Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Tuesday's security updates

Tue, 2015-12-01 18:35

Debian-LTS has updated libphp-snoopy (command execution).

Fedora has updated ca-certificates (F22: certificate update), grub2 (F22: Secure Boot circumvention), imapsync (F23; F22; F21: information leak), libxml2 (F22: multiple vulnerabilities), perl-HTML-Scrubber (F23; F22; F21: cross-site scripting), rpm (F22: denial of service), and wget (F23: information leak).

Oracle has updated apache-commons-collections (OL7: code execution) and jakarta-commons-collections (OL6: code execution).

Red Hat has updated apache-commons-collections (RHEL7: code execution), jakarta-commons-collections (RHEL6: code execution), and rh-java-common-apache-commons-collections (RHSCL2: code execution).

Scientific Linux has updated apache-commons-collections (SL7: code execution) and jakarta-commons-collections (SL6: code execution).

Ubuntu has updated gnutls26 (14.04, 12.04: padding oracle attack) and thunderbird (15.10, 15.04, 14.04, 12.04: multiple vulnerabilities).

Categories: Linux

Thunderbird to be separated from Mozilla

Tue, 2015-12-01 17:42
Mozilla leader Mitchell Baker has announced that the Thunderbird email client project will, eventually, be spun out of Mozilla. "Therefore I believe Thunderbird would thrive best by separating itself from reliance on Mozilla development systems and in some cases, Mozilla technology. The current setting isn't stable, and we should start actively looking into how we can transition in an orderly way to a future where Thunderbird and Firefox are un-coupled."
Categories: Linux

Security advisories for Monday

Mon, 2015-11-30 18:54

Debian-LTS has updated imagemagick (denial of service), libsndfile (multiple vulnerabilities), libxml2 (multiple vulnerabilities), and nss (code execution).

Fedora has updated abrt (F23: two vulnerabilities), mingw-libpng (F23; F22; F21: denial of service), python-pycurl (F22: use-after-free vulnerability), and seamonkey (F21: multiple vulnerabilities).

Mageia has updated lightdm (denial of service), python-cryptography (denial of service), and thunderbird (multiple vulnerabilities).

openSUSE has updated cyrus-imapd (Leap42.1, 13.2: two vulnerabilities), ffmpeg (Leap42.1: multiple vulnerabilities), GnuPG (13.2, 13.1: two vulnerabilities), libksba (Leap42.1: denial of service), libpng12 (Leap42.1: two vulnerabilities), libpng16 (Leap42.1: denial of service), libsndfile (Leap42.1: multiple vulnerabilities), ppp (Leap42.1, 13.2, 13.1: denial of service), and virtualbox (13.1: two vulnerabilities).

Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and thunderbird (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).

Categories: Linux

Garrett: What is hacker culture?

Mon, 2015-11-30 16:30
Matthew Garrett argues that meritocracy does not work as intended in development communities. "When people criticise meritocracy, they're not criticising the concept of treating contributions based on their merit. They're criticising the idea that humans are sufficiently self-aware that they will be able to identify and reject every subconscious prejudice that will affect their treatment of others. It's not a criticism of a desirable goal, it's a criticism of a flawed implementation."
Categories: Linux

Kernel prepatch 4.4-rc3

Mon, 2015-11-30 16:18
The 4.4-rc3 kernel prepatch is out for testing. "I don't think there's anything particularly exciting, although that obviously depends on whether some particular issue ended up affecting you or not. Most of it is pretty tiny random fixups."
Categories: Linux

Ubuntu Community Council election results posted

Sat, 2015-11-28 00:30

The 2015 Ubuntu Community Council (CC) elections have been concluded. The results of the vote, as announced on the Ubuntu Fridge blog, are the seven individuals who will serve on the CC for the next two years: Daniel Holbach, Laura Czajkowski, Svetlana Belkin, Michael Hall, Scarlett Clark, C de-Avillez, and Marco Ceppi. A detailed account of the ballot results, complete with links to each candidate's biographical page, is also online.

Categories: Linux

Friday's security updates

Fri, 2015-11-27 17:19

CentOS has updated thunderbird (C5; C6: multiple vulnerabilities).

Debian-LTS has updated libcommons-collections3-java (code execution) and smokeping (cross-site scripting).

Fedora has updated libxml2 (F23: multiple vulnerabilities) and pcre (F23: denial of service).

Mageia has updated libsndfile (M5: buffer overflow), libxml2 (M5: multiple vulnerabilities), python-m2crypto (M5: denial of service), python-pygments (M5: command injection), and tigervnc (M5: multiple vulnerabilities).

Categories: Linux

Thanksgiving day security updates

Thu, 2015-11-26 21:45

Happy Thanksgiving to those who celebrate it, from all of us here at LWN. Happy November 26 to everyone else :)

Debian has updated dpkg (code execution), nspr (code execution), python-django (information disclosure), and smokeping (code execution).

Debian-LTS has updated eglibc (two vulnerabilities), python-django (information disclosure), and redmine (multiple vulnerabilities).

Fedora has updated abrt (F21: information disclosure), jenkins (F22: three vulnerabilities), jenkins-remoting (F22: three vulnerabilities), and libreport (F21: information disclosure).

openSUSE has updated libpng12 (13.2, 13.1: two vulnerabilities), libpng16 (13.2, 13.1: denial of service), and strongswan (authentication bypass).

Oracle has updated abrt and libreport (OL7: multiple vulnerabilities), glibc (OL7; OL7: multiple vulnerabilities), kernel (OL7: multiple vulnerabilities), NetworkManager (OL7: denial of service), sssd (OL7: unspecified), and tigervnc (OL7: two vulnerabilities).

Red Hat has updated git19-git (RHSC2: code execution), java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities), ntp (RHEL6: denial of service), and thunderbird (multiple vulnerabilities).

SUSE has updated kernel (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated dpkg (code execution) and openjdk-7 (15.10, 15.04, 14.04: unspecified vulnerability).

Categories: Linux

Software Freedom Conservancy Launches 2015 Fundraiser

Wed, 2015-11-25 18:04
Software Freedom Conservancy has announced a major fundraising effort. "Pointing to the difficulty of relying on corporate funding while pursuing important but controversial issues, like GPL compliance, Conservancy has structured its fundraiser to increase individual support. The organization needs at least 750 annual Supporters to continue its basic community services and 2500 to avoid hibernating its enforcement efforts. If Conservancy does not meet its goals, it will be forced to radically restructure and wind down a substantial portion of its operations."
Categories: Linux

Security advisories for Wednesday

Wed, 2015-11-25 18:04

Debian has updated libcommons-collections3-java (unsanitized input data) and symfony (two vulnerabilities).

Debian-LTS has updated putty (memory corruption).

Fedora has updated grub2 (F23: Secure Boot circumvention), krb5 (F21: multiple vulnerabilities), libpng10 (F23; F22; F21: two vulnerabilities), sblim-sfcb (F23; F22; F21: denial of service), and wpa_supplicant (F22: denial of service).

Slackware has updated pcre (code execution).

SUSE has updated linux-3.12.32 (SLELP12: two vulnerabilities), linux-3.12.36 (SLELP12: two vulnerabilities), linux-3.12.38 (SLELP12: two vulnerabilities), linux-3.12.39 (SLELP12: two vulnerabilities), linux-3.12.43 (SLELP12: two vulnerabilities), linux-3.12.44 (SLELP12: two vulnerabilities), and linux-3.12.44 (SLELP12: two vulnerabilities).

Ubuntu has updated icedtea-web (15.10, 15.04, 14.04: applet execution) and python-django (15.10, 15.04, 14.04, 12.04: information disclosure).

Categories: Linux

[$] A journal for MD/RAID5

Tue, 2015-11-24 22:48
RAID5 support in the MD driver has been part of mainline Linux since 2.4.0 was released in early 2001. During this time it has been used widely by hobbyists and small installations, but there has been little evidence of any impact on the larger or "enterprise" sites. Anecdotal evidence suggests that such sites are usually happier with so-called "hardware RAID" configurations where a purpose-built computer, whether attached by PCI or fibre channel or similar, is dedicated to managing the array. This situation could begin to change with the 4.4 kernel, which brings some enhancements to the MD driver that should make it more competitive with hardware-RAID controllers.
Categories: Linux

Security updates for Tuesday

Tue, 2015-11-24 19:12

Debian-LTS has updated openjdk-6 (multiple vulnerabilities).

Fedora has updated libsndfile (F22; F21: buffer overflow), mingw-freeimage (F23; F22: integer overflow), rpm (F23: denial of service), wpa_supplicant (F21: denial of service), and zarafa (F21: two vulnerabilities, one from 2012).

Oracle has updated autofs (OL7: privilege escalation), binutils (OL7: multiple vulnerabilities), chrony (OL7: multiple vulnerabilities), cpio (OL7: denial of service), cups-filters (OL7: multiple vulnerabilities), curl (OL7: multiple vulnerabilities), file (OL7: multiple vulnerabilities), grep (OL7: heap buffer overrun), grub2 (OL7: Secure Boot circumvention), krb5 (OL7: two vulnerabilities), libreport (OL6: data leak), libssh2 (OL7: information leak), net-snmp (OL7: denial of service), netcf (OL7: denial of service), ntp (OL7: multiple vulnerabilities), openhpi (OL7: world writable /var/lib/openhpi directory), openldap (OL7: unintended cipher usage), openssh (OL7: two vulnerabilities), python (OL7: multiple vulnerabilities), rest (OL7: denial of service), rubygem-bundler and rubygem-thor (OL7: installs malicious gem files), squid (OL7: certificate validation bypass), unbound (OL7: denial of service), wireshark (OL7: multiple vulnerabilities), and xfsprogs (OL7: information disclosure).

Scientific Linux has updated libreport (SL6: data leak).

SUSE has updated firefox (SLES10SP4: multiple vulnerabilities).

Categories: Linux

Red Hat Enterprise Linux 7.2

Mon, 2015-11-23 21:34
Red Hat has announced the release of Red Hat Enterprise Linux 7.2. "New features and capabilities focus on security, networking, and system administration, along with a continued emphasis on enterprise-ready tooling for the development and deployment of Linux container-based applications. In addition, Red Hat Enterprise Linux 7.2 includes compatibility with the new Red Hat Insights, an add-on operational analytics offering designed to increase IT efficiency and reduce downtime through the proactive identification of known risks and technical issues."
Categories: Linux

Security advisories for Monday

Mon, 2015-11-23 18:42

Debian has updated openjdk-7 (unspecified vulnerability).

Fedora has updated cyrus-imapd (F21: largely unspecified), gdm (F23: denial of service), jenkins (F23: multiple vulnerabilities), jenkins-remoting (F23: multiple vulnerabilities), kernel (F21: multiple vulnerabilities), libpng (F23: denial of service), m2crypto (F21: denial of service), pdns (F21: denial of service), perl-IPTables-Parse (F21: predictable temporary file names), postgresql (F22: two vulnerabilities), python-rauth (F23: unspecified vulnerability), and xen (F23; F22; F21: denial of service).

openSUSE has updated Chromium (SUSE Package Hub for SLE12; Leap42.1, 13.2, 13.1: information leak), docker (Leap42.1: two vulnerabilities), and miniupnpc (Leap42.1, 13.2, 13.1: code execution).

Red Hat has updated abrt, libreport (RHEL7: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), java-1.8.0-ibm (RHEL7: multiple vulnerabilities), and libreport (RHEL6: data leak).

Categories: Linux

Gräßlin: Looking at the security of Plasma/Wayland

Mon, 2015-11-23 16:44
Martin Gräßlin looks at the security of the Plasma desktop running under Wayland; it's better than X11, but with some ground yet to cover. "Now imagine you want to write a key logger in a Plasma/Wayland world. How would you do it? I asked myself this question recently, thought about it, found a possible solution and had a key logger in less than 10 minutes: ouch."
Categories: Linux

GIMP is 20 Years Old, What’s Next? (Libre Graphics World)

Mon, 2015-11-23 16:19
This Libre Graphics World article looks at the challenges faced by the 20-year-old GIMP project. "If you've been following GIMP's progress over recent years, you couldn't help yourself noticing the decreasing activity in terms of both commits (a rather lousy metric) and amount of participants (a more sensible one). 'GIMP is dying', say some. 'GIMP developers are slacking', say others. 'You've got to go for crowdfunding' is yet another popular notion. And no matter what, there's always a few whitebearded folks who would blame the team for not going with changes from the FilmGIMP branch. So what's actually going on and what's the outlook for the project?"
Categories: Linux

Kernel prepatch 4.4-rc2

Mon, 2015-11-23 15:54
The second 4.4 prepatch is out for testing. Linus says: "Things are looking fairly normal in 4.4-land, with no huge surprises in rc2. There were a couple of late features: parisc hugepage support and some late slub bulk allocator patches were not only merged at the end of the week, but they strictly speaking should have been merge window things."
Categories: Linux

Poettering: Introducing sd-event

Fri, 2015-11-20 22:33
Lennart Poettering introduces the sd-event API for the implementation of event loops. "sd-event.h, of course, is not the first event loop API around, and it doesn't implement any really novel concepts. When we started working on it we tried to do our homework, and checked the various existing event loop APIs, maybe looking for candidates to adopt instead of doing our own, and to learn about the strengths and weaknesses of the various implementations existing. Ultimately, we found no implementation that could deliver what we needed, or where it would be easy to add the missing bits: as usual in the systemd project, we wanted something that allows us access to all the Linux-specific bits, instead of limiting itself to the least common denominator of UNIX."
Categories: Linux

Friday's security updates

Fri, 2015-11-20 18:42

Debian has updated lxc (code execution).

Debian-LTS has updated nspr (code execution).

Mageia has updated dovecot (M5: denial of service), gcc (M5: predictable random values), kernel (M5: multiple vulnerabilities), latex2rtf (M5: code execution), libpng/libpng12 (M5: denial of service), and uglify-js (M5: malicious code obfuscation).

openSUSE has updated krb5 (13.1, 13.2: memory corruption) and libksba (13.1, 13.2: denial of service).

Red Hat has updated autofs (RHEL7: privilege escalation), binutils (RHEL7: multiple vulnerabilities), chrony (RHEL7: multiple vulnerabilities), cpio (RHEL7: code execution), cups-filters (RHEL7: multiple vulnerabilities), curl (RHEL7: multiple vulnerabilities), file (RHEL7: multiple vulnerabilities), glibc (RHEL7: multiple vulnerabilities; RHEL7: privilege escalation), grep (RHEL7: heap buffer overrun), grub2 (RHEL7: Secure Boot circumvention), kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libssh2 (RHEL7: denial of service), net-snmp (RHEL7: denial of service), netcf (RHEL7: denial of service), NetworkManager (RHEL7: multiple vulnerabilities), ntp (RHEL7: multiple vulnerabilities), openhpi (RHEL7: world writable /var/lib/openhpi directory), openldap (RHEL7: unintended cipher usage), openssh (RHEL7: multiple vulnerabilities), pacemaker (RHEL7: privilege escalation), pcs (RHEL7: denial of service), python (RHEL7: multiple vulnerabilities), realmd (RHEL7: unsanitized input), rest (RHEL7: denial of service), rubygem-bundler, rubygem-thor (RHEL7: code execution), squid (RHEL7: certificate validation bypass), sssd (RHEL7: memory leak), tigervnc (RHEL7: multiple vulnerabilities), unbound (RHEL7: denial of service), wireshark (RHEL7: multiple vulnerabilities), and xfsprogs (RHEL7: information leak).

Ubuntu has updated libpng (multiple vulnerabilities).

Categories: Linux

Garrett: If it's not practical to redistribute free software, it's not free software in practice

Fri, 2015-11-20 16:43
Matthew Garrett continues his campaign against Canonical's "intellectual property rights policy". "The reality is that if Debian had had an identical policy in 2004, Ubuntu wouldn't exist. The effort required to strip all Debian trademarks from the source packages would have been immense, and this would have had to be repeated for every release. While this policy is in place, nobody's going to be able to take Ubuntu and build something better."
Categories: Linux