Author Archive

LWN.net: Thursday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Fedora has updated bind (F21; F20: denial of service), lftp (F21: automatically accepting ssh keys), and rubygem-actionpack (F20: two information leaks).

openSUSE has updated vsftpd (13.2, 13.1: access restriction bypass).

Ubuntu has updated icu (14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013).

LWN.net: The state of Linux gaming in the SteamOS era (Ars Technica)

Ars Technica takes a look at Linux gaming and at what effect SteamOS has had already for gaming on Linux. The article also considers the future and where SteamOS might (or might not) take things. “This all brings up another major question for SteamOS followers: how long is this “beta” going to last, exactly? While Valve has unquestionably built a viable Linux gaming market from practically nothing, the company’s lackadaisical development timeline might be holding the market back from growing even more. In the last year, the initial excitement behind the SteamOS beta launch seems to have given way to “Valve Time” malaise in some ways.”

LWN.net: Security advisories for Thursday

CentOS has updated thunderbird (C6; C5: multiple vulnerabilities).

Debian has updated cups (code execution), iceweasel (multiple vulnerabilities), kfreebsd-9 (denial of service), and libgtk2-perl (code execution).

Fedora has updated libhtp (F20: denial of service).

Gentoo has updated samba (multiple vulnerabilities, some from 2012 and 2013).

Mageia has updated apache-poi (denial of service), cabextract (privilege escalation), e2fsprogs (two code execution flaws), firefox, thunderbird (multiple vulnerabilities), and sympa (information disclosure).

openSUSE has updated cups (13.2, 13.1: code execution) and snack (13.2, 13.1: code execution from 2012).

Oracle has updated firefox (OL5: multiple vulnerabilities) and thunderbird (OL6: multiple vulnerabilities).

Red Hat has announced that RHEL 5.9 support will end on March 31.

Scientific Linux has updated firefox (multiple vulnerabilities) and thunderbird (SL6, SL5: multiple vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities) and firefox (multiple vulnerabilities).

SUSE has updated java-1_5_0-ibm (SLE10SP4: many vulnerabilities) and java-1_6_0-ibm (SLE11SP2: two unspecified vulnerabilities).

Ubuntu has updated EC2 kernel (10.04: two vulnerabilities), firefox (14.10, 14.04, 12.04: many vulnerabilities), kernel (14.10; 14.04; 12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

LWN.net: Ubuntu 14.04.2 LTS released + 15.04 (“Vivid Vervet”) feature freeze

Ubuntu has announced the second point release for its 14.04 long-term support (LTS) series. 14.04.2 comes with an updated kernel and X Window stack to support more hardware, along with “security updates and corrections for other high-impact bugs”, all on updated installation media “so that fewer updates will need to be downloaded after installation”. It is available for all of the members of the Ubuntu clan: Kubuntu, Edubuntu, Xubuntu, Mythbuntu, Ubuntu GNOME, Lubuntu, Ubuntu Kylin, and Ubuntu Studio.

One other note from the Ubuntu world: a feature freeze is in effect for 15.04 (“Vivid Vervet”), which is due in April.

LWN.net: Green: Another update on the Truecrypt audit

On his blog, Matthew Green gives an update on the plans to audit the TrueCrypt disk encryption tool. Green led an effort in 2013 to raise money for an audit of the TrueCrypt source code, which sort of ran aground when TrueCrypt abruptly shut down in May 2014. “It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We’re now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group’s Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price — and make your donations stretch farther — we allowed the start date to be a bit flexible, which is why we don’t have results yet.”

LWN.net: Friday’s security updates

Debian has updated libreoffice (denial of service).

Fedora has updated cups (F20: code execution), dbus (F20: denial of service), and freetype (F21; F20: many vulnerabilities).

Mageia has updated cpio (privilege escalation), kernel-linus (many vulnerabilities, two from 2013), kernel-rt (many vulnerabilities, two from 2013), kernel-tmb (many vulnerabilities, two from 2013), kernel-vserver (many vulnerabilities, two from 2013), ruby-sprockets (information disclosure), sudo (information disclosure), and tomcat (HTTP request smuggling).

openSUSE has updated tigervnc (13.2: information leak/denial of service) and xorg-x11-server (13.2, 13.1: information leak/denial of service).

Red Hat has updated openstack-glance (access restriction bypass).

SUSE has updated java-1_7_0-openjdk (many vulnerabilities, lots unspecified).

Ubuntu has updated nss (TLS certificate update).

LWN.net: Security updates for Thursday

Debian has updated bind9 (denial of service).

Debian-LTS has updated linux-2.6 (multiple vulnerabilities, one from 2013).

Fedora has updated drupal7-path_breadcrumbs (F21; F20: access restriction bypass).

openSUSE has updated perl-YAML-LibYAML (13.2, 13.1: multiple vulnerabilities, one each from 2013 and 2012) and php5 (13.2, 13.1: multiple vulnerabilities).

SUSE has updated xntp (SLE10SP4: multiple vulnerabilities).

Ubuntu has updated bind9 (14.10, 14.04, 12.04: denial of service).

LWN.net: FreeBSD random number generator broken for last 4 months

As several LWN readers have pointed out, John-Mark Gurney posted a message to the freebsd-current mailing list on February 17 noting that the random number generator (RNG) in the FreeBSD “current” kernel has been broken for the last four months. “If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. read_random(9) is used by arc4random(9) which is the primary method that arc4random(3) is seeded from.

This means most/all keys generated may be predictable and must be regenerated. This includes, but is not limited to, ssh keys and keys generated by openssl. This is purely a kernel issue, and a simple kernel upgrade w/ the patch is sufficient to fix the issue.”
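What Gurney describes is a seeding failure, not a weak algorithm: the reader behind read_random(9) was never keyed from the harvested entropy, so it started from the same state on every boot, and every consumer of arc4random(9) (and therefore of arc4random(3), which is seeded from it) received predictable output. The C model below is an added example and is not FreeBSD's random(4) code; the reader structure, the pool layout and the splitmix64 generator are stand-ins chosen here (splitmix64 is deterministic and not cryptographic, which is all the demonstration needs). It boots two hosts with different entropy, once along the unseeded path and once along the seeded one, and compares the first 32 bytes each hands out; it also shows the fail-closed check that would have turned the missing init call into an error rather than a silent stream of predictable keys.

```c
/*
 * Added example: a model of the seeding bug in the message above, not
 * FreeBSD's random(4) code. A "reader" serves read_random(); its state is
 * all zeros until randomdev_init_reader copies key material from the
 * harvested entropy pool. The buggy boot path builds the reader and never
 * seeds it, so every boot produces the same byte stream.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t bytes[32]; } entropy_pool;   /* harvested entropy (model) */

typedef struct {
    uint64_t state;      /* zero until initialised */
    int initialised;
} reader;

/* splitmix64 step: deterministic given the state; stand-in for the real cipher. */
static uint64_t next_u64(reader *r)
{
    uint64_t z = (r->state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Key the reader from the pool: the call the new framework code forgot to make. */
static void randomdev_init_reader_model(reader *r, const entropy_pool *pool)
{
    memcpy(&r->state, pool->bytes, sizeof r->state);
    r->initialised = 1;
}

/* Boot path before the fix: reader allocated, entropy harvested, reader never seeded. */
static void boot_buggy(reader *r, const entropy_pool *pool)
{
    memset(r, 0, sizeof *r);
    (void)pool;
}

/* Boot path after the fix: the init call happens before the reader serves anyone. */
static void boot_fixed(reader *r, const entropy_pool *pool)
{
    memset(r, 0, sizeof *r);
    randomdev_init_reader_model(r, pool);
}

/* read_random(9) as it behaved: hands out whatever the reader produces. */
static void read_random_model(reader *r, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i += 8) {
        uint64_t v = next_u64(r);
        memcpy(out + i, &v, n - i < 8 ? n - i : 8);
    }
}

/* Fail-closed variant: refuse to serve an unseeded reader (returns -1). */
static int read_random_checked(reader *r, uint8_t *out, size_t n)
{
    if (!r->initialised)
        return -1;
    read_random_model(r, out, n);
    return 0;
}

/* Two boots with different (constructed) entropy: 1 if they handed out identical key bytes. */
static int boots_collide(int fixed)
{
    entropy_pool a, b;
    reader ra, rb;
    uint8_t ka[32], kb[32];

    for (int i = 0; i < 32; i++) {   /* constructed, distinct pools */
        a.bytes[i] = (uint8_t)(i * 7 + 3);
        b.bytes[i] = (uint8_t)(0xA5 ^ i);
    }
    (fixed ? boot_fixed : boot_buggy)(&ra, &a);
    (fixed ? boot_fixed : boot_buggy)(&rb, &b);
    read_random_model(&ra, ka, sizeof ka);
    read_random_model(&rb, kb, sizeof kb);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* 1 if the fail-closed read refuses an unseeded reader and serves a seeded one. */
static int fail_closed_works(void)
{
    entropy_pool p;
    reader r;
    uint8_t out[16];

    memset(p.bytes, 0x42, sizeof p.bytes);
    boot_buggy(&r, &p);
    int refused = read_random_checked(&r, out, sizeof out) == -1;
    boot_fixed(&r, &p);
    int served = read_random_checked(&r, out, sizeof out) == 0;
    return refused && served;
}

int main(void)
{
    printf("buggy boot: two hosts got %s key bytes\n", boots_collide(0) ? "identical" : "different");
    printf("fixed boot: two hosts got %s key bytes\n", boots_collide(1) ? "identical" : "different");
    printf("fail-closed read_random: %s\n", fail_closed_works() ? "ok" : "broken");
    return 0;
}
```

The collision in the buggy path is the whole story behind "regenerate keys": any key derived on an affected kernel came from a stream another machine could reproduce, so patching the kernel restores future randomness but does nothing for material already generated. The fail-closed check is the defensive addition; an interface that refuses to serve until seeded fails loudly at boot instead of four months later.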

LWN.net: Linux for Astronomers (Linux Journal)

Over at Linux Journal, Joey Bernard looks at Distro Astro, which is a Linux distribution for astronomy. It collects programs of interest to those running telescopes and planetariums, including various image collection and processing applications.
“After aiming your telescope, you need to collect some images or do some astrophotography. While you can do some of this with software like KStars, you have software specifically designed to do image capture. Some, like wxAstroCapture, are specifically written for use in astronomy. With it, you can set up automatic guiding and batch image collection. You then can go have a nice hot cup of coffee while your telescope collects your data. To help you keep track of all of these observations, you can use the Observation Manager, a logging program to maintain your records.”

LWN.net: Security advisories for Thursday

Debian has updated dbus (denial of service) and xorg-server (information leak/denial of service).

Debian-LTS has updated postgresql-8.4 (multiple vulnerabilities).

Mageia has updated chromium-browser-stable (multiple vulnerabilities), e2fsprogs (code execution), hivex (privilege escalation), ntp (two vulnerabilities), owasp-esapi-java (crypto botch from 2013), perl-Gtk2 (code execution), and xdg-utils (code execution).

Mandriva has updated e2fsprogs (code execution), elfutils (privilege escalation), ntp (two vulnerabilities), perl-Gtk2 (code execution), and postgresql (multiple vulnerabilities).

openSUSE has updated jython (13.2, 13.1: code execution from 2013).

Oracle has updated kernel (OL5: two vulnerabilities) and kernel (OL5: unspecified vulnerabilities).

Scientific Linux has updated subversion (SL7: three vulnerabilities).

SUSE has updated krb5 (SLE11SP3: multiple vulnerabilities) and ntp (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated postgresql-8.4, postgresql-9.1, postgresql-9.3, postgresql-9.4 (multiple vulnerabilities).

LWN.net: Linux Plumbers Conference call for proposals

The calls for proposals (CFPs) for Linux Plumbers Conference microconferences and refereed track presentations are now up. The conference will be held August 19-21 in Seattle, WA, co-located (and overlapping one day) with LinuxCon North America.

LWN.net: GCC5 and the C++11 ABI (Red Hat developer blog)

A post at the Red Hat developer blog looks at some of the changes that are coming with GCC5. Support for the C++11 standard means that some standard library classes need to change their ABI, notably std::basic_string and std::list. The post looks at how the change has been handled and what programmers need to do to deal with the changes.
“The last time G++ went through an ABI change, back in the 3.x period, we changed the soname of libstdc++, which was widely regarded as a mistake. Changing the soname caused a lot of pain but is not sufficient to deal with changes in symbol ABIs: if you load multiple shared objects that depend on different versions of the library, you can still get clashes between different versions of the same symbol.

So the plan for this ABI change has been to leave the soname (and the existing binary interface) alone, and express the new ABI using different mangled names.”

LWN.net: Thursday’s security advisories

Fedora has updated maradns (F21: denial of service) and patch (F21: two vulnerabilities).

Ubuntu has updated file (three vulnerabilities) and python-django (12.04, 10.04: regression in previous security fix).

LWN.net: Plasma 5.2 Is Beautiful and Featureful (KDE.News)

We are a bit late in noting that KDE released Plasma 5.2 on January 27. This KDE.News article gives a tour of the desktop that will be featured in upcoming Kubuntu and Fedora KDE spin releases (and probably other distributions as well). There are lots of new features and bug fixes in the release; see the changelog for all the details. “In the screen locker we improved the integration with logind to ensure the screen is properly locked before suspend. The background of the lock screen can be configured. Internally this uses part of the Wayland protocol which is the future of the Linux desktop.

There are improvements in the handling of multiple monitors. The detection code for multiple monitors got ported to use the XRandR extension directly and multiple bugs related to it were fixed.”

LWN.net: Security updates for Thursday

CentOS has updated kernel (C6: two vulnerabilities) and libyaml (C6: denial of service).

Debian has updated virtualbox (two denial of service flaws with no details).

Debian-LTS has updated jasper (two vulnerabilities), libksba (denial of service), privoxy (three vulnerabilities), python-django (multiple vulnerabilities), and rpm (multiple vulnerabilities, some from 2012 and 2013).

Fedora has updated drupal7-context (F21; F20: open redirect), suricata (F21; F20: denial of service), and unzip (F21: unspecified impact).

openSUSE has updated flash-player (12.3: multiple vulnerabilities), git (13.2, 13.1: code execution), glibc (11.4: code execution), and libpng16 (13.2, 13.1: two vulnerabilities).

Oracle has updated kernel (OL7; OL6: multiple vulnerabilities) and libyaml (OL7; OL6: denial of service).

Red Hat has updated glibc (RHEL4: code execution), kernel (RHEL7: multiple vulnerabilities), libyaml (RHEL6&7: denial of service), and ntp (RHEL6.5: multiple code execution flaws).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and libyaml (SL6&7: denial of service).

Slackware has updated glibc (code execution).

SUSE has updated firefox (SLE11SP2, SLE11SP1; SLE10SP4: multiple vulnerabilities) and flash-player (SLE11SP3: multiple vulnerabilities).

LWN.net: [$] LWN.net Weekly Edition for January 29, 2015

The LWN.net Weekly Edition for January 29, 2015 is available.

LWN.net: Highly critical “Ghost” allowing code execution affects most Linux systems (Ars Technica)

Ars Technica has a report on GHOST, which is a critical vulnerability found in the GNU C library (glibc).
“The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that’s invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections.” While the proof-of-concept used Exim, a wide variety of client and server programs call gethostbyname*(), often at the behest of a remote system (or attacker). Distributions have started putting out updates; users and administrators should plan on updating as soon as possible.
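The overflow Ars describes is a size-computation bug: __nss_hostname_digits_dots() builds a hostent record (an address, a NULL-terminated list of address pointers, an alias pointer, and the name itself) inside the buffer the caller supplied, and the pre-fix check of whether that buffer was large enough left the alias pointer out of the sum, so a purely numeric name of exactly the right length pushed the final copy sizeof(char *) bytes past the end. The C model below is an added example and is not code from the original post or from glibc; the record layout, the 64-byte probe buffer and the canary placed after it are simplifications chosen here so the arithmetic is visible. It runs the same bounds check both ways and reports which one lets the copy cross the buffer boundary.

```c
/*
 * Added example: a model of the GHOST size arithmetic, not glibc's code.
 * The record layout is a simplified stand-in for what
 * __nss_hostname_digits_dots() writes into the caller's buffer; what it
 * preserves is that the vulnerable size check omits the alias pointer.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes the record needs. `fixed` adds the alias pointer that the patch added. */
static size_t size_needed(const char *name, int fixed)
{
    size_t n = sizeof(uint32_t)        /* one IPv4 address (stand-in for in_addr) */
             + 2 * sizeof(char *)      /* h_addr_ptrs: address pointer + NULL */
             + strlen(name) + 1;       /* the name string */
    if (fixed)
        n += sizeof(char *);           /* h_alias_ptr, missing before the fix */
    return n;
}

/*
 * Writes the record into buf. Returns ERANGE when the bounds check rejects
 * the request, 0 otherwise. With fixed == 0 the check admits names that are
 * sizeof(char *) bytes too long, and the final memcpy runs past buflen.
 */
static int digits_dots_model(const char *name, char *buf, size_t buflen, int fixed)
{
    if (buflen < size_needed(name, fixed))
        return ERANGE;

    size_t off = 0;
    uint32_t addr = 0;                       /* would be inet_aton()'s result */
    char *addr_ptrs[2] = { buf, NULL };
    char *alias_ptr = NULL;

    memcpy(buf + off, &addr, sizeof addr);           off += sizeof addr;
    memcpy(buf + off, addr_ptrs, sizeof addr_ptrs);  off += sizeof addr_ptrs;
    memcpy(buf + off, &alias_ptr, sizeof alias_ptr); off += sizeof alias_ptr;
    memcpy(buf + off, name, strlen(name) + 1);       /* crosses buflen when !fixed */
    return 0;
}

/*
 * Canary probe: a region declared to the callee as BUFLEN bytes, with a
 * marker stored immediately after it in the same allocation (so the spill
 * is observable without undefined behaviour). Returns 1 if the marker was
 * overwritten, 0 if the bounds check held. The name length is chosen so
 * the flawed size computation fits BUFLEN exactly.
 */
static int canary_clobbered(int fixed)
{
    enum { BUFLEN = 64 };
    static const char marker[17] = "in_the_coal_mine";
    char probe[BUFLEN + sizeof marker];
    char name[BUFLEN];

    memset(probe, 0, BUFLEN);
    memcpy(probe + BUFLEN, marker, sizeof marker);

    size_t len = BUFLEN - sizeof(uint32_t) - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    if (digits_dots_model(name, probe, BUFLEN, fixed) == ERANGE)
        return 0;
    return memcmp(probe + BUFLEN, marker, sizeof marker) != 0;
}

int main(void)
{
    printf("bytes the old check undercounts: %zu\n",
           size_needed("0", 1) - size_needed("0", 0));
    printf("unfixed check: canary %s\n", canary_clobbered(0) ? "clobbered" : "intact");
    printf("fixed check:   canary %s\n", canary_clobbered(1) ? "clobbered" : "intact");
    return 0;
}
```

On a 64-bit host the unfixed check accepts a 43-character name into the 64-byte region and the copy lands 8 bytes beyond it; on 32-bit the margin is 4. A canary stored right after the buffer is also how the public GHOST test program distinguished patched from unpatched glibc builds, so the probe above is the same idea applied to the model rather than to the live library.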

LWN.net: A two-part series on LXC networking (Flockport Labs)

Flockport Labs has a two-part “LXC networking superguide” that covers a bunch of LXC networking concepts, as well as practical ideas on connecting containers (Part1 and Part 2). Part 1 starts with an introduction to LXC networking, then moves into extending layer 2 to remote hosts using a layer 3 tunnel. Part 2 looks at using LXC containers as routers.
“We are going to create a bridge on 2 remote hosts over their public IPs and connect the bridges with Ethernet over GRE or L2tpv3 so containers connecting to these bridges are on the same layer 2 network.

We will first show you how to do this with Ethernet over GRE and then L2tpv3. The main difference is Ethernet over GRE is less well known while L2tpv3 is more widely used for l2 extension and uses UDP, and thus could be more flexible.”

LWN.net: Thursday’s security advisories

Fedora has updated binutils (F21: two vulnerabilities), cross-binutils (F21; F20: multiple vulnerabilities), exiv2 (F21: denial of service), libsndfile (F21: code execution), and python-pillow (F21: denial of service).

Mageia has updated freeciv (code execution).

Oracle has updated java-1.7.0-openjdk (OL5: multiple vulnerabilities).

Red Hat has updated java-1.7.0-openjdk (RHEL6&7; RHEL5: multiple vulnerabilities), java-1.8.0-openjdk (RHEL6: multiple vulnerabilities), kernel (RHEL6.5: multiple vulnerabilities), and openssl (RHEL6&7: multiple vulnerabilities).

LWN.net: Kernel prepatch 3.19-rc5

On January 18, Linus Torvalds released the fifth prepatch for Linux 3.19. Things are not calming down quite the way he would like and rc5 is larger than rc4, but: “That said, it’s not like there is anything particularly scary in here.

The arm64 vm bug that I mentioned as pending in the rc4 notes got fixed within a day of that previous rc release, and the rest looks pretty standard. Mostly drivers (networking, usb, scsi target, block layer, mmc, tty etc), but also arch updates (arm, x86, s390 and some tiny powerpc fixes), some filesystem updates (fuse and nfs), tracing fixes, and some perf tooling fixes.”

LWN.net: Taylor: gnome-battery-bench

On his blog, Owen Taylor introduces gnome-battery-bench, which is a tool to measure power usage that should help lengthen battery life on Linux systems. It can smooth out the somewhat jumpy numbers reported by powertop and provide graphical feedback of parameters like power usage and estimated battery life remaining.
“gnome-battery-bench is designed as a graphical application because I want to encourage people to explore with it and find out interactively what is using power on their system. And graphing is also useful so that the user can see when something is going wrong with the measurement; sometimes batteries will report data that jumps around. But there’s also a command line version that can be used for automatic scripting of benchmarks.

I decided to use recorded sequences of events for a couple of reasons: first, it’s easy for anybody to create new test sequences – you just run the gnome-battery-bench command line tool in record mode and do what you want to test. Second, playing back event sequences at a low level simulates user interaction very accurately. There is little CPU overhead, and as far as the desktop is concerned it’s exactly like user input.”

LWN.net: Stable kernels 3.18.3, 3.14.29, and 3.10.65

Greg Kroah-Hartman has released the 3.18.3, 3.14.29, and 3.10.65 stable kernels. As usual, there are fixes in various places throughout the tree and users should upgrade.

LWN.net: Friday’s security updates

Debian has updated rpm (two code execution flaws).

Debian-LTS has updated curl (HTTP request injection).

openSUSE has updated flash-player (13.2, 13.1: multiple vulnerabilities), flashplayer (11.4: multiple vulnerabilities), and util-linux (13.2, 13.1: code execution).

SUSE has updated flash-player (SLE11SP3; SLE12: multiple vulnerabilities) and kernel (SLE12: multiple vulnerabilities, one from 2013).

LWN.net: Varda: Sandstorm raises $1.3M seed; paying forward crowdfunds

On the Sandstorm blog, co-founder and CEO Kenton Varda gives an update on the funding and plans for the company behind the open-source Sandstorm personal cloud platform. We looked at the project back in June. “In fact, we are now arguably more aligned with the community than before. Whereas previously there had been a lot of pressure on us to focus on our subscription-based managed hosting option as a way to get revenue, our immediate goal now is just to develop and prove the platform. That means that self-hosted users are just as important to us as paying subscribers. To that end, the first thing we have done with our new money is to hire Asheesh Laroia, a long-time self-hosting and Free Software enthusiast, whose main focus will be improving Sandstorm’s self-hosting experience. To be clear, everything you need to run your own Sandstorm server will always be free and open source, still developed in the open.”

LWN.net: Security advisories for Thursday

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), thunderbird (C6; C5: three vulnerabilities), and xulrunner (C7: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities) and kernel (multiple vulnerabilities, including one from 2013).

Debian-LTS has updated unrtf (two code execution flaws).

Fedora has updated firefox (F21; F20: multiple vulnerabilities), kde-runtime (F21: kwallet crypto botch from 2013), and owasp-esapi-java (F21; F20: crypto botch from 2013).

Mageia has updated flash-player-plugin (multiple vulnerabilities) and python-pip (denial of service).

Mandriva has updated libsndfile (code execution), libvirt (denial of service), mpfr (code execution), and unrtf (denial of service).

Oracle has updated firefox (OL5: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities).

SUSE has updated kernel (SLERTE11SP3: multiple vulnerabilities, some from 2012 and 2013) and xorg-x11-server (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated coreutils (14.04, 12.04, 10.04: two vulnerabilities, one from 2009), curl (HTTP request injection), firefox (14.10, 14.04, 12.04: multiple vulnerabilities), gparted (12.04: code execution), GTK+ (14.04: lock screen bypass), unzip (three code execution flaws), and ubufox (14.10, 14.04, 12.04: multiple vulnerabilities).