Python applications, like those written in other languages, often need to obtain random data for purposes ranging from cryptographic key generation to initialization of scientific models. For years, the standard way of getting that data has been via a call to os.urandom(), which is documented to "return a string of n random bytes suitable for cryptographic use." An enhancement in Python 3.5 caused a subtle change in how os.urandom() behaves on Linux systems, leading to some long, heated discussions about how randomness should be obtained in Python programs. When the dust settles, Python benevolent dictator for life (BDFL) Guido van Rossum will have the unenviable task of choosing between two competing proposals.
On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox. "Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system. Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t. Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access. Regardless which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system. The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox."
Debian-LTS has updated clamav (update to 0.99.2), icu (three vulnerabilities, two from 2015), and tcpreplay (denial of service). openSUSE has updated php5 (13.2: multiple vulnerabilities, one from 2015). Slackware has updated samba (crypto downgrade).
Ars Technica reports on the "HummingBad" malware that has infected millions of Android devices: "Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android." The article is based on a report [PDF] from Check Point, though the article notes that "researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices".
Debian has updated horizon (two vulnerabilities, one from 2015). openSUSE has updated ImageMagick (13.2: many vulnerabilities, lots from 2014 and 2015) and qemu (42.1: many vulnerabilities, lots from 2015). Scientific Linux has updated ocaml (SL7: information leak from 2015). Ubuntu has updated tomcat8 (16.04: denial of service). In addition, Ubuntu has announced the end of life for 15.10 on July 28 and the end of life for 14.04.x hardware-enablement (HWE) stacks on August 4.
The Debian Edu team has announced Debian Edu 8+edu0 "Jessie", the latest Debian Edu / Skolelinux release. Debian Edu, also known as Skolelinux, provides a complete solution for schools. Debian Edu 8 is based on Debian 8 "Jessie", update 8.5. "Do you have to administrate a computer lab or a whole school network? Would you like to install servers, workstations and laptops which will then work together? Do you want the stability of Debian with network services already preconfigured? Do you wish to have a web-based tool to manage systems and several hundred or even more user accounts? Have you asked yourself if and how older computers could be used? Then Debian Edu is for you. The teachers themselves or their technical support can roll out a complete multi-user multi-machine study environment within a few days. Debian Edu comes with hundreds of applications pre-installed, but you can always add more packages from Debian."
The digiKam team has announced the release of digiKam Software Collection 5.0.0. "This release marks almost complete port of the application to Qt5. All Qt4/KDE4 code has been removed and many parts have been re-written, reviewed, and tested. Porting to Qt5 required a lot of work, as many important APIs had to be changed or replaced by new ones. In addition to code porting, we introduced several changes and optimizations, especially regarding dependencies on the KDE project. Although digiKam is still a KDE desktop application, it now uses many Qt dependencies instead of KDE dependencies. This simplifies the porting job on other operating systems, code maintenance, while reducing the sensitivity of API changes from KDE project."
Those who are anxiously awaiting this week's edition later today (or tomorrow, depending on time zone) will have to wait another day. The US Independence Day holiday fell on Monday, so LWN staff took that day off for barbecues, fireworks, and other festivities. That means the edition will go out sometime in the early morning hours UTC on Friday, July 8. For those who celebrated the holiday, we hope you had a great one; for those who didn't, we certainly hope you had a great day too! We will be back on our normal schedule next week.
The last time LWN looked at formatted kernel documentation in January, it seemed like the merging of AsciiDoc support for the kernel's structured source-code documentation ("kernel-doc") comments was imminent. As Jonathan Corbet, in the capacity of the kernel documentation maintainer, wrote: "A good-enough solution that exists now should not be held up overly long in the hopes that vague ideas for something else might turn into real, working code." Sometimes, however, the threat that something not quite perfect might be merged is enough to motivate people to turn those vague ideas into something real. The full story is by guest author (and the developer behind most of the Sphinx work) Jani Nikula.
KDE Plasma 5.7 has been released. This release features the return of the agenda view in the calendar, improvements to the Volume Control applet that allow volume control on a per-application basis, improved Wayland support, and more. "This release brings Plasma closer to the new windowing system Wayland. Wayland is the successor of the decades-old X11 windowing system and brings many improvements, especially when it comes to tear-free and flicker-free rendering as well as security. The development of Plasma 5.7 for Wayland focused on quality in the Wayland compositor KWin. Over 5,000 lines of auto tests were added to KWin and another 5,000 lines were added to KWayland which is now released as part of KDE Frameworks 5."
The 4.7-rc6 kernel prepatch is out, right on schedule. "I'd love to tell you that things are calming down, and we're shrinking, but that would be a lie. It's not like this is a huge rc, but it's definitely bigger than the previous rc's were. I don't think that's necessarily a big problem, it seems to be mostly timing."
The Slackware Linux Project has announced the release of Slackware version 14.2. "Slackware 14.2 brings many updates and enhancements, among which you'll find two of the most advanced desktop environments available today: Xfce 4.12.1, a fast and lightweight but visually appealing and easy to use desktop environment, and KDE 4.14.21 (KDE 4.14.3 with kdelibs-4.14.21) a stable release of the 4.14.x series of the award-winning KDE desktop environment. These desktops utilize eudev, udisks, and udisks2, and many of the specifications from freedesktop.org which allow the system administrator to grant use of various hardware devices according to users' group membership so that they will be able to use items such as USB flash sticks, USB cameras that appear like USB storage, portable hard drives, CD and DVD media, MP3 players, and more, all without requiring sudo, the mount or umount command. Just plug and play. Slackware's desktop should be suitable for any level of Linux experience." See the release notes for more details.
Rails 5.0 has been released. The announcement highlights two new features, the ActionCable framework for handling WebSockets and an "API mode" for interfacing with client-side JavaScript. Development of the latter feature is ongoing; progress can be tracked in the JSONAPI::Resources repository. There are quite a few other new features to be found in the update as well; the release announcement provides links to detailed ChangeLogs for various subprojects.
Linux Mint 18 has been released with Cinnamon and MATE editions. "Linux Mint 18 is a long term support release which will be supported until 2021. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use." The MATE edition has MATE 1.14 along with many other updates listed on the What's New page. The Cinnamon edition has Cinnamon 3.0 (which we recently reviewed) and lots of other new packages described on its What's New page. The release notes pages (MATE, Cinnamon) also have important information on the releases.
The "Bits Please" blog has a detailed description of how one breaks full-disk encryption on an Android phone. Included therein is a lot of information on how full-disk encryption works on Android devices and its inherent limitations. "Instead of creating a scheme which directly uses the hardware key without ever divulging it to software or firmware, the code above performs the encryption and validation of the key blobs using keys which are directly available to the TrustZone software! Note that the keys are also constant - they are directly derived from the SHK (which is fused into the hardware) and from two 'hard-coded' strings. Let's take a moment to explore some of the implications of this finding."
CoreOS has announced the availability of version 3.0 of the etcd distributed key-value store. "etcd 3.0 marks the first stable release of the etcd3 API and data model. Upgrades are simple, because the same etcd2 JSON endpoints and internal cluster protocol are still provided in etcd3. Nevertheless, etcd3 is a wholesale API redesign based on feedback from etcd2 users and experience with scaling etcd2 in practice. This post highlights some notable etcd3 improvements in efficiency, reliability, and concurrency control."
Debian has updated libcommons-fileupload-java (denial of service), libreoffice (code execution), tomcat8 (multiple vulnerabilities, some from 2015), and xerces-c (denial of service). Debian-LTS has updated libgd2 (denial of service), php5 (multiple vulnerabilities), and xerces-c (denial of service). Fedora has updated setroubleshoot (F23; F22: code execution) and xguest (F23: insecure password creation). Ubuntu has updated libreoffice (16.04, 15.10, 12.04: code execution).
Fedora has updated haproxy (F24: denial of service) and xguest (F24: insecure password creation). openSUSE has updated phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities). SUSE has updated kvm (SLES11-SP3: multiple vulnerabilities) and qemu (SLE12-SP1: multiple vulnerabilities).
The PulseAudio 9.0 release is out. Changes include improvements to automatic routing, beamforming support, use of the Linux memfd mechanism for transport, higher sample-rate support, and more; see the release notes for details. See also: this article from Arun Raghavan on how the beamforming feature works. "The basic idea is that if you have a number of microphones (a mic array) in some known arrangement, it is possible to 'point' or steer the array in a particular direction, so sounds coming from that direction are made louder, while sounds from other directions are rendered softer (attenuated)."
The -stable kernel release process faces a contradictory set of constraints. Developers naturally want to get as many fixes into -stable as possible but, at the same time, there is a strong desire to avoid introducing new regressions there. Each -stable release is, after all, intended to be more stable than its predecessor. At times there have been complaints that -stable is too accepting and too prone to regressions, but not many specifics. But, it turns out, this is an area where at least a little bit of objective research can be done.
GitHub has published its 2015 transparency report. "This 2015 report details the types of requests we receive for user accounts, user content, information about our users, and other such information, and how we process those requests. Transparency and trust are essential to GitHub and to the open source community, and giving you access to information about these requests can protect you, protect us, and help you feel safe as you work on GitHub." The report notes that a significant number of requests for removal of content are notices submitted under the Digital Millennium Copyright Act, or the DMCA.
Thierry Reding looks at Tegra support in Linux 4.7. "The XUSB driver has been under development for a ridiculously long time. One of the reasons is that it relies on the XUSB pad controller to configure its pins as required by the board design. The XUSB pad controller is very likely one of the least-intuitive pieces of hardware I've ever encountered, and the attempts to come up with a device tree binding to describe it have been very numerous. We did finally settle on something earlier this year and after the existing code was updated for the new binding, we're finally able to support super-speed USB on Tegra124 and later." (Thanks to Martin Michlmayr)
The developers of "Project Triforce," an effort to run the "american fuzzy lop" fuzz-testing tool in a system-wide manner, have posted a detailed description of what they are up to. "AFL is an awesome tool. The power of an easy to use, feedback-driven fuzzer has produced an absolutely staggering number of bugs. Still, at first AFL required being able to build the executable, something sadly not available on a lot of targets. With the addition of AFL's qemu_mode, it became possible to fuzz binaries without source, exposing a whole new world of targets to AFL. I'd been on a number of Linux container engagements recently where we'd managed to escape through kernel exploits. I fell asleep one night to several AFL screens running, and I awoke suddenly with a crazy idea: 'Run AFL on the Linux Kernel.'"
The Mozilla blog has announced the first recipients of its Mozilla Open Source Support (MOSS) “Mission Partners” awards. "For many years people with visual impairments and the legally blind have paid a steep price to access the Web on Windows-based computers. The market-leading software for screen readers costs well over $1,000. The high price is a considerable obstacle to keeping the Web open and accessible to all. The NVDA Project has developed an open source screen reader that is free to download and to use, and which works well with Firefox. NVDA aligns with one of the Mozilla Manifesto’s principles: “The Internet is a global public resource that must remain open and accessible.”" The NVDA project received $15,000. Other award recipients include Tor, Tails, Caddy, Mio, DNSSEC/DANE Chain Stapling, Godot Engine, and PeARS. (Thanks to Paul Wise)
The 4.7-rc5 kernel prepatch is out. "I think things are calming down, although with almost two thirds of the commits coming in since Friday morning, it doesn't feel that way - my Fridays end up feeling very busy. But looking at the numbers, we're pretty much where we normally are at this time of the rc series."
The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set of netfilter fixes that, it has just been disclosed, fix a couple of severe local privilege-escalation vulnerabilities. Anybody who is running a site with user and network namespaces enabled will want to update their kernels in short order. The fixes were originally committed into 4.6-rc2 in April with no comment regarding their implications.
It seems that the Comodo TLS certificate authority (CA) has filed for three trademarks using variations of "Let's Encrypt". As might be guessed, the Let's Encrypt project is less than pleased by Comodo trying to co-opt its name. "Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization. If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web." [Thanks to Paul Wise.]
Version 4.7 of the Xen hypervisor has been released. "With dozens of major improvements, many more bug fixes and small improvements, and significant improvements to Drivers and Devices, Xen Project 4.7 reflects a thriving community around the Xen Project Hypervisor." Some of the new features include live patching, better dom0 robustness, better migration support between non-identical hosts, scheduler improvements, and more. See the release notes for more information.
Debian-LTS has updated squidguard (cross-site scripting). Fedora has updated php-symfony-security-acl (F24: unspecified). Also, Fedora has sent out a reminder that Fedora 22 will reach its end of life on July 19. Mageia has updated chromium-browser-stable (multiple vulnerabilities), kernel-linus (multiple vulnerabilities, one from 2013), kernel-tmb (multiple vulnerabilities, one from 2013), libimobiledevice (socket listening on all network interfaces), and python (three vulnerabilities). openSUSE has updated libarchive (42.1: code execution), mariadb (13.2: many unspecified vulnerabilities), and obs-service-source_validator (42.1; 13.2: code execution). Red Hat has updated libxml2 (RHEL6&7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (RHEL7: three vulnerabilities).
Back in 2009, Sony removed the "install other OS" option from its PS3 game consoles, removing the ability to install Linux on those machines. It then went after developers who figured out how to jailbreak the device. Ars Technica reports that Sony has now settled a class-action lawsuit over those actions. "Under the terms of the accord, which has not been approved by a California federal judge yet, gamers are eligible to receive $55 if they used Linux on the console. The proposed settlement, which will be vetted by a judge next month, also provides $9 to each console owner that bought a PS3 based on Sony's claims about 'Other OS' functionality." The lawyers, instead, get over $2 million.
CentOS has updated setroubleshoot (C6: multiple vulnerabilities) and setroubleshoot-plugins (C6: multiple vulnerabilities). Debian-LTS has updated icedove (multiple vulnerabilities) and python2.7 (three vulnerabilities). Fedora has updated expat (F24: multiple vulnerabilities), php-zendframework-zendxml (F23; F22: insecure ciphertexts), php-ZendFramework2 (F23; F22: insecure ciphertexts), and xen (F22: two vulnerabilities). openSUSE has updated Chromium (13.1: multiple vulnerabilities), ImageMagick (Leap42.1: command execution), and vlc (Leap42.1; 13.2: multiple vulnerabilities). Oracle has updated openssl (OL5: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (OL6: multiple vulnerabilities). Red Hat has updated python-django-horizon (RHOSP8.0; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: cross-site scripting) and setroubleshoot and setroubleshoot-plugins (RHEL6: multiple vulnerabilities).
Version 1.3 of the Elixir programming language has been released. "Elixir v1.3 brings many improvements to the language, the compiler and its tooling, specially Mix (Elixir’s build tool) and ExUnit (Elixir’s test framework). The most notable additions are the new Calendar types, the new cross-reference checker in Mix, and the assertion diffing in ExUnit."
Not to be left behind by a certain competing project, the developers of the Flatpak packaging system have put out a press release proclaiming its virtues. "The Linux desktop has long been held back by platform fragmentation. This has been a burden on developers, and creates a high barrier to entry for third party application developers. Flatpak aims to change all that. From the very start its primary goal has been to allow the same application to run across a myriad of Linux distributions and operating systems. In doing so, it greatly increases the number of users that application developers can easily reach."
Fedora has updated nfdump (F23; F22: multiple vulnerabilities) and webkitgtk4 (F22: two vulnerabilities). openSUSE has updated ctdb (Leap42.1, 13.2: privilege escalation), libtorrent-rasterbar (Leap42.1, 13.2: denial of service), ntp (Leap42.1: multiple vulnerabilities), and kernel (Leap42.1: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities). Slackware has updated libarchive (multiple vulnerabilities) and pcre (denial of service). SUSE has updated ctdb (SLE11-SP4: privilege escalation), libimobiledevice, usbmuxd (SLE12-SP1: sockets listening on INADDR_ANY), and php53 (SLES11-SP2: multiple vulnerabilities). Ubuntu has updated dnsmasq (16.04, 15.10: denial of service), expat (two vulnerabilities), haproxy (16.04: denial of service), spice (16.04, 15.10, 14.04: two vulnerabilities), wget (code execution), and xmlrpc-c (12.04: multiple vulnerabilities).
After several schedule slips, the Fedora 24 release is available. "The Fedora Project has embarked on a great journey... redefining what an operating system should be for users and developers. Such innovation does not come overnight, and Fedora 24 is one big step on the road to the next generation of Linux distributions. But that does not mean that Fedora 24 is some 'interim' release; there are great new features for Fedora users to deploy in their production environments right now!" See the Fedora 24 approved features list for an idea of what's in this release.
On the Project Zero blog, Jann Horn describes a bug Horn found that allows user space to overflow the kernel stack using the ecryptfs encrypted filesystem. That overflow can be used to elevate privileges for local users on Ubuntu systems configured for encrypted home directories. "However, the reason why I wrote a full root exploit for this not exactly widely exploitable bug is that I wanted to demonstrate that Linux stack overflows can occur in very non-obvious ways, and even with the existing mitigations turned on, they're still exploitable. In my bug report, I asked the kernel security list to add guard pages to kernel stacks and remove the thread_info struct from the bottom of the stack to more reliably mitigate this bug class, similar to what other operating systems and grsecurity are already doing. Andy Lutomirski had actually already started working on this, and he has now published patches that add guard pages: https://lkml.org/lkml/2016/6/15/1064."
The Linux networking developers have long held a strong opinion about user-space protocol implementations: they should be avoided in favor of making the in-kernel implementation better. So it might be surprising to see a veteran networking developer post a patch set aimed at making user-space implementations easier. A look at this patch and its motivations shines an interesting light on changes that are taking place in the networking world.
The 4.7-rc4 prepatch is now available for testing. Linus Torvalds said that it is "pretty small" with "nothing particularly worrisome". The development cycle proceeds apace with the usual sorts of changes: "The statistics look very normal: about two thirds drivers, with the rest being half architecture updates and half "misc" (small filesystem updates, some documentation, and a smattering of patches elsewhere)."