Linux Weekly News

Syndicated content: Linux Weekly News is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.
Updated: 1 minute 25 seconds ago

Tuesday's security advisories

Tue, 2014-06-10 19:33

Debian has updated dovecot (denial of service).

Fedora has updated check-mk (F20; F19: file disclosure), cifs-utils (F19: code execution), cups-filters (F19: command execution), gnutls (F19: code execution), libgadu (F19: code execution), libpng (F19: denial of service), libtasn1 (F19: multiple vulnerabilities), libtiff (F19: code execution), mediawiki (F20; F19: don't parse usernames as wikitext), mingw-curl (F20; F19: multiple vulnerabilities), mingw-freetype (F20; F19: two vulnerabilities), mingw-gnutls (F20; F19: code execution), mingw-icu (F20; F19: denial of service), mingw-libgcrypt (F19: information leak), mingw-libjpeg-turbo (F20; F19: information leak), mingw-libpng (F19: multiple vulnerabilities), mingw-libtiff (F20; F19: multiple vulnerabilities), mingw-pixman (F20; F19: denial of service), mingw-readline (F20; F19: insecure temporary files), openssh (F19: two vulnerabilities), qemu (F20: multiple vulnerabilities), and qt3 (F20; F19: denial of service).

Gentoo has updated adobe-flash (multiple vulnerabilities).

Mandriva has updated curl (multiple vulnerabilities), file (denial of service), gnutls (BS 1.0; ES 5.0: code execution), libcap-ng (privilege escalation), libtasn1 (multiple vulnerabilities), openssl (ES 5.0; BS 1.0: multiple vulnerabilities), otrs (cross-site scripting), php (denial of service), python-django (ES 5.0; BS 1.0: multiple vulnerabilities), and squid (denial of service).

Slackware has updated php (multiple vulnerabilities).

Ubuntu has updated dpkg (two file modification via path traversal flaws) and libxml2 (regression in previous update).

Categories: Linux

RHEL 7 released

Tue, 2014-06-10 17:13
Red Hat has sent out a suitably buzzword-laden press release announcing the availability of Red Hat Enterprise Linux 7. "Bare metal servers, virtual machines, Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) are converging to form a robust, powerful datacenter environment to meet constantly changing business needs. Answering the heterogeneous realities of modern enterprise IT, Red Hat Enterprise Linux 7 offers a cohesive, unified foundation that enables customers to balance modern demands while reaping the benefits of computing innovation, like Linux Containers and big data, across physical systems, virtual machines and the cloud – the open hybrid cloud."
Categories: Linux

Kuhn: Why your project doesn't need a contributor licensing agreement

Tue, 2014-06-10 15:12
Bradley Kuhn tells free software projects that they need not worry about contributor license agreements. "Thus, I encourage those considering a CLA to look past the 'nice assurances we'd like to have — all things being equal' and focus on the 'what legal assurances our FLOSS project actually needs to assure its thrives'. I've spent years doing that analysis; I've concluded quite simply: in this regard, all a project and its legal home actually need is a clear statement and/or assent from the contributor that they offer the contribution under the project's known FLOSS license."
Categories: Linux

GNOME Foundation board of directors election results

Mon, 2014-06-09 20:25
The GNOME Foundation is governed by a seven-member board of directors who are elected annually. The just-completed vote had eleven people vying for those seats. Unless there is a challenge to the voting process, the new board members are: Sriram Ramkrishna, Ekaterina Gerasimova, Karen Sandler, Andrea Veri, Jeff Fortin, Tobias Mueller, and Marina Zhurakhinskaya. We looked at the question of corporate involvement in GNOME as one of the election issues being discussed in last week's edition.
Categories: Linux

Docker 1.0 released

Mon, 2014-06-09 18:58
Version 1.0 of the Docker application containerization system has been announced. It includes a number of new features; it is also the first version that the developers are willing to put forward as being production-ready. "Second, this milestone signifies Docker’s coming into its own as an open platform for distribution apps. In particular, the community’s use of Docker in such a wide variety of use-cases and apps in every phase of the application lifecycle confirms this. So from today you’ll hear us talk about Docker as a platform, its components being Docker Engine, the container runtime and packaging tool, and Docker Hub, a cloud-based service for collaboration, content, and workflow automation."
Categories: Linux

CyanogenMod 11.0 M7 released

Mon, 2014-06-09 15:50
The CyanogenMod 11.0 M7 release is now available. Changes this time around include an overhaul of the theme chooser, a new calculator app, incorporation of ffmpeg for wider media format support, and more. "To get ahead of the inevitable questions, this release is based on Android 4.4.2. The 4.4.3 source has been merged into CM for nightlies, but given the source code was only made available last week, we chose not to rush the new code into the stable branch."
Categories: Linux

Security updates for Monday

Mon, 2014-06-09 15:27

Debian has updated dpkg (two file modification via path traversal flaws).

Mageia has updated perl-LWP-Protocol-https (M4: SSL certificate verification botch) and php (two denial of service flaws).

Oracle has updated kernel-2.6.32 (OL6; OL5: futex privilege escalation), kernel-2.6.39 (OL6; OL5: futex privilege escalation), and kernel-3.8.13 (OL6: futex privilege escalation).

Slackware has updated mozilla-firefox (multiple vulnerabilities).

SUSE has updated MySQL (SLE11SP3: 33 largely unspecified vulnerabilities) and OpenSSL (SC9: two vulnerabilities, one from 2011; SLE10SP4, SLE10SP3: three vulnerabilities).

Categories: Linux

The 3.15 kernel is out

Sun, 2014-06-08 21:55
Linus has released the 3.15 kernel after one week of overlapping development with the 3.16 merge window. Headline features in 3.15 include some significant memory management improvements, the renameat2() system call, file-private POSIX locks, a new device mapper target called dm-era, faster resume from suspend, and more.

Linus also noted that, while overlapping the 3.16 merge window with the final 3.15 stabilization worked well enough, he is not necessarily inclined to do it every time. "I also don't think it was such a wonderful experience that I'd want to necessarily do the overlap every time, without a good specific reason for doing so. It was kind of nice being productive during the last week or rc (which is usually quite boring and dead), but I think it might be a distraction when people should be worrying about the stability of the rc."

Categories: Linux

Stable kernels 3.14.6, 3.10.42, and 3.4.92

Sun, 2014-06-08 15:50
Greg Kroah-Hartman has released the latest batch of stable kernels: 3.14.6, 3.10.42, and 3.4.92. As usual, each contains fixes all over the tree and users of those kernel series should upgrade.
Categories: Linux

Libre Graphics World: Natron 0.92 released with new roto and keying nodes

Fri, 2014-06-06 23:53

Libre Graphics World has an interview with Alexandre Gauthier (the developer behind the open-source video compositor Natron) as well as an overview of the most recent release. Gauthier addresses the at times controversial decision to build an interface similar to that of proprietary applications that also support the OpenFX plugin standard: "when you implement an application which will be used by professionals who potentially have a lot of background in the usage of such software, you want to make sure you don't break all their habits, otherwise they won't bother. When you have an entire keyboard layout in mind and you need to switch to another, this is a lot of pain. When you have to spend afternoons just to find how to configure the same plug-in but on another application this can be very frustrating." Among other topics, the interview also delves into the complex history behind Natron and other OpenFX applications.

Categories: Linux

Friday's security updates

Fri, 2014-06-06 17:47

CentOS has updated openssl (C5: man-in-the-middle attack).

Debian has updated kfreebsd-9 (multiple vulnerabilities) and mupdf (code execution).

Fedora has updated kernel (F20: denial of service) and openssl (F19; F20: multiple vulnerabilities).

Gentoo has updated echoping (denial of service) and mumble (multiple vulnerabilities).

Mageia has updated emacs (M3, M4: multiple vulnerabilities), file (M3, M4: multiple vulnerabilities), libcap-ng (M3, M4: privilege escalation), mediawiki (M3, M4: cross-site scripting), openssl (M3, M4: multiple vulnerabilities), tor (M3, M4: information disclosure), and wordpress (M3, M4: multiple vulnerabilities).

openSUSE has updated kernel (11.4 Evergreen: multiple vulnerabilities), gnutls (11.4; 12.3, 13.1: multiple vulnerabilities), and openssl (11.4; 12.3, 13.1: multiple vulnerabilities).

Oracle has updated openssl (O6; O5: multiple vulnerabilities) and openssl097a and openssl098e (O6; O5: multiple vulnerabilities).

Scientific Linux has updated openssl (SL6: multiple vulnerabilities) and openssl097a and openssl098e (SL5: man-in-middle attack).

Slackware has updated gnutls (multiple vulnerabilities), libtasn1 (14.0, 14.1, current: multiple vulnerabilities), openssl (multiple vulnerabilities), and sendmail (denial of service).

SUSE has updated OpenSSL (SLES/SLED 11 SP3; SLES 11 SP1, SP2: multiple vulnerabilities) and OpenSSL 1.0 (SLE Security Module 11 SP3: multiple vulnerabilities).

Ubuntu has updated EC2 kernel (10.04: multiple vulnerabilities), kernel (10.04; 13.10; 12.04; 14.04: multiple vulnerabilities), linux-lts-quantal (12.04: privilege escalation), linux-lts-raring (12.04: multiple vulnerabilities), linux-lts-saucy (12.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

Categories: Linux

They’re ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox (Ars Technica)

Thu, 2014-06-05 19:40
Ars Technica looks at a revival of a technique for remote sites to determine browser history. Originally, using JavaScript and CSS allowed sites to track browsing history, but those holes were eventually closed by browser makers. Exploiting a timing attack [PDF] on the browser can distinguish between sites that have been visited and those that have not. "The browser timing attack technique [Aäron] Thijs borrowed from fellow researcher [Paul] Stone abuses a programming interface known as requestAnimationFrame, which is designed to make animations smoother. It can be used to time the browser's rendering, which is the time it takes for the browser to display a given webpage. By measuring variations in the time it takes links to be displayed, attackers can infer if a particular website has been visited."
Categories: Linux

Day: Notify me

Thu, 2014-06-05 19:16
On his blog, GNOME contributor Allan Day writes about a redesign of the GNOME 3 notification mechanisms. It includes a new Message Tray design as well as reworking the lock-screen notifications and the notification banners themselves. "The final goal is one that was at the core of the original design, and which is central to the design of GNOME 3 as a whole: that is, to be noticeable and useful without being distracting. Wherever possible with GNOME 3, we have tried to produce a distraction-free experience which helps you concentrate on the task in hand. This requires a fine balancing act, which can be tricky to get right. With the new designs, we want to change that balance slightly, by making notifications a bit more noticeable and by providing more effective reminders, but we still want to retain the emphasis on avoiding distraction."
Categories: Linux

Security advisories for Thursday

Thu, 2014-06-05 17:16

CentOS has updated openssl (C6: multiple vulnerabilities including one from 2010) and openssl097a and openssl098e (C6; C5: man-in-the-middle attack).

Debian has updated kernel (three vulnerabilities), libav (multiple unspecified vulnerabilities), openssl (multiple vulnerabilities), python-bottle (security mechanism bypass), and python-gnupg (shell command injection).

Gentoo has updated mutt (code execution) and systemtap (denial of service from 2012).

Mageia has updated chkrootkit (privilege escalation).

Red Hat has updated kernel (RHEL6: three vulnerabilities), openssl (Extended lifecycle support products; RHEL5: man-in-the-middle attack; RHEL6: multiple vulnerabilities including one from 2010), and openssl097a and openssl098e (man-in-the-middle attack).

SUSE has updated gnutls (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated openssl (multiple vulnerabilities).

Categories: Linux

Another set of OpenSSL vulnerabilities

Thu, 2014-06-05 16:16
The OpenSSL project has disclosed another set of vulnerabilities, including one that could enable man-in-the-middle attacks and one that could maybe lead to code execution. Expect updates from distributors soon. For the curious, Masashi Kikuchi, the discoverer of the MITM vulnerability, has posted the story of how it was found.
Categories: Linux

[$] Weekly Edition for June 5, 2014

Thu, 2014-06-05 02:52
The Weekly Edition for June 5, 2014 is available.
Categories: Linux

[$] PGCon 2014: Clustering and VODKA

Wed, 2014-06-04 20:49

The eighth annual PostgreSQL developer conference, known as PGCon, concluded on May 24th in Ottawa, Canada. This event has stretched into five days of meetings, talks, and discussions for 230 members of the PostgreSQL core community, which consists both of contributors and database administrators. PGCon serves to focus the whole PostgreSQL development community on deciding what's going to be in next year's PostgreSQL release as well as on showing off new features that contributors have developed. This year's conference included meetings of the main PostgreSQL team as well as for the Postgres-XC team, a keynote by Dr. Richard Hipp, and new code to put VODKA in your database.

Subscribers can click below for the full report from guest author Josh Berkus.

Categories: Linux

Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Wed, 2014-06-04 18:53
Cupid is an exploit for the Heartbleed bug in OpenSSL that can target both servers and endpoints running Linux and Android, reports PCMagazine. "Luis Grangeia, a researcher at SysValue, created a proof-of-concept code library that he calls "Cupid." Cupid consists of two patches to existing Linux code libraries. One allows an "evil server" to exploit Heartbleed on vulnerable Linux and Android clients, while the other allows an "evil client" to attack Linux servers. Grangeia has made the source code freely available, in hopes that other researchers will join in to learn more about just what kind of attacks are possible."
Categories: Linux

Security advisories for Wednesday

Wed, 2014-06-04 17:46

CentOS has updated gnutls (C6: code execution), gnutls (C5: multiple vulnerabilities), libtasn1 (C6: multiple vulnerabilities), and squid (C6: denial of service).

Debian has updated chkrootkit (privilege escalation).

Fedora has updated gnutls (F20: code execution) and libtasn1 (F20: multiple vulnerabilities).

openSUSE has updated libcap-ng (11.4: privilege escalation) and libxml2 (13.1, 12.3: revert fix for CVE-2014-0191).

Oracle has updated gnutls (OL6: code execution), gnutls (OL5: multiple vulnerabilities), libtasn1 (OL6: multiple vulnerabilities), and squid (OL6: denial of service).

Red Hat has updated gnutls (RHEL5: multiple vulnerabilities), gnutls (RHEL6: code execution), kernel (RHEL6.3 EUS: two vulnerabilities), libtasn1 (RHEL6: multiple vulnerabilities), and squid (RHEL6: denial of service).

Scientific Linux has updated gnutls (SL5: multiple vulnerabilities), gnutls (SL6: code execution), libtasn1 (SL6: multiple vulnerabilities), and squid (SL6: denial of service).

Ubuntu has updated chkrootkit (privilege escalation).

Categories: Linux

Critical new bug in crypto library leaves Linux, apps open to drive-by attacks (Ars Technica)

Wed, 2014-06-04 00:34
Ars Technica reports on a buffer overflow in GnuTLS, which is an alternative to OpenSSL for SSL/TLS support. The length checks for the session ID in the ServerHello message were not correct, which allowed the overflow. "Maliciously configured servers can exploit the bug by sending malformed data to devices as they establish encrypted HTTPS connections. Devices that rely on an unpatched version of GnuTLS can then be remotely hijacked by malicious code of the attacker's choosing, security researchers who examined the fix warned. The bug wasn't patched until Friday [May 30], with the release of GnuTLS versions 3.1.25, 3.2.15, and 3.3.4. While the patch has been available for three days, it will protect people only when the GnuTLS-dependent software they use has incorporated it. With literally hundreds of packages dependent on the library, that may take time." This analysis shows how the bug could be exploited for arbitrary code execution.
Categories: Linux