Author Archive

LWN.net: Security advisories for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated openssl (C5: three vulnerabilities).

Debian-LTS has updated unattended-upgrades (improper package authentication).

LWN.net: [$] News and updates from DockerCon 2015

DockerCon on June 22 and 23 was a much bigger affair than CoreOSFest or ContainerCamp was. DockerCon rented out the San Francisco Marriott for the event; the keynote ballroom seats 2000. That’s a pretty dramatic change from the first DockerCon last year, with roughly 500 attendees; it shows the huge growth of interest in Linux containers. Or maybe, given that it’s Silicon Valley, what you’re seeing is the magnetic power of $95 million in round-C funding.

Subscribers can click below for a report from DockerCon by guest author Josh Berkus.

LWN.net: Ardour 4.1 released

Version 4.1 of the Ardour digital audio workstation software has been released. There are some new features in the release including input gain control, support for capture-only and playback-only devices, a real “Save As” option (with the old option being renamed to “Snapshot (& switch to new version)”), and allowing plugins to be reordered and meter positions to change without adding a click into the audio. There are also lots of user interface changes, including better High-DPI support. “This release contains several new features, both internally and in the user interface, and a slew of bug fixes worthy of your attention. Encouragingly, we also have one of our longest ever contributor lists for this release.

We had hoped to be on a roughly monthly release cycle after the release of 4.0, but collaborations with other organizations delayed 4.1 by nearly a month.”

LWN.net: Thursday’s security updates

CentOS has updated nss (C7; C6: cipher downgrade) and nss-util (C7; C6: cipher downgrade).

Debian has updated cacti (three vulnerabilities).

Fedora has updated xen (F20: multiple vulnerabilities).

Oracle has updated kernel 2.6.39 (OL6; OL5: two vulnerabilities), kernel 3.8.13 (OL7; OL6: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: two vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), flash-plugin (RHEL5&6: code execution), nss (RHEL6&7: cipher downgrade), php55-php (RHSC2: multiple vulnerabilities), and rh-php56-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated libreswan (SL7: denial of service) and php (SL7: multiple vulnerabilities).

SUSE has updated IBM Java (SLE10SP4: multiple vulnerabilities) and Java (SLE11SP2: multiple vulnerabilities).

Ubuntu has updated python2.7, python3.2, python3.4 (14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013), tomcat6 (12.04: three vulnerabilities), and tomcat7 (15.04, 14.10, 14.04: multiple vulnerabilities).

LWN.net: [$] A report from PGCon 2015

PGCon 2015, the PostgreSQL international developer conference, took place in Ottawa, Canada from June 16 to 20. This PGCon involved a change in format from prior editions, with a “developer unconference” in the two days before the main conference program. Both the conference and the unconference covered a wide range of topics, many of them related to horizontal or vertical scaling, or to new PostgreSQL features.

Subscribers can click below for a report from the conference from guest author Josh Berkus.

LWN.net: The long ARM of Linux: Red Hat Enterprise Linux Server for ARM Development Preview (Red Hat Blog)

In a post on the Red Hat Blog, the company has announced a version of Red Hat Enterprise Linux (RHEL) for ARM development. “Today, we are making the Red Hat Enterprise Linux Server for ARM Development Preview 7.1 available to all current and future members of the Red Hat ARM Partner Early Access Program as well as their end users as an unsupported development platform, providing a common standards-based operating system for existing 64-bit ARM hardware. Beyond this release, we plan to continue collaborating with our partner ISVs and OEMs, end users, and the broader open source community to enhance and refine the platform to ultimately work with the next generation of ARM-based designs.” Jon Masters, who is the technical lead for the project, has a lengthy Google+ post about the project and its history over the last 4+ years.

LWN.net: Security updates for Thursday

CentOS has updated cups (C7; C6: three vulnerabilities).

Debian has updated kernel (three vulnerabilities).

Debian-LTS has updated linux-2.6 (multiple vulnerabilities going back to 2011) and openssl (multiple vulnerabilities).

Fedora has updated mbedtls (F20: code execution), python-requests (F21: cookie stealing), and python-urllib3 (F21: proper openssl support).

openSUSE has updated busybox (13.2, 13.1: code execution) and strongswan (13.2, 13.1: information disclosure).

Oracle has updated cups (OL7; OL6: three vulnerabilities).

Red Hat has updated cups (RHEL6&7: three vulnerabilities).

Scientific Linux has updated cups (SL6&7: three vulnerabilities).

LWN.net: [$] LWN.net Weekly Edition for June 18, 2015

The LWN.net Weekly Edition for June 18, 2015 is available.

LWN.net: [$] Micro Python on the pyboard

A 2013 Kickstarter project brought us Micro Python, which is a version of Python 3 for microcontrollers, along with the pyboard to run it on. Micro Python is a complete rewrite of the interpreter that avoids some of the CPython (the canonical Python interpreter written in C) implementation details that don’t work well on microcontrollers. I recently got my hands on a pyboard and decided to give it—and Micro Python—a try.

LWN.net: The hidden costs of embargoes (Red Hat Security Blog)

Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping the information about security vulnerabilities quiet until distributions can coordinate their releases of a fix for it seems like it makes a lot of sense, but there are hidden costs to that. “Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for ‘because of an incomplete fix for’.”

LWN.net: Security advisories for Thursday

CentOS has updated kernel (C6: multiple vulnerabilities) and qemu-kvm (C6: code execution).

Debian-LTS has updated wireshark (WCP dissector crash).

Fedora has updated cabal-install (F22: force digest authentication), freecad (F22: code execution), fusionforge (F22; F21: code execution), haskell-platform (F22: force digest authentication), less (F21: information leak), libreswan (F22; F21: denial of service), python-tornado (F21: TLS side-channel attack), and thermostat (F21: code execution).

openSUSE has updated proftpd (13.2, 13.1: two vulnerabilities, one from 2013), wpa_supplicant (13.2, 13.1: three vulnerabilities), and zeromq (13.2, 13.1: protocol downgrade).

Oracle has updated qemu-kvm (OL6: code execution) and kernel (OL6; OL5: three vulnerabilities).

Red Hat has updated qemu-kvm (RHEL6: code execution) and qemu-kvm-rhev (RHEL6OSP: code execution).

Scientific Linux has updated abrt (SL7: multiple vulnerabilities) and qemu-kvm (SL6: code execution).

Ubuntu has updated kernel (15.04; 14.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: two vulnerabilities), linux-lts-vivid (14.04: three vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

LWN.net: Let’s Encrypt Root and Intermediate Certificates

The Let’s Encrypt project has announced that it has created the root and intermediate keys and certificates it will use to sign certificates. Let’s Encrypt is the no-cost certificate authority announced by the Electronic Frontier Foundation (EFF) back in November. In April, the Linux Foundation announced that it would be hosting the project. “The keys and certificates that will underlie Let’s Encrypt have been generated. This was done during a key ceremony at a secure facility today.” The intermediate certificates will be cross-signed by IdenTrust so that they will be accepted by browsers before the Let’s Encrypt root certificate has been propagated. A bit more news from the blog post: “In the next few weeks, we’ll be saying some more about our plans for going live.”

LWN.net: Security updates for Friday

Arch Linux has updated pcre (code execution).

CentOS has updated openssl (C7; C6: cipher downgrade).

Fedora has updated batik (F22; F21; F20: information leak), netty (F21: httpOnly cookie bypass), and pcs (F22; F21; F20: two vulnerabilities).

openSUSE has updated e2fsprogs (13.2; 13.1: two vulnerabilities) and fuse (13.1: privilege escalation).

Oracle has updated openssl (OL7; OL6: cipher downgrade).

Red Hat has updated openssl (RHEL6&7: cipher downgrade).

LWN.net: GNU Octave 4.0.0 Released

GNU Octave, which is a high-level programming language for numerical computations that is largely compatible with MATLAB, has made its 4.0 release. There are lots of new features in this major release, which are described in the release notes. Some of those features include defaulting to the graphical user interface instead of the command-line interface, OpenGL graphics and Qt widgets by default, a new syntax for object-oriented programming using classdef, audio functions, better MATLAB compatibility, and more.

LWN.net: Thursday’s security alerts

Debian has updated libapache-mod-jk (information disclosure).

Debian-LTS has updated mercurial (two code execution flaws).

Oracle has updated kernel (OL5: unspecified vulnerabilities).

Red Hat has updated php54 (RHSC6&7: multiple vulnerabilities), php55 (RHSC6&7: multiple vulnerabilities), python27 (RHSC6&7: multiple vulnerabilities, two from 2013), and thermostat1 (RHSC6&7: code execution).

Ubuntu has updated t1utils (14.10, 14.04: code execution).

LWN.net: Security updates for Thursday

Arch Linux has updated curl (information leak).

Debian-LTS has updated dulwich (code execution), eglibc (code execution), exactimage (denial of service), and libnokogiri-ruby (information disclosure from 2012).

Fedora has updated ca-certificates (F20: CA update), hostapd (F21; F20: denial of service), java-1.8.0-openjdk (F20: insecure tmp file use), LibRaw (F21: denial of service), mingw-LibRaw (F21: denial of service), openslp (F20: two denial of service flaws, one from 2010, one from 2012), php (F21; F20: multiple vulnerabilities), postgresql (F22: three vulnerabilities), and rawtherapee (F22: denial of service).

Mageia has updated fuse (privilege escalation), kernel-linus (denial of service), and kernel-tmb (denial of service).

openSUSE has updated glibc, glibc-testsuite, glibc-utils, glibc.i686 (13.2, 13.1: two vulnerabilities).

SUSE has updated firefox (SLE12: multiple vulnerabilities).

LWN.net: Announcing qboot, a minimal x86 firmware for QEMU

The announcement of Clear Containers (which guest author Arjan van de Ven described in an LWN article from this week) seems to have sparked some interesting work on QEMU that resulted in qboot: “a minimal x86 firmware that runs on QEMU and, together with a slimmed-down QEMU configuration, boots a virtual machine in 40 milliseconds on an Ivy Bridge Core i7 processor.” Paolo Bonzini announced the project (code is available at git://github.com/bonzini/qboot.git), which is quite new: “The first commit to qboot is more or less 24 hours old, so there is definitely more work to do, in particular to extract ACPI tables from QEMU and present them to the guest. This is probably another day of work or so, and it will enable multiprocessor guests with little or no impact on the boot times. SMBIOS information is also available from QEMU.”

LWN.net: Security advisories for Thursday

Debian has updated libmodule-signature-perl (multiple vulnerabilities).

Debian-LTS has updated dnsmasq (information disclosure).

Fedora has updated wordpress (F21; F20: three vulnerabilities).

Oracle has updated docker (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities, one from 2005) and java-1.7.1-ibm (RHEL6&7: multiple vulnerabilities, one from 2005).

SUSE has updated gstreamer-0_10-plugins-bad (SLE11SP3: code execution) and xen (SLE12: multiple vulnerabilities).

LWN.net: Hardening Hypervisors Against VENOM-Style Attacks (Xen Project Blog)

The Xen Project looks at a mechanism to mitigate vulnerabilities like VENOM that attack emulation layers in QEMU. “The good news is it’s easy to mitigate all present and future QEMU bugs, which the recent Xen Security Advisory emphasized as well. Stubdomains can nip the whole class of vulnerabilities exposed by QEMU in the bud by moving QEMU into a de-privileged domain of its own. Instead of having QEMU run as root in dom0, a stubdomain has access only to the VM it is providing emulation for. Thus, an escape through QEMU will only land an attacker in a stubdomain, without access to critical resources. Furthermore, QEMU in a stubdomain runs on MiniOS, so an attacker would only have a very limited environment to run code in (as in return-to-libc/ROP-style), having exactly the same level of privilege as in the domain where the attack started. Nothing is to be gained for a lot of work, effectively making the system as secure as it would be if only PV drivers were used.” The Red Hat Security Blog also noted this kind of mitigation for VENOM-style attacks.

LWN.net: 3 big lessons I learned from running an open source company (Opensource.com)

Over at Opensource.com, Lucidworks co-founder and CTO Grant Ingersoll writes about lessons he has learned from running an open-source company. “You might ask, ‘Why not open source it all and just provide support?’ It’s a fair question and one I think every company that open sources code struggles to answer, unless they are a data company (e.g., LinkedIn, Facebook), a consulting company, or a critical part of everyone’s infrastructure (e.g., operating systems) and can live off of support alone. Many companies start by open sourcing to gain adoption and then add commercial features (and get accused of selling out), whereas others start commercial and then open source. Internally, the sales side almost always wants ‘something extra’ that they can hang their quota on, while the engineers often want it all open because they know they can take their work with them.”

LWN.net: Thursday’s security updates

Arch Linux has updated qemu (code execution).

CentOS has updated firefox (C5: multiple vulnerabilities), kernel (C7: code execution), kvm (C5: code execution), qemu-kvm (C7; C6: code execution), and xen (C5: code execution).

Debian has updated iceweasel (multiple vulnerabilities) and qemu (multiple vulnerabilities).

Debian-LTS has updated icu (multiple vulnerabilities, some from 2013).

Fedora has updated ca-certificates (F21: certificate changes), firefox (F21: multiple vulnerabilities), gnutls (F21: signature algorithm verification botch), libssh (F21: denial of service), and thunderbird (F21: two vulnerabilities).

Mageia has updated darktable (denial of service), kernel-linus (three vulnerabilities), kernel-tmb (multiple vulnerabilities), libraw (denial of service), qemu (code execution), rawtherapee (denial of service), ufraw and dcraw (denial of service), and wireshark (three dissector vulnerabilities).

Oracle has updated firefox (OL6: multiple vulnerabilities), kvm (OL5: denial of service), qemu-kvm (OL7; OL6: code execution), kernel (OL7; OL6; OL6; OL5: multiple vulnerabilities), and xen (OL5: code execution).

Scientific Linux has updated firefox (SL7, SL6, SL5: multiple vulnerabilities), kernel (SL7: code execution), kexec-tools (SL7: arbitrary file overwrite), pcs (SL7; SL6: privilege escalation), qemu-kvm (SL7; SL6: code execution), tomcat (SL7: HTTP request smuggling), and tomcat6 (SL6: HTTP request smuggling).

SUSE has updated kvm (SLE11SP3: denial of service).

Ubuntu has updated firefox (multiple vulnerabilities) and qemu, qemu-kvm (three vulnerabilities).

LWN.net: [$] CoreOS Fest and the world of containers, part 1

It’s been a Linux container bonanza in San Francisco recently, and that includes a series of events and announcements from multiple startups and cloud hosts. It seems like everyone is fighting for a piece of what they hope will be a new multi-billion-dollar market. This included Container Camp on April 17 and CoreOS Fest on May 5th and 6th, with DockerCon to come near the end of June. While there is a lot of hype, the current container gold rush has yielded more than a few benefits for users — and caused technological development so rapid it is hard to keep up with.

Subscribers can click below for a report by guest author Josh Berkus from this week’s edition.

LWN.net: Stable kernels 3.10.77, 3.14.41, 3.19.7, and 4.0.2

Greg Kroah-Hartman has released the latest batch of stable kernels: 3.10.77, 3.14.41, 3.19.7, and 4.0.2. As usual, they contain fixes all over the tree and users should upgrade.

LWN.net: How OpenStack gets translated (Opensource.com)

Over at Opensource.com, one of the translators for OpenStack, Łukasz Jernaś, is interviewed about the process of translating a large project like OpenStack. “How does OpenStack’s release cycle play into the translation process? Is it manageable to get translations done on a six-month release cycle?

Most of the work gets done after the string freeze period, which happens around a month before the release, with a lot of it being completed after getting the first release candidate out of the window. Documentation is translated during the entire cycle, as many parts are common between releases and can be deployed independently to the releases. So we don’t have to focus that much on deadlines, as it’s available online all the time and not prepackaged and pushed out to users and distributions. Of course, having a month to do the translations can be cumbersome, depending on the team doing the translation (some do that part time, some people in their spare time), and how many developers push out new strings during the string freeze.”