Tom Callaway seems to be a very nice person who has been overclocked to about 140% normal human speed. In only 20 minutes he gave an interesting and highly-amusing talk that could have filled a 45-minute slot on the legal principles that underpin Fedora, how they got that way, and how they work out in practice. Subscribers can click below for the full report from FOSDEM by guest author Tom Yates.
CentOS has updated bind (C7: denial of service).
Debian has updated libevent (three vulnerabilities).
Debian-LTS has updated libevent (three vulnerabilities).
Fedora has updated lynx (F25: invalid URL parsing) and xen (F25: multiple vulnerabilities).
Oracle has updated bind (OL7: denial of service).
Red Hat has updated bind (RHEL7: denial of service), flash-plugin (RHEL6: multiple vulnerabilities), and kernel (RHEL7.1: code execution).
Scientific Linux has updated bind (SL7: denial of service).
SUSE has updated java-1_8_0-ibm (SLE12-SP1,2: multiple vulnerabilities) and kernel (SLE12-SP1: multiple vulnerabilities).
Ubuntu has updated php5 (14.04, 12.04: multiple vulnerabilities).
TechRepublic reports that the Munich, Germany city council has voted to begin the move back to proprietary desktop software. "Under a proposal backed by the general council, the administration will investigate how long it will take and how much it will cost to build a Windows 10 client for use by the city's employees. Once this work is complete, the council will vote again on whether to replace LiMux, a custom version of the Linux-based OS Ubuntu, across the authority from 2021."
David Malcolm takes a look at the testing going into the upcoming GCC 7.0 release. "The other new approach is in unit-testing: GCC’s existing testing was almost all done by verifying the externally-visible behavior of the program, but we had very little direct coverage of specific implementation subsystems; this was done in a piecemeal fashion using testing plugins. To address this, I’ve added a unit-testing suite to GCC 7, which is run automatically during a non-release build. Compilers use many data structures, so the most obvious benefit is that we can directly test corner-cases in these. As a relative newcomer to the project, one of my “pain points” learning GCC’s internals was the custom garbage collector it uses to manage memory. So, I’m very happy that the test suite now has specific test coverage for various aspects of the collector, which should make the compiler more robust when handling very large input files."
CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities).
Debian has updated tomcat7 (denial of service), tomcat8 (denial of service), and vim (buffer overflow).
Debian-LTS has updated tomcat7 (denial of service).
Fedora has updated bind (F25: denial of service), kernel (F25; F24: two vulnerabilities), netpbm (F25: three vulnerabilities), tcpdump (F25: multiple vulnerabilities), vim (F25: buffer overflow), and w3m (F25: unspecified).
Gentoo has updated openssl (multiple vulnerabilities) and virtualbox (multiple vulnerabilities).
openSUSE has updated kernel (42.2; 42.1: multiple vulnerabilities).
Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).
For some years, OpenWrt has arguably been the most active router-oriented distribution. Things changed in May of last year, though, when a group of OpenWrt developers split off to form the competing LEDE project. While the LEDE developers have been busy, the project has yet to make its first release. That situation is about to change, though, as evidenced by the LEDE v17.01.0-rc1 release candidate, which came out on February 1.
Arch Linux has updated ffmpeg (two vulnerabilities), kdenetwork-kopete (social engineering attacks), and webkit2gtk (multiple vulnerabilities).
Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and vim (buffer overflow).
Fedora has updated epiphany (F24: password extraction sweep attack).
Gentoo has updated gnutls (multiple vulnerabilities), graphviz (multiple vulnerabilities from 2014), and lsyncd (command injection from 2014).
Mageia has updated audacious-plugins (multiple vulnerabilities), calibre (information leak), and nagios (two vulnerabilities).
openSUSE has updated irssi (42.2, 42.1: memory leak), libxml2 (42.2: three vulnerabilities), and tigervnc (42.2, 42.1: denial of service).
Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and kernel 2.6.39 (OL6; OL5: multiple vulnerabilities).
Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities).
Scientific Linux has updated java-1.7.0-openjdk (SL5,6,7: multiple vulnerabilities).
Slackware has updated bind (denial of service), openssl (three vulnerabilities), php (multiple vulnerabilities), and tcpdump (multiple vulnerabilities).
Linus has released one more kernel prepatch, 4.10-rc8, rather than the final 4.10 release that had been expected. He said that 4.10 could have come out this week, but he thought better of it. "But I decided that there's also no huge overriding reason to do so (other than getting back to the usual "rc7 is the last rc" schedule, which would have been nice), and with travel coming up, I decided that I didn't really need to open the merge window. I've done merge windows during travel before, but I just prefer not to."
Sailfish OS 2.1.0 Iijoki has been released. "Iijoki brings major architectural changes to Sailfish OS by introducing Qt 5.6 UI framework, BlueZ 5 Bluetooth stack and basic implementations of 64-bit architecture. It also brings improvements to the camera software with faster shutter speeds, initial support for Virtual Private Networks (VPN), option to enlarge UI fonts to different levels and last but not least, a large number of bug and error fixes mostly reported by our community." The release notes contain additional details.
Arch Linux has updated bind (denial of service).
Debian has updated jasper (multiple vulnerabilities).
Debian-LTS has updated mysql-5.5 (code execution) and viewvc (cross-site scripting).
Fedora has updated bitlbee (F24: denial of service), gnome-boxes (F24: password disclosure), gtk-vnc (F25: two vulnerabilities), iio-sensor-proxy (F24: authentication bypass), java-1.8.0-openjdk-aarch32 (F25; F24: multiple vulnerabilities), libwmf (F25: multiple vulnerabilities), mariadb (F24: multiple vulnerabilities), openssl (F24: three vulnerabilities), quagga (F25: denial of service), spice (F25; F24: two vulnerabilities), viewvc (F24: cross-site scripting), and wireshark (F25: two denial of service flaws).
Gentoo has updated firejail (incomplete fix for previous vulnerability).
SUSE has updated opus (SLE12: code execution) and kernel (SLE11: multiple vulnerabilities).
Ubuntu has updated linux-raspi2 (16.10: multiple vulnerabilities), linux-ti-omap4 (12.04: two vulnerabilities), and nova-lxd (16.04: ).
Debian has updated openjdk-7 (multiple vulnerabilities), php5 (multiple vulnerabilities), and viewvc (cross-site scripting).
Fedora has updated bitlbee (F25: denial of service), mariadb (F25: multiple vulnerabilities), redis (F25: two vulnerabilities), and viewvc (F25: cross-site scripting).
openSUSE has updated libplist (42.2, 42.1: two vulnerabilities), opera (42.2, 42.1: multiple vulnerabilities), and rubygem-minitar (42.2: file overwrite).
Red Hat has updated java-1.8.0-ibm (RHEL7&6: multiple vulnerabilities).
SUSE has updated firefox (SLE11; SLE12: multiple vulnerabilities).
Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities) and oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).
High-speed networking was once, according to Andy Wingo in his 2017 linux.conf.au presentation, the domain of "the silicon people". But that situation is changing, and now any hacker can work with networking at the highest speeds. There is one little catch: one must dispense with the kernel's network stack and do the work in user space. Happily, not all of the solutions in this area are proprietary; he was there to talk about the Snabb networking toolkit and what can be done with it.
Debian-LTS has updated php5 (multiple vulnerabilities).
Fedora has updated calibre (F25; F24: information leak), gnome-boxes (F25: password disclosure), and openssl (F25: three vulnerabilities).
openSUSE has updated irssi (SPH for SLE12: memory leak) and spice (42.2; 42.1: two vulnerabilities).
SUSE has updated mariadb (SLE12-SP1,2; SLES12: multiple vulnerabilities).
Greg Kroah-Hartman has released an unexpected 3.18 kernel update, despite the fact that 3.18 is no longer supported. "Turns out there was a bug in 3.18.47 in one of the backports. And a bug in 3.18.27 as well, with one of the backports there. And a very minor issue in the 3.18.28 release, but no one cares about the debug messages for a specific scsi driver, so you can just ignore that issue..."
Michael Catanzaro looks at how distributors have improved (or not) their security support for the WebKit browser engine in the last year. "So results are clearly mixed. Some distros are clearly doing well, and others are struggling, and Debian is Debian. Still, the situation on the whole seems to be much better than it was one year ago. Most importantly, Ubuntu’s decision to start updating WebKitGTK+ means the vast majority of Linux users are now receiving updates."
Kenton Varda reports that Sandstorm, as a company, is no more, but community development lives on. LWN covered the Sandstorm personal cloud platform in June 2014.
"Many people also know that Sandstorm is a for-profit startup, with a business model centered on charging for enterprise-oriented features, such as LDAP and SAML single-sign-on integration, organizational access control policies, and the like. This product was called “Sandstorm for Work”; it was still open source, but official builds hid the features behind a paywall. Additionally, we planned eventually to release a scalable version of Sandstorm for big enterprise users, based on the same tech that powers Sandstorm Oasis, our managed hosting service.
As an open source project, Sandstorm has been successful: We have a thriving community of contributors, many developers building and packaging apps, and thousands of self-hosted servers running in the wild. This will continue.
However, our business has not succeeded. To date, almost no one has purchased Sandstorm for Work, despite hundreds of trials and lots of interest expressed. Only a tiny fraction of Sandstorm Oasis users choose to pay for the service – enough to cover costs, but not much more."
Luis Villa talks about the open-source lawyer career path on opensource.com. "First, going to law school is a gamble. Recent American law school graduates must fight fiercely for one of the few jobs that can cover their massive debt, and roughly 50% fail the California bar. And, the open source gamble is bigger, because the opportunities are even fewer."
The grsecurity developers have announced the first release of the "Reuse Attack Protector" (RAP) patch set, aimed at preventing return-oriented programming and other attacks. "RAP is our patent-pending and best-in-breed defense mechanism against code reuse attacks. It is the result of years of research and development into Control Flow Integrity (CFI) technologies by PaX. The version of RAP present in the test patch released to the public today under the GPLv2 is now feature-complete."
Kodi 17.0 (Krypton) has been released. Kodi is a software media center for playing videos, music, pictures, games, and more. This release features a new skin, an updated video engine, improvements to the music library, numerous improvements to Live TV and PVR functionality, and more.
One often hears the "infrastructure as code" refrain when configuration-management systems are discussed. Normally, though, that phrase doesn't bring to mind an image of infrastructure as Haskell code. In his 2017 linux.conf.au talk, Joey Hess described his Propellor system and the interesting features that a Haskell implementation makes possible, with a special focus on how Haskell's type-checking system can be pressed into service to detect configuration errors.
The Cloud Native Computing Foundation has announced that it has purchased the rights to the RethinkDB NoSQL database and contributed it to the Linux Foundation. In the process, the code was relicensed from the Affero GPLv3 to the Apache license. "RethinkDB is an open source, NoSQL, distributed document-oriented database that is in production use today by hundreds of technology startups, consulting firms and Fortune 500 companies, including NASA, GM, Jive, Platzi, the U.S. Department of Defense, Distractify and Matters Media. Some of Silicon Valley’s top firms invested $12.2 million over more than eight years in the RethinkDB company to build a state-of-the-art database system, but were unsuccessful in creating a sustainable business, and it shut down in October 2016."
Version 2.25 of the GNU C Library has been released. This release contains the long-awaited support for the getrandom() system call and a long list of other features; click below for the full announcement.
The 4.10-rc7 kernel prepatch has been released for testing. "Hey, look at that - it's all been very quiet, and unless anything bad happens, we're all back to the regular schedule with this being the last rc."
Arch Linux has updated qt5-webengine (multiple vulnerabilities) and tcpdump (multiple vulnerabilities).
CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities).
Debian-LTS has updated ntfs-3g (privilege escalation) and svgsalamander (server-side request forgery).
Fedora has updated openldap (F25: unintended cipher usage from 2015) and wavpack (F25: multiple vulnerabilities).
Mageia has updated openafs (information leak) and pdns-recursor (denial of service).
openSUSE has updated java-1_8_0-openjdk (42.2, 42.1: multiple vulnerabilities), mupdf (42.2; 42.1: three vulnerabilities), phpMyAdmin (42.2, 42.1: multiple vulnerabilities, one from 2015), and Wireshark (42.2: two denial of service flaws).
Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).
Scientific Linux has updated libtiff (SL7&6: multiple vulnerabilities, one from 2015) and thunderbird (multiple vulnerabilities).
Ubuntu has updated kernel (16.10; 14.04; 12.04: multiple vulnerabilities), kernel, linux-raspi2, linux-snapdragon (16.04: two vulnerabilities), linux-lts-trusty (12.04: code execution), linux-lts-xenial (14.04: two vulnerabilities), and tomcat (14.04, 12.04: regression in previous update).
The Rust team has released version 1.15 of the Rust programming language, which adds a custom derive feature. "These kinds of libraries are extremely powerful, but rely on custom derive for ergonomics. While these libraries worked on Rust stable previously, they were not as nice to use, so much so that we often heard from users “I only use nightly because of Serde and Diesel.” The use of custom derive is one of the most widely used nightly-only features. As such, RFC 1681 was opened in July of last year to support this use-case. The RFC was merged in August, underwent a lot of development and testing, and now reaches stable today!"
In the acme-client-portable repository at GitHub, developer Kristaps Dz has a rather stinging indictment of trying to use seccomp sandboxing for the portable version of acme-client, which is a client program for getting Let's Encrypt certificates. He has disabled seccomp filtering in the default build for a number of reasons. "So I might use mmap, but the system call is mmap2? Great. This brings us to the second and larger problem. The C library. There are several popular ones on Linux: glibc, musl, uClibc, etc. Each of these is free to implement any standard function (like mmap, above) in any way. So while my code might say read, the C library might also invoke fstat. Great. In general, section 2 calls (system calls) map evenly between system call name and function name. (Except as noted above... and maybe elsewhere...) However, section 3 is all over the place. The strongest differences were between big functions like getaddrinfo(2). Then there's local modifications. And not just between special embedded systems. But Debian and Arch, both using glibc and both on x86_64, have different kernels installed with different features. Great. Less great for me and seccomp." (Thanks to Paul Wise.)
The 4.9.7 and 4.4.46 kernels have been released by Greg Kroah-Hartman. They contain fixes throughout the tree and users of those kernel series should upgrade.
The GNOME Foundation's long search for a new executive director has finally come to an end: Neil McGovern has taken the job. "McGovern is an experienced leader in Free Software projects and is best known for his role as Debian Project Leader from 2014-15. He has been on the Boards of numerous organizations, including Software in the Public Interest, Inc. and the Open Rights Group."
Version 3.1.2 of the Krita painting application has been released. This version features audio support for animations along with other improvements and bug fixes. "Audio is not yet available in the Linux appimages. It is an experimental feature, with no guarantee that it works correctly yet — we need your feedback!"
Last year, three new umbrella organizations for free and open-source software (and hardware) projects emerged in Europe. Their aim is to cater to the needs of the community by providing a legal entity for projects to join, leaving the projects free to focus on technical and community tasks. These organizations (Public Software CIC, [The Commons Conservancy], and the Center for the Cultivation of Technology) will take on the overhead of actually running a legal entity themselves.
Arch Linux has updated salt (two vulnerabilities).
CentOS has updated libtiff (C7; C6: multiple vulnerabilities).
Debian has updated libgd2 (multiple vulnerabilities), ruby-archive-tar-minitar (file overwrites), and wordpress (multiple vulnerabilities).
Debian-LTS has updated ikiwiki (three vulnerabilities), libplist (two vulnerabilities), and wordpress (multiple vulnerabilities).
Gentoo has updated pcsc-lite (privilege escalation).
openSUSE has updated openssh (42.2: multiple vulnerabilities).
Oracle has updated libtiff (OL7; OL6: multiple vulnerabilities).
Red Hat has updated libtiff (RHEL6,7: multiple vulnerabilities).
SUSE has updated gnutls (SLE12-SP1,2: multiple vulnerabilities) and java-1_8_0-openjdk (SLE12-SP1,2: multiple vulnerabilities).
Ubuntu has updated openssl (multiple vulnerabilities).
The LEDE project, working on a fork of the OpenWrt router distribution, has announced its first release candidate. "With this release, the LEDE development team closes out an intense effort to modernize many parts of OpenWrt and incorporate many new modules, packages, and technologies." Click below for a terse list of changes; they include the significant WiFi performance improvements described in this article.
Version 5.3 of the LibreOffice office suite is out. "LibreOffice 5.3 represents a significant step forward in the evolution of the software: it offers an introduction to new features such as online with collaborative editing, which increase the competitive positioning of the application, and at the same time provides incremental improvements, to make the program more reliable, interoperable and user friendly."
Google has announced that Google Earth Enterprise (GEE) will be published on GitHub under the Apache2 license in March. GEE is an enterprise product that allows developers to build and host their own private maps and 3D globes. This release includes GEE Fusion, GEE Server, and GEE Portable Server source code. "Feedback is important to us and we’ve heard from our customers that GEE remains in-use in mission-critical applications. Many customers have not transitioned to other technologies. Open-sourcing GEE allows our customer community to continue to improve and evolve the project in perpetuity. Note that the Google Earth Enterprise Client, Google Maps JavaScript® API V3 and Google Earth API will not be open sourced. The Enterprise Client will continue to be made available and updated. However, since GEE Fusion and GEE Server are being open-sourced, the imagery and terrain quadtree implementations used in these products will allow third-party developers to build viewers that can consume GEE Server Databases." (Thanks to Paul Wise)
The Python Software Foundation has announced that python.org and related sites will begin disabling the old TLS versions 1.0 and 1.1. "This change was imposed on us by our content delivery network, Fastly, in response to a change imposed on them by the Payment Card Industry Security Standards Council. In order to continue serving websites that take credit card payments, Fastly is required to disable the old, insecure versions of TLS. Since the PSF's servers, including PyPI, use Fastly, the old versions of TLS will be disabled as well."
Debian has updated chromium-browser (multiple vulnerabilities).
Debian-LTS has updated libarchive (denial of service), ruby-archive-tar-minitar (file overwrites), and tcpdump (multiple vulnerabilities).
Fedora has updated flatpak (F24: sandbox escape), irssi (F25; F24: multiple vulnerabilities), kernel (F25; F24: multiple vulnerabilities), and python-crypto (F25; F24: denial of service).
Gentoo has updated ansible (code execution) and harfbuzz (multiple vulnerabilities).
openSUSE has updated lcms2 (42.1: heap memory leak) and virtualbox (42.1: multiple vulnerabilities).
Red Hat has updated kernel (RHEL7.2: two vulnerabilities), kernel (RHEL6.6; RHEL6.2: code execution), and nagios (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL6; RHELOSP5 for RHEL7: multiple vulnerabilities).
SUSE has updated kernel (SLE11-SP2: multiple vulnerabilities).
The KDE project has announced the release of the Plasma 5.9 desktop environment with a number of new features. "Global Menus have returned. KDE's pioneering feature to separate the menu bar from the application window allows for new user interface paradigm with either a Plasma Widget showing the menu or neatly tucked away in the window bar."
David Egts reviews the Orange Pi at Opensource.com. "Compared to a $5 Raspberry Pi Zero, the Orange Pi Zero is only a few dollars more expensive, but it is much more useful out of the box because it has onboard Internet connectivity and four CPU cores instead of one. This onboard networking capability also makes the Orange Pi Zero a better gift than a Raspberry Pi Zero because the Raspberry Pi Zero needs Micro-USB-to-USB adapters and a Wi-Fi USB adapter to connect to the Internet. When giving IoT devices as gifts, you want the recipient to enjoy the product as quickly and easily as possible, instead of giving something incomplete that will just end up on a shelf."
The 4.10-rc6 kernel prepatch is out for testing. Linus is worried that the patch activity has increased this time around. "It's still not all that big by historical standards, since 4.10 has generally been pretty calm, but it's a bit distressing. I was hoping to do the usual 'rc7 is the last rc' release schedule for once (with both 4.8 and 4.9 pushing out to rc8), and I really want things to calm down for that to happen." The codename has changed again, now it's "Fearless Coyote".
Kernel.org has announced that it will be shutting down FTP access to its archives in two stages: March 1 will see the end of ftp.kernel.org, while December 1 is the termination date for mirrors.kernel.org.
"Let's face it -- while kinda neat and convenient, offering a public NFS/CIFS server was a Pretty Bad Idea, not only because both these protocols are pretty terrible over high latency connections, but also because of important security implications.
Well, 19 years later we're thinking it's time to terminate another service that has important protocol and security implications -- our FTP servers. Our decision is driven by the following considerations:"
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), mysql (C6: three vulnerabilities), squid (C7: information leak), and squid34 (C6: information leak).
Debian has updated libxpm (code execution).
Debian-LTS has updated asterisk (denial of service from 2014), firefox-esr (multiple vulnerabilities), lcms2 (denial of service), and libxpm (code execution).
Mageia has updated firefox (multiple vulnerabilities), gstreamer (code execution), and php-phpmailer (two vulnerabilities).
openSUSE has updated apache2 (42.2: denial of service) and gstreamer-0_10-plugins-good (42.1: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and puppet-swift (OSP10.0: information disclosure).
Slackware has updated mozilla-thunderbird (multiple vulnerabilities).