Author Archive

LWN.net: First Ubuntu Touch Tablet Brings Convergence at Last (Linux.com)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Over at Linux.com, Eric Brown looks at the newly announced Ubuntu Touch tablet. The hardware: “The Aquaris M10 is equipped with a 64-bit, quad-core, Cortex-A53 MediaTek MT8163A system-on-chip clocked to 1.5GHz, along with a high-powered ARM Mali-T720 MP2 GPU. The tablet ships with 2GB of RAM, 16GB flash, and a microSD slot.” It is said to have 1920×1200 resolution and an 8 megapixel camera capable of HD recording. The interface will change to take advantage of larger displays and additional input devices (e.g. keyboard, mouse).
“It appears that the upcoming Ubuntu 16.04 “Xenial Xerus” LTS release due in April will be the first true convergence release. According to PC World, it will still be optional, however, with a traditional Unity 7 build with X.org available alongside the newly converged Unity 8 with the new Mir display server. The new tablet, and Unity 8, will feature Ubuntu Touch’s Scopes interface, which presents frequently used content and services as an alternative to traditional apps.

In addition to automatically changing the interface in response to new screens and input devices, Ubuntu is also providing convergence on the application development level. Developers are already developing single apps that can automatically morph into desktop, phone, and tablet formats.”

LWN.net: Thursday’s security advisories


Debian-LTS has updated openjdk-6 (multiple vulnerabilities).

Fedora has updated nodejs-is-my-json-valid (F23: denial of service), phpmyadmin (F23: multiple vulnerabilities), and prosody (F22: insecure key handling).

Gentoo has updated qemu (multiple vulnerabilities).

Slackware has updated mozilla (unspecified), mplayer (file contents leak), openssl (cipher downgrade), and php (three vulnerabilities).

LWN.net: NSA Hacker Chief Explains How to Keep Him Out of Your System (Wired)


Wired reports on a talk at the USENIX Enigma conference by Rob Joyce of the US National Security Agency (NSA). Joyce is the head of the NSA’s Tailored Access Operations, which is tasked with breaking into the systems of adversaries and sometimes allies. He spoke about ways to thwart the NSA and other nation-state-level attackers. “‘We put the time in … to know [that network] better than the people who designed it and the people who are securing it,’ he said. ‘You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.’”

LWN.net: Thursday’s security advisories


Arch Linux has updated nginx (three denial of service flaws).

Debian has updated iceweasel (three vulnerabilities) and openjdk-7 (multiple vulnerabilities).

openSUSE has updated chromium (13.1: multiple vulnerabilities), java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1; 13.2: multiple vulnerabilities), java7 (13.1: multiple vulnerabilities), and openldap2 (42.1: two vulnerabilities).

Oracle has updated bind (OL7; OL6; OL5: denial of service), bind97 (OL5: denial of service), and firefox (OL7; OL6; OL5: two code execution flaws).

Red Hat has updated bind (RHEL6.4, 6.5: four denial of service flaws, including one from 2014) and bind (RHEL6.6: three denial of service flaws).

Scientific Linux has updated bind (denial of service), bind97 (SL5: denial of service), and firefox (two code execution flaws).

SUSE has updated java-1_7_0-openjdk (SLE12; SLE11: multiple vulnerabilities) and openldap2 (Studio Onsite 1.3: two vulnerabilities).

Ubuntu has updated curl (authentication bypass) and oxide-qt (15.10, 15.04, 14.04: multiple vulnerabilities).

LWN.net: [$] The Linux Foundation changes its bylaws


The Linux Foundation’s board of directors is not usually a hotbed of controversy; for the most part it does its work in the background, quietly going about the business of directing the non-profit organization. In mid-January that all changed. The bylaws that governed how some at-large board seats were allocated were changed, which caused quite an uproar within the Linux world. While there is speculation about the motive for the change—as well as an official statement of sorts—it certainly seems like the whole thing could have been handled a lot better.

Subscribers can click below for the full story from this week’s edition.

LWN.net: Hutterer: Is Wayland ready yet?


On his blog, Peter Hutterer answers the perennial “is Wayland ready yet?” question by pointing out that it really is not the right question. “The protocol is stable and has been for a while. But not every compositor and/or toolkit/application speak Wayland yet, so it may not be sufficient for your use-case. So rather than asking ‘Is Wayland ready yet’, you should be asking: ‘Can I run GNOME/KDE/Enlightenment/etc. under Wayland?’ That is the right question to ask, and the answer is generally ‘It depends what you expect to work flawlessly.’ This also means ‘people working on Wayland’ is often better stated as ‘people working on Wayland support in ….’”

LWN.net: Friday’s security updates


CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities) and java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian has updated fuse (privilege escalation).

Fedora has updated libsndfile (F22: two vulnerabilities), python-rsa (F23: signature forgery), and rsync (F22: file overwrite from 2014).

Mageia has updated dhcpcd (denial of service).

openSUSE has updated bind (42.1; 13.2: denial of service), cgit (42.1, 13.2: three vulnerabilities), giflib (13.2: code execution), and libxml2 (42.1: denial of service).

Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities) and java-1.8.0-openjdk (OL6: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (SL6; SL5&7: multiple vulnerabilities) and java-1.8.0-openjdk (SL7: multiple vulnerabilities).

Ubuntu has updated perl (15.10, 15.04: taint botch) and rsync (file overwrite from 2014).

LWN.net: Thursday’s security advisories


Arch Linux has updated bind (two vulnerabilities) and libdwarf (information leak).

Fedora has updated kernel (F23: two vulnerabilities) and prosody (F23; F22: two vulnerabilities).

Mageia has updated bind (two vulnerabilities), cacti (three vulnerabilities), dhcp (denial of service), encfs (code execution from 2014), kernel (privilege escalation), kernel-linus (privilege escalation), kernel-tmb (privilege escalation), moodle (two vulnerabilities), and perl, perl-PathTools (taint botch).

Oracle has updated java-1.8.0-openjdk (OL7: multiple vulnerabilities), kernel (OL5: unspecified), kernel 3.8.13 (OL7; OL6: privilege escalation), and kernel 4.1.12 (OL7; OL6: privilege escalation).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-openjdk (RHEL6; RHEL5&7: multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-openjdk (RHEL7; RHEL6: multiple vulnerabilities), and java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities).

Scientific Linux has updated java-1.8.0-openjdk (SL6: multiple vulnerabilities).

SUSE has updated bind (SLE12: denial of service) and kernel (SLE12SP1: privilege escalation).

LWN.net: Garrett: Linux Foundation quietly drops community representation


On his blog, Matthew Garrett has noted that the Linux Foundation (LF) has dropped the community representatives to its board that were elected by the individual LF members. “The by-laws were amended to drop the clause that permitted individual members to elect any directors. Section 3.3(a) now says that no affiliate members may be involved in the election of directors, and section 5.3(d) still permits at-large directors but does not require them[2]. The old version of the bylaws is here – the only non-whitespace differences are in sections 3.3(a) and 5.3(d).
These changes all happened shortly after Karen Sandler [executive director of the Software Freedom Conservancy] announced that she planned to stand for the Linux Foundation board during a presentation last September [YouTube link]. A short time later, the “Individual membership” program was quietly renamed to the “Individual supporter” program and the promised benefit of being allowed to stand for and participate in board elections was dropped (compare the old page to the new one).”

Garrett speculates that the GPL enforcement suit that the Software Freedom Conservancy is funding against VMware, which is an LF member, is ultimately behind the move.
He also notes (the [2] above) that there is still a community representative from the Technical Advisory Board (TAB) that sits on the LF board.

LWN.net: [$] OpenSSH and the dangers of unused code


Unused code is untested code, which probably means that it harbors bugs—sometimes significant security bugs. That lesson has been reinforced by the recent OpenSSH “roaming” vulnerability. Leaving a half-finished feature only in the client side of the equation might seem harmless on a cursory glance but, of course, is not. Those who mean harm can run servers that “implement” the feature to tickle the unused code. Given that the OpenSSH project has a strong security focus (and track record), it is truly surprising that a blunder like this could slip through—and keep slipping through for roughly six years.

Subscribers can click below to read the full story from the week’s edition.

LWN.net: Tuesday’s security updates


Debian has updated kernel (multiple vulnerabilities, including one from 2013).

Debian-LTS has updated isc-dhcp (denial of service), passenger (environment variable injection), and srtp (denial of service).

openSUSE has updated mbedtls (42.1: signature forgery), perl-Module-Signature (13.2, 13.1: multiple vulnerabilities), and polarssl (13.2: signature forgery).

Red Hat has updated kernel (RHEL5: two remote denial of service vulnerabilities) and kernel (RHEL6.2: two denial of service vulnerabilities).

SUSE has updated samba (SLE11SP4, SLE11SP3: multiple vulnerabilities) and kernel (SLE12: multiple vulnerabilities).

LWN.net: How conference organizers can create better attendee experiences (Opensource.com)


Over at Opensource.com, VM (Vicky) Brasseur and Josh Berkus give advice to conference organizers on how they can improve their conferences for attendees. There are ten different areas they address, including “Clear communications”, “Have a Code of Conduct (and train staff on what that means)”, “Fix your darn badges”, and “Working Wi-Fi (here be dragons)”. “When asked, attendees have a lot of strong opinions on the subject of conference badges, and the majority of those opinions are not positive. Badges serve multiple purposes, but the single most important one is allowing attendees to identify each other. Yet, despite that, few conference badges do a good job of performing this one deceptively simple duty.”

LWN.net: Linux Foundation and Goodwill team up to provide free Linux training in Central Texas


The Linux Foundation and Goodwill are working together to bring free Linux training and certification to adult students in Texas.
“The scholarship program will begin with The Goodwill Excel Center and the Goodwill Career and Technical Academy in Central Texas and is expected to expand to other communities in the future. The Goodwill Excel Center is the first free public charter high school for adults in Texas. Students age 17-50 have the opportunity to earn their high school diploma, complete an in-demand professional certification and begin post-secondary education.

The Extended Learning Linux Foundation Scholarship Program created by Linux Foundation and Goodwill includes free access to the Intro to Linux (LFS101x) and Essentials of System Administration (LFS201) courses, and the Linux Foundation Certified System Administrator exam at no cost. Hundreds of disadvantaged individuals from underserved communities and a variety of backgrounds are expected to enroll in the new program in the year ahead.”

LWN.net: 2016 Linux Plumbers Conference Call for Microconferences


The 2016 Linux Plumbers Conference (LPC) has announced its Call for Microconferences. LPC will be held in Santa Fe, NM, USA on November 2-4, co-located with the Kernel Summit. “A microconference is a collection of collaborative sessions focused on problems in a particular area of the Linux plumbing, which includes the kernel, libraries, utilities, UI, and so forth, but can also focus on cross-cutting concerns such as security, scaling, energy efficiency, or a particular use case. Good microconferences result in solutions to these problems and concerns, while the best microconferences result in patches that implement those solutions.”

LWN.net: Security advisories for Thursday


Debian has updated libpng (two vulnerabilities), pygments (code execution), and wordpress (cross-site scripting).

Debian-LTS has updated cacti (SQL injection) and inspircd (denial of service and possible IRC network privilege escalation).

Fedora has updated gajim (F23; F22: man-in-the-middle attack), nodejs-ws (F23; F22: remote information disclosure), and perl-PathTools (F23: tainting botch).

Mageia has updated apache-commons-collections (code execution), kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), libtiff (three vulnerabilities), mono (code execution from 2009), and roundcubemail (path traversal).

openSUSE has updated gajim (42.1: man-in-the-middle attack), libpng12 (42.1: code execution), libpng15 (42.1: code execution), libpng16 (42.1: code execution), libxml2 (42.1: multiple vulnerabilities), and python-rsa (signature forgery).

SUSE has updated java-1_6_0-ibm (SLE10SP4: multiple vulnerabilities).

Ubuntu has updated thunderbird (multiple vulnerabilities).

LWN.net: [$] User namespaces + overlayfs = root privileges


The user namespaces feature is conceptually fairly straightforward—allow users to run as root in their own space, while limiting their privileges on the system outside that space—but the implementation has, perhaps unsurprisingly, proven to be quite tricky. There are some assumptions about user IDs and how they operate that are deeply wired into the kernel in various subsystems; shaking those out has taken some time, which led to some hesitation about enabling the feature in distribution kernels. But that reluctance has largely passed at this point, which makes the recent discovery of a root-privilege escalation using user namespaces and the overlay filesystem (overlayfs) that much more dangerous.

Subscribers can click below for the full story from this week’s edition.

LWN.net: PostgreSQL 9.5 released


PostgreSQL 9.5 has been released with lots of new features for the database management system, including UPSERT, row-level security, and several “big data” features. We previewed some of these features back in July and August. “A most-requested feature by application developers for several years, ‘UPSERT’ is shorthand for ‘INSERT, ON CONFLICT UPDATE’, allowing new and updated rows to be treated the same. UPSERT simplifies web and mobile application development by enabling the database to handle conflicts between concurrent data changes. This feature also removes the last significant barrier to migrating legacy MySQL applications to PostgreSQL.”
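The two 9.5 features named above, UPSERT and row-level security, interact in a way worth seeing side by side: an UPSERT that lands on an existing key turns into an UPDATE, and that UPDATE is still subject to the table's row-level policy. The following is a constructed example added here, not code from the PostgreSQL announcement or from LWN; the table `user_settings`, the policy `own_rows` and the role `app_user` are hypothetical names chosen for illustration.

```sql
-- Constructed example (not from the PostgreSQL release or LWN):
-- a per-user settings table where each user may only read and change
-- rows they own, and where "save" must work whether or not a row exists.
CREATE TABLE user_settings (
    user_name  text NOT NULL,
    setting    text NOT NULL,
    value      text,
    PRIMARY KEY (user_name, setting)
);

-- Row-level security (new in 9.5). USING filters rows a role may see or
-- modify; WITH CHECK constrains rows it may insert or produce by update.
ALTER TABLE user_settings ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON user_settings
    USING (user_name = current_user)
    WITH CHECK (user_name = current_user);

-- The table owner bypasses RLS by default; an application role does not,
-- so grants alone do not let app_user reach other users' rows.
CREATE ROLE app_user LOGIN;   -- hypothetical application role
GRANT SELECT, INSERT, UPDATE ON user_settings TO app_user;

-- UPSERT: insert, or on primary-key conflict update the existing row.
-- EXCLUDED is the row that was proposed for insertion.
INSERT INTO user_settings (user_name, setting, value)
VALUES (current_user, 'theme', 'dark')
ON CONFLICT (user_name, setting)
DO UPDATE SET value = EXCLUDED.value;

-- Variant that keeps whatever is already stored instead of overwriting.
INSERT INTO user_settings (user_name, setting, value)
VALUES (current_user, 'theme', 'light')
ON CONFLICT (user_name, setting) DO NOTHING;

-- If app_user tries to UPSERT a row keyed on another user's name, the
-- WITH CHECK clause rejects the insert path, and on the update path the
-- existing row fails the USING clause, so the statement errors out
-- rather than silently overwriting someone else's setting.
INSERT INTO user_settings (user_name, setting, value)
VALUES ('someone_else', 'theme', 'dark')
ON CONFLICT (user_name, setting)
DO UPDATE SET value = EXCLUDED.value;
```

Run as `app_user` against PostgreSQL 9.5 or later, the first two statements succeed and the last raises a row-level security violation; the policy is evaluated on both halves of the UPSERT, which is the property a defender wants when application code constructs the key from user-controlled input.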

LWN.net: Security updates for Thursday


CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities).

Fedora has updated libpng (F23: two vulnerabilities).

openSUSE has updated grub2 (42.1: code execution).

Red Hat has updated kernel (RHEL6: two vulnerabilities).

Scientific Linux has updated thunderbird (multiple vulnerabilities).

Ubuntu has updated libpng (two vulnerabilities) and pygments (code execution).

LWN.net: Cannon: Where are we in the Python 3 transition?


Brett Cannon continues his series of posts on Python 3 with a blog post likening the path of its adoption to the Kübler-Ross model (i.e. the five stages of grief). “Unfortunately people are running up against the classic problem of lacking buy-in from management. I regularly hear from people that they would switch if they could, but their manager(s) don’t see any reason to switch and so they can’t (or that they would do per-file porting, but they don’t think they can convince their teammates to maintain the porting work). This can be especially frustrating if you use Python 3 in personal projects but are stuck on Python 2 at work. Hopefully Python 3 will continue to offer new features that will eventually entice reluctant managers to switch. Otherwise financial arguments might be necessary in the form of pointing out that porting to Python 3 is a one-time cost while staying on Python 2 past 2020 will be a perpetual cost for support to some enterprise provider of Python and will cost more in the long-term (e.g., paying for RHEL so that someone supports your Python 2 install past 2020). Have hope, though, that you can get buy-in from management for porting to Python 3 since others have and thus reached the “acceptance” stage.”

LWN.net: New Year’s Eve security updates


Debian-LTS has updated cacti (regression in previous security fix).

Fedora has updated arts (F22: privilege escalation), claws-mail (F23: code execution), cups-filters (F22: code execution), kdelibs3 (F22: privilege escalation), libpng10 (F22: read underflow), php-horde-Horde-Core (F22: cross-site scripting), php-horde-Horde-Perms (F22: cross-site scripting), php-horde-Horde-Service-Weather (F22: cross-site scripting), phpmyadmin (F23; F22: installation path disclosure), and python-django (F22: information leak).

Gentoo has updated inspircd (three largely unspecified vulnerabilities, one from 2012) and systemsettings (privilege escalation).

openSUSE has updated flash-player (11.4: many vulnerabilities).

LWN.net: Thursday’s security updates


Mageia has updated dpkg (code execution), keepassx (information disclosure), mediawiki (multiple vulnerabilities), php-phpmailer (message injection), and proftpd (denial of service).

openSUSE has updated firefox (multiple vulnerabilities), glibc (13.2: pointer guard circumvention), ldb, samba, talloc, tdb, tevent (42.1: multiple vulnerabilities), and samba, ldb, talloc, tdb, tevent (13.2, 13.1: multiple vulnerabilities).

Slackware has updated mozilla-thunderbird (multiple vulnerabilities).

SUSE has updated the Linux Kernel (SLE11SP4: multiple vulnerabilities).

LWN.net: First Plasma Wayland Live Image (KDE.News)


Over at KDE.News, Jonathan Riddell has announced the availability of the first live image [1.2GB ISO] of the KDE Plasma desktop running atop Wayland.

“The central component in this is our window manager, KWin, which has moved from drawing borders on the edges of windows to running the full compositor and talking the Wayland protocols which allow applications to draw on screen and be interacted with.

Users of the image will notice some obvious glitches, it is certainly not ready for everyday use yet, but the advantages of more secure workspaces, easier feature extendibility and graphics free of tearing and glitches will be appreciated by everybody. Work on this has been ongoing since 2011 and is expected to take years rather than months before a completely transparent switch away from X will be possible. Find more about the project on the KWin Wayland wiki pages.”

LWN.net: Security updates for Friday


Arch Linux has updated python2-pyamf (denial of service).

Debian has updated kernel (multiple vulnerabilities, including one from 2013).

Debian-LTS has updated foomatic-filters (?:) and virtualbox-ose (no longer supported in Debian 6).

Fedora has updated firefox (F23: multiple vulnerabilities), libldb (F23; F22: remote memory disclosure), libpng10 (F23; F22: code execution), libtalloc (F23; F22: remote memory disclosure), libtdb (F23; F22: remote memory disclosure), libtevent (F23; F22: remote memory disclosure), and samba (F23: multiple vulnerabilities).

Gentoo has updated dnsmasq (information disclosure) and ipython (?:).

Mageia has updated chromium-browser-stable (code execution) and
python-pygments (code execution).

Red Hat has updated chromium-browser (RHEL6: code execution) and openshift (RHOSE2.2: information leak).

Scientific Linux has updated bind (SL6: denial of service) and firefox (SL5&6: multiple vulnerabilities).

Slackware has updated grub (password bypass) and libpng (read underflow).

SUSE has updated kernel (SLE12SP1: multiple vulnerabilities).

Ubuntu has updated linux-lts-wily (14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: denial of service), and sosreport (15.10, 15.04, 14.04: two vulnerabilities, including one from 2014).

LWN.net: Linux Foundation announces project to “advance blockchain technology”


The Linux Foundation has announced a new collaborative project to “develop an enterprise grade, open source distributed ledger framework” to allow developers to build “robust, industry-specific applications, platforms and hardware systems to support business transactions”. Twenty companies have joined the effort: Accenture, ANZ Bank, Cisco, CLS, Credits, Deutsche Börse, Digital Asset Holdings, DTCC, Fujitsu Limited, IC3, IBM, Intel, J.P. Morgan, London Stock Exchange Group, Mitsubishi UFJ Financial Group (MUFG), R3, State Street, SWIFT, VMware, and Wells Fargo. “Many of the founding members are already investing considerable research and development efforts exploring blockchain applications for industry. IBM intends to contribute tens of thousands of lines of its existing codebase and its corresponding intellectual property to this open source community. Digital Asset is contributing the Hyperledger mark, which will be used as the project name, as well as enterprise grade code and developer resources. R3 is contributing a new financial transaction architectural framework designed to specifically meet the requirements of its global bank members and other financial institutions. These technical contributions, among others from a variety of companies, will be reviewed in detail in the weeks ahead by the formation and Technical Steering Committees.”