Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 10 perc 3 másodperc

Security Collapse in the HTTPS Market (ACM Queue)

sze, 2014-09-24 15:24
ACM's Queue has a lengthy article on the security failures in the HTTPS layer and the prospects for improvement. "This article outlines the systemic vulnerabilities of HTTPS, maps the thriving market for certificates, and analyzes the suggested regulatory and technological solutions on both sides of the Atlantic. The findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become 'too big to fail.' Unfortunately, the proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come"
Kategóriák: Linux

Hutterer: libinput - a common input stack for Wayland compositors and X.Org drivers

sze, 2014-09-24 15:17
Here's a post from Peter Hutterer on why the X.Org input stack is a mess and the new "libinput" stack is needed. "It looks like a big happy family at first, but then you see that synaptics won't talk to evdev because of the tapping incident a couple of years back, mouse and keyboard have no idea what forks and knives are for, wacom is the hippy GPL cousin that doesn't even live in the same state and no-one quite knows why elographics keeps getting invited. The X server tries to keep the peace by just generally getting in the way of everyone so no-one can argue for too long. You step back, shrug apologetically and say 'well, that's just how these things are, right?'"
Kategóriák: Linux

Kali NetHunter turns Android device into hacker Swiss Army knife (Ars Technica)

k, 2014-09-23 23:56
Ars Technica takes a look at Kali Linux NetHunter, a penetration testing platform for Nexus devices. "NetHunter is still in its early stages, but it already includes the ability to have the Nexus device emulate a USB human interface device (HID) and launch keyboard attacks on PCs that can be used to automatically elevate privileges on a Windows PC and install a reverse-HTTP tunnel to a remote workstation. It also includes an implementation of the BadUSB man-in-the-middle attack, which can force a Windows PC to recognize the USB-connected phone as a network adapter and re-route all the PC’s traffic through it for monitoring purposes."
Kategóriák: Linux

Announcing the release of Fedora 21 Alpha

k, 2014-09-23 19:31
The Fedora project has released Fedora 21 Alpha. This is the first release of Fedora.next, which introduces three products rather than the traditional single deliverable. The Fedora 21 Base includes only the base set of packages (such as kernel, RPM, yum, systemd, and Anaconda) used by all the products. Fedora 21 Cloud includes images for use in private cloud environments like OpenStack, as well as AMIs for use on Amazon, and a new image streamlined for running Docker containers. The server product is aimed at making it easier to install discrete infrastructure services. The Fedora Server will introduce three new technologies in Fedora to handle this task, rolekit, Cockpit and OpenLMI. The third product is Fedora 21 Workstation, which is aimed at providing a platform for development of server side and client applications that is attractive to developers of all stripes. The final release of Fedora 21 is expected in December.
Kategóriák: Linux

Best practices for the new era of open source (opensource.com)

k, 2014-09-23 18:19
This opensource.com article holds out Ansible as an example of a project worth emulating and delves into the reasons for its success. "The idea that a user can try something out over a lunch break, and understand it—and then learn what is left to learn—is a key success driver for open source software. Too many projects fail needlessly because they don’t invest in this critical idea."
Kategóriák: Linux

Tuesday's security updates

k, 2014-09-23 16:53

CentOS has updated kernel (C7: denial of service).

Oracle has updated kernel (OL7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: denial of service).

Ubuntu has updated dbus (multiple vulnerabilities) and nginx (14.04: virtual host confusion attacks).

Kategóriák: Linux

PyPy 2.4.0 released

h, 2014-09-22 21:55
PyPy is an optimized implementation of the Python (2.x) programming language; the 2.4 release is now available. As is often the case, performance improvements top the list of changes in this release. "Benchmarks improved after internal enhancements in string and bytearray handling, and a major rewrite of the GIL handling. This means that external calls are now a lot faster, especially the CFFI ones. It also means better performance in a lot of corner cases with handling strings or bytearrays." Various bug fixes and an update to the Python 2.7.8 standard library are included as well.
Kategóriák: Linux

Security advisories for Monday

h, 2014-09-22 16:58

Debian has updated mantis (SQL injection flaws) and nginx (virtual host confusion attacks).

Gentoo has updated adobe-flash (multiple vulnerabilities), c-icap (denial of service), chromium (denial of service), and libxml2 (denial of service).

Mageia has updated flash-player-plugin (multiple vulnerabilities), gnupg (MG3: side-channel attack), phpmyadmin (privilege escalation), and zarafa (multiple vulnerabilities).

Mandriva has updated gnupg (side-channel attack).

openSUSE has updated ntp (11.4: denial of service), chromium (13.1, 12.3: multiple vulnerabilities), and phpMyAdmin (13.1, 12.3: privilege escalation).

Red Hat has updated qemu-kvm-rhev (RHEL OSP5.0: multiple vulnerabilities).

SUSE has updated dbus-1 (SLE11 SP3: denial of service).

Ubuntu has updated nss (CA certificate update).

Kategóriák: Linux

Kernel prepatch 3.17-rc6

h, 2014-09-22 00:24
Linus has released the 3.17-rc6 kernel prepatch, saying: "It's been quiet - enough so that coupled with my upcoming travel, this might just be the last -rc, and final 3.17 might be next weekend."
Kategóriák: Linux

Wayland and Weston 1.6.0 released

p, 2014-09-19 17:35
The version 1.6.0 releases of the Wayland display manager and Weston compositor are available. Wayland improvements include better error handling and an improved self-testing infrastructure. On the Weston side, they have made a number of xdg-shell protocol changes ("Yes, we broke it again since 1.5.0"), some keyboard repeat improvements, a switch to libinput by default, and more.
Kategóriák: Linux

Friday's security advisories

p, 2014-09-19 17:12

Debian has updated apt (regression in previous security update).

Fedora has updated apache-poi (F20: two XML handling flaws), asterisk (F20; F19: denial of service), haproxy (F20: unspecified vulnerabilities), kernel (F20: three vulnerabilities), pdns-recursor (F20; F19: denial of service), polkit-qt (F20; F19: authorization bypass), and ReviewBoard (F19: two vulnerabilities).

openSUSE has updated lua (code execution) and squid (denial of service).

Kategóriák: Linux

Simply Secure announces itself

cs, 2014-09-18 18:07
A new organization to "make security easy and fun" has announced itself in a blog post entitled "Why Hello, World!". Simply Secure is targeting the usability of security solutions: "If privacy and security aren’t easy and intuitive, they don’t work. Usability is key." The organization was started by Google and Dropbox; it also has the Open Technology Fund as one of its partners. "To build trust and ensure quality outcomes, one core component of our work will be public audits of interfaces and code. This will help validate the security and usability claims of the efforts we support. More generally, we aim to take a page from the open-source community and make as much of our work transparent and widely-accessible as possible. This means that as we get into the nitty-gritty of learning how to build collaborations around usably secure software, we will share our developing methodologies and expertise publicly. Over time, this will build a body of community resources that will allow all projects in this space to become more usable and more secure."
Kategóriák: Linux

Thursday's security advisories

cs, 2014-09-18 14:28

Debian has updated icedove (two vulnerabilities) and libav (multiple unspecified vulnerabilities).

openSUSE has updated curl (13.1, 12.3: two cookie-handling vulnerabilities).

Oracle has updated automake (OL5: code execution from 2012), bind97 (OL5: three vulnerabilities, two from 2013), conga (OL5: multiple vulnerabilities some going back to 2012), krb5 (OL5: code execution), krb5 (OL5: multiple vulnerabilities, two from 2013), and nss, nspr (multiple vulnerabilities, one from 2013).

SUSE has updated squid3 (SLE11SP3: denial of service).

Kategóriák: Linux

[$] LWN.net Weekly Edition for September 18, 2014

cs, 2014-09-18 00:58
The LWN.net Weekly Edition for September 18, 2014 is available.
Kategóriák: Linux

Some stable kernel updates

sze, 2014-09-17 22:30
Greg Kroah-Hartman has made some progress on the stable patch backlog with the release of 3.16.3, 3.14.19, and 3.10.55.
Kategóriák: Linux

[$] X and SteamOS

sze, 2014-09-17 18:48
In a talk entitled "SteamOS Magic", longtime X developer Keith Packard looked at the new Linux "distribution" and the effort to turn the Linux desktop into a gaming console. It turns out that, with a fairly small amount of code, Steam and SteamOS creator, Valve, was able to take the existing X-based desktop and turn it into a "living-room experience".

Click below (subscribers only) for the full report from LinuxCon North America.

Kategóriák: Linux

Security advisories for Wednesday

sze, 2014-09-17 17:12

Debian has updated apt (multiple vulnerabilities) and dbus (multiple vulnerabilities).

Red Hat has updated krb5 (RHEL5: code execution).

SUSE has updated procmail (SLE11 SP3: code execution) and kernel (SLES11 SP1: multiple vulnerabilities).

Ubuntu has updated apt (multiple vulnerabilities), libav (12.04: code execution), and openjdk-7 (14.04: updates for arm64 and ppc64el).

Kategóriák: Linux

Garrett: ACPI, kernels and contracts with firmware

sze, 2014-09-17 13:18
Matthew Garrett writes about the challenges faced by the developers working on ACPI-based ARM systems. "Somebody is going to need to take responsibility for tracking ACPI behaviour and incrementing the exported interface whenever it changes, and we need to know who that's going to be before any of these systems start shipping. The alternative is a sea of ARM devices that only run specific kernel versions, which is exactly the scenario that ACPI was supposed to be fixing."
Kategóriák: Linux

Business as usual for openSUSE

sze, 2014-09-17 12:59
The openSUSE project has posted a statement on how things will change after Attachmate's merger with Micro Focus. In short, they don't think anything will change. "Business as Usual: There are no changes planned for the SUSE business structure and leadership. There is no need for any action by the openSUSE Project as a result of this announcement."
Kategóriák: Linux

[$] OpenSSL's new security policy

sze, 2014-09-17 10:07

The OpenSSL project is widely known due to its broad adoption as the SSL/TLS library of choice for open-source software—though, in April, it also became widely known because of a particularly vicious security vulnerability. To a large degree, the project weathered the storm, but the project has also undertaken some changes in the wake of the incident. The most recent is the adoption of a public security policy describing how issues of various kinds will be dealt with.

Kategóriák: Linux