Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 25 perc 45 másodperc

Security updates for Thursday

cs, 2014-08-28 15:38

Debian has updated s3ql (code execution).

Mageia has updated x11vnc (code execution).

openSUSE has updated phpMyAdmin (13.1, 12.3: multiple vulnerabilities) and python3 (12.3: two vulnerabilities).

Ubuntu has updated squid3 (14.04, 12.04: denial of service).

Kategóriák: Linux

2014 Kernel OPW internship report

cs, 2014-08-28 13:59
Sarah Sharp has posted an update on the kernel internships managed through the Outreach Program for Women, with an emphasis on what past participants are doing now. "Many people may be disappointed that those three OPW alumni aren’t working on open source, but I’m overjoyed that these women have found jobs in the technology sector. This fact is heartening to me because many of the women that participate in OPW were working in retail before their internship. To be able to move into the technology sector is a giant step in the right direction, and I’m happy that the OPW program could be a part of that."
Kategóriák: Linux

PHP 5.6.0 released

cs, 2014-08-28 13:35
The PHP 5.6.0 release is available. There's a number of new features, including constant scalar expressions, a new "..." operator for both variadic functions and sequence unpacking, an exponentiation operator, an integrated interactive debugger, and more. See the PHP 5.6.0 migration guide for more information.
Kategóriák: Linux

[$] LWN.net Weekly Edition for August 28, 2014

cs, 2014-08-28 01:46
The LWN.net Weekly Edition for August 28, 2014 is available.
Kategóriák: Linux

[$] Visual legerdemain abounds in G'MIC 1.6.0

sze, 2014-08-27 22:59
A new stable release of the G'MIC image-processing framework was recently released. Version 1.6.0 adds a number of new commands and filters useful for manipulating image data, as well as changes to the codebase that will hopefully make G'MIC easier to integrate into other applications.

Click below (subscribers only) for a look at the G'MIC 1.6.0 release and associated GIMP plugin.

Kategóriák: Linux

Security advisories for Wednesday

sze, 2014-08-27 17:33

Debian has updated eglibc (code execution).

Fedora has updated jakarta-commons-httpclient (F20; F19: SSL server spoofing), krb5 (F19: code execution), mediawiki (F20; F19: multiple vulnerabilities), python-pillow (F20; F19: denial of service), and sks (F20; F19: cross-site scripting).

Mageia has updated file (denial of service), grub2 (denial of service/possible code execution), harbour (denial of service/possible code execution), icecream (denial of service/possible code execution), italc (denial of service/possible code execution), kdenetwork4 (MG3: denial of service/possible code execution), libvncserver (denial of service/possible code execution), and serf (information leak).

Red Hat has updated devtoolset-2-httpcomponents-client (RHDT2: SSL server spoofing), kernel (RHEL6.4 EUS: multiple vulnerabilities), and ror40-rubygem-activerecord (RHSCL1: strong parameter protection bypass).

Kategóriák: Linux

MediaGoblin 0.7.0 released

sze, 2014-08-27 13:16
Version 0.7.0 of the MediaGoblin media publishing platform is available. New features include initial federation support, a switch to a responsive CSS system, a "featured media" option, bulk uploading via the command line, and more. "Well we’re excited to announce that the first piece towards MediaGoblin federation has landed! We don’t have server-to-server federation working yet, but we do have the first parts of the Pump API in place: you can now use the Pump API as a media upload API!"
Kategóriák: Linux

Cluetrain at Fifteen (Linux Journal)

sze, 2014-08-27 00:13
Doc Searls looks back over the fifteen years that have passed since he (along with Chris Locke, David Weinberger and Rick Levine) wrote "The Cluetrain Manifesto". "What we had in mind was much fresher to me in the Summer of 2000, when I worked with Jason Schumaker, another Linux Journal editor, on an interview about Cluetrain and its relevance to Linux. What we ended up with was too long for both the magazine and our website at the time, so the project got sidelined and eventually buried in archival directories, where it stayed until this morning, when I found it during a search for something else. Reading it, I realized that I had come across a kind of time capsule."
Kategóriák: Linux

Tuesday's security advisory

k, 2014-08-26 16:54
Today we have only one security advisory. Ubuntu has updated openjdk-7 (14.04: fixes a regression in a previous update).
Kategóriák: Linux

The poisoned NUL byte, 2014 edition (Project Zero)

k, 2014-08-26 14:15
For those interested in the gory details of a complex exploit, Google's Project Zero page describes the process of getting arbitrary code execution from a single NUL byte written to the heap by glibc in an off-by-one error. "The main point of going to all this effort is to steer industry narrative away from quibbling about whether a given bug might be exploitable or not. In this specific instance, we took a very subtle memory corruption with poor levels of attacker control over the overflow, poor levels of attacker control over the heap state, poor levels of attacker control over important heap content and poor levels of attacker control over program flow. Yet still we were able to produce a decently reliable exploit! And there’s a long history of this over the evolution of exploitation: proclamations of non-exploitability that end up being neither advisable nor correct."
Kategóriák: Linux

Kernel prepatch 3.17-rc2

k, 2014-08-26 13:28
Linus has released 3.17-rc2 a little later than might have been expected. "So I deviated from my normal Sunday schedule partly because there wasn't much there (I blame the KS and LinuxCon), but partly due to sentimental reasons: Aug 25 is the anniversary of the original Linux announcement ('Hello everybody out there using minix'), so it's just a good day for release announcements."
Kategóriák: Linux

LinuxCon and CloudOpen 2014 Keynote Videos Available

h, 2014-08-25 21:52
Videos of the keynotes for LinuxCon NA and CloudOpen are available. "The event started Wednesday, Aug. 20, with Executive Director Jim Zemlin's “State of Linux” keynote at 9 a.m. Central, followed by a panel discussion of Linux kernel developers that included Linux Creator Linus Torvalds."
Kategóriák: Linux

Security advisories for Monday

h, 2014-08-25 18:04

CentOS has updated mod_wsgi (C7: privilege escalation).

Debian has updated mediawiki (two vulnerabilities) and python-django (multiple vulnerabilities).

Fedora has updated file (F20: denial of service), fish (F20; F19: multiple vulnerabilities), libserf (F20: information leak), pen (F20: unspecified vulnerability), php-htmlpurifier-htmlpurifier (F20; F19: "Hash Length Extension" attack), phpMyAdmin (F20: multiple vulnerabilities), ppp (F20: privilege escalation), rubygem-activerecord (F20; F19: SQL injection), struts (F20: code execution), wordpress (F19: multiple vulnerabilities), and xen (F20; F19: denial of service).

Mageia has updated ansible (MG4: multiple vulnerabilities), bugzilla (cross-site request forgery), busybox (denial of service/possible code execution), jakarta-commons-httpclient (MG4; MG3: SSL server spoofing), and mednafen (denial of service/possible code execution).

openSUSE has updated IPython (13.1, 12.3: code execution), libgcrypt (13.1, 12.3: side-channel attack), and libserf, subversion (13.1, 12.3: multiple vulnerabilities).

Oracle has updated mod_wsgi (OL7: privilege escalation).

Red Hat has updated mod_wsgi (RHEL7: privilege escalation).

Kategóriák: Linux

[$] Kernel.org news: two-factor authentication and more

h, 2014-08-25 17:33
Kernel developers depend heavily on kernel.org for the hosting of Git repositories and the management of patch flow in general, so it is not surprising that the annual Kernel Summit sets aside a slot to discuss what is happening with this site. In recent years, there has been a lot of change to discuss, mostly relating to the reorganization of kernel.org management resulting from the compromise of the site in 2011. The 2014 kernel.org discussion, run by Konstantin Ryabitsev, shows that, in a lot of ways, the pace of change is slowing, but the kernel.org maintainers are still working to improve their support and make it more secure.
Kategóriák: Linux

Day: New Human Interface Guidelines for GNOME and GTK+

p, 2014-08-22 22:25

At his blog, Allan Day announces the preliminary availability of a brand-new edition of the GNOME Human Interface Guidelines (HIG). Prepared for the upcoming GNOME 3.14 release, this is the first major overhaul of the GNOME HIG in some time. Day notes: "There is a downside to all the experimentation that has been happening in software design in recent years, of course – it can often be a bewildering space to navigate. This is where the HIG comes in. Its goal is to help developers and designers take advantage of the new abilities at their disposal, without losing their way in the process. This is reflected in the structure of the new HIG: the guidelines don’t enforce a single template on which applications have to be based, but presents a series of patterns and elements which can be drawn upon." He also emphasizes that the new HIG, despite its name, is not a GNOME-only document, but is designed to aid interface design in other GTK+ applications, too.

Kategóriák: Linux

Calibre 2.0 released

p, 2014-08-22 21:14
Version 2.0 of the Calibre electronic book management tool has been released. There is a long list of new features since the 1.0 release. "The biggest new feature is an e-book editor, capable of editing ebooks in both the EPUB and AZW3 (Kindle) formats."
Kategóriák: Linux

Friday's security updates

p, 2014-08-22 16:21

Debian has updated python-imaging (denial of service).

Mageia has updated krb5 (multiple vulnerabilities) and sdcc (denial of service).

Ubuntu has updated ceilometer (14.04: information leak), glance (14.04: denial of service), horizon (14.04: multiple vulnerabilities), keystone (14.04: multiple vulnerabilities), neutron (14.04: multiple vulnerabilities), and nova (14.04: information leak).

Kategóriák: Linux

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back

cs, 2014-08-21 23:40

The Free Software Foundation blog has posted an article detailing a newly discovered government surveillance project as well as a new technological countermeasure. The surveillance project is known as HACIENDA, as is reportedly a multi-national effort "to map every server in twenty-seven countries, employing a technique known as port scanning." The countermeasure, developed by Julian Kirsch, Christian Grothoff, Jacob Appelbaum, and Holger Kenn, is called TCP Stealth. According to the TCP Stealth whitepaper, the system "replaces the traditional random TCP SQN number with a token that authenticates the client and (optionally) the first bytes of the TCP payload. Clients and servers can enable TCP Stealth by explicitly setting a socket option or linking against a library that wraps existing network system calls." A Linux implementation of the scheme is available.

Kategóriák: Linux

Thursday's security updates

cs, 2014-08-21 18:46

Debian has updated libstruts1.2-java (code execution) and php5 (multiple vulnerabilities).

Fedora has updated drupal7 (F19; F20: denial of service), drupal7-date (F19; F20: cross-site scripting), libndp (F19; F20: code execution), and wordpress (F20: denial of service).

Mageia has updated catfish (M3; M4: privilege escalation), gpgme (code execution), phpmyadmin (multiple vulnerabilities), python-imaging, python-pillow (denial of service), and subversion (M3; M4: information leak).

openSUSE has updated openstack-neutron (13.1: access restriction bypass), apache2 (12.3; 13.1: multiple vulnerabilities), apache2-mod_security2 (rules bypass), krb5, (code execution), openssl (multiple vulnerabilities), python (12.3; 13.1: information leak), python3 (13.1: information leak), and samba (13.1: multiple vulnerabilities).

Red Hat has updated openstack-nova (RHEL OpenStack: multiple vulnerabilities).

Ubuntu has updated oxide-qt (14.04: multiple vulnerabilities).

Kategóriák: Linux

Linux Foundation Technical Advisory Board election results

cs, 2014-08-21 17:09
The results from the Linux Foundation TAB election have been announced; the five open seats went to Chris Mason, John Linville, H. Peter Anvin, Grant Likely, and Kristen Accardi.
Kategóriák: Linux