Canonical has announced the availability of a live kernel patch service for the 16.04 LTS release. "It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads." Up to three systems can be patched for free; the service requires a fee thereafter. There is a long FAQ about the service in this blog post; it appears to be based on the mainline live-patching functionality with some Canonical add-ons.
Sebastian Kügler reports on KDE's Plasma team meeting. "We took this opportunity to also look and plan ahead a bit further into the future. In what areas are we lacking, where do we want or need to improve? Where do we want to take Plasma in the next two years?" Specific topics include release schedule changes, UI and theming improvements, feature backlog, Wayland, mobile, and more. (Thanks to Paul Wise)
Debian-LTS has updated libarchive (three vulnerabilities), libxrandr (insufficient validation), libxrender (insufficient validation), and quagga (stack overrun). openSUSE has updated ffmpeg (Leap42.1; SPH for SLE12: multiple vulnerabilities) and kcoreaddons (Leap42.1, 13.2; SPH for SLE12: HTML injection). Red Hat has updated atomic-openshift (RHOSCP: authentication bypass), kernel (RHEL6.5: privilege escalation), and openssl (RHEL6.7: multiple vulnerabilities).
The mainline kernel has support for a wide range of hardware. One place where support has traditionally been lacking, though, is graphics adapters. As a result, a great many people are still using proprietary, out-of-tree GPU drivers. Daniel Vetter went before the crowd at Kernel Recipes 2016 to say that the situation is not as bad as some think; indeed, he said, in this area as well as others, world domination is proceeding according to plan.
Over on the Red Hat Enterprise Linux Blog, Dan Walsh writes about using Linux capabilities to help secure Docker containers. "Let’s look at the default list of capabilities available to privileged processes in a docker container: chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap. In the OCI/runc spec they are even more drastic only retaining, audit_write, kill, and net_bind_service and users can use ocitools to add additional capabilities. As you can imagine, I like the approach of adding capabilities you need rather than having to remember to remove capabilities you don’t." He then goes through the capabilities listed describing what they govern and when they might need to be turned on for a container application.
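As an added example (not code from Dan Walsh's post), the following decodes a process's effective capability mask, the CapEff line of /proc/<pid>/status, and compares it with the default Docker and OCI/runc sets quoted above, so that anything granted beyond the baseline stands out. The status excerpt is constructed; the capability bit numbers are those of the Linux uapi header.

```python
# Added example: decode a CapEff mask and diff it against the default
# Docker / OCI capability sets listed in the post. Sample input is constructed.
import re

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# The two baselines quoted in the post.
DOCKER_DEFAULT = {
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "net_bind_service", "net_raw", "sys_chroot", "mknod",
    "audit_write", "setfcap",
}
OCI_DEFAULT = {"audit_write", "kill", "net_bind_service"}


def decode_caps(mask_hex):
    """Turn a hex capability mask (as printed in /proc) into a set of names."""
    mask = int(mask_hex, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Bits newer than this table are reported by number, not dropped.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def cap_eff_from_status(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return decode_caps(m.group(1))


def extra_caps(caps, baseline=DOCKER_DEFAULT):
    """Capabilities present in caps but not in the chosen baseline, sorted."""
    return sorted(caps - baseline)


# Constructed /proc/<pid>/status excerpt for a process in a default container;
# 00000000a80425fb is the mask that corresponds to Docker's default list.
SAMPLE_STATUS = "Name:\tnginx\nCapInh:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    caps = cap_eff_from_status(SAMPLE_STATUS)
    print("effective:", sorted(caps))
    print("beyond Docker default:", extra_caps(caps))
    print("beyond OCI default:", extra_caps(caps, OCI_DEFAULT))
```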
Arch Linux has updated guile (two vulnerabilities). Debian has updated libgd2 (denial of service). Debian-LTS has updated icedove (multiple vulnerabilities), libarchive (file overwrite), libdbd-mysql-perl (denial of service), and mpg123 (denial of service). Fedora has updated chromium (F24: multiple vulnerabilities). Gentoo has updated oracle-jdk-bin (multiple vulnerabilities). openSUSE has updated thunderbird (13.1: multiple vulnerabilities) and tiff (13.1: denial of service). Oracle has updated openssl (OL5: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Linus has released 4.9-rc1 and closed the merge window for this release one day earlier than some might have expected. "My own favorite 'small detail under the hood' happens to be Andy Lutomirski's new virtually mapped kernel stack allocations. They make it easier to find and recover from stack overflows, but the effort also cleaned up some code, and added a kernel stack mapping cache to avoid any performance downsides." The virtually mapped kernel stack work was covered here in June. There were 14,308 non-merge changesets pulled for this release, meaning that 4.9 will be, by far, the busiest development cycle ever.
Opensource.com celebrates World Standards Day on October 14. "Whether in the world of software, where without standards we would have been unable to connect the world through the Internet and the World Wide Web, or the physical world, where standards make nearly everything you buy easier, more useful, and safer, the world would be a difficult place to navigate without standards. And critical to the usefulness of standards is making them available to all in an accessible, free format, unencumbered by legal or other hurdles."
The PostgreSQL project released version 9.6 on September 29th. This new major release has an assortment of new goodies for PostgreSQL fans, including parallel query and phrase search, new options for synchronous replication, remote query execution using foreign data wrappers, "crosstab" data transformations in psql, and more. Together with version 9.6, the community released a completely rewritten version of the pgAdmin database graphical interface. We'll explore multiple synchronous replicas, foreign data wrapper changes, crosstabs and the new pgAdmin here.
Arch Linux has updated gdk-pixbuf2 (denial of service). Debian has updated freeimage (two vulnerabilities). Debian-LTS has updated libxfixes (integer overflow). Fedora has updated dbus (F24: code execution) and xen (F24; F23: three vulnerabilities). openSUSE has updated compat-openssl098 (Leap42.1: multiple vulnerabilities), derby (13.2: information leak), libreoffice (Leap42.1: code execution), php5 (Leap42.1: multiple vulnerabilities), go1.4 (SPH for SLE12: denial of service), systemd (Leap42.1: denial of service), and unzip (13.2: two vulnerabilities). Oracle has updated kernel 4.1.12 (OL7; OL6: stack corruption). Red Hat has updated mariadb-galera (RHOSP9; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: SQL injection/privilege escalation). SUSE has updated xen (SLE12; SLES11-SP2: multiple vulnerabilities). Ubuntu has updated linux-ti-omap4 (12.04: three vulnerabilities).
KDE.news notes the 20th anniversary of the KDE project. "In the 20 years since then so much has happened. We released great software, fought for software freedom and empowered people all over the world to take charge of their digital life. In many ways we have achieved what we set out to do 20 years ago - 'a consistent, nice looking free desktop-environment' and more." For those feeling nostalgic, there is a new version of the KDE 1.1.2 desktop ported to contemporary systems.
Christopher Allan Webber looks at a security vulnerability in Guile. Guile applications are generally not vulnerable, but arbitrary scheme code may be used to attack the systems of Guile developers. "There is also a lesson here that applies beyond Guile: the presumption that "localhost" is only accessible by local users can't be guaranteed by modern operating system environments. If you are looking to provide local-execution-only, we recommend using unix domain sockets or named pipes. Don't rely on localhost plus some port."
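The advice above, as an added example that is not part of the Guile article: a "local users only" service built on a unix domain socket, where access is governed by the socket file's permissions and by checking the connecting peer's uid with SO_PEERCRED (assumed Linux), instead of trusting that 127.0.0.1 plus a port is reachable only by local users. The server, client and demo harness are all constructed for this illustration.

```python
# Added example: local-only service over a unix domain socket with a
# SO_PEERCRED uid check (Linux-specific), rather than "localhost + port".
import os
import socket
import struct
import tempfile
import threading


def peer_uid(conn):
    """Return the uid of the process at the other end of a unix socket."""
    # SO_PEERCRED fills struct ucred { pid_t pid; uid_t uid; gid_t gid; }.
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def serve_one(path, allowed_uid, ready):
    """Accept a single client and answer b"ok" or b"denied" by peer uid."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)          # socket node is created mode 0600
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    ready.set()                          # clients may connect from here on
    conn, _ = srv.accept()
    with conn:
        verdict = b"ok" if peer_uid(conn) == allowed_uid else b"denied"
        conn.sendall(verdict)
    srv.close()
    return verdict


def local_request(path):
    """Client side: connect through the filesystem path and read the answer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        return cli.recv(16)


def demo(allow_self=True):
    """Run server and client in one process; returns (server verdict, reply).

    allow_self=False whitelists a uid that is not ours, which stands in for
    a connection from some other local account; the check must reject it.
    """
    allowed = os.getuid() if allow_self else os.getuid() + 1
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "svc.sock")
        ready = threading.Event()
        result = {}
        t = threading.Thread(
            target=lambda: result.update(verdict=serve_one(path, allowed, ready)))
        t.start()
        if not ready.wait(5):
            raise RuntimeError("server did not start")
        reply = local_request(path)
        t.join(5)
    return result["verdict"], reply


if __name__ == "__main__":
    print(demo(), demo(allow_self=False))   # (b'ok', b'ok') (b'denied', b'denied')
```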
Ubuntu 16.10 (Yakkety Yak) has been released. "Under the hood, there have been updates to many core packages, including a new 4.8-based kernel, a switch to gcc-6, and much more." The flavors Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu have also been released. Ubuntu 16.10 will be supported for 9 months.
The long-awaited OpenOffice 4.1.3 release is out. "Apache OpenOffice 4.1.3 is a maintenance release incorporating important bug fixes, security fixes, updated dictionaries, and build fixes. All users of Apache OpenOffice 4.1.2 or earlier are advised to upgrade."
Peter Hutterer gave an update on the input stack at the 2016 X.Org Developers Conference (XDC). A lot has been accomplished, but there is, naturally, more to do—especially as more and more quirky (or buggy) input hardware is released. But, overall, Hutterer painted a picture of a mature subsystem that is largely feature-complete at this point.
The Google Open Source Programs Office has announced Google Code-in 2016 and Google Summer of Code 2017. Google Code-in is for students from 13-17 years of age who would like to explore open source. "Students will find opportunities to learn and get hands on experience with tasks from a range of categories. This structure allows students to stretch themselves as they take on increasingly more challenging tasks." Students will begin on November 28. Student applications for Google Summer of Code (GSoC) open on March 20, 2017. Applications for interested open source organizations open on January 19. GSoC "provides university students from around the world with an opportunity to take their skills and hone them by contributing to open source projects during their summer break from university."
The Free Software Foundation and the GNU Project are asking for nominations for the 19th annual Free Software Awards. The Award for the Advancement of Free Software will be presented to "an individual who has made a great contribution to the progress and development of free software, through activities that accord with the spirit of free software" and the Award for Projects of Social Benefit will be presented to "the project or team responsible for applying free software, or the ideas of the free software movement, in a project that intentionally and significantly benefits society in other aspects of life." The deadline for nominations is November 6.
FreeBSD 11.0 has been released. This version features new architecture support, performance improvements, toolchain enhancements, and support for contemporary wireless chipsets. See the release notes for more information.
Fortune covers a ruling [PDF] by the U.S. Court of Appeals for the Federal Circuit that invalidates three patents asserted against anti-virus companies Symantec and Trend Micro. "The most important part of the decision, which has created a stir among the patent bar, is a concurrence by Circuit Judge Haldane Mayer. In striking down a key claim from U.S. Patent 5987610, which claims a monopoly on using anti-virus tools within a phone network, Mayer says it is time to acknowledge that a famous Supreme Court 2014 decision known as “Alice” basically ended software patents altogether."
The Debian project can be accused of many things, but jumping too quickly on leading-edge technology is not one of them. That can be seen in, among other things, the fact that there is still not a version of the distribution that supports the UEFI secure boot mechanism. But, as Ben Hutchings explained during his 2016 Kernel Recipes talk, such support is in the works, and it will be implemented in a uniquely Debian-like manner.
Version 7.12 of the GDB debugger is out. The biggest changes this time around appear to be support for the Andes NDS32 architecture and the ability to debug programs written in the Rust language.
Rich Salz and Tim Hudson started off their LinuxCon Europe 2016 talk by stating that April 3, 2014 shall forever be known as the "re-key the Internet date." That, of course, was the day that the Heartbleed vulnerability in the OpenSSL library was disclosed. A lot has happened with OpenSSL since that day, to the point that, Salz said, this should be the last talk he gives that ever mentions that particular vulnerability. In the last two years, the project has recovered from Heartbleed and is now more vital than ever before.
On the GTK+ Development Blog, Emmanuele Bassi looks at some statistics on the development of GTK+ 3.22 and GLib contributions during the same cycle (that resulted in GLib 2.50.0). He looks at which developers contributed the most change sets and changed lines of code, as well as how many change sets and hackers there are for each component by company affiliation. "During the 3.22 development cycle, GLib saw a total of 14119 lines added, 2031 removed, for a net gain of 12088 lines [...] GTK+, instead, saw a total of 46581 lines added, 19163 removed, for a net gain of 27418 lines". Those numbers do not include the translation work that was done for 3.22.
Debian has updated nspr (code execution) and nss (multiple vulnerabilities, some from 2015). Debian-LTS has updated bind9 (two denial of service flaws), freeimage (code execution), and zendframework (SQL injection). Fedora has updated c-ares (F24: code execution). openSUSE has updated ffmpeg (42.1: not well specified), postgresql94 (42.1: two vulnerabilities), and python-Jinja2 (13.2: privilege escalation from 2014). Scientific Linux has updated kernel (SL6: two vulnerabilities). SUSE has updated openssl (SLE11: multiple vulnerabilities), php53 (SLE11SP4; SLE11SP2: multiple vulnerabilities), and php7 (SLE12: multiple vulnerabilities). Ubuntu has updated ntp (16.04, 14.04, 12.04: multiple vulnerabilities, many from 2015).
There's a new release of FontForge available. "This release introduces a new icon set, new functionality for custom icon selection graphics, support for GlyphOrderAndAliasDB files, and support for Unicode 9.0."
CentOS has updated kernel (C6: two vulnerabilities). Debian has updated icedove (multiple vulnerabilities) and libav (multiple vulnerabilities). Debian-LTS has updated libav (multiple vulnerabilities). Fedora has updated gd (F23: denial of service) and links (F24; F23: anonymity leak). openSUSE has updated flex, at, libbonobo, netpbm, openslp, sgmltool, virtuoso (Leap42.1: buffer overflow), mariadb (Leap42.1: SQL injection/privilege escalation), and php5 (Leap42.1: multiple vulnerabilities). Oracle has updated kernel (OL6: three vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL6: two vulnerabilities). Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities). Ubuntu has updated php5, php7.0 (multiple vulnerabilities).
The Mozilla Open Source Support (MOSS) program has awarded $300,000 to four projects this quarter. "On the Foundational Technology track, we awarded $100,000 to Redash, a tool for building visualizations of data for better decision-making within organizations, and $50,000 to Review Board, software for doing web-based source code review. Both of these pieces of software are in heavy use at Mozilla. We also awarded $100,000 to Kea, the successor to the venerable ISC DHCP codebase, which deals with allocation of IP addresses on a network. Mozilla uses ISC DHCP, which makes funding its replacement a natural move even though we haven’t deployed it yet. On the Mission Partners track, we awarded $56,000 to Speech Rule Engine, a code library which converts mathematical markup into vocalised form (speech) for the sight-impaired, allowing them to fully appreciate mathematical and scientific content on the web." (Thanks to Paul Wise)
KDE has released Plasma 5.8. "This marks the point where the developers and designers are happy to recommend Plasma for the widest possible audience be they enterprise or non-techy home users. If you tried a KDE desktop previously and have moved away, now is the time to re-assess, Plasma is simple by default, powerful when needed." Plasma 5.8 is KDE's first Long Term Support release. The changelog has the details.
The Mageia project remembers Thomas Spuhler who died in September. "Thomas had been contributing to Mageia, and Mandriva before that, since 2009 as a packager, and much earlier already partaking in email discussions and bug reports. His packaging interests were mostly web and server-related components, for which his contributions were invaluable. He had to step back from his Mageia responsibilities in early August due to his health condition."
Arch Linux has updated hostapd (two vulnerabilities) and systemd (denial of service). CentOS has updated thunderbird (C7; C6; C5: code execution). Debian has updated libdbd-mysql-perl (denial of service). Fedora has updated bind99 (F24: denial of service), mariadb (F23: SQL injection/privilege escalation), and mongodb (F23: information disclosure). Mageia has updated bind (denial of service), chromium-browser-stable (multiple vulnerabilities), freerdp (denial of service), libcryptopp (information disclosure), and python-django (cross-site request forgery). openSUSE has updated chromium (Leap42.1, 13.2; SPH for SLE12: multiple vulnerabilities), glibc (13.2: denial of service), and php5 (13.2: multiple vulnerabilities). Oracle has updated thunderbird (OL7; OL6: code execution). Red Hat has updated thunderbird (RHEL5,6,7: code execution). SUSE has updated firefox (SLE12-SP1; SLE11-SP2: multiple vulnerabilities).
The schism between two Arduino companies (that we covered in March 2015) has apparently been settled. The poster child for the open hardware movement is now under one company "Arduino Holding" and a new not-for-profit Arduino Foundation has been started. "Massimo Banzi, Co-Founder of Arduino LLC, commented, 'Today is one of the best days in Arduino history. This allows us to start a new course for Arduino made of constructive dialogue and disruptive innovation in the education, Makers and IoT fields. The Arduino Foundation will allow us to champion the core values of the Arduino Community within the open-source ecosystem and to make our commitment to open-source stronger than ever. This is really a new beginning for Arduino!'" (Thanks to Paul Wise.)
Linus Torvalds has announced the availability of the 4.8 kernel: "So the last week was really quiet, which maybe means that I could probably just have skipped rc8 after all. Oh well, no real harm done." Some of the headline changes in this release include support for transparent huge pages in the tmpfs filesystem, a new formatted documentation subsystem and a number of documentation changes to match, a new timeout subsystem that should address the latency problems experienced by its predecessor, continued work on the express data path for high-performance network routing, build-system improvements allowing the use of GCC plugins, the hardened usercopy security work, and much more. The KernelNewbies 4.8 page is still under construction as of this writing, but should contain lots of details in the near future.
In a world full of fancy development tools and sites, the kernel project's dependence on email and mailing lists can seem quaintly dated, if not positively prehistoric. But, as Greg Kroah-Hartman pointed out in a Kernel Recipes talk titled "Patches carved into stone tablets", there are some good reasons for the kernel community's choices. Rather than being a holdover from an older era, email remains the best way to manage a project as large as the kernel.
Over at the Sandstorm Blog, project founder Kenton Varda relates a debugging war story. Sandstorm web servers would mysteriously peg the CPU around once a week, slowing request processing to a crawl, seemingly at random. "Obviously, we needed to take a CPU profile while the bug was in progress. Of course, the bug only reproduced in production, therefore we’d have to take our profile in production. This ruled out any profiling technology that would harm performance at other times – so, no instrumented binaries. We’d need a sampling profiler that could run on an existing process on-demand. And it would have to understand both C++ and V8 Javascript. (This last requirement ruled out my personal favorite profiler, pprof from google-perftools.) Luckily, it turns out there is a correct modern answer: Linux’s “perf” tool. This is a sampling profiler that relies on Linux kernel APIs, thus not requiring loading any code into the target binary at all, at least for C/C++. And for Javascript, it turns out V8 has built-in support for generating a “perf map”, which tells the tool how to map JITed code locations back to Javascript source: just pass the --perf_basic_prof_only_functions flag on the Node command-line. This flag is safe in production – it writes some data to disk over time, but we rebuild all our VMs weekly, so the files never get large enough to be a problem."
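As an added example, not code from the Sandstorm post, here is a small resolver for the perf map files that V8 writes when started with --perf_basic_prof_only_functions: each line is "START SIZE symbol" with START and SIZE in hex, and perf uses these ranges to attribute sampled JIT addresses to JavaScript functions. The map lines and the sampled addresses below are constructed; the lookup shows how an optimized re-emission of a function replaces the earlier entry and how samples outside any range stay unattributed.

```python
# Added example: parse a V8 perf map ("START SIZE symbol" per line, hex
# fields) and attribute sampled addresses to JIT functions. Data is constructed.
import bisect

SAMPLE_MAP = """\
7f2a00001000 40 LazyCompile:~handleRequest /srv/app/server.js:42:5
7f2a00001040 20 LazyCompile:~parseHeaders /srv/app/http.js:10:3
7f2a00002000 100 Builtin:ArrayPush
7f2a00001040 30 LazyCompile:*parseHeaders /srv/app/http.js:10:3
"""

# Constructed "sampled instruction pointers", as perf would collect them.
SAMPLES = [0x7f2a00001008, 0x7f2a00001050, 0x7f2a00001065,
           0x7f2a00002080, 0x7f2a00009000]


def parse_perf_map(text):
    """Parse map text into a list of (start, size, symbol) sorted by start.

    V8 appends a new line when it re-emits a function (e.g. after
    optimization); this example keeps the last definition for a start address.
    """
    by_start = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 2)          # the symbol itself may contain spaces
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'START SIZE symbol'")
        start, size = int(parts[0], 16), int(parts[1], 16)
        if size == 0:
            continue                          # empty range: nothing to attribute
        by_start[start] = (start, size, parts[2])
    return sorted(by_start.values())


def resolve(entries, addr):
    """Return the symbol whose [start, start+size) contains addr, else None."""
    starts = [e[0] for e in entries]
    i = bisect.bisect_right(starts, addr) - 1
    if i >= 0:
        start, size, name = entries[i]
        if start <= addr < start + size:
            return name
    return None


def summarize(entries, samples):
    """Count samples per symbol, most frequent first; unresolved -> [unknown]."""
    counts = {}
    for addr in samples:
        name = resolve(entries, addr) or "[unknown]"
        counts[name] = counts.get(name, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def load_sample():
    return parse_perf_map(SAMPLE_MAP)


if __name__ == "__main__":
    for name, n in summarize(load_sample(), SAMPLES):
        print(f"{n:4d}  {name}")
```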
Arch Linux has updated c-ares (code execution) and wordpress (multiple vulnerabilities). CentOS has updated python-twisted-web (C7; C6: HTTP proxy redirect). Debian has updated wordpress (multiple vulnerabilities). Debian-LTS has updated chicken (two vulnerabilities), firefox-esr (regression in previous security update), icedove (multiple vulnerabilities), and ruby-activesupport-3.2 (access restriction bypass). Fedora has updated curl (F23: code execution) and php-adodb (F24; F23: SQL injection). openSUSE has updated libgcrypt (42.1: flawed random number generation), openjpeg (42.1: denial of service), and postgresql93 (13.2: two vulnerabilities). Oracle has updated python-twisted-web (OL7; OL6: HTTP proxy redirect). Red Hat has updated python-twisted-web (RHEL7&6: HTTP proxy redirect). SUSE has updated pidgin (SLE11: multiple vulnerabilities) and postgresql94 (SLE11: two vulnerabilities).
CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), kvm (C5: two vulnerabilities), and openssl (C7; C6: multiple vulnerabilities). Fedora has updated vfrnav (F24: unspecified). Oracle has updated bind (OL7; OL6; OL5: denial of service) and bind97 (OL5: denial of service). Scientific Linux has updated bind (denial of service), bind97 (SL5: denial of service), kvm (SL5: two vulnerabilities), and openssl (SL7&6: multiple vulnerabilities). SUSE has updated postgresql93 (SLE12: two vulnerabilities) and postgresql94 (SLE12: two vulnerabilities). Ubuntu has updated clamav (16.04, 14.04, 12.04: three code execution flaws), samba (16.04, 14.04: crypto downgrade), and systemd (16.04: denial of service).
Version 3.2 of the Qubes OS distribution is available. "This is an incremental improvement over the 3.1 version that we released earlier this year. A lot of work went into making this release more polished, more stable and easier to use than our previous releases." Changes include a new management infrastructure, the ability to assign individual USB devices to virtual machines and a switch to the Xfce4 desktop. See the release notes for details.
The PostgreSQL 9.6 release is available. "This release will allow users to both scale up and scale out high performance database workloads. New features include parallel query, synchronous replication improvements, phrase search, and improvements to performance and usability, as well as many more features." See the announcement text and the release notes for more information.