Author Archive

LWN.net: [$] The programming talent myth

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Jacob Kaplan-Moss is known for his work on Django but, as he would describe
in his PyCon 2015 keynote, many
think he had more to do with its creation than he actually did. While his talk
ranged quite a bit, the theme covered something that software development
organizations—and open source projects—may be grappling with: a
myth about
developer performance and how it impacts the industry. It was a
thought-provoking talk that was frequently punctuated by applause; these
are the kinds of issues that the Python community tries to confront head on, so
the talk was aimed well.

LWN.net: Debian 8 “Jessie” released

Debian 8, codenamed “Jessie”, has been released. It comes with a wide array of upgraded packages including GNOME 3.14, KDE Plasma Workspaces and KDE Applications 4.11.13, Python 2.7.9 and 3.4.2, Perl 5.20.2, PHP 5.6.7, PostgreSQL 9.4.1, MariaDB 10.0.16 and MySQL 5.5.42, Linux 3.16.7-ckt9, and lots more. “With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being the universal operating system. It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, or storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian’s archive ensure that “Jessie” fulfills the high expectations that users have of a stable Debian release.”

LWN.net: Wi-Fi software security bug could leave Android, Windows, Linux open to attack (Ars Technica)

Ars Technica reports on a wpa_supplicant bug that might leave Linux and other systems open to remote code execution. The overflowing data arrives in a frame sent by a peer device, so an attacker only needs to be within wireless range of the victim.
“That’s because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information ‘is transmitted in an element that has an 8-bit length field and potential maximum payload length of 255 octets,’ [Google security team member Jouni] Malinen wrote, and the code ‘was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.’”
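
An illustration of the bug class described in the quote, as an added example in C (not wpa_supplicant’s code): an 802.11 SSID element carries an 8-bit length byte, so a parser that copies that many bytes into a fixed 32-byte field can overflow by up to 223 bytes. The struct, the element layout and the try_ssid() helper are constructed for this example; the hardened parser adds the comparison against the 32-byte limit that the advisory describes as missing, and also rejects an element whose length byte claims more bytes than were actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_ELEMENT_ID 0     /* 802.11 element ID for SSID */
#define SSID_MAX_LEN    32    /* 802.11 limit on SSID length */
#define IE_MAX_PAYLOAD  255   /* what an 8-bit length field can claim */

/* Constructed peer record (not wpa_supplicant's struct): a fixed 32-byte
 * SSID buffer followed by the kind of fields an overflow would clobber. */
struct peer {
    uint8_t ssid[SSID_MAX_LEN];
    size_t  ssid_len;
    char   *name;   /* a pointer that is freed later: the advisory's "pointer that gets freed" */
};

/* Vulnerable pattern: trusts the element's length byte (0..255) and copies
 * that many bytes into a 32-byte buffer. With a length of 255 the copy runs
 * 223 bytes past ssid[], over ssid_len and name and out of the struct.
 * Shown for contrast only; nothing in this file calls it. */
void parse_ssid_unchecked(struct peer *p, const uint8_t *ie)
{
    size_t len = ie[1];
    memcpy(p->ssid, ie + 2, len);   /* no comparison against SSID_MAX_LEN */
    p->ssid_len = len;
}

/* Hardened version: returns 0 on success, -1 if the element is malformed.
 * frame_len is the number of bytes actually received for this element, so
 * a length byte larger than the frame is rejected as well. */
int parse_ssid_checked(struct peer *p, const uint8_t *ie, size_t frame_len)
{
    if (frame_len < 2 || ie[0] != SSID_ELEMENT_ID)
        return -1;
    size_t len = ie[1];
    if (len > frame_len - 2)        /* element claims bytes the frame does not carry */
        return -1;
    if (len > SSID_MAX_LEN)         /* the check the advisory says was missing */
        return -1;
    memcpy(p->ssid, ie + 2, len);
    p->ssid_len = len;
    return 0;
}

/* Helper for experiments: build an SSID element whose length byte says
 * payload_len (filled with 'A'), hand the parser only frame_len bytes of
 * it, and return the parser's verdict. */
int try_ssid(size_t payload_len, size_t frame_len)
{
    uint8_t ie[2 + IE_MAX_PAYLOAD];
    struct peer p;
    if (payload_len > IE_MAX_PAYLOAD || frame_len > sizeof ie)
        return -2;
    memset(&p, 0, sizeof p);
    ie[0] = SSID_ELEMENT_ID;
    ie[1] = (uint8_t)payload_len;
    memset(ie + 2, 'A', payload_len);
    return parse_ssid_checked(&p, ie, frame_len);
}

int main(void)
{
    printf("32-byte SSID:      %d\n", try_ssid(32, 34));    /* accepted */
    printf("33-byte SSID:      %d\n", try_ssid(33, 35));    /* rejected */
    printf("255-byte SSID:     %d\n", try_ssid(255, 257));  /* rejected */
    printf("truncated element: %d\n", try_ssid(16, 10));    /* rejected */
    return 0;
}
```

The two checks are deliberately separate: the 32-byte comparison is what stops the heap overflow, while the frame-length comparison stops an over-read of whatever follows the element in memory, which is the same class of mistake from the other direction.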

LWN.net: Security updates for Thursday

Arch Linux has updated glibc
(code execution).

Fedora has updated chrony (F21:
three vulnerabilities), gnupg2 (F20: denial
of service), java-1.7.0-openjdk (F20:
unspecified), java-1.8.0-openjdk (F21:
unspecified), kernel (F21; F20: denial of service), ntp (F20: two vulnerabilities), python (F20: denial of service from 2013), spatialite-tools (F21: three vulnerabilities),
and sqlite (F21: three vulnerabilities).

Oracle has updated kvm (OL5: two vulnerabilities).

LWN.net: GNU Hurd 0.6 released

It has been roughly a year and a half since the last release of the GNU Hurd operating
system, so it may be of interest to some readers that GNU Hurd 0.6 has been
released along with
GNU Mach 1.5 (the microkernel that Hurd
runs on) and GNU MIG 1.5 (the Mach Interface Generator, which
generates code to handle remote procedure calls). New features include
procfs and random translators; cleanups and stylistic fixes, some of which
came from static analysis; message dispatching improvements; integer
hashing performance improvements; a split of the init server into a
startup server and an init program based on System V init; and more. “GNU Hurd runs on 32-bit x86 machines. A version running on 64-bit x86
(x86_64) machines is in progress. Volunteers interested in ports to
other architectures are sought; please contact us (see below) if you’d
like to help.

To compile the Hurd, you need a toolchain configured to target i?86-gnu;
you cannot use a toolchain targeting GNU/Linux. Also note that you
cannot run the Hurd “in isolation”: you’ll need to add further components
such as the GNU Mach microkernel and the GNU C Library (glibc), to turn
it into a runnable system.”

LWN.net: Boyer: Fedora 22 and Kernel 4.0

On his blog, Josh Boyer looks at the choice of the 4.0 kernel for Fedora 22. While the underpinnings of the live kernel patching feature have been merged, even when it is fully operational it is probably not something that Fedora (and perhaps other distributions) will use often (or at all). “In reality, we might not ever really leverage the live patching functionality in Fedora itself. It is understandable that people want to patch their kernel without rebooting, but the mechanism is mostly targeted at small bugfixes and security patches. You cannot, for example, live patch from version 4.0 to 4.1. Given that the Fedora kernel rebases both from stable kernel (e.g. 3.19.2 to 3.19.3) and major release kernels over the lifetime of a Fedora release, we don’t have much opportunity to build the live patches.”

LWN.net: Security updates for Thursday

Debian has updated gst-plugins-bad0.10 (code execution), inspircd (code execution from 2012), movabletype-opensource (code execution), and
ppp (denial of service).

Debian-LTS has updated ruby1.9.1
(three vulnerabilities).

Mageia has updated java-1.7.0-openjdk (multiple vulnerabilities),
mono (three SSL/TLS vulnerabilities), and
python-dulwich (two code execution flaws).

openSUSE has updated flash-player
(11.4: 45 vulnerabilities) and rubygem-rest-client (13.2, 13.1: plaintext
password logging).

Oracle has updated java-1.6.0-openjdk (OL5: unspecified
vulnerabilities) and java-1.7.0-openjdk
(OL5: unspecified vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple
vulnerabilities), java-1.6.0-openjdk
(RHEL5,6&7: multiple vulnerabilities), java-1.7.0-openjdk (RHEL5; RHEL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (RHEL6&7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6&7: multiple
vulnerabilities), java-1.7.0-openjdk (SL5; SL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated flash-player
(SLE11SP3: 22 vulnerabilities).

LWN.net: [$] Report from the Python Language Summit

The first half of our report from the Python Language
Summit
is now available. Subscribers can click below to access reports from five sessions held before lunch covering topics like the atomicity of Python operations, making Python 3 more attractive to developers, PyParallel, infrastructure for Python development, and Python 3 adoption. We will be adding more reports to this page as they become available.

LWN.net: [$] An update on the freedreno graphics driver

The freedreno project was
started by Rob Clark to create a free-software driver for the Adreno family
of GPUs, which are used by the Qualcomm Snapdragon system-on-chip (SoC)
family. He
presented a status report on the project, along with some history and
future plans, at
the Embedded
Linux Conference
, which was held in San Jose, CA, March 23-25.

Click below (subscribers only) for the full report from ELC 2015.

LWN.net: [$] XFS: There and back … and there again?

In a thought-provoking—and characteristically amusing—talk at the Vault conference,
Dave Chinner looked at the history
of XFS, its current status, and where the filesystem may be heading.
In keeping with the title of the talk (shared by this article), he sees
parallels in what drove the original development of XFS and what will be
driving
new filesystems.
Chinner’s vision of the future for today’s filesystems, and not just
of XFS, may be a bit surprising or controversial—possibly both.

LWN.net: [$] Mailman 3.0 to modernize mailing lists

More than a decade after its last major rewrite, the GNU Mailman mailing
list manager project aims
to release its 3.0 suite in April, during the sprints following PyCon
North America
. Mailman 3 is a major rewrite that includes a new user
membership system, a REST API, an archiver replacement for Pipermail, and a
better web interface for subscriptions and settings — but it carries with
it a few new dependencies as well. Brave system administrators can try out
the
fifth
beta version
now.

Subscribers can click below for the full story from next week’s edition.

LWN.net: Two microconferences accepted for the Linux Plumbers Conference

The 2015 Linux Plumbers Conference (LPC) has announced that two microconferences have been accepted for the event, which will be held August 19-21 in Seattle. The Checkpoint/Restart and Energy-aware scheduling and CPU power management microconferences will be held at LPC. Registration for the conference will open on March 27 and it will be co-located with LinuxCon North America, which will be held August 17-19.

LWN.net: Docker security in the future (Opensource.com)

Over at Opensource.com, Daniel Walsh writes about applying various Linux security technologies to Docker containers. In the article, he looks at using user namespaces and seccomp filters to provide better security for Docker. “One of the problems with all of the container separation modes described here and elsewhere is that they all rely on the kernel for separation. Unlike air gapped computers, or even virtual machines, the processes within the container can talk directly to the host kernel. If the host kernel has a kernel vulnerability that a container can access, they might be able to disable all of the security and break out of the container.

The x86_64 Linux kernel has over 600 system calls, a bug in any one of which could lead to a privilege escalation. Some of the system calls are seldom called, and should be eliminated from access within the container.”
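
The kind of filter Walsh is describing, as an added example in C (not code from the article or from Docker): it builds a classic-BPF seccomp program that makes a handful of rarely needed system calls fail with EPERM and allows everything else, checks the program in a small userspace interpreter, and then installs it with prctl(). The denylist, the choice of EPERM rather than killing the process, and the tiny interpreter are assumptions made for illustration; a real container profile would be far longer and would normally allow-list rather than deny-list.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

extern long syscall(long number, ...);   /* glibc's wrapper; declared here in case the headers hide it */

#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Illustrative denylist (an assumption): calls a typical container workload never needs. */
static const int denied_syscalls[] = {
    SYS_kexec_load, SYS_add_key, SYS_request_key, SYS_keyctl, SYS_personality,
    SYS_ptrace, SYS_reboot, SYS_init_module, SYS_delete_module,
};
#define NDENIED   (sizeof denied_syscalls / sizeof denied_syscalls[0])
#define MAX_INSNS (NDENIED + 6)

/* Writes the BPF program into insns (room for MAX_INSNS) and returns its length. */
size_t build_filter(struct sock_filter *insns)
{
    size_t n = 0;
    /* Syscall numbers only mean something per architecture, so check arch first and kill on mismatch. */
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* One compare per denied call; a match jumps over the remaining compares and the ALLOW to the ERRNO return. */
    for (size_t i = 0; i < NDENIED; i++)
        insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied_syscalls[i],
                                                  (unsigned char)(NDENIED - i), 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    return n;
}

/* Userspace interpreter for the three opcodes this filter uses (absolute load,
 * JEQ with immediate, RET with immediate), so a policy can be checked before it is installed. */
unsigned int simulate(const struct sock_filter *insns, size_t n, unsigned int arch, int nr)
{
    struct seccomp_data d;
    unsigned int acc = 0;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:       /* acc = 32-bit word at offset k of seccomp_data */
            if (in->k + 4 > sizeof d) return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)&d + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:      /* skip jt instructions if equal, else jf */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:                              /* opcode this toy interpreter does not model */
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;                  /* fell off the end; the kernel rejects such programs */
}

/* Verdict the filter would give for (arch, syscall number), without installing it. */
unsigned int verdict(unsigned int arch, int nr)
{
    struct sock_filter insns[MAX_INSNS];
    size_t n = build_filter(insns);
    return simulate(insns, n, arch, nr);
}

/* Installs the filter in the calling process; 0 on success, -1 on failure. */
int install_filter(void)
{
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns), .filter = insns };
    /* Required for unprivileged processes, and it stops a later setuid exec from inheriting the filter with extra privilege. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

int main(void)
{
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    /* personality(0xffffffff) is a harmless query normally; under the filter it fails with EPERM. */
    long r = syscall(SYS_personality, 0xffffffffUL);
    printf("personality() -> %ld, errno %d (EPERM is %d)\n", r, errno, EPERM);
    printf("getpid() -> %ld (still allowed)\n", (long)getpid());
    return 0;
}
```

Returning EPERM rather than SECCOMP_RET_KILL keeps a denied call visible in the application's own error handling, which makes it much easier to discover what a workload actually needs before tightening the policy; the architecture check at the top is not optional, since a filter that matches syscall numbers without it can be bypassed by switching to the 32-bit syscall ABI on a 64-bit kernel.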

LWN.net: Security updates for Thursday

OpenSSL has released updates today with two vulnerabilities of “High” severity, as described in its advisory. One of the High vulnerabilities is a reclassification of the FREAK vulnerability, due to the prevalence of servers with RSA export ciphers available; the other is a denial of service in OpenSSL 1.0.2. Note that the client-side fix does nothing for servers: a FREAK downgrade needs a server that will still negotiate an export-grade RSA key, so those cipher suites should be removed from server configurations regardless of which OpenSSL version clients run.

CentOS has updated freetype (C6:
multiple vulnerabilities) and unzip (C6:
multiple vulnerabilities).

Debian has updated file (denial
of service).

Debian-LTS has updated mono
(three SSL/TLS vulnerabilities).

Gentoo has updated python
(multiple vulnerabilities, two from 2013).

Mageia has updated moodle
(multiple vulnerabilities).

openSUSE has updated gdm (13.2:
screen lock bypass), glusterfs (13.2:
denial of service), and libssh2_org (13.2,
13.1: information leak).

Oracle has updated unzip (OL7; OL6:
multiple vulnerabilities).

Red Hat has updated postgresql92-postgresql (RHSC1: multiple
vulnerabilities) and unzip (RHEL6&7:
multiple vulnerabilities).

SUSE has updated kernel (SLE12:
multiple vulnerabilities).

LWN.net: Thursday’s security updates

Fedora has updated bind (F21; F20:
denial of service), lftp (F21:
automatically accepting ssh keys), and rubygem-actionpack (F20: two information leaks).

openSUSE has updated vsftpd
(13.2, 13.1: access restriction bypass).

Ubuntu has updated icu (14.10,
14.04, 12.04: multiple vulnerabilities, some from 2013).

LWN.net: The state of Linux gaming in the SteamOS era (Ars Technica)

Ars Technica takes a look at Linux gaming and at what effect SteamOS has had already for gaming on Linux. The article also considers the future and where SteamOS might (or might not) take things. “This all brings up another major question for SteamOS followers: how long is this “beta” going to last, exactly? While Valve has unquestionably built a viable Linux gaming market from practically nothing, the company’s lackadaisical development timeline might be holding the market back from growing even more. In the last year, the initial excitement behind the SteamOS beta launch seems to have given way to “Valve Time” malaise in some ways.”

LWN.net: Security advisories for Thursday

CentOS has updated thunderbird (C6; C5:
multiple vulnerabilities).

Debian has updated cups (code
execution), iceweasel (multiple
vulnerabilities), kfreebsd-9 (denial of
service), and libgtk2-perl (code execution).

Fedora has updated libhtp (F20:
denial of service).

Gentoo has updated samba
(multiple vulnerabilities, some from 2012 and 2013).

Mageia has updated apache-poi
(denial of service), cabextract (privilege
escalation), e2fsprogs (two code execution
flaws), firefox, thunderbird (multiple
vulnerabilities), and sympa (information disclosure).

openSUSE has updated cups (13.2,
13.1: code execution)
and snack (13.2, 13.1: code execution from 2012).

Oracle has updated firefox (OL5:
multiple vulnerabilities) and thunderbird
(OL6: multiple vulnerabilities).

Red Hat has announced that RHEL
5.9 support will end on March 31.

Scientific Linux has updated firefox (multiple vulnerabilities) and thunderbird (SL6, SL5: multiple vulnerabilities).

Slackware has updated thunderbird
(multiple vulnerabilities) and firefox
(multiple vulnerabilities).

SUSE has updated java-1_5_0-ibm
(SLE10SP4: many vulnerabilities) and java-1_6_0-ibm (SLE11SP2: two unspecified vulnerabilities).

Ubuntu has updated EC2 kernel
(10.04: two vulnerabilities), firefox
(14.10, 14.04, 12.04: many vulnerabilities), kernel (14.10; 14.04;
12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple
vulnerabilities), linux-lts-utopic (14.04:
multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

LWN.net: Ubuntu 14.04.2 LTS released + 15.04 (“Vivid Vervet”) feature freeze

Ubuntu has announced the release of the second point release for its 14.04
long-term support (LTS). 14.04.2 comes with an updated kernel and X Window
stack to support more hardware, along with “security updates and
corrections for other high-impact bugs
” all on updated installation
media “so that fewer updates will need to
be downloaded after installation
“. It is available for all of the
members of the Ubuntu clan: Kubuntu, Edubuntu, Xubuntu,
Mythbuntu, Ubuntu GNOME, Lubuntu,
Ubuntu Kylin, and Ubuntu Studio.

One other note from the Ubuntu world: a feature
freeze is in effect
for 15.04 (“Vivid Vervet”), which is due in April.

LWN.net: Green: Another update on the Truecrypt audit

On his blog, Matthew Green gives an update on the plans to audit the TrueCrypt disk encryption tool. Green led an effort in 2013 to raise money for an audit of the TrueCrypt source code, which sort of ran aground when TrueCrypt abruptly shut down in May 2014. “It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We’re now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group’s Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price — and make your donations stretch farther — we allowed the start date to be a bit flexible, which is why we don’t have results yet.”

LWN.net: Friday’s security updates

Debian has updated libreoffice
(denial of service).

Fedora has updated cups (F20:
code execution), dbus (F20: denial of
service), and freetype (F21; F20: many vulnerabilities).

Mageia has updated cpio
(privilege escalation), kernel-linus (many
vulnerabilities, two from 2013), kernel-rt
(many vulnerabilities, two from 2013), kernel-tmb (many vulnerabilities, two
from 2013), kernel-vserver (many
vulnerabilities, two from 2013), ruby-sprockets (information disclosure), sudo (information disclosure), and tomcat (HTTP request smuggling).

openSUSE has updated tigervnc
(13.2: information leak/denial of service) and xorg-x11-server (13.2, 13.1: information
leak/denial of service).

Red Hat has updated openstack-glance (access restriction bypass).

SUSE has updated java-1_7_0-openjdk (many vulnerabilities, lots
unspecified).

Ubuntu has updated nss
(TLS certificate update).

LWN.net: Security updates for Thursday

Debian has updated bind9 (denial
of service).

Debian-LTS has updated linux-2.6
(multiple vulnerabilities, one from 2013).

Fedora has updated drupal7-path_breadcrumbs (F21; F20:
access restriction bypass).

openSUSE has updated perl-YAML-LibYAML (13.2, 13.1: multiple
vulnerabilities, one each from 2013 and 2012) and php5 (13.2, 13.1: multiple vulnerabilities).

SUSE has updated xntp (SLE10SP4:
multiple vulnerabilities).

Ubuntu has updated bind9 (14.10,
14.04, 12.04: denial of service).

LWN.net: FreeBSD random number generator broken for last 4 months

As several LWN readers have pointed out, John-Mark Gurney posted a message to the freebsd-current mailing list on February 17 noting that the random number generator (RNG) in the FreeBSD “current” kernel has been broken for the last four months. “If you are running a current kernel r273872 or later, please upgrade
your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling
randomdev_init_reader, which means that read_random(9) was not returning
good random data. read_random(9) is used by arc4random(9) which is
the primary method that arc4random(3) is seeded from.

This means most/all keys generated may be predictable and must be
regenerated. This includes, but not limited to, ssh keys and keys
generated by openssl. This is purely a kernel issue, and a simple
kernel upgrade w/ the patch is sufficient to fix the issue.”

LWN.net: Linux for Astronomers (Linux Journal)

Over at Linux Journal, Joey Bernard looks at Distro Astro, which is a Linux distribution for astronomy. It collects programs of interest to those running telescopes and planetariums, including various image collection and processing applications.
“After aiming your telescope, you need to collect some images or do some astrophotography. While you can do some of this with software like KStars, you have software specifically designed to do image capture. Some, like wxAstroCapture, are specifically written for use in astronomy. With it, you can set up automatic guiding and batch image collection. You then can go have a nice hot cup of coffee while your telescope collects your data. To help you keep track of all of these observations, you can use the Observation Manager, a logging program to maintain your records.”

LWN.net: Security advisories for Thursday

Debian has updated dbus (denial
of service) and xorg-server (information
leak/denial of service).

Debian-LTS has updated postgresql-8.4 (multiple vulnerabilities).

Mageia has updated chromium-browser-stable (multiple
vulnerabilities), e2fsprogs (code
execution), hivex (privilege escalation),
ntp (two vulnerabilities), owasp-esapi-java (crypto botch from 2013), perl-Gtk2 (code execution), and xdg-utils (code execution).

Mandriva has updated e2fsprogs
(code execution), elfutils (privilege
escalation), ntp (two vulnerabilities), perl-Gtk2 (code execution), and postgresql (multiple vulnerabilities).

openSUSE has updated jython
(13.2, 13.1: code execution from 2013).

Oracle has updated kernel (OL5:
two vulnerabilities) and kernel (OL5:
unspecified vulnerabilities).

Scientific Linux has updated subversion (SL7: three vulnerabilities).

SUSE has updated krb5 (SLE11SP3: multiple vulnerabilities) and ntp (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated postgresql-8.4,
postgresql-9.1, postgresql-9.3, postgresql-9.4
(multiple vulnerabilities).

LWN.net: Linux Plumbers Conference call for proposals

The calls for proposals (CFPs) for Linux Plumbers Conference microconferences and refereed track presentations are now up. The conference will be held August 19-21 in Seattle, WA, co-located (and overlapping one day) with LinuxCon North America.