Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 1 perc 18 másodperc

Stable kernels 4.8.15 and 4.4.39

cs, 2016-12-15 19:10
The 4.8.15 and 4.4.39 stable kernels have been released. As always, users of those series should upgrade.
Kategóriák: Linux

Security advisories for Thursday

cs, 2016-12-15 18:10

Debian has updated game-music-emu (code execution).

Fedora has updated tomcat (F25; F24; F23: three vulnerabilities).

openSUSE has updated flash-player (13.2: multiple vulnerabilities), gstreamer-plugins-bad (42.1, 13.2: two code execution flaws), and python-Twisted (42.1: HTTP proxy redirect).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).

Scientific Linux has updated 389-ds-base (SL7: three vulnerabilities), bind (SL7: denial of service), curl (SL7: three vulnerabilities), dhcp (SL7: denial of service), expat (SL7&6: code execution), firefox (multiple vulnerabilities), firefox (code execution), firewalld (SL7: authentication bypass), fontconfig (SL7: privilege escalation), gimp (SL7: code execution), glibc (SL7: code execution), ipsilon (SL7: information leak/denial of service), kernel (SL7: multiple vulnerabilities, some from 2015, one from 2013), krb5 (SL7: two vulnerabilities), libguestfs and virt-p2v (SL7: information leak from 2015), libreoffice (SL7: two vulnerabilities), libreswan (SL7: denial of service), libvirt (SL7: three vulnerabilities, two from 2015), mariadb (SL7: multiple vulnerabilities), memcached (SL7: three vulnerabilities), mod_nss (SL7: encryption botch), nettle (SL7: multiple vulnerabilities, three from 2015), NetworkManager (SL7: information leak), ntp (SL7: multiple vulnerabilities from 2014 and 2015), openafs (information leak), openssh (SL7: privilege escalation from 2015), pacemaker (SL7: denial of service), pacemaker (SL7: privilege escalation), pcs (SL7: two vulnerabilities), php (SL7: multiple vulnerabilities), poppler (SL7: code execution from 2015), postgresql (SL7: two vulnerabilities), python (SL7: code execution), qemu-kvm (SL7: two vulnerabilities), resteasy-base (SL7: code execution), squid (SL7: multiple vulnerabilities), sudo (SL7&6: two vulnerabilities), sudo (SL7: information disclosure), systemd (SL7: denial of service), thunderbird (code execution), thunderbird (code execution), tomcat (SL7: multiple vulnerabilities, one from 2015), util-linux (SL7: denial of service), and wget (SL7: code execution).

SUSE has updated xen (SLE12: multiple vulnerabilities).

Ubuntu has updated apport (three vulnerabilities).

Kategóriák: Linux

[$] LWN.net Weekly Edition for December 15, 2016

cs, 2016-12-15 02:55
The LWN.net Weekly Edition for December 15, 2016 is available.
Kategóriák: Linux

[$] Adopting DNSSEC

sze, 2016-12-14 21:21
The Domain Name System (DNS) is an amazing technological achievement, but it suffers from a historical excess of trust, which makes it possible for people who rely on it to be lied to. The DNS Security Extensions (formally DNSSEC-bis, more usually just DNSSEC) are a mechanism for including robust trust information within the DNS. Here we discuss briefly what DNSSEC does, how it does it, and how (and whether) you can use it to secure your domains.
Kategóriák: Linux

Krita 3.1 released

sze, 2016-12-14 18:29
Version 3.1 of the Krita image editor is available. "Krita 3.1 is the result of half a year of intense work and contains many new features, performance improvements and bug fixes. It’s now possible to use render animations (using ffmpeg) to gif or various video formats. You can use a curve editor to animate properties. Soft-proofing was added for seeing how your artwork will look in print. A new color picker that allows selecting wide-gamut colors. There is also a new brush engine that paints fast on large canvases, a stop-based gradient editor." See the release notes for more information.
Kategóriák: Linux

Security advisories for Wednesday

sze, 2016-12-14 18:14

Arch Linux has updated firefox (multiple vulnerabilities), linux-zen (denial of service), python-html5lib (cross-site scripting), and python2-html5lib (cross-site scripting).

Debian has updated apt (code execution) and firefox-esr (multiple vulnerabilities).

Debian-LTS has updated chrony (packet modification).

Fedora has updated lxc (F25; F24; F23: directory traversal) and roundcubemail (F24; F23: code execution).

openSUSE has updated gc (Leap42.2, 42.1: code execution), gstreamer-0_10-plugins-bad (Leap42.1, 13.2: code execution), kernel (13.1: privilege escalation), tomcat (Leap42.2; Leap42.1: multiple vulnerabilities), w3m (Leap42.2, 42.1: multiple vulnerabilities), and xen (Leap42.2: multiple vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities) and flash-plugin (RHEL6: multiple vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities) and kernel (SLE12-SP2: privilege escalation).

Ubuntu has updated apt (16.10, 16.04, 14.04: code execution) and firefox (multiple vulnerabilities).

Kategóriák: Linux

[$] AMD's Display Core difficulties

k, 2016-12-13 20:26
Back in 2007, the announcement that AMD intended to reverse its longstanding position and create an upstream driver for its graphics processors was joyfully received by Linux users worldwide. As 2017 approaches, an attempt by AMD to merge a driver for an upcoming graphics chip has been rejected by the kernel's graphics subsystem maintainer — a decision that engendered rather less joy. A look at this discussion reveals a pattern seen many times before; the positions and decisions taken can seem arbitrary to the wider world but they are not without their reasons and will, hopefully, lead to a better kernel in the long run.
Kategóriák: Linux

Nextcloud 11 released

k, 2016-12-13 20:09
Nextcloud 11 has been released with many security and scalability improvements. "Nextcloud 11 introduces Apache Solr powered Full Text Search, enabling users to find words or phrases in text, pdf and common office documents on internal, external, shared and encrypted storage. The next generation Federation technology introduces a central lookup server, enabling Nextcloud users to find each other irrespective of the server their account resides on. The experimental Spreed app integrates secure, peer to peer audio and video chat in Nextcloud."
Kategóriák: Linux

Security advisories for Tuesday

k, 2016-12-13 19:06

Debian has updated php5 (multiple vulnerabilities).

Debian-LTS has updated monit (regression in previous update) and unzip (buffer overflows).

Fedora has updated golang (F25; F24: denial of service), kernel (F25; F24; F23: three vulnerabilities), perl-DBD-MySQL (F25: two vulnerabilities), php-simplesamlphp-saml2 (F25; F24; F23: incorrect signature verification), php-simplesamlphp-saml2_1 (F25; F24; F23: incorrect signature verification), and python-tornado (F24: XSRF protection bypass).

Gentoo has updated SQUASHFS (two code execution flaws from 2012), bash (code execution), botan (two vulnerabilities), elfutils (code execution from 2014), ghostscript-gpl (buffer overflow from 2015), nodejs (multiple vulnerabilities), pixman (code execution), systemd (multiple vulnerabilities from 2013), tigervnc (two vulnerabilities from 2014), webkit-gtk (many vulnerabilities, some from 2014 and 2015), xstream (code execution from 2013), and zabbix (two vulnerabilities).

openSUSE has updated Chromium (multiple vulnerabilities), ImageMagick (Leap42.2; Leap42.1: two vulnerabilities), java-1_7_0-openjdk (Leap42.2, 42.1: multiple vulnerabilities), libass (Leap42.1, 13.2: two vulnerabilities), libgit2 (Leap42.2: two vulnerabilities), pacemaker (Leap42.1: two vulnerabilities), pcre (Leap42.2, 42.1: multiple vulnerabilities, some from 2014 and 2015), perl-DBD-mysql (13.2: use after free), php5 (Leap42.2, 42.1: two vulnerabilities), php7 (Leap42.2: two vulnerabilities), qemu (Leap42.1: multiple vulnerabilities), and util-linux (Leap42.2: denial of service).

Oracle has updated kernel 3.8.13 (OL7; OL6: two vulnerabilities), and kernel 2.6.39 (OL6; OL5: denial of service).

Slackware has updated kernel (privilege escalation), loudmouth (roster push attack), and php (multiple vulnerabilities).

SUSE has updated firefox, nss (SLE11-SP2: multiple vulnerabilities).

Kategóriák: Linux

KDE e.V. Community Report - 2nd Half of 2015

k, 2016-12-13 00:55
KDE e.V. has released its community report for the second half of 2015. "Over nineteen years producing high quality free software, spreading open culture, and creating a thriving community, KDE has become a huge umbrella organization supporting all sorts of FOSS-related projects. As a consequence, an even more inclusive, diverse, and open community has grown, with opportunities we couldn't have envisioned some years ago."
Kategóriák: Linux

Release for CentOS Linux 7 (1611) on x86_64

h, 2016-12-12 21:53
CentOS Linux has released version 7.3-1611 of its Enterprise Linux clone. "This release supersedes all previously released content for CentOS Linux 7, and therefore we highly encourage all users to upgrade their machines. Information on different upgrade strategies and how to handle stale content is included in the Release Notes."
Kategóriák: Linux

Security advisories for Monday

h, 2016-12-12 20:14

Arch Linux has updated kernel (denial of service) and linux-grsec (denial of service).

Debian has updated chromium-browser (multiple vulnerabilities) and icedove (multiple vulnerabilities).

Debian-LTS has updated imagemagick (regression in previous update), jasper (multiple vulnerabilities), and libgsf (denial of service).

Fedora has updated cracklib (F25; F24: code execution), flex (F23: buffer overflow), gd (F25: three vulnerabilities), gstreamer-plugins-bad-free (F25: three vulnerabilities), gstreamer-plugins-base (F25; F24: code execution), gstreamer-plugins-good (F25: multiple vulnerabilities), gstreamer1-plugins-bad-free (F24: three vulnerabilities), gstreamer1-plugins-base (F24: code execution), httpd (F24: denial of service), kernel (F25; F24; F23: three vulnerabilities), libgsf (F25: denial of service), mcabber (F25; F24; F23: roster push attack), mingw-libarchive (F25: three vulnerabilities), openjpeg2 (F25; F24: denial of service), perl-DBD-MySQL (F24: use after free), php-php-gettext (F25; F24: code execution), phpMyAdmin (F24: multiple vulnerabilities), and roundcubemail (F25: code execution).

Gentoo has updated docker (privilege escalation), exfat-utils (two vulnerabilities from 2015), libmms (code execution from 2014), sox (code execution from 2014), and virtualbox (multiple vulnerabilities some from 2014 and 2015).

Mageia has updated python-tornado (XSRF protection bypass) and tomcat (two vulnerabilities).

openSUSE has updated pdns (Leap42.1: denial of service from 2015), subversion (Leap42.2: denial of service), and kernel (Leap42.2; Leap42.1: privilege escalation), kernel (13.1: three vulnerabilities).

SUSE has updated java-1_7_0-ibm (SOSC5, SMP2.1, SM2.1, SLE11-SP3,SP2: multiple vulnerabilities), java-1_8_0-ibm (SLE12-SP2,SP1: multiple vulnerabilities), firefox, nss (SOSC5, SMP2.1, SM2.1, SLE11-SP4,SP3: multiple vulnerabilities), kernel (SLE11-SP4: multiple vulnerabilities), tomcat (SLES12-SP2; SLES12-SP1: multiple vulnerabilities), and xen (SLE12-SP2; SLE12-SP1: multiple vulnerabilities).

Kategóriák: Linux

The 4.9 kernel has been released

v, 2016-12-11 21:55
Linus has released the 4.9 kernel, as expected. Some of the headline features in 4.9 include improved security with virtually mapped kernel stacks, the memory-protection keys system calls, the BBR congestion-control algorithm, support for the Greybus bus architecture, shared extents in the XFS filesystem (which will be used to support lightweight copy operations among other things), and much more. The code name has also been changed to "Roaring Lionus". In the end, 16,216 non-merge changesets were pulled for the 4.9 release, making this development cycle the busiest ever by far.
Kategóriák: Linux

Another set of stable kernel updates

v, 2016-12-11 00:01
The stable kernel machine continues to crank out updates; 4.8.14 and 4.4.38 are now available with another set of important fixes. These include, finally, the fix for CVE-2016-8655, a local-root exploit that has been getting some attention.
Kategóriák: Linux

Security advisories for Friday

p, 2016-12-09 17:26

Arch Linux has updated jasper (multiple vulnerabilities, two from 2015) and linux-zen (code execution).

Debian-LTS has updated roundcube (code execution) and spip (cross-site scripting).

Fedora has updated httpd (F25: denial of service).

Mageia has updated phpmyadmin (multiple vulnerabilities).

openSUSE has updated GraphicsMagick (42.2: multiple vulnerabilities, many from 2014), kernel (13.2: multiple vulnerabilities, two from 2015), and libXfixes (13.2: denial of service).

Red Hat has updated python-XStatic-jquery-ui (RHOSP 9.0; RHOSP 8.0: cross-site scripting), rh-mariadb100-mariadb (RHSC: multiple vulnerabilities), and rh-mariadb101-mariadb (RHSC: multiple vulnerabilities).

SUSE has updated kernel (SLE12: three vulnerabilities).

Ubuntu has updated oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).

Kategóriák: Linux

Stable kernels 4.8.13 and 4.4.37

cs, 2016-12-08 21:36
Greg Kroah-Hartman has announced the release of the 4.8.13 and 4.4.37 stable kernels. As usual, there are fixes throughout the tree and users of those kernel series should upgrade.

Note that the fix for the kernel code execution vulnerability using AF_PACKET sockets (also known as CVE-2016-8655) has not made it into these stable kernels. Those running systemd may want to check Lennart Poettering's blog post on how to mitigate the problem for services started by systemd.

Kategóriák: Linux

Remembering a friend: Matthew Williams (Fedora Community Blog)

cs, 2016-12-08 19:15
Over at the Fedora Community Blog, Brian Proffitt writes about Fedora member Matthew Williams who passed away recently from cancer. "Matthew’s passion to constantly improve the software and hardware with which he worked created a tireless advocate for the Fedora Project, and his presence was felt at conferences across the nation: SCaLE, Ohio LinuxFest, and the former Indiana LinuxFest, an Indianapolis-based event that he helped found. Matthew also devoted time to interviewing and archiving notable figures in the free and open source software communities to learn what drove people to work on their projects. He was also very driven to share what he knew, launching the Open FOSS training site in 2015 to help new Linux users with getting involved with any Linux distribution. While he was active in the Fedora community, Matthew was also very involved with Ubuntu as well."
Kategóriák: Linux

Thursday's security updates

cs, 2016-12-08 18:00

Debian has updated xen (multiple vulnerabilities).

Debian-LTS has updated gst-plugins-bad0.10 (code execution) and gst-plugins-base0.10 (code execution).

Fedora has updated memcached (F25: three vulnerabilities), ntp (F25; F24; F23: multiple vulnerabilities), php-php-gettext (F23: code execution), and phpMyAdmin (F23: multiple vulnerabilities).

Gentoo has updated binutils (multiple vulnerabilities from 2014), coreutils (code execution from 2014), cracklib (code execution), jq (code execution from 2015), openjpeg (multiple vulnerabilities, one from 2015), socat (encryption botch), and sqlite (code execution from 2015).

Mageia has updated kernel (multiple vulnerabilities) and ntp (multiple vulnerabilities).

openSUSE has updated kernel (42.2; 42.1: multiple vulnerabilities, some from 2015).

Oracle has updated kernel 4.1.12 (OL7; OL6: two vulnerabilities).

Red Hat has updated atomic-openshift (RHOSCP 3.3, 3.2, 3.1:), chromium-browser (RHEL6: many vulnerabilities), and openstack-cinder and openstack-glance (RHOSP 9.0: denial of service from 2015).

SUSE has updated firefox (SLE12: code execution), java-1_6_0-ibm (SLE11: multiple vulnerabilities), java-1_7_1-ibm (SLE12; SLE11: multiple vulnerabilities), kernel (SLE12: three vulnerabilities), and xen (SLE11: multiple vulnerabilities).

Ubuntu has updated openjdk-6 (12.04: multiple vulnerabilities).

Kategóriák: Linux

[$] LWN.net Weekly Edition for December 8, 2016

cs, 2016-12-08 02:15
The LWN.net Weekly Edition for December 8, 2016 is available.
Kategóriák: Linux

Security updates for Friday

p, 2016-11-18 17:10

Debian has updated drupal7 (multiple vulnerabilities) and gst-plugins-bad1.0 (code execution).

Debian-LTS has updated akonadi (denial of service) and curl (multiple vulnerabilities).

Mageia has updated derby (information leak), dracut (information leak), gnuchess (code execution from 2015), irssi (information leak), libtiff (multiple vulnerabilities), memcached (three code execution flaws), python-pillow (two vulnerabilities), resteasy (code execution), sudo (privilege escalation), systemd (denial of service), tar (file overwrite), and wireshark (multiple vulnerabilities).

openSUSE has updated ghostscript (42.1: regression in previous security update), GraphicsMagick (42.1, 13.2: denial of service), ImageMagick (13.2: denial of service), jasper (42.2, 42.1: multiple vulnerabilities, some from 2015, 2014, and 2008), memcached (42.2; 42.1, 13.2: three code execution flaws), otrs (42.2, 13.2:), php5 (42.2; 42.1: three vulnerabilities), and util-linux (42.1: denial of service).

Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities).

Kategóriák: Linux