Author Archive

LWN.net: Thursday’s security advisories

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated icedove (two vulnerabilities) and libav (multiple unspecified vulnerabilities).

openSUSE has updated curl (13.1, 12.3: two cookie-handling vulnerabilities).

Oracle has updated automake (OL5: code execution from 2012), bind97 (OL5: three vulnerabilities, two from 2013), conga (OL5: multiple vulnerabilities, some going back to 2012), krb5 (OL5: code execution), krb5 (OL5: multiple vulnerabilities, two from 2013), and nss, nspr (multiple vulnerabilities, one from 2013).

SUSE has updated squid3 (SLE11SP3: denial of service).

LWN.net: [$] X and SteamOS

In a talk entitled “SteamOS Magic”, longtime X developer Keith Packard
looked at the new Linux “distribution” and the effort to turn the Linux
desktop into a gaming console. It turns out that, with a fairly small
amount of code, Steam and SteamOS creator, Valve, was able to take the
existing X-based desktop and
turn it into a “living-room experience”.

Click below (subscribers only) for the full report from LinuxCon North
America.

LWN.net: Hertzog: Freexian’s first report about Debian Long Term Support

On his blog, Raphaël Hertzog reports on the first few months of work on Debian Long Term Support (LTS). Official support for Debian 6.0 (Squeeze) ended in May and the LTS is an effort to continue the support until February 2016 (five years after the original release). Hertzog’s company, Freexian, is collecting subscriptions to pay Debian developers to work on the LTS. Reports from the two developers sponsored, Thorsten Alteholz and Holger Levsen, are also linked from the report.
“It’s worth noting that Freexian sponsored Holger’s work to fix the security tracker to support squeeze-lts. It’s my belief that using the money of our sponsors to make it easier for everybody to contribute to Debian LTS is money well spent.

As evidenced by the progress bar on Freexian’s offer page, we have not yet reached our minimal goal of funding the equivalent of a half-time position. And it shows in the results, the dla-needed.txt still shows around 30 open issues. This is slightly better than the state two months ago but we can improve a lot on the average time to push out a security update…”

(Thanks to Paul Wise.)

LWN.net: Yao: The State of ZFS on Linux

At the ClusterHQ blog, Richard Yao looks at the current status of the ZFSOnLinux (ZoL) project. He argues that ZoL is ready for production use for a number of different reasons, all of which boil down to the belief that the ZFS filesystem port to Linux has achieved the same level of data integrity, runtime stability, and features as have the other platforms where ZFS runs. “Sharing a common code base with other Open ZFS platforms has given ZFS on Linux the opportunity to rapidly implement features available on other Open ZFS platforms. At present, Illumos is the reference platform in the Open ZFS community and despite its ZFS driver having hundreds of features, ZoL is only behind on about 18 of them.”

LWN.net: Thursday’s security advisories

Debian has updated curl (two cookie-handling vulnerabilities) and file (regression in previous security update).

Fedora has updated qemu (F20: information leak).

openSUSE has updated glibc (13.1, 12.3: three vulnerabilities) and procmail (13.1, 12.3: code execution).

Oracle has updated kernel 2.6.39 (OL6; OL5: denial of service), kernel 2.6.32 (OL6; OL5: two vulnerabilities), kernel 3.8.13 (OL7; OL6: denial of service), and procmail (OL5: code execution).

SUSE has updated firefox (SLE11SP2: two vulnerabilities) and LibreOffice (SLE11SP3: two vulnerabilities, one from 2013).

LWN.net: Stable kernels 3.16.2, 3.14.18, and 3.10.54

Greg Kroah-Hartman has announced the latest batch of stable kernels: 3.16.2, 3.14.18, and 3.10.54. As usual, these new kernels contain fixes throughout the tree; users of these series should upgrade.

LWN.net: Thursday’s security advisories

CentOS has updated xulrunner (C7: two vulnerabilities), firefox (C7; C6; C5: two vulnerabilities), httpcomponents-client (C7: SSL server spoofing), kernel (C5: denial of service), squid (C6; C5: two denial of service flaws, one from 2013), squid (C7: denial of service), and thunderbird (C6; C5: two vulnerabilities).

Gentoo has updated dhcpcd (denial of service) and mysql (many vulnerabilities, mostly unspecified, some from 2013).

Oracle has updated firefox (OL6: two vulnerabilities), httpcomponents-client (OL7: SSL server spoofing), squid (OL6; OL5: two denial of service flaws, one from 2013), squid (OL7: denial of service), and thunderbird (OL6: two vulnerabilities).

Red Hat has updated firefox (two vulnerabilities), httpcomponents-client (RHEL7: SSL server spoofing), kernel (RHEL5: denial of service), squid (RHEL5&6: two denial of service flaws, one from 2013), squid (RHEL7: denial of service), and thunderbird (RHEL5&6: two vulnerabilities).

Ubuntu has updated gnupg (12.04, 10.04: key disclosure) and libgcrypt11 (14.04, 12.04, 10.04: key disclosure).

LWN.net: Linux Foundation creates a new storage and filesystems conference: Vault

The Linux Foundation has announced a new conference called “Vault” that will focus on storage and filesystems for Linux. It will be co-located with the annual invitation-only Linux Storage, Filesystem and Memory Management Summit and will be held March 11-12, 2015 at the Revere Hotel in Boston. “‘90% of the world’s data has been created in the last few years and most of that data is being stored and accessed via a Linux-based system,’ said Linux Foundation Chief Marketing Officer Amanda McPherson. ‘Now is the ideal time to bring the open source community together in this new forum, Vault, to collaborate on new methods of improving capacity, efficiency and security to manage the huge data volumes envisioned in the coming years. By bringing together the leading minds of Linux file systems and storage and our members who are pushing the limits of what is possible, Vault should expand the state of the art in Linux.’”

LWN.net: Containers vs Hypervisors: The Battle Has Just Begun (Linux.com)

Russell Pavlicek looks at the rivalry between containers and hypervisors over at Linux.com. He outlines the arguments for and against each, and follows it up with a description of a new contender for a “cloud operating system”: unikernels.
“Unikernel systems create tiny VMs. Mirage OS from the Xen Project incubator, for example, has created several network devices that run kilobytes in size (yes, that’s “kilobytes” – when was the last time you heard of any VM under a megabyte?). They can get that small because the VM itself does not contain a general-purpose operating system per se, but rather a specially built piece of code that exposes only those operating system functions required by the application.

There is no multi-user operating environment, no shell scripts, and no massive library of utilities to take up room – or to subvert in some nefarious exploit. There is just enough code to make the application run, and precious little for a malefactor to leverage. And in unikernels like Mirage OS, all the code that is present is statically type-safe, from the applications stack all the way down to the device drivers themselves. It’s not the “end-all be-all” of security, but it is certainly heading in the right direction.”

LWN.net: 5 UX Tips for Developers (Red Hat developer blog)

On Red Hat’s developer blog, Máirín Duffy has tips for developers on improving their application’s user experience (UX). “Speaking of speeding things up for your users – one way you can do this is to limit the amount of choices users have to make while using your application. It’s you, my application developer friend, that users are relying on as an expert in the ways of whatever it is that your application does. Users trust you to set sane defaults based on your domain expertise; when you set defaults, you are also alleviating users from having to make a choice that – depending on their level of expertise – may be quite hard for them to understand.

This isn’t to say you should eliminate all choices and configuration options from your application! Let users ease into it, though. Give them a good default so that your application requires less of them to start, and as they gain expertise and confidence in using your app over time, they can explore the preferences and change those settings based on their needs when they are ready.”

LWN.net: Security updates for Thursday

Debian has updated s3ql (code execution).

Mageia has updated x11vnc (code execution).

openSUSE has updated phpMyAdmin (13.1, 12.3: multiple vulnerabilities) and python3 (12.3: two vulnerabilities).

Ubuntu has updated squid3 (14.04, 12.04: denial of service).

LWN.net: Riddell: Upstream and Downstream: why packaging takes time

Kubuntu developer Jonathan Riddell looks at packaging all of the pieces of KDE on his blog. His perspective is, of course, Kubuntu-focused, but the comments contain lengthy responses from Fedora and openSUSE KDE packagers, which makes for a good look at the work distributions put into packaging a huge code base like KDE. “Much of what we package are libraries and if one small bit changes in the library, any applications which use that library will crash. This is ABI and the rules for binary [compatibility] in C++ are nuts. Not infrequently someone in KDE will alter a library ABI without realising. So we maintain symbol files to list all the symbols, these can often feel like more trouble than they’re worth because they need updated when a new version of GCC produces different symbols or when symbols disappear and on investigation they turn out to be marked private and nobody will be using them anyway, but if you miss a change and apps start crashing as nearly happened in KDE PIM last week then people get grumpy.” (Thanks to Robie Basak.)

LWN.net: Five new stable kernels

Greg Kroah-Hartman has announced the release of five new stable kernels: 3.16.1, 3.15.10, 3.14.17, 3.10.53, and 3.4.103. As usual, each has important fixes and users should upgrade. In addition, this is the last 3.15.x release, so users should be switching to the 3.16 series.

LWN.net: Security advisories for Thursday

CentOS has updated openssl (C7; C6; C5: multiple vulnerabilities).

Debian has updated gpgme1.0 (code execution).

Gentoo has updated adobe-flash (multiple vulnerabilities), catfish (multiple privilege escalations), and libpng (three vulnerabilities, two from 2013).

openSUSE has updated flash-player (13.1, 12.3: multiple vulnerabilities).

Oracle has updated openssl (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated openssl (RHEL6&7; RHEL5: multiple vulnerabilities).

Scientific Linux has updated openssl (SL6; SL5: multiple vulnerabilities).

LWN.net: SFC and OSI team up to work on tax exemption issues for US organizations

The Software Freedom Conservancy (SFC) and Open Source Initiative (OSI) have announced (and here) that they are both founding members of a working group “focused on tax exemption issues for organizations in the United States“. The working group will be open to participation by any concerned groups or individuals and will be looking for legal experts to join in. Aaron Williamson, formerly of the Software Freedom Law Center, will be chairing the group.
“Recent activity by the Internal Revenue Service in response to applications for tax exempt status have sparked a lot of interest and discussion amongst free and open source software communities.

OSI and Conservancy recognize that the IRS’s understanding and evaluation of free and open source software can impact both new organizations created to promote the public good as charities (known as 501(c)(3) organizations after the corresponding tax code provision), as well as new organizations formed to forward a common business interest (known as 501(c)(6) organizations).” We looked at the issue in July after the Yorba Foundation’s unsuccessful attempt to become a US tax-exempt organization.

LWN.net: LPC: An In-Depth Look: Live Kernel Patching Microconference

The Linux Plumbers Conference (LPC) has a new blog post looking at the live kernel patching microconference. “There has been a great deal of interest in live kernel patching (see this LWN.net article) over the past few months, with several different approaches proposed, including CRIU+kexec, kGraft, and kpatch, all in addition to ksplice. This microconference will host discussions on required infrastructure (including tracing, checkpoint/restart, kexec, and live patching), along with expositions and comparisons of the various approaches. The purpose, believe it or not, is to work towards a common implementation that everyone can live with.” LPC will be held in Düsseldorf, Germany, October 15–17, co-located with LinuxCon Europe; the front-page blog for LPC looks at many of the other microconferences along with other interesting information about the conference.

LWN.net: Tuesday’s security updates

CentOS has updated tomcat6 (C6: two vulnerabilities, one from 2013).

Debian has updated acpi-support (regression in earlier security fix).

Gentoo has updated libssh (key disclosure via bad randomness).

Mageia has updated drupal (denial of service), kdelibs4 (M3: authorization bypass), openssl (multiple vulnerabilities), wireshark (multiple vulnerabilities), and wordpress (multiple vulnerabilities).

Oracle has updated kernel-2.6.32 (OL6; OL5: denial of service), kernel-2.6.39 (OL6; OL5: denial of service), kernel-3.8.13 (OL7; OL6: two vulnerabilities), and tomcat6 (OL6: two vulnerabilities, one from 2013).

Red Hat has updated java-1.7.0-ibm (RHEL5&6: many vulnerabilities), java-1.7.1-ibm (RHEL7: many vulnerabilities), and tomcat6 (RHEL6: two vulnerabilities, one from 2013).

Scientific Linux has updated tomcat6 (SL6: two vulnerabilities, one from 2013).

Ubuntu has updated python-pycadf (14.04: information leak).

LWN.net: PyCon 2015: Call for Proposals is open

On the Montréal-Python blog, Mathieu Leduc-Hamel announces that the 2015 PyCon Call for Proposals (CFP) is now open. The conference will be held in Montréal April 8–16, 2015; CFPs will be accepted until September 15. “There are likely 95 talk slots to fill, assuming we keep the usual balance of 30/45 minute slots the same, and we’ll have room for 32 tutorials. This makes for some steep competition given the potential to reach over 600 talk proposals, while seeing three to four times as many tutorial proposals as available slots. While proposals will be accepted through September 15, we encourage submissions as early as possible, allowing reviewers more time to assess and provide feedback which may prove beneficial as the various rounds of review begin.”

LWN.net: Security updates for Monday

Debian has updated drupal7 (denial of service), kde4libs (privilege escalation), krb5 (multiple vulnerabilities), libav (multiple vulnerabilities, most from 2011 and 2013), wireshark (multiple vulnerabilities), and wordpress (multiple vulnerabilities).

Fedora has updated drupal7-views (F20; F19: access control bypass), openssl (F20; F19: multiple vulnerabilities), thunderbird (F19: multiple vulnerabilities), and xulrunner (F20: multiple vulnerabilities).

Gentoo has updated freetype (code execution).

Mandriva has updated wireshark (multiple vulnerabilities).

openSUSE has updated chromium (13.1, 12.3: multiple vulnerabilities), elfutils (13.1, 12.3: code execution), exim (13.1, 12.3; 11.4: multiple vulnerabilities going back to 2011), jbigkit (13.1, 12.3: code execution from 2013), kdelibs4 (13.1: privilege escalation), kdirstat (13.1: code execution), kernel (13.1: multiple vulnerabilities), krb5 (13.1, 12.3: multiple vulnerabilities), thunderbird (13.1, 12.3: multiple vulnerabilities), tor (13.1, 12.3: traffic confirmation), and transmission (13.1: code execution).

Slackware has updated openssl (multiple vulnerabilities).

Ubuntu has updated krb5 (14.04, 12.04, 10.04: multiple vulnerabilities going back to 2012) and libav (12.04: multiple vulnerabilities, most from 2011 and 2013).

LWN.net: Interview with Nathan Willis, GUADEC Keynote Speaker (GNOME News)

LWN editor Nathan Willis is giving a keynote talk at the upcoming GUADEC (GNOME Users and Developers European Conference) and was interviewed by GNOME News. Willis’s talk is titled “Should We Teach The Robot To Kill” and will look at free software and the automotive industry. “And, finally, my ultimate goal would be to persuade some people that the free-software community can — and should — take up the challenge and view the car as a first-rate environment where free software belongs. Because there will naturally be lots of little gaps where the different corporate projects don’t quite have every angle covered. But we don’t have to wait for other giant companies to come along and finish the job. We can get involved now, and if we do, then the next generation of automotive software will be stronger for it, both in terms of features and in terms of free-software ideals.” GUADEC is being held in Strasbourg, France July 26–August 1.

LWN.net: Kügler: Plasma’s Road to Wayland

On his blog, Sebastian Kügler looks at what’s left to be done for KDE’s Plasma desktop to support Wayland. He discusses why the project cares about Wayland, what it means to support Wayland, the current status, the strategy for further work, and how interested folks can get involved.
“One of the important topics which we have (kind of) excluded from Plasma’s recent 5.0 release is support for Wayland. The reason is that much of the work that has gone into renovating our graphics stack was also needed in preparation for Wayland support in Plasma. In order to support Wayland systems properly, we needed to lift the software stack to Qt5, make X11 dependencies in our underlying libraries, Frameworks 5 optional. This part is pretty much done. We now need to ready support for non-X11 systems in our workspace components, the window manager and compositor, and the workspace shell.”

LWN.net: Security updates for Friday

CentOS has updated kernel (C7; C6; C5: two vulnerabilities) and qemu-kvm (C7: many vulnerabilities).

Debian has updated apache2 (three vulnerabilities) and transmission (code execution).

Fedora has updated httpd (F20: multiple vulnerabilities), ipython (F20; F19: code execution), java-1.7.0-openjdk (F19: multiple vulnerabilities), java-1.8.0-openjdk (F20; F19: multiple vulnerabilities), and kernel (F19: multiple vulnerabilities).

Oracle has updated enterprise kernel (OL7: three vulnerabilities) and kernel (OL5: two vulnerabilities).

Red Hat has updated openstack-nova (OSP5.0: information disclosure), openstack-swift (OSP5.0: cross-site scripting), python-django-horizon (OSP5.0: three vulnerabilities), and qemu-kvm-rhev (OSP4.0, OSP3.0: multiple vulnerabilities).

LWN.net: Fedora 21 delayed three weeks

At yesterday’s Fedora Engineering Steering Committee (FESCo) meeting, the release of Fedora 21 was delayed by three weeks (FESCo ticket), with the final release now scheduled for November 4. There are some problems with “test composes” of the release (creating test ISO images) that mean the deadline for the alpha release would be missed. The original plan was to delay for two weeks, but that put the freeze just before the Flock conference, so it was decided to push out an additional week.

LWN.net: An Interview with Karen Sandler (Model View Culture)

Over at Model View Culture, Adam Saunders interviews Karen Sandler, executive director of the Software Freedom Conservancy (SFC) and formerly the executive director of the GNOME Foundation. Sandler talks about SFC, the Outreach Program for Women, as well as being a cyborg: “I was diagnosed with a heart condition and needed a pacemaker/defibrillator, and none of the device manufacturers would let me see the source code that was to be literally sewn into my body and connected to my heart. My life relies on the proper functioning of software every day, and I have no confidence that it will. The FDA generally doesn’t review the source code of medical devices nor can the public. But multiple researchers have shown that these devices can be maliciously hacked, with fatal consequences.

Once you start considering medical devices, you quickly start to realize that it’s all kinds of software that is life and society-critical – cars, voting machines, stock markets… It’s essential that our software be safe, and the only way we can realistically expect that to be the case over time is by ensuring that our software is free and open. If there’s catastrophic failure at Medtronic (the makers of my defibrillator), for example, I wouldn’t be able to fix a bug in my own medical device.”

LWN.net: Security updates for Thursday

CentOS has updated httpd (C7; C6; C5: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities) and openjdk-7 (multiple vulnerabilities).

Fedora has updated firefox (F20: multiple vulnerabilities).

Oracle has updated dovecot (OL7: denial of service), firefox (OL7; OL7; OL5: multiple vulnerabilities), gnutls (OL7: two vulnerabilities), httpd (OL7; OL6; OL5: multiple vulnerabilities), java-1.6.0-openjdk (OL7; OL7: multiple vulnerabilities), java-1.7.0-openjdk (OL7; OL7: multiple vulnerabilities), json-c (OL7: two denial of service flaws), kernel (OL7; OL6: two privilege escalations), kernel (OL7: multiple vulnerabilities), kernel (OL7: privilege escalation), libtasn1 (OL7: three vulnerabilities), libvirt (OL7: information disclosure/denial of service), lzo (OL7: denial of service/possible code execution), mariadb (OL7: multiple unspecified vulnerabilities), nss, nspr (OL7: code execution), openssl (OL7: multiple vulnerabilities), openssl098e (OL7: man-in-the-middle attack), qemu-kvm (OL7: many vulnerabilities), qemu-kvm (OL7: code execution), samba (?:), tomcat (OL7: three vulnerabilities), and tomcat (OL7: three vulnerabilities).

Red Hat has updated kernel (RHEL7; RHEL6.4; RHEL6; RHEL5: two privilege escalations) and qemu-kvm (RHEL7: many vulnerabilities).

Scientific Linux has updated kernel (SL6; SL5: two privilege escalations).

Slackware has updated httpd (multiple vulnerabilities), thunderbird (multiple vulnerabilities), and firefox (multiple vulnerabilities).

SUSE has updated libtasn1 (SLE11SP3: three vulnerabilities) and ppc64-diag (SLE11SP3: two vulnerabilities).

Ubuntu has updated apache2 (14.04, 12.04, 10.04: multiple vulnerabilities), jinja2 (12.04: code execution), lzo2 (14.04, 12.04: denial of service/possible code execution), and oxide-qt (14.04: multiple vulnerabilities).