Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

The first CyanogenMod 13.0 release

Wed, 2016-03-16 08:52
The CyanogenMod Android distribution has finally moved into the "Marshmallow" era with CM13.0 Release 1. "We left the M release builds in the oven longer than we thought, but nothing a little graham cracker and chocolate can’t make that much better. CM13.0 brings Android 6.0.1 (r17) goodies such as the battery saving ‘doze’ functionality and new permissions model, alongside the CM features you’d expect." Other changes include the removal of WhisperPush, the removal of the "quick unlock" feature, a switch to the standard Android messaging app, a new "Snap" camera app, and more.
Categories: Linux

Security updates for Tuesday

Tue, 2016-03-15 18:20

Arch Linux has updated dropbear (information disclosure).

openSUSE has updated python-Pillow (Leap42.1, 13.2: denial of service) and webkit2gtk3 (Leap42.1: multiple vulnerabilities).

Red Hat has updated samba (RHEL6,7: arbitrary file access) and samba4 (RHEL6: arbitrary file access).

SUSE has updated bind (SLE12-SP1: multiple vulnerabilities), sles12sp1-docker-image (SLEM12: multiple vulnerabilities), and tomcat (SLES12-SP1: multiple vulnerabilities).

Ubuntu has updated exim4 (two vulnerabilities), kernel (15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: code execution).


NetDev 1.1 videos now available

Tue, 2016-03-15 16:31
Videos from the NetDev 1.1 conference are now available on YouTube. "It took us a while to edit and to upload these ~100 Gbytes of videos, so thanks for your patience." LWN covered several sessions from this event.

A (nearly) mainline kernel running on the Nexus 7

Tue, 2016-03-15 10:26
As was discussed at the 2015 Kernel Summit, there are essentially no commercial Android devices running mainline kernels. At the recently concluded Linaro Connect event, though, John Stultz demonstrated a Nexus 7 tablet running mainline with just a few patches. It even has accelerated graphics via the freedreno driver. "This is really great, because we now have a very-close to mainline test bed on an actual consumer device. So we can make sure upstream doesn't introduce any regressions (just recently, two ABI breaks that affected android were recently caught) and allows us to make sure when we push Android functionality upstream, that any interface changes required by maintainers can be properly tested to make sure what lands upstream really works."

Graber: LXD 2.0: Introduction to LXD

Tue, 2016-03-15 00:45
Stéphane Graber provides an introduction to LXD. "LXD focuses on system containers, also called infrastructure containers. That is, a LXD container runs a full Linux system, exactly as it would be when run on metal or in a VM. Those containers will typically be long running and based on a clean distribution image. Traditional configuration management tools and deployment tools can be used with LXD containers exactly as you would use them for a VM, cloud instance or physical machine."

Monday's security advisories

Mon, 2016-03-14 20:28

Arch Linux has updated bind (multiple vulnerabilities), openssh (command injection), pcre (code execution), pidgin-otr (code execution), wireshark-cli (multiple dissector crashes), wireshark-gtk (multiple dissector crashes), and wireshark-qt (multiple dissector crashes).

Debian has updated exim4 (privilege escalation), graphite2 (multiple vulnerabilities), samba (two vulnerabilities), and wireshark (multiple dissector crashes).

Fedora has updated bind (F23: multiple vulnerabilities), exim (F23; F22: privilege escalation), kernel (F22: denial of service), libssh (F22: insecure ssh sessions), openssh (F23: command injection), openssl (F22: multiple vulnerabilities), perl (F22: ambiguous environment), php (F22: multiple vulnerabilities), php-htmLawed (F22: unspecified vulnerability), php-udan11-sql-parser (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), and samba (F23; F22: incorrect ACL get/set allowed on symlink path).

Gentoo has updated chromium (many vulnerabilities), ffmpeg (many vulnerabilities), flash-player (multiple vulnerabilities), flightgear (two vulnerabilities from 2012), icedtea (multiple vulnerabilities), libreswan (denial of service), oracle-jre-bin (multiple vulnerabilities), qtgui (multiple vulnerabilities), and vlc (multiple vulnerabilities).

openSUSE has updated Adobe (13.1: multiple vulnerabilities), Chromium (13.2: multiple vulnerabilities), Firefox (13.1: multiple vulnerabilities), libotr,libotr2 (13.1: code execution), and firefox (Leap42.1, 13.2: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities) and openstack-heat (RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: denial of service).

SUSE has updated firefox, nss, nspr (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated graphite2 (15.10, 14.04: multiple vulnerabilities).


The 4.5 kernel has been released

Mon, 2016-03-14 09:34
Linus has released the 4.5 kernel. "So this is later on a Sunday than my usual schedule, because I just couldn't make up my mind whether I should do another rc8 or not, and kept just waffling about it. In the end, I obviously decided not to, but it could have gone either way." Some of the headline features from the development cycle are dm-verity forward error correction, optional mandatory locking, the new copy_file_range() system call, the SOCK_DESTROY operation, another set of persistent-memory improvements, extended address-space layout randomization on 32-bit systems, the MADV_FREE option for madvise(), the UBSAN checker tool, some extensions to epoll_wait(), project quotas for the ext4 filesystem, and more.

Catanzaro: Do you trust this application?

Sun, 2016-03-13 12:40
Michael Catanzaro laments the poor level of security provided by free-software applications, focusing on TLS verification issues in particular. "In the case of Shotwell, the issue has been fixed in git, but it might never be released because nobody works on Shotwell anymore. I informed distributors of the Shotwell vulnerability three months ago via the GNOME distributor list, our official mechanism for communicating with distributions, and advised them to update to a git snapshot. Most distributions ignored it. This is completely typical; to my knowledge, the stable releases of all Linux distributions except Fedora are still vulnerable."

TP-Link blocks open source router firmware to comply with new FCC rule (ars technica)

Sat, 2016-03-12 08:54
Ars technica reports that TP-Link will block the loading of third-party firmware on its routers, citing new US Federal Communications Commission rules. "The FCC says it doesn't intend to ban the use of third-party firmware such as DD-WRT and OpenWRT; in theory, router makers can still allow loading of open source firmware as long as they also deploy controls that prevent devices from operating outside their allowed frequencies, types of modulation, power levels, and so on. But open source users feared that hardware makers would lock third-party firmware out entirely, since that would be the easiest way to comply with the FCC requirements."

FSF: A preliminary analysis of High Priority Projects feedback

Sat, 2016-03-12 01:58

The Free Software Foundation (FSF) has posted an initial analysis of the public feedback submitted in response to its call for suggestions about what software projects deserve to be on the high-priority projects list. Several of the existing projects on the list are likely to be removed, such as a replacement for Google Earth and an automatic-transcription application. Multiple potential additions to the list are also described, such as a free-software "Siri"-like personal assistant and a free-software implementation of advanced PDF features. Further input is welcome; the page notes that the FSF "will strive to recommend projects that are actionable. Such projects document ways for members of the free software community to get involved and make the project succeed, with any kind of concrete contributions, from money donation, to code patches, advocacy, etc."


Friday's security updates

Fri, 2016-03-11 17:57

Arch Linux has updated flashplugin (multiple vulnerabilities) and lib32-flashplugin (multiple vulnerabilities).

CentOS has updated libssh2 (C6; C7: insecure ssh sessions) and xerces-c (C7: code execution).

Fedora has updated firefox (F23: multiple vulnerabilities), kernel (F23: denial of service), and php-htmLawed (F23: unspecified vulnerability).

Mageia has updated bind (M5: multiple vulnerabilities), flash-player-plugin (M5: multiple vulnerabilities), openssh (M5: command injection), php/timezone/php-timezonedb (M5: multiple vulnerabilities), and samba (M5: ACL ownership overwrite).

openSUSE has updated Adobe Flash Player (13.2: multiple vulnerabilities), exim (13.2, Leap 42.1: privilege escalation), libssh (Leap 42.1: insecure ssh sessions), and openssl (Leap 42.1: multiple vulnerabilities).

Oracle has updated libssh2 (O6: insecure ssh sessions) and xerces-c (O7: code execution).

Red Hat has updated xerces-c (RHEL7: code execution).

Scientific Linux has updated libssh2 (SL 6,7: insecure ssh sessions) and xerces-c (SL7: code execution).

Slackware has updated openssh (command injection).

SUSE has updated flash-player (SLE12; SLE11: multiple vulnerabilities).

Ubuntu has updated libotr (12.04: denial of service).


A policy statement on open-source software from the White House

Fri, 2016-03-11 01:44

The White House has announced a draft policy addressing how the U.S. federal government will share and release custom software. "This policy requires that, among other things: (1) new custom code whose development is paid for by the Federal Government be made available for reuse across Federal agencies; and (2) a portion of that new custom code be released to the public as Open Source Software (OSS)."

The full policy document is available at sourcecode.cio.gov, where it has been made available for public comment. The relevant passage regarding public source releases begins by outlining a pilot program. "Each covered agency shall release at least 20 percent of its newly-developed custom code each year as OSS. Custom code is defined as code for all custom software projects, modules, and add-ons that are self-contained. [...] Although the minimum requirement for OSS release is 20 percent of custom code, covered agencies are strongly encouraged to publish as much custom-developed code as possible to further the Federal Government’s commitment to transparency, participation, and collaboration."


Thursday's security updates

Thu, 2016-03-10 19:31

Arch Linux has updated bind (denial of service), chromium (multiple vulnerabilities), exim (privilege escalation), firefox (multiple vulnerabilities), libotr (code execution), and perl (ambiguous environment).

Debian has updated bind9 (multiple vulnerabilities), chromium-browser (multiple vulnerabilities), iceweasel (multiple vulnerabilities), libotr (code execution), and rails (multiple vulnerabilities).

Fedora has updated 389-ds-base (F22; F23: denial of service), community-mysql (F22; F23: multiple vulnerabilities), drupal7 (F22; F23: multiple vulnerabilities), gummi (F22; F23: predictable filenames in /tmp), libmodbus (F22; F23: buffer overflow), libssh2 (F22: insecure ssh sessions), php-udan11-sql-parser (F23: multiple vulnerabilities), phpMyAdmin (F23: multiple vulnerabilities), and qpid-cpp (F23: multiple vulnerabilities).

Gentoo has updated fuse (privilege escalation) and libreoffice (multiple vulnerabilities).

Mageia has updated firefox (M5: multiple vulnerabilities), libvirt (M5: privilege escalation), and pigz (M5: directory traversal).

openSUSE has updated libotr,libotr2 (13.2, Leap 42.1: code execution), OpenVPN (13.2: multiple vulnerabilities), and php5 (13.2: stack overflow).

Oracle has updated firefox (O5; O7; O6: multiple vulnerabilities), libssh2 (O7: insecure ssh sessions), nss-util (O6: code execution), and openssl098e (O6: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and libssh2 (RHEL 6,7: insecure ssh sessions).

Slackware has updated bind (multiple vulnerabilities) and mozilla (14.0, 14.1, current: ).

Ubuntu has updated bind9 (12.04, 14.04, 15.10: denial of service) and nss (12.04, 14.04, 15.10: denial of service).


Another set of stable kernel updates

Thu, 2016-03-10 16:38
The 4.4.5, 3.14.64, and 3.10.100 stable kernel updates have been released; each contains the usual set of important fixes.

[$] LWN.net Weekly Edition for March 10, 2016

Thu, 2016-03-10 02:26
The LWN.net Weekly Edition for March 10, 2016 is available.

[$] Outreachy: an intern's perspective

Wed, 2016-03-09 21:05
Last year, guest author Linda Jacobson participated as an intern in the Outreachy program. She shares her experiences along with those of other participants in this project that is targeted at helping to increase diversity in the open-source world.


Firefox 45.0 released

Wed, 2016-03-09 20:17
Firefox 45.0 has been released. This release features instant browser tab sharing through Hello, tabs synced via Firefox Accounts from other devices shown in the dropdown area of the Awesome Bar when searching, a Synced Tabs button in the button bar, a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level, and more. See the release notes for details.

Security advisories for Wednesday

Wed, 2016-03-09 19:32

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), nss (C5: code execution), nss-util (C7; C6: code execution), and openssl098e (C7; C6: multiple vulnerabilities).

Gentoo has updated roundcube (two vulnerabilities).

Oracle has updated nss (OL5: code execution), nss-util (OL7: code execution), and openssl098e (OL7: two vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), nss (RHEL5: code execution), nss-util (RHEL6,7: code execution), openssl098e (RHEL6,7: multiple vulnerabilities), openstack-nova (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: information exposure), and rabbitmq-server (RHELOSP7 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: two vulnerabilities).

Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities), nss (SL5: code execution), nss-util (SL6,7: code execution), and openssl098e (SL6,7: multiple vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities) and samba (two vulnerabilities).

SUSE has updated bsh2 (SLESDK12-SP1; SLESDK11-SP4: code execution).

Ubuntu has updated firefox (multiple vulnerabilities).


LLVM 3.8 released

Wed, 2016-03-09 17:29
Version 3.8 of the LLVM compiler suite has been released. "This release contains the work of the LLVM community over the past six months: deprecated autoconf build, shrink-wrapping on by default, overhauled MSVC-compatible exception handling, updated Kaleidoscope tutorial, emutls, OpenMP supported by default, as well as improved optimizations, many bug fixes, and more." See the LLVM release notes and the Clang release notes for lots of details.

When selling a site means selling a community (Opensource.com)

Tue, 2016-03-08 23:35
In the first of two parts Opensource.com talks with Frank Karlitschek about the sale of his network of more than 30 community sites to Blue Systems. "Although he doesn't know much about the future plans Blue Systems has for the websites, Karlitschek says the new owner is interested in continuing to run the websites and develop them in a direction that makes sense for the users and the ecosystem."

Part 2 looks at the SourceForge and Slashdot communities and how the different owners have interacted with them. "[Logan] Abbott got off on the right foot with open source developers with his SourceForge post in early February, SourceForge Acquisition and Future Plans. "Our first order of business was to terminate the 'DevShare' program," he wrote. " ... We want to restore our reputation as a trusted home for open source software, and this was a clear first step towards that. We're more interested in doing the right thing than making extra short-term profit," he added."
