Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security updates

Fri, 2014-05-16 19:23

Debian has updated ruby-actionpack-3.2 (multiple vulnerabilities).

Fedora has updated kernel (F20: multiple vulnerabilities), mariadb-galera (F20: multiple vulnerabilities), and qemu (F20: multiple vulnerabilities).

Gentoo has updated clamav (multiple vulnerabilities).

Mandriva has updated couchdb (BS1: denial of service), cups (BS1: cross-site scripting; ES5: multiple vulnerabilities), dovecot (BS1, ES5: denial of service), java-1.7.0-openjdk (BS1: multiple vulnerabilities), libvirt (BS1: multiple vulnerabilities), mariadb (BS1: multiple vulnerabilities), nagios (BS1, ES5: denial of service), openssl (BS1: denial of service), owncloud (BS1: multiple unspecified vulnerabilities), python-jinja2 (BS1: code execution), rawtherapee (BS1: denial of service), rxvt-unicode (BS1: denial of service), and struts (BS1, ES5: code execution).

openSUSE has updated chromium (12.3; 13.1: multiple vulnerabilities).

Red Hat has updated java-1.5.0-ibm (multiple vulnerabilities), java-1.6.0-ibm (multiple vulnerabilities), and ruby193-rubygem-actionpack (RHSC1: information leak).

SUSE has updated Linux Kernel (multiple vulnerabilities) and Mozilla Firefox (SLES11 SP1; SLES11 SP2: multiple vulnerabilities).

Ubuntu has updated dovecot (denial of service) and libxml2 (denial of service).

Categories: Linux

Venturi: The browser is dead. Long live the browser!

Fri, 2014-05-16 01:17
While the title might make it seem like another comment on the Mozilla/DRM issue, the article by Giorgio Venturi on the Canonical Design blog is actually about redesigning the browser interface for mobile phones. "If content is our king, then recency should be our queen. [...] Similarly, bookmarks are often a meaningless list of webpages, as their value was linked to the specific time when they were taken. For example, let’s imagine we are planning our next holiday and we start bookmarking a few interesting places. We may even create a new ‘holidays’ folder and add the bookmarks to it. However, once the holiday is [over] the bookmarks are still there, they don’t expire once they have lost their value. This happens pretty much every time; old bookmarks and folders will eventually start cluttering our screen and make it difficult to find the information we need. Therefore we redesigned tabs, history and bookmarks to display the most recent information first. Consequently, the display and the retrieval of information is simplified."
Categories: Linux

FCC votes for Internet “fast lanes” but could change its mind later (Ars Technica)

Thu, 2014-05-15 20:31
The US Federal Communications Commission (FCC) has voted for the so-called "Internet fast lanes", as Ars Technica reports. "In response to earlier complaints, FCC Chairman Tom Wheeler expanded the requests for comment in the NPRM [Notice of Proposed Rulemaking]. For example, the FCC will ask the public whether it should bar paid prioritization completely. It will ask whether the rules should apply to cellular service in addition to fixed broadband, whereas the prior rules mostly applied just to fixed broadband. The NPRM will also ask the public whether the FCC should reclassify broadband as a telecommunications service. This will likely dominate debate over the next few months. Classifying broadband as a telecommunications service would open it up to stricter “common carrier” rules under Title II of the Communications Act. The US has long applied common carrier status to the telephone network, providing justification for universal service obligations that guarantee affordable phone service to all Americans and other rules that promote competition and consumer choice."
Categories: Linux

Thursday's security updates

Thu, 2014-05-15 17:54

Debian has updated linux-2.6 (three privilege escalation flaws).

Fedora has updated cifs-utils (F20: code execution) and srm (F19: unspecified).

Gentoo has updated xorg-server (many vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities), nrpe (code execution), php (privilege escalation), python-lxml (code execution), python3 (privilege escalation), and struts (code execution).

Mandriva has updated php (BS1.0: privilege escalation) and python-lxml (BS1.0, ES5.0: code execution).

openSUSE has updated libvirt (12.3: information disclosure/denial of service) and libxml2 (denial of service).

Red Hat has updated flash-plugin (multiple vulnerabilities).

Ubuntu has updated python-django (information disclosure).

Categories: Linux

[$] LWN.net Weekly Edition for May 15, 2014

Thu, 2014-05-15 04:22
The LWN.net Weekly Edition for May 15, 2014 is available.
Categories: Linux

Firefox gets closed-source DRM

Wed, 2014-05-14 19:36
Andreas Gal describes why and how Mozilla will be implementing the W3C Encrypted Media Extension in Firefox. "Firefox should help users get access to the content they want to enjoy, even if Mozilla philosophically opposes the restrictions certain content owners attach to their content. As a result we have decided to implement the W3C EME specification in our products, starting with Firefox for Desktop. This is a difficult and uncomfortable step for us given our vision of a completely open Web, but it also gives us the opportunity to actually shape the DRM space and be an advocate for our users and their rights in this debate." This implementation will include a closed-source "content decryption module" supplied by Adobe. It will be interesting to see whether distributions will be able to strip this stuff out and still use the "Firefox" name.
Categories: Linux

[$] A CyanogenMod 11.0 M6 test drive

Wed, 2014-05-14 19:27
The CyanogenMod 11.0 M6 release was made available on May 4. CyanogenMod, of course, is an Android-based distribution for handsets and tablets. Your editor, in a grumpier than usual mood, decided that this would be a prime opportunity to inflict pain on a helpless handset and see what CyanogenMod has been up to since the 11.0 M1 review published late last year. Since then, Cyanogen (the company) has received another $23 million in venture funding; it is natural to wonder what visible effects all that money has had.
Categories: Linux

Security advisories for Wednesday

Wed, 2014-05-14 18:18

Debian has updated libxfont (multiple vulnerabilities).

Fedora has updated abrt (F20: prevents server usage), mingw-qt (F20; F19: denial of service), mingw-qt5-qtbase (F20; F19: denial of service), and owncloud (F20: remote users can mount the local file system).

openSUSE has updated thunderbird (13.1, 12.3: multiple vulnerabilities).

Red Hat has updated java-1.7.0-ibm (RHEL5&6 Supplementary: multiple vulnerabilities).

SUSE has updated firefox (SLE 11 SP3: multiple vulnerabilities) and OpenJDK (SLED 11 SP3: multiple vulnerabilities).

Ubuntu has updated libxfont (all: multiple vulnerabilities).

Categories: Linux

RFC 7258

Tue, 2014-05-13 19:47
The Internet Engineering Task Force has adopted RFC 7258, titled "Pervasive monitoring is an attack." It commits the IETF to work against pervasive monitoring (PM) in the design of its protocols going forward. "In particular, architectural decisions, including which existing technology is reused, may significantly impact the vulnerability of a protocol to PM. Those developing IETF specifications therefore need to consider mitigating PM when making architectural decisions. Getting adequate, early review of architectural decisions including whether appropriate mitigation of PM can be made is important. Revisiting these architectural decisions late in the process is very costly."
Categories: Linux

Stable kernel updates

Tue, 2014-05-13 17:35
Greg KH has released stable kernels 3.14.4, 3.10.40, and 3.4.90. All contain important fixes.
Categories: Linux

Tuesday's security updates

Tue, 2014-05-13 17:28

Debian has updated kernel (multiple vulnerabilities).

Fedora has updated 0ad (F19: denial of service), megaglest (F19: denial of service), miniupnpc (F19: denial of service), and openstack-glance (F20: command execution).

openSUSE has updated android-tools (12.3; 13.1: code execution) and openssl (12.3; 13.1: denial of service).

Categories: Linux

Linux gets fix for code-execution flaw (Ars Technica)

Tue, 2014-05-13 00:10
Ars Technica takes a look at a serious bug in the Linux kernel that was introduced in 2009. "The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device." This flaw has been identified as CVE-2014-0196. The LWN vulnerability report is here.
Categories: Linux

Security advisories for Monday

Mon, 2014-05-12 18:05

Fedora has updated kernel (F20: multiple vulnerabilities), php (F19: privilege escalation), rxvt-unicode (F20; F19: command execution), and xen (F20; F19: code execution).

Gentoo has updated openssh (multiple vulnerabilities, one from 2008).

Mageia has updated chromium-browser-stable (multiple vulnerabilities), ldns (information disclosure), libpng (MG4; MG3: multiple vulnerabilities), and libxml2 (denial of service).

Mandriva has updated ldns (information disclosure), libpng (multiple vulnerabilities), and libxml2 (denial of service).

openSUSE has updated seamonkey (13.1, 12.3: multiple vulnerabilities).

Slackware has updated seamonkey (multiple vulnerabilities).

Categories: Linux

PyPy 2.3 released

Mon, 2014-05-12 12:16
The PyPy project has released version 2.3 of its high-performance implementation of the Python language. Along with a number of fixes, this release includes support for several new modules, the ability to embed the interpreter within hosting applications, OpenBSD support, and more.
Categories: Linux

Garrett: Oracle continue to circumvent EXPORT_SYMBOL_GPL()

Mon, 2014-05-12 03:35
Matthew Garrett takes Oracle to task for using shim functions to gain access to GPL-only kernel functions in its GPL-incompatible DTrace module. "Of course, as copyright holders of DTrace, Oracle could solve the problem by dual-licensing DTrace under the GPL as well as the CDDL. The fact that they haven't implies that they think there's enough value in keeping it under an incompatible license to risk losing a copyright infringement suit. This might be just the kind of recklessness that Oracle accused Google of back in their last case."
Categories: Linux

Kernel prepatch 3.15-rc5

Sun, 2014-05-11 14:26
The 3.15-rc5 prepatch is out, a little earlier than usual as Linus prepares for a bunch of travel. "And while rc5 may be bigger than rc3/4 were, it's not like it is worrying. This merge window was bigger than most, and the fact that rc5 is then slightly bigger than most isn't something that worries me overmuch. And since rc4 was smaller than usual, it all evens out. But I really *will* be entirely unreachable all next week, so get your testing in, because the -git tree will be very quiet."
Categories: Linux

Oracle’s Java API code protected by copyright, appeals court rules (Ars Technica)

Fri, 2014-05-09 21:03
Ars Technica is reporting that the appeals court has overturned US District Judge William Alsup's ruling that the Java API was not copyrightable. "'Because we conclude that the declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection, we reverse the district court’s copyrightability determination with instructions to reinstate the jury’s infringement finding as to the 37 Java packages,' the US Appeals Court for the Federal Circuit ruled [PDF] Friday."
Categories: Linux

Friday's security updates

Fri, 2014-05-09 17:15

CentOS has updated kernel (C6: multiple vulnerabilities).

Debian has updated rxvt-unicode (code execution).

Mageia has updated kernel (M4: multiple vulnerabilities), kernel-linus (M4: multiple vulnerabilities), kernel-rt (M4: multiple vulnerabilities), owncloud (M3, M4: multiple vulnerabilities), and postgresql (M4: multiple vulnerabilities).

Mandriva has updated apache-mod_security (BS1, ES5: rules bypass), mediawiki (BS1: multiple vulnerabilities), openssl (BS1: denial of service), and python-imaging (BS1: multiple vulnerabilities).

Scientific Linux has updated kernel (SL6: multiple vulnerabilities).

SUSE has updated kvm (SLES/SLED 11: multiple vulnerabilities).

Ubuntu has updated cups-filters (14.04: multiple vulnerabilities).

Categories: Linux

GoboLinux 015

Thu, 2014-05-08 23:12
Six years after its last release, GoboLinux is back, with the 015 release of the distribution that is best-known for a total rearrangement of the traditional Linux filesystem hierarchy. More information about the distribution is available, as are release notes for 015. After a hiatus of 6 years, we have returned with an updated set of packages and some infrastructure changes that have come for better. Some of the major points of this release are:
  • Migration from the /System/Links hierarchy to /System/Index
  • Embracing "root" as super user name -- that should make recipes more simple to write and soften the task of preparing new releases
  • Live USB support off the shelf
  • Adoption of Enlightenment as the desktop environment for the first time
We looked at GoboLinux 014 back in 2008.

[Update: The project has asked that people consider using the official mirror at http://adv1.calica.com/gobolinux/ to reduce load on the primary server.]

Categories: Linux

Defeating memory comparison timing oracles (Red Hat Security Blog)

Thu, 2014-05-08 20:58
Over at the Red Hat Security Blog, Florian Weimer looks at timing oracles in memory comparison functions and how to stop them. Timing oracles can allow attackers to extract keys or other secret data by timing code that compares input data to the secret. "Of course, there are other architectures (and x86 implementations), so we will have to perform further research to see if we can remove the timing oracle from their implementations at acceptable (read: zero) cost. For architectures where super-scalar, pipelined implementations are common, this is likely the case. But the GNU C library will probably not be in a position to commit to an oracle-free memcmp by default (after all, future architectures might have different requirements). But I hope that we can promise that in -D_FORTIFY_SOURCE=2 mode, memcmp is oracle-free."
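As an added illustration of the oracle Weimer describes (this is editor-written example code, not from the LWN item, Weimer's post, or glibc), the block below puts an early-exit byte comparison next to a constant-time one. Both functions are hypothetical names; the `steps_out` counter is an assumption standing in for the elapsed time an attacker would actually have to measure, since counting examined bytes shows the data dependence without noisy timers. The early-exit version stops at the first mismatching byte, so the work it does reveals how long a correct prefix the input shares with the secret; the constant-time version touches every byte and derives its result without a data-dependent branch, so its work depends only on the length.

```c
/* Added example: early-exit vs. constant-time memory comparison.
 * Not glibc's memcmp; function names and the steps counter are assumptions
 * made for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison in the style of a conventional memcmp: returns as
 * soon as a byte differs. steps_out receives the number of bytes examined,
 * which is what a timing attacker indirectly observes. Returns 1 on equality. */
int early_exit_equal(const void *a, const void *b, size_t n, size_t *steps_out)
{
    const unsigned char *pa = a, *pb = b;
    size_t i;
    for (i = 0; i < n; i++) {
        if (pa[i] != pb[i]) {
            if (steps_out) *steps_out = i + 1;   /* stopped early: leaks position */
            return 0;
        }
    }
    if (steps_out) *steps_out = n;
    return 1;
}

/* Constant-time comparison: always examines all n bytes, ORs the differences
 * together, and maps the accumulator to 0/1 arithmetically rather than with a
 * branch. Work done depends only on n, never on where a mismatch occurs. */
int ct_equal(const void *a, const void *b, size_t n, size_t *steps_out)
{
    const unsigned char *pa = a, *pb = b;
    unsigned int acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= (unsigned int)(pa[i] ^ pb[i]);
    if (steps_out) *steps_out = n;
    /* acc is in 0..255; (acc - 1) >> 8 is nonzero only when acc == 0 */
    return (int)(((acc - 1u) >> 8) & 1u);
}

/* Demonstration: guesses sharing a longer correct prefix with the secret make
 * the early-exit compare do more work, while the constant-time compare always
 * does n steps. The secret is a constructed sample value. */
int main(void)
{
    const unsigned char secret[] = "s3cr3t!!";     /* constructed sample secret */
    const size_t n = sizeof secret - 1;            /* 8 bytes, NUL excluded */
    unsigned char guess[sizeof secret - 1];
    size_t k, ee, ct;

    printf("prefix  early-exit steps  constant-time steps\n");
    for (k = 0; k <= n; k++) {
        /* guess agrees with the secret in the first k bytes, then differs */
        memcpy(guess, secret, k);
        memset(guess + k, '?', n - k);
        early_exit_equal(secret, guess, n, &ee);
        ct_equal(secret, guess, n, &ct);
        printf("%6zu  %16zu  %19zu\n", k, ee, ct);
    }
    return 0;
}
```

Running it shows the early-exit column climbing with the length of the correct prefix while the constant-time column stays at 8, which is the leak a timing oracle exploits and the property an oracle-free comparison has to preserve. In real code, secrets such as MACs, session tokens or password hashes should be compared with a dedicated constant-time routine (for example, the `CRYPTO_memcmp` that OpenSSL provides) rather than with the general-purpose `memcmp`, whose early exit is a feature for ordinary data.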
Categories: Linux