Author Archive

LWN.net: Tagged memory and minion cores in the lowRISC SoC

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The lowRISC project, which aims to create and manufacture a fully open-source system-on-chip (SoC) and development board, has released a document on its plans to incorporate tagged memory and minion cores into the SoC. Minion cores are separate I/O processors that can be used to implement various I/O protocols without requiring additional hardware in the design.
“Tagged memory associates metadata with each memory location and can be used to implement fine-grained memory access restrictions. Attacks which hijack control flow can be prevented by using this protection to restrict writes to memory locations containing return addresses, function pointers, and vtable pointers. Importantly, we anticipate this can be implemented with a worst-case performance overhead of a few percent and a similarly low area cost. This fine-grained memory protection can be used automatically by the compiler, meaning improved security is available to existing programs without source code modifications. We intend to provide tagged memory alongside security features which are already commonly deployed such as secure boot, encrypted off-chip memory, and cryptographic accelerators.”
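As an added illustration (a constructed simulation, not lowRISC's design or code), the C program below models a memory with one tag per word: ordinary stores are refused on words tagged as control data, so an unchecked copy that runs past a stack buffer cannot overwrite the saved return address, while the same copy against untagged memory clobbers it. The frame layout, word indices and return-address value are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MEM_WORDS 32
enum { TAG_NONE = 0, TAG_CTRL = 1 };    /* TAG_CTRL: word holds control data */

struct tagged_mem {
    uint32_t word[MEM_WORDS];           /* one 32-bit word per slot */
    uint8_t  tag[MEM_WORDS];            /* one tag per word, checked on access */
    bool     enforce;                   /* false = behave like untagged memory */
    int      faults;                    /* number of refused accesses */
};

/* Plain store, emitted for ordinary data writes: refused on a TAG_CTRL word
   when enforcement is on. */
static bool store_data(struct tagged_mem *m, unsigned idx, uint32_t v)
{
    if (idx >= MEM_WORDS || (m->enforce && m->tag[idx] == TAG_CTRL)) {
        m->faults++;
        return false;
    }
    m->word[idx] = v;
    return true;
}

/* Tagged store, emitted only in call sequences and when initialising function
   or vtable pointers: writes the word and marks it as control data. */
static void store_ctrl(struct tagged_mem *m, unsigned idx, uint32_t v)
{
    m->word[idx] = v;
    m->tag[idx]  = TAG_CTRL;
}

/* Checked load for returns and indirect calls: the word must still carry the
   control tag; the tag is cleared because the frame slot is being popped. */
static bool load_ctrl(struct tagged_mem *m, unsigned idx, uint32_t *out)
{
    if (idx >= MEM_WORDS || m->tag[idx] != TAG_CTRL) {
        m->faults++;
        return false;
    }
    *out = m->word[idx];
    m->tag[idx] = TAG_NONE;
    return true;
}

struct outcome { bool intact; int faults; };
/* Constructed frame: a 4-word local buffer at words 8..11 and the saved return
   address at word 12. Copies n words into the buffer with no bounds check (n > 4
   runs into the return-address slot) and reports whether the return address
   came back intact and how many accesses the tags refused. */
static struct outcome run_overrun(unsigned n, bool enforce)
{
    struct tagged_mem m;
    const uint32_t ret_addr = 0x00400ABCu;  /* constructed value */
    uint32_t target = 0;
    memset(&m, 0, sizeof m);
    m.enforce = enforce;
    store_ctrl(&m, 12, ret_addr);           /* prologue saves return address */
    for (unsigned i = 0; i < n; i++)
        store_data(&m, 8 + i, 0x41414141u); /* unchecked copy into the buffer */
    bool ok = load_ctrl(&m, 12, &target);   /* epilogue loads it back */
    struct outcome r = { ok && target == ret_addr, m.faults };
    return r;
}
```

With a 6-word copy, `run_overrun(6, true)` reports the return address intact and one refused store, whereas `run_overrun(6, false)` reports it overwritten with no fault raised.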

LWN.net: EU to fund Free Software code review (FSFE)

The Free Software Foundation Europe (FSFE) has commented on the most recent European Union (EU) budget—approved on December 17—that includes €1 million for auditing free-software programs that are used by the EU governmental bodies. The auditing is meant to find and fix security holes in those programs. “Even though these institutions are tightly locked into non-free file formats, much of their infrastructure is based on Free Software.

‘This is a very welcome decision,’ says FSFE’s president Karsten Gerloff. ‘Like most public bodies, the European institutions rely heavily on Free Software for their daily operations. It is good to see that the Parliament and the Commission will invest at least a little in improving the quality and the programs they use.’”

LWN.net: Friday’s security advisories

CentOS has updated glibc (C7: code execution), jasper (C7; C6: three code execution flaws), and kernel (C7: privilege escalation).

Gentoo has updated znc (two denial of service flaws, one from 2013).

Oracle has updated glibc (OL7: three vulnerabilities), jasper (OL7; OL6: three code execution flaws), and kernel (OL7; OL5; OL5: privilege escalation).

Red Hat has updated glibc (RHEL7: code execution) and jasper (RHEL6&7: three code execution flaws).

Scientific Linux has updated jasper (SL6&7: three code execution flaws).

Ubuntu has updated kernel (14.04: regression in previous security fix) and kernel (14.10: regression in previous security fix).

LWN.net: KDE Applications 14.12 released

The KDE project has announced the release of KDE Applications 14.12, which has the first set of applications that have been ported to KDE Frameworks 5. Most of the applications are still based on KDE Development Platform 4, but some have been moved to the new Qt5-based Frameworks. “The release includes the first KDE Frameworks 5-based versions of Kate and KWrite, Konsole, Gwenview, KAlgebra, Kanagram, KHangman, Kig, Parley, KApptemplate and Okteta. Some libraries are also ready for KDE Frameworks 5 use: analitza and libkeduvocdocument.

Libkface is new in this release; it is a library to enable face detection and face recognition in photographs.” More information on the new features and fixes that came in the release can be found in the change log and a KDE.News article.

LWN.net: Klapper: Good bye Bugzilla, welcome Phabricator.

On his blog, André Klapper describes Wikimedia’s move from Bugzilla to Phabricator, which is described as an “open source software engineering platform”. After ten years and 70,000+ bugs, there was a lot of data to migrate, which went well overall, though there were a few surprises along the way.
“We had to work around an unresolved upstream XML-RPC API bug in Bugzilla by applying a custom hack when exporting comments in a first step and removing the hack when exporting attachments (with binary data) in a second step. Though we did, it took us a while to realize that Bugzilla attachments imported into Phabricator were scrambled, as the hack was still being applied for unknown reasons (some caching?). Rebooting the Bugzilla server fixed the problem, but we had to start from scratch with importing attachments.” (Thanks to Paul Wise.)

LWN.net: Security updates for Thursday

CentOS has updated kernel (C5: privilege escalation).

Fedora has updated bind (F20: two denial of service flaws), cpio (F21: denial of service), pam (F20: two vulnerabilities, one from 2013), and tcpdump (F20: three vulnerabilities).

Red Hat has updated kernel (RHEL7; RHEL6; RHEL5: privilege escalation).

Scientific Linux has updated kernel (SL7; SL5: privilege escalation).

LWN.net: Our approach to software and ongoing support for the first Fairphones

Over at the Fairphone blog, Kees Jongenburger reflects on what went right—and wrong—for the software that went into the first version of the Fairphone, which is a project aimed at creating a mobile phone that is, well, more “fair”. The project seeks to inject social values into the supply chain so that minerals come from conflict-free mining, for example, and that the workers are provided with a living wage.
“Fairphone’s high-level ambition is to bring more fairness to software. To us, that means focusing on two key principles: transparency and longevity.

We believe products should be long-lasting. The longer a phone lasts, the less waste it creates and the fewer resources it requires. Longevity plays a role in hardware choices; and at the software level, longevity means keeping the software up-to-date and secure after the product was sold.

Openness ties directly into our ideas for longevity. We believe that our community should have access to the source code of our software to make improvements, add cool functionality, and extend usability. We believe that releasing the code as open source will prolong the life of the phone past its commercial life.

For the first Fairphone, we pinpointed a number of (in retrospect, over-ambitious) goals that aligned with the ideas of transparency and longevity.”
We looked at Fairphone back in July 2013. (Thanks to Paul Wise.)

LWN.net: Security updates for Thursday

Debian has updated pdns-recursor (denial of service), unbound (denial of service), and xorg-server (multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities), clamav (denial of service), and libxml2 (denial of service).

Mageia has updated bind (M4: denial of service), firebird (M4: denial of service), and pdns-recursor (M4: denial of service).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities, one from 2013).

Slackware has updated bind (denial of service), mozilla (multiple vulnerabilities), openssh (tcp wrappers support), openvpn (denial of service), pidgin (multiple vulnerabilities), seamonkey (multiple vulnerabilities), and wpa_supplicant (command execution).

Ubuntu has updated nvidia-graphics-drivers (14.10, 14.04, 12.04: three vulnerabilities).

LWN.net: [$] Snowdrift.coop: Funding for free projects

Funding projects in the “free and open” world is a perennial problem. “Crowdfunding” using Kickstarter and other platforms has helped to alleviate some funding issues for some projects, but it is a model that targets one-time goals, not sustained development. Snowdrift.coop, which is an organization aimed at providing long-term funding for free and open projects, has—somewhat ironically—announced a crowdfunding campaign to launch itself.

LWN.net: [$] LWN.net Weekly Edition for December 4, 2014

The LWN.net Weekly Edition for December 4, 2014 is available.

LWN.net: [$] Moving some of Python to GitHub?

Over the years, Python’s source repositories have moved a number of times, from CVS on SourceForge to Subversion at Python.org and, eventually, to Mercurial (aka hg), still on Python Software Foundation (PSF) infrastructure. But the new Python.org site code lives at GitHub (thus in a Git repository) and it looks like more pieces of Python’s source may be moving in that direction. While some are concerned about moving away from a Python-based DVCS (i.e. Mercurial) into a closed-source web service, there is a strong pragmatic streak in the Python community that may be winning out.

LWN.net: [$] Touring the hidden corners of LWN

One of the more surprising outcomes (to us) of the recent systemd “debates” in our comments section was finding out that some subscribers did not know of our comment filtering feature. Subscribers have been able to filter out specific commenters since 2010, but knowledge of that feature seems to have dissipated over time. We certainly could do a better job of documenting all of our features, but we thought it might be a good time to both introduce a couple of new features while refreshing people’s memories of some of the features we already offer.

LWN.net: Thanksgiving security updates

A whole bunch of security updates for the US Thanksgiving holiday.

Debian has updated openjdk-6 (?:).

Fedora has updated clamav (F19: two vulnerabilities, one from 2013) and tcpdump (F20: three vulnerabilities).

Gentoo has updated squid (three vulnerabilities).

Mageia has updated asterisk (two vulnerabilities), avidemux (multiple vulnerabilities), drupal (two vulnerabilities), flash-player-plugin (code execution), glibc (code execution), icecast (information leak), libksba (denial of service), perl-Mojolicious (code execution), phpmyadmin (multiple vulnerabilities), ruby-httpclient (SSL downgrade protection), and wordpress (multiple vulnerabilities).

Mandriva has updated glibc (BS1.0: code execution), icecast (BS1.0: information leak), and kernel (BS1.0: multiple vulnerabilities).

openSUSE has updated file (13.2, 13.1, 12.3: code execution), flashplayer (11.4: code execution), rubygem-actionpack-3_2 (13.2, 13.1, 12.3: two information leaks), and rubygem-sprockets (13.2; 13.1, 12.3: directory traversal).

Oracle has updated ruby (OL7; OL6: three vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: code execution), ruby (RHEL7; RHEL6: three vulnerabilities), ruby193-ruby (RHSC1: three vulnerabilities), and ruby200-ruby (RHSC1: three vulnerabilities).

Ubuntu has updated clamav (two vulnerabilities).

LWN.net: Version 2 of the kdbus patches posted

The second version of the kdbus patches has been posted to the Linux kernel mailing list by Greg Kroah-Hartman. The biggest change since the original patch set (which we looked at in early November) is that kdbus now provides a filesystem-based interface (kdbusfs) rather than the /dev/kdbus device-based interface. There are lots of other changes in response to v1 review comments as well. “kdbus is a kernel-level IPC implementation that aims for resemblance to [the] protocol layer with the existing userspace D-Bus daemon while enabling some features that couldn’t be implemented before in userspace.”

LWN.net: McKenney: Stupid RCU Tricks: rcutorture Catches an RCU Bug

On his blog, Paul McKenney investigates a bug in read-copy update (RCU) in preparation for the 3.19 merge window. “Of course, we all have specific patches that we are suspicious of. So my next step was to revert suspect patches and to otherwise attempt to outguess the bug. Unfortunately, I quickly learned that the bug is difficult to reproduce, requiring something like 100 hours of focused rcutorture testing. Bisection based on 100-hour tests would have consumed the remainder of 2014 and a significant fraction of 2015, so something better was required. In fact, something way better was required because there was only a very small number of failures, which meant that the expected test time to reproduce the bug might well have been 200 hours or even 300 hours instead of my best guess of 100 hours.”

LWN.net: Security advisories for Thursday

Mandriva has updated clamav (BS1.0: denial of service from 2013) and php-ZendFramework (BS1.0: authentication bypass).

openSUSE has updated emacs (13.1: multiple vulnerabilities).

Red Hat has updated java-1.6.0-ibm (RHEL5&6: multiple vulnerabilities) and java-1.7.0-ibm (RHEL5: multiple vulnerabilities).

SUSE has updated firefox (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated oxide-qt (14.10, 14.04: multiple vulnerabilities).

LWN.net: [$] LWN.net Weekly Edition for November 20, 2014

The LWN.net Weekly Edition for November 20, 2014 is available.

LWN.net: Security advisories for Friday

Fedora has updated aircrack-ng (F20; F19: multiple vulnerabilities), gnutls (F20: three vulnerabilities), and python3 (F19: three vulnerabilities).

Mageia has updated claws-mail (M4: SSL certificate verification botch), curl (information leak), flash-player-plugin (many vulnerabilities), getmail (three vulnerabilities), kdebase4-workspace (M3: privilege escalation), libreoffice (M4; M3: two vulnerabilities), and ruby (denial of service).

openSUSE has updated openssl (13.2: multiple vulnerabilities).

Oracle has updated kernel 2.6.39 (OL6; OL5: two vulnerabilities) and kernel 3.8.13 (OL7; OL6: two vulnerabilities).

SUSE has updated flash-player (SLE12: three vulnerabilities) and java-1_7_0-openjdk (SLE12: multiple vulnerabilities).

LWN.net: Linux Security Distros Compared: Tails vs. Kali vs. Qubes (Lifehacker)

Three security-oriented Linux distributions are compared and contrasted over at Lifehacker. The three (Tails, Kali Linux, and Qubes OS) have distinct use cases that are surveyed in the article. “The crux of Tails is anonymity. While it has cryptographic tools in place, its main purpose is to anonymize everything you’re doing online. This is great for most people, but it doesn’t give you the freedom to do stupid things. If you log into your Facebook account under your real name, it’s still going to be obvious who you are, and remaining anonymous on an online community is a lot harder than it seems.”

LWN.net: The Long and Winding Road (Mageia Blog)

Over on the Mageia Blog, Rémi Verschelde explains why the Mageia 5 Beta 1 took a month and a half longer than planned—but is now available. Upgrading to RPM 4.12 during the release process caused some problems, but there were other troubles along the way.
“Still, while fixing our core tools during this first mass rebuild, some important changes were made to our RPM setup. As a consequence, half of the rebuilt packages (the ones built before our RPM setup changes) were lacking some important metadata. We then decided to do a second mass rebuild in October, which went quite fine apart from some issues with the Java stack. It was already late October when the first Beta 1 ISOs could be spun and delivered to the QA team for pre-release testing.” Beta 2 has been pushed back to December 16, with a final release of Mageia 5 expected on January 31.

LWN.net: Thursday’s security updates

Debian has updated iceweasel (multiple vulnerabilities).

openSUSE has updated docker, go (13.2: two vulnerabilities) and libreoffice (13.1: code execution).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

SUSE has updated OpenSSL (SLECT10; SLE11: multiple vulnerabilities) and wget (SLE10SP4; SLE11SP2, SLE11SP1: code execution).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).

LWN.net: Kügler: Diving into Plasma’s 2015

On his blog, Sebastian Kügler looks at what next year holds for KDE Plasma 5. He looks at high-DPI and Wayland support as well as the plans by distributions (Kubuntu 15.04 for example) to start shipping Plasma 5 as the default desktop environment. “In terms of user demographic, we’re almost certain to see one thing happening with the new Plasma 5 UI, as distros start to ship it by default, this is what these new users are going to see. Not everybody in this group of users is interested in how cool the technology stack lines up, they just want to get their work done and certainly not feel impeded in their daily workflows. This is the target group which we’ve been focusing our work on in months since summer, since the release of Plasma 5.0. Wider group of users sounds pretty abstract, so let’s take some numbers: While Plasma 5 is run by a group of people already, the number of users who get it via Linux distributions is much larger than the group of early adopters. This means by the end of next year, Plasma 5 will be in the hands of millions of users, probably around 10 million, and increasing.”

LWN.net: Thursday’s security updates

Debian has updated libxml-security-java (xml signature spoofing from 2013).

Gentoo has updated mysql (multiple unspecified vulnerabilities), tigervnc (code execution), and vlc (multiple vulnerabilities from 2010-2013).

Oracle has updated mod_auth_mellon (OL6: two vulnerabilities) and shim (OL7: three vulnerabilities).

SUSE has updated flash-player (SLE11SP3: three vulnerabilities), OpenSSL (SLE11SP3: three vulnerabilities), and wget (SLE11SP3: code execution).

Ubuntu has updated libreoffice (14.10, 14.04: code execution).