Author Archive

LWN.net: Announcing qboot, a minimal x86 firmware for QEMU

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The announcement of Clear Containers (which guest author Arjan van de Ven described in an LWN article from this week) seems to have sparked some interesting work on QEMU that resulted in qboot: “a minimal x86 firmware that runs on QEMU and, together with
a slimmed-down QEMU configuration, boots a virtual machine in 40
milliseconds on an Ivy Bridge Core i7 processor.
” Paolo Bonzini announced the project (code is available at git://github.com/bonzini/qboot.git), which is quite new: “The first commit to qboot is more or less 24 hours old, so there is
definitely more work to do, in particular to extract ACPI tables from
QEMU and present them to the guest. This is probably another day of
work or so, and it will enable multiprocessor guests with little or no
impact on the boot times. SMBIOS information is also available from QEMU.

LWN.net: Security advisories for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated libmodule-signature-perl (multiple vulnerabilities).

Debian-LTS has updated dnsmasq
(information disclosure).

Fedora has updated wordpress (F21; F20:
three vulnerabilities).

Oracle has updated docker (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities, one from 2005)
and java-1.7.1-ibm (RHEL6&7: multiple vulnerabilities, one
from 2005).

SUSE has updated gstreamer-0_10-plugins-bad (SLE11SP3: code
execution) and xen (SLE12: multiple vulnerabilities).

LWN.net: Hardening Hypervisors Against VENOM-Style Attacks (Xen Project Blog)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The Xen Project looks at a mechanism to mitigate vulnerabilities like VENOM that attack emulation layers in QEMU. “The good news is it’s easy to mitigate all present and future QEMU bugs, which the recent Xen Security Advisory emphasized as well. Stubdomains can nip the whole class of vulnerabilities exposed by QEMU in the bud by moving QEMU into a de-privileged domain of its own. Instead of having QEMU run as root in dom0, a stubdomain has access only to the VM it is providing emulation for. Thus, an escape through QEMU will only land an attacker in a stubdomain, without access to critical resources. Furthermore, QEMU in a stubdomain runs on MiniOS, so an attacker would only have a very limited environment to run code in (as in return-to-libc/ROP-style), having exactly the same level of privilege as in the domain where the attack started. Nothing is to be gained for a lot of work, effectively making the system as secure as it would be if only PV drivers were used.” The Red Hat Security Blog also noted this kind of mitigation for VENOM-style attacks.

LWN.net: 3 big lessons I learned from running an open source company (Opensource.com)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Over at Opensource.com, Lucidworks co-founder and CTO Grant Ingersoll writes about lessons he has learned from running an open-source company. “You might ask, ‘Why not open source it all and just provide support?’ It’s a fair question and one I think every company that open sources code struggles to answer, unless they are a data company (e.g., LinkedIn, Facebook), a consulting company, or a critical part of everyone’s infrastructure (e.g., operating systems) and can live off of support alone. Many companies start by open sourcing to gain adoption and then add commercial features (and get accused of selling out), whereas others start commercial and then open source. Internally, the sales side almost always wants “something extra” that they can hang their quota on, while the engineers often want it all open because they know they can take their work with them.

LWN.net: Thursday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Arch Linux has updated qemu (code
execution).

CentOS has updated firefox (C5:
multiple vulnerabilities), kernel (C7: code
execution), kvm (C5: code execution),
qemu-kvm (C7; C6: code execution), and xen (C5: code execution).

Debian has updated iceweasel
(multiple vulnerabilities) and qemu
(multiple vulnerabilities).

Debian-LTS has updated icu (multiple vulnerabilities
some from 2013).

Fedora has updated ca-certificates (F21: certificate changes), firefox (F21: multiple vulnerabilities), gnutls (F21: signature algorithm verification
botch), libssh (F21: denial of service),
and thunderbird (F21: two vulnerabilities).

Mageia has updated darktable
(denial of service), kernel-linus (three
vulnerabilities), kernel-tmb (multiple vulnerabilities), libraw (denial of service), qemu (code execution), rawtherapee (denial of service), ufraw and dcraw (denial of service), and wireshark (three dissector vulnerabilities).

Oracle has updated firefox (OL6:
multiple vulnerabilities), kvm (OL5: denial of service),
qemu-kvm (OL7; OL6: code execution), kernel (OL7; OL6; OL6; OL5: multiple vulnerabilities),
and xen (OL5: code execution).

Scientific Linux has updated firefox (SL7,SL6,SL5: multiple vulnerabilities), kernel (SL7: code execution), kexec-tools (SL7: arbitrary file overwrite),
pcs (SL7; SL6: privilege escalation), qemu-kvm
(SL7; SL6:
code execution), tomcat (SL7: HTTP request
smuggling), and tomcat6 (SL6: HTTP request smuggling).

SUSE has updated kvm (SLE11SP3:
denial of service).

Ubuntu has updated firefox (multiple vulnerabilities)
and qemu, qemu-kvm (three vulnerabilities).

LWN.net: [$] CoreOS Fest and the world of containers, part 1

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

It’s been a Linux container bonanza in San Francisco recently, and that
includes a series of events and announcements from multiple startups and
cloud hosts. It seems like everyone is fighting for a piece of what they
hope will be a new multi-billion-dollar market. This included Container Camp on April 17 and CoreOS Fest on May 5th and 6th, with DockerCon to come near the end of
June. While there is a lot of hype, the current container gold rush has
yielded more than a few benefits for users — and caused technological
development so rapid it is hard to keep up with.

Subscribers can click below for a report by guest author Josh Berkus from
this week’s edition.

LWN.net: Stable kernels 3.10.77, 3.14.41, 3.19.7, and 4.0.2

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Greg Kroah-Hartman has released the latest batch of stable kernels: 3.10.77, 3.14.41, 3.19.7, and 4.0.2. As usual, they contain fixes all over
the tree and users should upgrade.

LWN.net: How OpenStack gets translated (Opensource.com)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Over at Opensource.com, one of the translators for OpenStack, Łukasz Jernaś, is interviewed about the process of translating a large project like OpenStack. “How does OpenStack’s release cycle play into the translation process? Is it manageable to get translations done on a six-month release cycle?

Most of the work gets done after the string freeze period, which happens around a month before the release, with a lot of it being completed after getting the first release candidate out of the window. Documentation is translated during the entire cycle, as many parts are common between releases and can be deployed independently to the releases. So we don’t have to focus that much about deadlines, as it’s available online all the time and not prepackaged and pushed out to users and distributions. Of course, having a month to do the translations can be cumbersome, depending on the team doing the translation (some do that part time, some people in their spare time), and how many developers push out new strings during the string freeze.”

LWN.net: Security advisories for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated sqlite3 (three
vulnerabilities).

Mageia has updated dpkg
(integrity verification bypass), libtasn1
(denial of service), perl-XML-LibXML
(information disclosure), qt3, qt4, and
qtbase5
(three vulnerabilities), and tcl-tcllib (cross-site scripting).

Mandriva has updated perl-XML-LibXML (BS1,2: information disclosure).

LWN.net: [$] The programming talent myth

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

align="right" alt="[Jacob Kaplan-Moss]" title="Jacob Kaplan-Moss" width=247
height=260/>

Jacob Kaplan-Moss is known for his work on Django but, as he would describe
in his PyCon 2015 keynote, many
think he had more to do with its creation than he actually did. While his talk
ranged quite a bit, the theme covered something that software development
organizations—and open source projects—may be grappling with: a
myth about
developer performance and how it impacts the industry. It was a
thought-provoking talk that was frequently punctuated by applause; these
are the kinds of issues that the Python community tries to confront head on, so
the talk was aimed well.

LWN.net: Debian 8 “Jessie” released

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian 8, codenamed “Jessie”, has been released. It comes with a wide array of upgraded packages including GNOME 3.14, KDE Plasma Workspaces and KDE Applications 4.11.13, Python 2.7.9 and 3.4.2, Perl 5.20.2, PHP 5.6.7, PostgreSQL 9.4.1, MariaDB 10.0.16 and MySQL 5.5.42, Linux 3.16.7-ctk9, and lots more. “With this broad selection of packages and its traditional wide
architecture support, Debian once again stays true to its goal of being
the universal operating system. It is suitable for many different use
cases: from desktop systems to netbooks; from development servers to
cluster systems; and for database, web, or storage servers. At the same
time, additional quality assurance efforts like automatic installation
and upgrade tests for all packages in Debian’s archive ensure that
“Jessie” fulfills the high expectations that users have of a stable
Debian release.

LWN.net: Wi-Fi software security bug could leave Android, Windows, Linux open to attack (Ars Technica)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Ars Technica reports on a wpa_supplicant bug that might leave Linux and other systems open to remote code execution.
That’s because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information ‘is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets,’ [Google security team member Jouni] Malinen wrote, and the code ‘was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.’

LWN.net: Security updates for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Arch Linux has updated glibc
(code execution).

Fedora has updated chrony (F21:
three vulnerabilities), gnupg2 (F20: denial
of service), java-1.7.0-openjdk (F20:
unspecified), java-1.8.0-openjdk (F21:
unspecified), kernel (F21; F20: denial of service), ntp (F20: two vulnerabilities), python (F20: denial of service from 2013), spatialite-tools (F21: three vulnerabilities),
and sqlite (F21: three vulnerabilities).

Oracle has updated kvm (OL5: two vulnerabilities).

LWN.net: GNU Hurd 0.6 released

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

It has been roughly a year and a half since the last release of the GNU Hurd operating
system, so it may be of interest to some readers that GNU Hurd 0.6 has been
released along with
GNU Mach 1.5 (the microkernel that Hurd
runs on) and GNU MIG 1.5 (the Mach Interface Generator, which
generates code to handle remote procedure calls). New features include
procfs and random translators; cleanups and stylistic fixes, some of which
came from static analysis; message dispatching improvements; integer
hashing performance improvements; a split of the init server into a
startup server and an init program based on System V init; and more. “GNU Hurd runs on 32-bit x86 machines. A version running on 64-bit x86
(x86_64) machines is in progress. Volunteers interested in ports to
other architectures are sought; please contact us (see below) if you’d
like to help.

To compile the Hurd, you need a toolchain configured to target i?86-gnu;
you cannot use a toolchain targeting GNU/Linux. Also note that you
cannot run the Hurd “in isolation”: you’ll need to add further components
such as the GNU Mach microkernel and the GNU C Library (glibc), to turn
it into a runnable system.”

LWN.net: Boyer: Fedora 22 and Kernel 4.0

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

On his blog, Josh Boyer looks at the choice of the 4.0 kernel for Fedora 22. While the underpinnings of the live kernel patching feature have been merged, even when it is fully operational it is probably not something that Fedora (and perhaps other distributions) will use often (or at all). “In reality, we might not ever really leverage the live patching functionality in Fedora itself. It is understandable that people want to patch their kernel without rebooting, but the mechanism is mostly targeted at small bugfixes and security patches. You cannot, for example, live patch from version 4.0 to 4.1. Given that the Fedora kernel rebases both from stable kernel (e.g. 3.19.2 to 3.19.3) and major release kernels over the lifetime of a Fedora release, we don’t have much opportunity to build the live patches.

LWN.net: Security updates for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated gst-plugins-bad0.10 (code execution), inspircd (code execution from 2012), movabletype-opensource (code execution), and
ppp (denial of service).

Debian-LTS has updated ruby1.9.1
(three vulnerabilities).

Mageia has updated java-1.7.0-openjdk (multiple vulnerabilities),
mono (three SSL/TLS vulnerabilities), and
python-dulwich (two code execution flaws).

openSUSE has updated flash-player
(11.4: 45 vulnerabilities) and rubygem-rest-client (13.2, 13.1: plaintext
password logging).

Oracle has updated java-1.6.0-openjdk (OL5: unspecified
vulnerabilities) and java-1.7.0-openjdk
(OL5: unspecified vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple
vulnerabilities), java-1.6.0-openjdk
(RHEL5,6&7: multiple vulnerabilities), java-1.7.0-openjdk (RHEL5; RHEL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (RHEL6&7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6&7: multiple
vulnerabilities), java-1.7.0-openjdk (SL5; SL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated flash-player
(SLE11SP3: 22 vulnerabilities).

LWN.net: [$] Report from the Python Language Summit

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net


align="right" alt="[Group photo]" width=500 height=246/>

The first half of our report from the Python Language
Summit
is now available. Subscribers can click below to access reports from five sessions held before lunch covering topics like the atomicity of Python operations, making Python 3 more attractive to developers, PyParallel, infrastructure for Python development, and Python 3 adoption. We will be adding more reports to this page as they become available.

LWN.net: [$] An update on the freedreno graphics driver

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The freedreno project was
started by Rob Clark to create a free-software driver for the Adreno family
of GPUs, which are used by the Qualcomm Snapdragon system-on-chip (SoC)
family. He
presented a status report on the project, along with some history and
future plans, at
the Embedded
Linux Conference
, which was held in San Jose, CA, March 23-25.

Click below (subscribers only) for the full report from ELC 2015.

LWN.net: [$] XFS: There and back … and there again?

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

In a thought-provoking—and characteristically amusing—talk at the Vault conference,
Dave Chinner looked at the history
of XFS, its current status, and where the filesystem may be heading.
In keeping with the title of the talk (shared by this article), he sees
parallels in what drove the original development of XFS and what will be
driving
new filesystems.
Chinner’s vision of the future for today’s filesystems, and not just
of XFS, may be a bit surprising or controversial—possibly both.

LWN.net: [$] Mailman 3.0 to modernize mailing lists

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

More than a decade after its last major rewrite, the GNU Mailman mailing
list manager project aims
to release its 3.0 suite in April, during the sprints following PyCon
North America
. Mailman 3 is a major rewrite that includes a new user
membership system, a REST API, an archiver replacement for Pipermail, and a
better web interface for subscriptions and settings — but it carries with
it a few new dependencies as well. Brave system administrators can try out
the
fifth
beta version
now.

Subscribers can click below for the full story from next week’s edition.

LWN.net: Two microconferences accepted for the Linux Plumbers Conference

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The 2015 Linux Plumbers Conference (LPC) has announced that two microconferences have been accepted for the event, which will be held August 19-21 in Seattle. The Checkpoint/Restart and Energy-aware scheduling and CPU power management microconferences will be held at LPC. Registration for the conference will open on March 27 and it will be co-located with LinuxCon North America, which will be held August 17-19.

LWN.net: Docker security in the future (Opensource.com)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Over at Opensource.com, Daniel Walsh writes about applying various Linux security technologies to Docker containers. In the article, he looks at using user namespaces and seccomp filters to provide better security for Docker. “One of the problems with all of the container separation modes described here and elsewhere is that they all rely on the kernel for separation. Unlike air gapped computers, or even virtual machines, the processes within the container can talk directly to the host kernel. If the host kernel has a kernel vulnerability that a container can access, they might be able to disable all of the security and break out of the container.

The x86_64 Linux kernel has over 600 system calls, a bug in any one of which could lead to a privilege escalation. Some of the system calls are seldom called, and should be eliminated from access within the container.”

LWN.net: Security updates for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

OpenSSL has updates released today, with two vulnerabilities of
“High” severity, as described in its advisory. One of
the High vulnerabilities is a reclassification of the FREAK vulnerability due to the prevalence of
servers with RSA export ciphers available, the other is a denial of service
in OpenSSL 1.0.2.

CentOS has updated freetype (C6:
multiple vulnerabilities) and unzip (C6:
multiple vulnerabilities).

Debian has updated file (denial
of service).

Debian-LTS has updated mono
(three SSL/TLS vulnerabilities).

Gentoo has updated python
(multiple vulnerabilities, two from 2013).

Mageia has updated moodle
(multiple vulnerabilities).

openSUSE has updated gdm (13.2:
screen lock bypass), glusterfs (13.2:
denial of service), and libssh2_org (13.2,
13.1: information leak).

Oracle has updated unzip (OL7; OL6:
multiple vulnerabilities).

Red Hat has updated postgresql92-postgresql (RHSC1: multiple
vulnerabilities) and unzip (RHEL6&7:
multiple vulnerabilities).

SUSE has updated kernel (SLE12:
multiple vulnerabilities).

LWN.net: Thursday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Fedora has updated bind (F21; F20:
denial of service), lftp (F21:
automatically accepting ssh keys), and rubygem-actionpack (F20: two information leaks).

openSUSE has updated vsftpd
(13.2, 13.1: access restriction bypass).

Ubuntu has updated icu (14.10,
14.04, 12.04: multiple vulnerabilities, some from 2013).

LWN.net: The state of Linux gaming in the SteamOS era (Ars Technica)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Ars Technica takes a look at Linux gaming and at what effect SteamOS has had already for gaming on Linux. The article also considers the future and where SteamOS might (or might not) take things. “This all brings up another major question for SteamOS followers: how long is this “beta” going to last, exactly? While Valve has unquestionably built a viable Linux gaming market from practically nothing, the company’s lackadaisical development timeline might be holding the market back from growing even more. In the last year, the initial excitement behind the SteamOS beta launch seems to have given way to “Valve Time” malaise in some ways.