Linux Weekly News

Tartalom átvétel
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 11 perc 16 másodperc

Green: Falling through the KRACKs

k, 2017-10-17 14:19
Matthew Green explores the origins of the KRACK vulnerability. "I don’t want to spend much time talking about KRACK itself, because the vulnerability is pretty straightforward. Instead, I want to talk about why this vulnerability continues to exist so many years after WPA was standardized. And separately, to answer a question: how did this attack slip through, despite the fact that the 802.11i handshake was formally proven secure?"
Kategóriák: Linux

[$] Point releases for the GNU C Library

h, 2017-10-16 23:45
The GNU C Library (glibc) project produces regular releases on an approximately six-month cadence. The current release is 2.26 from early August; the 2.27 release is expected at the beginning of February 2018. Unlike many other projects, though, glibc does not normally create point releases for important fixes between the major releases. The last point release from glibc was 2.14.1, which came out in 2011. A discussion on the need for a 2.26 point release led to questions about whether such releases have a useful place in the current software-development environment.
Kategóriák: Linux

DragonFly BSD 5.0

h, 2017-10-16 21:43
DragonFly BSD 5.0 has been released. "Preliminary HAMMER2 support has been released into the wild as-of the 5.0 release. This support is considered EXPERIMENTAL and should generally not yet be used for production machines and important data. The boot loader will support both UFS and HAMMER2 /boot. The installer will still use a UFS /boot even for a HAMMER2 installation because the /boot partition is typically very small and HAMMER2, like HAMMER1, does not instantly free space when files are deleted or replaced. DragonFly 5.0 has single-image HAMMER2 support, with live dedup (for cp's), compression, fast recovery, snapshot, and boot support. HAMMER2 does not yet support multi-volume or clustering, though commands for it exist. Please use non-clustered single images for now."
Kategóriák: Linux

Millions of high-security crypto keys crippled by newly discovered flaw (Ars Technica)

h, 2017-10-16 16:21
Ars Technica is reporting on a flaw in the RSA library developed by Infineon that drastically reduces the amount of work needed to discover a private key from its corresponding public key. This flaw, dubbed "ROCA", mainly affects key pairs that have been generated on keycards. "While all keys generated with the library are much weaker than they should be, it's not currently practical to factorize all of them. For example, 3072-bit and 4096-bit keys aren't practically factorable. But oddly enough, the theoretically stronger, longer 4096-bit key is much weaker than the 3072-bit key and may fall within the reach of a practical (although costly) factorization if the researchers' method improves. To spare time and cost, attackers can first test a public key to see if it's vulnerable to the attack. The test is inexpensive, requires less than 1 millisecond, and its creators believe it produces practically zero false positives and zero false negatives. The fingerprinting allows attackers to expend effort only on keys that are practically factorizable. The researchers have already used the method successfully to identify weak keys, and they have provided a tool here to test if a given key was generated using the faulty library. A blog post with more details is here."
Kategóriák: Linux

Security updates for Monday

h, 2017-10-16 16:04
Security updates have been issued by Debian (wpa), Fedora (perl, recode, and tor), Gentoo (elfutils, gnutls, graphite2, libtasn1, puppet-agent, shadow, and webkit-gtk), Mageia (pjproject, thunderbird, and weechat), and SUSE (kernel).
Kategóriák: Linux

An enforcement clarification from the kernel community

h, 2017-10-16 15:26
The Linux Foundation's Technical Advisory board, in response to concerns about exploitative license enforcement around the kernel, has put together this patch adding a document to the kernel describing its view of license enforcement. This document has been signed or acknowledged by a long list of kernel developers. In particular, it seeks to reduce the effect of the "GPLv2 death penalty" by stating that a violator's license to the software will be reinstated upon a timely return to compliance. "We view legal action as a last resort, to be initiated only when other community efforts have failed to resolve the problem. Finally, once a non-compliance issue is resolved, we hope the user will feel welcome to join us in our efforts on this project. Working together, we will be stronger."

See this blog post from Greg Kroah-Hartman for more information.

Kategóriák: Linux

"KRACK": a severe WiFi protocol flaw

h, 2017-10-16 14:55
The "krackattacks" web site discloses a set of WiFi protocol flaws that defeat most of the protection that WPA2 encryption is supposed to provide. "In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol".
Kategóriák: Linux

Kernel prepatch 4.14-rc5

h, 2017-10-16 02:50
The 4.14-rc5 kernel prepatch is out. "We've certainly had smaller rc5's, but we've had bigger ones too, and this week finally felt fairly normal in a release that has up until now felt a bit messier than it perhaps should have been. So assuming this trend holds, we're all good. Knock wood."
Kategóriák: Linux

Bottomley: Using Elliptic Curve Cryptography with TPM2

v, 2017-10-15 17:16
James Bottomley describes the use of the trusted platform module with elliptic-curve cryptography, with a substantial digression into how the elliptic-curve algorithm itself works. "The initial attraction is the same as for RSA keys: making it impossible to extract your private key from the system. However, the mathematical calculations for EC keys are much simpler than for RSA keys and don’t involve finding strong primes, so it’s much simpler for the TPM (being a fairly weak calculation machine) to derive private and public EC keys."

Kategóriák: Linux

Stable kernel 4.13.7

szo, 2017-10-14 15:08
The 4.13.7 stable kernel update has been released; it contains a fix for an unpleasant local vulnerability that affects only 4.13 kernels.
Kategóriák: Linux

[$] unsafe_put_user() turns out to be unsafe

p, 2017-10-13 22:19
When a veteran kernel developer introduces a severe security hole into the kernel, it can be instructive to look at how the vulnerability came about. Among other things, it can point the finger at an API that lends itself toward the creation of such problems. And, as it turns out, the knowledge that the API is dangerous at the outset and marking it as such may not be enough to prevent problems.
Kategóriák: Linux

Security updates for Friday

p, 2017-10-13 15:42
Security updates have been issued by Arch Linux (botan, flyspray, go, go-pie, pcre2, thunderbird, and wireshark-cli), Fedora (chromium and mingw-poppler), Red Hat (Red Hat JBoss BPM Suite 6.4.6 and Red Hat JBoss BRMS 6.4.6), SUSE (git and kernel), and Ubuntu (libffi and xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).
Kategóriák: Linux

[$] The trouble with text-only email

cs, 2017-10-12 16:11
Mozilla's manifesto commits the organization to a number of principles, including support for individual privacy and an individual's right to control how they experience the Internet. As a result, when Mozilla recently stated its intent to remove the "text only" option from its mailing lists — for the purpose of tracking whether recipients are reading its emails — the reaction was, to put it lightly, not entirely positive. The text-only option has been saved, but the motivation behind this change is indicative of the challenges facing independent senders of email.
Kategóriák: Linux

Four new stable kernels

cs, 2017-10-12 16:07
Greg Kroah-Hartman has announced the release of the 4.13.6, 4.9.55, 4.4.92, and 3.18.75 stable kernels. As usual, they contain fixes throughout the tree, so users should upgrade.

Update: Kroah-Hartman released 4.9.56: "It fixes a networking bug in 4.9.55. Don't use 4.9.55, it's busted, sorry about that, I should have held off and gotten more testing on it, my fault :("

Kategóriák: Linux

Security updates for Thursday

cs, 2017-10-12 15:41
Security updates have been issued by CentOS (httpd and thunderbird), Debian (nss), Fedora (git), openSUSE (krb5, libvirt, samba, and thunderbird), Oracle (httpd and thunderbird), Red Hat (httpd, rh-mysql57-mysql, and thunderbird), Scientific Linux (httpd and thunderbird), and Ubuntu (ceph).
Kategóriák: Linux

[$] LWN.net Weekly Edition for October 12, 2017

cs, 2017-10-12 03:46
The LWN.net Weekly Edition for October 12, 2017 is available.
Kategóriák: Linux

[$] Continuous-integration testing for Intel graphics

sze, 2017-10-11 17:01

Two separate talks, at two different venues, give us a look into the kinds of testing that the Intel graphics team is doing. Daniel Vetter had a short presentation as part of the Testing and Fuzzing microconference at the Linux Plumbers Conference (LPC). His colleague, Martin Peres, gave a somewhat longer talk, complete with demos, at the X.Org Developers Conference (XDC). The picture they paint is a pleasing one: there is lots of testing going on there. But there are problems as well; that amount of testing runs afoul of bugs elsewhere in the kernel, which makes the job harder.

Kategóriák: Linux

Security updates for Wednesday

sze, 2017-10-11 16:06
Security updates have been issued by Arch Linux (lame, salt, and xorg-server), Debian (ffmpeg, imagemagick, libxfont, wordpress, and xen), Fedora (ImageMagick, rubygem-rmagick, and tor), Oracle (kernel), SUSE (kernel, SLES 12 Docker image, SLES 12-SP1 Docker image, and SLES 12-SP2 Docker image), and Ubuntu (curl, glance, horizon, kernel, keystone, libxfont, libxfont1, libxfont2, libxml2, linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-gcp, linux-hwe, linux-lts-xenial, nova, openvswitch, swift, and thunderbird).
Kategóriák: Linux

Plasma 5.11

sze, 2017-10-11 00:08
KDE Plasma 5.11 has been released. "Plasma 5.11 brings a redesigned settings app, improved notifications, a more powerful task manager. Plasma 5.11 is the first release to contain the new “Vault”, a system to allow the user to encrypt and open sets of documents in a secure and user-friendly way, making Plasma an excellent choice for people dealing with private and confidential information."
Kategóriák: Linux

[$] Cramming features into LTS kernel releases

k, 2017-10-10 20:25
While the 4.14 development cycle has not been the busiest ever (12,500 changesets merged as of this writing, slightly more than 4.13 at this stage of the cycle), it has been seen as a rougher experience than its predecessors. There are all kinds of reasons why one cycle might be smoother than another, but it is not unreasonable to wonder whether the fact that 4.14 is a long-term support (LTS) release has affected how this cycle has gone. Indeed, when he released 4.14-rc3, Linus Torvalds complained that this cycle was more painful than most, and suggested that the long-term support status may be a part of the problem. A couple of recent pulls into the mainline highlight the pressures that, increasingly, apply to LTS releases.
Kategóriák: Linux