Users of the Subversion source-code management system may want to take a look at this post from Mark Phippard. He explains how hash collisions can corrupt a repository and a couple of short-term workarounds. "The quick summary if you do not want to read this entire post is that the problem is really not that bad. If you run into it there are solutions to resolve it and you are not going to run into it in normal usage. There will also likely be some future updates to Subversion that avoid it entirely so if you regularly update your server and client when new releases come out you are probably safe not doing anything and just waiting for an update to happen."
The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.
The 4.9.13 and 4.4.52 stable kernels are out; these relatively small updates contain the usual set of important fixes. Update: the 4.10.1 update is out as well (thanks to Thorsten Leemhuis).
Security updates have been issued by CentOS (kernel and qemu-kvm), Debian (bind9, cakephp, munin, and shadow), Fedora (python-cjson, python-PyMySQL, quagga, util-linux, and xen), Mageia (kernel kmod and kernel-tmb), Oracle (kernel), Red Hat (kernel), and Scientific Linux (kernel).
Linus Torvalds has posted a lengthy explanation of why the recently created SHA-1 collision is not an emergency for Git users. "In the pdf examples, the pdf format acted as the 'black box', and what you see is the printout which has only a very indirect relationship to the pdf encoding. But if you use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice." That said, he notes that there is work in progress to move away from SHA-1. [It seems that subversion users have an additional set of concerns; see this bug report conversation for the scary story.]
Thanks to Josh Triplett for sending us this Google Project Zero report about a dump of uninitialized memory caused by Cloudflare's reverse proxies. "A while later, we figured out how to reproduce the problem. It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers. We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security."
Security updates have been issued by Debian (libreoffice and phpmyadmin), Fedora (kopete and xrdp), Oracle (kernel and qemu-kvm), Red Hat (kernel and qemu-kvm), Scientific Linux (kernel and qemu-kvm), and Ubuntu (LibreOffice and php7.0).
Over at the Red Hat Developers blog, Martin Sebor looks at some new (or enhanced) warnings available in GCC 7 that will help catch various types of memory errors. For example: "The -Wformat-overflow=level option detects certain and likely buffer overflow in calls to the sprintf family of formatted output functions. The option starts by determining the size of the destination buffer, which can be allocated either statically or dynamically. It then iterates over directives in the format string, calculating the number of bytes each result in output. For integer directives like %i and %x it tries to determine either the exact value of the argument or its range of values and uses the result to calculate the exact or minimum and maximum number of bytes the directive can produce. Similarly for floating point directives such as %a and %f, and string directives such as %s. When it determines that the likely number of bytes a directive results in will not fit in the space remaining in the destination buffer it issues a warning."
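As an added illustration of the analysis Sebor describes (a constructed model written for this page, not GCC's implementation): it walks the format string, derives the minimum and maximum bytes each %i, %x or %s directive can produce from the argument's known value range, adds the terminating NUL, and separates a certain overflow (what -Wformat-overflow=1 reports) from a likely one (-Wformat-overflow=2). The names `Range`, `directive_bytes` and `analyze` are this example's own.

```python
"""Simplified model of the -Wformat-overflow analysis described above.

Constructed for illustration, not GCC's code.  It walks the format string
as the checker does: literal text counts as-is, each %i/%d, %x or %s
directive contributes the min and max bytes it can produce for the
argument's known range, the terminating NUL is added, and the totals are
compared with the destination size.  Flags, widths, precisions and %%
are not modelled.
"""
import re
from dataclasses import dataclass

DIRECTIVE = re.compile(r"%([dixs])")


@dataclass(frozen=True)
class Range:
    """Inclusive range: an integer's value, or a string's strlen()."""
    lo: int
    hi: int


def directive_bytes(conv: str, arg: Range) -> tuple:
    """(min, max) bytes the directive can produce over the argument's range."""
    if conv in "di":
        # Width grows with magnitude, so the maximum is at an endpoint; the
        # minimum is 1 byte ("0") whenever the range contains zero.
        candidates = {arg.lo, arg.hi} | ({0} if arg.lo <= 0 <= arg.hi else set())
        widths = [len(str(v)) for v in candidates]   # str() includes '-'
        return min(widths), max(widths)
    if conv == "x":
        if arg.lo < 0:
            raise ValueError("%x is modelled for non-negative ranges only")
        return len(format(arg.lo, "x")), len(format(arg.hi, "x"))
    if conv == "s":
        return arg.lo, arg.hi
    raise ValueError("unsupported directive %" + conv)


def analyze(fmt: str, dest_size: int, args) -> dict:
    """Classify sprintf(dest, fmt, *args) for a dest_size-byte destination.

    "certain" mirrors -Wformat-overflow=1 (even the shortest output overflows),
    "likely" mirrors -Wformat-overflow=2 (only the longest output overflows).
    """
    remaining = list(args)
    lo = hi = pos = 0
    for m in DIRECTIVE.finditer(fmt):
        literal = m.start() - pos            # text between directives
        d_lo, d_hi = directive_bytes(m.group(1), remaining.pop(0))
        lo += literal + d_lo
        hi += literal + d_hi
        pos = m.end()
    tail = len(fmt) - pos + 1                # trailing text plus the NUL
    lo += tail
    hi += tail
    if lo > dest_size:
        verdict = "certain"
    elif hi > dest_size:
        verdict = "likely"
    else:
        verdict = "ok"
    return {"min": lo, "max": hi, "verdict": verdict}


if __name__ == "__main__":
    int32 = Range(-2**31, 2**31 - 1)
    print(analyze("%i", 8, [int32]))                       # 'likely': 2..12 bytes
    print(analyze("id=%i", 4, [Range(0, 9)]))              # 'certain': always 5
    print(analyze("%s/%x", 16, [Range(0, 3), Range(0, 0xffff)]))  # 'ok': 3..9
```

The three constructed calls correspond to `char buf[8]; sprintf(buf, "%i", n)` with an unconstrained int, `char buf[4]; sprintf(buf, "id=%i", n)` with n known to be a single digit, and a 16-byte buffer that always fits.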
Andrey Konovalov has announced the discovery and fix of a local privilege escalation in the Linux kernel. Using the syzkaller fuzzer (which LWN looked at around one year ago), he found a double-free in the Datagram Congestion Control Protocol (DCCP) implementation that goes back to at least September 2006 (2.6.18), but probably all the way back to the introduction of DCCP in October 2005 (2.6.14). "[At] this point we have a use-after-free on some_object. An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel. I'll publish an exploit in a few days, giving people time to update."
Greg Kroah-Hartman has announced the release of the 4.9.12 and 4.4.51 stable kernels. As usual, there are important fixes in the updates and users of those kernels should upgrade.
Security updates have been issued by Arch Linux (bzip2, kernel, and linux-zen), CentOS (kernel), Debian (bitlbee, kernel, and tomcat7), Fedora (diffoscope, mujs, pcre, plasma-desktop, and tomcat), Mageia (libpcap/tcpdump and spice), Oracle (kernel), Red Hat (kernel, kernel-rt, and python-oslo-middleware), SUSE (php5 and util-linux), Ubuntu (imagemagick), and openSUSE (gd, kernel, libXpm, and libquicktime).
The final version of the LEDE router distribution's 17.01.0 release is now available. "LEDE 17.01.0 "Reboot" incorporates thousands of commits over the last nine months of effort. With this release, the LEDE development team closes out an intense effort to modernize many parts of OpenWrt and incorporate many new modules, packages, and technologies." LWN recently reviewed a release-candidate version of LEDE 17.01.
The Google security blog carries the news of the first deliberately constructed SHA-1 hash collision. "We started by creating a PDF prefix specifically crafted to allow us to generate two documents with arbitrary distinct visual contents, but that would hash to the same SHA-1 digest. In building this theoretical attack in practice we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed." The SHA-1 era is truly coming to an end, even if most attackers lack access to the computing resources needed for this particular exploit.
Tuukka Turunen presents a roadmap for Qt. "Qt 3D was first released with Qt 5.7 and in Qt 5.8 the focus was mostly on stability and performance. With Qt 5.9 we are providing many new features which significantly improve the functionality of Qt 3D. Notable new features include support for mesh morphing and keyframe animations, using Qt Quick items as a texture for 3D elements, as well as support for physically based rendering and particles. There are also multiple smaller features and improvements throughout the Qt 3D module."
Issues of when and how to enforce free-software licenses, and who should do it, have been on some people's minds recently, and Richard Fontana from Red Hat decided to continue the discussion at FOSDEM. This was a fairly lawyerly talk; phrases like "alleged violation" and "I think that..." were scattered throughout it to a degree not normally found in talks by developers. This is because Fontana is a lawyer at Red Hat, and he was talking about ideas which, while they are not official Red Hat positions, were developed following discussions between him and other members of the legal team at Red Hat. Subscribers can click below for the full report of the talk by guest author Tom Yates.
The year-2038 apocalypse is now just under 21 years away. For those who are curious about how the GNU C Library plans to deal with this problem, there is a draft design document out for review. "In order to avoid duplicating APIs for 32-bit and 64-bit time, glibc will provide either one but not both for a given application; the application code will have to choose between 32-bit or 64-bit time support, and the same set of symbols (e.g. time_t or clock_gettime) will be provided in both cases."
The 2017 Linux Plumbers Conference is set for September 13 to 15 in Los Angeles, California. The core of this event is the microconferences, focused gatherings that address a specific range of problems. The call for microconferences for the 2017 event is now out. "Good microconferences result in solutions to these problems and concerns, while the best microconferences result in patches that implement those solutions."
A group of Google developers has announced the release of (an early version of) a new global filesystem called "Upspin". "Upspin looks a bit like a global file system, but its real contribution is a set of interfaces, protocols, and components from which an information management system can be built, with properties such as security and access control suited to a modern, networked world. Upspin is not an 'app' or a web service, but rather a suite of software components, intended to run in the network and on devices connected to it, that together provide a secure, modern information storage and sharing network."
David Egts takes a look at the ESP8266 WiFi chip, on Opensource.com. "What is the ESP8266 exactly? The ESP8266 is a 32-bit RISC CPU made by Espressif Systems. Its clock runs at 80MHz, and it supports up to 16MB of flash RAM for program storage. These specifications are quite impressive when compared to an Arduino UNO, which runs at 16MHz, only has 32KB of RAM, and is several times more expensive. Another big difference is that the ESP8266 requires only 3.3 volts of power while most Arduinos require 5 volts. Keep this voltage difference in mind when extending your existing Arduino knowledge and projects to the ESP8266 to prevent magic smoke."
After taking a few years off, Jon Masters is restarting his kernel podcast. "In this week’s edition: Linus Torvalds announces Linux 4.10, Alan Tull updates his FPGA manager framework, and Intel’s latest 5-level paging patch series is posted for review. We will have this, and a summary of ongoing development in the first of the newly revived Linux Kernel Podcast."
Debian-LTS has updated gst-plugins-bad0.10 (two vulnerabilities), gst-plugins-base0.10 (two vulnerabilities), gst-plugins-good0.10 (two vulnerabilities), gst-plugins-ugly0.10 (two vulnerabilities), and wireshark (denial of service).
Fedora has updated bind (F24: denial of service), python-peewee (F25; F24: largely unspecified), sshrc (F25: unspecified), and zoneminder (F25; F24: information disclosure).
Gentoo has updated glibc (multiple vulnerabilities, most from 2014 and 2015), mupdf (three vulnerabilities), and ntfs3g (privilege escalation).
Mageia has updated gnutls (multiple vulnerabilities), gtk-vnc (two vulnerabilities), iceape (multiple vulnerabilities), jitsi (user spoofing), libarchive (denial of service), libgd (multiple vulnerabilities), lynx (URL spoofing), mariadb (multiple vulnerabilities, almost all unspecified), netpbm (multiple vulnerabilities), openjpeg2 (multiple vulnerabilities), tomcat (information disclosure), and viewvc (cross-site scripting).
openSUSE has updated chromium (42.2, 42.1: multiple vulnerabilities), firebird (42.2, 42.1: access restriction bypass), java-1_7_0-openjdk (42.2, 42.1: multiple vulnerabilities), mcabber (42.2: user spoofing), mupdf (42.2, 42.1: multiple vulnerabilities), open-vm-tools (42.1: CVE with no description from 2015), opus (42.2, 42.1: code execution), tiff (42.2, 42.1: code execution), and vim (42.1: code execution).
Red Hat has updated openssl (RHEL7&6: two vulnerabilities).
Scientific Linux has updated openssl (SL7&6: two vulnerabilities).
SUSE has updated kernel (SLE12: denial of service) and kernel (SLE11: multiple vulnerabilities, some from 2004, 2012, and 2015).
Ubuntu has updated python-crypto (16.10, 16.04, 14.04: regression in previous update).
Linus has released the 4.10 kernel. "On the whole, 4.10 didn't end up as small as it initially looked. After the huge release that was 4.9, I expected things to be pretty quiet, but it ended up very much a fairly average release by modern kernel standards." Features of note in this release include some long-awaited writeback throttling work, the ability to attach a BPF network filter to a control group, encryption in UBIFS filesystems, Intel cache-allocation technology support, and more. See the KernelNewbies 4.10 page for lots of details.
The SystemTap team has announced the 3.1 release of the tool that allows extracting performance and debugging information at runtime from the kernel as well as various user-space programs. New features include support for adding probes to Python 2 and 3 functions, Java probes now convert all parameters to strings before passing them to probes, a new @variance() statistical operator has been added, new sample scripts have been added, and more.
The Go team has announced the release of Go 1.8. "The compiler back end introduced in Go 1.7 for 64-bit x86 is now used on all architectures, and those architectures should see significant performance improvements. For instance, the CPU time required by our benchmark programs was reduced by 20-30% on 32-bit ARM systems. There are also some modest performance improvements in this release for 64-bit x86 systems. The compiler and linker have been made faster. Compile times should be improved by about 15% over Go 1.7. There is still more work to be done in this area: expect faster compilation speeds in future releases." See the release notes for more details.
Arch Linux has updated gvim (code execution) and vim (code execution).
Red Hat has updated openstack-cinder, openstack-glance, and openstack-nova (OSP7.0: denial of service from 2015).
SUSE has updated kernel (SLE12: many vulnerabilities, some from 2015 and 2014).
Ubuntu has updated libgc (code execution) and openjdk-6 (12.04: multiple vulnerabilities).
Mark Radcliffe surveys the most important legal issues surrounding free and open-source software on opensource.com. "The challenge for the Linux community is to decide when to bring litigation to enforce the GPLv2. What it means in many situations is that to be compliant is currently left to individual contributors rather than being based on a set of community norms. As Theodore Ts'o noted, this issue really concerns project governance. Although permitting individual contributors to make these decisions may be the Platonic ideal, the tradeoff is ambiguity for users trying to be compliant as well as the potential for rogue members of the community (like McHardy) to create problems. The members of the Linux community and other FOSS communities need to consider how they can best assist the members of their community to understand what compliance means and to determine when litigation might be useful in furtherance of the community's goals."
The TensorFlow 1.0 release is available, bringing an API stability guarantee to this machine-learning library from Google. "TensorFlow 1.0 introduces a high-level API for TensorFlow, with tf.layers, tf.metrics, and tf.losses modules. We've also announced the inclusion of a new tf.keras module that provides full compatibility with Keras, another popular high-level neural networks library."
Tom Callaway seems to be a very nice person who has been overclocked to about 140% normal human speed. In only 20 minutes he gave an interesting and highly-amusing talk that could have filled a 45-minute slot on the legal principles that underpin Fedora, how they got that way, and how they work out in practice. Subscribers can click below for the full report from FOSDEM by guest author Tom Yates.
CentOS has updated bind (C7: denial of service).
Debian has updated libevent (three vulnerabilities).
Debian-LTS has updated libevent (three vulnerabilities).
Fedora has updated lynx (F25: invalid URL parsing) and xen (F25: multiple vulnerabilities).
Oracle has updated bind (OL7: denial of service).
Red Hat has updated bind (RHEL7: denial of service), flash-plugin (RHEL6: multiple vulnerabilities), and kernel (RHEL7.1: code execution).
Scientific Linux has updated bind (SL7: denial of service).
SUSE has updated java-1_8_0-ibm (SLE12-SP1,2: multiple vulnerabilities) and kernel (SLE12-SP1: multiple vulnerabilities).
Ubuntu has updated php5 (14.04, 12.04: multiple vulnerabilities).
TechRepublic reports that the Munich, Germany city council has voted to begin the move back to proprietary desktop software. "Under a proposal backed by the general council, the administration will investigate how long it will take and how much it will cost to build a Windows 10 client for use by the city's employees. Once this work is complete, the council will vote again on whether to replace LiMux, a custom version of the Linux-based OS Ubuntu, across the authority from 2021."
David Malcolm takes a look at the testing going into the upcoming GCC 7.0 release. "The other new approach is in unit-testing: GCC’s existing testing was almost all done by verifying the externally-visible behavior of the program, but we had very little direct coverage of specific implementation subsystems; this was done in a piecemeal fashion using testing plugins. To address this, I’ve added a unit-testing suite to GCC 7, which is run automatically during a non-release build. Compilers use many data structures, so the most obvious benefit is that we can directly test corner-cases in these. As a relative newcomer to the project, one of my “pain points” learning GCC’s internals was the custom garbage collector it uses to manage memory. So, I’m very happy that the test suite now has specific test coverage for various aspects of the collector, which should make the compiler more robust when handling very large input files."
CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities).
Debian has updated tomcat7 (denial of service), tomcat8 (denial of service), and vim (buffer overflow).
Debian-LTS has updated tomcat7 (denial of service).
Fedora has updated bind (F25: denial of service), kernel (F25; F24: two vulnerabilities), netpbm (F25: three vulnerabilities), tcpdump (F25: multiple vulnerabilities), vim (F25: buffer overflow), and w3m (F25: unspecified).
Gentoo has updated openssl (multiple vulnerabilities) and virtualbox (multiple vulnerabilities).
openSUSE has updated kernel (42.2; 42.1: multiple vulnerabilities).
Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).
For some years, OpenWrt has arguably been the most active router-oriented distribution. Things changed in May of last year, though, when a group of OpenWrt developers split off to form the competing LEDE project. While the LEDE developers have been busy, the project has yet to make its first release. That situation is about to change, though, as evidenced by the LEDE v17.01.0-rc1 release candidate, which came out on February 1.
Arch Linux has updated ffmpeg (two vulnerabilities), kdenetwork-kopete (social engineering attacks), and webkit2gtk (multiple vulnerabilities).
Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and vim (buffer overflow).
Fedora has updated epiphany (F24: password extraction sweep attack).
Gentoo has updated gnutls (multiple vulnerabilities), graphviz (multiple vulnerabilities from 2014), and lsyncd (command injection from 2014).
Mageia has updated audacious-plugins (multiple vulnerabilities), calibre (information leak), and nagios (two vulnerabilities).
openSUSE has updated irssi (42.2, 42.1: memory leak), libxml2 (42.2: three vulnerabilities), and tigervnc (42.2, 42.1: denial of service).
Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and kernel 2.6.39 (OL6; OL5: multiple vulnerabilities).
Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities).
Scientific Linux has updated java-1.7.0-openjdk (SL5,6,7: multiple vulnerabilities).
Slackware has updated bind (denial of service), openssl (three vulnerabilities), php (multiple vulnerabilities), and tcpdump (multiple vulnerabilities).
Linus has released one more kernel prepatch, 4.10-rc8, rather than the final 4.10 release that had been expected. He said that 4.10 could have come out this week, but he thought better of it. "But I decided that there's also no huge overriding reason to do so (other than getting back to the usual "rc7 is the last rc" schedule, which would have been nice), and with travel coming up, I decided that I didn't really need to open the merge window. I've done merge windows during travel before, but I just prefer not to."
Sailfish OS 2.1.0 Iijoki has been released. "Iijoki brings major architectural changes to Sailfish OS by introducing Qt 5.6 UI framework, BlueZ 5 Bluetooth stack and basic implementations of 64-bit architecture. It also brings improvements to the camera software with faster shutter speeds, initial support for Virtual Private Networks (VPN), option to enlarge UI fonts to different levels and last but not least, a large number of bug and error fixes mostly reported by our community." The release notes contain additional details.
Arch Linux has updated bind (denial of service).
Debian has updated jasper (multiple vulnerabilities).
Debian-LTS has updated mysql-5.5 (code execution) and viewvc (cross-site scripting).
Fedora has updated bitlbee (F24: denial of service), gnome-boxes (F24: password disclosure), gtk-vnc (F25: two vulnerabilities), iio-sensor-proxy (F24: authentication bypass), java-1.8.0-openjdk-aarch32 (F25; F24: multiple vulnerabilities), libwmf (F25: multiple vulnerabilities), mariadb (F24: multiple vulnerabilities), openssl (F24: three vulnerabilities), quagga (F25: denial of service), spice (F25; F24: two vulnerabilities), viewvc (F24: cross-site scripting), and wireshark (F25: two denial of service flaws).
Gentoo has updated firejail (incomplete fix for previous vulnerability).
SUSE has updated opus (SLE12: code execution) and kernel (SLE11: multiple vulnerabilities).
Ubuntu has updated linux-raspi2 (16.10: multiple vulnerabilities), linux-ti-omap4 (12.04: two vulnerabilities), and nova-lxd (16.04: ).
Debian has updated openjdk-7 (multiple vulnerabilities), php5 (multiple vulnerabilities), and viewvc (cross-site scripting).
Fedora has updated bitlbee (F25: denial of service), mariadb (F25: multiple vulnerabilities), redis (F25: two vulnerabilities), and viewvc (F25: cross-site scripting).
openSUSE has updated libplist (42.2, 42.1: two vulnerabilities), opera (42.2, 42.1: multiple vulnerabilities), and rubygem-minitar (42.2: file overwrite).
Red Hat has updated java-1.8.0-ibm (RHEL7&6: multiple vulnerabilities).
SUSE has updated firefox (SLE11; SLE12: multiple vulnerabilities).
Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities) and oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).
High-speed networking was once, according to Andy Wingo in his 2017 linux.conf.au presentation, the domain of "the silicon people". But that situation is changing, and now any hacker can work with networking at the highest speeds. There is one little catch: one must dispense with the kernel's network stack and do the work in user space. Happily, not all of the solutions in this area are proprietary; he was there to talk about the Snabb networking toolkit and what can be done with it.
Debian-LTS has updated php5 (multiple vulnerabilities).
Fedora has updated calibre (F25; F24: information leak), gnome-boxes (F25: password disclosure), and openssl (F25: three vulnerabilities).
openSUSE has updated irssi (SPH for SLE12: memory leak) and spice (42.2; 42.1: two vulnerabilities).
SUSE has updated mariadb (SLE12-SP1,2; SLES12: multiple vulnerabilities).