The Core Infrastructure Initiative (CII) has announced continued financial support for the Reproducible Builds Project. "The grant extends the contribution to include Debian developers Chris Lamb, Mattia Rizzolo, Ximin Luo and Vagrant Cascadian, as well as extending funding for Holger Levsen. Furthermore, this contribution adds support for Ed Maste, working with FreeBSD." (Thanks to Paul Wise)
Getting live-patching capabilities into the mainline kernel has been a multi-year process. Basic patching support was merged for the 4.0 release, but further work has been stalled over disagreements on how the consistency model — the code ensuring that a patch is safe to apply to a running kernel — should work. The addition of kernel stack validation has addressed the biggest of the objections, so, arguably, it is time to move forward. At the 2016 Linux Plumbers Conference, developers working on live patching got together to discuss current challenges and future directions. Click below (subscribers only) for the full report from LPC 2016.
CentOS has updated java-1.7.0-openjdk (C6: multiple vulnerabilities), libgcrypt (C6: flawed random number generation), and pacemaker (C6: privilege escalation). Debian has updated mariadb-10.0 (multiple vulnerabilities) and terminology (command execution). Fedora has updated bind (F24: denial of service), mingw-libwebp (F24: integer overflows), sudo (F24: privilege escalation), and tomcat (F24; F23: multiple vulnerabilities). Mageia has updated libwmf (denial of service), monit (cross-site request forgery), python-cryptography (returns empty byte-string), and quagga (stack overrun). openSUSE has updated flash-player (13.1: multiple vulnerabilities), mysql-community-server (Leap42.2: multiple vulnerabilities), and opera (Leap42.2; Leap42.1: multiple vulnerabilities). Red Hat has updated policycoreutils (RHEL6,7: sandbox escape). SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities) and mysql (SLE11-SP4: three vulnerabilities).
The 4.9-rc5 kernel prepatch is out. Linus says: "Things have definitely gotten smaller, so a normal release schedule (with rc7 being the last one) is still looking possible despite the large size of 4.9. But let's see how things work out over the next couple of weeks. In the meantime, there's a lot of normal fixes in here, and we just need more testing."
Over at Linux Journal, Susan Sons has a lengthy article on security exercises, which are a way to test the readiness of a project or organization for some kind of security problem. "Scheduling exercises at a predictable time and reminding others when it will happen prevents confusion among staff. It is wise to begin with low-impact exercises (more on this below) that don't leverage production systems, and move on to higher-potential-impact exercises only when the organization's infrastructure and personnel have had most of the bugs shaken out. If something as small as a runaway process on a single server can seriously impact your business, it's better to find out at a planned time with all hands on deck than at 4am on a holiday when no one who knows what to do can be reached. The whole point of security exercises is to increase resilience: raise the threshold of what is normal for your team to deal with, what your systems can shrug off." She followed that article up with some example security exercises.
Christian Schaller writes that, after all these years, a stock Fedora system will be able to play MP3 files. "I know this has been a big wishlist item for a long time for a lot of people so I am really happy that we are finally in a position to fulfill that wish. You should be able to download the mp3 plugin on day 1 through GNOME Software or through the missing codec installer in various GStreamer applications. For Fedora Workstation 26 I would not be surprised if we decide to ship it on the install media."
Fedora has updated chromium (F24: multiple vulnerabilities), chromium-native_client (F24: multiple vulnerabilities), dracut (F24: information disclosure), jasper (F24: multiple vulnerabilities), and xen (F24: multiple vulnerabilities). Mageia has updated flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mariadb (multiple vulnerabilities). Red Hat has updated kernel (RHEL7.2: denial of service) and systemd (RHEL7.2: denial of service). SUSE has updated php5 (SLE12: three vulnerabilities). Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).
Neil Brown writes: "For a little longer than a year now, I have been using Notmuch as my primary means of reading email. Though the experience has not been without some annoyances, I feel that it has been a net improvement and expect to keep using Notmuch for quite some time." Click below (subscribers only) for his full report.
Debian has updated libxslt (code execution). Fedora has updated dbus (F23: code execution), firefox (F23: two vulnerabilities), and pacemaker (F23: privilege escalation). openSUSE has updated mariadb (13.2: multiple vulnerabilities) and nodejs (Leap42.1, 13.2: code execution). Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities). Scientific Linux has updated libgcrypt (SL6: flawed random number generation) and pacemaker (SL6: privilege escalation).
Dave Täht has been working to save the Internet for the last six years (at least). Recently, his focus has been on improving the performance of networking over WiFi — performance that has been disappointing for as long as anybody can remember. The good news, as related in his 2016 Linux Plumbers Conference talk, is that WiFi can be fixed, and the fixes aren't even all that hard to do. Users with the right hardware and a willingness to run experimental software can have fast WiFi now, and it should be available for the rest of us before too long.
The digiKam Software Collection 5.3.0 has been released. This version is available as an AppImage bundle. "AppImage is an open-source project dedicated to provide a simple way to distribute portable software as compressed binary file, that standard user can run as well, without to install special dependencies. All is included into the bundle, as last Qt5 and KF5 frameworks. AppImage use Fuse file-system, which is de-compressed into a temporary directory to start the application. You don't need to install digiKam on your system to be able to use it. Better, you can use the official digiKam from your Linux distribution in parallel, and test the new version without any conflict with one used in production. This permit to quickly test a new release without to wait an official package dedicated for your Linux box. Another AppImage advantage is to be able to provide quickly a pre-release bundle to test last patches applied to source code, outside the releases plan."
The second service pack for SUSE Linux Enterprise Server, Desktop and other products has been released. Highlights include software defined networking and network function virtualization, the new SUSE Package Hub for package updates, the ability to skip service pack releases (e.g. upgrade from SLES 12 to SLES 12-SP2), architecture support for AArch64 and Raspberry Pi, and much more.
Debian has updated mat (information leak) and openjdk-7 (multiple vulnerabilities). Debian-LTS has updated python-imaging (two vulnerabilities). Fedora has updated ansible (F24: two vulnerabilities), ghostscript (F24: two vulnerabilities), icu (F24: code execution), java-1.8.0-openjdk-aarch32 (F24: multiple vulnerabilities), and kernel (F24: two vulnerabilities). openSUSE has updated bind (Leap42.1; 13.2: denial of service). Oracle has updated java-1.7.0-openjdk (OL6; OL5: multiple vulnerabilities) and libgcrypt (OL6: flawed random number generation). Red Hat has updated chromium-browser (RHEL6: memory leak), libgcrypt (RHEL6,7: flawed random number generation), pacemaker (RHEL6: privilege escalation), and qemu-kvm-rhev (RHOSP8; RHOSP9: denial of service). Scientific Linux has updated java-1.7.0-openjdk (SL5,6: multiple vulnerabilities).
HackerBoards takes a look at the 64-bit Orange Pi. "Shenzhen Xunlong is keeping up its prolific pace in spinning off new Allwinner SoCs into open source SBCs, and now it has released its first 64-bit ARM model, and one of the cheapest quad-core -A53 boards around. The Orange Pi PC 2 runs Linux or Android on a new Allwinner H5 SoC featuring four Cortex-A53 cores and a more powerful Mali-450 GPU."
The 4.9-rc4 kernel prepatch is out for testing. Linus says: "So I'm not going to lie: this is not a small rc, and I'd have been happier if it was. But it's not unreasonably large for this (big) release either, so it's not like I'd start worrying. I'm currently still assuming that we'll end up with the usual seven release candidates, assuming things start calming down. We'll see how that goes as we get closer to a release."
Opensource.com celebrates 25 years of Vim. "Vim is a flexible, extensible text editor with a powerful plugin system, rock-solid integration with many development tools, and support for hundreds of programming languages and file formats. Twenty-five years after its creation, Bram Moolenaar still leads development and maintenance of the project—a feat in itself! Vim had been chugging along in maintenance mode for more than a decade, but in September 2016 version 8.0 was released, adding new features to the editor of use to modern programmers."
ZDNet takes a look at the VoCore2, a coin-sized computer. "VoCore2 is an open source Linux computer and a fully-functional wireless router that is smaller than a coin. It can also act as a VPN gateway for a network, an AirPlay station to play lossless music, a private cloud to store your photos, video, and code, and much more. The Lite version of the VoCore2 features a 580MHz MT7688AN MediaTek system on chip (SoC), 64MB of DDR2 RAM, 8MB of NOR storage, and a single antenna slot for Wi-Fi that supports 150Mbps."
Arch Linux has updated lib32-gdk-pixbuf2 (denial of service). Debian has updated curl (multiple vulnerabilities) and memcached (code execution). Fedora has updated kdepimlibs (F24: three vulnerabilities), libwebp (F24: integer overflows), and quagga (F24; F23: three vulnerabilities). Gentoo has updated libreoffice (multiple vulnerabilities) and oracle-jre-bin (multiple vulnerabilities). Mageia has updated bind (denial of service), kernel-tmb (multiple vulnerabilities), php-adodb (two vulnerabilities), and rpm (code execution from 2014). openSUSE has updated jasper (13.2: multiple vulnerabilities, one from 2008). Oracle has updated kernel 4.1.12 (OL7; OL6: code execution) and kernel 3.8.13 (OL7; OL6: code execution). Red Hat has updated docker (RHEL7: privilege escalation). Scientific Linux has updated bind (SL5,6: denial of service) and bind97 (SL5: denial of service). Slackware has updated bind (denial of service) and curl (multiple vulnerabilities). SUSE has updated java-1_8_0-ibm (SLE12-SP1: three vulnerabilities) and xen (SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities). Ubuntu has updated curl (multiple vulnerabilities).
Opensource.com covers the Internet Archive's 20th birthday celebration. "Of all the projects announced during the event though, by far one of the most exciting and impressive is the newly released ability to search the complete contents of all text items on the Internet Archive. Nine million text items, covering hundreds of years of human history, are now searchable in an instant."
Red Hat has announced the release of Red Hat Enterprise Linux 7.3. "This update to Red Hat’s flagship Linux operating system includes new features and enhancements built around performance, security, and reliability. The release also introduces new capabilities around Linux containers and the Internet of Things (IoT), designed to help early enterprise adopters use existing investments as they scale to meet new business demands."
The 2016 Linux Foundation Technical Advisory Board election was held November 2 at the combined Kernel Summit and Linux Plumbers Conference events. Incumbent members Chris Mason and Peter Anvin were re-elected to the board; they will be joined by new members Olof Johansson, Dan Williams, and Rik van Riel. Thanks are due to outgoing members Grant Likely, Kristen Accardi, and John Linville.
The Mesa project has announced version 13.0.0 of the 3D graphics library that provides an open-source implementation of OpenGL. "This release has huge amount of features, but without a doubt the biggest ones are: Vulkan driver for hardware supported by the AMDGPU kernel driver [and] OpenGL 4.4/4.5 capability, yet the drivers may expose lower version due to pending Khronos CTS validation."
Linux.com has a transcript of Eben Moglen's talk in New York on October 28. "I have some fine clients and wonderful friends in this movement who have been getting rather angry recently. There is a lot of anger in the world, in fact, in politics. Our political movement is not the only one suffering from anger at the moment. But some of my angry friends, dear friends, friends I really care for, have come to the conclusion that they’re on a jihad for free software. And I will say this after decades of work—whatever else will be the drawbacks in other areas of life—the problem in our neighborhood is that jihad does not scale." There is a video of the talk available as well.
Version 2.0 of the Collabora Online Development Edition online office suite has been released. "Collabora Productivity, the developers behind LibreOffice Online, announced the release of CODE 2.0, including the latest and most requested feature from customers: collaborative editing. Developers and home users are encouraged to update, try this out and get involved with the latest developments." See this blog entry for lots of details.
Arch Linux has updated bind (denial of service). Debian has updated bind9 (denial of service) and tar (file overwrite). Debian-LTS has updated libwmf (denial of service), tiff (multiple vulnerabilities), and tiff3 (two vulnerabilities). Fedora has updated ecryptfs-utils (F23: two vulnerabilities), libass (F23: multiple vulnerabilities), libXfixes (F23: integer overflow), libXrandr (F23: insufficient validation), libXrender (F23: insufficient validation), libXtst (F23: insufficient validation), libXv (F23: insufficient validation), libXvMC (F23: insufficient validation), systemd (F23: denial of service), and tor (F23: denial of service). Mageia has updated libtiff (two vulnerabilities). Red Hat has updated java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), and java-1.8.0-ibm (RHEL6,7: multiple vulnerabilities). SUSE has updated bind (SLE12-SP1,2; SLES12: denial of service), curl (SLE12-SP1; SSO1.3: multiple vulnerabilities), nodejs4 (SLEM12: multiple vulnerabilities), php7 (SLEM12: many vulnerabilities), and php7 (SLEM12: three vulnerabilities in libgd). Ubuntu has updated bind9 (denial of service), dbus (denial of service from 2015), libgd2 (three vulnerabilities), mailman (two vulnerabilities), oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities), and python-django (two vulnerabilities).
InfoWorld takes a look at a C-to-Rust translation project called Corrode. "What Corrode does not do (yet) is take constructs specific to C and rewrite them in memory-safe Rust equivalents. In other words, it performs the initial grunt work involved in porting a project from C to Rust, but it leaves the heavier lifting -- for example, using Rust's idioms and language features -- to the developer."
The opening session at the 2016 Kernel Summit, led by Jiri Kosina, had to do with the process of creating stable kernel updates. There is, he said, a bit of a disconnect between what the various parties involved want, and that has led to trouble for the consumers of the stable kernel releases. Click below (subscribers only) for the first article from LWN's 2016 Kernel Summit coverage.
Minoca OS has been released under the GNU GPLv3. "Minoca OS is a general purpose operating system written completely from the ground up. It’s intended for devices looking to conserve power, memory, and storage. It aims to be lean, maintainable, modular, and compatible with existing software."
Arch Linux has updated libxml2 (two vulnerabilities) and memcached (three code execution vulnerabilities). Debian-LTS has updated libxml2 (two vulnerabilities) and tar (file overwrite). Fedora has updated tor (F24: denial of service). Gentoo has updated openvpn (information disclosure) and unzip (multiple vulnerabilities from 2014). Mageia has updated flash-player-plugin (code execution). Red Hat has updated kernel (RHEL6.6; RHEL6.4; RHEL6.2: two vulnerabilities), mariadb55-mariadb (RHSCL: multiple vulnerabilities), and mysql55-mysql (RHSCL: multiple vulnerabilities). Slackware has updated kernel (local privilege escalation (Dirty COW)), libX11 (multiple vulnerabilities), mariadb (multiple vulnerabilities), and php (multiple vulnerabilities). SUSE has updated php5 (SLEMWS12: multiple vulnerabilities).
Ars Technica covers the history of Android from version 0.5 to 7.0 "Nougat". "One of the most interesting additions to Nougat is a revamp of the app framework to allow for resizable apps. This allowed Google to implement split screen on phones and tablets, picture-in-picture on Android TV, and a mysterious floating windowed mode. We've been able to access the floating window mode with some software trickery, but we've yet to see Google use it in an actual product. Is it being aimed at desktop computing?"
The 4.9-rc3 prepatch is out. "It turns out that the bug that we thought was due to the new virtually mapped stacks during the rc2 release wasn't due to that at all, but a block request queuing race condition. So people who turned off the new feature weren't actually avoiding it at all." The new feature appears to be solid, but more testing is always welcome.
The Red Hat Developers Blog is running an introduction to the nftables packet filtering system. "nftables implements a set of instructions, called expressions, which can exchange data by storing or loading it in a number of registers. In other words, the nftables core can be seen as a virtual machine. Applications like the nftables front-end tool nft can use the expressions offered by the kernel to mimic the old iptables matches while gaining more flexibility."
For the last couple of release cycles, the kernel's ongoing transition to the Sphinx documentation system has left kernel.org behind. Thanks to some work by Konstantin Ryabitsev, that situation has now been remedied, and kernel.org has the formatted documentation generated from the current -rc kernel. The DocBook-generated documents remain available for as long as DocBook stays in use. (For those interested in the linux-next version of the documentation, the version on LWN's server is usually up to date; it currently has the changes that are queued for 4.10.)
The Free Software Foundation has announced that Eben Moglen has stepped down as the organization's general counsel; there is no word on who his replacement will be. "The FSF looks forward to working together in other capacities with Professor Moglen and SFLC on future projects to advance the free software movement and use of the GNU General Public License (GPL)."
Greg Kroah-Hartman has released the 4.8.5 and 4.4.28 stable kernels. As usual, they contain fixes throughout the tree and users of those series should upgrade.
The Rowhammer vulnerability affects hardware at the deepest levels. It has proved to be surprisingly exploitable on a number of different systems, leaving security-oriented developers at a loss. Since it is a hardware vulnerability, it would appear that solutions, too, must be placed in the hardware. Now, though, an interesting software-based mitigation mechanism is under discussion on the linux-kernel mailing list. The ultimate effectiveness of this defense is unproven, but it does show that there may be hope for a solution that doesn't require buying new computers.
Debian has updated nginx (packaging problem in previous security update). Debian-LTS has updated tre (code execution). openSUSE has updated flash-player (13.2: code execution). Red Hat has updated kernel (RHEL5: two vulnerabilities) and nodejs and nodejs-tough-cookie (RHOSE: two vulnerabilities). SUSE has updated flash-player (SLE12: code execution). Ubuntu has updated firefox (two vulnerabilities), nginx (16.10, 16.04, 14.04: packaging problem in previous security update), and thunderbird (multiple vulnerabilities).
Brendan Gregg celebrates the capabilities of Linux kernel tracing with BPF. "With the final major capability for BPF tracing (timed sampling) merging in Linux 4.9-rc1, the Linux kernel now has raw capabilities similar to those provided by DTrace, the advanced tracer from Solaris. As a long time DTrace user and expert, this is an exciting milestone! On Linux, you can now analyze the performance of applications and the kernel using production-safe low-overhead custom tracing, with latency histograms, frequency counts, and more."
Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution). Debian-LTS has updated bash (code execution), graphicsmagick (multiple vulnerabilities), libx11 (denial of service), libxi (code execution), and libxtst (code execution). openSUSE has updated kernel (11.4: many vulnerabilities, one from 2013, many from 2015), ghostscript (13.2: multiple vulnerabilities, one from 2013), and sssd (42.1: access restriction bypass). Red Hat has updated flash-plugin (RHEL6&5: code execution), kernel (RHEL6.5; RHEL7.1: privilege escalation), and openstack-manila-ui (RHOSP9.0; RHOSP8.0; RHOSP7.0: cross-site scripting).
The bus1 message-passing mechanism is the successor to the "kdbus" project; it was covered here in August. The patches have now been posted for review. "While bus1 emerged out of the kdbus project, bus1 was started from scratch and the concepts have little in common. In a nutshell, bus1 provides a capability-based IPC system, similar in nature to Android Binder, Cap'n Proto, and seL4."