The Linux Test Project (LTP) has made a stable release for September 2015. The previous release was in April. This release has a number of new test cases including ones for user namespaces, virtual network interfaces, umount2(), getrandom(), and more. In addition, the network namespace test cases were rewritten and regression tests have been added for inotify, cpuset, futex_wake(), and recvmsg(). We looked at writing LTP test cases back in January.
Arch Linux has updated bind (two denial of service flaws).
Debian-LTS has updated openslp-dfsg (three vulnerabilities, one from 2010, another from 2012).
Slackware has updated bind (two denial of service flaws).
Ubuntu has updated bind9 (denial
KDE.News looks at KDE sprints and their benefits. The organization is doing some fundraising to help support its sprints, so it is trying to get the word out about these code-focused events: “To start with, KDE sprints are intensive sessions centered around coding. They take place in person over several days, during which time skillful developers eat, drink and sleep code. There are breaks to refresh and gain perspective, but mostly sprints involve hard, focused work. All of this developer time and effort is unpaid. However travel expenses for some developers are covered by KDE. KDE is a frugal organization with comparatively low administrative costs, and only one paid person who works part time. So the money donated for sprints goes to cover actual expenses. Who gets the money? Almost all of it goes to transportation companies.”
Debian has updated php5 (multiple vulnerabilities).
Fedora has updated mariadb (F21: unspecified).
Mageia has updated cgit (code execution from 2014).
Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities, including one from 2014).
“This release includes significant changes to the implementation. The compiler tool chain was translated from C to Go, removing the last vestiges of C code from the Go code base. The garbage collector was completely redesigned, yielding a dramatic reduction [PDF] in garbage collection pause times. Related improvements to the scheduler allowed us to change the default GOMAXPROCS value (the number of concurrently executing goroutines) from 1 to the number of available CPUs. Changes to the linker enable distributing Go packages as shared libraries to link into Go programs, and building Go packages into archives or shared libraries that may be linked into or loaded by C programs (design doc).”
On his blog, Clint Ruoho reports on multiple vulnerabilities he found in the Pocket service that saves articles and other web content for reading later on a variety of devices. Pocket integration has been controversially added to Firefox recently, which is what drew his attention to the service. “The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache’s mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket’s app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs.
These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket’s backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers.” He was able to get more information, such as the contents of /etc/passwd on Pocket’s Amazon EC2 servers.
(Thanks to Scott Bronson and Pete Flugstad.)
CentOS has updated glibc (C5: code execution from 2013), mysql55-mysql (C5: multiple unspecified vulnerabilities, one from 2014), net-snmp code execution), sqlite (C6: code execution), sqlite (C7: three vulnerabilities), and subversion (C6: three
Debian-LTS has updated libstruts1.2-java (unclear vulnerability from 2014).
Fedora has updated erlang (F22; F21: man-in-the-middle vulnerability), firefox (F22: many vulnerabilities), flac (F21: two vulnerabilities from 2014), gnutls (F21: code execution), golang (F22; F21: HTTP request smuggling), nagios-plugins (F22; F21: three vulnerabilities), qemu (F22: two vulnerabilities), uwsgi denial of service), and webkitgtk4 (F22: three unspecified vulnerabilities).
Mageia has updated kdepim (M4: no attachment encryption from 2014).
Oracle has updated glibc (OL5: code execution from 2013), mysql55-mysql (OL5: multiple unspecified vulnerabilities, one from 2014), net-snmp code execution), sqlite (OL7: three vulnerabilities), sqlite (OL6: code execution), and subversion (OL6: three vulnerabilities).
Red Hat has updated net-snmp (RHEL6&7: code execution).
Scientific Linux has updated glibc (SL5: code execution from 2013), mysql55-mysql (SL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (SL6&7: code execution), sqlite (SL6: code execution), and subversion (SL6: three
Ubuntu has updated kernel (12.04: three vulnerabilities), kernel (15.04; 14.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-ti-omap4 (12.04: three vulnerabilities), and net-snmp (two vulnerabilities, one from 2014).
Arch Linux has updated glibc (denial of service from 2014).
Oracle has updated kernel 3.8.13 (OL7; OL6: two remote denial of service flaws), kernel 2.6.39 (OL6; OL5: two remote denial of service flaws), and kernel 2.6.32 (OL6; OL5: two remote denial of service flaws).
Red Hat has updated glibc (RHEL5: code execution from 2013), mysql55-mysql (RHEL5; RHSC2: multiple unspecified vulnerabilities, one from 2014), rh-mysql56-mysql (RHSC2: multiple unspecified vulnerabilities), sqlite (RHEL6: code execution), sqlite (RHEL7: three vulnerabilities), and subversion (RHEL6: three vulnerabilities).
Scientific Linux has updated sqlite (SL7: three vulnerabilities).
It would seem that reports of the demise of the Stagefright Android vulnerability may be rather premature. Exodus Intelligence is reporting that at least one of the fixes for integer overflow did not actually fully fix the problem, so MPEG4 files can still crash Android and potentially allow code execution. “Around July 31st, Exodus Intelligence security researcher Jordan Gruskovnjak noticed that there seemed to be a severe problem with the proposed patch. As the code was not yet shipped to Android devices, we had no ability to verify this authoritatively.
In the following week, hackers converged in Las Vegas for the annual Black Hat conference during which the Stagefright vulnerability received much attention, both during the talk and at the various parties and events.
After the festivities concluded and the supposedly patched firmware was released to the public, Jordan proceeded to investigate whether his assumptions regarding its fallibility were well founded. They were.”
CentOS has updated kernel (C6: two remote denial of service flaws).
Oracle has updated kernel (OL6: two remote denial of service flaws).
Red Hat has updated kernel (RHEL6: two remote denial of service flaws).
Scientific Linux has updated kernel (SL6: two remote denial of service flaws).
SUSE has updated firefox (SLE11SP4, SP3: information leak).
Fedora Magazine reports on Fedora project leader Matthew Miller’s keynote at Flock, which is the Fedora contributor conference. He outlined the state of the distribution using some graphs and statistics and said “we’re doing very well as a project and it’s thanks to all of you“. The use of Internet Relay Chat (IRC) by the project was another topic: “Fedorans do like to work together. Last year there were 1,066 IRC meetings (official meetings, not just being in IRC talking), and 765 IRC meetings in 2015 alone. ‘This shows how vibrant we are, but also is buried in IRC. There’s a lot of Fedora activity you don’t see on the Fedora Web site… I want to look at ways to make that more visible,’ says Miller.
There are efforts to make the activity more visible, says Miller. ‘If I want to interact with the project, is somebody there? Yes, but we have millions of dead pages on the wiki… we need to make this more visible.’
IRC is ‘definitely a measure of engagement’ but it’s also a high barrier of entry, says Miller. ‘Wow that’s complicated. Wow, that’s still around?’ is a common response from new contributors to IRC. The technology, and ‘culture’ can be confusing.”
Debian has updated request-tracker4 (cross-site scripting).
Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).
On his blog, Peter Grasch considers the future for the Simon speech-recognition system for KDE. He is passing the torch and will no longer be actively participating in the project, but he spent some time passing on his knowledge and some thoughts on where things might go from here. In addition, he built a working prototype of a speech-based command and control system for the Plasma desktop called Lera. “If anything, Lera is a starting point. The next steps would be to move Simon’s “eventsimulation” library into a separate framework, to be shared between Lera and Simon. Lera could then use this to type out the recognition results (see Simon’s Dictation plugin). Then, I would suggest porting a simplified notion of “Scenarios” to Lera, which should only really contain a set of commands, and maybe context information (vocabulary and “grammar” can be synthesized automatically from the command triggers). The implementation of training (acoustic model adaption) would then complete a very sensible, very usable version 1.0.”
The ownCloud blog has a post about federated file sharing between ownCloud instances in ownCloud 8.1, but it also looks at the wider view of federation between various kinds of cloud servers. ownCloud founder Frank Karlitschek has a series of posts (It is Time to Federate Our Clouds, The Next Generation File Sync and Share Technology, and The Federated Architecture of Next Generation File Sync and Share) on federation technology and has also proposed a cross-cloud-platform federation API:
“In addition, today Frank proposed a draft of a Federated Cloud Sharing API to the Open Cloud Mesh working group with the goal of jump-starting a discussion about what is needed to enable federation between different file sharing implementations. Sharing among ownClouds is great, but the true power of a federated file cloud is available when you can share among different implementations seamlessly, because you all speak the same common language. This is the goal of the Open Cloud Mesh working group (of which ownCloud is a member as well), and outside of that, drafts have been shared with a number of well known standards organizations around web technologies and fellow open source file share and sync projects to get the work started.”
CentOS has updated kernel (C7: multiple vulnerabilities, one from 2014).
Fedora has updated kernel (F22:
Scientific Linux has updated kernel (SL7: multiple vulnerabilities, one from 2014).
SUSE has updated oracle-update (Manager 2.1: multiple vulnerabilities).
Ubuntu has updated cinder (15.04: arbitrary file reads), python-keystoneclient, python-keystonemiddleware (15.04, 14.04: two vulnerabilities, one from 2014), and swift (15.04, 14.04, 12.04: two vulnerabilities, one from 2014).
PostgreSQL 9.5 Alpha 2 is due to be released on August 6. Not only does the new version support UPSERT, more JSON functionality, and other new features we looked at back in July, it also has some major enhancements for “big data” workloads. Among these are faster sorts, TABLESAMPLE, GROUPING SETS and CUBE, BRIN indexes, and Foreign Data Wrapper improvements. Taken together, these features strengthen arguments for using PostgreSQL for data warehouses, and enable users to continue using it with bigger databases.
You might be surprised to learn that starting with Linux 2.6.31 (in 2009) it has been rather easy to crash the Linux kernel.
This date marks the introduction of the
It is likely that perf_event is not any more prone to errors than any other large kernel subsystem, but it has the distinction of being subjected to intense testing from the perf_fuzzer tool, which methodically probes the interface for bugs.
Click below (subscribers only) for the full article from perf_fuzzer author
The Ada Initiative has announced that it is shutting down in mid-October. In the four years since it was founded, the organization has accomplished a lot to help create a less hostile environment for women in open technology and open culture. “We are proud of what we accomplished with the support of many thousands of volunteers, sponsors, and donors, and we expect all of our programs to continue on in some form without the Ada Initiative.” Essentially, the organization found it hard to find others with the same “experiences, skills, strengths and passions” as co-founders Valerie Aurora and Mary Gardiner when they wanted to change roles with the initiative. “The Ada Initiative will shut down in approximately mid-October after using our remaining funds to complete our current obligations and do the tasks necessary to shut down the organization properly. We have several Ally Skills Workshops booked or in the process of being booked during our remaining months of operation. (We will not be booking additional Ally Skills Workshops through the Ada Initiative, but we will refer clients to other people who are teaching the Ally Skills Workshop.) We will teach Impostor Syndrome training classes in Sydney and Oakland in August, and release the materials under the Creative Commons Attribution Sharealike license. We will do the work to keep the Ada Initiative’s web content online and available after the Ada Initiative shuts down.”
Debconf15, which will be held in Heidelberg, Germany August 15-23, has announced its schedule as well as four featured speakers: Allison Randal, President, Open Source Initiative and Distinguished Technologist, HP; Peter Eckersley, Chief Computer Scientist, Electronic Frontier Foundation; John Sullivan, Executive Director, Free Software Foundation; and Jon ‘maddog’ Hall, Executive Director, Linux International. “The DebConf content team is pleased to announce the schedule of DebConf15, the forthcoming Debian Developers Conference. From a total of nearly 100 talk submissions, the team selected 75 talks. Due to the high number of submissions, several talks had to be shortened to 20 minute slots, of which a total of 30 talks have made it to the schedule.
In addition, around 50 meetings and discussions (BoFs) have been organized so far, as well as several other events like lightning talk sessions, live demos, a movie screening, a poetry night or stand-up
Debian-LTS has updated squid3
Fedora has updated drupal7-path_breadcrumbs (F22; F21: cross-site scripting), ecryptfs-utils (F22; F21: password disclosure from 2014), hplip (F21: key verification botch), httpd (F21: multiple vulnerabilities), ipython (F22; F21: cross-site request forgery), libunwind (F21: code execution), libwmf (F21: two denial of service flaws), nx-libs (F22: unspecified vulnerabilities), wpa_supplicant (F21: code execution), and xrdp (F21: denial of service).
Oracle has updated autofs (OL6: privilege escalation from 2014), bind (OL6; OL6: denial of service), curl (OL6: multiple vulnerabilities, some from 2014), freeradius (OL6: code execution from 2014), gnutls (OL6: two vulnerabilities), grep (OL6: code execution), hivex (OL6: code execution from 2014), ipa (OL6: cross-site scripting from 2010 and 2012), kernel (OL6: multiple vulnerabilities, some from 2014), kernel 3.8.13 (OL7; OL6: three vulnerabilities, one from 2014), libreoffice (OL6: code execution), libuser (OL6: privilege escalation), libxml2 (OL6: two vulnerabilities, one from 2014), mailman (OL6: two vulnerabilities, one from 2002), net-snmp (OL6: denial of service from 2014), ntp (OL6: three vulnerabilities), pki-core (OL6: cross-site scripting), python (OL6: two vulnerabilities from 2013 and 2014), sudo (OL6: information disclosure from 2014), wireshark (OL6: multiple vulnerabilities, some from 2014), and wpa_supplicant (OL6: denial
SUSE has updated bind (SLE11SP1: denial of service).
Ubuntu has updated ghostscript (15.04, 14.04, 12.04: code execution), openjdk-7 (15.04, 14.04: multiple vulnerabilities), pcre3 (15.04, 14.04, 12.04: multiple vulnerabilities, one from 2014), and tidy (15.04, 14.04, 12.04: two vulnerabilities).
Though it got a bit of a late start due to some registration woes, the first day of EuroPython 2015 began with an engaging and well-received keynote. It recounted the history of a project that got its start just a year ago when the first Django Girls workshop was held at EuroPython 2014 in Berlin. The two women who started the project, Ola Sitarska and Ola Sendecka, spoke about how the workshop to teach women about Python and the Django web framework all came together—and the amazing progress that has been made by the organization in its first year.
The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.
Debian-LTS has updated python-django (three vulnerabilities).
Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified), java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: denial of service).
It has been nearly a year and a half since the last major Python release, which was 3.4 in March 2014—that means it is about time for Python 3.5. We looked at some of the new features in 3.4 at the time of its first release candidate, so the announcement of the penultimate beta release for 3.5 seems like a good time to see what will be coming in the new release.
Subscribers can click below to see the full article from this week’s edition.