Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 9 perc 1 másodperc

Friday's security updates

p, 2014-09-26 16:44

CentOS has updated bash (C5; C6; C7: code execution) and nss (C6; C7: certificate forgery).

Debian has updated bash (code execution) and mediawiki (cross-site scripting).

Fedora has updated bash (F19; F20: code execution), drupal6 (F20: multiple vulnerabilities), nss (F20: certificate forgery), nss-softokn (F20: certificate forgery), nss-util (F20: certificate forgery), perl-Email-Address (F19; F20: denial of service), python-oauth2 (F19; F20: multiple vulnerabilities), rubygem-activerecord (F20: authentication bypass), and tomcat (F20: multiple vulnerabilities).

Mandriva has updated bash (BS1: code execution).

Oracle has updated bash (O4; O5; O6; O7: code execution) and bash (O5; O6; O7: code execution; second vulnerability).

Red Hat has updated bash (code execution) and nss (certificate forgery).

Scientific Linux has updated automake (SL5: code execution), bash (code execution), nss (certificate forgery), and nss, nspr (certificate forgery).

Slackware has updated bash (code execution) and bash-3.1 (13.0: code execution).

SUSE has updated spacewalk-java (Manager Server: cross-site scripting).

Ubuntu has updated bash (10.04, 12.04, 14.04: code execution; 14.04: code execution).

Kategóriák: Linux

Python 3: threat or menace? (O'Reilly)

p, 2014-09-26 15:27
Here's an O'Reilly Radar article with suggestions on how to move to Python 3. "Python 3 isn’t a radical change (except for Unicode handling, which we’ll get to shortly). The visible changes are fairly small. It still has that minty Python scent, that art house whitespace framing, and that lovely, readable syntax. Python has always been — and this is not faint praise — a nice language. 3 is just a bit nicer. The developers chipped away at the technical debt that every project accumulates: using more consistent naming and behavior, dropping obsolete pieces, and of course fixing many bugs."
Kategóriák: Linux

Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

p, 2014-09-26 15:23
The Free Software Foundation tries to highlight the good side of the "shellshock" vulnerability. "GNU Bash has been widely adopted because it is a free (as in freedom), reliable, and featureful shell. This popularity means the serious bug that was published yesterday is just as widespread. Fortunately, GNU Bash's license, the GNU General Public License version 3, has facilitated a rapid response. It allowed Red Hat to develop and share patches in conjunction with Bash upstream developers efforts to fix the bug, which anyone can download and apply themselves. Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software."
Kategóriák: Linux

Mahinovs: Distributing third party applications via Docker?

cs, 2014-09-25 22:28
On his blog, Aigars Mahinovs considers an alternative to Lennart Poettering's recent thoughts about how Linux systems should be constructed. Mahinovs advocates a Docker-based approach. "Third party application developer writes a new game for Linux. As his target he chooses one of the "application runtime" Docker images on Docker Hub. Let's say he chooses the latest Debian stable release. In that case he writes a simple Dockerfile that installs his build-dependencies and compiles his game in "debian-app-dev:wheezy" container. The output of that is a new folder containing all the compiled game resources and another Dockerfile - this one describes the runtime dependencies of the game. Now when a docker image is built from this compiled folder, it is based on "debian-app:wheezy" container that no longer has any development tools and is optimized for speed and size. After this build is complete the developer exports the Docker image into a file. This file can contain either the full system needed to run the new game or (after #8214 is implemented) just the filesystem layers with the actual game files and enough meta-data to reconstruct the full environment from public Docker repos. The developer can then distribute this file to the end user in the way that is comfortable for them."
Kategóriák: Linux

Bugging out: How rampant online piracy squashed one insect photographer (Ars Technica)

cs, 2014-09-25 21:20
As many in the free-software world know, copyright is, at best, a double-edged sword. Copyright law is what allows the various free and open-source licenses, but enforcing that copyright (i.e. adherence to the license) is expensive and time-consuming. Ars Technica has the tale of a bug photographer who details his woes in trying to protect his photographs. "While the stereotypical copyright story pits private users against large corporate rights-holders, real-world cases are often more complex. After all, most content creators are private, and many content users—as well as content infringers—are corporate. The corporate infringements are the most frustrating, as I live off photo licenses issued to corporations in the same sectors. Licensing only works in a world where commercial content users like these must obtain permission from content creators. As long as I have the right to dispense permission, I am in a position to earn back the roughly $50 I spend to create each photograph. Money is time; I use my time to invest in more images, and the cycle continues. This is how copyright is supposed to work, and most of my photographs could not exist without it."
Kategóriák: Linux

Thursday's security updates

cs, 2014-09-25 16:22

Debian has updated iceweasel (signature forgery) and nss (signature forgery).

Fedora has updated bash (F20; F19: code injection), moodle (F20: multiple vulnerabilities), not-yet-commons-ssl (F20; F19: hostname verification botch), phpMyAdmin (F20; F19: privilege escalation), procmail (F19: code execution), wireshark (F20: yet another pile of dissector flaws), and xerces-j2 (F20; F19: denial of service from 2013).

Gentoo has updated bash (code injection) and bash (fix to the previous update for the code injection vulnerability).

Mageia has updated bash (code injection), curl (M4; M3: cookie handling), php-pear-CAS (privilege escalation), and wireshark (yet another pile of dissector flaws).

Mandriva has updated bash (code injection), curl (two cookie-handling vulnerabilities), nss (signature forgery), and wireshark (yet another pile of dissector flaws).

Oracle has updated bash (OL7; OL6; OL5 OL4: code injection).

Scientific Linux has updated bash (code injection).

Slackware has updated bash (code injection) and mozilla (signature forgery).

SUSE has updated bash (SLE11SP3, SLE10SP4; SLE11SP1: code injection) and bash (SLE10SP3: two vulnerabilities, one from 2012).

Ubuntu has updated bash (14.04, 12.04, 10.04: code injection), firefox (14.04, 12.04: signature forgery), nss (14.04, 12.04, 10.04: signature forgery), and thunderbird (14.04, 12.04: signature forgery).

Kategóriák: Linux

[$] LWN.net Weekly Edition for September 25, 2014

cs, 2014-09-25 01:59
The LWN.net Weekly Edition for September 25, 2014 is available.
Kategóriák: Linux

A remotely exploitable hole in bash

sze, 2014-09-24 21:13
The bash shell has a vulnerability in its environment variable processing that could be remotely exploited in some situations — with CGI scripts being at the top of the list. "The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation." The problem was disclosed (a little) prematurely, so updates are still coming in from the distributors.
Kategóriák: Linux

[$] Adobe releases source code for OpenType font-development tools

sze, 2014-09-24 20:38

Adobe made a surprise announcement at the annual ATypI conference in Barcelona, Spain, releasing one of the company's proprietary font-production tools under an open-source license. In addition, the team convinced another popular font-development project to release its core library as open source, too. Adobe framed the release as a move designed to help improve the quality of fonts produced with any application, but there may be other benefits as well—such as increasing the spread of Adobe's own open fonts. Up until now, those fonts have not been redistributable by many other free-software projects, precisely because the production tools needed to build them remained closed.

Kategóriák: Linux

GNOME 3.14 released

sze, 2014-09-24 19:55
The GNOME project has released GNOME 3.14. "This is another exciting release for GNOME, and brings many new features and improvements, including multitouch, captive portal support, greatly improved sharing settings. This release also includes improved and redesigned applications for weather, maps, PDF viewing, running VMs, and more. The Wayland support has matured to the point where it is ready for day-to-day use." See the release notes for details.
Kategóriák: Linux

Security advisories for Wednesday

sze, 2014-09-24 17:58

CentOS has updated bash (C7; C6; C5: command execution) and haproxy (C7: denial of service).

Debian has updated apt (code execution) and bash (command execution).

Mandriva has updated dump (code execution), libgadu (missing ssl certificate validation), net-snmp (denial of service), phpmyadmin (privilege escalation), and zarafa (multiple vulnerabilities).

Oracle has updated haproxy (OL7: denial of service).

Red Hat has updated bash (RHEL4, 5.6, 5.9, 6.2, 6.4; RHEL5, 6, 7: command execution) and haproxy (RHEL7: denial of service).

Ubuntu has updated apt (code execution), EC2 kernel (10.04: privilege escalation), kernel (14.04; 12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Kategóriák: Linux

[$] Schneier on incident response

sze, 2014-09-24 16:34

Bruce Schneier is a cryptographer and security specialist who is well-known in computer circles even though he has often branched into more general security areas in recent years. His blog is a great source of security news (and, of "quotes of the week" for the Security page, as readers know). Beyond all that, he travels to many security conferences to give talks, which is just what he did at AppSec USA in Denver on September 18. The keynote topic was "incident response" (IR), which is an area that is finally getting more attention in the security-product space, he said.

Kategóriák: Linux

Security Collapse in the HTTPS Market (ACM Queue)

sze, 2014-09-24 15:24
ACM's Queue has a lengthy article on the security failures in the HTTPS layer and the prospects for improvement. "This article outlines the systemic vulnerabilities of HTTPS, maps the thriving market for certificates, and analyzes the suggested regulatory and technological solutions on both sides of the Atlantic. The findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become 'too big to fail.' Unfortunately, the proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come"
Kategóriák: Linux

Hutterer: libinput - a common input stack for Wayland compositors and X.Org drivers

sze, 2014-09-24 15:17
Here's a post from Peter Hutterer on why the X.Org input stack is a mess and the new "libinput" stack is needed. "It looks like a big happy family at first, but then you see that synaptics won't talk to evdev because of the tapping incident a couple of years back, mouse and keyboard have no idea what forks and knives are for, wacom is the hippy GPL cousin that doesn't even live in the same state and no-one quite knows why elographics keeps getting invited. The X server tries to keep the peace by just generally getting in the way of everyone so no-one can argue for too long. You step back, shrug apologetically and say 'well, that's just how these things are, right?'"
Kategóriák: Linux

Kali NetHunter turns Android device into hacker Swiss Army knife (Ars Technica)

k, 2014-09-23 23:56
Ars Technica takes a look at Kali Linux NetHunter, a penetration testing platform for Nexus devices. "NetHunter is still in its early stages, but it already includes the ability to have the Nexus device emulate a USB human interface device (HID) and launch keyboard attacks on PCs that can be used to automatically elevate privileges on a Windows PC and install a reverse-HTTP tunnel to a remote workstation. It also includes an implementation of the BadUSB man-in-the-middle attack, which can force a Windows PC to recognize the USB-connected phone as a network adapter and re-route all the PC’s traffic through it for monitoring purposes."
Kategóriák: Linux

Announcing the release of Fedora 21 Alpha

k, 2014-09-23 19:31
The Fedora project has released Fedora 21 Alpha. This is the first release of Fedora.next, which introduces three products rather than the traditional single deliverable. The Fedora 21 Base includes only the base set of packages (such as kernel, RPM, yum, systemd, and Anaconda) used by all the products. Fedora 21 Cloud includes images for use in private cloud environments like OpenStack, as well as AMIs for use on Amazon, and a new image streamlined for running Docker containers. The server product is aimed at making it easier to install discrete infrastructure services. The Fedora Server will introduce three new technologies in Fedora to handle this task, rolekit, Cockpit and OpenLMI. The third product is Fedora 21 Workstation, which is aimed at providing a platform for development of server side and client applications that is attractive to developers of all stripes. The final release of Fedora 21 is expected in December.
Kategóriák: Linux

Best practices for the new era of open source (opensource.com)

k, 2014-09-23 18:19
This opensource.com article holds out Ansible as an example of a project worth emulating and delves into the reasons for its success. "The idea that a user can try something out over a lunch break, and understand it—and then learn what is left to learn—is a key success driver for open source software. Too many projects fail needlessly because they don’t invest in this critical idea."
Kategóriák: Linux

Tuesday's security updates

k, 2014-09-23 16:53

CentOS has updated kernel (C7: denial of service).

Oracle has updated kernel (OL7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: denial of service).

Ubuntu has updated dbus (multiple vulnerabilities) and nginx (14.04: virtual host confusion attacks).

Kategóriák: Linux

PyPy 2.4.0 released

h, 2014-09-22 21:55
PyPy is an optimized implementation of the Python (2.x) programming language; the 2.4 release is now available. As is often the case, performance improvements top the list of changes in this release. "Benchmarks improved after internal enhancements in string and bytearray handling, and a major rewrite of the GIL handling. This means that external calls are now a lot faster, especially the CFFI ones. It also means better performance in a lot of corner cases with handling strings or bytearrays." Various bug fixes and an update to the Python 2.7.8 standard library are included as well.
Kategóriák: Linux

Security advisories for Monday

h, 2014-09-22 16:58

Debian has updated mantis (SQL injection flaws) and nginx (virtual host confusion attacks).

Gentoo has updated adobe-flash (multiple vulnerabilities), c-icap (denial of service), chromium (denial of service), and libxml2 (denial of service).

Mageia has updated flash-player-plugin (multiple vulnerabilities), gnupg (MG3: side-channel attack), phpmyadmin (privilege escalation), and zarafa (multiple vulnerabilities).

Mandriva has updated gnupg (side-channel attack).

openSUSE has updated ntp (11.4: denial of service), chromium (13.1, 12.3: multiple vulnerabilities), and phpMyAdmin (13.1, 12.3: privilege escalation).

Red Hat has updated qemu-kvm-rhev (RHEL OSP5.0: multiple vulnerabilities).

SUSE has updated dbus-1 (SLE11 SP3: denial of service).

Ubuntu has updated nss (CA certificate update).

Kategóriák: Linux