Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Stable kernels 3.14.5 and 3.10.41

Sun, 2014-06-01 03:03
Greg Kroah-Hartman has announced the release of the 3.14.5 and 3.10.41 stable kernels. As is the norm, they contain important fixes throughout the tree and users should upgrade.
Categories: Linux

[$] Questioning corporate involvement in GNOME development

Sat, 2014-05-31 14:17
It is a rare free software project that feels it has too many developers; indeed, most could benefit from more development help. One way to get that help is to have a company pay developers to work on a project; the presence of paid developers is often one of the first signs that a particular project is gaining traction. But paid developers often bring with them worries that the company footing the bill will seek to drive the project in undesirable directions. The GNOME project, which is conducting its annual election for its board of directors until June 8, has an opportunity to say that corporate involvement in development has gone too far — or not.

Mozilla to build WebRTC chat into Firefox

Sat, 2014-05-31 01:51

At the Mozilla "Future Releases" blog, Chad Weiner announces a new feature just added to the latest Firefox Nightly builds: WebRTC-powered audio/video chat functionality. The feature "aims to connect everyone with a WebRTC-enabled browser. And that’s all you will need. No plug-ins, no downloads. If you have a browser, a camera and a mic, you’ll be able to make audio and video calls to anyone else with an enabled browser. It will eventually work across all of your devices and operating systems. And we’ll be adding lots more features in the future as we roll it out to more users." Cross-browser multimedia chat has been demonstrated with WebRTC before, of course, but the functionality has not been built in. Firefox will evidently use OpenTok, a WebRTC application platform, in its implementation.


Friday's security updates

Fri, 2014-05-30 19:35

Fedora has updated emacs (F20: multiple vulnerabilities) and moodle (F19; F20: multiple vulnerabilities).

Mageia has updated libgadu (code execution) and mumble (multiple vulnerabilities).

openSUSE has updated policycoreutils (12.3, 13.1: privilege escalation) and python-lxml (12.3, 13.1: code injection).

Red Hat has updated openstack-foreman-installer (RHEL OSP4: insecure defaults), openstack-heat-templates (RHEL OSP4: multiple vulnerabilities), openstack-keystone (RHEL OSP4: restriction bypass), openstack-neutron (RHEL OSP4: multiple vulnerabilities), openstack-nova (RHEL OSP4: information leak), and python-django-horizon (RHEL OSP4: cross-site scripting).

SUSE has updated IBM Java 6 (SLES10 SP3,4; SLES11 SP2: multiple vulnerabilities) and IBM Java 7 (SLES11 SP2: multiple vulnerabilities).


[$] LWN.net Weekly Edition for May 30, 2014

Fri, 2014-05-30 03:58
The LWN.net Weekly Edition for May 30, 2014 is available.

[$] PyPI, pip, and external repositories

Thu, 2014-05-29 23:50

A debate about Python modules—and where and how they are hosted—raged in early May on two separate Python mailing lists. There are a number of interrelated issues that make up the debate, but the core question seems to be: should the now-default pip package manager treat the "official" module repository differently than other repositories? Some see "external modules"—those not hosted at the Python Package Index (PyPI)—as a potential reliability problem, while others don't see much difference between external and PyPI-hosted modules.

Subscribers can click below for a look at the discussion from this week's edition.


Security advisories for Thursday

Thu, 2014-05-29 16:31

Fedora has updated libpng (F20: two denial of service flaws), libtiff (F20: code execution), openstack-neutron (F20: access restriction bypass), and php-ZendFramework2 (F20; F19: multiple vulnerabilities).

Mageia has updated cifs-utils (code execution), libvirt (two vulnerabilities), mono (M3: denial of service from 2012), qt4 (M3: denial of service), and qt4 and qtbase5 (M4: denial of service).

openSUSE has updated libgadu (two vulnerabilities).

SUSE has updated firefox (SLE10SP4; SLE10SP3: multiple vulnerabilities) and IBM Java 6 (SLE11SP2: multiple vulnerabilities).


A Core Infrastructure Initiative announcement

Thu, 2014-05-29 16:01
The Linux Foundation has put out a press release describing the evolution of its new "Core Infrastructure Initiative," which directs funding to developers of projects deemed to be both critical and short of resources. The first projects to be funded will be OpenSSL, OpenSSH, and the network time protocol (NTP) implementation. The steering committee for the initiative has been picked; it includes Alan Cox, Eben Moglen, Bruce Schneier, and Ted Ts'o. And a few more companies (Adobe, Bloomberg, HP, Huawei and salesforce.com) have added their support to the program.

Git 2.0.0 released

Thu, 2014-05-29 14:08
Version 2.0.0 of the Git source code management system is available. See What to expect in Git 2.0 for an overview of new features; there is also an extensive set of release notes in the announcement.

"TrueCrypt is not secure," official SourceForge page abruptly warns (Ars Technica)

Thu, 2014-05-29 01:25
Ars Technica reports that the SourceForge-hosted web page for the TrueCrypt encryption program suddenly changed to carry a prominent security warning. It indicates that the program may "contain unfixed security issues" and "is not secure". A new version of TrueCrypt, 7.2, has been released, but with some major differences: "The SourceForge page, which was delivered to people trying to view truecrypt.org pages, contained a new version of the program that, according to this "diff" analysis [.diff.gz], appears to contain changes warning that the program isn't safe to use. Curiously, the new release also appeared to let users decrypt encrypted data but not create new volumes. Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank."

This week's edition will be published on May 30

Thu, 2014-05-29 00:01
Just a reminder to those expecting the LWN Weekly Edition in the next few hours: due to the Memorial Day holiday this week, we are operating on our one-day delay schedule. So this week's edition will be published on the 30th, rather than the 29th.

Wednesday's security advisories

Wed, 2014-05-28 17:34

CentOS has updated curl (C6: two vulnerabilities) and libvirt (C6: information disclosure/denial of service).

Fedora has updated mumble (F20; F19: multiple vulnerabilities) and seamonkey (F20; F19: multiple vulnerabilities).

Gentoo has updated xmonad-contrib (command injection).

openSUSE has updated rubygem-actionpack-3_2 (13.1; 12.3: information leak) and tor (13.1, 12.3: information disclosure).

Oracle has updated curl (OL6: two vulnerabilities) and libvirt (OL6: information disclosure/denial of service).

Red Hat has updated curl (RHEL6: two vulnerabilities), kernel-rt (RHE MRG 2.5: multiple vulnerabilities), and libvirt (RHEL6: information disclosure/denial of service).

Scientific Linux has updated curl (SL6: two vulnerabilities) and libvirt (SL6: information disclosure/denial of service).


Exim 4.82.1 security release

Wed, 2014-05-28 15:12
The developers of the Exim mail transport agent have issued an urgent security release fixing a remote code execution vulnerability. Most users are probably not vulnerable, though: to be affected, a site must (1) be running the 4.82 release, and (2) have enabled the non-default EXPERIMENTAL_DMARC feature. Sites meeting those criteria should update immediately; everybody else can probably wait.

PHP next generation — or not

Wed, 2014-05-28 15:06
Many sites have linked to this PHP.net post describing plans for the incorporation of a just-in-time compiler into the next major release of PHP. Interestingly, it seems that much of the PHP development community is unhappy with this posting and is discussing changing or simply deleting it. There may be a JIT in a future PHP release, but it seems it was a bit early to proclaim it to the world.

Security advisories for Tuesday

Tue, 2014-05-27 18:34

Debian has updated mod-wsgi (two vulnerabilities).

Fedora has updated python-django (F20; F19: two vulnerabilities), python-django14 (F20: two vulnerabilities), and python-django15 (F20: two vulnerabilities).

openSUSE has updated libxml2 (13.1, 12.3: fixes a regression in a previous update) and PostfixAdmin (13.1, 12.3: SQL command execution).

Ubuntu has updated kernel (14.04 LTS; 13.10: multiple vulnerabilities), linux-lts-quantal (12.04 LTS: multiple vulnerabilities), linux-lts-raring (12.04 LTS: multiple vulnerabilities), linux-lts-saucy (12.04 LTS: multiple vulnerabilities), and linux-ti-omap4 (12.04 LTS: multiple vulnerabilities).


Claws Mail 3.10.0 released

Tue, 2014-05-27 15:09
Version 3.10.0 of the Claws Mail email client is available. New features include improved SSL certificate management, automatic email account configuration, a number of new configuration options, and more.

Perl 5.20.0 released

Tue, 2014-05-27 15:06
The Perl 5.20.0 release is out. "Perl 5.20.0 represents approximately 12 months of development since Perl 5.18.0 and contains approximately 470,000 lines of changes across 2,900 files from 124 authors." Significant changes include subroutine signatures, improved random number generation, a new slice syntax, postfix dereferencing, improved 64-bit support, various performance improvements, and more; see the changelog for lots of details.

AOSP Debugging and Performance Analysis course materials available

Mon, 2014-05-26 23:31
On Google+, Opersys CEO Karim Yaghmour has announced the availability of the course materials (slides and exercises) for the company's Android Open Source Project (AOSP) Debugging and Performance Analysis class. The materials are available under the CC-BY-SA (Attribution-ShareAlike) license. "I've been helping people use Android in all sorts of devices for quite a few years now and one of the top requests I get is for information on how to debug the AOSP's internals. As with many things related to Android's internals, such information has been hard to come by. Until now ... [...] The material is built around the Inforce IFC6410 board because it was one of the only dev boards I could find that actually has both Android running on it while still having full performance counter support in perf --- sidenote, perf support on ARM SoCs, especially in combination with Android, tends to be partial at best."

Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass (Ars Technica)

Mon, 2014-05-26 23:14
Ars Technica is reporting on a WordPress bug that allows attackers to use a captured, unencrypted cookie to break into an account. "[Electronic Frontier Foundation staff technologist Yan] Zhu snagged a cookie for her own account the same way a malicious hacker might and then pasted it into a fresh browser profile. When she visited WordPress she was immediately logged in—without having to enter her credentials and even though she had enabled two-factor authentication. She was then able to publish blog posts, read private posts and blog stats, and post comments that were attributed to her account. As if that wasn't enough, she was able to use the cookie to change the e-mail address assigned to the account and, if two-factor authentication wasn't already in place, set up the feature. That means a hacker exploiting the vulnerability could lock out a vulnerable user. When the legitimate user tried to access the account, the attempt would fail, since the one-time passcode would be sent to a number controlled by the attacker. Remarkably, the pilfered cookie will remain valid for three years, even if the victim logs out of the account before then."

Monday's security updates

Mon, 2014-05-26 16:14

Fedora has updated libvirt (F20: information disclosure/denial of service), mutt (F19: code execution), perl-LWP-Protocol-https (F19: SSL certificate verification botch), qt (F19: denial of service), rubygem-actionpack (F20; F19: information leak), and zabbix (F20; F19: access restriction bypass).

Mageia has updated kernel-linus (M3: multiple vulnerabilities), kernel-rt (M3: multiple vulnerabilities), kernel-tmb (M4; M3: multiple vulnerabilities), kernel-vserver (M3: multiple vulnerabilities), and mariadb (multiple unspecified vulnerabilities).

Ubuntu has updated EC2 kernel (10.04: multiple vulnerabilities), kernel (12.04; 10.04: multiple vulnerabilities), and mod-wsgi (14.04, 13.10, 12.04: two vulnerabilities).
