Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-07-11 09:30
Garrett: Microsoft aren't forcing Lenovo to block free operating systems
Matthew Garrett looks at the real problem behind the inability of some Lenovo laptops to run Linux. "The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred."
A pile of security updates for Thursday
Arch Linux has updated firefox (multiple vulnerabilities), irssi (code execution), and tomcat7 (proxy injection). CentOS has updated firefox (C5, C6, C7: multiple vulnerabilities). Debian has updated wireshark (LTS: dissector vulnerabilities), irssi (denial of service), and openssl (multiple vulnerabilities). Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities). Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection). openSUSE has updated opera (multiple vulnerabilities). Oracle has updated firefox (OL5, OL6, OL7: multiple vulnerabilities). Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities). Slackware has updated irssi (denial of service), pidgin (17 CVE numbers), and firefox (multiple vulnerabilities). SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability). Ubuntu has updated firefox (multiple vulnerabilities), gdk-pixbuf (code execution), irssi (denial of service), and thunderbird (code execution). Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.
[$] LWN.net Weekly Edition for September 22, 2016
The LWN.net Weekly Edition for September 22, 2016 is available.
GNOME 3.22 released
The GNOME Project has announced the release of GNOME 3.22, "Karlsruhe". "This release brings comprehensive Flatpak support. GNOME Software can install and update Flatpaks, GNOME Builder can create them, and the desktop provides portal implementations to enable sandboxed applications. Improvements to core GNOME applications include support for batch renaming in Files, sharing support in GNOME Photos, an updated look for GNOME Software, a redesigned keyboard settings panel, and many more."
[$] BBR congestion control
Congestion-control algorithms are unglamorous bits of code that allow network protocols (usually TCP) to maximize the throughput of any given connection while simultaneously sharing the available bandwidth equitably with other users. New algorithms tend not to generate a great deal of excitement; the addition of TCP New Vegas during the 4.8 merge window drew little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT) algorithm just released by Google, though, is attracting rather more attention; it moves away from the mechanisms traditionally used by these algorithms in an attempt to get better results in a network characterized by wireless links, meddling middleboxes, and bufferbloat.
Security advisories for Wednesday
Arch Linux has updated curl (code execution), lib32-curl (code execution), and lib32-jansson (denial of service). Debian has updated wireshark (multiple vulnerabilities). Debian-LTS has updated unadf (two vulnerabilities). Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities). SUSE has updated mysql (SLE11-SP3,4: multiple unspecified vulnerabilities).
CouchDB 2.0 released
The Apache CouchDB database project has announced its 2.0 release. New features include clustering support, a new query language, a new administrative interface, and more. "CouchDB 2.0 is 99% API compatible with the 1.x series and most applications should continue to just work."
The curious case of the switch statement (fuzzy notepad)
The fuzzy notepad blog is carrying a post about the switch statement with just about everything one might want to know about its past, present, and possible future. "As we’ve seen, the switch statement has had basically the same form for 49 years. The special case labels are based on syntax derived directly from fixed-layout FORTRAN on punchcards in 1957, several months before my father was born. I hate it."
Catanzaro: GNOME 3.22 core apps
Michael Catanzaro lays down the rules for which GNOME applications distributions should package if they want to claim to provide a "pure GNOME experience." "Selecting the right set of default applications is critical to achieving a quality user experience. Installing redundant or overly technical applications by default can leave users confused and frustrated with the distribution. Historically, distributions have selected wildly different sets of default applications. There’s nothing inherently wrong with this, but it’s clear that some distributions have done a much better job of this than others."
[$] The NTP pool system
NTP, the Network Time Protocol, quietly and without much fuss performs the critical internet function of knowing the correct time. Using it, a computer with imperfect communications links may join a distributed community of servers, each of which is either directly attached to a reliable clock, or is trying to best synchronize its clock to one or more better-synchronized members of the community. The NTP pool system has arisen as a method of providing such a community to the internet; it works well, but is not without its challenges.
Campos: WebKitGTK+ 2.14
Carlos Garcia Campos takes a look at the latest stable release of WebKitGTK+. "[The threaded compositor] is the most important change introduced in WebKitGTK+ 2.14 and what kept us busy for most of this release cycle. The idea is simple, we still render everything in the web process, but the accelerated compositing (all the OpenGL calls) has been moved to a secondary thread, leaving the main thread free to run all other heavy tasks like layout, JavaScript, etc. The result is a smoother experience in general, since the main thread is no longer busy rendering frames, it can process the JavaScript faster improving the responsiveness significantly." This release is also considered feature complete in Wayland.
Security updates for Tuesday
CentOS has updated kernel (C7: three vulnerabilities). openSUSE has updated file-roller (Leap42.1, 13.2: file deletion), openssh (Leap42.1: two vulnerabilities), and php5 (13.2: multiple vulnerabilities). Ubuntu has updated kernel (16.04: three vulnerabilities), kernel (14.04: two vulnerabilities), kernel (12.04: code execution), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-xenial (14.04: three vulnerabilities), linux-raspi2 (16.04: three vulnerabilities), linux-snapdragon (16.04: three vulnerabilities), linux-ti-omap4 (12.04: code execution), and tomcat6, tomcat7, tomcat8 (privilege escalation).
LLVM contemplates relicensing
The LLVM project is currently distributed under the BSD-like NCSA license, but the project is considering a change in the interest of better patent protection. "After extensive discussion involving many lawyers with different affiliations, we recommend taking the approach of using the Apache 2.0 license, with the binary attribution exception (discussed before), and add an additional exception to handle the situation of GPL2 compatibility if it ever arises."
Security advisories for Monday
Arch Linux has updated chromium (multiple vulnerabilities), jansson (denial of service), lib32-libgcrypt (flawed random number generation), and php (multiple vulnerabilities). Debian-LTS has updated curl (code execution), jackrabbit (cross-site request forgery), pdns (multiple denial of service flaws), php5 (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), and zookeeper (buffer overflow). Fedora has updated chromium (F24: multiple vulnerabilities), distribution-gpg-keys (F24: privilege escalation), GraphicsMagick (F23: multiple vulnerabilities), jasper (F24: denial of service), mingw-openjpeg2 (F24; F23: out-of-bounds write), mock (F24: privilege escalation), moin (F24: unspecified vulnerability from 2014), openjpeg2 (F23: out-of-bounds write), and php-adodb (F24; F23: cross-site scripting). SUSE has updated php53 (SLES11-SP2: multiple vulnerabilities).
Emacs 25.1 released
Version 25.1 of the Emacs editor is available. New features include a dynamic module loader, experimental Cairo drawing, better TLS certificate validation, better Unicode input, a mechanism for embedding widgets within buffers, and more.
Kernel prepatch 4.8-rc7
The 4.8-rc7 kernel prepatch is out. "Normally rc7 is the last in the series before the final release, but by now I'm pretty sure that this is going to be one of those releases that come with an rc8. Things didn't calm down as much as I would have liked, there are still a few discussions going on, and it's just unlikely that I will feel like it's all good and ready for a final 4.8 next Sunday."
Coghlan: The Python packaging ecosystem
Here's a lengthy piece from Nick Coghlan on how Python software gets to users. "There have been a few recent articles reflecting on the current status of the Python packaging ecosystem from an end user perspective, so it seems worthwhile for me to write-up my perspective as one of the lead architects for that ecosystem on how I characterise the overall problem space of software publication and distribution, where I think we are at the moment, and where I'd like to see us go in the future."
Bash 4.4 and Readline 7.0 released
The GNU Bourne Again SHell (Bash) project has released version 4.4 of the tool. It comes with a large number of bug fixes as well as new features: "The most notable new features are mapfile's ability to use an arbitrary record delimiter; a --help option available for nearly all builtins; a new family of ${parameter@spec} expansions that transform the value of `parameter'; the `local' builtin's ability to save and restore the state of the single-letter shell option flags around function calls; a new EXECIGNORE variable, which adds the ability to specify names that should be ignored when searching for commands; and the beginning of an SDK for loadable builtins, which consists of a set of headers and a Makefile fragment that can be included in projects wishing to build their own loadable builtins, augmented by support for a BASH_LOADABLES_PATH variable that defines a search path for builtins loaded with `enable -f'. The existing loadable builtin examples are now installed by default with `make install'." In addition, the related Readline command-line editing library project has released Readline 7.0.
Friday's security advisories
CentOS has updated libarchive (C7; C6: multiple vulnerabilities, some from 2015). Debian has updated tomcat7 (privilege escalation) and tomcat8 (privilege escalation). Debian-LTS has updated mysql-5.5 (privilege escalation). Fedora has updated curl (F24: code execution). Mageia has updated cracklib (code execution), dropbear (three code execution flaws), jasper (two vulnerabilities from 2015), krb5 (denial of service), lcms2 (information leak), mediawiki (multiple vulnerabilities), openvpn (information leak), perl-DBD-mysql (two code execution flaws from 2014 and 2015), and perl-XSLoader (code execution). openSUSE has updated opera (42.1: multiple vulnerabilities) and tiff (42.1: multiple vulnerabilities, three from 2015). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities). Scientific Linux has updated kernel (SL7: three vulnerabilities). Slackware has updated curl (code execution).
Hutterer: Synaptics pointer acceleration
For this week's development horror story, it would be hard to do better than Peter Hutterer's quest to figure out how pointer acceleration works in the Synaptics driver. "Also a disclaimer: the last time some serious work was done on acceleration was in 2008/2009. A lot of things have changed since and since the server is effectively un-testable, we ended up with the mess below that seems to make little sense. It probably made sense 8 years ago and given that most or all of the patches have my signed-off-by it must've made sense to me back then. But now we live in the glorious future and holy cow it's awful and confusing."
Linux 4.7.4 and 4.4.21
Stable kernels 4.7.4 and 4.4.21 have been released. As is normal, they contain fixes throughout the kernel tree and users of those series should upgrade.
Security updates for Thursday
Arch Linux has updated flashplugin (many vulnerabilities), lib32-flashplugin (many vulnerabilities), and mariadb (two vulnerabilities). Debian has updated chromium-browser (multiple vulnerabilities) and mailman (cross-site request forgery). Debian-LTS has updated autotrace (code execution), tomcat6 (privilege escalation), and tomcat7 (privilege escalation). Fedora has updated GraphicsMagick (F24: multiple vulnerabilities). openSUSE has updated chromium (42.1; 13.2; SPH for SLE12: multiple vulnerabilities), flash-player (13.2: multiple vulnerabilities), perl (42.1: multiple vulnerabilities, one from 2015), and virtualbox (13.2: two unspecified vulnerabilities). Oracle has updated kernel (OL7: two vulnerabilities). Red Hat has updated kernel (RHEL7: three vulnerabilities) and kernel-rt (RHEL7; RHEL6: three vulnerabilities). SUSE has updated flash-player (SLE12: many vulnerabilities). Ubuntu has updated oxide-qt (16.04, 14.04: multiple vulnerabilities) and python-imaging (12.04: three vulnerabilities, one from 2014).
[$] LWN.net Weekly Edition for September 15, 2016
The LWN.net Weekly Edition for September 15, 2016 is available.
[$] Backports and long-term stable kernels
One of the longest running debates in the kernel community has to do with the backporting of patches from newer kernels to older ones. Substantial effort goes into these backports, with the resulting kernels appearing in everything from enterprise distributions to mobile devices. A recent resurgence of this debate on the Kernel Summit discussion list led to no new conclusions, but it does show how the debate has shifted over time.
Kügler: LTS releases align neatly for Plasma 5.8
Sebastian Kügler reports that Plasma 5.8 will be the first LTS release of the Plasma 5 series. "One great thing of this release is that it aligns support time-frames across the whole stack from the desktop through Qt and underlying operating systems. This makes Plasma 5.8 very attractive for users need to that rely on the stability of their computers." Plasma 5.8 will receive at least 18 months of bugfix and security support from upstream KDE.
Security advisories for Wednesday
Arch Linux has updated libtorrent-rasterbar (denial of service) and powerdns (denial of service). Debian has updated mysql-5.5 (SQL injection/privilege escalation). Fedora has updated gnupg (F23: flawed random number generation), gnutls (F24; F23: certificate verification vulnerability), openjpeg2 (F24: denial of service), thunderbird (F24: unspecified vulnerabilities), and xen (F24: three vulnerabilities). openSUSE has updated mysql-connector-java (Leap42.1: information disclosure). Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities). Slackware has updated mariadb (SQL injection/privilege escalation). Ubuntu has updated mysql-5.5, mysql-5.7 (SQL injection/privilege escalation) and webkit2gtk (16.04: multiple vulnerabilities).
Apache NetBeans Incubator Proposal
Geertjan Wielenga posted a proposal to the Apache incubator list to adopt NetBeans, an open source development environment, tooling platform, and application framework. "NetBeans has been run by Oracle, with the majority of code contributions coming from Oracle. The specific reason for moving to Apache is to expand the diversity of contributors and to increase the level of meritocracy in NetBeans. Apache NetBeans will be actively seeking new contributors and will welcome them warmly and provide a friendly and productive environment for purposes of providing a development environment, tooling environment, and application framework." (Thanks to Stephen Kitt)
Tuesday's security updates
Debian-LTS has updated libphp-adodb (SQL injection). openSUSE has updated Chromium (13.2: multiple vulnerabilities). Oracle has updated libarchive (OL7; OL6: file overwrite) and ntp (OL7; OL6: denial of service from 2013). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), libarchive (RHEL7; RHEL6: multiple vulnerabilities), Red Hat OpenShift Enterprise 3.1 (file overwrite), Red Hat OpenShift Enterprise 3.2 (file overwrite), rh-ror41-rubygem-actionview (RHSCL: cross-site scripting), rh-ror42 (RHSCL: two vulnerabilities), ror40-rubygem-actionpack (RHSCL: cross-site scripting), and ruby193-rubygem-actionpack (RHSCL: cross-site scripting). Scientific Linux has updated libarchive (SL7; SL6: multiple vulnerabilities). Ubuntu has updated openjdk-6 (12.04: multiple vulnerabilities).
Tridgell: ArduPilot and DroneCode
Andrew "Tridge" Tridgell writes about the ArduPilot project's withdrawal from the Dronecode group. "Unfortunately DroneCode has a built-in flaw. The structure and bylaws of DroneCode are built around exceptional power for the Platinum members, giving them extraordinary control over the future of DroneCode. [...] Just how great a flaw that is has been shown by the actions of the Platinum members over the last two months. Due to their overwhelming desire to be able to make a proprietary autopilot stack the Platinum members staged what can only be called a coup. They removed all top level open source projects from DroneCode, leaving only their own nominees in the Technical Steering Committee. They passed a resolution requiring that all projects hand over control of all trademarks, accounts and domains to their control."
Vim 8.0 released
The Vim editor project is celebrating its 8.0 release. "This the first major Vim release in ten years. There are interesting new features, many small improvements and lots of bug fixes." New features include asynchronous I/O, jobs, a package system, GTK+ 3 support, and more.
Stable kernel update - 3.14 eol
Greg KH has released stable kernel 3.14.79. This is the last update in the 3.14.x series. "Please use 4.4 if you want a LTS kernel that will last for another year, or even better yet, just use the normal stable releases as those will always contain the latest fixes and updates."
Security advisories for Monday
Arch Linux has updated file-roller (file deletion), graphicsmagick (denial of service), and tomcat8 (redirect HTTP traffic). Debian has updated openjpeg2 (multiple vulnerabilities) and pdns (multiple denial of service flaws). Debian-LTS has updated libarchive (two vulnerabilities), qemu (directory/path traversal), and qemu-kvm (directory/path traversal). Fedora has updated chromium (F24: multiple vulnerabilities), elog (F24; F23: unauthorized posts), phpMyAdmin (F23: multiple vulnerabilities), python-jwcrypto (F24; F23: information disclosure), and slock (F24; F23: screen locking bypass). openSUSE has updated libtorrent-rasterbar (Leap42.1: denial of service), kernel (Leap42.1: multiple vulnerabilities), and wget (13.2: race condition). Slackware has updated gnutls (denial of service). SUSE has updated java-1_7_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11-SP2,3: three vulnerabilities).
Kernel prepatch 4.8-rc6
Linus has released the 4.8-rc6 kernel prepatch. "I still haven't decided whether we're going to do an rc8, but I guess I don't have to decide yet. Nothing looks particularly bad, and it will depend on how rc7 looks."
Abbott: Success with Interns
Laura Abbott marks the end of the latest round of open-source internships at Outreachy with a blog post reflecting on "what makes an internship successful," especially as seen in the kernel team's internships. Among Abbott's lessons: "Choose your tasks carefully. Tasks with a specific goal but multiple ways to solve are best. Too open ended tasks can be frustrating for all involved but there should be some chance for decision making. Just giving a list of tasks and exactly how they should be completed isn't good for learning. Give your intern a chance to propose a solution and then review it together." Also: "Speaking of review, code review is a skill. Model how to respond to code review comments. Encourage interns to practice reviewing others code and ask questions as well." That is just a sampling; in total, Abbott lists well over a dozen take-aways from the experience, all worth reading.
Friday's security updates
Arch Linux has updated wordpress (multiple vulnerabilities). Debian has updated inspircd (user impersonation) and xen (multiple vulnerabilities). Debian-LTS has updated curl (certificate reuse) and xen (multiple vulnerabilities). openSUSE has updated fontconfig (Leap 42.1: privilege escalation), gdk-pixbuf (13.2, Leap 42.1: denial of service), krb5 (Leap 42.1: denial of service), mariadb (Leap 42.1: multiple vulnerabilities), ocaml (Leap 42.1: information leak), tiff (13.2: multiple vulnerabilities), and wget (Leap 42.1: multiple vulnerabilities). Slackware has updated php (14.0, 14.1, 14.2: multiple vulnerabilities). Ubuntu has updated file-roller (14.04, 16.04: file deletion) and imlib2 (12.04, 14.04, 16.04: multiple vulnerabilities).
[$] LWN.net Weekly Edition for September 9, 2016
The LWN.net Weekly Edition for September 9, 2016 is available.
A bite of Python (Red Hat Security Blog)
On the Red Hat Security Blog, Ilya Etingof describes some traps for the unwary in Python, some that have security implications. "Being easy to pick up and progress quickly towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. Though apparent language clarity and friendliness could lull the vigilance of software engineers and system administrators -- luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked at; experienced developers may well be aware of the peculiarities that follow." (Thanks to Paul Wise.)
Thursday's security advisories
Debian-LTS has updated icu (code execution) and roundcube (three vulnerabilities, one each from 2015 and 2014). openSUSE has updated libsrtp (42.1: denial of service from 2015), libstorage (42.1: password disclosure), and libtcnative-1-0 (42.1: cipher downgrade from 2015). Red Hat has updated Kibana (RHOS3: two vulnerabilities). Scientific Linux has updated thunderbird (multiple vulnerabilities). SUSE has updated java-1_7_1-ibm (SLE11: three unspecified vulnerabilities).
[$] What's next for Apache OpenOffice
Concerns about the viability of the Apache OpenOffice (AOO) project are not new; they had been in the air for a while by the time LWN looked at the project's development activity in early 2015. Since then, though, the worries have grown more pronounced, especially after AOO's recent failure to produce a release with an important security fix nearly one year after being notified of the vulnerability. The result is an internal discussion on whether the project should be "retired," or whether it will find a way to turn its fortunes around.
[$] An asynchronous Internet in GNOME
At GUADEC 2016 in Karlsruhe, Germany, Jonathan Blandford challenged the GNOME project to rethink how its desktop software uses network access. The GNOME desktop assumes Internet connectivity is always available, which has the side effect of making the software stack considerably less useful and, indeed, usable to people who live in those places regarded as the developing world.
Weekly edition one day late this week
Last Monday was the Labor Day holiday in the US, so the LWN crew took the day off to celebrate. As a result, the weekly edition will be published one day late this week. It will be available on Friday, sometime shortly after midnight UTC.
Stable kernel updates
Stable kernels 4.7.3, 4.4.20, and 3.14.78 have been released with the usual set of important fixes. There will be one more 3.14.x kernel release before this kernel series hits its end-of-life.
Wednesday's security advisories
Debian has updated charybdis (incorrect SASL authentication). Debian-LTS has updated libtomcrypt (signature forgery). Fedora has updated 389-ds-base (F23: information disclosure), libgcrypt (F23: flawed random number generation), libksba (F23: denial of service), and mediawiki (F24; F23: multiple vulnerabilities). openSUSE has updated Chromium (Leap42.1: multiple vulnerabilities), thunderbird (SPH for SLE12; Leap42.1, 13.2: multiple vulnerabilities), and tomcat (Leap42.1: two vulnerabilities). Red Hat has updated postgresql92-postgresql (RHSCL: two vulnerabilities) and rh-postgresql95-postgresql (RHSCL: two vulnerabilities). SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).
Git v2.10.0
Git 2.10 has been released, with lots of updates to the user interface and workflows, performance enhancements, and much more. See the announcement for details.
Danko: Next steps for Gmane
LWN previously reported that Gmane creator and maintainer Lars Magne Ingebrigtsen shut down the website and was contemplating shutting down the service entirely. Martin Danko now reports that Gmane has a new maintainer. "I petitioned some of our directors to allow us to offer to take it over and in the end we entered into agreement with Lars to take over Gmane. The assets of Gmane have been placed into a UK company Gmane Ltd. As part of the agreement, we have received the INN spool with all the articles but none of the code that drives the site. We’ve started rebuilding parts of the site just to get it back online, its not perfect and there are pieces missing but we’re working on building all the functionality back into the site." (Thanks to Brian Thomas)
Security advisories for Tuesday
Arch Linux has updated thunderbird (code execution). CentOS has updated ipa (C7; C6: denial of service) and thunderbird (C7; C6; C5: code execution). Debian has updated chromium-browser (multiple vulnerabilities), flex (regression in previous update), and kernel (multiple vulnerabilities). Debian-LTS has updated jsch (path traversal), kernel (multiple vulnerabilities), and tiff3 (multiple vulnerabilities). Fedora has updated ca-certificates (F23: certificate update), ganglia (F24; F23: cross-site scripting), glibc (F23: denial of service), kernel (F24; F23: two vulnerabilities), lcms2 (F23: heap memory leak), and phpMyAdmin (F24: multiple vulnerabilities). openSUSE has updated curl (13.2: three vulnerabilities), dosfstools (Leap42.1: two vulnerabilities), eog (Leap42.1, 13.2: out-of-bounds write), and xerces-c (Leap42.1: two vulnerabilities). Oracle has updated thunderbird (OL7; OL6: code execution). Red Hat has updated kernel (RHEL6.7; RHEL6.5: information leak) and thunderbird (RHEL5,6,7: code execution). Scientific Linux has updated ipa (SL6,7: denial of service). SUSE has updated kernel (SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities).
LLVM 3.9 released
Version 3.9 of the LLVM compiler suite is out. "This release is the result of the LLVM community's work over the past six months, including ThinLTO, new libstdc++ ABI compatibility, support for all OpenCL 2.0 and all non-offloading OpenMP 4.5 features, clang-include-fixer, many new clang-tidy checks, significantly improved ELF linking with lld, identical code folding and initial LTO support in lld, as well as improved optimization, many bug fixes and more."
Anticipating KDE's 20th anniversary
The announcement of a project to develop the "Kool Desktop Environment" went out on October 14, 1996. As the 20th anniversary of that announcement approaches, the KDE project is celebrating with a project timeline and a 20 Years of KDE book. "This book presents 37 stories about the technical, social and cultural aspects that shaped the way the KDE community operates today. It has been written as part of the 20th anniversary of KDE. From community founders and veterans to newcomers, with insights from different perspectives and points of view, the book provides you with a thrilling trip through the history of such an amazing geek family."
Kernel prepatch 4.8-rc5
The 4.8-rc5 kernel prepatch is available for testing. "So rc5 is noticeably bigger than rc4 was, and my hope last week that we were starting to calm down and shrink the releases seems to have been premature. [...] Not that any of this looks worrisome per se, but if things don't start calming down from now, this may be one of those releases that will need an rc8. We'll see."
Z-Wave protocol specification now public
The Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.