Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 20 perc 24 másodperc

Security updates for Wednesday

sze, 2016-07-20 18:42

Debian has updated apache2 (HTTP redirect).

Debian-LTS has updated apache2 (HTTP redirect).

Fedora has updated ecryptfs-utils (F24: two vulnerabilities), kernel (F24; F23: multiple vulnerabilities), php-doctrine-orm (F24; F23: privilege escalation), and spice (F24: two vulnerabilities).

Gentoo has updated ansible (code execution), arpwatch (privilege escalation from 2012), bugzilla (multiple vulnerabilities from 2014), commons-beanutils (code execution from 2014), dropbear (information disclosure), exim (code execution from 2014), libbsd (denial of service), ntp (many vulnerabilities), and varnish (access control bypass).

openSUSE has updated ImageMagick (Leap42.1: many vulnerabilities), nodejs (Leap42.1, 13.2: buffer overflow), and samba (13.2: crypto downgrade).

Red Hat has updated java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated python-django (16.04: cross-site scripting).

Kategóriák: Linux

Tor veteran Lucky Green exits, torpedos critical 'Tonga' node and relays (The Register)

k, 2016-07-19 23:17
The Register reports that longtime Tor contributor Lucky Green is quitting and closing down the node and bridge authority he operates. "Practically, it's a big deal. Bridge Authorities are part of the infrastructure that lets users get around some ISP-level blocks on the network (not, however, defeating deep packet inspection). They're also incorporated in the Tor code, meaning that to remove a Bridge Authority is going to need an update." The shutdown is scheduled for August 31. (Thanks to Nomen Nescio)
Kategóriák: Linux

The Importance of Following Community-Oriented Principles in GPL Enforcement Work

k, 2016-07-19 22:55
The Software Freedom Conservancy is one of the few organizations involved in GPL enforcement, and it has published principles regarding enforcement practices that seek compliance and not financial penalties. Bradley Kuhn and Karen Sandler urge others doing GPL enforcement to follow principles set forth by the SFC. "One impetus in drafting the Principles was our discovery of ongoing enforcement efforts that did not fit with the GPL enforcement community traditions and norms established for the last two decades. Publishing the previously unwritten guidelines has quickly separated the wheat from the chaff. Specifically, we remain aware of multiple non-community-oriented GPL enforcement efforts, where none of those engaged in these efforts have endorsed our principles nor pledged to abide by them. These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years." The actions of one individual prompted the netfilter project to make a statement endorsing the principles, which we covered earlier this month.
Kategóriák: Linux

Qt WebBrowser 1.0

k, 2016-07-19 20:46
Version 1.0 of the QtWebBrowser has been released. Qt WebBrowser is a browser for embedded devices developed using the capabilities of Qt and Qt WebEngine. "The browser is optimized for embedded touch displays (running Linux), but you can play with it on the desktop platforms, too! Just make sure that you have Qt WebEngine, Qt Quick, and Qt VirtualKeyboard installed (version 5.7 or newer). For optimal performance on embedded devices you should plan for hardware-accelerated OpenGL, and around 1 GiByte of memory for the whole system. Anyhow, depending on your system configuration and the pages to be supported there is room for optimization."
Kategóriák: Linux

Security advisories for Tuesday

k, 2016-07-19 17:48

CentOS has updated httpd (C7; C6; C5: HTTP redirect).

Debian has updated mysql-connector-java (information disclosure) and python-django (cross-site scripting).

Fedora has updated dnsmasq (F24: denial of service), gd (F23: two vulnerabilities), kernel (F22: multiple vulnerabilities), mingw-openjpeg2 (F24; F23: multiple vulnerabilities), pagure (F24: unspecified), pdfbox (F24: XML External Entity (XXE) attacks), perl (F24; F23: code execution), and tcpreplay (F24; F23: denial of service).

Mageia has updated imagemagick (three vulnerabilities).

openSUSE has updated apache2 (Leap42.1, 13.2: HTTP redirect).

Oracle has updated httpd (OL7; OL6; OL5: HTTP redirect).

Red Hat has updated httpd (RHEL7; RHEL5,6: HTTP redirect) and httpd24-httpd (RHSCL: two vulnerabilities).

Scientific Linux has updated httpd (SL7; SL5,6: HTTP redirect) and kernel (SL6: privilege escalation).

Ubuntu has updated apache2 (HTTP redirect) and thunderbird (two vulnerabilities).

Kategóriák: Linux

How (and why) FreeDOS keeps DOS alive (ComputerWorld)

k, 2016-07-19 00:49
ComputerWorld talks with Jim Hall, a contributor to FreeDOS. "FreeDOS (it was originally dubbed ‘PD-DOS’ for ‘Public Domain DOS’, but the name was changed to reflect that it’s actually released under the GNU General Public License) dates back to June 1994, meaning it is just over 22 years old — a formidable lifespan compared to many open source projects. “And if you consider the DOS platform, MS-DOS 1.0 dates back to 1981, ‘DOS’ as an operating system has been around for 35 years! That’s not too shabby,” Hall said. (Version 1.0 of MS-DOS — then marketed by IBM as PC DOS — was released in August 1981.)" (Thanks to Paul Wise)
Kategóriák: Linux

Security advisories for Monday

h, 2016-07-18 18:24

Arch Linux has updated flashplugin (multiple vulnerabilities), gimp (use-after-free), and lib32-flashplugin (multiple vulnerabilities).

Debian has updated libgd2 (multiple vulnerabilities) and pidgin (multiple vulnerabilities).

Debian-LTS has updated binutils (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), and ruby-eventmachine (denial of service).

Fedora has updated gimp (F22: use-after-free), httpd (F23: authentication bypass), openjpeg2 (F23: multiple vulnerabilities), perl (F22: code execution), python (F23: denial of service), python3 (F23: denial of service), samba (F23: crypto downgrade), and sudo (F23; F22: race condition).

Gentoo has updated cacti (multiple vulnerabilities), chromium (multiple vulnerabilities), cups (code execution), and gd (multiple vulnerabilities).

Kategóriák: Linux

Ubuntu forums compromised

szo, 2016-07-16 01:20
Canonical has disclosed that the Ubuntu forum system has been compromised. "The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table. They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed."
Kategóriák: Linux

Notes from the fourth RISC-V workshop

szo, 2016-07-16 00:16

The lowRISC project, which is an effort to develop a fully open-source, Linux-powered system-on-chip based on the RISC-V architecture, has published notes from the fourth RISC-V workshop. Notably, the post explains, the members of the RISC-V foundation voted to keep the RISC-V instruction-set architecture (ISA) and related standards open and license-free to all parties. There are also accounts included of the work on RISC-V interrupts, heterogeneous multicore RISC-V processors, support for non-volatile memory, and Debian's RISC-V port.

Kategóriák: Linux

Friday's security updates

p, 2016-07-15 17:21

Debian has updated php5 (multiple vulnerabilities).

Debian-LTS has updated clamav (fix for previously released update) and drupal7 (privilege escalation).

Fedora has updated openjpeg2 (F24: multiple vulnerabilities) and sqlite (F24: information leak).

Mageia has updated graphicsmagick (M5: multiple vulnerabilities), pdfbox (M5: XML External Entity (XEE) attack), sqlite3 (M5: information leak:), thunderbird (M5: multiple vulnerabilities), and util-linux (M5: denial of service).

openSUSE has updated flash-player (13.1: multiple vulnerabilities), LibreOffice (Leap 42.1: multiple vulnerabilities), libvirt (13.2; Leap 42.1: authentication bypass), and xerces-c (13.2: multiple vulnerabilities).

Red Hat has updated atomic-openshift (RHOSE 3.2: information leak).

Ubuntu has updated ecryptfs-utils (15.10, 16.04: information leak), kernel (14.04; 15.10: denial of service), libarchive (12.04, 14.04, 15.10, 16.04: code execution), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-lts-wily (14.04: denial of service), and linux-raspi2 (15.10: denial of service).

Kategóriák: Linux

Automotive Grade Linux Releases 2.0 Spec Amid Growing Support (Linux.com)

cs, 2016-07-14 23:39
Over at Linux.com, Eric Brown writes about the release of Automotive Grade Linux (AGL) Unified Code Base (UCB) 2.0 for in-vehicle infotainment (IVI) systems. "The latest version adds features like audio routing, rear seat display support, the beginnings of an app platform, and new development boards including the DragonBoard, Wandboard, and Raspberry Pi. AGL’s Yocto Project derived UCB distro, which is also based on part on the GENIVI and Tizen automotive specs, was first released in January. UCB 1.0 followed an experimental AGL stack in 2014 and an AGL Requirements Specification in June, 2015. UCB is scheduled for a 3.0 release in early 2017, at which point some automotive manufacturers will finally use it in production cars. Most of the IVI software will be based on UCB, but carmakers can also differentiate with their own features." We looked at AGL UCB 1.0 back in January.
Kategóriák: Linux

Security advisories for Thursday

cs, 2016-07-14 16:23

Fedora has updated gnutls (F23: certificate verification botch).

Gentoo has updated flash (many vulnerabilities).

openSUSE has updated flash-player (13.2: many vulnerabilities) and kernel (42.1: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL 5↦6: many vulnerabilities) and rh-nginx18-nginx (RHSC: multiple vulnerabilities).

SUSE has updated MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss (SLE11: multiple vulnerabilities).

Kategóriák: Linux

[$] LWN.net Weekly Edition for July 14, 2016

cs, 2016-07-14 03:11
The LWN.net Weekly Edition for July 14, 2016 is available.
Kategóriák: Linux

Tor Project Elects All-New Board of Directors

sze, 2016-07-13 21:39
The Tor Project has announced a new board of directors. "As Tor's board of directors, we consider it our duty to ensure that the Tor Project has the best possible leadership. The importance of Tor's mission requires it; the public standing of the organization makes it possible; and we are committed to achieve it. We had that duty in mind when we conducted an Executive Director search last year, and appreciate the leadership Shari Steele has brought. To support her, we further believe that it is time that we pass the baton of board oversight as the Tor Project moves into its second decade of operations."
Kategóriák: Linux

Security updates for Wednesday

sze, 2016-07-13 17:47

CentOS has updated kernel (C6: privilege escalation).

Fedora has updated python (F24: heap corruption), python3 (F24: heap corruption), and squid (F24; F23: multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

Oracle has updated kernel (OL6: privilege escalation).

Red Hat has updated kernel (RHEL7: denial of service) and kernel (RHEL6: privilege escalation).

Scientific Linux has updated thunderbird (SL5,6,7: code execution).

Ubuntu has updated pidgin (15.10, 14.04, 12.04: multiple vulnerabilities).

Kategóriák: Linux

SPI 2015 Annual Report

sze, 2016-07-13 01:18
Software in the Public Interest has announced its 2015 Annual Report (PDF), covering the 2015 calendar year. The annual report covers SPI's finances, elections, board members, committees, associated projects, and other significant changes throughout the year.
Kategóriák: Linux

Herman: Shipping Rust in Firefox

k, 2016-07-12 22:14
Dave Herman reports that with Firefox 48, Mozilla will ship its first Rust component to all desktop platforms. "One of the first groups at Mozilla to make use of Rust was the Media Playback team. Now, it’s certainly easy to see that media is at the heart of the modern Web experience. What may be less obvious to the non-paranoid is that every time a browser plays a seemingly innocuous video (say, a chameleon popping bubbles), it’s reading data delivered in a complex format and created by someone you don’t know and don’t trust. And as it turns out, media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in Web browsers’ implementation code. This makes a memory-safe programming language like Rust a compelling addition to Mozilla’s tool-chest for protecting against potentially malicious media content on the Web."
Kategóriák: Linux

Tuesday's security advisories

k, 2016-07-12 18:19

CentOS has updated thunderbird (C7; C6; C5: code execution).

Debian-LTS has updated drupal7 (open redirect vulnerability) and graphicsmagick (two vulnerabilities).

Fedora has updated expat (F22: multiple vulnerabilities), gnutls (F24: certificate verification vulnerability), gsi-openssh (F24: support GSI authentication), httpd (F24: authentication bypass), krb5 (F22: buffer overflow), mbedtls (F23: three vulnerabilities), pdfbox (F23: XML External Entity (XXE) attacks), pypy3 (F23; F22: two vulnerabilities), python (F22: startTLS stripping attack), python3 (F22: startTLS stripping attack), and samba (F24: crypto downgrade).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Ubuntu has updated libgd2 (multiple vulnerabilities), nspr (denial of service), and nss (denial of service).

Kategóriák: Linux

Gräßlin: Multi-screen woes in Plasma 5.7

k, 2016-07-12 01:22
On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. "Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put it’s panels, but does not have any meaning for normal windows. Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screen”. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it. Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry."
Kategóriák: Linux

Two new stable kernels

h, 2016-07-11 22:12
Greg Kroah-Hartman has released stable kernels 4.6.4 and 4.4.15. Both of them contain important fixes.
Kategóriák: Linux