Author Archive

LWN.net: Plasma 5.2 Is Beautiful and Featureful (KDE.News)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

We are a bit late in noting that KDE has released Plasma 5.2 on January 27. This KDE.News article gives a tour of the desktop that will be featured in upcoming Kubuntu and Fedora KDE spin releases (and probably other distributions as well). There are lots of new features and bug fixes in the release, see the changelog for all the details. “In the screen locker we improved the integration with logind to ensure the screen is properly locked before suspend. The background of the lock screen can be configured. Internally this uses part of the Wayland protocol which is the future of the Linux desktop.

There are improvements in the handling of multiple monitors. The detection code for multiple monitors got ported to use the XRandR extension directly and multiple bugs related to it were fixed.”

LWN.net: Security updates for Thursday

CentOS has updated kernel (C6: two vulnerabilities) and libyaml (C6: denial of service).

Debian has updated virtualbox (two denial of service flaws with no details).

Debian-LTS has updated jasper (two vulnerabilities), libksba (denial of service), privoxy (three vulnerabilities), python-django (multiple vulnerabilities), and rpm (multiple vulnerabilities, some from 2012 and 2013).

Fedora has updated drupal7-context (F21; F20: open redirect), suricata (F21; F20: denial of service), and unzip (F21: unspecified impact).

openSUSE has updated flash-player (12.3: multiple vulnerabilities), git (13.2, 13.1: code execution), glibc (11.4: code execution), and libpng16 (13.2, 13.1: two vulnerabilities).

Oracle has updated kernel (OL7; OL6: multiple vulnerabilities) and libyaml (OL7; OL6: denial of service).

Red Hat has updated glibc (RHEL4: code execution), kernel (RHEL7: multiple vulnerabilities), libyaml (RHEL6&7: denial of service), and ntp (RHEL6.5: multiple code execution flaws).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and libyaml (SL6&7: denial of service).

Slackware has updated glibc (code execution).

SUSE has updated firefox (SLE11SP2, SLE11SP1; SLE10SP4: multiple vulnerabilities) and flash-player (SLE11SP3: multiple vulnerabilities).

LWN.net: [$] LWN.net Weekly Edition for January 29, 2015

The LWN.net Weekly Edition for January 29, 2015 is available.

LWN.net: Highly critical “Ghost” allowing code execution affects most Linux systems (Ars Technica)

Ars Technica has a report on GHOST, which is a critical vulnerability found in the GNU C library (glibc).
“The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that’s invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections.” While the proof-of-concept used Exim, a wide variety of client and server programs call gethostbyname*(), often at the behest of a remote system (or attacker). Distributions have started putting out updates; users and administrators should plan on updating as soon as possible.

LWN.net: A two-part series on LXC networking (Flockport Labs)

Flockport Labs has a two-part “LXC networking superguide” that covers a bunch of LXC networking concepts, as well as practical ideas on connecting containers (Part 1 and Part 2). Part 1 starts with an introduction to LXC networking, then moves into extending layer 2 to remote hosts using a layer 3 tunnel. Part 2 looks at using LXC containers as routers.
“We are going to create a bridge on 2 remote hosts over their public IPs and connect the bridges with Ethernet over GRE or L2tpv3 so containers connecting to these bridges are on the same layer 2 network.

We will first show you how to do this with Ethernet over GRE and then L2tpv3. The main difference is Ethernet over GRE is less well known while L2tpv3 is more widely used for l2 extension and uses UDP, and thus could be more flexible.”

LWN.net: Thursday’s security advisories

Fedora has updated binutils (F21: two vulnerabilities), cross-binutils (F21; F20: multiple vulnerabilities), exiv2 (F21: denial of service), libsndfile (F21: code execution), and python-pillow (F21: denial of service).

Mageia has updated freeciv (code execution).

Oracle has updated java-1.7.0-openjdk (OL5: multiple vulnerabilities).

Red Hat has updated java-1.7.0-openjdk (RHEL6&7; RHEL5: multiple vulnerabilities), java-1.8.0-openjdk (RHEL6: multiple vulnerabilities), kernel (RHEL6.5: multiple vulnerabilities), and openssl (RHEL6&7: multiple vulnerabilities).

LWN.net: Kernel prepatch 3.19-rc5

On January 18, Linus Torvalds released the fifth prepatch for Linux 3.19. Things are not calming down quite the way he would like and rc5 is larger than rc4, but: “That said, it’s not like there is anything particularly scary in here.

The arm64 vm bug that I mentioned as pending in the rc4 notes got fixed within a day of that previous rc release, and the rest looks pretty standard. Mostly drivers (networking, usb, scsi target, block layer, mmc, tty etc), but also arch updates (arm, x86, s390 and some tiny powerpc fixes), some filesystem updates (fuse and nfs), tracing fixes, and some perf tooling fixes.”

LWN.net: Taylor: gnome-battery-bench

On his blog, Owen Taylor introduces gnome-battery-bench, which is a tool to measure power usage that should help lengthen battery life on Linux systems. It can smooth out the somewhat jumpy numbers reported by powertop and provide graphical feedback of parameters like power usage and estimated battery life remaining.
“gnome-battery-bench is designed as a graphical application because I want to encourage people to explore with it and find out interactively what is using power on their system. And graphing is also useful so that the user can see when something is going wrong with the measurement; sometimes batteries will report data that jumps around. But there’s also a command line version that can be used for automatic scripting of benchmarks.

I decided to use recorded sequences of events for a couple of reasons: first, it’s easy for anybody to create new test sequences – you just run the gnome-battery-bench command line tool in record mode and do what you want to test. Second, playing back event sequences at a low level simulates user interaction very accurately. There is little CPU overhead, and as far as the desktop is concerned it’s exactly like user input.”

LWN.net: Stable kernels 3.18.3, 3.14.29, and 3.10.65

Greg Kroah-Hartman has released the 3.18.3, 3.14.29, and 3.10.65 stable kernels. As usual, there are fixes in various places throughout the tree and users should upgrade.

LWN.net: Friday’s security updates

Debian has updated rpm (two code execution flaws).

Debian-LTS has updated curl (HTTP request injection).

openSUSE has updated flash-player (13.2, 13.1: multiple vulnerabilities), flashplayer (11.4: multiple vulnerabilities), and util-linux (13.2, 13.1: code execution).

SUSE has updated flash-player (SLE11SP3; SLE12: multiple vulnerabilities) and kernel (SLE12: multiple vulnerabilities, one from 2013).

LWN.net: Varda: Sandstorm raises $1.3M seed; paying forward crowdfunds

On the Sandstorm blog, co-founder and CEO Kenton Varda gives an update on the funding and plans for the company behind the open-source Sandstorm personal cloud platform. We looked at the project back in June. “In fact, we are now arguably more aligned with the community than before. Whereas previously there had been a lot of pressure on us to focus on our subscription-based managed hosting option as a way to get revenue, our immediate goal now is just to develop and prove the platform. That means that self-hosted users are just as important to us as paying subscribers. To that end, the first thing we have done with our new money is to hire Asheesh Laroia, a long-time self-hosting and Free Software enthusiast, whose main focus will be improving Sandstorm’s self-hosting experience. To be clear, everything you need to run your own Sandstorm server will always be free and open source, still developed in the open.”

LWN.net: Security advisories for Thursday

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), thunderbird (C6; C5: three vulnerabilities), and xulrunner (C7: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities) and kernel (multiple vulnerabilities, including one from 2013).

Debian-LTS has updated unrtf (two code execution flaws).

Fedora has updated firefox (F21; F20: multiple vulnerabilities), kde-runtime (F21: kwallet crypto botch from 2013), and owasp-esapi-java (F21; F20: crypto botch from 2013).

Mageia has updated flash-player-plugin (multiple vulnerabilities) and python-pip (denial of service).

Mandriva has updated libsndfile (code execution), libvirt (denial of service), mpfr (code execution), and unrtf (denial of service).

Oracle has updated firefox (OL5: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities).

SUSE has updated kernel (SLERTE11SP3: multiple vulnerabilities, some from 2012 and 2013) and xorg-x11-server (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated coreutils (14.04, 12.04, 10.04: two vulnerabilities, one from 2009), curl (HTTP request injection), firefox (14.10, 14.04, 12.04: multiple vulnerabilities), gparted (12.04: code execution), GTK+ (14.04: lock screen bypass), unzip (three code execution flaws), and ubufox (14.10, 14.04, 12.04: multiple vulnerabilities).

LWN.net: Security advisories for Christmas day

Best wishes to you and yours from LWN …

Fedora has updated nss (F21: data smuggling) and pyxdg (F19: privilege escalation).

Gentoo has updated libvirt (three denial of service flaws), ntp (multiple code execution vulnerabilities), qemu (three vulnerabilities), and rsyslog (three vulnerabilities, one from 2011).

LWN.net: [$] Type hinting for Python

Python is a poster child for dynamically typed languages, but if Guido van Rossum gets his way—as benevolent dictator for life (BDFL), he usually does—the language will soon get optional support for static type-checking. The discussion and debate have played out since August (at least), but Van Rossum has just posted a proposal that targets Python 3.5, which is due in September 2015, for including this “type hinting” feature. Unlike many languages (e.g. C, C++, Java), Python’s static type-checking would be optional—programs can still be run even if the static checker has complaints.

The full story from this week’s edition is available to subscribers below.

LWN.net: Tagged memory and minion cores in the lowRISC SoC

The lowRISC project, which aims to create and manufacture a fully open-source system-on-chip (SoC) and development board, has released a document on its plans to incorporate tagged memory and minion cores into the SoC. Minion cores are separate I/O processors that can be used to implement various I/O protocols without requiring additional hardware in the design.
“Tagged memory associates metadata with each memory location and can be used to implement fine-grained memory access restrictions. Attacks which hijack control flow can be prevented by using this protection to restrict writes to memory locations containing return addresses, function pointers, and vtable pointers. Importantly, we anticipate this can be implemented with a worst-case performance overhead of a few percent and a similarly low area cost. This fine-grained memory protection can be used automatically by the compiler, meaning improved security is available to existing programs without source code modifications. We intend to provide tagged memory alongside security features which are already commonly deployed such as secure boot, encrypted off-chip memory, and cryptographic accelerators.”

LWN.net: EU to fund Free Software code review (FSFE)

The Free Software Foundation Europe (FSFE) has commented on the most recent European Union (EU) budget—approved on December 17—that includes €1 million for auditing free-software programs that are used by the EU governmental bodies. The auditing is meant to find and fix security holes in those programs. “Even though these institutions are tightly locked into non-free file formats, much of their infrastructure is based on Free Software.

‘This is a very welcome decision,’ says FSFE’s president Karsten Gerloff. ‘Like most public bodies, the European institutions rely heavily on Free Software for their daily operations. It is good to see that the Parliament and the Commission will invest at least a little in improving the quality and the programs they use.’”

LWN.net: Friday’s security advisories

CentOS has updated glibc (C7: code execution), jasper (C7; C6: three code execution flaws), and kernel (C7: privilege escalation).

Gentoo has updated znc (two denial of service flaws, one from 2013).

Oracle has updated glibc (OL7: three vulnerabilities), jasper (OL7; OL6: three code execution flaws), and kernel (OL7; OL5; OL5: privilege escalation).

Red Hat has updated glibc (RHEL7: code execution) and jasper (RHEL6&7: three code execution flaws).

Scientific Linux has updated jasper (SL6&7: three code execution flaws).

Ubuntu has updated kernel (14.04: regression in previous security fix) and kernel (14.10: regression in previous security fix).

LWN.net: KDE Applications 14.12 released

The KDE project has announced the release of KDE Applications 14.12, which has the first set of applications that have been ported to KDE Frameworks 5. Most of the applications are still based on KDE Development Platform 4, but some have been moved to the new Qt5-based Frameworks. “The release includes the first KDE Frameworks 5-based versions of Kate and KWrite, Konsole, Gwenview, KAlgebra, Kanagram, KHangman, Kig, Parley, KApptemplate and Okteta. Some libraries are also ready for KDE Frameworks 5 use: analitza and libkeduvocdocument.

Libkface is new in this release; it is a library to enable face detection and face recognition in photographs.” More information on the new features and fixes that came in the release can be found in the change log and a KDE.News article.

LWN.net: Klapper: Good bye Bugzilla, welcome Phabricator.

On his blog, André Klapper describes Wikimedia’s move from Bugzilla to Phabricator, which is described as an “open source software engineering platform”. After ten years and 70,000+ bugs, there was a lot of data to migrate, which went well overall, though there were a few surprises along the way.
“We had to work around an unresolved upstream XML-RPC API bug in Bugzilla by applying a custom hack when exporting comments in a first step and removing the hack when exporting attachments (with binary data) in a second step. Though we did, it took us a while to realize that Bugzilla attachments imported into Phabricator were scrambled as the hack got still applied for unknown reasons (some caching?). Rebooting the Bugzilla server fixed the problem but we had to start from scratch with importing attachments.” (Thanks to Paul Wise.)

LWN.net: Security updates for Thursday

CentOS has updated kernel (C5: privilege escalation).

Fedora has updated bind (F20: two denial of service flaws), cpio (F21: denial of service), pam (F20: two vulnerabilities, one from 2013), and tcpdump (F20: three vulnerabilities).

Red Hat has updated kernel (RHEL7; RHEL6; RHEL5: privilege escalation).

Scientific Linux has updated kernel (SL7; SL5: privilege escalation).

LWN.net: Our approach to software and ongoing support for the first Fairphones

Over at the Fairphone blog, Kees Jongenburger reflects on what went right—and wrong—for the software that went into the first version of the Fairphone, which is a project aimed at creating a mobile phone that is, well, more “fair”. The project seeks to inject social values into the supply chain so that minerals come from conflict-free mining, for example, and that the workers are provided with a living wage.
“Fairphone’s high-level ambition is to bring more fairness to software. To us, that means focusing on two key principles: transparency and longevity.

We believe products should be long-lasting. The longer a phone lasts, the less waste it creates and the fewer resources it requires. Longevity plays a role in hardware choices; and at the software level, longevity means keeping the software up-to-date and secure after the product was sold.

Openness ties directly into our ideas for longevity. We believe that our community should have access to the source code of our software to make improvements, add cool functionality, and extend usability. We believe that releasing the code as open source will prolong the life of the phone past its commercial life.

For the first Fairphone, we pinpointed a number of (in retrospect, over-ambitious) goals that aligned with the ideas of transparency and longevity.”
We looked at Fairphone back in July 2013. (Thanks to Paul Wise.)

LWN.net: Security updates for Thursday

Debian has updated pdns-recursor (denial of service), unbound (denial of service), and xorg-server (multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities), clamav (denial of service), and libxml2 (denial of service).

Mageia has updated bind (M4: denial of service), firebird (M4: denial of service), and pdns-recursor (M4: denial of service).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities, one from 2013).

Slackware has updated bind (denial of service), mozilla (multiple vulnerabilities), openssh (tcp wrappers support), openvpn (denial of service), pidgin (multiple vulnerabilities), seamonkey (multiple vulnerabilities), and wpa_supplicant (command execution).

Ubuntu has updated nvidia-graphics-drivers (14.10, 14.04, 12.04: three vulnerabilities).

LWN.net: [$] Snowdrift.coop: Funding for free projects

Funding projects in the “free and open” world is a perennial problem. “Crowdfunding” using Kickstarter and other platforms has helped to alleviate some funding issues for some projects, but it is a model that targets one-time goals, not sustained development. Snowdrift.coop, which is an organization aimed at providing long-term funding for free and open projects, has—somewhat ironically—announced a crowdfunding campaign to launch itself.

Click below (subscribers only) for the full article.

LWN.net: [$] LWN.net Weekly Edition for December 4, 2014

The LWN.net Weekly Edition for December 4, 2014 is available.