stacks) is possibly implicated in some crashes that Dave Jones has been trying to figure out, so if you want to be helpful and try to see if you can give more data, please make sure to enable CONFIG_VMAP_STACK."
Categories: Linux

More stable kernel updates

Sat, 2016-10-22 16:33
The 4.8.4, 4.7.10, and 4.4.27 stable updates are out. These would appear to contain the usual fixes. Note that 4.7.10 is the end of the line for the 4.7.x series.
Categories: Linux

[$] Dirty COW and clean commit messages

Fri, 2016-10-21 18:08
We live in an era of celebrity vulnerabilities; at the moment, an unpleasant kernel bug called "Dirty COW" (or CVE-2016-5195) is taking its turn on the runway. This one is more disconcerting than many due to its omnipresence and the ease with which it can be exploited. But there is also some unhappiness in the wider community about how this vulnerability has been handled by the kernel development community. It may well be time for the kernel project to rethink its approach to serious security problems.
Categories: Linux

Friday's security updates

Fri, 2016-10-21 15:50

Debian-LTS has updated bind9 (denial of service).

Fedora has updated libgit2 (F23: two vulnerabilities).

Mageia has updated kernel (three vulnerabilities), libtiff (multiple vulnerabilities, two from 2015), and openslp (code execution).

openSUSE has updated dbus-1 (13.2: code execution), ghostscript-library (42.1: three vulnerabilities, one from 2013), roundcubemail (42.1: two vulnerabilities), and squidGuard (42.1: cross-site scripting from 2015).

Red Hat has updated bind (RHEL6&5: denial of service) and bind97 (RHEL5: denial of service).

Scientific Linux has updated bind (SL6&5: denial of service) and bind97 (SL5: denial of service).

Ubuntu has updated bind9 (12.04: denial of service).

Categories: Linux

Ranking the Web With Radical Transparency (Linux.com)

Fri, 2016-10-21 00:29
Linux.com interviews Sylvain Zimmer, founder of the Common Search project, which is an effort to create an open web search engine. "Being transparent means that you can actually understand why our top search result came first, and why the second had a lower ranking. This is why people will be able to trust us and be sure we aren't manipulating results. However for this to work, it needs to apply not only to the results themselves but to the whole organization. This is what we mean by 'radical transparency.' Being a nonprofit doesn't automatically clear us of any ulterior motives, we need to go much further. As a community, we will be able to work on the ranking algorithm collaboratively and in the open, because the code is open source and the data is publicly available. We think that this means the trust in the fairness of the results will actually grow with the size of the community."
Categories: Linux

More information about Dirty COW (aka CVE-2016-5195)

Thu, 2016-10-20 22:12
The security hole fixed in the 4.8.3, 4.7.9, and 4.4.26 stable kernel updates has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.
Categories: Linux