Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-25 13:30
Security advisories for Monday
Debian has updated mysql-5.5 (multiple unspecified vulnerabilities).
Debian-LTS has updated libdatetime-timezone-perl (update tzdata), libxslt (code execution), memcached (multiple vulnerabilities, one from 2013), openjdk-7 (multiple vulnerabilities), and tzdata (update tzdata).
Fedora has updated 389-ds-base (F24: information leak), curl (F24: multiple vulnerabilities), firefox (F24: two vulnerabilities), and pacemaker (F24: privilege escalation).
Mageia has updated libtomcrypt (signature forgery), python-django (two vulnerabilities), and tomcat (multiple vulnerabilities).
openSUSE has updated chromium (SPH for SLE12; Leap42.1, 13.2: memory leak), dbus-1 (13.1: denial of service), jasper (13.1: multiple vulnerabilities), libraw (Leap42.1: memory leak), libxml2 (13.2: code execution), and firefox (13.1: two vulnerabilities).
Red Hat has updated java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities) and java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities).
Kernel prepatch 4.9-rc4
The 4.9-rc4 kernel prepatch is out for testing. Linus says: "So I'm not going to lie: this is not a small rc, and I'd have been happier if it was. But it's not unreasonably large for this (big) release either, so it's not like I'd start worrying. I'm currently still assuming that we'll end up with the usual seven release candidates, assuming things start calming down. We'll see how that goes as we get closer to a release."
The iconic text editor Vim celebrates 25 years (Opensource.com)
Opensource.com celebrates 25 years of Vim. "Vim is a flexible, extensible text editor with a powerful plugin system, rock-solid integration with many development tools, and support for hundreds of programming languages and file formats. Twenty-five years after its creation, Bram Moolenaar still leads development and maintenance of the project—a feat in itself! Vim had been chugging along in maintenance mode for more than a decade, but in September 2016 version 8.0 was released, adding new features to the editor of use to modern programmers."
Move over Raspberry Pi, here is a $4, coin-sized, open-source Linux computer (ZDNet)
ZDNet takes a look at the VoCore2, a coin-sized computer. "VoCore2 is an open source Linux computer and a fully-functional wireless router that is smaller than a coin. It can also act as a VPN gateway for a network, an AirPlay station to play lossless music, a private cloud to store your photos, video, and code, and much more. The Lite version of the VoCore2 features a 580MHz MT7688AN MediaTek system on chip (SoC), 64MB of DDR2 RAM, 8MB of NOR storage, and a single antenna slot for Wi-Fi that supports 150Mbps."
Security advisories for Friday
Arch Linux has updated lib32-gdk-pixbuf2 (denial of service).
Debian has updated curl (multiple vulnerabilities) and memcached (code execution).
Fedora has updated kdepimlibs (F24: three vulnerabilities), libwebp (F24: integer overflows), and quagga (F24; F23: three vulnerabilities).
Gentoo has updated libreoffice (multiple vulnerabilities) and oracle-jre-bin (multiple vulnerabilities).
Mageia has updated bind (denial of service), kernel-tmb (multiple vulnerabilities), php-adodb (two vulnerabilities), and rpm (code execution from 2014).
openSUSE has updated jasper (13.2: multiple vulnerabilities, one from 2008).
Oracle has updated kernel 4.1.12 (OL7; OL6: code execution) and kernel 3.8.13 (OL7; OL6: code execution).
Red Hat has updated docker (RHEL7: privilege escalation).
Scientific Linux has updated bind (SL5,6: denial of service) and bind97 (SL5: denial of service).
Slackware has updated bind (denial of service) and curl (multiple vulnerabilities).
SUSE has updated java-1_8_0-ibm (SLE12-SP1: three vulnerabilities) and xen (SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities).
Ubuntu has updated curl (multiple vulnerabilities).
Internet Archive turns 20, gives birthday gifts to the world (Opensource.com)
Opensource.com covers the Internet Archive's 20th birthday celebration. "Of all the projects announced during the event though, by far one of the most exciting and impressive is the newly released ability to search the complete contents of all text items on the Internet Archive. Nine million text items, covering hundreds of years of human history, are now searchable in an instant."
Red Hat Enterprise Linux 7.3
Red Hat has announced the release of Red Hat Enterprise Linux 7.3. "This update to Red Hat's flagship Linux operating system includes new features and enhancements built around performance, security, and reliability. The release also introduces new capabilities around Linux containers and the Internet of Things (IoT), designed to help early enterprise adopters use existing investments as they scale to meet new business demands."
Thursday's security updates
Arch Linux has updated curl (multiple vulnerabilities), lib32-curl (multiple vulnerabilities), lib32-libcurl-compat (multiple vulnerabilities), lib32-libcurl-gnutls (multiple vulnerabilities), libcurl-compat (multiple vulnerabilities), libcurl-gnutls (multiple vulnerabilities), tar (file overwrite), and tomcat6 (redirect HTTP traffic).
CentOS has updated bind (C6; C5: denial of service) and bind97 (C5: denial of service).
Debian-LTS has updated bind9 (denial of service), bsdiff (denial of service), qemu (multiple vulnerabilities), spip (multiple vulnerabilities), and xen (information leak/corruption).
Mageia has updated openjpeg2 (multiple vulnerabilities).
openSUSE has updated bash (13.2: code execution), ghostscript (Leap42.1: insufficient parameter check), libxml2 (Leap42.1: code execution), and openslp (Leap42.1: two vulnerabilities).
Oracle has updated bind (OL6; OL5: denial of service) and bind97 (OL5: denial of service).
Red Hat has updated 389-ds-base (RHEL7: three vulnerabilities), bind (RHEL7; RHEL5,6: denial of service), bind97 (RHEL5: denial of service), curl (RHEL7: three vulnerabilities), dhcp (RHEL7: denial of service), firewalld (RHEL7: authentication bypass), fontconfig (RHEL7: privilege escalation), gimp (RHEL7: use-after-free), glibc (RHEL7: three vulnerabilities), kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), krb5 (RHEL7: two vulnerabilities), libguestfs and virt-p2v (RHEL7: information leak), libreoffice (RHEL7: code execution), libreswan (RHEL7: denial of service), libvirt (RHEL7: three vulnerabilities), mariadb (RHEL7: multiple vulnerabilities), mod_nss (RHEL7: invalid handling of +CIPHER operator), nettle (RHEL7: multiple vulnerabilities), NetworkManager (RHEL7: information leak), ntp (RHEL7: multiple vulnerabilities), openssh (RHEL7: privilege escalation), pacemaker (RHEL7: denial of service), pacemaker (RHEL7: privilege escalation), pcs (RHEL7: two vulnerabilities), php (RHEL7: multiple vulnerabilities), poppler (RHEL7: code execution), postgresql (RHEL7: two vulnerabilities), powerpc-utils-python (RHEL7: code execution), python (RHEL7: code execution), qemu-kvm (RHEL7: two vulnerabilities), resteasy-base (RHEL7: code execution), squid (RHEL7: multiple denial of service flaws), subscription-manager (RHEL7: information disclosure), sudo (RHEL7: information disclosure), systemd (RHEL7: denial of service), tomcat (RHEL7: multiple vulnerabilities), util-linux (RHEL7: denial of service), and wget (RHEL7: code execution).
SUSE has updated bind (SLES-Pi-12-SP2; SOSC5, SMP2.1, SM2.1, SLE11-SP2,3,4: denial of service) and curl (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated memcached (code execution), nvidia-graphics-drivers-367 (16.04, 14.04, 12.04: privilege escalation), and openjdk-8 (16.10, 16.04: multiple vulnerabilities).
Results from the Linux Foundation Technical Advisory Board election
The 2016 Linux Foundation Technical Advisory Board election was held November 2 at the combined Kernel Summit and Linux Plumbers Conference events. Incumbent members Chris Mason and Peter Anvin were re-elected to the board; they will be joined by new members Olof Johansson, Dan Williams, and Rik van Riel. Thanks are due to outgoing members Grant Likely, Kristen Accardi, and John Linville.
[$] LWN.net Weekly Edition for November 3, 2016
The LWN.net Weekly Edition for November 3, 2016 is available.
Mesa 13.0.0 released
The Mesa project has announced version 13.0.0 of the 3D graphics library that provides an open-source implementation of OpenGL. "This release has huge amount of features, but without a doubt the biggest ones are: Vulkan driver for hardware supported by the AMDGPU kernel driver [and] OpenGL 4.4/4.5 capability, yet the drivers may expose lower version due to pending Khronos CTS validation."
Eben Moglen on GPL Compliance and Building Communities: What Works (Linux.com)
Linux.com has a transcript of Eben Moglen's talk in New York on October 28. "I have some fine clients and wonderful friends in this movement who have been getting rather angry recently. There is a lot of anger in the world, in fact, in politics. Our political movement is not the only one suffering from anger at the moment. But some of my angry friends, dear friends, friends I really care for, have come to the conclusion that they're on a jihad for free software. And I will say this after decades of work—whatever else will be the drawbacks in other areas of life—the problem in our neighborhood is that jihad does not scale." There is a video of the talk available as well.
Collabora Online Development Edition 2.0 released
Version 2.0 of the Collabora Online Development Edition online office suite has been released. "Collabora Productivity, the developers behind LibreOffice Online, announced the release of CODE 2.0, including the latest and most requested feature from customers: collaborative editing. Developers and home users are encouraged to update, try this out and get involved with the latest developments." See this blog entry for lots of details.
Security advisories for Wednesday
Arch Linux has updated bind (denial of service).
Debian has updated bind9 (denial of service) and tar (file overwrite).
Debian-LTS has updated libwmf (denial of service), tiff (multiple vulnerabilities), and tiff3 (two vulnerabilities).
Fedora has updated ecryptfs-utils (F23: two vulnerabilities), libass (F23: multiple vulnerabilities), libXfixes (F23: integer overflow), libXrandr (F23: insufficient validation), libXrender (F23: insufficient validation), libXtst (F23: insufficient validation), libXv (F23: insufficient validation), libXvMC (F23: insufficient validation), systemd (F23: denial of service), and tor (F23: denial of service).
Mageia has updated libtiff (two vulnerabilities).
Red Hat has updated java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), and java-1.8.0-ibm (RHEL6,7: multiple vulnerabilities).
SUSE has updated bind (SLE12-SP1,2; SLES12: denial of service), curl (SLE12-SP1; SSO1.3: multiple vulnerabilities), nodejs4 (SLEM12: multiple vulnerabilities), php7 (SLEM12: many vulnerabilities), and php7 (SLEM12: three vulnerabilities in libgd).
Ubuntu has updated bind9 (denial of service), dbus (denial of service from 2015), libgd2 (three vulnerabilities), mailman (two vulnerabilities), oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities), and python-django (two vulnerabilities).
Project for porting C to Rust gains Mozilla's backing (InfoWorld)
InfoWorld takes a look at a C-to-Rust translation project called Corrode. "What Corrode does not do (yet) is take constructs specific to C and rewrite them in memory-safe Rust equivalents. In other words, it performs the initial grunt work involved in porting a project from C to Rust, but it leaves the heavier lifting -- for example, using Rust's idioms and language features -- to the developer."
[$] A discussion on stable kernel workflow issues
The opening session at the 2016 Kernel Summit, led by Jiri Kosina, had to do with the process of creating stable kernel updates. There is, he said, a bit of a disconnect between what the various parties involved want, and that has led to trouble for the consumers of the stable kernel releases. Click below (subscribers only) for the first article from LWN's 2016 Kernel Summit coverage.
Minoca OS goes open source
Minoca OS has been released under the GNU GPLv3. "Minoca OS is a general purpose operating system written completely from the ground up. It's intended for devices looking to conserve power, memory, and storage. It aims to be lean, maintainable, modular, and compatible with existing software."
Stable kernel 4.4.30
Stable kernel 4.4.30 has been released. "This fixes a bug in 4.4.29 and older kernels by reverting two patches that should not have been applied."
Security updates for Tuesday
Arch Linux has updated libxml2 (two vulnerabilities) and memcached (three code execution vulnerabilities).
Debian-LTS has updated libxml2 (two vulnerabilities) and tar (file overwrite).
Fedora has updated tor (F24: denial of service).
Gentoo has updated openvpn (information disclosure) and unzip (multiple vulnerabilities from 2014).
Mageia has updated flash-player-plugin (code execution).
Red Hat has updated kernel (RHEL6.6; RHEL6.4; RHEL6.2: two vulnerabilities), mariadb55-mariadb (RHSCL: multiple vulnerabilities), and mysql55-mysql (RHSCL: multiple vulnerabilities).
Slackware has updated kernel (local privilege escalation (Dirty COW)), libX11 (multiple vulnerabilities), mariadb (multiple vulnerabilities), and php (multiple vulnerabilities).
SUSE has updated php5 (SLEMWS12: multiple vulnerabilities).
The (updated) history of Android (Ars Technica)
Ars Technica covers the history of Android from version 0.5 to 7.0 "Nougat". "One of the most interesting additions to Nougat is a revamp of the app framework to allow for resizable apps. This allowed Google to implement split screen on phones and tablets, picture-in-picture on Android TV, and a mysterious floating windowed mode. We've been able to access the floating window mode with some software trickery, but we've yet to see Google use it in an actual product. Is it being aimed at desktop computing?"
Two stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.8.6 and 4.4.29. Both of them contain important fixes throughout the tree.
Security advisories for Monday
CentOS has updated kernel (C5: two vulnerabilities).
Debian has updated ghostscript (regression in previous update).
Debian-LTS has updated bash (error in previous update), cairo (denial of service), ghostscript (regression in previous update), and qemu-kvm (multiple vulnerabilities).
Fedora has updated kdepim (F24: three vulnerabilities), kdepim-addons (F24: three vulnerabilities), kdepim-apps-libs (F24: three vulnerabilities), kdepim-runtime (F24: three vulnerabilities), kf5-akonadi-calendar (F24: three vulnerabilities), kf5-akonadi-contacts (F24: three vulnerabilities), kf5-akonadi-mime (F24: three vulnerabilities), kf5-akonadi-notes (F24: three vulnerabilities), kf5-akonadi-search (F24: three vulnerabilities), kf5-akonadi-server (F24: three vulnerabilities), kf5-calendarsupport (F24: three vulnerabilities), kf5-eventviews (F24: three vulnerabilities), kf5-gpgmepp (F24: three vulnerabilities), kf5-grantleetheme (F24: three vulnerabilities), kf5-incidenceeditor (F24: three vulnerabilities), kf5-kalarmcal (F24: three vulnerabilities), kf5-kblog (F24: three vulnerabilities), kf5-kcalendarcore (F24: three vulnerabilities), kf5-kcalendarutils (F24: three vulnerabilities), kf5-kcontacts (F24: three vulnerabilities), kf5-kdgantt2 (F24: three vulnerabilities), kf5-kholidays (F24: three vulnerabilities), kf5-kidentitymanagement (F24: three vulnerabilities), kf5-kimap (F24: three vulnerabilities), kf5-kldap (F24: three vulnerabilities), kf5-kmailtransport (F24: three vulnerabilities), kf5-kmbox (F24: three vulnerabilities), kf5-kmime (F24: three vulnerabilities), kf5-kontactinterface (F24: three vulnerabilities), kf5-kpimtextedit (F24: three vulnerabilities), kf5-ktnef (F24: three vulnerabilities), kf5-libgravatar (F24: three vulnerabilities), kf5-libkdepim (F24: three vulnerabilities), kf5-libkleo (F24: three vulnerabilities), kf5-libksieve (F24: three vulnerabilities), kf5-mailcommon (F24: three vulnerabilities), kf5-mailimporter (F24: three vulnerabilities), kf5-messagelib (F24: three vulnerabilities), kf5-pimcommon (F24: three vulnerabilities), kf5-syndication (F24: three vulnerabilities), kleopatra (F24: three vulnerabilities), and nodejs (F24: code execution).
Gentoo has updated adobe-flash (multiple vulnerabilities), chromium (many vulnerabilities), and wget (code execution).
openSUSE has updated flash-player (13.1: use-after-free), ImageMagick (13.2: multiple vulnerabilities), and libpng12 (13.2: read underflow).
Oracle has updated kernel (OL5: local privilege escalation (Dirty COW)).
Red Hat has updated kernel (RHEL5.9; RHEL5.6: local privilege escalation (Dirty COW)).
Scientific Linux has updated kernel (SL5: two vulnerabilities).
SUSE has updated gd (SLE12-SP1: three vulnerabilities) and php7 (SLE12-SP1: three vulnerabilities).
Kernel prepatch 4.9-rc3
The 4.9-rc3 prepatch is out. "It turns out that the bug that we thought was due to the new virtually mapped stacks during the rc2 release wasn't due to that at all, but a block request queuing race condition. So people who turned off the new feature weren't actually avoiding it at all." The new feature appears to be solid, but more testing is always welcome.
What comes after ‘iptables’? Its successor, of course: `nftables` (RH blog)
The Red Hat Developers Blog is running an introduction to the nftables packet filtering system. "nftables implements a set of instructions, called expressions, which can exchange data by storing or loading it in a number of registers. In other words, the nftables core can be seen as a virtual machine. Applications like the nftables front-end tool nft can use the expressions offered by the kernel to mimic the old iptables matches while gaining more flexibility."
Formatted kernel documentation at kernel.org
For the last couple of release cycles, the kernel's ongoing transition to the Sphinx documentation system has left kernel.org behind. Thanks to some work by Konstantin Ryabitsev, that situation has now been remedied, and kernel.org has the formatted documentation generated from the current -rc kernel. The DocBook-generated documents remain available for as long as DocBook stays in use. (For those interested in the linux-next version of the documentation, the version on LWN's server is usually up to date; it currently has the changes that are queued for 4.10.)
A change of lawyers at the FSF
The Free Software Foundation has announced that Eben Moglen has stepped down as the organization's general counsel; there is no word on who his replacement will be. "The FSF looks forward to working together in other capacities with Professor Moglen and SFLC on future projects to advance the free software movement and use of the GNU General Public License (GPL)."
Two new stable kernels
Greg Kroah-Hartman has released the 4.8.5 and 4.4.28 stable kernels. As usual, they contain fixes throughout the tree and users of those series should upgrade.
[$] Defending against Rowhammer in the kernel
The Rowhammer vulnerability affects hardware at the deepest levels. It has proved to be surprisingly exploitable on a number of different systems, leaving security-oriented developers at a loss. Since it is a hardware vulnerability, it would appear that solutions, too, must be placed in the hardware. Now, though, an interesting software-based mitigation mechanism is under discussion on the linux-kernel mailing list. The ultimate effectiveness of this defense is unproven, but it does show that there may be hope for a solution that doesn't require buying new computers.
Friday's security advisories
Debian has updated nginx (packaging problem in previous security update).
Debian-LTS has updated tre (code execution).
openSUSE has updated flash-player (13.2: code execution).
Red Hat has updated kernel (RHEL5: two vulnerabilities) and nodejs and nodejs-tough-cookie (RHOSE: two vulnerabilities).
SUSE has updated flash-player (SLE12: code execution).
Ubuntu has updated firefox (two vulnerabilities), nginx (16.10, 16.04, 14.04: packaging problem in previous security update), and thunderbird (multiple vulnerabilities).
Gregg: DTrace for Linux 2016
Brendan Gregg celebrates the capabilities of Linux kernel tracing with BPF. "With the final major capability for BPF tracing (timed sampling) merging in Linux 4.9-rc1, the Linux kernel now has raw capabilities similar to those provided by DTrace, the advanced tracer from Solaris. As a long time DTrace user and expert, this is an exciting milestone! On Linux, you can now analyze the performance of applications and the kernel using production-safe low-overhead custom tracing, with latency histograms, frequency counts, and more."
Thursday's security updates
Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).
Debian-LTS has updated bash (code execution), graphicsmagick (multiple vulnerabilities), libx11 (denial of service), libxi (code execution), and libxtst (code execution).
openSUSE has updated kernel (11.4: many vulnerabilities, one from 2013, many from 2015), ghostscript (13.2: multiple vulnerabilities, one from 2013), and sssd (42.1: access restriction bypass).
Red Hat has updated flash-plugin (RHEL6&5: code execution), kernel (RHEL6.5; RHEL7.1: privilege escalation), and openstack-manila-ui (RHOSP9.0; RHOSP8.0; RHOSP7.0: cross-site scripting).
[$] LWN.net Weekly Edition for October 27, 2016
The LWN.net Weekly Edition for October 27, 2016 is available.
The initial bus1 patch posting
The bus1 message-passing mechanism is the successor to the "kdbus" project; it was covered here in August. The patches have now been posted for review. "While bus1 emerged out of the kdbus project, bus1 was started from scratch and the concepts have little in common. In a nutshell, bus1 provides a capability-based IPC system, similar in nature to Android Binder, Cap'n Proto, and seL4."
Security advisories for Wednesday
CentOS has updated kernel (C6: privilege escalation).
Debian has updated asterisk (multiple vulnerabilities) and nginx (privilege escalation).
Debian-LTS has updated nspr (information disclosure), nss (information disclosure), potrace (multiple vulnerabilities), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities).
Fedora has updated perl-Image-Info (F24; F23: information disclosure).
Mageia has updated graphicsmagick (three vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), mpg123 (denial of service), and tor (denial of service).
openSUSE has updated GraphicsMagick (Leap42.1; 13.2: multiple vulnerabilities), guile (13.2: two vulnerabilities), guile1 (Leap42.1; 13.2: information disclosure), firefox (Leap42.1, 13.2: two vulnerabilities), qemu (Leap42.1: multiple vulnerabilities), quagga (Leap42.1: stack overrun), and kernel (13.2: multiple vulnerabilities).
Oracle has updated kernel (OL6: privilege escalation).
Red Hat has updated kernel (RHEL6; RHEL6.7: privilege escalation) and kernel-rt (RHEMRG2.5; RHEL7: two vulnerabilities).
Scientific Linux has updated kernel (SL6: privilege escalation).
Ubuntu has updated nginx (16.10, 16.04, 14.04: privilege escalation).
Flatpak 0.6.13
Flatpak 0.6.13 has been released. Major changes include a change in command line arguments for install/update/uninstall, application runtime dependencies are checked/downloaded, remote-add and install --from now support URIs, flatpak run can now launch a runtime directly, and more.
Tuesday's security updates
Arch Linux has updated linux-grsec (privilege escalation) and ocaml (information leak).
CentOS has updated kernel (C7: privilege escalation).
Debian has updated php5 (multiple vulnerabilities) and virtualbox (end of support).
Debian-LTS has updated ghostscript (multiple vulnerabilities).
Fedora has updated bind (F23: denial of service), bind99 (F23: denial of service), and libass (F24: three vulnerabilities).
Mageia has updated php (multiple vulnerabilities).
openSUSE has updated quagga (13.2: stack overrun) and virtualbox (13.2: multiple unspecified vulnerabilities).
Oracle has updated kernel (OL7: privilege escalation).
Red Hat has updated bind (RHEL6.2, 6.4, 6.5, 6.6, 6.7: denial of service).
Scientific Linux has updated kernel (SL7: privilege escalation).
SUSE has updated quagga (SLE12-SP1: stack overrun).
Ubuntu has updated linux-raspi2 (16.10: privilege escalation), mysql-5.5, mysql-5.7 (multiple unspecified vulnerabilities), and quagga (stack overrun).
[$] Dealing with automated SSH password-guessing
Just about everyone who runs a Unix server on the internet uses SSH for remote access, and almost everyone who does that will be familiar with the log footprints of automated password-guessing bots. Although decently-secure passwords do much to harden a server against such attacks, the costs of dealing with the continual stream of failed logins can be considerable. There are ways to mitigate these costs.
Valgrind-3.12.0 is available
Valgrind 3.12.0 has been released. "3.12.0 is a feature release with many improvements and the usual collection of bug fixes. This release adds support for POWER ISA 3.0, improves instruction set support on ARM32, ARM64 and MIPS, and provides support for the latest common components (kernel, gcc, glibc). There are many smaller refinements and new features. The release notes below give more details." There will be a Valgrind developer room at FOSDEM in Brussels, Belgium, on February 4, 2017. The call for participation is open until December 1.
Security advisories for Monday
Arch Linux has updated chromium (multiple vulnerabilities), kernel (privilege escalation), linux-lts (privilege escalation), python-django (cross-site request forgery), and python2-django (cross-site request forgery).
CentOS has updated bind (C6; C5: denial of service) and bind97 (C5: denial of service).
Debian has updated kdepimlibs (HTML injection).
Debian-LTS has updated kdepimlibs (HTML injection).
Fedora has updated guile (F23: two vulnerabilities), kernel (F24; F23: privilege escalation), php (F24; F23: multiple vulnerabilities), and php-pecl-zip (F24; F23: multiple vulnerabilities).
Mageia has updated 389-ds-base (information disclosure), c-ares (code execution), guile (two vulnerabilities), openjpeg (denial of service), and php-ZendFramework (SQL injection).
openSUSE has updated Chromium (Leap42.1, 13.2: multiple vulnerabilities), dbus-1 (Leap42.1: code execution), gd (13.2: denial of service), kdump (Leap42.1: denial of service), php5 (13.2: three vulnerabilities), kernel (Leap42.1; 13.1: multiple vulnerabilities), tor (Leap42.1, 13.2: denial of service), and X (Leap42.1: multiple vulnerabilities).
Oracle has updated bind (OL6; OL5: denial of service), bind97 (OL5: multiple vulnerabilities), kernel 4.1.12 (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), and kernel 2.6.39 (OL6; OL5: privilege escalation).
Red Hat has updated kernel (RHEL7: privilege escalation).
SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities), qemu (SLE12-SP1: multiple vulnerabilities), and kernel (SLE12-SP1; SLE12; SLE11-SP4; SLE11-SP3; SLE11-SP2: privilege escalation).
The Linux Foundation Technical Advisory Board election
The Linux Foundation's Technical Advisory Board provides the development community (primarily the kernel development community) with a voice in the Foundation's decision-making process. Among other things, the TAB chair holds a seat on the Foundation's board of directors. The next TAB election will be held on November 2 at the Kernel Summit in Santa Fe, NM; five TAB members (½ of the total) will be selected there. The nomination process is open until voting begins; anybody interested in serving on the TAB is encouraged to throw their hat into the ring.
Kernel prepatch 4.9-rc2
The second 4.9 prepatch is out for testing, and Linus is asking for people to test one feature in particular: "My favorite new feature that I called out in the rc1 announcement (the virtually mapped stacks) is possibly implicated in some crashes that Dave Jones has been trying to figure out, so if you want to be helpful and try to see if you can give more data, please make sure to enable CONFIG_VMAP_STACK."
More stable kernel updates
The 4.8.4, 4.7.10, and 4.4.27 stable updates are out. These would appear to contain the usual fixes. Note that 4.7.10 is the end of the line for the 4.7.x series.
[$] Dirty COW and clean commit messages
We live in an era of celebrity vulnerabilities; at the moment, an unpleasant kernel bug called "Dirty COW" (or CVE-2016-5195) is taking its turn on the runway. This one is more disconcerting than many due to its omnipresence and the ease with which it can be exploited. But there is also some unhappiness in the wider community about how this vulnerability has been handled by the kernel development community. It may well be time for the kernel project to rethink its approach to serious security problems.
Friday's security updates
Debian-LTS has updated bind9 (denial of service).
Fedora has updated libgit2 (F23: two vulnerabilities).
Mageia has updated kernel (three vulnerabilities), libtiff (multiple vulnerabilities, two from 2015), and openslp (code execution).
openSUSE has updated dbus-1 (13.2: code execution), ghostscript-library (42.1: three vulnerabilities, one from 2013), roundcubemail (42.1: two vulnerabilities), and squidGuard (42.1: cross-site scripting from 2015).
Red Hat has updated bind (RHEL6&5: denial of service) and bind97 (RHEL5: denial of service).
Scientific Linux has updated bind (SL6&5: denial of service) and bind97 (SL5: denial of service).
Ubuntu has updated bind9 (12.04: denial of service).
Ranking the Web With Radical Transparency (Linux.com)
Linux.com interviews Sylvain Zimmer, founder of the Common Search project, which is an effort to create an open web search engine. "Being transparent means that you can actually understand why our top search result came first, and why the second had a lower ranking. This is why people will be able to trust us and be sure we aren't manipulating results. However for this to work, it needs to apply not only to the results themselves but to the whole organization. This is what we mean by 'radical transparency.' Being a nonprofit doesn't automatically clear us of any ulterior motives, we need to go much further. As a community, we will be able to work on the ranking algorithm collaboratively and in the open, because the code is open source and the data is publicly available. We think that this means the trust in the fairness of the results will actually grow with the size of the community."
More information about Dirty COW (aka CVE-2016-5195)
The security hole fixed in the stable kernels released today has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.
Security advisories for Thursday
CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).
Debian has updated kernel (multiple vulnerabilities, one from 2015).
Debian-LTS has updated kernel (multiple vulnerabilities, one from 2015) and libxvmc (code execution).
Fedora has updated glibc-arm-linux-gnu (F23: denial of service) and perl-DBD-MySQL (F23: denial of service).
Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).
Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), and java-1.8.0-oracle (RHEL7&6: multiple vulnerabilities).
Scientific Linux has updated java-1.8.0-openjdk (SL7&6: multiple vulnerabilities).
SUSE has updated quagga (SLE11: code execution).
Ubuntu has updated kernel (12.04; 14.04; 16.04; 16.10: privilege escalation), linux-lts-trusty (12.04: privilege escalation), linux-lts-xenial (14.04: privilege escalation), linux-raspi2 (16.04: privilege escalation), linux-snapdragon (16.04: privilege escalation), and linux-ti-omap4 (12.04: privilege escalation).
An important set of stable kernel updates
The 4.8.3, 4.7.9, and 4.4.26 stable kernel updates have been released. There's nothing in the announcements to indicate this, but they all contain a fix for CVE-2016-5195, a bug that can allow local attackers to overwrite files they should not have write access to. So the "all users must upgrade" message seems more than usually applicable this time around.
[$] LWN.net Weekly Edition for October 20, 2016
The LWN.net Weekly Edition for October 20, 2016 is available.
Security advisories for Wednesday
Debian has updated quagga (stack overrun) and tor (denial of service).
Debian-LTS has updated dwarfutils (multiple vulnerabilities), guile-2.0 (two vulnerabilities), libass (two vulnerabilities), libgd2 (two vulnerabilities), libxv (insufficient validation), and tor (denial of service).
Fedora has updated epiphany (F24: unspecified), ghostscript (F24; F23: multiple vulnerabilities), glibc-arm-linux-gnu (F24: denial of service), guile (F24: two vulnerabilities), libgit2 (F24: two vulnerabilities), openssh (F23: null pointer dereference), qemu (F24: multiple vulnerabilities), and webkitgtk4 (F24: unspecified).
Mageia has updated asterisk (denial of service), flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mailman (password disclosure).
Red Hat has updated java-1.8.0-openjdk (RHEL6, 7: multiple vulnerabilities), kernel (RHEL6.7: use-after-free), and mariadb-galera (RHOSP8: SQL injection/privilege escalation).