Version 3.0 of the Krita painting application has been released. "Wrapping up a year of work, this is a really big release: animation support integrated into Krita’s core, Instant Preview for better performance painting and drawing with big brushes on big canvases, ported to the latest version of the Qt platform and too many bigger and smaller new features and improvements to mention!"
Linus has released 4.7-rc1 and closed the merge window for this release, saying "this time around we have a fairly big change to the vfs layer that allows filesystems (if they buy into it) to do readdir() and path component lookup in parallel within the same directory. That's probably the biggest conceptual vfs change we've had since we started doing cached pathname lookups using RCU." The code name has been changed to "Psychotic Stoned Sheep."
Ars Technica is carrying an editorial from Oracle's attorney in its fight with Google; it would seem that this ruling is the end of the world. "It is hard to see how GPL can survive such a result. In fact, it is hard to see how ownership of a copy of any software protected by copyright can survive this result. Software businesses now must accelerate their move to the cloud where everything can be controlled as a service rather than software. Consumers can expect to find decreasing options to own anything for themselves, decreasing options to control their data, decreasing options to protect their privacy."
At its blog, the Open Source Initiative (OSI) announces the deployment of "a machine readable publication of OSI approved licenses" accessible via api.opensource.org. The service is designed to "store a central list of crosswalks and common identifiers to other services, allowing third parties who are already license-aware to provide their mappings, and pull OSI approval status programmatically." Programs can query a license by its Software Package Data Exchange (SPDX) ID and determine whether or not it is OSI-approved. API wrappers are available for Python, Ruby, and Go.
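One practical use of such a machine-readable list is a license gate in a build or software-supply-chain pipeline: every declared SPDX ID in a bill of materials is resolved against the OSI records and anything unknown or not approved is flagged. The following is an added example, not code from the OSI announcement or from the project's own API wrappers. It assumes the per-license record shape has `id`, `identifiers` (each with `identifier` and `scheme`), `keywords` (containing `osi-approved` for approved licenses) and `superseded_by`, and it assumes the `/license/{id}` endpoint path; the sample records and the sample bill of materials are constructed so the check runs offline.

```python
"""Offline license gate against OSI approval records (added example).

Assumes the record shape published by api.opensource.org: id, identifiers
[{identifier, scheme}], keywords, superseded_by. The records and the
bill of materials below are constructed sample data, not live API output.
"""
import json
import urllib.request
from typing import Dict, List

# Constructed sample records shaped like the assumed API response.
SAMPLE_RECORDS_JSON = """[
  {"id": "MIT", "name": "MIT/Expat License",
   "identifiers": [{"identifier": "MIT", "scheme": "SPDX"}],
   "keywords": ["osi-approved", "permissive"], "superseded_by": null},
  {"id": "Apache-2.0", "name": "Apache License, Version 2.0",
   "identifiers": [{"identifier": "Apache-2.0", "scheme": "SPDX"}],
   "keywords": ["osi-approved", "popular"], "superseded_by": null},
  {"id": "Example-NonOSI-1.0", "name": "Constructed non-approved license",
   "identifiers": [{"identifier": "Example-NonOSI-1.0", "scheme": "SPDX"}],
   "keywords": [], "superseded_by": null},
  {"id": "Example-Old-1.0", "name": "Constructed superseded license",
   "identifiers": [{"identifier": "Example-Old-1.0", "scheme": "SPDX"}],
   "keywords": ["osi-approved"], "superseded_by": "Example-New-2.0"}
]"""

# Constructed bill of materials: package name -> declared SPDX license ID.
SAMPLE_SBOM: Dict[str, str] = {
    "requests": "Apache-2.0",
    "widget": "Example-NonOSI-1.0",
    "legacy-lib": "Example-Old-1.0",
    "mystery": "NOASSERTION",
}


def load_records(raw: str = SAMPLE_RECORDS_JSON) -> List[dict]:
    """Parse a JSON array of license records."""
    return json.loads(raw)


def index_by_spdx(records: List[dict]) -> Dict[str, dict]:
    """Map each SPDX identifier to its license record."""
    index: Dict[str, dict] = {}
    for rec in records:
        for ident in rec.get("identifiers", []):
            if ident.get("scheme") == "SPDX":
                index[ident["identifier"]] = rec
    return index


def is_osi_approved(rec: dict) -> bool:
    """Approval is signalled by the 'osi-approved' keyword (assumed schema)."""
    return any(k.lower() == "osi-approved" for k in rec.get("keywords", []))


def classify(spdx_id: str, index: Dict[str, dict]) -> str:
    """Return one of: approved, not-approved, superseded, unknown.

    A superseded license is reported separately even if approved, so the
    reviewer sees that a newer version exists (a policy choice of this
    example, not something the API dictates).
    """
    rec = index.get(spdx_id)
    if rec is None:
        return "unknown"
    if rec.get("superseded_by"):
        return "superseded"
    return "approved" if is_osi_approved(rec) else "not-approved"


def check_sbom(sbom: Dict[str, str], index: Dict[str, dict]) -> Dict[str, str]:
    """Classify every package's declared license."""
    return {pkg: classify(lic, index) for pkg, lic in sbom.items()}


def fetch_record(spdx_id: str) -> dict:
    """Live lookup of one license; the endpoint path is an assumption."""
    url = f"https://api.opensource.org/license/{spdx_id}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    results = check_sbom(SAMPLE_SBOM, index_by_spdx(load_records()))
    for pkg, status in sorted(results.items()):
        print(f"{pkg:12s} {SAMPLE_SBOM[pkg]:22s} {status}")
    if any(s != "approved" for s in results.values()):
        raise SystemExit("license gate: review required")
```

Run as a script, the gate prints one line per package and exits non-zero when anything other than a currently approved license is declared; swapping `load_records` for a cached download of the real records turns the sample into a working compliance check.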
Worth a read: this paper [PDF] from Kaiyuan Yang et al. on how an analog back door can be placed into a hardware platform like a CPU. "In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting [sic] a chip’s functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor."
Ars Technica reports that Google has prevailed against Oracle in its court battle over the use of the Java APIs in Android. "There was only one question on the special verdict form, asking if Google's use of the Java APIs was a 'fair use' under copyright law. The jury unanimously answered 'yes,' in Google's favor. The verdict ends the trial, which began earlier this month."
Debian-LTS has updated bozohttpd (two vulnerabilities, one from 2014), ruby-mail (SMTP injection), and xymon (multiple vulnerabilities). Also, the Debian-LTS team has announced that some packages will not be supported (libv8, mediawiki, sogo, and vlc) for Debian 7 ("wheezy"), so users of those should upgrade to Debian 8 ("jessie").
Red Hat has updated rh-mariadb100-mariadb (RHSC: many vulnerabilities).
Ubuntu has updated eglibc, glibc (15.10, 14.04, 12.04: multiple vulnerabilities, some from 2013 and 2014) and samba (16.04, 15.10, 14.04: regression in previous security fix).
Arch Linux has updated libndp (man-in-the-middle attacks).
Fedora has updated kernel (F22: multiple vulnerabilities).
Red Hat has updated jq (RHOSP8: code execution).
Slackware has updated libarchive (code execution).
Ubuntu has updated php5, php7.0 (multiple vulnerabilities).
By all accounts, the Internet's transition to IPv6 has been a slow affair. In recent years, though, perhaps inspired by the exhaustion of the IPv4 address space, IPv6 usage has been on the rise. There is a corresponding interest in ensuring that applications work with both IPv4 and IPv6. But, as a recent discussion on the OpenBSD mailing list has highlighted, a mechanism designed to ease the transition to an IPv6 network may also make the net less secure — and Linux distributions may be configured insecurely by default.
On the Tor blog, Nick Mathewson reports on an informal survey he did for "severe" bugs in Tor over the last few years. It breaks down the 70 bugs he found into different categories that are correlated with some recommendations for ways to try to avoid them in the future. For example: "Recommendation 5.1: all backward compatibility code should have a timeout date. On several occasions we added backward compatibility code to keep an old version of Tor working, but left it enabled for longer than we needed to. This code has tended not to get the same regular attention it deserves, and has also tended to hold surprising deviations from the specification. We should audit the code that's there today and see what we can remove, and we should never add new code of this kind without adding a ticket and a comment planning to remove it." Many of the recommendations are likely applicable to other projects.
GitLab 8.8 has been released with pipeline visualization, .gitignore templates, the GitLab Container Registry, and more. "In this release, we are supercharging GitLab CI. First with Pipelines and now with GitLab Container Registry. GitLab Container Registry is a secure and private registry for Docker images. It isn't just a standalone registry; it's completely integrated with GitLab. In fact, our container registry is actually the first Docker registry that is fully-integrated with git repository management and comes out of the box with GitLab 8.8. So if you've upgraded, you already have it! Our integrated Container Registry requires no additional installation. It allows for easy upload and download of images from GitLab CI. And it's free."
Debian has updated atheme-services (denial of service).
Fedora has updated gsi-openssh (F23: privilege escalation), imlib2 (F23; F22: multiple vulnerabilities), and websvn (F23; F22: cross-site scripting).
Mageia has updated glibc (multiple vulnerabilities), golang (denial of service), pcre (two vulnerabilities), and xerces-j2 (denial of service).
Red Hat has updated jq (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7: code execution) and kernel (RHEL6.6: two remote denial of service vulnerabilities).
SUSE has updated IBM Java 1.6.0 (SLES10-SP4: multiple vulnerabilities).
Linux.com has an interview with Dietrich Ayala about using old smartphones for home automation. "Ayala spent a lot of time studying the readouts from sensors, as well as from the phone’s microphone, camera, and radios, that would enable a remote user to draw conclusions about what was happening at home. This contextual information could then be codified into more useful notifications. With ambient light, for example, if it suddenly goes dark in the daytime, maybe someone is standing over a device, explained Ayala. Feedback from the accelerometer can be analyzed to determine the difference between footsteps, an earthquake, or someone picking up the device. Scripts can use radio APIs to determine if a person moving around is carrying a phone with a potentially revealing Bluetooth signature."
Version 1.2.0 of the Roundcube web-based email system has been released. The headline feature this time around would appear to be support for encrypted mail with PGP; the encryption can be handled either centrally in the server, or in the browser via the "Mailvelope" browser plugin. A complete list of changes can be found in the changelog.
For those who are curious about how the CoreOS remote SSH vulnerability came to be, the company has posted a detailed report. "This misconfiguration was abetted by confirmation bias. The expected outcome of the change to the CoreOS PAM configuration was for users who presented a password present in an authentication database to be successfully authenticated. Because of the pam_permit failure case explained above, this was the observed behavior in testing, so the change was assumed to be correct. No attempt was made to determine whether the observed behavior could be explained in some other way, such as the system allowing any presented password."
Arch Linux has updated bugzilla (cross-site scripting).
Debian has updated librsvg (three vulnerabilities).
Debian-LTS has updated expat (code execution) and libgd2 (denial of service).
Mageia has updated dhcpcd (code execution from 2014), expat (code execution), gdk-pixbuf2.0 (code execution), icu (code execution), imagemagick/ruby-rmagic (multiple vulnerabilities), libxml2 (two denial of service flaws), perl (denial of service), and xerces-c (code execution).
openSUSE has updated libksba (13.2: two vulnerabilities) and php5 (42.1: multiple vulnerabilities).
Red Hat has updated Red Hat OpenShift Enterprise 3.1 (unauthorized access) and Red Hat OpenShift Enterprise 3.2 (three vulnerabilities).
SUSE has updated openssl (SLE10: multiple vulnerabilities).
Over at InfoWorld, Jim Reno compares the security of virtual machines (VMs) and containers. "Which is more secure?" is a question that is often asked, but the answer, of course, is "it depends". Reno analyzes the attack surface of each to help in the choosing between VMs and containers. "Many legacy VM applications treat VMs like bare metal. In other words, they have not adapted their architectures specifically for VMs or for security models not based on perimeter security. They might install many services on the same VM, run the services with root privileges, and have few or no security controls between services. Rearchitecting these applications (or more likely replacing them with newer ones) might use VMs to provide security separation between functional units, rather than simply as a means of managing larger numbers of machines. Containers are well suited for microservices architectures that “string together” large numbers of (typically) small services using standardized APIs. Such services often have a very short lifetime, where a containerized service is started on demand, responds to a request, and is destroyed, or where services are rapidly ramped up and down based on demand. That usage pattern is dependent on the fast instantiation that containers support. From a security perspective it has both benefits and drawbacks."
On his blog, Josh Berkus asks about the effects of changing how PostgreSQL numbers its releases. There is talk of moving from an x.y.z scheme to an x.y scheme, where x would increase every year to try to reduce "the need to explain to users that 9.5 to 9.6 is really a major version upgrade requiring downtime". He is wondering what impacts that will have on users, tools, scripts, packaging, and so on. "The problem is the first number, in that we have no clear criteria when to advance it. Historically, we've advanced it because of major milestones in feature development: crash-proofing for 7.0, Windows port for 8.0, and in-core replication for 9.0. However, as PostgreSQL's feature set matures, it has become less and less clear on what milestones would be considered "first digit" releases. The result is arguments about version numbering on the mailing lists every year which waste time and irritate developers."
Docker Engine 1.11 has been released, built on runC and containerd. "runC is the first implementation of the Open Containers Runtime specification and the default executor bundled with Docker Engine. Thanks to the open specification, future versions of Engine will allow you to specify different executors, thus enabling the ecosystem of alternative execution backends without any changes to Docker itself. By separating out this piece, an ecosystem partner can build their own compliant executor to the specification, and make it available to the user community at any time – without being dependent on the Engine release schedule or wait to be reviewed and merged into the codebase."
Yubico has posted a blog entry defending the company's decision to switch to closed-source code in the Yubikey 4 product. "If you have to pick only one, is it more important to have the source code available for review or to have a product that includes serious countermeasures for attacks against the integrity of your keys?" See also: Konstantin Ryabitsev's response to this posting. "When it comes to any hardware, we must at some point trust the manufacturer -- unless we have very large budgets that would allow us to fully monitor every step of the manufacturing process. In the absence of such large budgets, we must base our trust on the company's prior record and their willingness to work with the community to show that their hands are clean and their intentions are pure. Putting out a blackbox proprietary device after all the good will you have built up with NEOs sends the exact opposite message."
Jeffrey Pomerantz and Robin Peek seek to disambiguate the word "open", as it is used or misused today. Examples include open source, open access, open society, open knowledge, open government, and so on. "From the common ancestor Free Software, the term “open” diversified, filling a wide range of niches. The Open Source Definition gave rise to a number of other definitions, articulating openness for everything from hardware to knowledge. Inspired by the political philosophy of openness, the Open Society Institute funded the meeting at which the Budapest Open Access Initiative declaration was created. Open Access then gave rise to a wide range of other opens concerned with scholarship, publication, and cultural heritage generally. This spread of openness can be seen as the diversification of a powerful idea into a wide range of resources and services. It can also be seen more importantly as the arrival, society-wide, of an idea whose time has come ... an idea with political, legal, and cultural impacts." (Thanks to Paul Wise)
Should you happen to be running a CoreOS alpha release in an exposed setting, you'll want to have a look at this advisory and do a quick upgrade. "A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected."
Linus has released the 4.6 kernel, saying: "It's just as well I didn't cut the rc cycle short, since the last week ended up getting a few more fixes than expected, but nothing in there feels all that odd or out of line." Some of the more significant changes in this release are: post-init read-only memory as a bare beginning of the effort to harden the kernel, support for memory protection keys, the preadv2() and pwritev2() system calls, the kernel connection multiplexer, the OrangeFS distributed filesystem, compile-time stack validation, the OOM reaper, and many more. See the KernelNewbies 4.6 page for an amazing amount of detail.
At his blog, Christian Schaller discusses the details of the OpenH264 media codec from Cisco, which is now available in Fedora. In particular, he notes that the codec only handles the H.264 "Baseline" profile. "So as you might guess from the name Baseline, the Baseline profile is pretty much at the bottom of the H264 profile list and thus any file encoded with another profile of H264 will not work with it. The profile you need for most online videos is the High profile. If you encode a file using OpenH264 though it will work with any decoder that can do Baseline or higher, which is basically every one of them." Wim Taymans of GStreamer is looking at improving the codec with Cisco's OpenH264 team.
The Electronic Frontier Foundation (EFF) has announced a new name and web site for the Let's Encrypt client. The Let's Encrypt project is a free certificate authority for TLS certificates that enable HTTPS for the web. The client, now called "Certbot", uses Automatic Certificate Management Environment (ACME) to talk to the Let's Encrypt CA, though it will no longer be the "official" client and there are other ACME clients that can be used. "Along with the rename, we've also launched a brand new website for Certbot, found at https://certbot.eff.org. The site includes frequently asked questions as well as links to how you can learn more and help support the project, but by far the biggest feature of the website is an interactive instruction tool. To get the specific commands you need to get Certbot up and running, just input your operating system and webserver. No more searching through pages and pages of documentation or Google search results! While a new name has the potential for creating technical issues, the Certbot team has worked hard to make this transition as seamless as possible. Packages installed from PyPI, letsencrypt-auto, and third party plugins should all continue to work and receive updates without modification. We expect OS packages to begin using the Certbot name in the next few weeks as well. On many systems, the current client packages will automatically transition to Certbot while continuing to support the letsencrypt command so you won't have to edit any scripts you're currently using."
Debian-LTS has updated ocaml (code execution) and xerces-c (code execution).
Fedora has updated kernel (F23: information leak), ntp (F22: multiple vulnerabilities), php (F22: multiple vulnerabilities), subversion (F23: two vulnerabilities), and xen (F23: two vulnerabilities).
Mageia has updated libtasn1 (denial of service) and squid (two vulnerabilities).
Oracle has updated pcre (OL7: multiple vulnerabilities).
Red Hat has updated kernel (RHEL7: privilege escalation), kernel-rt (RHEL7; RHEL6: privilege escalation), and thunderbird (two vulnerabilities).
Slackware has updated thunderbird (multiple vulnerabilities).
SUSE has updated mysql (SLE11: multiple vulnerabilities), ntp (SLE11: multiple vulnerabilities), and php5 (SLE12: multiple vulnerabilities).
Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).
The OpenWrt project is perhaps the most widely known Linux-based distribution for home WiFi routers and access points; it was spawned from the source code of the now-famous Linksys WRT54G router more than 12 years ago. In early May, the OpenWrt user community was thrown into a fair amount of confusion when a group of core OpenWrt developers announced that they were starting a spin-off (or, perhaps, a fork) of OpenWrt to be named the Linux Embedded Development Environment (LEDE). It was not entirely clear to the public why the split was taking place—and the fact that the LEDE announcement surprised a few other OpenWrt developers suggested trouble within the team.
The Mozilla Open Source Support (MOSS), an award program focused on supporting open source and free software, was launched last year. The first track provided support for software projects that Mozilla uses or relies on. This year MOSS is open "to any open source project in the world which is undertaking an activity that meaningfully furthers Mozilla’s mission." In other words, projects that help to ensure the Internet is a global public resource, open and accessible to all. "So if you think your project qualifies, we encourage you to apply. Applications for the Mission Partners track are open as of today. (Applications for Foundational Technology also remain open.) You can read more about our selection criteria and committee on the wiki. The budget for this track for 2016 is approximately US$1.25 million."
Arch Linux has updated cacti (SQL injection) and squid (multiple vulnerabilities).
Debian has updated libarchive (code execution) and monotone, ovito, pdns, qtcreator, softhsm (regression in previous update).
Debian-LTS has updated botan1.10 (regression in previous update). Not all Debian packages are fully supported in Wheezy LTS. See the debian-security-support advisory for details.
Fedora has updated glibc (F23: multiple vulnerabilities), graphite2 (F22: multiple vulnerabilities), ntp (F23: multiple vulnerabilities), openssl (F22: multiple vulnerabilities), pgpdump (F23; F22: denial of service), and thunderbird (F22: multiple vulnerabilities).
openSUSE has updated compat-openssl098 (Leap42.1: multiple vulnerabilities) and php5 (13.2: multiple vulnerabilities).
Red Hat has updated file (RHEL6: multiple vulnerabilities), icedtea-web (RHEL6: applet execution), java-1.8.0-ibm (RHEL6: multiple vulnerabilities), kernel (RHEL6: multiple vulnerabilities), ntp (RHEL6: multiple vulnerabilities), openshift (RHOSE3.1: information disclosure), openssh (RHEL6: multiple vulnerabilities), pcre (RHEL7: multiple vulnerabilities), and qemu-kvm-rhev (RHELOSP5 for RHEL6: code execution).
Scientific Linux has updated pcre (SL7: multiple vulnerabilities).
Slackware has updated imagemagick (multiple vulnerabilities).
SUSE has updated ImageMagick (SOSC5, SMP2.1, SM2.1, SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated openjdk-6 (12.04: multiple vulnerabilities).
Techniques for hardening the security of running systems often focus on access to memory. An attacker who can write (or even read) arbitrary memory regions will be able to take over the system in short order; even the ability to access small regions of memory can often be exploited. One possible defensive technique would be to encrypt the contents of memory so that an attacker can do nothing useful with it, even if access is somehow gained; this type of encryption clearly requires hardware support. Both Intel and AMD are introducing such support in their processors, and patches to enable that support have been posted for consideration; the two manufacturers have taken somewhat different approaches to the problem, though.
BitKeeper, the inspiration behind Git and Mercurial, has been released under the Apache 2.0 License. Larry McVoy is answering questions on Hacker News, posting as 'luckydude'. In one comment he says: "Git/Github has all the market share. Trying to compete with that just proved to be too hard. So rather than wait until we were about to turn out the lights, we decided to open source it while we still had money in the bank and see what happens. We've got about 2 years of money and we're trying to build up some additional stuff that we can charge for. We're also open to doing work for pay to add whatever it is that some company wants to BK, that's more or less what we've been doing for the last 18 years. Will it work? No idea. We have a couple of years to find out. If nothing pans out, open sourcing it seemed like a better answer than selling it off." (Thanks to Josh Triplett)
The Future of Open Source Survey aims to examine trends in open source. It's hosted by Black Duck and North Bridge. Opensource.com looks at the results. "The 2016 Future of Open Source Survey analyzed responses from nearly 3,400 professionals. Developers made their voices heard in the survey this year, comprising roughly 70% of the participants. The group that showed exponential growth were security professionals, whose participation increased by over 450%. Their participation shows the increasing interest in ensuring that the open source community pays attention to security issues in open source software and securing new technologies as they emerge."
Ars Technica likes Ubuntu's latest release, and thinks it may be the best release Canonical has presented to date. Snap packaging is part of that appeal, but Snaps have competition. "While something like Snap packages have the potential to completely change the way distros work, it remains to be seen if Snap specifically will be what ends up reaching critical mass. It's certainly possible that Snap may prove popular enough to warrant other distros incorporating it, but it's also possible that there may end up being more than one way to handle self-contained packages. Looking at Canonical's track record does not inspire confidence. Upstart gave way to systemd, the software center gave way to GNOME Software, and even simple things like scrollbars get abandoned for upstream solutions. How Snap packages end up over the long term will be fascinating for Ubuntu users to watch, but even in the worst-case scenario, fans shouldn't have anything to worry about. If one day Ubuntu does abandon Snap in favor of another system, all the changes will likely be behind the scenes. In the shorter term, Snap packages should be a boon to Ubuntu, allowing users to stick with a stable base system while still leaving them free to try just-released software packages without fear of wrecking the system."
The Journal of Open Source Software (JOSS) has been announced. JOSS is an open source, developer-friendly journal for research software packages. "As academics, it's important for us to be able to measure the impact of our work, but available tools & metrics are woefully lacking when it comes to tracking research output that doesn't look like a paper. A 2009 survey of more than 2000 researchers found that > 90% of them consider software important or very important to their work — but even if you've followed this GitHub guide for archiving a GitHub repository with Zenodo (and acquired a DOI in the process), citations to your work probably aren't being counted by the people that matter." (Thanks to Paul Wise)
Ars Technica reports on the restart of Oracle v. Google, the fight over Google's use of the Java APIs in Android. "So now, it's back to a jury. Oracle has won its bid to be able to use copyright as a powerful legal sword. But Google can still dodge that sword by convincing a jury that Android's use of APIs constitutes fair use—in other words, relatively small and justified."
Linus has released the 4.6-rc7 kernel prepatch. "Nothing particularly scary, and the more people who test this out, the more confident we can be that the final 4.6 is all good. So please take a moment to try it out."