01/20/2012, 00:50
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
A successor to last year’s World IPv6 Day is the subject of an article over at ars technica. World IPv6 Launch will take place on June 6 and this time the plan is to leave things up and running on IPv6 after the day has ended. “Also new this year is that several Internet service providers will be participating by enabling IPv6 for at least one percent of their customers—with more to follow. These ISPs include not only those that have already put a toe in the IPv6 waters before, such as Comcast, Free Telecom in France, and XS4ALL in the Netherlands; but also Time Warner Cable and AT&T. Last but not least, Cisco/Linksys and D-Link will be enabling IPv6 support in the default configurations of their home routers.”
01/19/2012, 22:34
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
CentOS has updated php (C5: multiple
vulnerabilities).
Fedora has updated pdns (F16: denial
of service) and bugzilla (F15; F16: multiple vulnerabilities).
openSUSE has updated libqt4 (denial
of service or possible unspecified other impact), icu (multiple vulnerabilities), NetworkManager-gnome (man-in-the-middle
vulnerability from 2006), squid (denial of
service from 2010),
tomcat (hash collision denial of service),
ecryptfs-utils (mtab group permissions),
and libxml2 (code execution).
Oracle has updated php (OL5:
multiple vulnerabilities).
Red Hat has updated php (RHEL 5:
multiple vulnerabilities) and java-1.6.0-ibm (multiple vulnerabilities).
Scientific Linux has updated php
(SL5: multiple vulnerabilities).
SUSE has updated libqt4 (denial
of service or possible unspecified other impact).
01/19/2012, 18:51
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
A debugging feature introduced into the X.org server 1.11 can be used by someone with physical access to the system to bypass the screensaver. It was first reported by “Gu1” on their blog and on the oss-security mailing list. The key sequence Ctrl-Alt-KeypadMultiply will bypass any screensaver. A workaround has been posted, but one would expect an update from X.org before long.
01/18/2012, 23:38
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
On his blog, Daniel P. Berrangé writes about a new application sandbox tool that uses libvirt, LXC (Linux Containers), and KVM. It is based on some of the ideas behind the SELinux sandbox but uses KVM or LXC to isolate the application from the rest of the OS. “People also generally assume that running a KVM guest, means having a guest operating system install. This is absolutely something that is not acceptable for application sandboxing, and indeed not actually necessary. In a nutshell, libvirt-sandbox creates a new initrd image containing a custom init binary. This init binary simply loads the virtio-9p kernel module and then mounts the host OS’ root filesystem as the guest’s root filesystem, readonly of course. It then hands off to a second boot strap process which runs the desired application binary and forwards I/O back to the host OS, until the sandboxed application exits. Finally the init process powers off the virtual machine. To get an idea of the overhead, the /bin/false binary can be executed inside a KVM sandbox with an overall execution time of 4 seconds.”
01/18/2012, 15:15
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
On his blog, Matthew Garrett provides an update on the UEFI secure boot situation. Unlike what some have said, the Microsoft certification requirements for Windows 8 still place significant barriers in the way of installing Linux—even on x86 systems—which Garrett outlines. “I wrote about the technical details of supporting the UEFI secure boot specification with Linux. Despite me pretty clearly saying that this was ignoring issues of licensing and key distribution and the like, people are now using it to claim that Linux could support secure boot with minimal effort. In a sense, they’re right. The technical implementation details are fairly straightforward. But they’re not the difficult bit.”
01/17/2012, 21:09
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The H looks at SEAndroid, which was recently released by the US National Security Agency. It brings some of SELinux to the Android kernel to limit the damage that malicious apps can do.
“In a presentation [PDF] originally given at the 2011 Linux Security Summit, Stephen Smalley of the NSA explained the functionality within SEAndroid. He noted that it brings Mandatory Access Control to Android’s Linux kernel and can help sandbox, isolate and prevent privilege escalation by applications with a centralised policy that is amenable to analysis. That said, it cannot protect against kernel vulnerabilities and misconfiguration of the security policy. Smalley also discussed how SEAndroid works to protect against a number of known exploits and how SEAndroid would have stopped them in different ways.”
01/17/2012, 03:14
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
On his blog, Arun Raghavan reports on comparing the performance of PulseAudio vs. Android’s AudioFlinger, running them both on a Galaxy Nexus smartphone under Ice Cream Sandwich (Android 4.0). He compares CPU, memory, power usage, latency, and the features offered by both, and PulseAudio fares quite well. “For future work, it would be interesting to write a wrapper on top of PulseAudio that exposes the AudioFlinger audio and policy APIs — this would basically let us run PulseAudio as a drop-in AudioFlinger replacement. In addition, there are potential performance benefits that can be derived from using Android-specific infrastructure such as Binder (for IPC) and ashmem (for transferring audio blocks as shared memory segments, something we support on desktops using the standard Linux SHM mechanism which is not available on Android).”
01/14/2012, 01:32
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Do you have an interest in helping to create the best free software
technical information site on the net? Here at LWN.net, we have reached a
point where we can hire another full-time editor if we can find the right
person. We have put together a list of the skills we are looking for, and if you (or someone you know) meets them, please get in touch. Click through for the full job listing.
01/13/2012, 21:51
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Mel Chua writes about Plover, an open suite for stenography, at Opensource.com. “Plover isn’t just a straight-out copy-paste of existing proprietary CART [Communication Access Realtime Transcription] software; it also has several feature advantages over them. Most steno software has a time-based buffer, forcing the user to conform to the software’s timing; Plover is designed the other way around, so the software responds to a human, and typists can take their time to think and control the pacing of their words. Plover is also the first steno software of any kind that follows the Unix design principle of modularity, acting essentially as a keyboard emulator – no different from any other alternative input option such as on-screen keyboards for tablets or input methods for the disabled. In contrast, proprietary steno programs contain full-fledged word processors that typists are then forced to use.”
01/13/2012, 20:14
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Oracle has updated libxml2 (OL5:
multiple vulnerabilities), kernel (OL5:
multiple vulnerabilities), and php53 (OL5:
multiple vulnerabilities).
Ubuntu has updated linux-mvl-dove
(10.10: multiple vulnerabilities), linux-ti-omap4 (11.04: denial of service), linux-ti-omap4 (11.10: multiple
vulnerabilities), and linux-lts-backport-maverick (10.04: multiple
vulnerabilities).
01/13/2012, 19:12
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
FreeBSD 9.0 has been released. Highlights of this release include a new installer, Capsicum Capability Mode for sandboxing, softupdates journaling for the Fast Filesystem, user-level DTrace, ZFS updates, and much more; see the release notes for more information. “The FreeBSD Project dedicates the FreeBSD 9.0-RELEASE to the memory of Dennis M. Ritchie, one of the founding fathers of the UNIX[tm] operating system. It is on the foundation laid by the work of visionaries like Dennis that software like the FreeBSD operating system came to be. The fact that his work of so many years ago continues to influence new design decisions to this very day speaks for the brilliant engineer that he was.
May he rest in peace.”
01/13/2012, 01:53
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Over at Linux.com, Rikki Endsley interviews two NASA workers who are responsible for organizing and expanding the US space agency’s open source efforts.
“In December, [William] Eshagh announced NASA’s presence on GitHub, and their first public repository houses NASA’s World Wind Java project, an open source 3D interactive world viewer. Additional projects are being added, including OpenMDAO, an open-source Multidisciplinary Design Analysis and Optimization (MDAO) framework; NASA Ames StereoPipeline, a suite of automated geodesy and stereogrammetry tools; and NASA Vision Workbench, a general-purpose image processing and computer vision library.”
01/12/2012, 23:21
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Greg Kroah-Hartman has announced the release of four stable kernels:
2.6.32.54,
3.0.17,
3.1.9, and
3.2.1. All have fixes throughout the tree
and users of those series should upgrade. In the 3.1.9 review posting, Kroah-Hartman said that it was
likely the last in the 3.1.x series. It’s not repeated in the
announcement, but certainly the end of 3.1.x is coming soon and folks
should move to 3.2.
01/12/2012, 22:32
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
CentOS has updated libxml2 (C4; C5; C6: multiple vulnerabilities), kernel (C5: multiple vulnerabilities), php53 (C5: multiple vulnerabilities), and php (C6: multiple vulnerabilities).
Debian has updated simplesamlphp
(cross-site scripting) and openttd
(multiple vulnerabilities).
Mandriva has updated t1lib (multiple
vulnerabilities).
openSUSE has updated libxml2 (denial
of service or possible unspecified other impact).
Oracle has updated libxml2 (OL4; OL6:
multiple vulnerabilities) and php (OL6:
multiple vulnerabilities).
Red Hat has updated libxml2 (RHEL
4; RHEL 5; RHEL 6: multiple vulnerabilities) and php/php53 (RHEL 5&6:
multiple vulnerabilities).
Scientific Linux has updated libxml2 (SL4; SL5; SL6: multiple vulnerabilities), kernel (SL5: multiple vulnerabilities), and php/php53 (SL 5&6: multiple
vulnerabilities).
01/12/2012, 20:12
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
On his blog, Marijn Kruisselbrink reports on getting Calligra Mobile working on Android. In it he describes various problems he ran into in porting the mobile office suite, including a lack of DBus and KSyCoCa support in Android. “So after some (sometimes frustrating) hacking, I’ve got the first results: Calligra Mobile running on an android tablet. There are still lots of rough edges, and not everything works correctly, but as you can see in these screenshots, it does actually run and work. To get to this point I had to make some rather ugly hacks though to work around some of the android limitations.”
(Thanks to Inge Wallin.)
01/11/2012, 22:23
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Developers for several scripting language projects are currently scrambling
to fix a newly-disclosed denial of service vulnerability caused by
predictable hashing algorithms. As it happens, the term “newly disclosed”
does not quite apply here, though: the problem has been known since 2003.
Click below (subscribers only) for a description of this problem, its
history, and its solution from this week’s Security Page.
12/15/2011, 22:50
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
A new library libkmod and set of tools (kmod-*) for handling kernel modules has been announced. The idea is to give early boot tools, installers, udev, and others an easy way to query and control kernel modules via a library, rather than using modprobe. “In a recent Linux Desktop (and also several embedded systems) when computer is booting up, udev is responsible for checking available hardware, creating device nodes under /dev (or at least configuring their permissions) and loading kernel modules for the available hardware. In a kernel from a distribution it’s pretty common to put most of the things as modules. Udev reads the /sys filesystem to check the available hardware and tries to load the necessary modules. This translates in hundreds of calls to the modprobe binary, and in several of them just to know the module is already loaded, or it’s in-kernel. With libkmod it’s possible for udev with a few lines of code to do all the job, benefiting from the configurations and indexes already opened and parsed.” The project also provides work-alike programs for insmod, lsmod, rmmod, and an incomplete version of modprobe that use libkmod, with plans to complete the set. (Thanks to Luis Felipe Strano Moraes.)
12/15/2011, 22:10
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
CentOS has updated pidgin (C4; C5:
multiple vulnerabilities).
Fedora has updated dhcp (F16: denial
of service) and arora (F15: certificate
spoofing).
Mandriva has updated php-pear
(arbitrary file overwrite) and libxml2
(multiple vulnerabilities).
openSUSE has updated namazu
(cross-site scripting).
Oracle has updated pidgin (OL4:
multiple vulnerabilities).
Red Hat has updated dhcp (RHEL 6:
denial of service) and pidgin (RHEL
4&5; RHEL 6: multiple
vulnerabilities).
SUSE has updated susestudio, kiwi
(multiple vulnerabilities).
Ubuntu has updated bzip2 (insecure
tmp file creation) and dhcp (denial of
service).
12/13/2011, 22:50
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The Ada Initiative is a
non-profit dedicated to increasing the participation of women in open
technology and culture. In other words, we want more women in open
source, Wikipedia, and the rest of our brave new Internet world. A
lot of people agree with that goal – at least that’s what
our first
Ada Initiative survey told us. Guest author and Ada Initiative co-founder Valerie Aurora has an update on the status and plans for the organization; subscribers can click below to see the full article from this week’s edition.
12/10/2011, 01:56
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Git maintainer Junio C. Hamano reports on GitTogether 2011 on the Google Open Source blog. A two-day “unconference” event was held at Google’s Mountain View headquarters to discuss various Git features, including: “Support for large blobs that would not fit in the memory has been always lacking in Git. There recently has been a lot of work in the native support (e.g. storing them straight to the object store without having to read and hold the whole thing in core, checking out from the object store to the working tree without having to hold the whole thing in core, etc.). There are a few third-party tools and approaches with their own pros-and-cons, but it was generally agreed that adding a split-object encoding like Avery Pennarun’s “bup” tools uses would be the right way to help support object transfer between repositories to advance the native support of large objects in Git further.”
12/09/2011, 22:47
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
CentOS has updated perl (C4;
C5: multiple vulnerabilities).
openSUSE has updated opera (multiple
vulnerabilities).
Oracle has updated perl (OL4; OL5:
multiple vulnerabilities).
Red Hat has updated perl (RHEL
4&5: multiple vulnerabilities), qemu-kvm (RHEL 6: privilege escalation), and
jasper (RHEL 6: two code execution flaws).
Scientific Linux has put out a bunch of updates to SL6 that track the ones
released as part of RHEL 6.2 on Wednesday: kexec-tools (three ssh-related flaws), krb5 (denial of service), squid (denial of service), libxml2 (multiple vulnerabilities), php-pear (arbitrary file overwrite), libcap (chroot escape), util-linux-ng (mtab corruption and denial of
service), ruby (two random number flaws),
resource-agents (privilege escalation), sos (Red Hat network entitlement key
disclosure), nfs-utils (mtab corruption and
access control bypass), glibc (code
execution and mtab corruption), and cups
(code execution). It has also updated perl
(SL4&5: multiple vulnerabilities).
Ubuntu has updated dovecot
(certificate validation flaw), acpid
(multiple vulnerabilities), and django
(multiple vulnerabilities).
12/09/2011, 20:29
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Greg Kroah-Hartman has announced the release of the
2.6.32.50,
3.0.13, and
3.1.5 stable kernels. As usual, these
updates have important changes throughout the tree.
12/09/2011, 20:16
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
In something of a reprise of the February incident where Canonical switched Banshee’s Amazon MP3 store referral code so that it could collect the revenue (and share 30% 25% of that with Banshee), Linux Mint has now done much the same thing. First reported by OMG! Ubuntu!, it has since been confirmed by Linux Mint lead Clement Lefebvre. So far, the revenue ($3.41) has been negligible, but he seems willing to negotiate a revenue share should that change: “Now, should we share the $3.41/month with Banshee? We could. With Ubuntu? Why not. They’re both upstream to us and they’re both important to us. If we agree with them on how to share, then it might happen, whether they keep control and share with us, or we keep control and share with them. What’s for sure though, is that for this kind of revenue, not a lot of time is going to be spent in negotiations.”
12/09/2011, 00:38
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
On its tenth anniversary, December 7, Rockbox released version 3.10 of the free alternative firmware for a wide variety of music players. Version 3.10 is considered stable on more than two dozen different players as can be seen in the release notes. Notable features in the release include better catalog handling, theming improvements, a fully functional audio mixer, support for a bunch of gaming audio formats, additional embedded album art support, Ogg Vorbis decoding performance improvements, and more. More information can be found on the Rockbox home page.
12/08/2011, 22:02
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Debian has updated chasen (code
execution).
Mandriva has updated dhcp (denial of
service).
SUSE has updated freetype2 (SLE
10SP4; SLE 11SP1: multiple
vulnerabilities).
Ubuntu has updated colord (SQL
injection), krb5 (denial of service), kernel (8.04: multiple vulnerabilities), Maverick backport kernel (10.04: multiple
vulnerabilities), kernel (10.10: multiple
vulnerabilities), and Oneiric backport kernel
(10.04: multiple vulnerabilities).
12/08/2011, 21:00
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The H reports that Download.com has apologized for bundling the Nmap scanner with an installer that does a lot more than just install Nmap (it changes the default search to Bing, installs toolbars, …). “‘The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused’ said [Download.com's Sean] Murphy, adding that the company had ‘reviewed all open source files in our catalog to ensure none are being bundled’. Nmap has been removed from the download manager on Download.com, according to Murphy, and attempts to download it from the site will now send the user what appears to be an unmodified setup file for the network scanner.” Nmap’s Fyodor is maintaining a web page covering the “unrest”.
12/07/2011, 16:35
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The security-conscious will tell you that a multi-factor authentication
scheme involves requiring items from two or more of the categories “things
you know,” “things you have,” and “things you are.” Passwords and
passphrases both fall under the “things you know” umbrella, and while there
are commercially viable options for the latter two categories —
security dongles and biometric fingerprint scanners, for example —
neither have taken off with the general public. Google
Authenticator is a project that allows the use of a smartphone to serve
as a “thing you have”; subscribers can click below for a look at that
project from this week’s edition.
12/02/2011, 19:42
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
CentOS has given three months
notice about the end of life for
CentOS 4 on February 29, 2012.
Debian has updated openjdk-6
(multiple vulnerabilities).
Oracle has updated libarchive (OL6:
two code execution flaws) and cyrus-imapd (OL4; OL5; OL6: multiple vulnerabilities).
Scientific Linux has updated cyrus-imapd (multiple vulnerabilities) and libarchive (SL6: two code execution flaws).
SUSE has updated xorg-x11-server
(SLE 11SP1: two information disclosures) and java-1_5_0-ibm (SLE 10SP4: multiple
vulnerabilities).
11/24/2011, 23:07
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Fedora has updated hardlink
(F16: multiple vulnerabilities).
openSUSE has updated perl (code
execution).
Red Hat has updated java-1.5.0-ibm
(multiple vulnerabilities).
Scientific Linux has updated kernel
(SL6: multiple vulnerabilities).
Ubuntu has updated EC2 kernel
(multiple vulnerabilities), Maverick backport kernel (10.04:
multiple vulnerabilities), Natty backport
kernel (10.04: multiple vulnerabilities), and OMAP4 kernel (10.10; 11.04:
multiple vulnerabilities).
11/24/2011, 17:37
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
“Just in time for Thanksgiving”, Linus Torvalds has released
the third prepatch for 3.2. “Anyway, whether you will be stuffing yourself with turkey tomorrow or
not, there’s a new -rc out. I’d love to say that things have been
calming down, and that the number of commits just keep shrinking, but
I’d be lying. -rc3 is actually bigger than -rc2, mainly due to a
network update (none in -rc2) and with Greg doing his normal
usb/driver-core/tty/staging thing.
[...]
We also had a drm update.” As he notes, US folks may be slow to
pick up and test this kernel due to the holiday on November 24.
11/23/2011, 19:44
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Debian has updated puppet
(man-in-the-middle attacks).
Fedora has updated phpMyAdmin (F14; F15; F16: arbitrary file reading).
openSUSE has updated NetworkManager
(multiple vulnerabilities).
SUSE has updated bind (SLE10 SP2:
denial of
service).
Ubuntu has updated firefox (multiple
vulnerabilities) and mozvoikko, ubufox
(multiple vulnerabilities).
11/22/2011, 23:55
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Conferences are one of the main ways that our communities come together and
meet face-to-face. There are lots of different examples of how to
organize, schedule, and produce those conferences, with advantages and
disadvantages to the various approaches. LWN editor Jake Edge reflects on
various conferences that he has attended to try to distill some guidelines
that conferences may find useful when planning next year’s event.
Subscribers can click below for the article from this week’s edition.
11/17/2011, 21:52
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
LinuxFr.org is carrying an interview [French] with Andrew Tanenbaum (English version). In it, he has some criticisms of Linux (and Linus Torvalds) as well as the GPL, monolithic kernels, and so on. Standard Tanenbaum fare, along with the news that he has received a grant to commercialize MINIX 3 and that it will be ported to ARM starting in January. “The reason MINIX 3 didn’t dominate the world has to do with one mistake I made about 1992. At that time I thought BSD was going to take over the world. It was a mature and stable system. I didn’t see any point in competing with it, so I focused MINIX on education. Four of the BSD guys had just formed a company to sell BSD commercially. They even had a nice phone number: 1-800-ITS-UNIX. That phone number did them and me in. AT&T sued them over the phone number and the lawsuit took 3 years to settle. That was precisely the period Linux was launched and BSD was frozen due to the lawsuit. By the time it was settled, Linux had taken off. My mistake was not to realize the lawsuit would take so long and cripple BSD. If AT&T had not brought suit (or better yet, bought BSDI), Linux would never have become popular at all and BSD would dominate the world.”
11/17/2011, 21:36
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Debian has updated bind9 (denial of
service).
Mandriva has updated bind (denial of
service).
Oracle has updated freetype (OL4; OL5; OL6: code execution).
Red Hat has updated freetype (code
execution).
Scientific Linux has updated freetype (code execution).
SUSE has updated flash-player
(multiple vulnerabilities).
Ubuntu has updated icedtea-web,
openjdk6 (multiple vulnerabilities), bind9 (denial of service), system-config-printer (man-in-the-middle
package installation), and openldap (denial
of service).
11/17/2011, 20:49
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The H looks at a proposal from Google to protect against rogue or compromised certificate authorities. “[Google product manager Ian] Fette said that after that affair, other companies asked Google for a way to protect themselves against bogus certificates. As there are numerous CAs, the possibility that similar illegitimate certificates could be issued remains, explained the developer. However, Fette said that embedding the certification policy for all potential parties into browsers doesn’t scale, and that he and his colleagues, Chris Evans and Chris Palmer, therefore advocate the dynamic pinning of public keys.” The article goes on to look at the proposal and some complaints about it, along with an alternative based on DNSSEC.
11/17/2011, 18:12
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The BIND 9 DNS name server is undergoing a concerted denial of service attack, according to this Internet Systems Consortium advisory. “Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: “INSIST(! dns_rdataset_isassociated(sigrdataset))” Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9. [...] An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.” We should be seeing distributions releasing updated versions soon.
11/17/2011, 17:48
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
GNOME has put out a press release that highlights the accomplishments of seven women in the Google Summer of Code program for GNOME along with eight participants in GNOME Outreach Program for Women internships. “The accomplishments of the women who participated in Google Summer of Code this year are impressive. For example, Nohemi Fernandez implemented a full-featured on-screen keyboard for GNOME Shell, which makes it possible to use GNOME 3.2 on tablets. Raluca Elena Podiuc added the ability to create an avatar in Empathy with a webcam. Srishti Sethi created four activities for children to discover Braille for the GCompris educational software.
[...]
There were also eight women who participated in the GNOME Outreach Program for Women internships during the same time period as Google Summer of Code. Five of them worked on documentation, creating new topic-based help for the core desktop, as well as for the Accerciser accessibility tool, Vinagre remote desktop viewer, Brasero CD/DVD burner, Cheese webcam application, and GNOME System Monitor.”
11/16/2011, 22:37
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The awesome window manager provides a framework for users to essentially create their own window manager. Awesome has been around for a few years now, but may be gaining some visibility now that Sabayon Linux has added an awesome edition. Guest author Koen Vervloesem has been using awesome for a number of years, and subscribers can click below for his look at the window manager from this week’s edition.
11/11/2011, 23:09
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Greg Kroah-Hartman has announced the release of the 3.0.9 and 3.1.1 stable kernels. Both contain many fixes
(more than 250 patches each) throughout the tree. As always, all users of
the 3.0 or 3.1 series must upgrade.
11/11/2011, 20:07
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Mandriva has updated java-1.6.0-openjdk (multiple vulnerabilities).
Red Hat has updated flash-plugin
(RHEL 5&6: multiple vulnerabilities).
Ubuntu has updated Firefox/Xulrunner (10.04, 10.10: multiple
vulnerabilities) and apache2 (multiple
vulnerabilities).
11/10/2011, 22:09
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
CentOS has updated nss (C4;
C5: certificate authority removal),
firefox (C4; C5: multiple vulnerabilities),
thunderbird (C4; C5: cross-site scripting), rpm (C4: code execution), xorg-x11 (C4: multiple vulnerabilities), pidgin (C4: multiple vulnerabilities), postgresql (C4: crackable password hashing),
kdelibs (C4: certificate spoofing), httpd (C4: mod_proxy reverse proxy exposure),
freetype (C4: code execution), and seamonkey (C4: cross-site scripting).
Debian has updated openssl
(certificate authority removal).
Fedora has updated tor (F16:
multiple vulnerabilities), tomcat6 (F15:
HTTP digest authentication flaws), java-1.7.0-openjdk (F16: multiple
vulnerabilities), asterisk (F15; F16: denial of service), icedtea-web
(F15; F16:
same-origin policy violation), and freetype
(F15: code execution).
Mandriva has updated mozilla
(multiple vulnerabilities).
Oracle has updated firefox (OL4; OL5; OL6: multiple vulnerabilities),
thunderbird (OL4; OL6: multiple vulnerabilities), seamonkey (OL4: cross-site scripting), icedtea-web (OL6: same-origin policy
violation), and nss (OL4; OL5; OL6:
certificate authority removal).
Ubuntu has updated radvd (code
execution) and clamav (code execution).
11/10/2011, 16:38
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The gpl-violations.org web site has the news that the court ruled against AVM in its bid to restrict Cybits (and anyone else) from modifying the GPL-covered code in home routers. “Although the written reasoning of the decision is not available yet, it
is clear that the court rejected AVM’s claims according to which no
third party shall be permitted to alter their products’ firmware, even
if the GNU GPL components are concerned. Thus, Cybits or anyone else may
perform such modifications. Furthermore, under the judgement, Cybits is
not prohibited from distributing its software that assists users in
making and installing modifications to GNU GPL licensed software (Linux
kernel used in the Fritz!Box device).” LWN recently covered a talk about the case.
11/09/2011, 18:35
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
While the talks at the 2011 GStreamer conference mostly focused on the
multimedia framework itself—not surprising—there were also some
that looked at the wider multimedia ecosystem. One of those was Christopher “Monty”
Montgomery’s presentation about Xiph.org, and its
work to promote free and open source multimedia. Xiph is known for its
work on the Ogg container format (and the Vorbis and Theora codecs), but
the organization has worked on much more than just those. In addition,
Montgomery outlined a new strategy that Xiph is trying out to combat one of the
biggest problems in the free multimedia world: codec patents.
Subscribers can click below for a report on the talk from this week’s edition.
11/08/2011, 00:38
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Greg Kroah-Hartman has announced the release of the
2.6.32.47 and 2.6.33.20 stable kernels. Both contain long
lists of fixes throughout the tree, and users should upgrade. In addition,
this is the last 2.6.33
kernel: “It is now
end-of-life, please move to the 3.0 kernel for your real time needs.”
11/07/2011, 21:48
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Debian has updated mahara (multiple
vulnerabilities), man2html (cross-site
scripting), xen (multiple vulnerabilities),
moodle (multiple vulnerabilities), and nss (certificate removal and possible code
execution flaw).
Fedora has updated tor (F15:
multiple vulnerabilities), kernel (F14:
multiple vulnerabilities), and clamav (F14; F15:
multiple vulnerabilities).
Gentoo has updated oracle-java
(multiple vulnerabilities).
Mandriva has updated gimp (code
execution).
Scientific Linux has updated java-1.6.0-sun (multiple vulnerabilities).
11/07/2011, 17:25
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The folks at Free Electrons have released videos from the Embedded Linux Conference Europe that was held in Prague, October 26-28. All of the videos are in WebM format, in two different sizes, and have been posted much more quickly than has happened in the past, thanks, no doubt, to lots of hard work from Free Electrons. “Below, you’ll find 51 videos, in both a 1920×1080 HD format and a reduced 800×450 format. In total, it represents 28 GB of video, for a duration of 2214 minutes, that is more than 36 hours of video. We hope that you will enjoy those videos and that these will be useful to those who couldn’t attend the conference.”
11/03/2011, 21:45
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
Ars technica is reporting on an odd plan for how to distribute the One Laptop Per Child’s XO-3 touchscreen tablet: “‘We’ll take tablets and drop them out of helicopters into villages that have no electricity and school, then go [back] a year later and see if the kids can read,’ [OLPC founder Nicholas] Negroponte told The Register. He reportedly cited Professor Sugata Mitra’s Hole in the Wall experiment as the basis for his belief that dropping the tablets will encourage self-directed literacy.
[...]
Among the major challenges that the OLPC project was never able to fully overcome during its laptop days were supporting the hardware in the field and providing teachers with the proper training and educational material. In light of the cost and difficulty of tackling those issues, it’s not hard to see why the eccentric stealth drop approach looks appealing to Negroponte.”
11/03/2011, 20:55
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
CentOS has updated openswan (C5: denial
of service) and php53 (C5: multiple
vulnerabilities).
Fedora has updated perl (F14:
multiple vulnerabilities).
Mandriva has updated php (multiple
vulnerabilities).
openSUSE has updated rpm (code
execution) and pam (11.3; 11.4: multiple vulnerabilities).
Red Hat has updated openswan (RHEL
5&6: denial
of service) and php53/php (RHEL 5&6: multiple
vulnerabilities).
Scientific Linux has updated openswan (SL 5&6: denial of service) and
php53/php (SL 5&6: multiple
vulnerabilities).
SUSE has updated popt (code
execution) and pam (SLE 10 SP3; SLE 10 SP4; SLE 11
SP1: multiple vulnerabilities).
11/02/2011, 17:14
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
German lawyer Till Jaeger came to the Embedded Linux Conference Europe to
update attendees on the AVM vs. Cybits
case that is currently underway in Germany. The case has some
potentially serious implications for users of GPL-licensed software,
particularly in embedded Linux contexts, so Jaeger (and his client Harald
Welte) felt it was important to
publicize the details of the case. So important, in fact, that he and
Welte are forgoing the usual practice of keeping all of the
privileged information (between a lawyer and client) private. Subscribers
can click below for coverage of the talk from this week’s edition.
10/27/2011, 02:48
This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net
The LWN.net Weekly Edition for October 27, 2011 is available.