Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 29 minutes 12 seconds ago
Arch Linux has updated bugzilla (cross-site scripting).
Debian has updated librsvg (three vulnerabilities).
Mageia has updated dhcpcd (code execution from 2014), expat (code execution), gdk-pixbuf2.0 (code execution), icu (code execution), imagemagick/ruby-rmagic (multiple vulnerabilities), libxml2 (two denial of service flaws), perl (denial of service), and xerces-c (code execution).
SUSE has updated openssl (SLE10: multiple vulnerabilities).
Over at InfoWorld, Jim Reno compares the security of virtual machines (VMs) and containers. "Which is more secure?" is a question that is often asked, but the answer, of course, is "it depends". Reno analyzes the attack surface of each to help in choosing between VMs and containers. "Many legacy VM applications treat VMs like bare metal. In other words, they have not adapted their architectures specifically for VMs or for security models not based on perimeter security. They might install many services on the same VM, run the services with root privileges, and have few or no security controls between services. Rearchitecting these applications (or more likely replacing them with newer ones) might use VMs to provide security separation between functional units, rather than simply as a means of managing larger numbers of machines. Containers are well suited for microservices architectures that “string together” large numbers of (typically) small services using standardized APIs. Such services often have a very short lifetime, where a containerized service is started on demand, responds to a request, and is destroyed, or where services are rapidly ramped up and down based on demand. That usage pattern is dependent on the fast instantiation that containers support. From a security perspective it has both benefits and drawbacks."
On his blog, Josh Berkus asks about the effects of changing how PostgreSQL numbers its releases. There is talk of moving from an x.y.z scheme to an x.y scheme, where x would increase every year to try to reduce "the need to explain to users that 9.5 to 9.6 is really a major version upgrade requiring downtime". He is wondering what impacts that will have on users, tools, scripts, packaging, and so on. "The problem is the first number, in that we have no clear criteria when to advance it. Historically, we've advanced it because of major milestones in feature development: crash-proofing for 7.0, Windows port for 8.0, and in-core replication for 9.0. However, as PostgreSQL's feature set matures, it has become less and less clear on what milestones would be considered "first digit" releases. The result is arguments about version numbering on the mailing lists every year which waste time and irritate developers."
Greg Kroah-Hartman has released the 4.5.5, 4.4.11, and 3.14.70 stable kernels. Users of those series should upgrade.
Arch Linux has updated p7zip (two code execution flaws).
Debian has updated swift-plugin-s3 (replay attack).
Mageia has updated cacti (two SQL injection flaws), chromium-browser-stable (multiple vulnerabilities), dosfstools (two vulnerabilities), libarchive (code execution), libksba (three vulnerabilities), libndp (man-in-the-middle attacks), mariadb (multiple vulnerabilities), moodle (multiple vulnerabilities), qemu (multiple vulnerabilities), and xymon (multiple vulnerabilities).
openSUSE has updated php5 (13.2: multiple vulnerabilities).
SUSE has updated firefox (SLE10: multiple vulnerabilities).
The LWN.net Weekly Edition for May 19, 2016 is available.
CentOS has updated libndp (C7: man-in-the-middle attacks).
Debian has updated expat (code execution).
Fedora has updated dhcp (F22: denial of service).
openSUSE has updated cacti (Leap42.1, 13.2: SQL injection), Chromium (SPH for SLE12: multiple vulnerabilities), go (Leap42.1: two vulnerabilities), GraphicsMagick (Leap42.1, 13.2: multiple vulnerabilities), imlib2 (13.2: multiple vulnerabilities), libressl (13.2: multiple vulnerabilities), librsvg (Leap42.1, 13.2: denial of service), mercurial (Leap42.1, 13.2: code execution), mysql-community-server (Leap42.1, 13.2: multiple vulnerabilities), ntp (Leap42.1: multiple vulnerabilities), ocaml (13.2: information leak), poppler (13.2: denial of service), and proftpd (Leap42.1, 13.2: weak key usage).
SUSE has updated xen (SLE12: multiple vulnerabilities).
Docker Engine 1.11 has been released, built on runC and containerd. "runC is the first implementation of the Open Containers Runtime specification and the default executor bundled with Docker Engine. Thanks to the open specification, future versions of Engine will allow you to specify different executors, thus enabling the ecosystem of alternative execution backends without any changes to Docker itself. By separating out this piece, an ecosystem partner can build their own compliant executor to the specification, and make it available to the user community at any time – without being dependent on the Engine release schedule or wait to be reviewed and merged into the codebase."
Debian-LTS has updated squid3 (multiple vulnerabilities).
Gentoo has updated chromium (multiple vulnerabilities).
openSUSE has updated atheme (Leap42.1, 13.2: two vulnerabilities), flash-player (13.2; 13.1; 11.4: multiple vulnerabilities), quagga (Leap42.1, 13.2: denial of service), quassel (Leap42.1, 13.2: denial of service), and varnish (13.2: access control bypass).
Red Hat has updated libndp (RHEL7: man-in-the-middle attacks).
Ubuntu has updated kernel (16.04; 15.10; 14.04: privilege escalation), libndp (16.04, 15.10: man-in-the-middle attacks), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), linux-lts-vivid (14.04: privilege escalation), linux-lts-wily (14.04: privilege escalation), linux-lts-xenial (14.04: privilege escalation), linux-raspi2 (16.04; 15.10: privilege escalation), and linux-snapdragon (16.04: privilege escalation).
Yubico has posted a blog entry defending the company's decision to switch to closed-source code in the Yubikey 4 product. "If you have to pick only one, is it more important to have the source code available for review or to have a product that includes serious countermeasures for attacks against the integrity of your keys?"
See also: Konstantin Ryabitsev's response to this posting. "When it comes to any hardware, we must at some point trust the manufacturer -- unless we have very large budgets that would allow us to fully monitor every step of the manufacturing process. In the absence of such large budgets, we must base our trust on the company's prior record and their willingness to work with the community to show that their hands are clean and their intentions are pure. Putting out a blackbox proprietary device after all the good will you have built up with NEOs sends the exact opposite message."
Jeffrey Pomerantz and Robin Peek seek to disambiguate the word "open", as it is used or misused today. Examples include open source, open access, open society, open knowledge, open government, and so on. "From the common ancestor Free Software, the term “open” diversified, filling a wide range of niches. The Open Source Definition gave rise to a number of other definitions, articulating openness for everything from hardware to knowledge. Inspired by the political philosophy of openness, the Open Society Institute funded the meeting at which the Budapest Open Access Initiative declaration was created. Open Access then gave rise to a wide range of other opens concerned with scholarship, publication, and cultural heritage generally. This spread of openness can be seen as the diversification of a powerful idea into a wide range of resources and services. It can also be seen more importantly as the arrival, society-wide, of an idea whose time has come ... an idea with political, legal, and cultural impacts." (Thanks to Paul Wise)
CentOS has updated thunderbird (C5: two vulnerabilities).
Fedora has updated botan (F23; F22: three vulnerabilities), community-mysql (F23; F22: multiple vulnerabilities), gd (F22: code execution), jackson-dataformat-xml (F23; F22: XXE attack), kernel (F22: multiple vulnerabilities), ocaml (F23: code execution), openvpn (F23: multiple vulnerabilities), and qemu (F23: multiple vulnerabilities).
openSUSE has updated Chromium (Leap42.1, 13.2: multiple vulnerabilities).
Should you happen to be running a CoreOS alpha release in an exposed setting, you'll want to have a look at this advisory and do a quick upgrade. "A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected."
Linus has released the 4.6 kernel, saying: "It's just as well I didn't cut the rc cycle short, since the last week ended up getting a few more fixes than expected, but nothing in there feels all that odd or out of line." Some of the more significant changes in this release are: post-init read-only memory as a bare beginning of the effort to harden the kernel, support for memory protection keys, the preadv2() and pwritev2() system calls, the kernel connection multiplexer, the OrangeFS distributed filesystem, compile-time stack validation, the OOM reaper, and many more. See the KernelNewbies 4.6 page for an amazing amount of detail.
At his blog, Christian Schaller discusses the details of the OpenH264 media codec from Cisco, which is now available in Fedora. In particular, he notes that the codec only handles the H.264 "Baseline" profile. "So as you might guess from the name Baseline, the Baseline profile is pretty much at the bottom of the H264 profile list and thus any file encoded with another profile of H264 will not work with it. The profile you need for most online videos is the High profile. If you encode a file using OpenH264 though it will work with any decoder that can do Baseline or higher, which is basically every one of them." Wim Taymans of GStreamer is looking at improving the codec with Cisco's OpenH264 team.
CentOS has updated thunderbird (C7: multiple vulnerabilities).
Debian has updated libxstream-java (XML external-entity attack).
Fedora has updated glibc (F23: denial of service).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), docker (RHEL7: privilege escalation), flash-plugin (RHEL 5,6: multiple vulnerabilities), and openshift (RHOSE 3.2: multiple vulnerabilities).
The Electronic Frontier Foundation (EFF) has announced a new name and web site for the Let's Encrypt client. The Let's Encrypt project is a free certificate authority for TLS certificates that enable HTTPS for the web. The client, now called "Certbot", uses the Automatic Certificate Management Environment (ACME) protocol to talk to the Let's Encrypt CA, though it will no longer be the "official" client and there are other ACME clients that can be used. "Along with the rename, we've also launched a brand new website for Certbot, found at https://certbot.eff.org. The site includes frequently asked questions as well as links to how you can learn more and help support the project, but by far the biggest feature of the website is an interactive instruction tool. To get the specific commands you need to get Certbot up and running, just input your operating system and webserver. No more searching through pages and pages of documentation or Google search results! While a new name has the potential for creating technical issues, the Certbot team has worked hard to make this transition as seamless as possible. Packages installed from PyPI, letsencrypt-auto, and third party plugins should all continue to work and receive updates without modification. We expect OS packages to begin using the Certbot name in the next few weeks as well. On many systems, the current client packages will automatically transition to Certbot while continuing to support the letsencrypt command so you won't have to edit any scripts you're currently using."
Oracle has updated pcre (OL7: multiple vulnerabilities).
Slackware has updated thunderbird (multiple vulnerabilities).
Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).
The LWN.net Weekly Edition for May 12, 2016 is available.
The OpenWrt project is perhaps the most widely known Linux-based distribution for home WiFi routers and access points; it was spawned from the source code of the now-famous Linksys WRT54G router more than 12 years ago. In early May, the OpenWrt user community was thrown into a fair amount of confusion when a group of core OpenWrt developers announced that they were starting a spin-off (or, perhaps, a fork) of OpenWrt to be named the Linux Embedded Development Environment (LEDE). It was not entirely clear to the public why the split was taking place—and the fact that the LEDE announcement surprised a few other OpenWrt developers suggested trouble within the team.