This post on the Red Hat Enterprise Linux blog describes the discovery and repair of the "Badlock" vulnerability. One begins to understand a little better why it took as long as it did. "The code was rewritten; in March 2016 the changes needed to fix all eight CVEs amounted to about 200 individual patches against a development version of Samba, with about half of those responsible for fixing CVE-2015-5370. When backported to previous stable Samba versions, they needed additional hundred patches. To oldest supported Samba version — about four hundred patches. What started as an individual snowflake became an avalanche but it wasn’t finished yet."
It appears to be widely accepted that the Linux desktop has achieved limited success at best, while the Linux palmtop — in the form of Android — has been wildly successful. The two classes of systems are generally thought of as being quite different, but it is worth remembering that the handsets we carry now have more computing power than the desktop systems we were using in the recent past. Given the right peripherals, an Android handset should be more than capable of providing a reasonable desktop experience. The Maru distribution is an experiment intended to prove that point by turning a smartphone device into a portable Debian desktop.
The 4.6-rc4 kernel prepatch is out for testing. "So there really isn't anything particularly interesting here. Just like I like it in the rc series. Let's hope it stays that way."
On his blog, Sven Brauch has some suggestions on how to use NumPy to process scientific data and how to avoid some pitfalls that will ruin its performance. "In general, copying data is cheap. But if your program simulates 25 million particles, each having a float64 location in 3d, you already have 8*3*25e6 = 600 MB of data. Thus, if you write r = r + v*dt, you will copy 1.2 GB of data around in memory: once 600 MB to calculate v*dt, and again to calculate r+(v*dt), and only then the result is written back to r. This can really become a major bottleneck if you aren’t careful. Fortunately, it is usually easy to circumvent; instead of writing r = r+dv, write r += dv. Instead of a = 3*a + b, write a *= 3; a+= b. This avoids the copying completely. For calculating v*dt and adding it to r, the situation is a bit more tricky; one good idea is to just have the unit of v be such that you don’t need to multiply by dt. If that is not possible, it might even be worth it to keep a copy of v which is multiplied by dt already, and update that whenever you update v. This is advantageous if only few v values change per step of your simulation. I would not recommend writing it like this everywhere though, it’s often not worth the loss in readability; just for really large arrays and when the code is executed frequently."
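As an added example (not code from Brauch's post), the script below places the copying form of the update beside the in-place forms the quote recommends and checks that the in-place versions give the same numbers without ever moving r to a new buffer. It assumes NumPy is installed and scales the particle count down to a constructed sample of 1,000.

```python
import numpy as np


def step_copying(r, v, dt):
    """Textbook r = r + v*dt: one temporary for v*dt, a second for the sum."""
    return r + v * dt


def step_inplace(r, v, dt, scratch):
    """Same update with no allocation: scratch is a preallocated buffer of
    v's shape; np.multiply(..., out=scratch) fills it and r += scratch adds
    into r's existing memory."""
    np.multiply(v, dt, out=scratch)
    r += scratch
    return r


def step_prescaled(r, v_dt):
    """The post's alternative: keep v already multiplied by dt, so the
    update is a single in-place add with no temporary at all."""
    r += v_dt
    return r


def affine_inplace(a, b):
    """In-place form of a = 3*a + b from the post: a *= 3; a += b."""
    a *= 3
    a += b
    return a


def demo(n=1000, dt=0.01, seed=0):
    """Constructed sample: n particles with float64 positions and velocities
    in 3d.  Compares each in-place form against its copying twin and records
    whether r's buffer address survived the update."""
    rng = np.random.default_rng(seed)
    r0 = rng.random((n, 3))
    v = rng.random((n, 3))
    b = rng.random((n, 3))

    r_copy = step_copying(r0, v, dt)        # r0 itself is untouched

    r_in = r0.copy()
    addr = r_in.ctypes.data                 # address of r_in's data buffer
    step_inplace(r_in, v, dt, np.empty_like(v))

    r_pre = step_prescaled(r0.copy(), v * dt)
    a_in = affine_inplace(r0.copy(), b)

    return {
        "copy_allocates": not np.shares_memory(r_copy, r0),
        "inplace_same_buffer": r_in.ctypes.data == addr,
        "inplace_matches": np.allclose(r_in, r_copy),
        "prescaled_matches": np.allclose(r_pre, r_copy),
        "affine_matches": np.allclose(a_in, 3 * r0 + b),
    }


def inplace_dtype_trap(count=5):
    """Caveat: an in-place op cannot change dtype, so a *= 0.5 on an int64
    array raises (a UFuncTypeError, a TypeError subclass) rather than
    silently widening to float64.  Returns True if the error is raised."""
    a = np.arange(count)
    try:
        a *= 0.5
        return False
    except TypeError:
        return True


if __name__ == "__main__":
    print(demo(), inplace_dtype_trap())
```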
Over at the Scylla blog, Glauber Costa looks at why a high-performance datastore application might want to do its own I/O scheduling. "If one is using a threaded approach for managing I/O, a thread can be assigned to a different priority group by tools such as ionice. However, ionice only allows us to choose between general concepts like real-time, best-effort and idle. And while Linux will try to preserve fairness among the different actors, that doesn’t allow any fine tuning to take place. Dividing bandwidth among users is a common task in network processing, but it is usually not possible with disk I/O without resorting to infrastructure like cgroups. More importantly, modern designs like the Seastar framework used by Scylla to build its infrastructure may stay away from threads in favor of a thread-per-core design in the search for better scalability. In the light of these considerations, can a userspace application like Scylla somehow guarantee that all actors are served according to the priorities we would want them to obey?"
Over at the Freedom to Tinker blog, guest poster Vitaly Shmatikov, who is a professor at Cornell Tech, writes about his study [PDF] of what URL shortening means for the security and privacy of cloud services. "TL;DR: short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices. We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments."
CoreOS has announced the release of its "Ignition" provisioning tool. "At the most basic level, Ignition is a tool for manipulating disks during early boot. This includes partitioning disks, formatting partitions, writing files, and configuring users." It runs as the first process — before systemd — to get the system into the proper shape before the ordinary boot process takes over.
The Intelligent Platform Management Interface (IPMI) is a set of system-management-and-monitoring APIs typically implemented on server motherboards via an embedded system-on-chip (SoC) that functions completely outside of the host system's BIOS and operating system. While it is intended as a convenience for those who must manage dozens or hundreds of servers in a remote facility, IPMI has been called out for its potential as a serious hole in server security. At the 2016 Embedded Linux Conference in San Diego, Tian Fang presented Facebook's recent work on OpenBMC, a Linux distribution designed to replace proprietary IPMI implementations with an open-source alternative built around standard facilities like SSH.
The details for the "Badlock" vulnerability in the SMB DCE-RPC protocol have finally been disclosed, along with the obligatory logo and domain name; there is no word on the availability of hats and T-shirts yet. It is a man-in-the-middle attack that can allow an attacker to access files in an SMB share, or gain access to Active Directory administrative tools, with the permissions of the intercepted user. "Please update your systems. We are pretty sure that there will be exploits soon. Engineers at Microsoft and the Samba Team worked together during the past months to get this problem fixed."
The Let's Encrypt project, which is working to enable encrypted communications across the web, has announced that it has gained more sponsors and no longer considers itself to be in a "beta" state. "Since our beta began in September 2015 we’ve issued more than 1.7 million certificates for more than 3.8 million websites. We’ve gained tremendous operational experience and confidence in our systems. The beta label is simply not necessary any more."
Debian has updated didiwiki (regression in previous update) and imagemagick (multiple vulnerabilities).
openSUSE has updated cairo (13.2: denial of service), clamav-database (Leap42.1: database refresh), java-1_7_0-openjdk (Leap42.1: sandbox bypass), java-1_8_0-openjdk (Leap42.1: sandbox bypass), and kernel (Leap42.1: multiple vulnerabilities).
Red Hat has updated kernel (RHEL6.6: memory leak) and openvswitch (RHOSE3.1: code execution).
SUSE has updated mercurial (SLESDK12-SP1; SLESDK11-SP4: three vulnerabilities).
Ubuntu has updated linux-lts-utopic (14.04: regression in previous update).
Richard Stallman looks at the GPL and how it is incompatible with the CDDL (Common Development and Distribution License), which is the license used by ZFS. "Likewise, the copyright holders of ZFS (the version that is actually used) can give permission to use it under the GNU GPL, version 2 or later, in addition to any other license. This would make it possible to combine that version with Linux without violating the license of Linux. This would be the ideal resolution and we urge the copyright holders of ZFS to do so. Some copyright holders choose not to enforce their licenses in specific situations. That enables users to operate as if permission were granted. However, this does not alter the meaning of the GNU GPL, and does not cause uses that the GPL disallows to either suddenly or slowly become permitted by the GPL. Such acquiescence is not the case in regard to linking Linux and ZFS; indeed, some Linux copyright holders have said they consider this copyright infringement. We have explained above the reasons why that is so."
Eben Moglen opines on the role of the Linux Foundation, and on GPL enforcement in general. "LF will be as favorable to copyleft as its members are. Copyleft licensing is easy for businesses to doubt: required sharing of work that could be instead 'owned' by the capital investors seems to be mere loss in conventional calculations. I have spent most of my adult lifetime not telling businesses that copyleft was in their interest, but educating them about copyleft and others’ experience with it, in order to allow them to draw their own conclusions. Experience has taught me that this process, though uncertain and unscalable, is absolutely crucial to the attainment of the free software movement’s fundamental objectives. It is, however, all too easily destroyed by any form of overly aggressive copyleft enforcement that fully confirms businesspeople’s skepticism."
Sasha Levin has announced the creation of the "linux-stable security tree" project. The idea is to take the current stable updates and filter out everything that isn't identified as a security fix. "Quite a few users of the stable trees pointed out that on complex deployments, where validation is non-trivial, there is little incentive to follow the stable tree after the product has been deployed to production. There is no interest in 'random' kernel fixes and the only requirements are to keep up with security vulnerabilities."
Arch Linux has updated flashplugin (multiple vulnerabilities).
Fedora has updated fuse-encfs (F23; F22: cryptography issues), kernel (F23; F22: multiple vulnerabilities), latex2rtf (F23; F22: code execution), php (F23; F22: multiple vulnerabilities), python-pillow (F23; F22: buffer overflow), qemu (F22: multiple denial of service vulnerabilities), and xen (F23; F22: information disclosure).
openSUSE has updated flash-player (13.1: code execution) and xen (13.2: multiple vulnerabilities, some from 2013).
The 4.6-rc3 kernel prepatch has been released, but there does not appear to be an announcement from Linus to go with it. As he predicted, the pace of change has increased a bit; 298 changesets have been merged since -rc2, out of 491 total since the closing of the merge window. Update: your editor has found the missing 4.6-rc3 announcement. It seems it went to the filesystems list only; Linus apparently had filesystems on his mind. "What _is_ surprising, though, is that about half the bulk of the rc3 patch is to filesystem code. I don't recall that before, and that surprised me - I had to go look for the reason. It turns out that while we have indeed got changes to several filesystems (btrfs, ext4, orangefs, f2fs), but the big reason was simply from us getting rid of the PAGE_CACHE_SIZE macro and just using PAGE_SIZE everywhere."
WordPress has announced free HTTPS for all custom domains hosted on WordPress.com. "The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains. For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity."
OpenStack Mitaka has been released. "OpenStack Mitaka, the 13th release of the most widely deployed open source software for building clouds, now offers greater manageability and scalability as well as an enhanced end-user experience. The Mitaka release was designed and built by an international community of 2,336 developers, operators and users from 345 organizations. OpenStack has become the cloud platform of choice for enterprises and service providers, as an integration engine to manage bare metal, virtual machines, and container orchestration frameworks with a single set of APIs." More information can be found in the release notes. There is also a press release available.
Fedora has updated libmaxminddb (F24: multiple vulnerabilities) and python-rsa (F23: unspecified).
openSUSE has updated java-1_7_0-openjdk (13.2: sandbox bypass) and xerces-c (13.2: two vulnerabilities).
SUSE has updated rubygem-actionpack-3_2 (SLE11SP4, Webyast 1.3, Studio Onsite 1.3, Lifecycle Management Server 1.3: two vulnerabilities).
Peter Hutterer writes about the cost of configuration options. "You see, whenever you write 'it's just 5 lines of code to make this an option', what I think is 'once the patch is reviewed and applied, I'll spend two days to write test cases and documentation. I'll need to handle any bug reports related to this, and I'm expected to make sure this option works indefinitely. Any addition of another feature may conflict with this option, so I need to make sure the right combination is possible and test cases are written.' So your work ends after writing a 5 line patch, my work as maintainer merely starts."
Version 1.3.0 of the rkt container system has been released. "rkt version 1.3.0 improves handling of errors within app containers, tightens security for rkt’s modular stage1 images, and provides a more compatible handling of volumes when executing Docker container images rather than rkt’s native ACI image format. This release further develops the essential support for rkt as a component of the Kubernetes cluster orchestrator."
The Open Sourced Vulnerability Database (OSVDB) has been shut down. "This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort. The OSVDB blog will continue to be a place for providing commentary on all things related to the vulnerability world." (Thanks to Paul Wise)
The Berkeley packet filter (BPF) mechanism has been working its way into various kernel subsystems since it was rewritten and extended in 2014. There is, it turns out, great value in an in-kernel virtual machine that allows for the implementation of arbitrary policies without writing kernel code. A recent patch set pushing BPF into networking drivers shows some of the potential of this mechanism — and the difficulty of designing its integration in a way that will stand the test of time. If it is successful, it may change the way high-performance networking is done on Linux systems.
The KDE project has released a vision statement, a single sentence that sums up what the project would like to achieve: A world in which everyone has control over their digital life and enjoys freedom and privacy. "Our vision unites KDE in common purpose. It sets out where we want to get to, but it provides no guidance on how we should get there. After finalizing our vision (the "what"), we have immediately started the process of defining KDE's Mission Statement (the "how"). As with all things KDE, you are invited to contribute. You can easily add your thoughts on our mission brainstorming wiki page." (Thanks to Paul Wise)
Arch Linux has updated optipng (code execution).
Debian has updated mercurial (three vulnerabilities) and roundcube (code execution).
Fedora has updated krb5 (F22: null pointer dereference) and vtun (F23; F22: denial of service).
Gentoo has updated xen (multiple vulnerabilities, some from 2012).
openSUSE has updated ghostscript (Leap42.1: buffer overflow).
Red Hat has updated nss, nss-util, nspr (RHEL6: two vulnerabilities).
Slackware has updated thunderbird (multiple vulnerabilities).
SUSE has updated xen (SLE11-SP4: multiple vulnerabilities, some from 2013).
Ubuntu has updated libav (12.04: multiple vulnerabilities) and xchat-gnome (man-in-the-middle attack).
Matthew Garrett's take on the Debian-XScreenSaver disagreement is worth a read. "Free software doesn't benefit from distributions antagonising their upstreams, even if said upstream is a cranky nightclub owner. Debian's users are Debian's highest priority, but those users are going to suffer if developers decide that not using free licenses improves their quality of life. Kneejerk reactions around specific instances aren't helpful, but now is probably a good time to start thinking about what value Debian brings to its upstream authors and how that can be increased."
The Linux Foundation has announced the Civil Infrastructure Platform, "an open source framework that will provide the software foundation needed to deliver essential services for civil infrastructure and economic development on a global scale." Civil infrastructure systems deliver critical services such as electric power, oil and gas, water, health care, communications, transportation and more. "The Civil Infrastructure Platform will aim to work upstream with the Linux kernel and other open source projects to establish a “base layer” of industrial-grade software. This base layer will enable the use of software building blocks that meet safety, security, reliability and other requirements that are critical to industrial and civil infrastructure projects."
Arch Linux has updated squid (denial of service).
Debian has updated lhasa (code execution) and srtp (denial of service).
Fedora has updated apache-commons-collections (F23; F22: code execution), bind (F22: multiple vulnerabilities), bind99 (F22: multiple vulnerabilities), and NetworkManager (F23: multiple vulnerabilities).
Gentoo has updated qemu (multiple vulnerabilities) and xalan (code execution from 2014).
openSUSE has updated krb5 (13.2: null pointer dereference).
Oracle has updated openssh (OL5: two vulnerabilities).
Scientific Linux has updated krb5 (SL7: three vulnerabilities) and mariadb (SL7: multiple vulnerabilities).
Slackware has updated mercurial (three vulnerabilities) and php (multiple vulnerabilities).
Linus has released the second 4.6 prepatch. "You all know the drill by now - another week, another rc. I'd say that things look fairly normal at this point: it's not a big rc2, but that's been true lately (rc3 tends to be a bit bigger - probably just because it takes time for people to start noticing issues)."
Version 1.5 of the Discourse open-source discussion-and-commenting system has been released. Significant work went into rewriting the top-level "topics" page, resulting in a five-fold speed increase. Administrators can now change and customize every object label used in the interface. "Want topics to be 'threads'? Users to be 'funkatrons'? Like to be 'brofist'? Well, Discourse is your huckleberry." Support for email comments has also been improved, and user groups can now exchange private messages. The badge system, which is used to denote user roles and to mark popular posts, received a visual refresh and new documentation; user summary pages were also refreshed.
At the Mono Project blog, Miguel de Icaza announced that the Mono runtime has been relicensed, moving from a dual-license slate (with LGPLv2 and proprietary options) to the MIT license. The Mono compiler and class libraries were already under the MIT license and will remain so. "Moving the Mono runtime to the MIT license removes barriers to the adoption of C# and .NET in a large number of scenarios, embedded applications, including embedding Mono as a scripting engine in game engines or other applications." De Icaza notes that Xamarin (which was recently acquired by Microsoft) had developed several proprietary Mono modules in recent years; these will also now be released under the MIT license.
The web-development community was briefly thrown into chaos in late March when a lone Node.js developer suddenly unpublished a short but widely used package from the Node Package Manager (npm) repository. The events leading up to that developer's withdrawal are controversial in their own right, but the chaotic effects raise even more serious questions for the Node.js and npm user communities.
NetworkWorld reports that software developed at MIT Media Lab will be open source by default. "This effort does away with developers having to get such licenses approved first by an internal committee, which [Lab Director Joi Ito] says "always allowed our developers to open-source their work" anyway."
Dustin Kirkland announces the availability of the Ubuntu user space on Windows 10 — a cooperative project with Microsoft. "Finally, I imagine some of you -- long time Windows and Ubuntu users alike -- are still wondering, perhaps, 'Why?!?' Having dedicated most of the past two decades of my career to free and open source software, this is an almost surreal endorsement by Microsoft on the importance of open source to developers. Indeed, what a fantastic opportunity to bridge the world of free and open source technology directly into any Windows 10 desktop on the planet."
Arch Linux has updated jdk8-openjdk (sandbox bypass), jre8-openjdk (sandbox bypass), and jre8-openjdk-headless (sandbox bypass).
Debian has updated dhcpcd (multiple vulnerabilities) and kamailio (code execution).
Fedora has updated openssh (F22: command injection) and webkitgtk (F22: multiple vulnerabilities).
Oracle has updated kernel-uek (OL7; OL6: unspecified).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and openvswitch (RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: code execution).
SUSE has updated firefox, nspr, nss (SLE11-SP2: multiple vulnerabilities) and kernel (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated pcre3 (multiple vulnerabilities).
The KDE project has announced a new framework called the Kirigami UI; it appears to be oriented toward the needs of mobile applications. "Kirigami UI isn't just a set of components, it's also a philosophy: It defines precise UI/UX patterns to allow developers to quickly develop intuitive and consistent apps that provide a great user experience."
The OpenBSD 5.9 release is available. There are a lot of enhancements and improvements. Perhaps most significant is the addition of the pledge() system call, which can be used by a process to limit its future capabilities. LWN looked at an early version of this work, back when it was called tame().
For many aspiring projects, getting accepted and shipped by popular distributions is an important step toward a long and successful life. But even large and established projects can struggle in this area. The distribution outreach program recently launched by the KDE project hosted a discussion making it clear that KDE cannot count on the support of distributions without supporting them in turn. If the participants are to be believed, KDE's second-place position in the desktop competition can at least partially be attributed to how the project works with distributors.
Debian has updated openvswitch (code execution).
openSUSE has updated gdk-pixbuf (13.2: three vulnerabilities).
SUSE has updated samba (SLES11-SP2: ACL ownership overwrite).