Author Archive

LWN.net: The Linux Test Project has been released for September 2015

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The Linux Test Project (LTP) has made a stable release for September 2015. The previous release was in April. This release has a number of new test cases including ones for user namespaces, virtual network interfaces, umount2(), getrandom(), and more. In addition, the network namespace test cases were rewritten and regression tests have been added for inotify, cpuset, futex_wake(), and recvmsg(). We looked at writing LTP test cases back in January.

LWN.net: Thursday’s security advisories

Arch Linux has updated bind (two denial of service flaws).

CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), and libXfont (C7; C6: three privilege escalation flaws).

Debian has updated bind9 (denial of service), qemu (multiple vulnerabilities), and qemu-kvm (two vulnerabilities).

Debian-LTS has updated openslp-dfsg (three vulnerabilities, one from 2010, another from 2012).

Red Hat has updated bind (RHEL6,7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and libXfont (RHEL6,7: three privilege escalation flaws).

Scientific Linux has updated bind (SL6,7; SL5: denial of service), bind97 (SL5: denial of service), and libXfont (SL6,7: three privilege escalation flaws).

Slackware has updated bind (two denial of service flaws).

SUSE has updated bind (SLE12; SLE11SP2,3,4: denial of service), kernel (SLE11SP2: multiple vulnerabilities, three from 2014), and xen (SLE11SP3; SLED11SP3: multiple vulnerabilities).

Ubuntu has updated bind9 (denial of service).

LWN.net: KDE Sprints – who wins? (KDE.News)

KDE.News looks at KDE sprints and their benefits. The organization is doing some fundraising to help support its sprints, so it is trying to get the word out about these code-focused events: “To start with, KDE sprints are intensive sessions centered around coding. They take place in person over several days, during which time skillful developers eat, drink and sleep code. There are breaks to refresh and gain perspective, but mostly sprints involve hard, focused work. All of this developer time and effort is unpaid. However travel expenses for some developers are covered by KDE. KDE is a frugal organization with comparatively low administrative costs, and only one paid person who works part time. So the money donated for sprints goes to cover actual expenses. Who gets the money? Almost all of it goes to transportation companies.”

LWN.net: Security updates for Thursday

Debian has updated php5 (multiple vulnerabilities).

Debian-LTS has updated pykerberos (authentication botch) and python-django (two vulnerabilities).

Fedora has updated mariadb (F21: unspecified).

Mageia has updated cgit (code execution from 2014).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities, including one from 2014).

LWN.net: Go 1.5 released

Version 1.5 of the Go language has been released.

This release includes significant changes to the implementation. The compiler tool chain was translated from C to Go, removing the last vestiges of C code from the Go code base. The garbage collector was completely redesigned, yielding a dramatic reduction [PDF] in garbage collection pause times. Related improvements to the scheduler allowed us to change the default GOMAXPROCS value (the number of concurrently executing goroutines) from 1 to the number of available CPUs. Changes to the linker enable distributing Go packages as shared libraries to link into Go programs, and building Go packages into archives or shared libraries that may be linked into or loaded by C programs (design doc).

LWN.net: Ruoho: Multiple Vulnerabilities in Pocket

On his blog, Clint Ruoho reports on multiple vulnerabilities he found in the Pocket service that saves articles and other web content for reading later on a variety of devices. Pocket integration has been controversially added to Firefox recently, which is what drew his attention to the service. “The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache’s mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket’s app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs.

These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket’s backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers.” He was able to get more information, such as the contents of /etc/passwd on Pocket’s Amazon EC2 servers.
(Thanks to Scott Bronson and Pete Flugstad.)

LWN.net: Security advisories for Tuesday

CentOS has updated glibc (C5: code execution from 2013), mysql55-mysql (C5: multiple unspecified vulnerabilities, one from 2014), net-snmp (C7; C6: code execution), sqlite (C6: code execution), sqlite (C7: three vulnerabilities), and subversion (C6: three vulnerabilities).

Debian has updated apache2 (two vulnerabilities), gdk-pixbuf (code execution), and nss (two vulnerabilities).

Debian-LTS has updated libstruts1.2-java (unclear vulnerability from 2014).

Fedora has updated erlang (F22; F21: man-in-the-middle vulnerability), firefox (F22: many vulnerabilities), flac (F21: two vulnerabilities from 2014), gnutls (F21: code execution), golang (F22; F21: HTTP request smuggling), nagios-plugins (F22; F21: three vulnerabilities), qemu (F22: two vulnerabilities), uwsgi (F22; F21: denial of service), and webkitgtk4 (F22: three unspecified vulnerabilities).

Mageia has updated kdepim (M4: no attachment encryption from 2014).

openSUSE has updated subversion (two vulnerabilities) and virtualbox (two vulnerabilities).

Oracle has updated glibc (OL5: code execution from 2013), mysql55-mysql (OL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (OL7; OL6: code execution), sqlite (OL7: three vulnerabilities), sqlite (OL6: code execution), and subversion (OL6: three vulnerabilities).

Red Hat has updated net-snmp (RHEL6&7: code execution).

Scientific Linux has updated glibc (SL5: code execution from 2013), mysql55-mysql (SL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (SL6&7: code execution), sqlite (SL6: code execution), and subversion (SL6: three vulnerabilities).

Ubuntu has updated kernel (12.04: three vulnerabilities), kernel (15.04; 14.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-ti-omap4 (12.04: three vulnerabilities), and net-snmp (two vulnerabilities, one from 2014).

LWN.net: Stable kernels 4.1.6, 3.14.51, and 3.10.87

Greg Kroah-Hartman has announced the release of the 4.1.6, 3.14.51, and 3.10.87 stable kernels. As usual, there are important fixes throughout the tree and users of those kernel series should upgrade.

LWN.net: Security updates for Monday

Arch Linux has updated glibc (denial of service from 2014).

Debian-LTS has updated libidn (information disclosure) and subversion (information disclosure).

Fedora has updated bzr (F22; F21: denial of service from 2013), firefox (F21: multiple vulnerabilities), and flac (F22: two vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities), icecast (denial of service), and libgadu (three vulnerabilities from 2013 and 2014).

openSUSE has updated firefox (13.2; 13.1: multiple vulnerabilities) and flash-player (13.2; 13.1: many vulnerabilities).

Oracle has updated kernel 3.8.13 (OL7; OL6: two remote denial of service flaws), kernel 2.6.39 (OL6; OL5: two remote denial of service flaws), and kernel 2.6.32 (OL6; OL5: two remote denial of service flaws).

Red Hat has updated glibc (RHEL5: code execution from 2013), mysql55-mysql (RHEL5; RHSC2: multiple unspecified vulnerabilities, one from 2014), rh-mysql56-mysql (RHSC2: multiple unspecified vulnerabilities), sqlite (RHEL6: code execution), sqlite (RHEL7: three vulnerabilities), and subversion (RHEL6: three vulnerabilities).

Scientific Linux has updated sqlite (SL7: three vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

Ubuntu has updated openssh (15.04, 14.04, 12.04: two vulnerabilities) and pollinate (15.04, 14.04: certificate update).

LWN.net: Stagefright: Mission Accomplished? (Exodus Intelligence)

It would seem that reports of the demise of the Stagefright Android vulnerability may be rather premature. Exodus Intelligence is reporting that at least one of the fixes for integer overflow did not actually fully fix the problem, so MPEG4 files can still crash Android and potentially allow code execution. “Around July 31st, Exodus Intelligence security researcher Jordan Gruskovnjak noticed that there seemed to be a severe problem with the proposed patch. As the code was not yet shipped to Android devices, we had no ability to verify this authoritatively.

In the following week, hackers converged in Las Vegas for the annual Black Hat conference during which the Stagefright vulnerability received much attention, both during the talk and at the various parties and events.

After the festivities concluded and the supposedly patched firmware was released to the public, Jordan proceeded to investigate whether his assumptions regarding its fallibility were well founded. They were.”

LWN.net: Friday’s security advisories

Arch Linux has updated freeradius (certificate verification botch) and subversion (two vulnerabilities).

CentOS has updated kernel (C6: two remote denial of service flaws).

Fedora has updated gnutls (F22: denial of service), nbd (F22; F21: denial of service), pcre (F22: code execution), and wordpress (F22; F21: multiple vulnerabilities).

Mageia has updated gdk-pixbuf2.0 (M5: code execution) and owncloud (three vulnerabilities).

openSUSE has updated glibc (13.1: denial of service from 2014) and kernel (13.2: multiple vulnerabilities, some from 2014).

Oracle has updated kernel (OL6: two remote denial of service flaws).

Red Hat has updated kernel (RHEL6: two remote denial of service flaws).

Scientific Linux has updated kernel (SL6: two remote denial of service flaws).

SUSE has updated firefox (SLE11SP4, SP3: information leak).

LWN.net: The State of Fedora: 2015 Edition (Fedora Magazine)

Fedora Magazine reports on Fedora project leader Matthew Miller’s keynote at Flock, which is the Fedora contributor conference. He outlined the state of the distribution using some graphs and statistics and said “we’re doing very well as a project and it’s thanks to all of you”. The use of Internet Relay Chat (IRC) by the project was another topic: “Fedorans do like to work together. Last year there were 1,066 IRC meetings (official meetings, not just being in IRC talking), and 765 IRC meetings in 2015 alone. ‘This shows how vibrant we are, but also is buried in IRC. There’s a lot of Fedora activity you don’t see on the Fedora Web site… I want to look at ways to make that more visible,’ says Miller.

There are efforts to make the activity more visible, says Miller. ‘If I want to interact with the project, is somebody there? Yes, but we have millions of dead pages on the wiki… we need to make this more visible.’

IRC is ‘definitely a measure of engagement’ but it’s also a high barrier of entry, says Miller. ‘Wow that’s complicated. Wow, that’s still around?’ is a common response from new contributors to IRC. The technology, and ‘culture’ can be confusing.”

LWN.net: Security updates for Thursday

Debian has updated request-tracker4 (cross-site scripting).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

SUSE has updated firefox (SLE12: information leak), java-1_7_0-ibm (SLE11SP3, SP2: many vulnerabilities), and kernel-rt (SLE11SP3: many vulnerabilities, including some from 2014).

LWN.net: Grasch: A Frank Look at Simon: Where To Go From Here

On his blog, Peter Grasch considers the future for the Simon speech-recognition system for KDE. He is passing the torch and will no longer be actively participating in the project, but he spent some time passing on his knowledge and some thoughts on where things might go from here. In addition, he built a working prototype of a speech-based command and control system for the Plasma desktop called Lera. “If anything, Lera is a starting point. The next steps would be to move Simon’s “eventsimulation” library into a separate framework, to be shared between Lera and Simon. Lera could then use this to type out the recognition results (see Simon’s Dictation plugin). Then, I would suggest porting a simplified notion of “Scenarios” to Lera, which should only really contain a set of commands, and maybe context information (vocabulary and “grammar” can be synthesized automatically from the command triggers). The implementation of training (acoustic model adaption) would then complete a very sensible, very usable version 1.0.”

LWN.net: Federated Cloud Sharing in ownCloud 8.1 (ownCloud blog)

The ownCloud blog has a post about federated file sharing between ownCloud instances in ownCloud 8.1, but it also looks at the wider view of federation between various kinds of cloud servers. ownCloud founder Frank Karlitschek has a series of posts (It is Time to Federate Our Clouds, The Next Generation File Sync and Share Technology, and The Federated Architecture of Next Generation File Sync and Share) on federation technology and has also proposed a cross-cloud-platform federation API:
In addition, today Frank proposed a draft of a Federated Cloud Sharing API to the Open Cloud Mesh working group with the goal of jump-starting a discussion about what is needed to enable federation between different file sharing implementations. Sharing among ownClouds is great, but the true power of a federated file cloud is available when you can share among different implementations seamlessly, because you all speak the same common language. This is the goal of the Open Cloud Mesh working group (of which ownCloud is a member as well), and outside of that, drafts have been shared with a number of well known standards organizations around web technologies and fellow open source file share and sync projects to get the work started.

LWN.net: Security updates for Thursday

CentOS has updated kernel (C7: multiple vulnerabilities, one from 2014).

Fedora has updated kernel (F22: three vulnerabilities).

openSUSE has updated ghostscript (13.2, 13.1: code execution) and php5 (13.2, 13.1: two vulnerabilities).

Red Hat has updated kernel (RHEL7: multiple vulnerabilities, one from 2014) and kernel-rt (RHEL7; RHEL6: multiple vulnerabilities, one from 2014).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities, one from 2014).

SUSE has updated oracle-update (Manager 2.1: multiple vulnerabilities).

Ubuntu has updated cinder (15.04: arbitrary file reads), python-keystoneclient, python-keystonemiddleware (15.04, 14.04: two vulnerabilities, one from 2014), and swift (15.04, 14.04, 12.04: two vulnerabilities, one from 2014).

LWN.net: [$] “Big data” features coming in PostgreSQL 9.5

PostgreSQL 9.5 Alpha 2 is due to be released on August 6. Not only does the new version support UPSERT, more JSON functionality, and other new features we looked at back in July, it also has some major enhancements for “big data” workloads. Among these are faster sorts, TABLESAMPLE, GROUPING SETS and CUBE, BRIN indexes, and Foreign Data Wrapper improvements. Taken together, these features strengthen arguments for using PostgreSQL for data warehouses, and enable users to continue using it with bigger databases.

LWN.net: [$] Fuzzing perf_events

You might be surprised to learn that starting with Linux 2.6.31 (in 2009) it has been rather easy to crash the Linux kernel. This date marks the introduction of the perf_event subsystem. It is likely that perf_event is not any more prone to errors than any other large kernel subsystem, but it has the distinction of being subjected to intense testing from the perf_fuzzer tool, which methodically probes the interface for bugs.

Click below (subscribers only) for the full article from perf_fuzzer author Vince Weaver.

LWN.net: Announcing the shutdown of the Ada Initiative

The Ada Initiative has announced that it is shutting down in mid-October. In the four years since it was founded, the organization has accomplished a lot to help create a less hostile environment for women in open technology and open culture. “We are proud of what we accomplished with the support of many thousands of volunteers, sponsors, and donors, and we expect all of our programs to continue on in some form without the Ada Initiative.” Essentially, the organization found it hard to find others with the same “experiences, skills, strengths and passions” as co-founders Valerie Aurora and Mary Gardiner when they wanted to change roles with the initiative. “The Ada Initiative will shut down in approximately mid-October after using our remaining funds to complete our current obligations and do the tasks necessary to shut down the organization properly. We have several Ally Skills Workshops booked or in the process of being booked during our remaining months of operation. (We will not be booking additional Ally Skills Workshops through the Ada Initiative, but we will refer clients to other people who are teaching the Ally Skills Workshop.) We will teach Impostor Syndrome training classes in Sydney and Oakland in August, and release the materials under the Creative Commons Attribution Sharealike license. We will do the work to keep the Ada Initiative’s web content online and available after the Ada Initiative shuts down.”

LWN.net: DebConf15 schedule and featured speakers announced

Debconf15, which will be held in Heidelberg, Germany August 15-23, has announced its schedule as well as four featured speakers: Allison Randal, President, Open Source Initiative and Distinguished Technologist, HP; Peter Eckersley, Chief Computer Scientist, Electronic Frontier Foundation; John Sullivan, Executive Director, Free Software Foundation; and Jon ‘maddog’ Hall, Executive Director, Linux International. “The DebConf content team is pleased to announce the schedule of DebConf15, the forthcoming Debian Developers Conference. From a total of nearly 100 talk submissions, the team selected 75 talks. Due to the high number of submissions, several talks had to be shortened to 20 minute slots, of which a total of 30 talks have made it to the schedule.

In addition, around 50 meetings and discussions (BoFs) have been organized so far, as well as several other events like lightning talk sessions, live demos, a movie screening, a poetry night or stand-up comedy.”

LWN.net: Security updates for Thursday

Debian-LTS has updated squid3 (security bypass).

Fedora has updated drupal7-path_breadcrumbs (F22; F21: cross-site scripting), ecryptfs-utils (F22; F21: password disclosure from 2014), hplip (F21: key verification botch), httpd (F21: multiple vulnerabilities), ipython (F22; F21: cross-site request forgery), libunwind (F21: code execution), libwmf (F21: two denial of service flaws), nx-libs (F22: unspecified vulnerabilities), wpa_supplicant (F21: code execution), and xrdp (F21: denial of service).

openSUSE has updated lxc (13.2; 13.1: two vulnerabilities).

Oracle has updated autofs (OL6: privilege escalation from 2014), bind (OL6; OL6: denial of service), curl (OL6: multiple vulnerabilities, some from 2014), freeradius (OL6: code execution from 2014), gnutls (OL6: two vulnerabilities), grep (OL6: code execution), hivex (OL6: code execution from 2014), ipa (OL6: cross-site scripting from 2010 and 2012), kernel (OL6: multiple vulnerabilities, some from 2014), kernel 3.8.13 (OL7; OL6: three vulnerabilities, one from 2014), libreoffice (OL6: code execution), libuser (OL6: privilege escalation), libxml2 (OL6: two vulnerabilities, one from 2014), mailman (OL6: two vulnerabilities, one from 2002), net-snmp (OL6: denial of service from 2014), ntp (OL6: three vulnerabilities), pki-core (OL6: cross-site scripting), python (OL6: two vulnerabilities from 2013 and 2014), sudo (OL6: information disclosure from 2014), wireshark (OL6: multiple vulnerabilities, some from 2014), and wpa_supplicant (OL6: denial of service).

SUSE has updated bind (SLE11SP1: denial of service).

Ubuntu has updated ghostscript (15.04, 14.04, 12.04: code execution), openjdk-7 (15.04, 14.04: multiple vulnerabilities), pcre3 (15.04, 14.04, 12.04: multiple vulnerabilities, one from 2014), and tidy (15.04, 14.04, 12.04: two vulnerabilities).

LWN.net: [$] Django Girls one year later

Though it got a bit of a late start due to some registration woes, the first day of EuroPython 2015 began with an engaging and well-received keynote. It recounted the history of a project that got its start just a year ago when the first Django Girls workshop was held at EuroPython 2014 in Berlin. The two women who started the project, Ola Sitarska and Ola Sendecka, spoke about how the workshop to teach women about Python and the Django web framework all came together—and the amazing progress that has been made by the organization in its first year.

LWN.net: Calculating the “truck factor” for GitHub projects

The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.

LWN.net: Security updates for Thursday

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities), java-1.8.0-openjdk (C7; C6: many vulnerabilities), and kernel (C6: multiple vulnerabilities, one from 2011).

Debian-LTS has updated python-django (three vulnerabilities).

Fedora has updated cryptopp (F22; F21: information disclosure), drupal7-feeds (F22; F21: three vulnerabilities), rsyslog (F22: denial of service), and springframework (F22; F21: denial of service).

openSUSE has updated bind (13.2; 13.1: three vulnerabilities, one from 2014).

Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified), java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: denial of service).

Scientific Linux has updated java-1.7.0-openjdk (SL5; SL6&7: many vulnerabilities), java-1.8.0-openjdk (SL6&7: many vulnerabilities), and kernel (SL6: multiple vulnerabilities, one from 2011).

LWN.net: [$] Python 3.5 is on its way

It has been nearly a year and a half since the last major Python release, which was 3.4 in March 2014—that means it is about time for Python 3.5. We looked at some of the new features in 3.4 at the time of its first release candidate, so the announcement of the penultimate beta release for 3.5 seems like a good time to see what will be coming in the new release.

Subscribers can click below to see the full article from this week’s edition.