Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
The OpenMandriva Lx 3.0 release is available. "OpenMandriva Lx is a cutting edge distribution compiled with LLVM/clang. Combined with the high level of optimisation used for both code and linking (by enabling LTO) used in its building, this gives the OpenMandriva desktop an unbelievably crisp response to operations on the KDE Plasma 5 desktop which makes it a pleasure to use."
The Ardour audio workstation has released its 5.0 version. There are many new features in the release, including a tabbed user interface, Lua scripting, built-in plugins, and new themes. "Ardour 5.0 is now available for Linux, OS X and Windows. This is a major release focused on substantial changes to the GUI and major new features related to mixing, plugin use, tempo maps, scripting and more. As usual, there are also hundreds of bug fixes. Ardour 5.0 can be parallel-installed with older versions of the program, and does not use the same preference files. It will load sessions from Ardour 2, 3 and 4, though with some potential minor changes."
Twisted developer Glyph Lefkowitz writes about the attrs library for Python, which he calls "my favorite mandatory Python library". Instead of a lot of boilerplate to handle attributes in classes, attrs makes it far easier. "It lets you say what you mean directly with a declaration rather than expressing it in a roundabout imperative recipe. Instead of “I have a type, it’s called MyType, it has a constructor, in the constructor I assign the property ‘A’ to the parameter ‘A’ (and so on)”, you say “I have a type, it’s called MyType, it has an attribute called a”, and behavior is derived from that fact, rather than having to later guess about the fact by reverse engineering it from behavior (for example, running dir on an instance, or looking at self.__class__.__dict__)."
Debian-LTS has updated nettle (?:).
openSUSE has updated go (42.1, 13.2; SPH: denial of service), hawk2 (42.1: clickjacking prevention), java-1_7_0-openjdk (42.1; 13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1: multiple vulnerabilities), libarchive (42.1: multiple vulnerabilities, many from 2015), OpenJDK7 (13.1: multiple vulnerabilities), pcre2 (42.1: code execution), sqlite3 (42.1: information leak), and wget (13.2: code execution).
Red Hat has updated mariadb (RHEL7: multiple unspecified vulnerabilities), mariadb55-mariadb (RHSC: multiple unspecified vulnerabilities), php (RHEL7; RHEL6: proxy injection), php54-php (RHSC: proxy injection), php55-php (RHSC: proxy injection), qemu-kvm (RHEL7: two vulnerabilities), Red Hat OpenShift Enterprise (two vulnerabilities), rh-mariadb100-mariadb (RHSC: multiple unspecified vulnerabilities), rh-mysql56-mysql (RHSC: multiple unspecified vulnerabilities), and rh-php56-php (RHSC: proxy injection).
Ars Technica is reporting on a mistake by Microsoft that resulted in providing a "golden key" to circumvent Secure Boot. The "key" is not really a key at all, but a debugging tool that was inadvertently left in some versions of Windows devices and was found by two security researchers; the details were released on a "rather funky website" (viewing the source of that page is a good way to avoid the visual and audio funkiness). "The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled. And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse." As the researchers note, this is a perfect example of why backdoors (legally mandated or not) in cryptographic systems are a bad idea.
Update: For some more detail, see Matthew Garrett's blog post.
Debian-LTS has updated postgresql-9.1 (two vulnerabilities).
Gentoo has updated optipng (three vulnerabilities).
Red Hat has updated java-1.7.0-ibm (RHEL5: two vulnerabilities), java-1.7.1-ibm (RHEL6&7: two vulnerabilities), java-1.8.0-ibm (RHEL6&7: two vulnerabilities), and python-django (RHOSP8; RHOSP7; RHEL7: cross-site scripting).
Scientific Linux has updated qemu-kvm (SL6: denial of service).
The LWN.net Weekly Edition for August 11, 2016 is available.
Side-channel attacks against various kinds of protocols (typically networking or cryptographic) are both dangerous and often hard for developers and reviewers to spot. They are generally passive attacks, which makes them hard to detect as well. A recent paper [PDF] describes in detail one such attack against the kernel's TCP networking stack; the bug (CVE-2016-5696) has existed since Linux 3.6, which was released in 2012. Ironically, the bug was introduced because Linux had implemented a countermeasure against another type of attack.
The 4.6.6, 4.4.17, and 3.14.75 stable kernel updates have been released. Each contains the usual set of fixes and updates.
The KDE project has announced the first public release of the Kirigami interface framework. "Now, with KDE’s focus expanding beyond desktop and laptop computers into the mobile and embedded sector, our QWidgets-based components alone are not sufficient anymore. In order to allow developers to easily create Qt-based applications that run on any major mobile or desktop operating system (including our very own existing Plasma Desktop and upcoming Plasma Mobile, of course), we have created a framework that extends Qt Quick Controls: Welcome Kirigami!"
CentOS has updated qemu-kvm (C6: denial of service).
Oracle has updated qemu-kvm (OL6: multiple vulnerabilities).
Red Hat has updated qemu-kvm (RHEL6: denial of service).
SUSE has updated java-1_7_0-openjdk (SLE12-SP1: multiple vulnerabilities), java-1_8_0-openjdk (SLE12-SP1: multiple vulnerabilities), php53 (SLE11-SP4: multiple vulnerabilities), squid3 (SLE11-SP4: multiple vulnerabilities), and kernel (SLE11-SP4: three vulnerabilities).
Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), linux-snapdragon (16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
The Electronic Frontier Foundation (EFF) has announced the winners of the 2016 Pioneer Awards: "Malkia Cyril of the Center for Media Justice, data protection activist Max Schrems, the authors of the “Keys Under Doormats” report that counters calls to break encryption, and the lawmakers behind CalECPA—a groundbreaking computer privacy law for Californians."
UCR Today reports that researchers at the University of California, Riverside have identified a weakness in the Transmission Control Protocol (TCP) in Linux that enables attackers to hijack users’ internet communications remotely. "The UCR researchers didn’t rely on chance, though. Instead, they identified a subtle flaw (in the form of ‘side channels’) in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties. This means that given any two arbitrary machines on the internet, a remote blind attacker, without being able to eavesdrop on the communication, can track users’ online activity, terminate connections with others and inject false material into their communications."
US Chief Information Officer Tony Scott introduces the Federal Source Code Policy, on the White House blog. "By making source code available for sharing and re-use across Federal agencies, we can avoid duplicative custom software purchases and promote innovation and collaboration across Federal agencies. By opening more of our code to the brightest minds inside and outside of government, we can enable them to work together to ensure that the code is reliable and effective in furthering our national objectives. And we can do all of this while remaining consistent with the Federal Government’s long-standing policy of technology neutrality, through which we seek to ensure that Federal investments in IT are merit-based, improve the performance of our government, and create value for the American people." (Thanks to David A. Wheeler)
Arch Linux has updated curl (three vulnerabilities).
Fedora has updated bind99 (F23: denial of service), ca-certificates (F23: certificate update), dhcp (F23: denial of service), dnsmasq (F23: denial of service), flex (F24: buffer overflow), fontconfig (F24: privilege escalation), kernel (F24; F23: two vulnerabilities), libidn (F23: multiple vulnerabilities), libreswan (F23: unspecified), nodejs-tough-cookie (F24: denial of service), pdns (F24: denial of service), perl-CGI-Emulate-PSGI (F24; F23: HTTP redirect), perl-Module-Load-Conditional (F24; F23: privilege escalation), v8 (F24; F23: denial of service), and xen (F23: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), kernel (RHEL6.4: privilege escalation), nodejs010-nodejs-minimatch (RHSCL: denial of service), and rh-nodejs4-nodejs-minimatch (RHSCL: denial of service).
SUSE has updated kernel (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated curl (three vulnerabilities).
The GPL-infringement case brought against VMware by Christoph Hellwig in Germany has been dismissed by the court; the ruling is available in German and English. The decision seems to be based entirely on uncertainty over where his copyrights actually lie and not on the infringement claims. "Nonetheless, these questions (on which the legal interest of the parties and their counsel presumably focus) can and must remain unanswered. This is because the very first requirement for conducting an examination, namely that code possibly protected for the Plaintiff as a holder of adapter’s copyright has been used in the Defendant’s product, cannot be established." The ruling will be appealed.
Jeff Fortin Tam reports on the state of the GNOME Foundation. "Generally speaking, this year was a bit less intense than the one before it (we didn’t have to worry about a legal battle with a giant corporation this time around!) although we did end up touching a fair amount of legal matters, such as trademark agreements. One big item we got cleared was the Ubuntu GNOME trademark agreement. We also welcomed businesses that wanted to sell GNOME-related merchandise, you can find them listed here—supporting them by purchasing GNOME-related items also supports the Foundation with a small percentage shared as royalties." (Thanks to Paul Wise)
Version 1.0.0 of the Lumina Desktop Environment has been released. "After roughly four years of development, I am pleased to announce the first official release of the Lumina desktop environment! This release is an incredible realization of the initial idea of Lumina – a simple and unobtrusive desktop environment meant for users to configure to match their individual needs." Lumina is a from-scratch, BSD-licensed desktop system.
Mageia has updated ruby-eventmachine (denial of service).
openSUSE has updated bsdiff (Leap42.1, 13.2: denial of service), Chromium (Leap42.1, 13.2; SPH for SLE12: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), libvirt (Leap42.1: authentication bypass), redis (Leap42.1, 13.2; SPH for SLE12: information leak), and wireshark (Leap42.1, 13.2: multiple vulnerabilities).
Check Point has discovered four local-root vulnerabilities in Qualcomm-based Android devices and is hyping the result as "QuadRooter". "QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device." Actually getting the report requires registration. All four vulnerabilities are in Android-specific code; three of them are in out-of-tree modules (kgsl and ipc_router); the fourth is in the "ashmem" code in the staging tree.