Neil Brown writes: "For a little longer than a year now, I have been using Notmuch as my primary meansof reading email. Though the experience has not been without someannoyances, I feel that it has been a net improvement and expect to keepusing Notmuch for quite some time." Click below (subscribers only) for hisfull report.
Debian has updated libxslt (code execution).Fedora has updated dbus (F23:code execution), firefox (F23: twovulnerabilities), and pacemaker (F23: privilege escalation).openSUSE has updated mariadb(13.2: multiple vulnerabilities) and nodejs(Leap42.1, 13.2: code execution).Red Hat has updated flash-plugin(RHEL5,6: multiple vulnerabilities).Scientific Linux has updated libgcrypt (SL6: flawed random numbergeneration) and pacemaker (SL6: privilege escalation).
Dave Täht has been working to save the Internet for the last six years (atleast). Recently, his focus has been on improving the performance ofnetworking over WiFi — performance that has been disappointing for as longas anybody can remember. The good news, as related in his 2016 Linux PlumbersConference talk, is that WiFi can be fixed, and thefixes aren't even all that hard to do. Users with the right hardware and awillingness to run experimental software can have fast WiFi now, and itshould be available for the rest of us before too long.
The digiKam Software Collection 5.3.0 has been released. This version isavailable as an AppImage bundle. "AppImage is an open-source project dedicated to provide a simple way to distribute portable software as compressed binary file, that standard user can run as well, without to install special dependencies. All is included into the bundle, as last Qt5 and KF5 frameworks. AppImage use Fuse file-system, which is de-compressed into a temporary directory to start the application. You don't need to install digiKam on your system to be able to use it. Better, you can use the official digiKam from your Linux distribution in parallel, and test the new version without any conflict with one used in production. This permit to quickly test a new release without to wait an official package dedicated for your Linux box. Another AppImage advantage is to be able to provide quickly a pre-release bundle to test last patches applied to source code, outside the releases plan."
The second service pack for SUSE Linux Enterprise Server, Desktop and otherproducts, has been released. Highlightsinclude software defined networking and network function virtualization,the new SUSE Package Hub for package updates, the ability to skip servicepack releases (e.g. upgrade from SLES 12 to SLES 12-SP2), architecturesupport for AArch64 and Raspberry Pi, and much more.
Debian has updated mat (information leak) and openjdk-7 (multiple vulnerabilities).Debian-LTS has updated python-imaging (two vulnerabilities).Fedora has updated ansible (F24:two vulnerabilities), ghostscript (F24: twovulnerabilities), icu (F24: codeexecution), java-1.8.0-openjdk-aarch32(F24: multiple vulnerabilities), and kernel(F24: two vulnerabilities).openSUSE has updated bind (Leap42.1; 13.2: denial of service).Oracle has updated java-1.7.0-openjdk (OL6; OL5:multiple vulnerabilities) and libgcrypt(OL6: flawed random number generation).Red Hat has updated chromium-browser (RHEL6: memory leak), libgcrypt (RHEL6,7: flawed random numbergeneration), pacemaker (RHEL6: privilege escalation), and qemu-kvm-rhev (RHOSP8; RHOSP9: denial of service).Scientific Linux has updated java-1.7.0-openjdk (SL5,6: multiple vulnerabilities).
HackerBoards takesa look at the 64-bit Orange Pi. "Shenzhen Xunlong is keeping up its prolific pace in spinning off new Allwinner SoCs into open source SBCs, and now it has released its first 64-bit ARM model, and one of the cheapest quad-core -A53 boards around. The Orange Pi PC 2 runs Linux or Android on a new Allwinner H5 SoC featuring four Cortex-A53 cores and a more powerful Mali-450 GPU."
The 4.9-rc4 kernel prepatch is out fortesting. Linus says: "So I'm not going to lie: this is not a smallrc, and I'd have been happier if it was. But it's not unreasonably largefor this (big) release either, so it's not like I'd start worrying. I'mcurrently still assuming that we'll end up with the usual seven releasecandidates, assuming things start calming down. We'll see how that goes aswe get closer to a release."
Opensource.com celebrates25 years of Vim. "Vim is a flexible, extensible text editor with a powerful plugin system, rock-solid integration with many development tools, and support for hundreds of programming languages and file formats. Twenty-five years after its creation, Bram Moolenaar still leads development and maintenance of the project—a feat in itself! Vim had been chugging along in maintenance mode for more than a decade, but in September 2016 version 8.0 was released, adding new features to the editor of use to modern programmers."
ZDNet takesa look at the VoCore2, a coin-sized computer. "VoCore2 is an open source Linux computer and a fully-functional wireless router that is smaller than a coin. It can also act as a VPN gateway for a network, an AirPlay station to play lossless music, a private cloud to store your photos, video, and code, and much more.The Lite version of the VoCore2 features a 580MHz MT7688AN MediaTek system on chip (SoC), 64MB of DDR2 RAM, 8MB of NOR storage, and a single antenna slot for Wi-Fi that supports 150Mbps."
Arch Linux has updated lib32-gdk-pixbuf2 (denial of service).Debian has updated curl (multiple vulnerabilities) and memcached (code execution).Fedora has updated kdepimlibs(F24: three vulnerabilities), libwebp (F24:integer overflows), and quagga (F24;F23: three vulnerabilities).Gentoo has updated libreoffice (multiple vulnerabilities) and oracle-jre-bin (multiple vulnerabilities).Mageia has updated bind (denialof service), kernel-tmb (multiplevulnerabilities), php-adodb (twovulnerabilities), and rpm (code executionfrom 2014).openSUSE has updated jasper(13.2: multiple vulnerabilities, one from 2008).Oracle has updated kernel 4.1.12 (OL7; OL6: codeexecution), kernel 3.8.13 (OL7; OL6: code execution).Red Hat has updated docker(RHEL7: privilege escalation).Scientific Linux has updated bind(SL5,6: denial of service) and bind97 (SL5:denial of service).Slackware has updated bind (denial of service) and curl (multiple vulnerabilities).SUSE has updated java-1_8_0-ibm(SLE12-SP1: three vulnerabilities) and xen(SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities).Ubuntu has updated curl (multiple vulnerabilities).
Opensource.com coversthe Internet Archive's 20th birthday celebration. "Of all the projects announced during the event though, by far one of the most exciting and impressive is the newly released ability to search the complete contents of all text items on the Internet Archive. Nine million text items, covering hundreds of years of human history, are now searchable in an instant."
Red Hat has announcedthe release of Red Hat Enterprise Linux 7.3. "This update to Red Hat’s flagship Linux operating system includes new features and enhancements built around performance, security, and reliability. The release also introduces new capabilities around Linux containers and the Internet of Things (IoT), designed to help early enterprise adopters use existing investments as they scale to meet new business demands."
The 2016 Linux Foundation TechnicalAdvisory Board election was held November 2 at the combined Kernel Summit and Linux Plumbers Conferenceevents. Incumbent members Chris Mason and Peter Anvin were re-elected tothe board; they will be joined by new members Olof Johansson, Dan Williams,and Rik van Riel. Thanks are due to outgoing members Grant Likely, KristenAccardi, and John Linville.
The Mesa project has announced version 13.0.0 of the 3D graphics library that provides an open-source implementation of OpenGL. "This release has huge amount of features, but without a doubt the biggestones are:Vulkan driver for hardware supported by the AMDGPU kernel driver [and]OpenGL 4.4/4.5 capability, yet the drivers may expose lower version due topending Khronos CTS validation."
Linux.com has atranscript of Eben Moglen's talk in New York on October 28. "I have some fine clients and wonderful friends in this movement whohave been getting rather angry recently. There is a lot of anger in theworld, in fact, in politics. Our political movement is not the only onesuffering from anger at the moment. But some of my angry friends, dearfriends, friends I really care for, have come to the conclusion thatthey’re on a jihad for free software. And I will say this after decades ofwork—whatever else will be the drawbacks in other areas of life—the problemin our neighborhood is that jihad does not scale." There is a video of the talk available as well.
Version2.0 of the Collabora Online Development Edition online office suite hasbeen released. "Collabora Productivity, the developers behindLibreOffice Online, announced the release of CODE 2.0, including the latestand most requested feature from customers: collaborativeediting. Developers and home users are encouraged to update, try this outand get involved with the latest developments." See thisblog entry for lots of details.
Arch Linux has updated bind (denial of service).Debian has updated bind9 (denial of service) and tar (file overwrite).Debian-LTS has updated libwmf (denial of service), tiff (multiple vulnerabilities), and tiff3 (two vulnerabilities).Fedora has updated ecryptfs-utils(F23: two vulnerabilities), libass (F23:multiple vulnerabilities), libXfixes (F23:integer overflow), libXrandr (F23:insufficient validation), libXrender (F23:insufficient validation), libXtst (F23:insufficient validation), libXv (F23:insufficient validation), libXvMC (F23:insufficient validation), systemd (F23:denial of service), and tor (F23: denial of service).Mageia has updated libtiff (two vulnerabilities).Red Hat has updated java-1.7.0-ibm (RHEL5: multiplevulnerabilities), java-1.7.1-ibm (RHEL6,7:multiple vulnerabilities), and java-1.8.0-ibm (RHEL6,7: multiple vulnerabilities).SUSE has updated bind (SLE12-SP1,2; SLES12: denial of service), curl (SLE12-SP1; SSO1.3: multiple vulnerabilities), nodejs4 (SLEM12: multiple vulnerabilities), php7 (SLEM12: many vulnerabilities), and php7 (SLEM12: three vulnerabilities in libgd).Ubuntu has updated bind9 (denialof service), dbus (denial of service from2015), libgd2 (three vulnerabilities), mailman (two vulnerabilities), oxide-qt (16.10, 16.04, 14.04: multiplevulnerabilities), and python-django (twovulnerabilities).
InfoWorld takesa look at a C-to-Rust translation project called Corrode. "What Corrode does not do (yet) is take constructs specific to C and rewrite them in memory-safe Rust equivalents. In other words, it performs the initial grunt work involved in porting a project from C to Rust, but it leaves the heavier lifting -- for example, using Rust's idioms and language features -- to the developer."
The opening session at the 2016 Kernel Summit, led by Jiri Kosina, had todo with the process of creating stable kernel updates. There is, he said,a bit of a disconnect between what the various parties involved want, andthat has led to trouble for the consumers of the stable kernel releases.<p>Click below (subscribers only) for the first article from LWN's 2016 KernelSummit coverage
Minoca OS has been releasedunder the GNU GPLv3. "Minoca OS is a general purpose operating system written completely from the ground up. It’s intended for devices looking to conserve power, memory, and storage. It aims to be lean, maintainable, modular, and compatible with existing software."
Arch Linux has updated libxml2(two vulnerabilities) and memcached (threecode execution vulnerabilities).Debian-LTS has updated libxml2(two vulnerabilities) and tar (file overwrite).Fedora has updated tor (F24: denial of service).Gentoo has updated openvpn(information disclosure) and unzip(multiple vulnerabilities from 2014).Mageia has updated flash-player-plugin (code execution).Red Hat has updated kernel (RHEL6.6; RHEL6.4; RHEL6.2: two vulnerabilities), mariadb55-mariadb (RHSCL: multiplevulnerabilities), and mysql55-mysql (RHSCL:multiple vulnerabilities).Slackware has updated kernel (local privilege escalation (Dirty COW)), libX11 (multiple vulnerabilities), mariadb (multiple vulnerabilities), and php (multiple vulnerabilities).SUSE has updated php5 (SLEMWS12: multiple vulnerabilities).
Ars Technica coversthe history of Android from version 0.5 to 7.0 "Nougat". "One of the most interesting additions to Nougat is a revamp of the app framework to allow for resizable apps. This allowed Google to implement split screen on phones and tablets, picture-in-picture on Android TV, and a mysterious floating windowed mode. We've been able to access the floating window mode with some software trickery, but we've yet to see Google use it in an actual product. Is it being aimed at desktop computing?"
The 4.9-rc3 prepatch is out. "Itturns out that the bug that we thought was due to the new virtually mappedstacks during the rc2 release wasn't due to that at all, but a blockrequest queuing race condition. So people who turned off the new featureweren't actually avoiding it at all." The new feature appears to besolid, but more testing is always welcome.
The Red Hat Developers Blog is running anintroduction to the nftables packet filtering system."nftables implements a set of instructions, called expressions, whichcan exchange data by storing or loading it in a number of registers. Inother words, the nftables core can be seen as a virtualmachine. Applications like the nftables front end-tool nft can use theexpressions offered by the kernel to mimic the old iptables matches whilegaining more flexibility."
For the last couple of release cycles, the kernel's ongoing transition tothe Sphinx documentation system has left kernel.org behind. Thanks to somework by Konstantin Ryabitsev, that situation has now been remedied, andkernel.org has the formatteddocumentation generated from the current -rc kernel. The DocBook-generated documentsremain available for as long as DocBook stays in use. (For thoseinterested in the linux-next version of the documentation, the version on LWN's server isusually up to date; it currently has the changes that are queued for 4.10.)
The Free Software Foundation has announcedthat Eben Moglen has stepped down as the organization's general counsel;there is no word on who his replacement will be. "The FSF looksforward to working together in other capacities with Professor Moglen andSFLC on future projects to advance the free software movement and use ofthe GNU General Public License (GPL)."
Greg Kroah-Hartman has released the 4.8.5and 4.4.28 stable kernels. As usual, theycontain fixes throughout the tree and users of those series should upgrade.
The Rowhammervulnerability affects hardware at the deepest levels. It has proved to besurprisingly exploitable on a number of different systems, leavingsecurity-oriented developers at a loss. Since it is a hardwarevulnerability, it would appear that solutions, too, must be placed in thehardware. Now, though, an interesting software-based mitigation mechanismis under discussion on the linux-kernel mailing list. The ultimateeffectiveness of this defense is unproven, but it does show that there maybe hope for a solution that doesn't require buying new computers.
Debian has updated nginx(packaging problem in previous security update).Debian-LTS has updated tre (codeexecution).openSUSE has updated flash-player(13.2: code execution).Red Hat has updated kernel(RHEL5: two vulnerabilities) and nodejs andnodejs-tough-cookie (RHOSE: two vulnerabilities).SUSE has updated flash-player(SLE12: code execution).Ubuntu has updated firefox (two vulnerabilities),, nginx (16.10, 16.04, 14.04: packagingproblem in previous security update), and thunderbird (multiple vulnerabilities).
Brendan Gregg celebratesthe capabilities of Linux kernel tracing with BPF. "With thefinal major capability for BPF tracing (timed sampling) merging in Linux4.9-rc1, the Linux kernel now has raw capabilities similar to thoseprovided by DTrace, the advanced tracer from Solaris. As a long time DTraceuser and expert, this is an exciting milestone! On Linux, you can nowanalyze the performance of applications and the kernel usingproduction-safe low-overhead custom tracing, with latency histograms,frequency counts, and more."
Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).Debian-LTS has updated bash (codeexecution), graphicsmagick (multiplevulnerabilities), libx11 (denial of service), libxi (code execution), and libxtst (code execution).openSUSE has updated kernel(11,4: many vulnerabilities, one from 2013, many from 2015), ghostscript (13.2: multiple vulnerabilities,one from 2013), and sssd (42.1: accessrestriction bypass).Red Hat has updated flash-plugin(RHEL6&5: code execution), kernel (RHEL6.5; RHEL7.1: privilege escalation), andopenstack-manila-ui (RHOSP9.0; RHOSP8.0; RHOSP7.0: cross-site scripting).
The bus1 message-passing mechanism is the successor to the "kdbus" project;it was covered here in August. The patches have now been posted for review."While bus1 emerged out of the kdbus project, bus1 was started fromscratch and the concepts have little in common. In a nutshell, bus1provides a capability-based IPC system, similar in nature to AndroidBinder, Cap'n Proto, and seL4."
CentOS has updated kernel (C6:privilege escalation).Debian has updated asterisk(multiple vulnerabilities) and nginx (privilege escalation).Debian-LTS has updated nspr (information disclosure), nss (information disclosure), potrace (multiple vulnerabilities), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities).Fedora has updated perl-Image-Info (F24; F23: information disclosure).Mageia has updated graphicsmagick (three vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), mpg123 (denial of service), and tor (denial of service).openSUSE has updated GraphicsMagick (Leap42.1; 13.2: multiple vulnerabilities), guile (13.2: two vulnerabilities),guile1 (Leap42.1; 13.2: information disclosure), firefox (Leap42.1, 13.2: two vulnerabilities),qemu (Leap42.1: multiple vulnerabilities),quagga (Leap42.1: stack overrun), and kernel (13.2: multiple vulnerabilities).Oracle has updated kernel (OL6:privilege escalation).Red Hat has updated kernel (RHEL6; RHEL6.7:privilege escalation) and kernel-rt (RHEMRG2.5; RHEL7: two vulnerabilities).Scientific Linux has updated kernel (SL6: privilege escalation).Ubuntu has updated nginx (16.10,16.04, 14.04: privilege escalation).
Flatpak 0.6.13 has been released.Major changes include a change in command line arguments forinstall/update/uninstall, application runtime dependencies arechecked/downloaded, remote-add and install --from now supports uris,flatpak run can now launch a runtime directly, and more.
Arch Linux has updated linux-grsec (privilege escalation) and ocaml (information leak).CentOS has updated kernel (C7:privilege escalation).Debian has updated php5 (multiplevulnerabilities) and virtualbox (end ofsupport).Debian-LTS has updated ghostscript (multiple vulnerabilities).Fedora has updated bind (F23:denial of service), bind99 (F23: denial ofservice), and libass (F24: three vulnerabilities).Mageia has updated php (multiple vulnerabilities).openSUSE has updated quagga(13.2: stack overrun) and virtualbox (13.2:multiple unspecified vulnerabilities).Oracle has updated kernel (OL7:privilege escalation).Red Hat has updated bind(RHEL6.2, 6.4, 6.5, 6.6, 6.7: denial of service).Scientific Linux has updated kernel (SL7: privilege escalation).SUSE has updated quagga(SLE12-SP1: stack overrun).Ubuntu has updated linux-raspi2(16.10: privilege escalation), mysql-5.5, mysql-5.7 (multiple unspecified vulnerabilities), and quagga (stack overrun).
Just about everyone who runs a Unix server on the internet uses SSHfor remote access, and almost everyone who does that will be familiarwith the log footprints of automated password-guessing bots. Althoughdecently-secure passwords do much to harden a server against such attacks,the costs of dealing with the continual stream of failed logins can beconsiderable. There are ways to mitigate these costs.
Valgrind 3.12.0 has been released. "3.12.0 is a feature release withmany improvements and the usual collection of bug fixes. This release addssupport for POWER ISA 3.0, improves instruction set support on ARM32, ARM64and MIPS, and provides support for the latest common components (kernel,gcc, glibc). There are many smaller refinements and new features. Therelease notes below give more details." There will be a Valgrinddeveloper room at FOSDEM in Brussels, Belgium, on February 4, 2017. Thecall for participation is open until December 1.
The Linux Foundation's TechnicalAdvisory Board provides the development community (primarily the kerneldevelopment community) with a voice in the Foundation's decision-makingprocess. Among other things, the TAB chair holds a seat on theFoundation's board of directors. The next TAB election will be held onNovember 2 at the Kernel Summit in Santa Fe, NM; five TAB members (½of the total) will be selected there. The nomination process is open untilvoting begins; anybody interested in serving on the TAB is encouraged tothrow their hat into the ring.
The second 4.9 prepatch is out for testing,and Linus is asking for people to test one feature in particular: "Myfavorite new feature that I called out in the rc1 announcement (thevirtually mapped stacks) is possibly implicated in some crashes that DaveJones has been trying to figure out, so if you want to be helpful and tryto see if you can give more data, please make sure to enableCONFIG_VMAP_STACK."
The 4.8.4,4.7.10, and4.4.27 stable updates are out. These wouldappear to contain the usual fixes. Note that 4.7.10 is the end of the linefor the 4.7.x series.
We live in an era of celebrity vulnerabilities; at the moment, anunpleasant kernel bug called "Dirty COW" (or CVE-2016-5195) is taking itsturn on the runway. This one is more disconcerting than many due to itsomnipresence and the ease with which it can be exploited. But there isalso some unhappiness in the wider community about how this vulnerabilityhas been handled by the kernel development community. It may well be timefor the kernel project to rethink its approach to serioussecurity problems.
LWN.net