Linux Weekly News

Tartalom átvétel is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Frissült: 24 perc 50 másodperc

SFC: GPL Violations Related to Combining ZFS and Linux

cs, 2016-02-25 18:56
The Software Freedom Conservancy (SFC) has put out an analysis of the recently announced plans of Canonical to provide and support ZFS as part of Ubuntu 16.04. There are some license-compatibility questions within the community, but Canonical believes that it is within its rights to distribute the CDDLv1-licensed zfs.ko kernel module with the GPLv2-licensed kernel. SFC, however, disagrees: "We are sympathetic to Canonical's frustration in this desire to easily support more features for their users. However, as set out below, we have concluded that their distribution of zfs.ko violates the GPL. We have written this statement to answer, from the point of view of many key Linux copyright holders, the community questions that we've seen on this matter. Specifically, we provide our detailed analysis of the incompatibility between CDDLv1 and GPLv2 — and its potential impact on the trajectory of free software development — below. However, our conclusion is simple: Conservancy and the Linux copyright holders in the GPL Compliance Project for Linux Developers believe that distribution of ZFS binaries is a GPL violation and infringes Linux's copyright. We are also concerned that it may infringe Oracle's copyrights in ZFS. As such, we again ask Oracle to respect community norms against license proliferation and simply relicense its copyrights in ZFS under a GPLv2-compatible license."
Kategóriák: Linux

Thursday's security updates

cs, 2016-02-25 17:39

Arch Linux has updated libgcrypt (key leak) and libssh2 (insecure sessions).

Debian has updated icedove (multiple vulnerabilities).

Debian-LTS has updated libfcgi (denial of service), libfcgi-perl (denial of service), pixman (code execution from 2014), and postgresql-8.4 (denial of service).

Fedora has updated hamster-time-tracker (F22: denial of service), postgresql (denial of service), and qemu (three vulnerabilities).

Mageia has updated libssh (insecure sessions).

openSUSE has updated gummi (42.1, 13.2: insecure tmp files), libgcrypt (13.2: key leak), and postgresql94 (42.1: three vulnerabilities, one from 2007).

Oracle has updated openssh (OL5: denial of service from 2010).

SUSE has updated firefox (SLE11SP4: denial of service).

Ubuntu has updated ca-certificates (15.10, 14.04, 12.04: 1024-bit RSA key removal), glib-networking (15.10, 14.04, 12.04: update for certificate changes), gnutls (14.04, 12.04: update for certificate changes), and openssl (14.04, 12.04: update for certificate changes).

Kategóriák: Linux

[$] Weekly Edition for February 25, 2016

cs, 2016-02-25 02:32
The Weekly Edition for February 25, 2016 is available.
Kategóriák: Linux

[$] Systemd vs. Docker

sze, 2016-02-24 21:30

One of the more entertaining presentations at this year's was by Dan Walsh, Red Hat's head of container engineering. He presented on one of the core conflicts in the Linux container world: systemd versus the Docker daemon. This is far from a new issue; it has been brewing since Ubuntu adopted systemd, and CoreOS introduced Rocket, a container system built around systemd.

Subscribers can click below for a look at the talk by guest author Josh Berkus.

Kategóriák: Linux

Security advisories for Wednesday

sze, 2016-02-24 18:57

Arch Linux has updated libssh (insecure ssh sessions).

Debian has updated libssh (multiple vulnerabilities), lighttpd (padding-oracle attack), and websvn (cross-site scripting).

Debian-LTS has updated nss (cryptographic weakness) and websvn (cross-site scripting).

Fedora has updated botan (F23: three vulnerabilities), code-editor (F23: three vulnerabilities), gdl (F22: out-of-bounds read flaw), GraphicsMagick (F22: out-of-bounds read flaw), monotone (F23: three vulnerabilities), octave (F22: out-of-bounds read flaw), postgresql (F23: denial of service), qca (F23: three vulnerabilities), qt-creator (F23: three vulnerabilities), vdr-skinenigmang (F22: out-of-bounds read flaw), vdr-skinnopacity (F22: out-of-bounds read flaw), and vdr-tvguide (F22: out-of-bounds read flaw).

openSUSE has updated firefox (13.1: same-origin restriction bypass).

Red Hat has updated rh-ror41 (RHSCL: multiple vulnerabilities).

Slackware has updated bind (denial of service), glibc (code execution), libgcrypt (two vulnerabilities), and ntp (multiple vulnerabilities).

SUSE has updated firefox (SLE12-SP1: denial of service) and postgresql94 (SLE12-SP1: three vulnerabilities, one from 2007).

Kategóriák: Linux

Upcoming features in GCC 6

k, 2016-02-23 23:14
The Red Hat developer blog looks at what's coming in version 6 of the GNU Compiler Collection. "The x86/x86_64 is a segmented memory architecture, yet GCC has largely ignored this aspect of the Intel architecture and relied on implicit segment registers. Low level code such as the Linux kernel & glibc often have to be aware of the segmented architecture and have traditionally resorted to asm statements to use explicit segment registers for memory accesses. Starting with GCC 6, variables may be declared as being relative to a particular segment. Explicit segment registers will then be used to access those variables in memory." The GCC 6 release can be expected sometime around April.
Kategóriák: Linux

Tuesday's security advisories

k, 2016-02-23 19:19

Debian has updated libssh2 (insecure ssh sessions).

Debian-LTS has updated didiwiki (unintended access), krb5 (two vulnerabilities), libssh (insecure ssh sessions), and libssh2 (insecure ssh sessions).

Fedora has updated nghttp2 (F22: denial of service) and nodejs (F22: two vulnerabilities).

Mageia has updated 389-ds-base (denial of service).

Red Hat has updated chromium-browser (RHEL6: code execution).

Ubuntu has updated cpio (two vulnerabilities), kernel (15.10; 14.04; 12.04: multiple vulnerabilities), libssh (two vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: three vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: denial of service), oxide-qt (15.10, 14.04: code execution), and nss (12.04: regression in previous update).

Kategóriák: Linux

Kaminsky: A Skeleton Key of Unknown Strength

k, 2016-02-23 01:50
Dan Kaminsky looks at the Glibc DNS bug (CVE-2015-7547). "We’ve investigated the DNS lookup path, which requires the glibc exploit to survive traversing one of the millions of DNS caches dotted across the Internet. We’ve found that it is neither trivial to squeeze the glibc flaw through common name servers, nor is it trivial to prove such a feat is impossible. The vast majority of potentially affected systems require this attack path to function, and we just don’t know yet if it can. Our belief is that we’re likely to end up with attacks that work sometimes, and we’re probably going to end up hardening DNS caches against them with intent rather than accident. We’re likely not going to apply network level DNS length limits because that breaks things in catastrophic and hard to predict ways."
Kategóriák: Linux

Security advisories for Monday

h, 2016-02-22 20:06

Arch Linux has updated chromium (code execution) and thunderbird (multiple vulnerabilities).

Debian has updated chromium-browser (multiple vulnerabilities), didiwiki (unintended access), and xdelta3 (code execution).

Debian-LTS has updated openssl (man-in-the-middle attacks) and python-imaging (denial of service).

Fedora has updated graphite2 (F23: multiple vulnerabilities), kscreenlocker (F23; F22: restriction bypass), mariadb (F23: multiple vulnerabilities), nettle (F22: improper cryptographic calculations), ntp (F22: multiple vulnerabilities), php-horde-horde (F23; F22: cross-site scripting), poco (F23; F22: SSL server spoofing), python-pillow (F22: denial of service), qemu (F23: multiple vulnerabilities), and thunderbird (F23: multiple vulnerabilities).

openSUSE has updated chromium (13.1: multiple vulnerabilities), chromium (13.1: code execution), erlang (13.2: man-in-the-middle attack), ffmpeg (Leap42.1: denial of service), obs-service-download_files, (Leap42.1, 13.2: code injection), postgresql93 (Leap42.1, 13.2: multiple vulnerabilities, one from 2007), qemu (Leap42.1: two vulnerabilities), chromium (SPH for SLE12; Leap42.1, 13.2: code execution), kernel (13.2: two vulnerabilities), and xdelta3 (13.2; 13.1: code execution).

SUSE has updated postgresql93 (SLE12: multiple vulnerabilities, one from 2007).

Kategóriák: Linux

GNU C Library 2.23 released

h, 2016-02-22 15:49
Version 2.23 of the GNU C Library (glibc) has been released. The headline feature this time around seems to be Unicode 8.0.0 support; there are a number of API changes, performance improvements and security fixes as well.
Kategóriák: Linux

Linux Mint downloads (briefly) compromised

v, 2016-02-21 06:11
The Linux Mint blog announces that the project's web site was compromised and made to point to a backdoored version of the distribution. "As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either. Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th."

Update: it appears that the Linux Mint forums were compromised too; users should assume that their passwords have been exposed.

Kategóriák: Linux

Kernel prepatch 4.5-rc5

v, 2016-02-21 01:12
The 4.5-rc5 kernel prepatch is out, one day ahead of the usual schedule. "Things continue to look normal, and things have been fairly calm. Yes, the VM THP cleanup seems to still be problematic on s390, but other than that I don't see anything particularly worrisome."
Kategóriák: Linux

Two new stable kernels

szo, 2016-02-20 01:16

Greg Kroah-Hartman has announced the release of stable kernels 4.3.6 and 3.10.97. Both contain important updates throughout the tree. In addition, 4.3.6 is the last release for the now end-of-life 4.3 kernel branch; users will need to migrate to the 4.4 series.

Kategóriák: Linux

Ardour 4.7 released

p, 2016-02-19 22:56

Version 4.7 of the Ardour digital-audio workstation has been released. The update includes two key new features: a dialog that displays detailed spectral and waveform analysis for exported files, and substantially improved support for Mackie Control brand hardware control consoles. Many other improvements are listed in the announcement, including preliminary support for importing work from ProTools 10 and 11.

Kategóriák: Linux

Friday's security updates

p, 2016-02-19 17:20

CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities).

Debian has updated cpio (denial of service).

Debian-LTS has updated libmatroska (code execution).

Mageia has updated glibc (M5: multiple vulnerabilities) and nodejs (M5: multiple vulnerabilities).

openSUSE has updated glibc (13.2: multiple vulnerabilities; 11.4, 13.1: code execution).

Oracle has updated kernel (O7; O6: privilege escalation) and thunderbird (O7; O6: multiple vulnerabilities).

Red Hat has updated openstack-heat (RHEL7: denial of service) and thunderbird (RHEL 5,6,7: multiple vulnerabilities).

Scientific Linux has updated thunderbird (SL 5,6,7: multiple vulnerabilities).

Ubuntu has updated oxide-qt (14.04, 15.10: multiple vulnerabilities).

Kategóriák: Linux

Kirkland: ZFS licensing and Linux

p, 2016-02-19 00:45
Dustin Kirkland justifies Ubuntu's plans to ship the ZFS filesystem kernel module. "And zfs.ko, as a self-contained file system module, is clearly not a derivative work of the Linux kernel but rather quite obviously a derivative work of OpenZFS and OpenSolaris. Equivalent exceptions have existed for many years, for various other stand alone, self-contained, non-GPL and even proprietary (hi, nvidia.ko) kernel modules."
Kategóriák: Linux

Open source Zephyr Project aims to deliver an RTOS

cs, 2016-02-18 21:09
The Linux Foundation has announced the Zephyr Project, which is aimed at building a real-time operating system (RTOS) for the Internet of Things (IoT). "Modularity and security are key considerations when building systems for embedded IoT devices. The Zephyr Project prioritizes these features by providing the freedom to use the RTOS as is or to tailor a solution. The project’s focus on security includes plans for a dedicated security working group and a delegated security maintainer. Broad communications and networking support is also addressed and will initially include Bluetooth, Bluetooth Low Energy and IEEE 802.15.4, with plans to expand communications and networking support over time." The Zephyr Kernel v1.0.0 Release Notes provide more details.
Kategóriák: Linux

Security updates for Thursday

cs, 2016-02-18 18:41

Arch Linux has updated lib32-glibc (multiple vulnerabilities).

Debian has updated libreoffice (two code execution flaws).

Fedora has updated hamster-time-tracker (F23: two denial of service flaws).

Mageia has updated cacti (authentication bypass), claws-mail (two vulnerabilities), cpio (code execution), eog (code execution from 2013), eom (code execution from 2013), gambas3 (code execution from 2013), gnome-photos (code execution from 2013), graphite2/firefox (multiple vulnerabilities), gtk+2.0 (code execution from 2013), libgcrypt (key leak), libxmp (multiple vulnerabilities), nginx (three vulnerabilities), pinpoint (code execution from 2013), python-pillow (two code execution flaws), thunar (code execution from 2013), and thunderbird (multiple vulnerabilities).

Ubuntu has updated nss (15.10, 14.04, 12.04: cryptographic weakness).

Kategóriák: Linux

[$] Weekly Edition for February 18, 2016

cs, 2016-02-18 05:56
The Weekly Edition for February 18, 2016 is available.
Kategóriák: Linux

Stable kernel updates

sze, 2016-02-17 23:52
Greg Kroah-Hartman has released stable kernels 4.4.2 and 3.14.61. Both of them contain important fixes.
Kategóriák: Linux