Debian has updated bind9 (threevulnerabilities), ikiwiki (threevulnerabilities), and python-pysaml2 (XMLexternal entity attack).Debian-LTS has updated libav (twovulnerabilities).Fedora has updated compat-guile18 (F25; F24:insecure directory creation), mingw-flac(F25: three vulnerabilities from 2015), qpid-java (F25: information disclosure), andspringframework-security (F25: securityconstraint bypass).openSUSE has updated flash-player(13.2: multiple vulnerabilities).Red Hat has updated memcached(RHMAP4.2: two vulnerabilities).Slackware has updated bind(denial of service), gnutls (multiplevulnerabilities), and irssi (multiple vulnerabilities).SUSE has updated bind (SLE12-SP2,SP1; SLE12; SLE11-SP4,SP3: three vulnerabilities) and flash-player (SLE12-SP1: multiple vulnerabilities).Ubuntu has updated bind9 (threevulnerabilities) and libvncserver (two vulnerabilities).
The Ansible project is currently posting release candidates for the 2.1.4and 2.2.1 releases. They fix an important security bug:"CVE-2016-9587 is rated as HIGH in risk, as a compromised remotesystem being managed via Ansible can lead to commands being run on theAnsible controller (as the user running the ansible or ansible-playbookcommand)." Until this release is made, it would make sense to beespecially careful about running Ansible against systems that might havebeen compromised.Update: see thisadvisory for much more detailed information.
The appearance of a "Python 2.8" got the attention of the Python coredevelopers in early December. It is based on Python 2.7, withfeatures backported from Python 3.x. In general, there was littlesupport for the effort—core developers tend to clearly see Python 3 asthe way forward—but no opposition to it either. The Python license makesit clear that these kinds of efforts are legal and evenencouraged—any real opposition to the project lies in its name.Subscribers can click below for the full article from this week's edition.
Tim Kadlec looks at theongoing MongoDB compromises and how they came to be."Before version 2.6.0, that wasn’t true. By default, MongoDB was leftopen to remote connections. Authentication is also not required by default,which means that out of the box installs of MongoDB before version 2.6.0happily accept unauthenticated remote connections."
The digiKam team has announcedthe release of version 5.4.0 of the digiKam Software Collection, aphoto editing system."This version introduces several improvements to the similaritysearch engine and a complete re-write of video file support." Underthe hood, digiKam has been fully ported to the QtAV framework to handle video and audio files.
Synfig Studio 1.2.0, a 2D animation system, has been released.This version features a completely rewritten render engine and new lipsyncfeatures, along with many improvements and bugfixes.
Arch Linux has updated icoutils (code execution).CentOS has updated gstreamer-plugins-bad-free (C7: three codeexecution vulnerabilities), gstreamer-plugins-good (C7: multiplevulnerabilities), gstreamer1-plugins-bad-free (C7: multiplevulnerabilities), and gstreamer1-plugins-good (C7: multiple vulnerabilities).Debian-LTS has updated python-crypto (denial of service).Gentoo has updated adobe-flash (multiple vulnerabilities), python (two vulnerabilities), and tiff (multiple vulnerabilities).Mageia has updated nvidia304,nvidia340 (three vulnerabilities) and xen (multiple vulnerabilities).openSUSE has updated irssi (42.2, 42.1, 13.2; SPH for SLE12: multiple vulnerabilities).Scientific Linux has updated subscription-manager (SL7: information disclosure).
The GNU C library (glibc) 2.25 release isexpected to be available at the beginning of February; among the new featuresin this release will be a wrapper for the Linux getrandom() system call. One mightwell wonder why getrandom() is only appearing in this release,given that kernel support arrived with the 3.17 release in 2014 and thatthe glibc projectis supposed to be more receptive tonew features these days. A look at the history of this particular change highlights some of the reasons why getting newfeatures into glibc is still hard.
The Inkscape project has announced the release of version 0.92. "Newfeatures include mesh gradients, improved SVG2 and CSS3 support, new path effects, interactive smoothing for the penciltool, a new Object dialog for directly managing all drawing elements,and much more. Infrastructural changes are also under way, including aswitch to CMake from the venerable Autotools build system."
Greg Kroah-Hartman has released stable kernels 4.9.2, 4.8.17,and 4.4.41. All contain important fixesand users should upgrade. This is the last 4.8-stable kernel to bereleased and users of that kernel series should upgrade to 4.9.x.
The 4.10-rc3 kernel prepatch is availablefor testing. Linus says: "It still feels a bit smaller than a usualrc3, but for the first real rc after the merge window (ie I'd compareit to a regular rc2), it's fairly normal."
The Vault Storage and Filesystems conference will be held March 22 and 23in Cambridge, MA, USA, immediately after the Linux Storage, Filesystem, andMemory-Management Summit. The call forpresentations expires on January 14, and the conference organizerswould really like to get a few more proposals in before then. Developersinterested in speaking at a technical Linux event are encourage to sign up.(Also, don't forget the LWN CFP deadlinescalendar, which is a good way to stay on top of conference proposaldeadlines.)
The LearntEmail blog has a look at running AsteroidOS on the LG Watch Urbane smartwatch."It looks like a watch, it smells like a watch, but it runs like a normal computer. Wayland, systemd, polkit, dbus and friends look very friendly to hacking. Even Qt is better than android, but that's debatable.My next project - run Gtk+ on the watch :)" (Thanks to Paul Wise.)
Old habits die hard, even when support for the tools required by thosehabits ended over a decade ago. It is not surprising for users to cling tothe tools they learned early in their careers, even when they are told thatit is time to move on. A recent discussion on the Debian development list showed thesort of stress that this kind of inertia can put on a distribution andexplored the options that distributors have to try to nudge their userstoward more supportable solutions.
The Google Open Source Blog introducesthe Grumpy project. "Grumpy is an experimental Python runtimefor Go. It translates Python code into Go programs, and those transpiledprograms run seamlessly within the Go runtime. We needed to support a largeexisting Python codebase, so it was important to have a high degree ofcompatibility with CPython (quirks and all). The goal is for Grumpy to be adrop-in replacement runtime for any pure-Python project."
Arch Linux has updated lib32-curl(two vulnerabilities), lib32-libcurl-compat (two vulnerabilities), lib32-libcurl-gnutls (two vulnerabilities), libcurl-compat (two vulnerabilities), libcurl-gnutls (two vulnerabilities), and pcsclite (privilege escalation).CentOS has updated ghostscript (C7; C6: multiple vulnerabilities).Debian has updated libphp-phpmailer (regression in previous update).Debian-LTS has updated libphp-phpmailer (code execution) and libvncserver (two vulnerabilities).Fedora has updated borgbackup (F25; F24: twovulnerabilities) and freeipa (F24: two vulnerabilities).Gentoo has updated firefox (multiple vulnerabilities).Mageia has updated kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), libupnp (code execution), and python-html5lib (cross-site scripting).openSUSE has updated dnsmasq(42.2, 42.1: denial of service), samba (42.2; 42.1:three vulnerabilities), and wget (42.2,42.1: race condition).Red Hat has updated ghostscript (RHEL7; RHEL6:multiple vulnerabilities), kernel (RHEL7.1:denial of service), and systemd (RHEL7.1: denial of service).Scientific Linux has updated ghostscript (SL7; SL6:multiple vulnerabilities) and ipa (SL7: two vulnerabilities).
Version0.92 of the Inkscape vector drawing editor is available. "Newfeatures include mesh gradients, improved SVG2 and CSS3 support, new patheffects, interactive smoothing for the pencil tool, a new Object dialog fordirectly managing all drawing elements, and much more. Infrastructuralchanges are also under way, including a switch to CMake from the venerableAutotools build system." See therelease notes for details.
In what is becoming its annual tradition, the darktable project releaseda new stable version of its image-editing system at the end of December.The new 2.2 release incorporates several new photo-correction features ofnote.Click below (subscribers only) for the full article from Nathan Willis.
James Bottomley looks atTrusted Platform Module (TPM) version 2. "Recently Microsoft startedmandatingTPM2 as a hardware requirement for all platforms running recentversions of windows. This means that eventually all shipping systems(starting with laptops first) will have a TPM2 chip. The reason thisimpacts Linux is that TPM2 is radically different from its predecessorTPM1.2; so different, in fact, that none of the existing TPM1.2 software onLinux (trousers, the libtpm.so plug in for openssl, even my gnome keyringenhancements) will work with TPM2. The purpose of this blog is to explorethe differences and how we can make ready for the transition."(Thanks to Paul Wise)
Arch Linux has updated gst-plugins-bad (two vulnerabilities), lib32-libpng (denial of service), lib32-libpng12 (denial of service), libpng (denial of service), and libpng12 (denial of service).CentOS has updated ipa (C7: two vulnerabilities).Debian-LTS has updated samba(privilege escalation).Fedora has updated bzip2 (F25:denial of service), dovecot (F25: denial ofservice), and seamonkey (F25: multiple vulnerabilities).Gentoo has updated firefox(multiple vulnerabilities, some from 2014).Oracle has updated ipa (OL7: two vulnerabilities).
HackerBoards.com takesa look at hacker-friendly single board computers. "Community backed, open spec single board computers running Linux and Android sit at the intersection between the commercial embedded market and the open source maker community. Hacker boards also play a key role in developing the Internet of Things devices that will increasingly dominate our technology economy in the coming years, from home automation devices to industrial equipment to drones.This year, we identified 90 boards that fit our relatively loose requirements for community-backed, open spec SBCs running Linux and/or Android."
Pieter Hintjens passedaway last October. "Pieter was known mostly for founding the ZeroMQ project but he was also an ambitiousfighter for the open source philosophy, an active opponent to softwarepatents and an inspiring and keen thinker on open systems of allkind." (Thanks to Viktor Horvath)
Richard Fontana reviewslegal development in 2016 on opensource.com."The Federal Source Code Policy is notable for placing emphasis onadhering to proper standards for open development as well as open sourcelicensing. Agencies releasing open source code are directed to do so in amanner that encourages engagement with existing communities, fosters growthof new communities, and facilitates contribution both by the community tothe federal code and by federal employees and contractors to upstreamprojects."
The second 4.10 kernel prepatch is out fortesting. "Hey, it's been a really slow week between Christmas Day and New YearsDay, and I am not complaining at all.It does mean that rc2 is ridiculously and unrealistically small. Ialmost decided to skip rc2 entirely, but a small little meaninglessrelease every once in a while never hurt anybody. So here it is."
The Python 3.6 release occurred onDecember 23, only one week later than plannedall the wayback in October 2015. Python 3.6 adds a number of newfeatures, including more support for asynchronous operations (generatorsand comprehensions), a filesystem path protocol, a new literal stringformatting option, two random-number-related features, a frame evaluation APIfor debuggers and just-in-time (JIT) compilation, and more. Some of thesefeatures have been described in LWN articles along the way, but many haven't, so anoverview of the highlights of the new release is in order.Subscribers can click below to see the article that will appear in nextweek's edition.
The Electronic Frontier Foundation has a reviewof patent lawsuits in 2016. "We saw mixed results in the courtsthis year. The Supreme Court issued a gooddecision cutting back on out of control damages in design patentcases. Meanwhile, the Federal Circuit issued a very disappointingdecision that allows patent owners to undermine ownership by assertingpatent rights even after selling a patented good. Fortunately, the SupremeCourt has agreed to review that ruling. We will file an amicus briefsupporting the fundamental principle that once you buy something, you ownit."
Darktable 2.2.0 has beenreleased. This version includes the new automatic perspectivecorrection module, a liquify tool for all your fancy pixel moving, a newimage module to use a Color Look Up Table (CLUT) to change colors in theimage, and much more.
Jim Hall has announced therelease of FreeDOS 1.2. "The FreeDOS 1.2 release is an updated,more modern FreeDOS. You'll see that we changed many of the packages. Somepackages were replaced, deprecated by newer and better packages. We alsoadded other packages. And we expanded what we should include in the FreeDOSdistribution. Where FreeDOS 1.0 and 1.1 where fairly spartan distributionswith only "core" packages and software sets, the FreeDOS 1.2 distributionincludes a rich set of additional packages. We even include games."There is also a new installer.
Linus has released the 4.10-rc1 kernelprepatch and closed the merge window for this release. "Everythinglooks pretty normal, although we had an unusual amount of tree-wide finalcleanups in the last days of the merge window. But the general statisticslook fairly common: a bit over half is drivers, maybe slightly less archupdates than normal, and a fair amount of documentation updates due to thesphinx conversion."
As expected, Cyanogen Inc has announcedthe shutdown of the CyanogenMod servers as of the end of the year. A groupof community developers has declared afork, though few details are available at this point. "Embracingthat spirit, we the community of developers, designers, device maintainersand translators have taken the steps necessary to produce a fork of the CMsource code and pending patches. This is more than just a ‘rebrand’. Thisfork will return to the grassroots community effort that used to define CMwhile maintaining the professional quality and reliability you have come toexpect more recently."
Over at opensource.com, MáirÃn Duffy has a lengthy overview of the open-source creative tools available. She covers the core applications (GIMP, Inkscape, Scribus, MyPaint, Blender, and Krita) for design, as well as tools for video, photography, 2D animation, audio, music, and more. "These six applications are the juggernauts of open source design tools. They are well-established, mature projects with full feature sets, stable releases, and active development communities. All six applications are cross-platform; each is available on Linux, OS X, and Windows, although in some cases the Linux versions are the most quickly updated. These applications are so widely known, I've also included highlights of the latest features available that you may have missed if you don't closely follow their development.If you'd like to follow new developments more closely, and perhaps even help out by testing the latest development versions of the first four of these applications—GIMP, Inkscape, Scribus, and MyPaint—you can install them easily on Linux using Flatpak."
It's not entirely clear that the title is justified, but Wired does cover some progress on the encryption front in 2016. "End-to-end encryption, which ensures that the only people who can see your communications are you and the person on the receiving end, certainly isn’t new. But in 2016, encryption went mainstream, reaching billions of people all over the world. Even more significantly, it overcame its most aggressive legal challenge yet, in a prolonged standoff between Apple and the FBI. And just this week, a Congressional committee affirmed the importance of encryption, giving hope that future laws around the topic will include at least a modicum of sanity.There’s still a long way to go, and any gains that were made could potentially be rolled back, but for now it’s worth taking a step back to appreciate just how far encryption came this year. As far as silver linings go, you could do a lot worse."
The Python 3.6.0 release is out. Enhancements in this release includeformatted string literals ("f-strings"), variable type annotations,asynchronous generators and comprehensions, and more; see the "what's new"document for details.
Arch Linux has updated openssh(multiple vulnerabilities) and samba (three vulnerabilities).Debian-LTS has updated nss(timing side-channel).Fedora has updated botan (F25; F24:integer overflow), gdk-pixbuf2 (F25:unspecified), kernel (F25; F24: denial of service), samba (F25: two vulnerabilities), and xen (F24: multiple vulnerabilities).Mageia has updated libgd (twovulnerabilities), php (twovulnerabilities), and squid (two vulnerabilities).SUSE has updated dnsmasq (OSCC5:denial of service from 2015), ImageMagick (SLE12: multiple vulnerabilities, one from 2014), kernel (SLE11SP2; SLE11SP3: two vulnerabilities), and libgme (SLE12: multiple vulnerabilities).
On his blog, Alexander Larsson reflects on the Flatpak 0.8 release and his plans for the application packaging and distribution format going forward."My goal is to get the 0.8 series into the Debian 9 release, and as many other distributions as possible, so that people who create flatpaks can consider the features it supports as a reliable baseline.Sandboxing has always been one of the pillars of Flatpak, but even more important to me is cross-distro application distribution, even if not sandboxed. This is important because it gives upstream developers a way to directly interact with their users, without having an intermediate distributor. With 0.8 I think we have reached a level where the support for this is solid. So, if you ever thought about experimenting with Flatpak, now is the time!
Over at opensource.com, Joshua Allen Holm writes about two projects (Privacy Friendly Apps and Simple Mobile Tools) that are producing Android apps that are open source, privacy respecting, and only request the privileges they need. "Below, I take a look at two projects producing a wide variety of Android apps designed to only request the permissions they require to function. These apps cover a wide range of functions with each app being focused on doing only one task and doing that task well. Users looking for well designed, functional apps with no extra features and no anti-features (i.e., advertisements) should consider checking these apps out. Developers, especially those just getting started with developing for Android, should take a look at the source code for these apps to learn about developing apps with a focus on using minimal permissions and respecting users' privacy."
CentOS has updated gstreamer-plugins-bad-free (C6: two codeexecution flaws), gstreamer-plugins-good(C6: multiple vulnerabilities), thunderbird (C7; C6: multiple vulnerabilities), and vim (C7; C6: code execution).Debian-LTS has updated imagemagick (multiple vulnerabilities) and libgd2 (code execution).Fedora has updated dovecot (F24:denial of service), msgpuck (F25; F24: two denial of service flaws), andtarantool (F25; F24: two denial of service flaws).openSUSE has updated gd (13.2:code execution), GraphicsMagick (twovulnerabilities), ImageMagick (13.2: multiple vulnerabilities),mcabber (42.2: information disclosure from2015), php5 (13.2: three vulnerabilities),qemu (42.2: multiple vulnerabilities), and shellinabox (HTTP fallback from 2015).Oracle has updated gstreamer-plugins-bad-free (OL6: two codeexecution flaws), gstreamer-plugins-good(OL6: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), kernel3.8.13 (OL7; OL6: two vulnerabilities), kernel 4.1.12OL7; OL6:code execution), and thunderbird (OL7; OL6: multiple vulnerabilities).Red Hat has updated openstack-cinder/glance/nova (RHOSP8.0: denialof service from 2015).SUSE has updated firefox (SLE12; SLE11SP4&3; SLE11SP2: multiple vulnerabilities), kernel (SLE12: two vulnerabilities), andxen (SLE12; SLE12SP2; SLE12SP1; SLE11SP4: three vulnerabilities).
A summary of talks between the estranged OpenWrt and LEDE routerdistribution projects has been posted. It seems that progress is beingmade. "It is still not decided that both project will finally merge and wehaven't decided on the name to use, which parts of the infrastructureand many other things. In general we are agreeing on many parts and I amlooking forward to a good merged ending for all of us."
LWN.net