Author Archive

LWN.net: KVM Matures, and the Use Cases Multiply (Linux.com)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Over at Linux.com, Adam Jollans has a report from the recently completed KVM Forum that was held in Düsseldorf, Germany October 14-16. He looks at a talk that he gave on KVM’s relationship to OpenStack and the open cloud, a new white paper on KVM [PDF], and a panel on network function virtualization (NFV):
“In the past, communications networks have been built with specific routers, switches and hubs with the configuration of all the components being manual and complex. The idea now is to take that network function, put it into software running on standard hardware.

The discussion touched on the demands – in terms of latency, throughput, and packet jitter – that network function virtualization places on KVM when it is being run on general purpose hardware and used to support high data volume. There was a lively discussion about how to get fast communication between the virtual machines as well as issues such as performance and sharing memory, as attendees drilled down into how KVM could be applied in new ways.”

LWN.net: Stable kernels 3.17.2, 3.16.7, 3.14.23, and 3.10.59

Greg Kroah-Hartman has announced the release of four new stable kernels: 3.17.2, 3.16.7, 3.14.23, and 3.10.59. As always, they contain important fixes and users of those series should update. Note that 3.16.7 is the last stable kernel in the 3.16 series; users should upgrade to 3.17 soon.

LWN.net: Security advisories for Thursday

Debian has updated dokuwiki (multiple vulnerabilities).

Red Hat has updated v8314-v8 (i.e. V8) (SC1: multiple vulnerabilities, several from 2013).

Slackware has updated wget (code execution).

Ubuntu has updated php5 (multiple vulnerabilities) and systemd-shim (14.10: denial of service).

LWN.net: Garrett: Linux Container Security

Matthew Garrett considers the security of Linux containers on his blog. While the attack surface of containers is likely to always be larger than that of hypervisors, that difference may not matter in practice, but it’s going to take some work to get there:

I suspect containers can be made sufficiently secure that the attack surface size doesn’t matter. But who’s going to do that work? As mentioned, modern container deployment tools make use of a number of kernel security features. But there’s been something of a dearth of contributions from the companies who sell container-based services. Meaningful work here would include things like:

  • Strong auditing and aggressive fuzzing of containers under realistic configurations
  • Support for meaningful nesting of Linux Security Modules in namespaces
  • Introspection of container state and (more difficult) the host OS itself in order to identify compromises

These aren’t easy jobs, but they’re important, and I’m hoping that the lack of obvious development in areas like this is merely a symptom of the youth of the technology rather than a lack of meaningful desire to make things better. But until things improve, it’s going to be far too easy to write containers off as a “convenient, cheap, secure: choose two” tradeoff. That’s not a winning strategy.

LWN.net: Bits from the Debian multimedia maintainers

The Debian multimedia maintainers have put out a status report on multimedia software for the Debian 8.0 (“Jessie”) release. It covers which frameworks, plugins, applications, and so on for multimedia processing will be included in the release, as well as packages that have been dropped. “The codec library libavcodec, which is used by popular media playback applications including vlc, mpv, totem (using gstreamer1.0-libav), xine, and many more, has been updated to the latest upstream release version 11 provided by Libav. This provides Debian users with HEVC playback, a native Opus decoder, Matroska 3D support, Apple ProRes, and much more. Please see libav-changelog for a full list of functionality additions and updates.”

(Thanks to Paul Wise.)

LWN.net: Schaller: GStreamer Conference 2014 talks online

On his blog, Christian Schaller announced the availability of videos from the recently completed GStreamer Conference. “For those of you who, like me, missed this year’s GStreamer Conference, the recorded talks are now available online thanks to Ubicast. Ubicast has been a tremendous partner for GStreamer over the years, making sure we have high quality talk recordings online shortly after the conference ends. So be sure to check out this year’s batch of great GStreamer talks.”

LWN.net: Ubuntu 14.10 (Utopic Unicorn) released

Ubuntu has announced its latest release: 14.10 “Utopic Unicorn”. As usual, it comes with versions for server, desktop, and cloud, along with multiple official “flavors”: Kubuntu, Lubuntu, Mythbuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu Studio, and Xubuntu. All of the varieties come with a 3.16 kernel and many more new features: “Ubuntu Desktop has seen incremental improvements, with newer versions of GTK and Qt, updates to major packages like Firefox and LibreOffice, and improvements to Unity, including improved High-DPI display support.

Ubuntu Server 14.10 includes the Juno release of OpenStack, alongside deployment and management tools that save devops teams time when deploying distributed applications – whether on private clouds, public clouds, x86 or ARM servers, or on developer laptops. Several key server technologies, from MAAS to Ceph, have been updated to new upstream versions with a variety of new features.” More information can be found in the release notes.

LWN.net: Security updates for Thursday

Fedora has updated java-1.7.0-openjdk (F19: multiple vulnerabilities) and php (F20: three vulnerabilities).

Mandriva has updated php (BS1.0: code execution).

Oracle has updated java-1.8.0-openjdk (OL6: multiple vulnerabilities) and wireshark (OL5: multiple vulnerabilities).

Red Hat has updated openstack-glance (OSP4: denial of service), openstack-heat (OSP4: information leak), openstack-keystone (OSP4: two vulnerabilities), openstack-neutron (OSP4: denial of service), openstack-nova (OSP4: privilege escalation), openstack-packstack (OSP4: unexpected firewall disable), and python-backports-ssl_match_hostname (OSP4: denial of service from 2013).

Scientific Linux has updated java-1.6.0-openjdk (multiple vulnerabilities), java-1.7.0-openjdk (SL7, SL6; SL5: multiple vulnerabilities), libxml2 (SL7, SL6: denial of service), openssh (SL6: two vulnerabilities), rsyslog5 and rsyslog (SL6, SL5: denial of service), trousers (SL6: denial of service from 2012), and wireshark (SL7, SL6; SL5: multiple vulnerabilities).

SUSE has updated kernel (SLE11SP3; SLE11SP3: multiple vulnerabilities, one from 2013).

Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities) and pollinate (14.04: certificate refresh).

LWN.net: [$] Where to store your encrypted data

In a talk entitled “Lies, Damned Lies, and Remotely Hosted Encrypted Data”, Kolab Systems CEO Georg Greve outlined the thinking and investigation that the company did before deciding on where to store its customers’ encrypted data. The talk, which was given at LinuxCon Europe in Düsseldorf, Germany, looked at various decisions that need to be made when determining where and how to store data on the internet. It comes down to a number of factors, including the legal framework of the country in question and physical security for the systems storing the data.

LWN.net: [$] The future of the realtime patch set

In a followup to last year’s report on the future of realtime Linux, Thomas Gleixner once again summarized the status of the long-running patch set. The intervening year did not result in the industry stepping up to fund further work, which led Gleixner to declare that realtime Linux is now just his hobby. That means new releases will be done as his time allows and may eventually lead to dropping the patch set altogether if the widening gap between mainline and realtime grows too large.

Subscribers can click below for the full report of Gleixner’s talk at this year’s Linux Plumbers Conference.

LWN.net: [$] LWN.net Weekly Edition for October 9, 2014

The LWN.net Weekly Edition for October 9, 2014 is available.

LWN.net: Schaller: Fedora Workstation Progress Report (Wayland and more)

Christian Schaller has a lengthy update on the progress of Fedora 21. He looks at a number of different features, including Wayland, GNOME 3.14, software installation (dnf and “Software”), and more. “This also highlights one of the advantages of the new Fedora product model where we have one clear desktop product we are targeting, that we can define operating system standards for things like application metadata and apply them to the system as a whole. So for Fedora 22 we expect to make appdata metadata a mandatory part of the application packaging for Fedora, ensuring that any desktop application packaged for Fedora is easily discoverable by our users. In the old ‘bucket of parts’ model these things would in practice not happen as there was no clear target that everyone was expected to aim for.”

LWN.net: Karlitschek: A possible future for PHP

On his blog, ownCloud founder Frank Karlitschek ponders the future of PHP. He doesn’t regret choosing PHP for ownCloud, but does note that the language suffers from its mid-1990s roots, which he would like to see cleaned up and fixed at some point—in a fully compatible way. “I wish PHP would do something that makes it possible to evolve and improve the language significantly but still provides a smooth migration experience not like Perl and Python did with introducing completely new backward incompatible releases.

So a good solution would be if PHP 6 or 7 [would] introduce a new tag to start a php file. For example <?PHPNEXT instead of <?PHP. Both modes are fully supported by the new PHP version and can be used in parallel in the same application or even in the same file. In the NEXT section the new and improved syntax is used.” He goes on to list the changes he would like to see in the language.

LWN.net: Security updates for Thursday

Oracle has updated libvirt (OL7: two vulnerabilities).

Red Hat has updated libvirt (RHEL7: two vulnerabilities).

LWN.net: [$] Bash gets shellshocked

It’s been a crazy week for the Bash shell, its maintainer, and many Linux distributions that use the shell. A remote code-execution vulnerability that was reported on September 24 has now morphed into multiple related vulnerabilities, which have now mostly been fixed and updates released by distributions. The vulnerabilities have been dubbed “Shellshock” and the technical (and mainstream) press has had a field day reporting on the incident. It all revolves around a somewhat dubious Bash feature, but the widespread use of Bash in places where it may not really make sense contributed to the severity of the bug.

LWN.net: Mahinovs: Distributing third party applications via Docker?

On his blog, Aigars Mahinovs considers an alternative to Lennart Poettering’s recent thoughts about how Linux systems should be constructed. Mahinovs advocates a Docker-based approach.

Third party application developer writes a new game for Linux. As his target he chooses one of the “application runtime” Docker images on Docker Hub. Let’s say he chooses the latest Debian stable release. In that case he writes a simple Dockerfile that installs his build-dependencies and compiles his game in “debian-app-dev:wheezy” container. The output of that is a new folder containing all the compiled game resources and another Dockerfile – this one describes the runtime dependencies of the game. Now when a docker image is built from this compiled folder, it is based on “debian-app:wheezy” container that no longer has any development tools and is optimized for speed and size. After this build is complete the developer exports the Docker image into a file. This file can contain either the full system needed to run the new game or (after #8214 is implemented) just the filesystem layers with the actual game files and enough meta-data to reconstruct the full environment from public Docker repos. The developer can then distribute this file to the end user in the way that is comfortable for them.

LWN.net: Bugging out: How rampant online piracy squashed one insect photographer (Ars Technica)

As many in the free-software world know, copyright is, at best, a double-edged sword. Copyright law is what allows the various free and open-source licenses, but enforcing that copyright (i.e. adherence to the license) is expensive and time-consuming. Ars Technica has the tale of a bug photographer who details his woes in trying to protect his photographs. “While the stereotypical copyright story pits private users against large corporate rights-holders, real-world cases are often more complex. After all, most content creators are private, and many content users—as well as content infringers—are corporate. The corporate infringements are the most frustrating, as I live off photo licenses issued to corporations in the same sectors.

Licensing only works in a world where commercial content users like these must obtain permission from content creators. As long as I have the right to dispense permission, I am in a position to earn back the roughly $50 I spend to create each photograph. Money is time; I use my time to invest in more images, and the cycle continues. This is how copyright is supposed to work, and most of my photographs could not exist without it.”

LWN.net: Thursday’s security updates

Debian has updated iceweasel (signature forgery) and nss (signature forgery).

Fedora has updated bash (F20; F19: code injection), moodle (F20: multiple vulnerabilities), not-yet-commons-ssl (F20; F19: hostname verification botch), phpMyAdmin (F20; F19: privilege escalation), procmail (F19: code execution), wireshark (F20: yet another pile of dissector flaws), and xerces-j2 (F20; F19: denial of service from 2013).

Gentoo has updated bash (code injection) and bash (fix to the previous update for the code injection vulnerability).

Mageia has updated bash (code injection), curl (M4; M3: cookie handling), php-pear-CAS (privilege escalation), and wireshark (yet another pile of dissector flaws).

Mandriva has updated bash (code injection), curl (two cookie-handling vulnerabilities), nss (signature forgery), and wireshark (yet another pile of dissector flaws).

Oracle has updated bash (OL7; OL6; OL5; OL4: code injection).

Scientific Linux has updated bash (code injection).

Slackware has updated bash (code injection) and mozilla (signature forgery).

SUSE has updated bash (SLE11SP3, SLE10SP4; SLE11SP1: code injection) and bash (SLE10SP3: two vulnerabilities, one from 2012).

Ubuntu has updated bash (14.04, 12.04, 10.04: code injection), firefox (14.04, 12.04: signature forgery), nss (14.04, 12.04, 10.04: signature forgery), and thunderbird (14.04, 12.04: signature forgery).

LWN.net: [$] Schneier on incident response

Bruce Schneier is a cryptographer and security specialist who is well-known in computer circles even though he has often branched into more general security areas in recent years. His blog is a great source of security news (and of “quotes of the week” for the Security page, as readers know). Beyond all that, he travels to many security conferences to give talks, which is just what he did at AppSec USA in Denver on September 18. The keynote topic was “incident response” (IR), which is an area that is finally getting more attention in the security-product space, he said.

LWN.net: Friday’s security advisories

Debian has updated apt (regression in previous security update).

Fedora has updated apache-poi (F20: two XML handling flaws), asterisk (F20; F19: denial of service), haproxy (F20: unspecified vulnerabilities), kernel (F20: three vulnerabilities), pdns-recursor (F20; F19: denial of service), polkit-qt (F20; F19: authorization bypass), and ReviewBoard (F19: two vulnerabilities).

openSUSE has updated lua (code execution) and squid (denial of service).

LWN.net: Simply Secure announces itself

A new organization to “make security easy and fun” has announced itself in a blog post entitled “Why Hello, World!”. Simply Secure is targeting the usability of security solutions: “If privacy and security aren’t easy and intuitive, they don’t work. Usability is key.” The organization was started by Google and Dropbox; it also has the Open Technology Fund as one of its partners.

“To build trust and ensure quality outcomes, one core component of our work will be public audits of interfaces and code. This will help validate the security and usability claims of the efforts we support.

More generally, we aim to take a page from the open-source community and make as much of our work transparent and widely-accessible as possible. This means that as we get into the nitty-gritty of learning how to build collaborations around usably secure software, we will share our developing methodologies and expertise publicly. Over time, this will build a body of community resources that will allow all projects in this space to become more usable and more secure.”

LWN.net: Thursday’s security advisories

Debian has updated icedove (two vulnerabilities) and libav (multiple unspecified vulnerabilities).

openSUSE has updated curl (13.1, 12.3: two cookie-handling vulnerabilities).

Oracle has updated automake (OL5: code execution from 2012), bind97 (OL5: three vulnerabilities, two from 2013), conga (OL5: multiple vulnerabilities, some going back to 2012), krb5 (OL5: code execution), krb5 (OL5: multiple vulnerabilities, two from 2013), and nss, nspr (multiple vulnerabilities, one from 2013).

SUSE has updated squid3 (SLE11SP3: denial of service).

LWN.net: [$] X and SteamOS

In a talk entitled “SteamOS Magic”, longtime X developer Keith Packard looked at the new Linux “distribution” and the effort to turn the Linux desktop into a gaming console. It turns out that, with a fairly small amount of code, Steam and SteamOS creator Valve was able to take the existing X-based desktop and turn it into a “living-room experience”.

Click below (subscribers only) for the full report from LinuxCon North America.

LWN.net: Hertzog: Freexian’s first report about Debian Long Term Support

On his blog, Raphaël Hertzog reports on the first few months of work on Debian Long Term Support (LTS). Official support for Debian 6.0 (Squeeze) ended in May and the LTS is an effort to continue the support until February 2016 (five years after the original release). Hertzog’s company, Freexian, is collecting subscriptions to pay Debian developers to work on the LTS. Reports from the two developers sponsored, Thorsten Alteholz and Holger Levsen, are also linked from the report.
“It’s worth noting that Freexian sponsored Holger’s work to fix the security tracker to support squeeze-lts. It’s my belief that using the money of our sponsors to make it easier for everybody to contribute to Debian LTS is money well spent.

As evidenced by the progress bar on Freexian’s offer page, we have not yet reached our minimal goal of funding the equivalent of a half-time position. And it shows in the results, the dla-needed.txt still shows around 30 open issues. This is slightly better than the state two months ago but we can improve a lot on the average time to push out a security update…”

(Thanks to Paul Wise.)

LWN.net: Yao: The State of ZFS on Linux

At the ClusterHQ blog, Richard Yao looks at the current status of the ZFSOnLinux (ZoL) project. He argues that ZoL is ready for production use for a number of different reasons, all of which boil down to the belief that the ZFS filesystem port to Linux has achieved the same level of data integrity, runtime stability, and features as have the other platforms where ZFS runs. “Sharing a common code base with other Open ZFS platforms has given ZFS on Linux the opportunity to rapidly implement features available on other Open ZFS platforms. At present, Illumos is the reference platform in the Open ZFS community and despite its ZFS driver having hundreds of features, ZoL is only behind on about 18 of them.”