Recently ChrisEvans, an IT security expert currently working for Tesla, published aseries of blog posts about security vulnerabilities in the GStreamermultimedia framework. A combination of the Chrome browser and GNOME-baseddesktops creates a particularlyscary vulnerability. Evans also made a provocative statement: thatvulnerabilities of this severity currently wouldn't happen inWindows 10. Is the state of security on the Linux desktop really thatbad — and what can be done about it?Subscribers can click below for the full story from this week's edition.
The Xen Project Blog has releasedthe Xen Project Hypervisor 4.8. "As always, we focused on improving code quality, security hardening as well as enabling new features. One area of interest and particular focus is new feature support for ARM servers. Over the last few months, we’ve seen a surge of patches from various ARM vendors that have collaborated on a wide range of updates from new drivers to architecture to security."
WordPress 4.7 “Vaughan†has been released. Thisversion includes a new default theme, adds new features to the customizer,comes with REST API endpoints for posts, comments, terms, users, meta, andsettings, and more."To help give you a solid base to build from, individual themes can provide starter content that appears when you go to customize your brand new site. This can range from placing a business information widget in the best location to providing a sample menu with social icon links to a static front page complete with beautiful images. Don’t worry – nothing new will appear on the live site until you’re ready to save and publish your initial theme setup."
The maintainer model is deeply ingrained into the culture of thefree-software community; for any bit of code, there is usually a developer(or a small group of developers) charged with that code's maintenance.Good maintainers can help a project run smoothly, while poor maintainerscan run things into the ground. What is to be done to save a project withthe latter type of maintainer? Forking can be an option in some casesbut, in many others, it's not a practical alternative. The Debian projectis currently discussing its approach to bad maintainers — a discussion which has taken asurprising turn.
James Bottomley has posted atutorial on using the trusted platform module to store cryptographickeys. "The main thing that came out of this discussion was that alot of this stack complexity can be hidden from users and we shouldconcentrate on making the TPM 'just work' for all cryptographic functionswhere we have parallels in the existing security layers (like thekeystore). One of the great advantages of the TPM, instead of messingabout with USB pkcs11 tokens, is that it has a file format for TPM keys(I’ll explain this later) which can be used directly in place of standardprivate key files."
The 4.9-rc8 kernel prepatch is out; thefinal 4.9 release will need one more week. "So if anybody has beenfollowing the git tree, it should come as no surprise that I ended up doingan rc8 after all: things haven't been bad, but it also hasn't been thecomplete quiet that would have made me go 'no point in doing anotherweek'."
Over at Opensource.com, Rich Bowen gives an overview of the changes in the OpenStack Newton release that was made in October. In it, he looks at each of sub-projects and highlights some of the changes for them that were in the release, which is also useful as a kind high-level guide to some of the various sub-projects and their roles. "With a product as large as OpenStack, summarizing what's new in a particular release is challenging. (See the full release notes for more details.) Each deployment of OpenStack might use a different combination of services and projects, and so will care about different updates. Added to that, the release notes for the various projects tend to be extremely technical in nature, and often don't do a great job of calling out the changes that will actually be noticed by either operators or users."
Google's Project Zero blog has a detailed look at exploiting a vulnerability in Android's ashmem shared-memory facility. "The mismatch between the mmap-ed and munmap-ed length provides us with a great exploitation primitive! Specifically, we could supply a short length for the mmap operation and a longer length for the munmap operation - thus resulting in deletion of an arbitrarily large range of virtual memory following our bitmap object. Moreover, there’s no need for the deleted range to contain one continuous memory mapping, since the range supplied in munmap simply ignores unmapped pages.Once we delete a range of memory, we can then attempt to “re-capture†that memory region with controlled data, by causing another allocation in the remote process. By doing so, we can forcibly “free†a data structure and replace its contents with our own chosen data -- effectively forcing a use-after-free condition."
Arch Linux has updated firefox(two vulnerabilities) and thunderbird (code execution).CentOS has updated thunderbird (C6; C5: code execution).Debian-LTS has updated firefox-esr (multiple vulnerabilities), imagemagick (multiple vulnerabilities, many from 2014 and 2015), monit (cross-site request forgery), tomcat6 (multiple vulnerabilities), and tomcat7 (multiple vulnerabilities).Fedora has updated calamares (F25; F24:encryption bypass), jenkins (F25: code execution), jenkins-remoting (F25: code execution), moin (F25; F24; F23: cross-site scripting flaws), mujs (F23: multiple vulnerabilities), and zathura-pdf-mupdf (F23: multiple vulnerabilities).Gentoo has updated davfs2(privilege escalation from 2013) and gnupg(flawed random number generation).openSUSE has updated libtcnative-1-0 (42.2, 42.1: SSL improvements)and pacemaker (42.2: two vulnerabilities).Oracle has updated firefox (OL7; OL6; OL5: code execution).Red Hat has updated firefox (codeexecution).SUSE has updated kernel (SLE11: multiple vulnerabilities, some from 2013 and 2015)and ImageMagick(SLE11: multiple vulnerabilities, some from 2014 and 2015).Ubuntu has updated ghostscript(multiple vulnerabilities, one from 2013) and oxide-qt (16.10,16.04, 14.04: multiple vulnerabilities).
The Google security blog announcesthe OSS-Fuzz project, which performs continuous fuzz testing offree-software project repositories. "OSS-Fuzz has already found 150bugs in several widely used open source projects (and churns ~4 trilliontest cases a week). With your help, we can make fuzzing a standard part ofopen source development, and work with the broader community of developersand security testers to ensure that bugs in critical open sourceapplications, libraries, and APIs are discovered and fixed."
Version 5.5 of the Ardouraudio editor has been released. "Among the notable new featuresare support for VST 2.4 plugins on OS X, the ability to have MIDI inputfollow MIDI track selection, support for Steinberg CC121, Avid Artist &Artist Mix Control surfaces, 'fanning out' of instrument outputs to newtracks/busses and the often requested ability to do horizontal zoom viavertical dragging on the rulers."
Debian has updated firefox-esr(code execution).Debian-LTS has updated gst-plugins-good0.10 (three code execution flaws).Gentoo has updated imagemagick(multiple vulnerabilities) and php (multiple vulnerabilities, one from 2015).openSUSE has updated bash (42.1:multiple vulnerabilities, two from 2014) and libcares2 (13.2:code execution).Slackware has updated firefox(code execution) and thunderbird (codeexecution).Ubuntu has updated c-ares (codeexecution), firefox (two vulnerabilities),imagemagick (multiple vulnerabilities), kernel (16.10; 16.04;14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities),linux-lts-xenial (14.04: multiple vulnerabilities), linux-ti-omap4 (12.04: code execution), and thunderbird (multiple vulnerabilities).
Cyanogen Inc. has put out a terse press releaseannouncing the departure of founder (and CyanogenMod creator) SteveKondik. See thisrather less terse Android Police article for Kondik's view of thematter. The future of the CyanogenMod distribution seems unclear at thispoint; if it goes forward, it may have to do so with a different name.
As covered here in January, changes to theGNU C Library's memory-allocation routines have broken the "unexec" methodused to build the Emacs editor. Fixing this problem has proved to be morechallenging than originally thought; that issue has now come to a head in adisagreement that could cost the Emacs community one of its maintainers.
The Git project has announcedthe release of Git 2.11.0. This version prints longer abbreviatedSHA-1 names and has better tools for dealing with ambiguous short SHA-1s,it's faster at accessing delta chains, and has other performanceenhancements, and much more. The releasenotes contain more details.
CentOS has updated expat (C6:code execution) and memcached (C6: code execution).openSUSE has updated ffmpeg(Leap42.2: heap corruption) and virtualbox(Leap42.2: multiple unspecified vulnerabilities).Oracle has updated expat (OL7; OL6: code execution).Red Hat has updated expat(RHEL6,7: code execution) and thunderbird(RHEL5,6,7: multiple vulnerabilities).SUSE has updated mariadb (SLE12-SP1,2; SLES12: multiple vulnerabilities) and qemu (SLES12: multiple vulnerabilities).Ubuntu has updated python-cryptography (16.10, 16.04: bad key generation) and vim (code execution).
InfoWorld looksat the underfunded NTP project. "NTP is more than 30 years old—it may be the oldest codebase running on the internet. Despite some hiccups, it continues to work well. But the project’s future is uncertain because the number of volunteer contributors has shrunk, and there’s too much work for one person—principal maintainer Harlan Stenn—to handle. When there is limited support, the project has to pick and choose what tasks it can afford to complete, which slows down maintenance and stifles innovation."
Harald Welte looksback at the Openmoko phone with a ten-year perspective (and an almostunreadable low-contrast web page). "So yes, the smartphone world ismuch more restricted, locked-down and proprietary than it was back in theOpenmoko days. If we had been more successful then, that world might bequite different today. It was a lost opportunity to make the world embracemore freedom in terms of software and hardware."
The 4.9-rc7 kernel prepatch is out. Linussays that things are shaping up and it is possible, but perhaps not likely,that the final 4.9 release will happen on December 4. "Ibasically reserve the right to make up my mind next weekend."
Greg Kroah-Hartman has announced the release of the 4.8.11 and 4.4.35 stable kernels. As usual, they containfixes throughout the kernel tree and users of those kernel series shouldupgrade.
The Verge looksat legislation in the UK that would allow police and intelligenceagencies to legally spy on its own people. "The legislation in question is called the Investigatory Powers Bill. It’s been cleared by politicians and awaits only the formality of royal assent before it becomes law. The bill will legalize the UK’s global surveillance program, which scoops up communications data from around the world, but it will also introduce new domestic powers, including a government database that stores the web history of every citizen in the country. UK spies will be empowered to hack individuals, internet infrastructure, and even whole towns — if the government deems it necessary."
The Fedora 25 release is now available "The Fedora Project is pleased to announce the immediate availability ofFedora 25, the next big step our journey into the containerized, modularfuture!" See the announcement and therelease notes for details on the many changes in this release.
Clement Lefebvre has announcedthe release of Cinnamon 3.2. This version has QT 5.7+ support, supportfor libinput touchpads as well as synaptics, and many more changes acrossthe stack.
Fedora Magazine has a briefoverview of the changes to be found in the workstation version of theFedora 25 release. "Wayland now replaces the old X11 displayserver by default. Its goal is to provide a smoother, richer experiencewhen navigating Fedora Workstation. Like all software, there may still besome bugs. You can still choose the old X11 server if required."
Linus has released the 4.9-rc6 kernelprepatch for testing. "We're getting further in the rc series, andwhile things have stayed pretty calm, I'm not sure if we're quite thereyet. There's a few outstanding issues that just shouldn't be issues at rc6time, so we'll just have to see. This may be one of those releases thathave an rc8, which considering the size of 4.9 is perhaps not thatunusual."
The stable kernel machine continues to produce updates; the latest are 4.8.9 and 4.4.33. Each contains the usual set ofimportant fixes. Note that 4.8.10 and4.4.34 are already in the review process;they can be expected on or after November 21.
The Linux Foundation has announced that it is consolidating three conferences under one name going forward. LinuxCon, CloudOpen, and ContainerCon join together under the "Linux Foundation Open Source Summit" name. For 2017, that encompasses three events: OSS Japan in Tokyo May 31-June 2, OSS North America in Los Angeles September 11-13, and OSS Europe in Prague October 23-25. "The Linux Foundation Open Source Summit in North America and Europe will also contain a brand new event, Community Leadership Conference. Attendees will have access to sessions across all events in a single venue, enabling them to collaborate and share information across a wide range of open source topics and areas of technology. They can take advantage of not only unparalleled educational opportunities, but also an expo hall, networking activities, hackathons, additional co-located events and The Linux Foundation’s diversity initiatives, including free childcare, nursing rooms, non-binary restrooms and a diversity luncheon."
The Tor blog has a post about the refresh of its Tor-enabled Android phone prototype, which is now in a workable state though it still has some rough edges. There is also a worrisome trend that the post highlights:"It is unfortunate that Google seems to see locking down Android as the only solution to the fragmentation and resulting insecurity of the Android platform. We believe that more transparent development and release processes, along with deals for longer device firmware support from SoC vendors, would go a long way to ensuring that it is easier for good OEM players to stay up to date. Simply moving more components to Google Play, even though it will keep those components up to date, does not solve the systemic problem that there are still no OEM incentives to update the base system. Users of old AOSP base systems will always be vulnerable to library, daemon, and operating system issues. Simply giving them slightly more up to date apps is a bandaid that both reduces freedom and does not solve the root security problems. Moreover, as more components and apps are moved to closed source versions, Google is reducing its ability to resist the demand that backdoors be introduced. It is much harder to backdoor an open source component (especially with reproducible builds and binary transparency) than a closed source one."
Arch Linux has updated firefox(multiple vulnerabilities), libgit2 (two vulnerabilities), python-django (two vulnerabilities), and python2-django (two vulnerabilities).Debian has updated firefox-esr (multiple vulnerabilities).Fedora has updated bind99 (F24:two vulnerabilities), firefox (F24: multiple vulnerabilities),and kernel (F24: denial of service).Gentoo has updated libuv(privilege escalation from 2015).Mageia has updated nss, firefox (multiple vulnerabilities).Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities) and nss and nss-util (OL7; OL6; OL5: twovulnerabilities).Red Hat has updated openssl(RHEL6: denial of service).
The EuroPython Society sharesthe sad news that Rob Collins has passed away. "Many of you may know Rob from the sponsored massage sessions he regularly ran at EuroPython in recent years and which he continued to develop, taking them from a single man setup (single threaded process) to a group of people setup by giving workshops (multiprocessing) and later on by passing on his skills to more leaders (removing the GIL) to spread wellness and kindness throughout our conference series."
Debian has updated akonadi (denial of service), gst-plugins-bad0.10 (code execution), and moin (cross-site scripting).Debian-LTS has updated mysql-5.5(multiple unspecified vulnerabilities) and postgresql-9.1 (PostgreSQL 9.1 is eol, usersare encouraged to upgrade).Mageia has updated libarchive (unspecified).openSUSE has updated pcre (13.2: multiple vulnerabilities).Oracle has updated 389-ds-base(OL6: three vulnerabilities) and kernel(OL6: multiple vulnerabilities).Red Hat has updated 389-ds-base(RHEL6: three vulnerabilities), atomic-openshift (RHOSCP3.3: redirect networktraffic), atomic-openshift-utils(RHOSCP3.2,3.3: code execution), firefox(RHEL5,6,7: multiple vulnerabilities), kernel (RHEL6: two vulnerabilities), and nss and nss-util (RHEL5,6,7: three vulnerabilities).
The Linux Foundation has announced that Microsoft has joined as a platinummember. "From cloud computing and networking to gaming, Microsoft has steadilyincreased its engagement in open source projects and communities. Thecompany is currently a leading open source contributor on GitHub andearlier this year announced several milestones that indicate the scope ofits commitment to open source development."
Mozilla has released Firefox 50.0. This version features improvedperformance for SDK extensions or extensions using the SDK module loader,added download protection for a large number of executable file types,added option to Find in page that allows users to limit search to wholewords only, and more. See the releasenotes for details.
Arch Linux has updated shutter (code execution).Debian-LTS has updated sudo (privilege escalation).Fedora has updated libgit2 (F24:unspecified), memcached (F24; F23: code execution), python-django (F24: two vulnerabilities), and tre (F24; F23: code execution).Gentoo has updated libpng(multiple vulnerabilities), polkit(privilege escalation), tnftp (commandexecution from 2014), xen (multiplevulnerabilities), and xinetd (privilegeescalation from 2013).openSUSE has updated Chromium (SPH for SLE12; Leap42.2, Leap42.1, 13.2: multiple vulnerabilities).Oracle has updated policycoreutils (OL7; OL6: sandbox escape).Red Hat has updated chromium-browser (RHEL6: multiplevulnerabilities), qemu-kvm-rhev (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: denial ofservice), rh-mysql56-mysql (RHSCL: multiplevulnerabilities), and rh-php56 (RHSCL: multiple vulnerabilities).
Hector Marco and Ismael Ripoll reporta discouraging vulnerability in many encrypted disk setups: simply runningup too many password failures will eventually result in a root shell."This vulnerability allows to obtain a root initramfs shell onaffected systems. The vulnerability is very reliable because it doesn'tdepend on specific systems or configurations. Attackers can copy, modify ordestroy the hard disc as well as set up the network to exfiltratedata. This vulnerability is specially serious in environments likelibraries, ATMs, airport machines, labs, etc, where the whole boot processis protect (password in BIOS and GRUB) and we only have a keyboard or/and amouse."
The KDE Project has a littleproblem to report for users of the KDEneon distribution: "The package archive used by KDE neon wasincorrectly configured allowing anyone to upload packages to it. There isno reason to think that anyone actually did so but as a precaution we haveemptied the archives and removed ISOs built before this date." Oncethe process of rebuilding the archive is complete, users are recommended toupgrade to the new versions, or, better, simply reinstall.
LWN.net