Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 3 weeks 1 day ago
On the Red Hat Security Blog, Ilya Etingof describes some traps for the unwary in Python, some that have security implications. "Being easy to pick up and progress quickly towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. Though apparent language clarity and friendliness could lull the vigilance of software engineers and system administrators -- luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked at; experienced developers may well be aware of the peculiarities that follow." (Thanks to Paul Wise.)
Red Hat has updated Kibana (RHOS3: two vulnerabilities).
Scientific Linux has updated thunderbird (multiple vulnerabilities).
SUSE has updated java-1_7_1-ibm (SLE11: three unspecified vulnerabilities).
Concerns about the viability of the Apache OpenOffice (AOO) project are not new; they had been in the air for a while by the time LWN looked at the project's development activity in early 2015. Since then, though, the worries have grown more pronounced, especially after AOO's recent failure to produce a release with an important security fix nearly one year after being notified of the vulnerability. The result is an internal discussion on whether the project should be "retired," or whether it will find a way to turn its fortunes around.
At GUADEC 2016 in Karlsruhe, Germany, Jonathan Blandford challenged the GNOME project to rethink how its desktop software uses network access. The GNOME desktop assumes Internet connectivity is always available, which has the side effect of making the software stack considerably less useful and, indeed, usable to people who live in those places regarded as the developing world.
Last Monday was the Labor Day holiday in the US, so the LWN crew took the day off to celebrate. As a result, the weekly edition will be published one day late this week. It will be available on Friday, sometime shortly after midnight UTC.
Stable kernels 4.7.3, 4.4.20, and 3.14.78 have been released with the usual set of important fixes. There will be one more 3.14.x kernel release before this kernel series hits its end-of-life.
Debian has updated charybdis (incorrect SASL authentication).
Debian-LTS has updated libtomcrypt (signature forgery).
SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).
Git 2.10 has been released, with lots of updates to the user interface and workflows, performance enhancements, and much more. See the announcement for details.
LWN previously reported that Gmane creator and maintainer Lars Magne Ingebrigtsen shut down the website and was contemplating shutting down the service entirely. Martin Danko now reports that Gmane has a new maintainer. "I petitioned some of our directors to allow us to offer to take it over and in the end we entered into agreement with Lars to take over Gmane. The assets of Gmane have been placed into a UK company Gmane Ltd. As part of the agreement, we have received the INN spool with all the articles but none of the code that drives the site. We've started rebuilding parts of the site just to get it back online; it's not perfect and there are pieces missing, but we're working on building all the functionality back into the site." (Thanks to Brian Thomas.)
Arch Linux has updated thunderbird (code execution).
Fedora has updated ca-certificates (F23: certificate update), ganglia (F24; F23: cross-site scripting), glibc (F23: denial of service), kernel (F24; F23: two vulnerabilities), lcms2 (F23: heap memory leak), and phpMyAdmin (F24: multiple vulnerabilities).
Scientific Linux has updated ipa (SL6,7: denial of service).
SUSE has updated kernel (SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities).
Version 3.9 of the LLVM compiler suite is out. "This release is the result of the LLVM community's work over the past six months, including ThinLTO, new libstdc++ ABI compatibility, support for all OpenCL 2.0 and all non-offloading OpenMP 4.5 features, clang-include-fixer, many new clang-tidy checks, significantly improved ELF linking with lld, identical code folding and initial LTO support in lld, as well as improved optimization, many bug fixes and more."
The announcement of a project to develop the "Kool Desktop Environment" went out on October 14, 1996. As the 20th anniversary of that announcement approaches, the KDE project is celebrating with a project timeline and a 20 Years of KDE book. "This book presents 37 stories about the technical, social and cultural aspects that shaped the way the KDE community operates today. It has been written as part of the 20th anniversary of KDE. From community founders and veterans to newcomers, with insights from different perspectives and points of view, the book provides you with a thrilling trip through the history of such an amazing geek family."
The 4.8-rc5 kernel prepatch is available for testing. "So rc5 is noticeably bigger than rc4 was, and my hope last week that we were starting to calm down and shrink the releases seems to have been premature. [...] Not that any of this looks worrisome per se, but if things don't start calming down from now, this may be one of those releases that will need an rc8. We'll see."
The Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.
Debian has updated libidn (multiple vulnerabilities).
Debian-LTS has updated mailman (password disclosure).
Fedora has updated canl-c (F24; F23: proxy manipulation), krb5 (F23: denial of service), libksba (F24: denial of service), openvpn (F23: information disclosure), tomcat (F24; F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities).
openSUSE has updated karchive (SLE12: command execution).
The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. "[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers."
Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In response to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is that the PMC has been requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.)
Also of interest is this note on how the handling of CVE-2016-1513 went.
OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. Also in this release, new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.
Debian-LTS has updated cacti (authentication bypass).
Red Hat has updated ipa (RHEL 6,7: denial of service).
Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).
Here's a lengthy Ars Technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."