InfoWorld takes a look at a C-to-Rust translation project called Corrode. "What Corrode does not do (yet) is take constructs specific to C and rewrite them in memory-safe Rust equivalents. In other words, it performs the initial grunt work involved in porting a project from C to Rust, but it leaves the heavier lifting -- for example, using Rust's idioms and language features -- to the developer."
The opening session at the 2016 Kernel Summit, led by Jiri Kosina, had to do with the process of creating stable kernel updates. There is, he said, a bit of a disconnect between what the various parties involved want, and that has led to trouble for the consumers of the stable kernel releases. Click below (subscribers only) for the first article from LWN's 2016 Kernel Summit coverage.
Minoca OS has been released under the GNU GPLv3. "Minoca OS is a general purpose operating system written completely from the ground up. It’s intended for devices looking to conserve power, memory, and storage. It aims to be lean, maintainable, modular, and compatible with existing software."
Arch Linux has updated libxml2 (two vulnerabilities) and memcached (three code execution vulnerabilities).
Debian-LTS has updated libxml2 (two vulnerabilities) and tar (file overwrite).
Fedora has updated tor (F24: denial of service).
Gentoo has updated openvpn (information disclosure) and unzip (multiple vulnerabilities from 2014).
Mageia has updated flash-player-plugin (code execution).
Red Hat has updated kernel (RHEL6.6; RHEL6.4; RHEL6.2: two vulnerabilities), mariadb55-mariadb (RHSCL: multiple vulnerabilities), and mysql55-mysql (RHSCL: multiple vulnerabilities).
Slackware has updated kernel (local privilege escalation (Dirty COW)), libX11 (multiple vulnerabilities), mariadb (multiple vulnerabilities), and php (multiple vulnerabilities).
SUSE has updated php5 (SLEMWS12: multiple vulnerabilities).
Ars Technica covers the history of Android from version 0.5 to 7.0 "Nougat". "One of the most interesting additions to Nougat is a revamp of the app framework to allow for resizable apps. This allowed Google to implement split screen on phones and tablets, picture-in-picture on Android TV, and a mysterious floating windowed mode. We've been able to access the floating window mode with some software trickery, but we've yet to see Google use it in an actual product. Is it being aimed at desktop computing?"
The 4.9-rc3 prepatch is out. "It turns out that the bug that we thought was due to the new virtually mapped stacks during the rc2 release wasn't due to that at all, but a block request queuing race condition. So people who turned off the new feature weren't actually avoiding it at all." The new feature appears to be solid, but more testing is always welcome.
The Red Hat Developers Blog is running an introduction to the nftables packet filtering system. "nftables implements a set of instructions, called expressions, which can exchange data by storing or loading it in a number of registers. In other words, the nftables core can be seen as a virtual machine. Applications like the nftables front-end tool nft can use the expressions offered by the kernel to mimic the old iptables matches while gaining more flexibility."
For the last couple of release cycles, the kernel's ongoing transition to the Sphinx documentation system has left kernel.org behind. Thanks to some work by Konstantin Ryabitsev, that situation has now been remedied, and kernel.org has the formatted documentation generated from the current -rc kernel. The DocBook-generated documents remain available for as long as DocBook stays in use. (For those interested in the linux-next version of the documentation, the version on LWN's server is usually up to date; it currently has the changes that are queued for 4.10.)
The Free Software Foundation has announced that Eben Moglen has stepped down as the organization's general counsel; there is no word on who his replacement will be. "The FSF looks forward to working together in other capacities with Professor Moglen and SFLC on future projects to advance the free software movement and use of the GNU General Public License (GPL)."
Greg Kroah-Hartman has released the 4.8.5 and 4.4.28 stable kernels. As usual, they contain fixes throughout the tree and users of those series should upgrade.
The Rowhammer vulnerability affects hardware at the deepest levels. It has proved to be surprisingly exploitable on a number of different systems, leaving security-oriented developers at a loss. Since it is a hardware vulnerability, it would appear that solutions, too, must be placed in the hardware. Now, though, an interesting software-based mitigation mechanism is under discussion on the linux-kernel mailing list. The ultimate effectiveness of this defense is unproven, but it does show that there may be hope for a solution that doesn't require buying new computers.
Debian has updated nginx (packaging problem in previous security update).
Debian-LTS has updated tre (code execution).
openSUSE has updated flash-player (13.2: code execution).
Red Hat has updated kernel (RHEL5: two vulnerabilities) and nodejs and nodejs-tough-cookie (RHOSE: two vulnerabilities).
SUSE has updated flash-player (SLE12: code execution).
Ubuntu has updated firefox (two vulnerabilities), nginx (16.10, 16.04, 14.04: packaging problem in previous security update), and thunderbird (multiple vulnerabilities).
Brendan Gregg celebrates the capabilities of Linux kernel tracing with BPF. "With the final major capability for BPF tracing (timed sampling) merging in Linux 4.9-rc1, the Linux kernel now has raw capabilities similar to those provided by DTrace, the advanced tracer from Solaris. As a long time DTrace user and expert, this is an exciting milestone! On Linux, you can now analyze the performance of applications and the kernel using production-safe low-overhead custom tracing, with latency histograms, frequency counts, and more."
Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).
Debian-LTS has updated bash (code execution), graphicsmagick (multiple vulnerabilities), libx11 (denial of service), libxi (code execution), and libxtst (code execution).
openSUSE has updated kernel (11.4: many vulnerabilities, one from 2013, many from 2015), ghostscript (13.2: multiple vulnerabilities, one from 2013), and sssd (42.1: access restriction bypass).
Red Hat has updated flash-plugin (RHEL6&5: code execution), kernel (RHEL6.5; RHEL7.1: privilege escalation), and openstack-manila-ui (RHOSP9.0; RHOSP8.0; RHOSP7.0: cross-site scripting).
The bus1 message-passing mechanism is the successor to the "kdbus" project; it was covered here in August. The patches have now been posted for review. "While bus1 emerged out of the kdbus project, bus1 was started from scratch and the concepts have little in common. In a nutshell, bus1 provides a capability-based IPC system, similar in nature to Android Binder, Cap'n Proto, and seL4."
CentOS has updated kernel (C6: privilege escalation).
Debian has updated asterisk (multiple vulnerabilities) and nginx (privilege escalation).
Debian-LTS has updated nspr (information disclosure), nss (information disclosure), potrace (multiple vulnerabilities), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities).
Fedora has updated perl-Image-Info (F24; F23: information disclosure).
Mageia has updated graphicsmagick (three vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), mpg123 (denial of service), and tor (denial of service).
openSUSE has updated GraphicsMagick (Leap42.1; 13.2: multiple vulnerabilities), guile (13.2: two vulnerabilities), guile1 (Leap42.1; 13.2: information disclosure), firefox (Leap42.1, 13.2: two vulnerabilities), qemu (Leap42.1: multiple vulnerabilities), quagga (Leap42.1: stack overrun), and kernel (13.2: multiple vulnerabilities).
Oracle has updated kernel (OL6: privilege escalation).
Red Hat has updated kernel (RHEL6; RHEL6.7: privilege escalation) and kernel-rt (RHEMRG2.5; RHEL7: two vulnerabilities).
Scientific Linux has updated kernel (SL6: privilege escalation).
Ubuntu has updated nginx (16.10, 16.04, 14.04: privilege escalation).
Flatpak 0.6.13 has been released. Major changes include a change in command line arguments for install/update/uninstall, application runtime dependencies are checked/downloaded, remote-add and install --from now support URIs, flatpak run can now launch a runtime directly, and more.
Arch Linux has updated linux-grsec (privilege escalation) and ocaml (information leak).
CentOS has updated kernel (C7: privilege escalation).
Debian has updated php5 (multiple vulnerabilities) and virtualbox (end of support).
Debian-LTS has updated ghostscript (multiple vulnerabilities).
Fedora has updated bind (F23: denial of service), bind99 (F23: denial of service), and libass (F24: three vulnerabilities).
Mageia has updated php (multiple vulnerabilities).
openSUSE has updated quagga (13.2: stack overrun) and virtualbox (13.2: multiple unspecified vulnerabilities).
Oracle has updated kernel (OL7: privilege escalation).
Red Hat has updated bind (RHEL6.2, 6.4, 6.5, 6.6, 6.7: denial of service).
Scientific Linux has updated kernel (SL7: privilege escalation).
SUSE has updated quagga (SLE12-SP1: stack overrun).
Ubuntu has updated linux-raspi2 (16.10: privilege escalation), mysql-5.5, mysql-5.7 (multiple unspecified vulnerabilities), and quagga (stack overrun).
Just about everyone who runs a Unix server on the internet uses SSH for remote access, and almost everyone who does that will be familiar with the log footprints of automated password-guessing bots. Although decently-secure passwords do much to harden a server against such attacks, the costs of dealing with the continual stream of failed logins can be considerable. There are ways to mitigate these costs.
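The "log footprints" mentioned above are the repeated "Failed password" lines that sshd writes to the auth log. The following is an added example (not code from the article) of the detection side of the mitigation: it parses those lines, counts failures per source address in a sliding time window, and flags sources that exceed a threshold, which is the signal a fail2ban-style blocker acts on. The log lines are constructed samples, the year defaults to 2016 because syslog timestamps carry none, and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not real server data).
SAMPLE_LOG = """\
Oct 24 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 24 10:01:04 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Oct 24 10:01:07 host sshd[1205]: Failed password for root from 203.0.113.5 port 51251 ssh2
Oct 24 10:01:09 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2
Oct 24 10:01:11 host sshd[1209]: Failed password for root from 203.0.113.5 port 51270 ssh2
Oct 24 10:05:30 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 24 10:05:45 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
Oct 24 10:20:00 host sshd[1400]: Failed password for root from 203.0.113.5 port 51500 ssh2
"""

# Matches the two shapes sshd uses: "for invalid user NAME" and "for NAME".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

Failure = namedtuple("Failure", "when user ip")


def parse_failures(log_text, year=2016):
    """Return one Failure record per 'Failed password' line; other lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog timestamps have no year; the caller supplies it (assumed 2016 here).
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append(Failure(when, m.group("user"), m.group("ip")))
    return failures


def peak_failures_per_source(failures, window_seconds=300):
    """For each source IP, the largest number of failures seen in any window of window_seconds."""
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f.ip].append(f.when)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it is within window_seconds of t.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def usernames_tried(failures):
    """Distinct user names attempted per source IP; many names from one IP is a bot signature."""
    names = defaultdict(set)
    for f in failures:
        names[f.ip].add(f.user)
    return dict(names)


def flag_bruteforce_sources(log_text, threshold=5, window_seconds=300):
    """Source IPs with at least `threshold` failures inside one window (assumed defaults)."""
    peaks = peak_failures_per_source(parse_failures(log_text), window_seconds)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("peak failures per source:", peak_failures_per_source(failures))
    print("usernames tried:", usernames_tried(failures))
    print("flagged sources:", flag_bruteforce_sources(SAMPLE_LOG))
```

The sliding window matters: a single failure from a legitimate user who mistyped a password (198.51.100.7 above, who then logs in with a key) is not flagged, while the burst of five attempts across four different user names from 203.0.113.5 is. The later, isolated failure from that same address falls outside the window and does not inflate its peak, which is the behaviour you want when deciding how long a block should last.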
Valgrind 3.12.0 has been released. "3.12.0 is a feature release with many improvements and the usual collection of bug fixes. This release adds support for POWER ISA 3.0, improves instruction set support on ARM32, ARM64 and MIPS, and provides support for the latest common components (kernel, gcc, glibc). There are many smaller refinements and new features. The release notes below give more details." There will be a Valgrind developer room at FOSDEM in Brussels, Belgium, on February 4, 2017. The call for participation is open until December 1.
The Linux Foundation's Technical Advisory Board provides the development community (primarily the kernel development community) with a voice in the Foundation's decision-making process. Among other things, the TAB chair holds a seat on the Foundation's board of directors. The next TAB election will be held on November 2 at the Kernel Summit in Santa Fe, NM; five TAB members (½ of the total) will be selected there. The nomination process is open until voting begins; anybody interested in serving on the TAB is encouraged to throw their hat into the ring.
The second 4.9 prepatch is out for testing, and Linus is asking for people to test one feature in particular: "My favorite new feature that I called out in the rc1 announcement (the virtually mapped stacks) is possibly implicated in some crashes that Dave Jones has been trying to figure out, so if you want to be helpful and try to see if you can give more data, please make sure to enable CONFIG_VMAP_STACK."
The 4.8.4, 4.7.10, and 4.4.27 stable updates are out. These would appear to contain the usual fixes. Note that 4.7.10 is the end of the line for the 4.7.x series.
We live in an era of celebrity vulnerabilities; at the moment, an unpleasant kernel bug called "Dirty COW" (or CVE-2016-5195) is taking its turn on the runway. This one is more disconcerting than many due to its omnipresence and the ease with which it can be exploited. But there is also some unhappiness in the wider community about how this vulnerability has been handled by the kernel development community. It may well be time for the kernel project to rethink its approach to serious security problems.
Debian-LTS has updated bind9 (denial of service).
Fedora has updated libgit2 (F23: two vulnerabilities).
Mageia has updated kernel (three vulnerabilities), libtiff (multiple vulnerabilities, two from 2015), and openslp (code execution).
openSUSE has updated dbus-1 (13.2: code execution), ghostscript-library (42.1: three vulnerabilities, one from 2013), roundcubemail (42.1: two vulnerabilities), and squidGuard (42.1: cross-site scripting from 2015).
Red Hat has updated bind (RHEL6&5: denial of service) and bind97 (RHEL5: denial of service).
Scientific Linux has updated bind (SL6&5: denial of service) and bind97 (SL5: denial of service).
Ubuntu has updated bind9 (12.04: denial of service).
Linux.com interviews Sylvain Zimmer, founder of the Common Search project, which is an effort to create an open web search engine. "Being transparent means that you can actually understand why our top search result came first, and why the second had a lower ranking. This is why people will be able to trust us and be sure we aren't manipulating results. However for this to work, it needs to apply not only to the results themselves but to the whole organization. This is what we mean by 'radical transparency.' Being a nonprofit doesn't automatically clear us of any ulterior motives, we need to go much further. As a community, we will be able to work on the ranking algorithm collaboratively and in the open, because the code is open source and the data is publicly available. We think that this means the trust in the fairness of the results will actually grow with the size of the community."
The security hole fixed in the stable kernels released today has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.
The 4.8.3, 4.7.9, and 4.4.26 stable kernel updates have been released. There's nothing in the announcements to indicate this, but they all contain a fix for CVE-2016-5195, a bug that can allow local attackers to overwrite files they should not have write access to. So the "all users must upgrade" message seems more than usually applicable this time around.
Debian has updated quagga (stack overrun) and tor (denial of service).
Debian-LTS has updated dwarfutils (multiple vulnerabilities), guile-2.0 (two vulnerabilities), libass (two vulnerabilities), libgd2 (two vulnerabilities), libxv (insufficient validation), and tor (denial of service).
Fedora has updated epiphany (F24: unspecified), ghostscript (F24; F23: multiple vulnerabilities), glibc-arm-linux-gnu (F24: denial of service), guile (F24: two vulnerabilities), libgit2 (F24: two vulnerabilities), openssh (F23: null pointer dereference), qemu (F24: multiple vulnerabilities), and webkitgtk4 (F24: unspecified).
Mageia has updated asterisk (denial of service), flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mailman (password disclosure).
Red Hat has updated java-1.8.0-openjdk (RHEL6, 7: multiple vulnerabilities), kernel (RHEL6.7: use-after-free), and mariadb-galera (RHOSP8: SQL injection/privilege escalation).
Canonical has announced the availability of a live kernel patch service for the 16.04 LTS release. "It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads." Up to three systems can be patched for free; the service requires a fee thereafter. There is a long FAQ about the service in this blog post; it appears to be based on the mainline live-patching functionality with some Canonical add-ons.
Sebastian Kügler reports on KDE's Plasma team meeting. "We took this opportunity to also look and plan ahead a bit further into the future. In what areas are we lacking, where do we want or need to improve? Where do we want to take Plasma in the next two years?" Specific topics include release schedule changes, UI and theming improvements, feature backlog, Wayland, mobile, and more. (Thanks to Paul Wise)
Debian-LTS has updated libarchive (three vulnerabilities), libxrandr (insufficient validation), libxrender (insufficient validation), and quagga (stack overrun).
openSUSE has updated ffmpeg (Leap42.1; SPH for SLE12: multiple vulnerabilities) and kcoreaddons (Leap42.1, 13.2; SPH for SLE12: HTML injection).
Red Hat has updated atomic-openshift (RHOSCP: authentication bypass), kernel (RHEL6.5: privilege escalation), and openssl (RHEL6.7: multiple vulnerabilities).
The mainline kernel has support for a wide range of hardware. One place where support has traditionally been lacking, though, is graphics adapters. As a result, a great many people are still using proprietary, out-of-tree GPU drivers. Daniel Vetter went before the crowd at Kernel Recipes 2016 to say that the situation is not as bad as some think; indeed, he said, in this area as well as others, world domination is proceeding according to plan.
Over on the Red Hat Enterprise Linux Blog, Dan Walsh writes about using Linux capabilities to help secure Docker containers. "Let’s look at the default list of capabilities available to privileged processes in a docker container: chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap. In the OCI/runc spec they are even more drastic, only retaining audit_write, kill, and net_bind_service, and users can use ocitools to add additional capabilities. As you can imagine, I like the approach of adding capabilities you need rather than having to remember to remove capabilities you don’t." He then goes through the capabilities listed describing what they govern and when they might need to be turned on for a container application.
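The two capability sets quoted above are what a process inside a container actually sees in the CapEff line of /proc/PID/status, encoded as a hex bitmask. The following is an added example (not code from the blog post or from Docker) that decodes such a mask into the capability names, encodes the two default lists from the quote, and reports which capabilities a running container holds beyond an allowed set, which is the check to run when auditing whether "add only what you need" is actually in effect. The capability numbering is the kernel's (include/uapi/linux/capability.h); the /proc status text is a constructed sample.

```python
import re

# Capability bit numbers from the kernel's include/uapi/linux/capability.h.
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read", 38: "perfmon", 39: "bpf",
    40: "checkpoint_restore",
}
CAP_NUMBERS = {name: num for num, name in CAP_NAMES.items()}

# The two default sets exactly as listed in the quoted article.
DOCKER_DEFAULT = frozenset({
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "net_bind_service", "net_raw", "sys_chroot", "mknod",
    "audit_write", "setfcap",
})
OCI_RUNC_DEFAULT = frozenset({"audit_write", "kill", "net_bind_service"})

# Constructed sample of the capability lines from /proc/PID/status.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)


def encode_caps(names):
    """Capability names -> the integer bitmask the kernel shows in /proc."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NUMBERS[name]
    return mask


def decode_caps(mask_hex):
    """Hex bitmask (as printed in /proc/PID/status) -> set of capability names."""
    mask = int(mask_hex, 16)
    return {
        CAP_NAMES.get(bit, f"cap_{bit}")  # unknown bits from a newer kernel keep their number
        for bit in range(mask.bit_length())
        if (mask >> bit) & 1
    }


def parse_cap_eff(status_text):
    """Extract the effective-capability mask from /proc/PID/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return m.group(1)


def unexpected_caps(cap_eff_hex, allowed):
    """Capabilities present in the mask but not in the allowed set, sorted for reporting."""
    return sorted(decode_caps(cap_eff_hex) - set(allowed))


if __name__ == "__main__":
    eff = parse_cap_eff(SAMPLE_STATUS)
    print("CapEff", eff, "=", sorted(decode_caps(eff)))
    print("Docker default mask: %016x" % encode_caps(DOCKER_DEFAULT))
    print("beyond the OCI/runc default:", unexpected_caps(eff, OCI_RUNC_DEFAULT))
```

The Docker default list from the quote encodes to 00000000a80425fb, which is why that value turns up so often when reading CapEff inside containers. Comparing a live mask against the OCI/runc set makes the article's point concrete: a stock container still carries eleven capabilities (net_raw, setuid, mknod and so on) that the stricter default would have required someone to add deliberately.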
Arch Linux has updated guile (two vulnerabilities).
Debian has updated libgd2 (denial of service).
Debian-LTS has updated icedove (multiple vulnerabilities), libarchive (file overwrite), libdbd-mysql-perl (denial of service), and mpg123 (denial of service).
Fedora has updated chromium (F24: multiple vulnerabilities).
Gentoo has updated oracle-jdk-bin (multiple vulnerabilities).
openSUSE has updated thunderbird (13.1: multiple vulnerabilities) and tiff (13.1: denial of service).
Oracle has updated openssl (OL5: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Linus has released 4.9-rc1 and closed the merge window for this release one day earlier than some might have expected. "My own favorite 'small detail under the hood' happens to be Andy Lutomirski's new virtually mapped kernel stack allocations. They make it easier to find and recover from stack overflows, but the effort also cleaned up some code, and added a kernel stack mapping cache to avoid any performance downsides." The virtually mapped kernel stack work was covered here in June. There were 14,308 non-merge changesets pulled for this release, meaning that 4.9 will be, by far, the busiest development cycle ever.
Opensource.com celebrates World Standards Day on October 14. "Whether in the world of software, where without standards we would have been unable to connect the world through the Internet and the World Wide Web, or the physical world, where standards make nearly everything you buy easier, more useful, and safer, the world would be a difficult place to navigate without standards. And critical to the usefulness of standards is making them available to all in an accessible, free format, unencumbered by legal or other hurdles."
The PostgreSQL project released version 9.6 on September 29th. This new major release has an assortment of new goodies for PostgreSQL fans, including parallel query and phrase search, new options for synchronous replication, remote query execution using foreign data wrappers, "crosstab" data transformations in psql, and more. Together with version 9.6, the community released a completely rewritten version of the pgAdmin database graphical interface. We'll explore multiple synchronous replicas, foreign data wrapper changes, crosstabs and the new pgAdmin here.
Arch Linux has updated gdk-pixbuf2 (denial of service).
Debian has updated freeimage (two vulnerabilities).
Debian-LTS has updated libxfixes (integer overflow).
Fedora has updated dbus (F24: code execution) and xen (F24; F23: three vulnerabilities).
openSUSE has updated compat-openssl098 (Leap42.1: multiple vulnerabilities), derby (13.2: information leak), libreoffice (Leap42.1: code execution), php5 (Leap42.1: multiple vulnerabilities), go1.4 (SPH for SLE12: denial of service), systemd (Leap42.1: denial of service), and unzip (13.2: two vulnerabilities).
Oracle has updated kernel 4.1.12 (OL7; OL6: stack corruption).
Red Hat has updated mariadb-galera (RHOSP9; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: SQL injection/privilege escalation).
SUSE has updated xen (SLE12; SLES11-SP2: multiple vulnerabilities).
Ubuntu has updated linux-ti-omap4 (12.04: three vulnerabilities).
KDE.news notes the 20th anniversary of the KDE project. "In the 20 years since then so much has happened. We released great software, fought for software freedom and empowered people all over the world to take charge of their digital life. In many ways we have achieved what we set out to do 20 years ago - 'a consistent, nice looking free desktop-environment' and more." For those feeling nostalgic, there is a new version of the KDE 1.1.2 desktop ported to contemporary systems.
Christopher Allan Webber looks at a security vulnerability in Guile. Guile applications are generally not vulnerable, but arbitrary Scheme code may be used to attack the systems of Guile developers. "There is also a lesson here that applies beyond Guile: the presumption that "localhost" is only accessible by local users can't be guaranteed by modern operating system environments. If you are looking to provide local-execution-only, we recommend using unix domain sockets or named pipes. Don't rely on localhost plus some port."
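The recommendation quoted above, unix domain sockets instead of a localhost TCP port, buys two things that a port cannot: the socket is a filesystem object, so directory and file permissions decide who may connect at all, and on Linux the server can ask the kernel which uid is on the other end (SO_PEERCRED) instead of trusting that "it came from 127.0.0.1". The following is an added example (not code from the article or from Guile) of a one-shot local service built that way: it creates the socket under a mode-0700 directory with a 0600 socket file, serves a single echo request, and records the connecting peer's uid. The directory is a temporary one created for the run, and the peer-credential check is skipped on platforms without SO_PEERCRED.

```python
import os
import socket
import stat
import struct
import tempfile
import threading


def _serve_one(srv, result):
    """Accept exactly one client, record its credentials, and echo its message."""
    conn, _ = srv.accept()
    with conn:
        if hasattr(socket, "SO_PEERCRED"):
            # Linux: struct ucred {pid_t pid; uid_t uid; gid_t gid;}, filled in by the kernel,
            # not by the client, so it can be used as an authentication decision.
            raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
            _pid, uid, _gid = struct.unpack("3i", raw)
            result["peer_uid"] = uid
        data = conn.recv(1024)
        conn.sendall(b"echo:" + data)


def run_local_service(message=b"ping"):
    """Stand up a permission-restricted unix socket, talk to it once, and tear it down."""
    tmpdir = tempfile.mkdtemp()          # private directory for the socket (assumed location)
    os.chmod(tmpdir, 0o700)              # only the owning user can traverse it
    path = os.path.join(tmpdir, "svc.sock")
    result = {}

    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)          # socket file is created as 0600 ...
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)                # ... and pinned there in case umask is not honoured
    srv.listen(1)

    server = threading.Thread(target=_serve_one, args=(srv, result))
    server.start()
    try:
        # The client side: any process that can reach the path and has permission to
        # connect. Unlike 127.0.0.1:PORT, that permission is a filesystem ACL.
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        cli.sendall(message)
        reply = cli.recv(1024)
        cli.close()
    finally:
        server.join()
        srv.close()

    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.unlink(path)
    os.rmdir(tmpdir)
    peer_uid_ok = (result["peer_uid"] == os.getuid()) if "peer_uid" in result else None
    return {"reply": reply, "socket_mode": mode, "peer_uid_ok": peer_uid_ok}


if __name__ == "__main__":
    print(run_local_service(b"ping"))
```

Two details worth keeping from this: create the socket inside a directory you own with mode 0700 rather than relying on the socket file's own bits (some systems ignore the latter), and make the server's trust decision from SO_PEERCRED, which the kernel fills in and a client cannot forge. A TCP listener on localhost has neither property; any local user, and in shared or containerised environments possibly more than that, can open it.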
Ubuntu 16.10 (Yakkety Yak) has been released. "Under the hood, there have been updates to many core packages, including a new 4.8-based kernel, a switch to gcc-6, and much more." The flavors Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu have also been released. Ubuntu 16.10 will be supported for 9 months.