Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Debian has updated apache2 (HTTP redirect).
Debian-LTS has updated apache2 (HTTP redirect).
Gentoo has updated ansible (code execution), arpwatch (privilege escalation from 2012), bugzilla (multiple vulnerabilities from 2014), commons-beanutils (code execution from 2014), dropbear (information disclosure), exim (code execution from 2014), libbsd (denial of service), ntp (many vulnerabilities), and varnish (access control bypass).
Red Hat has updated java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).
SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities).
Ubuntu has updated python-django (16.04: cross-site scripting).
The Register reports that longtime Tor contributor Lucky Green is quitting and closing down the node and bridge authority he operates. "Practically, it's a big deal. Bridge Authorities are part of the infrastructure that lets users get around some ISP-level blocks on the network (not, however, defeating deep packet inspection). They're also incorporated in the Tor code, meaning that to remove a Bridge Authority is going to need an update." The shutdown is scheduled for August 31. (Thanks to Nomen Nescio)
The Software Freedom Conservancy is one of the few organizations involved in GPL enforcement, and it has published principles regarding enforcement practices that seek compliance and not financial penalties. Bradley Kuhn and Karen Sandler urge others doing GPL enforcement to follow principles set forth by the SFC. "One impetus in drafting the Principles was our discovery of ongoing enforcement efforts that did not fit with the GPL enforcement community traditions and norms established for the last two decades. Publishing the previously unwritten guidelines has quickly separated the wheat from the chaff. Specifically, we remain aware of multiple non-community-oriented GPL enforcement efforts, where none of those engaged in these efforts have endorsed our principles nor pledged to abide by them. These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years." The actions of one individual prompted the netfilter project to make a statement endorsing the principles, which we covered earlier this month.
Version 1.0 of the QtWebBrowser has been released. Qt WebBrowser is a browser for embedded devices developed using the capabilities of Qt and Qt WebEngine. "The browser is optimized for embedded touch displays (running Linux), but you can play with it on the desktop platforms, too! Just make sure that you have Qt WebEngine, Qt Quick, and Qt VirtualKeyboard installed (version 5.7 or newer). For optimal performance on embedded devices you should plan for hardware-accelerated OpenGL, and around 1 GiByte of memory for the whole system. Anyhow, depending on your system configuration and the pages to be supported there is room for optimization."
Fedora has updated dnsmasq (F24: denial of service), gd (F23: two vulnerabilities), kernel (F22: multiple vulnerabilities), mingw-openjpeg2 (F24; F23: multiple vulnerabilities), pagure (F24: unspecified), pdfbox (F24: XML External Entity (XXE) attacks), perl (F24; F23: code execution), and tcpreplay (F24; F23: denial of service).
Mageia has updated imagemagick (three vulnerabilities).
openSUSE has updated apache2 (Leap42.1, 13.2: HTTP redirect).
ComputerWorld talks with Jim Hall, a contributor to FreeDOS. "FreeDOS (it was originally dubbed ‘PD-DOS’ for ‘Public Domain DOS’, but the name was changed to reflect that it’s actually released under the GNU General Public License) dates back to June 1994, meaning it is just over 22 years old — a formidable lifespan compared to many open source projects. “And if you consider the DOS platform, MS-DOS 1.0 dates back to 1981, ‘DOS’ as an operating system has been around for 35 years! That’s not too shabby,” Hall said. (Version 1.0 of MS-DOS — then marketed by IBM as PC DOS — was released in August 1981.)" (Thanks to Paul Wise)
Fedora has updated gimp (F22: use-after-free), httpd (F23: authentication bypass), openjpeg2 (F23: multiple vulnerabilities), perl (F22: code execution), python (F23: denial of service), python3 (F23: denial of service), samba (F23: crypto downgrade), and sudo (F23; F22: race condition).
Canonical has disclosed that the Ubuntu forum system has been compromised. "The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table. They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed."
The lowRISC project, which is an effort to develop a fully open-source, Linux-powered system-on-chip based on the RISC-V architecture, has published notes from the fourth RISC-V workshop. Notably, the post explains, the members of the RISC-V foundation voted to keep the RISC-V instruction-set architecture (ISA) and related standards open and license-free to all parties. There are also accounts included of the work on RISC-V interrupts, heterogeneous multicore RISC-V processors, support for non-volatile memory, and Debian's RISC-V port.
Debian has updated php5 (multiple vulnerabilities).
Mageia has updated graphicsmagick (M5: multiple vulnerabilities), pdfbox (M5: XML External Entity (XXE) attack), sqlite3 (M5: information leak), thunderbird (M5: multiple vulnerabilities), and util-linux (M5: denial of service).
openSUSE has updated flash-player (13.1: multiple vulnerabilities), LibreOffice (Leap 42.1: multiple vulnerabilities), libvirt (13.2; Leap 42.1: authentication bypass), and xerces-c (13.2: multiple vulnerabilities).
Red Hat has updated atomic-openshift (RHOSE 3.2: information leak).
Ubuntu has updated ecryptfs-utils (15.10, 16.04: information leak), kernel (14.04; 15.10: denial of service), libarchive (12.04, 14.04, 15.10, 16.04: code execution), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-lts-wily (14.04: denial of service), and linux-raspi2 (15.10: denial of service).
Over at Linux.com, Eric Brown writes about the release of Automotive Grade Linux (AGL) Unified Code Base (UCB) 2.0 for in-vehicle infotainment (IVI) systems. "The latest version adds features like audio routing, rear seat display support, the beginnings of an app platform, and new development boards including the DragonBoard, Wandboard, and Raspberry Pi. AGL’s Yocto Project derived UCB distro, which is also based in part on the GENIVI and Tizen automotive specs, was first released in January. UCB 1.0 followed an experimental AGL stack in 2014 and an AGL Requirements Specification in June, 2015. UCB is scheduled for a 3.0 release in early 2017, at which point some automotive manufacturers will finally use it in production cars. Most of the IVI software will be based on UCB, but carmakers can also differentiate with their own features." We looked at AGL UCB 1.0 back in January.
Fedora has updated gnutls (F23: certificate verification botch).
Gentoo has updated flash (many vulnerabilities).
SUSE has updated MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss (SLE11: multiple vulnerabilities).
The LWN.net Weekly Edition for July 14, 2016 is available.
The Tor Project has announced a new board of directors. "As Tor's board of directors, we consider it our duty to ensure that the Tor Project has the best possible leadership. The importance of Tor's mission requires it; the public standing of the organization makes it possible; and we are committed to achieve it. We had that duty in mind when we conducted an Executive Director search last year, and appreciate the leadership Shari Steele has brought. To support her, we further believe that it is time that we pass the baton of board oversight as the Tor Project moves into its second decade of operations."
CentOS has updated kernel (C6: privilege escalation).
Mageia has updated flash-player-plugin (multiple vulnerabilities).
Oracle has updated kernel (OL6: privilege escalation).
Scientific Linux has updated thunderbird (SL5,6,7: code execution).
Ubuntu has updated pidgin (15.10, 14.04, 12.04: multiple vulnerabilities).
Software in the Public Interest has announced its 2015 Annual Report (PDF), covering the 2015 calendar year. The annual report covers SPI's finances, elections, board members, committees, associated projects, and other significant changes throughout the year.
Dave Herman reports that with Firefox 48, Mozilla will ship its first Rust component to all desktop platforms. "One of the first groups at Mozilla to make use of Rust was the Media Playback team. Now, it’s certainly easy to see that media is at the heart of the modern Web experience. What may be less obvious to the non-paranoid is that every time a browser plays a seemingly innocuous video (say, a chameleon popping bubbles), it’s reading data delivered in a complex format and created by someone you don’t know and don’t trust. And as it turns out, media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in Web browsers’ implementation code. This makes a memory-safe programming language like Rust a compelling addition to Mozilla’s tool-chest for protecting against potentially malicious media content on the Web."
Fedora has updated expat (F22: multiple vulnerabilities), gnutls (F24: certificate verification vulnerability), gsi-openssh (F24: support GSI authentication), httpd (F24: authentication bypass), krb5 (F22: buffer overflow), mbedtls (F23: three vulnerabilities), pdfbox (F23: XML External Entity (XXE) attacks), pypy3 (F23; F22: two vulnerabilities), python (F22: startTLS stripping attack), python3 (F22: startTLS stripping attack), and samba (F24: crypto downgrade).
On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. "Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put its panels, but does not have any meaning for normal windows. Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screen”. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it. Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry."