Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 9 perc 40 másodperc

Security advisories for Monday

h, 2015-05-18 18:50

Arch Linux has updated thunderbird (multiple vulnerabilities).

CentOS has updated thunderbird (C7: multiple vulnerabilities).

Debian has updated libmodule-signature-perl (multiple vulnerabilities).

Debian-LTS has updated dpkg (integrity-verification bypass), nbd (denial of service), and tiff (multiple vulnerabilities).

Fedora has updated java-1.8.0-openjdk (F21: unspecified vulnerability), NetworkManager (F21: denial of service), phpMyAdmin (F21; F20: two vulnerabilities), qemu (F21: code execution), and t1utils (F21; F20: multiple vulnerabilities).

Mageia has updated ruby-rest-client (two vulnerabilities) and virtualbox (code execution).

openSUSE has updated flash-player (11.4: multiple vulnerabilities), qemu (13.2; 13.1: code execution), and firefox (11.4: multiple vulnerabilities).

Red Hat has updated thunderbird (RHEL5,6,7: multiple vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated KVM (SLE11SP3: code execution), qemu (SLE12: two vulnerabilities), and spice (SLE12; SLESDK12: denial of service).

Kategóriák: Linux

[$] An introduction to Clear Containers

h, 2015-05-18 18:04
Guest author Arjan van de Ven writes: "Containers are hot. Everyone loves them. Developers love the ease of creating a "bundle" of something that users can consume; DevOps and information-technology departments love the ease of management and deployment." A group at Intel is working on a new approach to containers called "Clear Containers"; click below (subscribers only) for an introduction to how these containers work.
Kategóriák: Linux

Hardening Hypervisors Against VENOM-Style Attacks (Xen Project Blog)

p, 2015-05-15 22:20
The Xen Project looks at a mechanism to mitigate vulnerabilities like VENOM that attack emulation layers in QEMU. "The good news is it’s easy to mitigate all present and future QEMU bugs, which the recent Xen Security Advisory emphasized as well. Stubdomains can nip the whole class of vulnerabilities exposed by QEMU in the bud by moving QEMU into a de-privileged domain of its own. Instead of having QEMU run as root in dom0, a stubdomain has access only to the VM it is providing emulation for. Thus, an escape through QEMU will only land an attacker in a stubdomain, without access to critical resources. Furthermore, QEMU in a stubdomain runs on MiniOS, so an attacker would only have a very limited environment to run code in (as in return-to-libc/ROP-style), having exactly the same level of privilege as in the domain where the attack started. Nothing is to be gained for a lot of work, effectively making the system as secure as it would be if only PV drivers were used." The Red Hat Security Blog also noted this kind of mitigation for VENOM-style attacks.
Kategóriák: Linux

Rust 1.0 released

p, 2015-05-15 19:15
Version 1.0 of the Rust language has been released. "The 1.0 release marks the end of that churn. This release is the official beginning of our commitment to stability, and as such it offers a firm foundation for building applications and libraries. From this point forward, breaking changes are largely out of scope (some minor caveats apply, such as compiler bugs). That said, releasing 1.0 doesn’t mean that the Rust language is “done”. We have many improvements in store. In fact, the Nightly builds of Rust already demonstrate improvements to compile times (with more to come) and includes work on new APIs and language features, like std::fs and associated constants."
Kategóriák: Linux

Friday's security updates

p, 2015-05-15 15:50

Arch Linux has updated wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities).

SUSE has updated flash-player (SLE12: multiple vulnerabilities).

Kategóriák: Linux

3 big lessons I learned from running an open source company (Opensource.com)

cs, 2015-05-14 21:58
Over at Opensource.com, Lucidworks co-founder and CTO Grant Ingersoll writes about lessons he has learned from running an open-source company. "You might ask, 'Why not open source it all and just provide support?' It's a fair question and one I think every company that open sources code struggles to answer, unless they are a data company (e.g., LinkedIn, Facebook), a consulting company, or a critical part of everyone's infrastructure (e.g., operating systems) and can live off of support alone. Many companies start by open sourcing to gain adoption and then add commercial features (and get accused of selling out), whereas others start commercial and then open source. Internally, the sales side almost always wants "something extra" that they can hang their quota on, while the engineers often want it all open because they know they can take their work with them."
Kategóriák: Linux

Thursday's security updates

cs, 2015-05-14 17:58

Arch Linux has updated qemu (code execution).

CentOS has updated firefox (C5: multiple vulnerabilities), kernel (C7: code execution), kvm (C5: code execution), qemu-kvm (C7; C6: code execution), and xen (C5: code execution).

Debian has updated iceweasel (multiple vulnerabilities) and qemu (multiple vulnerabilities).

Debian-LTS has updated icu (multiple vulnerabilities some from 2013).

Fedora has updated ca-certificates (F21: certificate changes), firefox (F21: multiple vulnerabilities), gnutls (F21: signature algorithm verification botch), libssh (F21: denial of service), and thunderbird (F21: two vulnerabilities).

Mageia has updated darktable (denial of service), kernel-linus (three vulnerabilities), kernel-tmb (multiple vulnerabilities), libraw (denial of service), qemu (code execution), rawtherapee (denial of service), ufraw and dcraw (denial of service), and wireshark (three dissector vulnerabilities).

Oracle has updated firefox (OL6: multiple vulnerabilities), kvm (OL5: denial of service), qemu-kvm (OL7; OL6: code execution), kernel (OL7; OL6; OL6; OL5: multiple vulnerabilities), and xen (OL5: code execution).

Scientific Linux has updated firefox (SL7,SL6,SL5: multiple vulnerabilities), kernel (SL7: code execution), kexec-tools (SL7: arbitrary file overwrite), pcs (SL7; SL6: privilege escalation), qemu-kvm (SL7; SL6: code execution), tomcat (SL7: HTTP request smuggling), and tomcat6 (SL6: HTTP request smuggling).

SUSE has updated kvm (SLE11SP3: denial of service).

Ubuntu has updated firefox (multiple vulnerabilities) and qemu, qemu-kvm (three vulnerabilities).

Kategóriák: Linux

[$] LWN.net Weekly Edition for May 14, 2015

cs, 2015-05-14 03:08
The LWN.net Weekly Edition for May 14, 2015 is available.
Kategóriák: Linux

Linux 3.19.y-ckt extended stable support

sze, 2015-05-13 21:08
Kamal Mostafa has announced that Canonical's kernel team will pick up stable maintenance of the 3.19 kernel series, until July 2016.
Kategóriák: Linux

Stable kernel updates

sze, 2015-05-13 20:46
Greg Kroah-Hartman has released stable kernels 4.0.3, 3.14.42, and 3.10.78. All of them contain important fixes.
Kategóriák: Linux

[$] CoreOS Fest and the world of containers, part 1

sze, 2015-05-13 20:26

It's been a Linux container bonanza in San Francisco recently, and that includes a series of events and announcements from multiple startups and cloud hosts. It seems like everyone is fighting for a piece of what they hope will be a new multi-billion-dollar market. This included Container Camp on April 17 and CoreOS Fest on May 5th and 6th, with DockerCon to come near the end of June. While there is a lot of hype, the current container gold rush has yielded more than a few benefits for users — and caused technological development so rapid it is hard to keep up with.

Subscribers can click below for a report by guest author Josh Berkus from this week's edition.

Kategóriák: Linux

Security advisories for Wednesday

sze, 2015-05-13 19:25

Arch Linux has updated firefox (multiple vulnerabilities) and tomcat6 (denial of service).

CentOS has updated firefox (C7; C6: multiple vulnerabilities), kexec-tools (C7: file overwrites), pcs (C7; C6: privilege escalation), tomcat (C7: HTTP request smuggling), and tomcat6 (C6: HTTP request smuggling).

Debian has updated quassel (SQL injection).

Fedora has updated clamav (F20: multiple vulnerabilities), dpkg (F21; F20: two vulnerabilities), kernel (F21: two vulnerabilities), texlive (F21: predictable filenames), and wpa_supplicant (F20: code execution).

Gentoo has updated ettercap (multiple vulnerabilities).

Mageia has updated dnsmasq (information disclosure), flash-player-plugin (multiple vulnerabilities), hostapd (denial of service), netcf (denial of service), pam (two vulnerabilities), and testdisk (multiple vulnerabilities).

Oracle has updated firefox (OL7; OL5: multiple vulnerabilities), kernel (OL7: two vulnerabilities), kexec-tools (OL7: file overwrites), tomcat (OL7: HTTP request smuggling), and tomcat6 (OL6: HTTP request smuggling).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), kernel (RHEL7: privilege escalation), kernel-rt (RHEL7; RHEMRG2.5: privilege escalation), kexec-tools (RHEL7: file overwrites), kvm (RHEL5: code execution), pcs (RHEL7; RHEL6: privilege escalation), qemu-kvm (RHEL7; RHEL6: code execution), qemu-kvm-rhev (RHEL7, RHEL6, RHEL OSP4,5,6: code execution), tomcat (RHEL7: HTTP request smuggling), tomcat6 (RHEL6: HTTP request smuggling), and xen (RHEL5: code execution).

Scientific Linux has updated kvm (SL5: code execution) and xen (SL5: code execution).

Slackware has updated mozilla (multiple vulnerabilities).

SUSE has updated php5 (SLE12: multiple vulnerabilities).

Kategóriák: Linux

[$] Trading off safety and performance in the kernel

k, 2015-05-12 22:04
The kernel community ordinarily tries to avoid letting users get into a position where the integrity of their data might be compromised. There are exceptions, though; consider, for example, the ability to explicitly flush important data to disk (or more importantly, to avoid flushing at any given time). Buffering I/O in this manner can significantly improve disk write I/O throughput, but if application developers are careless, the result can be data loss should the system go down at an inopportune time. Recently there have been a couple of proposed performance-oriented changes that have tested the community's willingness to let users put themselves into danger.

Click below (subscribers only) for the full story from this week's Kernel Page.

Kategóriák: Linux

Firefox 38.0

k, 2015-05-12 21:00
Mozilla has released Firefox 38.0. This version features new tab-based preferences and Ruby annotation support. Also, it will be the base for the next ESR release. The release notes contain more information.
Kategóriák: Linux

Tuesday's security updates

k, 2015-05-12 18:28

Debian has updated mercurial (two vulnerabilities).

Mageia has updated async-http-client (two vulnerabilities), glpi (privilege escalation), kernel (multiple vulnerabilities), libarchive (denial of service), libssh (denial of service), mailman (path traversal attack), pnp4nagios (cross-site scripting), postgis (multiple vulnerabilities), ruby-redcarpet (cross-site scripting), and springframework (information disclosure).

openSUSE has updated Chromium (13.2, 13.1: two vulnerabilities), curl (13.2, 13.1: information leak), dnsmasq (13.2, 13.1: information disclosure), gnu_parallel (13.2, 13.1: file overwrite), libreoffice (13.2: code execution), libssh (13.2, 13.1: denial of service), libtasn1 (13.2, 13.1: denial of service), pcre (13.2, 13.1: multiple vulnerabilities), and php5 (13.2, 13.1: multiple vulnerabilities).

Slackware has updated mariadb (multiple unspecified vulnerabilities), mysql (multiple unspecified vulnerabilities), and wpa_supplicant (code execution).

Ubuntu has updated libmodule-signature-perl (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities) and openssl (12.04: re-enable TLSv1.2 by default).

Kategóriák: Linux

The Foresight Linux Project shuts down

k, 2015-05-12 15:06
The development of the Foresight Linux distribution has come to an end. "The Foresight Linux Council has determined that there has been insufficient volunteer activity to sustain meaningful new development of Foresight Linux. Faced with the need either to update the project's physical infrastructure or cease operations, we find no compelling reason to update the infrastructure."
Kategóriák: Linux

The last stable 3.19.x kernel

h, 2015-05-11 19:56
Greg Kroah-Hartman has released stable kernel 3.19.8. This is the last kernel in the 3.19.x series and users should upgrade to 4.0.x.
Kategóriák: Linux

Security advisories for Monday

h, 2015-05-11 18:38

Arch Linux has updated docker (multiple vulnerabilities).

Debian has updated libtasn1-6 (denial of service), suricata (denial of service), and zeromq3 (security bypass).

Fedora has updated firefox (F20: multiple vulnerabilities), libreoffice (F20: code execution), netcf (F21; F20: denial of service), perl-XML-LibXML (F21; F20: information disclosure), proftpd (F21: unauthenticated copying of files), prosody (F20: denial of service), thunderbird (F20: multiple vulnerabilities), and xulrunner (F20: multiple vulnerabilities).

Mageia has updated wordpress (cross-site scripting).

Ubuntu has updated icu (15.04, 14.10, 14.04: code execution), kernel (14.10, 14.04: regression in previous update), libtasn1-3, libtasn1-6 (15.04, 14.10, 14.04, 12.04: denial of service), linux-lts-utopic (14.04: regression in previous update), and linux-lts-trusty (12.04: regression in previous update).

Kategóriák: Linux

Kernel prepatch 4.1-rc3

h, 2015-05-11 14:29
The 4.1 development cycle continues with the release of 4.1-rc3. "Go out and test. By -rc3, things really should be pretty non-threatening and this would be a good time to just make sure everything is running smoothly if you haven't tried one of the earlier development kernels already."
Kategóriák: Linux

Testable Examples in Go

p, 2015-05-08 23:24

At the Go Blog, Andrew Gerrand provides a look at the language's approach to combining example code and documentation. "Godoc examples are snippets of Go code that are displayed as package documentation and that are verified by running them as tests. They can also be run by a user visiting the godoc web page for the package and clicking the associated "Run" button. Having executable documentation for a package guarantees that the information will not go out of date as the API changes." Each package's examples are compiled as part of the package test suite; examples can also (optionally) be executed in order to capture failures with the testing framework.

Kategóriák: Linux