Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-19 06:00
A couple of unpleasant local kernel vulnerabilities
The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set of netfilter fixes that, it has just been disclosed, fix a couple of severe local privilege-escalation vulnerabilities. Anybody who is running a site with user and network namespaces enabled will want to update their kernels in short order. The fixes were originally committed into 4.6-rc2 in April with no comment regarding their implications.
Three new stable kernels
Greg Kroah-Hartman has released stable kernel updates 4.6.3, 4.4.14, and 3.14.73. Each contains important fixes throughout the tree.
Friday's security updates
CentOS has updated kernel (C7: multiple vulnerabilities), libxml2 (C6; C7: multiple vulnerabilities), ocaml (C7: information leak), setroubleshoot (C7: multiple vulnerabilities), and setroubleshoot-plugins (C7: multiple vulnerabilities).
Fedora has updated python (F24: startTLS stripping), setroubleshoot (F24: code execution), and setroubleshoot-plugins (F24: code execution).
Oracle has updated kernel (O7: multiple vulnerabilities), libxml2 (O6; O7: multiple vulnerabilities), ocaml (O7: information leak), and setroubleshoot and setroubleshoot-plugins (O7: multiple vulnerabilities).
Red Hat has updated kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), and ocaml (RHEL7: information leak).
Scientific Linux has updated libxml2 (SL 6,7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (SL7; SL6: multiple vulnerabilities).
SUSE has updated kernel (SLE11: multiple vulnerabilities).
Defending Our Brand (Let's Encrypt)
It seems that the Comodo TLS certificate authority (CA) has filed for three trademarks using variations of "Let's Encrypt". As might be guessed, the Let's Encrypt project is less than pleased by Comodo trying to coopt its name. "Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization. If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web." [Thanks to Paul Wise.]
Xen 4.7 released
Version 4.7 of the Xen hypervisor has been released. "With dozens of major improvements, many more bug fixes and small improvements, and significant improvements to Drivers and Devices, Xen Project 4.7 reflects a thriving community around the Xen Project Hypervisor." Some of the new features include live patching, better dom0 robustness, better migration support between non-identical hosts, scheduler improvements, and more. See the release notes for more information.
Thursday's security advisories
Debian-LTS has updated squidguard (cross-site scripting).
Fedora has updated php-symfony-security-acl (F24: unspecified). Also, Fedora has sent out a reminder that Fedora 22 will reach its end of life on July 19.
Mageia has updated chromium-browser-stable (multiple vulnerabilities), kernel-linus (multiple vulnerabilities, one from 2013), kernel-tmb (multiple vulnerabilities, one from 2013), libimobiledevice (socket listening on all network interfaces), and python (three vulnerabilities).
openSUSE has updated libarchive (42.1: code execution), mariadb (13.2: many unspecified vulnerabilities), and obs-service-source_validator (42.1; 13.2: code execution).
Red Hat has updated libxml2 (RHEL6&7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (RHEL7: three vulnerabilities).
[$] LWN.net Weekly Edition for June 23, 2016
The LWN.net Weekly Edition for June 23, 2016 is available.
Sony agrees to pay millions to gamers to settle PS3 Linux debacle (ars technica)
Back in 2009, Sony removed the "install other OS" option from its PS3 game consoles, removing the ability to install Linux on those machines. It then went after developers who figured out how to jailbreak the device. Ars Technica reports that Sony has now settled a class-action lawsuit over those actions. "Under the terms of the accord, which has not been approved by a California federal judge yet, gamers are eligible to receive $55 if they used Linux on the console. The proposed settlement, which will be vetted by a judge next month, also provides $9 to each console owner that bought a PS3 based on Sony's claims about 'Other OS' functionality." The lawyers, instead, get over $2 million.
Security advisories for Wednesday
CentOS has updated setroubleshoot (C6: multiple vulnerabilities) and setroubleshoot-plugins (C6: multiple vulnerabilities).
Debian-LTS has updated icedove (multiple vulnerabilities) and python2.7 (three vulnerabilities).
Fedora has updated expat (F24: multiple vulnerabilities), php-zendframework-zendxml (F23; F22: insecure ciphertexts), php-ZendFramework2 (F23; F22: insecure ciphertexts), and xen (F22: two vulnerabilities).
openSUSE has updated Chromium (13.1: multiple vulnerabilities), ImageMagick (Leap42.1: command execution), and vlc (Leap42.1; 13.2: multiple vulnerabilities).
Oracle has updated openssl (OL5: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (OL6: multiple vulnerabilities).
Red Hat has updated python-django-horizon (RHOSP8.0; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: cross-site scripting) and setroubleshoot and setroubleshoot-plugins (RHEL6: multiple vulnerabilities).
Elixir v1.3 released
Version 1.3 of the Elixir programming language has been released. "Elixir v1.3 brings many improvements to the language, the compiler and its tooling, specially Mix (Elixir’s build tool) and ExUnit (Elixir’s test framework). The most notable additions are the new Calendar types, the new cross-reference checker in Mix, and the assertion diffing in ExUnit."
Announcing Flatpak
Not to be left behind by a certain competing project, the developers of the Flatpak packaging system have put out a press release proclaiming its virtues. "The Linux desktop has long been held back by platform fragmentation. This has been a burden on developers, and creates a high barrier to entry for third party application developers. Flatpak aims to change all that. From the very start its primary goal has been to allow the same application to run across a myriad of Linux distributions and operating systems. In doing so, it greatly increases the number of users that application developers can easily reach."
Security updates for Tuesday
Fedora has updated nfdump (F23; F22: multiple vulnerabilities) and webkitgtk4 (F22: two vulnerabilities).
openSUSE has updated ctdb (Leap42.1, 13.2: privilege escalation), libtorrent-rasterbar (Leap42.1, 13.2: denial of service), ntp (Leap42.1: multiple vulnerabilities), and kernel (Leap42.1: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Slackware has updated libarchive (multiple vulnerabilities) and pcre (denial of service).
SUSE has updated ctdb (SLE11-SP4: privilege escalation), libimobiledevice, usbmuxd (SLE12-SP1: sockets listening on INADDR_ANY), and php53 (SLES11-SP2: multiple vulnerabilities).
Ubuntu has updated dnsmasq (16.04, 15.10: denial of service), expat (two vulnerabilities), haproxy (16.04: denial of service), spice (16.04, 15.10, 14.04: two vulnerabilities), wget (code execution), and xmlrpc-c (12.04: multiple vulnerabilities).
Fedora 24 released
After several schedule slips, the Fedora 24 release is available. "The Fedora Project has embarked on a great journey... redefining what an operating system should be for users and developers. Such innovation does not come overnight, and Fedora 24 is one big step on the road to the next generation of Linux distributions. But that does not mean that Fedora 24 is some 'interim' release; there are great new features for Fedora users to deploy in their production environments right now!" See the Fedora 24 approved features list for an idea of what's in this release.
Horn: Exploiting Recursion in the Linux Kernel
On the Project Zero blog, Jann Horn describes a bug Horn found that allows user space to overflow the kernel stack using the ecryptfs encrypted filesystem. That overflow can be used to elevate privileges for local users on Ubuntu systems configured for encrypted home directories. "However, the reason why I wrote a full root exploit for this not exactly widely exploitable bug is that I wanted to demonstrate that Linux stack overflows can occur in very non-obvious ways, and even with the existing mitigations turned on, they're still exploitable. In my bug report, I asked the kernel security list to add guard pages to kernel stacks and remove the thread_info struct from the bottom of the stack to more reliably mitigate this bug class, similar to what other operating systems and grsecurity are already doing. Andy Lutomirski had actually already started working on this, and he has now published patches that add guard pages: https://lkml.org/lkml/2016/6/15/1064."
[$] Transport-level protocols in user space
The Linux networking developers have long held a strong opinion about user-space protocol implementations: they should be avoided in favor of making the in-kernel implementation better. So it might be surprising to see a veteran networking developer post a patch set aimed at making user-space implementations easier. A look at this patch and its motivations shines an interesting light on changes that are taking place in the networking world.
Security advisories for Monday
Arch Linux has updated flashplugin (multiple vulnerabilities), glibc (denial of service), lib32-flashplugin (multiple vulnerabilities), lib32-glibc (denial of service), and wget (code execution).
Debian has updated libxslt (three vulnerabilities).
Debian-LTS has updated firefox-esr (multiple vulnerabilities) and horizon (cross-site scripting).
Fedora has updated expat (F23: multiple vulnerabilities), GraphicsMagick (F23; F22: multiple vulnerabilities), iperf3 (F23; F22: denial of service), sudo (F22: information leak), and wget (F22: code execution).
Gentoo has updated dhcpcd (denial of service), ffmpeg (multiple vulnerabilities), flash-player (multiple vulnerabilities), and php (multiple vulnerabilities).
openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities), flash-player (13.2; 13.1: multiple vulnerabilities), and poppler (Leap42.1: code execution).
Scientific Linux has updated ImageMagick (SL6,7: multiple vulnerabilities).
Kernel prepatch 4.7-rc4
The 4.7-rc4 prepatch is now available for testing. Linus Torvalds said that it is "pretty small" with "nothing particularly worrisome". The development cycle proceeds apace with the usual sorts of changes: "The statistics look very normal: about two thirds drivers, with the rest being half architecture updates and half "misc" (small filesystem updates, some documentation, and a smattering of patches elsewhere)."
Klumpp: A few words about the future of the Limba project
Those concerned about the proliferation of application-packaging formats will soon have one fewer to worry about. At his blog, Matthias Klumpp announces that he intends to scale back his work on Limba, the cross-distribution application-packaging format he has developed as an extension of the ideas in the earlier Listaller. The decision comes on the heels of discussions with Flatpak developer Alexander Larsson, since the two projects overlap in many respects: "Alex and I had very productive discussions, and except for the modularity issue, we were pretty much on the same page in every other aspect regarding the sandboxing and app-distribution matters." Given that he has several other active projects in development, Klumpp has decided to throttle back on Limba, although he will continue to hack on it "as a research project" and sees several opportunities where it might still fit into vendor-independent software distribution down the road. "This is good news for all the people out there using the Tanglu Linux distribution, AppStream-metadata-consuming services, PackageKit on Debian, etc. – those will receive more attention," Klumpp concludes.
Friday's security updates
CentOS has updated firefox (C6; C5; C7: multiple vulnerabilities) and imagemagick (C6; C7: multiple vulnerabilities).
Debian has updated drupal7 (privilege escalation).
Debian-LTS has updated imagemagick (buffer overflow) and kernel (multiple vulnerabilities).
Gentoo has updated nginx (multiple vulnerabilities) and spice (multiple vulnerabilities).
Mageia has updated expat (M5: multiple vulnerabilities), flash-player-plugin (M5: multiple vulnerabilities), and virtualbox (M5: unspecified vulnerability).
openSUSE has updated wireshark (13.2, Leap 42.1: multiple vulnerabilities).
Oracle has updated ImageMagick (O7; O6: multiple vulnerabilities).
Red Hat has updated flash-plugin (RHEL 5,6: multiple vulnerabilities) and imagemagick (RHEL6,7: multiple vulnerabilities).
Scientific Linux has updated firefox (SL 5,6,7: multiple vulnerabilities), kernel (SL6: multiple vulnerabilities), ntp (SL 6,7: multiple vulnerabilities), spice-server (SL6: multiple vulnerabilities), squid (SL6: multiple vulnerabilities), and squid34 (SL6: multiple vulnerabilities).
SUSE has updated ImageMagick (SLE11: command execution), libxml2 (SLE11: multiple vulnerabilities), and ntp (SLE11: multiple vulnerabilities).
The Children's Illustrated Guide to Kubernetes
For those who are wondering what Kubernetes is all about, Matt Butcher has posted an illustrated guide for children. "Phippy loved life aboard Captain Kube's ship and she enjoyed the company of her new friends (every replicated pod of Goldie was equally delightful). But as she thought back to her days on the scary hosted provider, she began to wonder if perhaps she could also have a little privacy. 'It sounds like what you need,' said Captain Kube, 'is a namespace.'"
The Qt Company Releases Qt 5.7
Qt 5.7 has been released, with a new Qt 3D module and other improvements. "The future of user interfaces is moving towards heavier integration of 3D graphics. 3D integration of Qt has always been possible with direct OpenGL programming but with Qt 5.7 and the new Qt 3D module it is now easy to create 3D UIs and interact with 3D objects using high-level Qt C++ and QML APIs. Visualizing a 3D model with Qt 3D is now a matter of minutes instead of hours or days of OpenGL programming. In addition to just 3D rendering, Qt 3D is a fully extensible 3D framework for near-realtime simulations e.g. physics engine, artificial intelligence, collision detection. Qt 3D has been developed together with KDAB, a Qt Service Partner and the biggest external contributor to Qt. For more information about KDAB, please visit www.kdab.com."
Thursday's security updates
openSUSE has updated libxml2 (Leap42.1; 13.2: multiple vulnerabilities).
SUSE has updated kernel (SLE12: privilege escalation).
[$] LWN.net Weekly Edition for June 16, 2016
The LWN.net Weekly Edition for June 16, 2016 is available.
Keen: The case against upstream packaging
Arch maintainer Kyle Keen speaks out against direct delivery of software by upstream projects. "Maintainers' greatest power is the ability to outright say 'This is not good enough for our users' and consequently punish an ISV by either patching out the offensive part or in extreme cases removing the software from the repositories. ISVs know this and so don't act out. After 20 years of enforced good behavior this has led to the idea of ISVs as 'the benevolent upstream developer.' This is why Linux doesn't have spyware, doesn't come with browser toolbars, doesn't bundle limited trials, doesn't nag you to purchase and doesn't pummel you with advertising."
Security advisories for Wednesday
Debian has updated libav (code execution) and php5 (multiple vulnerabilities).
openSUSE has updated clamav-database (Leap42.1: database refresh), monit (Leap42.1: disable SSLv3), and ntp (13.2: multiple vulnerabilities).
SUSE has updated ntp (SLE11-SP4: multiple vulnerabilities) and php53 (SOSC5, SMP2.1, SM2.1, SLE11-SP4: multiple vulnerabilities).
[$] Kernel building with GCC plugins
It has long been understood that static-analysis tools can be useful in finding (and defending against) bugs and security problems in code. One of the best places to implement such tools is in the compiler itself, since much of the work required to analyze a program is already done in the compilation process. Despite the fact that GCC has had the ability to support security-oriented plugins for some years, the mainline kernel has never adopted any such plugins. That situation looks likely to change with the 4.8 kernel release, though.
Ubuntu’s snap apps are coming to distros everywhere (Ars Technica)
Ars Technica reports that Ubuntu's snapd tool has been ported to other Linux distributions. "To install snap packages on non-Ubuntu distributions, Linux desktop and server users will have to first install the newly cross-platform snapd. This daemon verifies the integrity of snap packages, confines them into their own restricted space, and acts as a launcher. Instructions for creating snaps and installing snapd on a variety of distributions are available at this website. Snapd itself is installed as traditional packages on these other operating systems. That means there's a snapd RPM package for Fedora, for example. It's the same snapd code for every Linux distribution, just packaged differently, and applications packaged as snaps should work on any Linux distro running snapd without needing to be re-packaged." Snapd is available for Arch, Debian, and Fedora. It's also being tested by CentOS, Elementary, Gentoo, Mint, openSUSE, OpenWrt and RHEL.
Security updates for Tuesday
Debian has updated icedove (code execution).
Debian-LTS has updated libav (code execution).
openSUSE has updated libtasn1 (13.2: two denial of service vulnerabilities) and nodejs (Leap42.1, 13.2: multiple vulnerabilities).
Oracle has updated kernel 4.1.12 (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), and kernel 2.6.39 (OL6; OL5: privilege escalation).
Red Hat has updated kernel (RHEL6.5: two remote denial of service vulnerabilities).
SUSE has updated ImageMagick (SLE12-SP1: command execution) and ntp (SLE12-SP1; SLE12: multiple vulnerabilities).
Git v2.9.0 released
Version 2.9.0 of the Git source-code management system is out. There are various improvements and small changes that maintainers of scripts using Git will want to look at, but no major changes.
Lortie: Gtk 4.0 is not Gtk 4
Allison Lortie writes about a new proposed GTK release scheme that may take some getting used to. "Meanwhile, Gtk 4.0 will not be the final stable API of what we would call 'Gtk 4'. Each 6 months, the new release (Gtk 4.2, Gtk 4.4, Gtk 4.6) will break API and ABI vs. the release that came before it. These incompatible minor versions will not be fully parallel installable; they will use the same pkg-config name and the same header file directory. We will, of course, bump the soname with each new incompatible release — you will be able to run Gtk 4.0 apps alongside Gtk 4.2 and 4.4 apps, but you won’t be able to build them on the same system. This policy fits the model of how most distributions think about libraries and their 'development packages'." Only the last release in each major number series (expected every two years) would have a stable API. Read the whole thing to fully understand what is being proposed.
Let's Encrypt Email Address Disclosures
Let's Encrypt has a preliminary report about an email address disclosure. "On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients. The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones." A postmortem is underway. (Thanks to Paul Wise)
Update: postmortem results have been added to the incident report. "A small piece of software had been written to handle one-off mass emailing to our subscribers. It was being used for the first time when this incident occurred. The software went through code review and testing as it was being developed, but testing was insufficient. It did not catch a bug which prepended the email addresses of prior recipients to the body of emails. Insufficient testing is considered to be the root cause of this incident."
Security advisories for Monday
Arch Linux has updated expat (two vulnerabilities) and lib32-expat (two vulnerabilities).
Debian-LTS has updated libtorrent-rasterbar (denial of service), libxslt (three vulnerabilities), mantis (cross-site scripting), and nspr (buffer overflow).
Fedora has updated xen (F22: multiple vulnerabilities).
Mageia has updated kernel (multiple vulnerabilities), libjpeg (memory leak), openslp (denial of service), vlc/mad (code execution), and wireshark (multiple vulnerabilities).
openSUSE has updated firefox, nss (Leap42.1, 13.2; 13.1: multiple vulnerabilities), opera (Leap42.1: multiple vulnerabilities), php5 (13.2: multiple vulnerabilities), phpMyAdmin (13.1: three vulnerabilities), and proftpd (13.1: weak key usage).
SUSE has updated qemu (SLE12: multiple vulnerabilities).
Mourning Hans-Jürgen Koch
Thomas Gleixner wrote the following to us: The Linux Kernel community is mourning the passing of Hans-Jürgen Koch. Hans was a free-software enthusiast and an active contributor. He worked on Radio Data System support both in kernel and user space and was the main author and maintainer of the UIO subsystem and contributed in various ways to the Linux kernel as a professional and hobbyist. He authored a UIO book, gave countless talks at various open-source conferences, and served as a member of the Linuxtag program committee. His calm and modest nature made it a pleasure to work with him. Meeting him in person was always an enjoyable experience. His interests spanned a broad range from literature, music and history to politics and engagement for the German branch of Friends of the Earth. His wicked sense of humor along with his always-ready-to-be-told bag of anecdotes enlivened quite some social events. He will be sorely missed and our thoughts are with his family and friends.
Kernel prepatch 4.7-rc3
The third 4.7 prepatch is out for testing. Linus says: "The diffstat looks fairly normal and innocuous. There's more of a filesystem component to it than usual, but that's mostly some added new btrfs tests, and if you ignore that part it's all the normal stuff: drivers dominate (gpu and networking drivers are the bulk, but there's i2c, rdma, ...) with some arch updates, and general networking code. And the usual random stuff all over."
Grover: Why Rust for Low-level Linux programming?
On his blog, Andy Grover makes a case for using the Rust language for new projects instead of C or Python. "Second, there are people like me, people working in C and Python on Linux systems-level stuff — the “plumbing”, who are frustrated with low productivity. C and Python have diametrically-opposed advantages and disadvantages. C is fast to run but slow to write, and hard to write securely. Python is more productive but too slow and RAM-hungry for something running all the time, on every system. We must deal with getting C components to talk to Python components all the time, and it isn’t fun. Rust is the first language that gives a system programmer performance and productivity. These people might see Rust as a chance to increase security, to increase their own productivity, to never have to touch libtool/autoconf ever again, and to solve the C/Python dilemma with a one language solution."
Help Make Open Source Secure (The Mozilla Blog)
On The Mozilla blog, Chris Riley announces the "Secure Open Source" (SOS) fund to provide money to help with the security of open-source software. "The SOS Fund will provide security auditing, remediation, and verification for key open source software projects. The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs. But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the Internet. Security is a process. To have substantial and lasting benefit, we need to invest in education, best practices, and a host of other areas. Yet we hope that this fund will provide needed short-term benefits and industry momentum to help strengthen open source projects." SOS sounds similar in scope to the Core Infrastructure Initiative (CII) set up by the Linux Foundation.
Security advisories for Friday
Arch Linux has updated gnutls (arbitrary file overwrite), haproxy (denial of service), and lib32-gnutls (arbitrary file overwrite).
Debian has updated firefox-esr (multiple vulnerabilities) and p7zip (code execution).
Debian-LTS has updated p7zip (code execution) and samba (regression in previous security fix).
Fedora has updated docker (F23: privilege escalation) and firefox (F22: multiple vulnerabilities).
SUSE has updated bind (two vulnerabilities) and libxml2 (SLE12: multiple vulnerabilities).
Ubuntu has updated firefox (multiple vulnerabilities), kernel (16.04; 15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04; 15.10: multiple vulnerabilities), linux-snapdragon (16.04: code execution), linux-ti-omap4 (12.04: multiple vulnerabilities), and squid3 (multiple vulnerabilities).
KDE neon User Edition 5.6 Available now (KDE.News)
The first version of KDE neon, which is a distribution based on Ubuntu 16.04 that is meant to be a stable platform on which to try the latest Plasma desktop, has been released. "KDE neon User Edition 5.6 is based on the latest version of Plasma 5.6 and intends to showcase the latest KDE technology on a stable foundation. It is a continuously updated installable image that can be used not just for exploration and testing but as the main operating system for people enthusiastic about the latest desktop software. It comes with a slim selection of apps, assuming the user's capacity to install her own applications after installation, to avoid cruft and meaningless weight to the ISO. The KDE neon team will now start adding all of KDE's applications to the neon archive. Since the announcement of the project four months ago the team has been working on rolling out our infrastructure, using current best-practice devops technologies. A continuous integration Jenkins system scans the download servers for new releases and automatically fires up computers with Docker instances to build packages. We work in the open and as a KDE project any KDE developer has access to our packaging Git repository and can make fixes, improvements and inspect our work."
Thursday's security updates
Fedora has updated firefox (F23: multiple vulnerabilities), gnutls (F23: arbitrary file overwrite), and kernel (F23: denial of service).
Mageia has updated firefox (multiple vulnerabilities).
openSUSE has updated ImageMagick (13.2: command execution).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).
Red Hat has updated firefox (multiple vulnerabilities).
Scientific Linux has updated file (SL6: multiple vulnerabilities from 2014), icedtea-web (SL6: two vulnerabilities), ntp (SL6: multiple vulnerabilities, one from 2014), openssh (SL6: multiple vulnerabilities), openssl (SL6: multiple vulnerabilities), qemu-kvm (SL6: code execution), and thunderbird (SL6: two vulnerabilities).
Tschacher: Typosquatting programming language package managers
Nikolai Tschacher demonstrates how easy it is to run arbitrary code by way of "typosquatting" uploads to programming language download sites. "Because everybody can upload any package on PyPi, it is possible to create packages which are typo versions of popular packages that are prone to be mistyped. And if somebody unintentionally installs such a package, the next question comes intuitively: Is it possible to run arbitrary code and take over the computer during the installation process of a package?" He tried an experiment and was able to run a little program that phoned home from thousands of systems.
[$] LWN.net Weekly Edition for June 9, 2016
The LWN.net Weekly Edition for June 9, 2016 is available.
Maru OS now freely available
The Maru OS handset distribution (reviewed here in April) has moved out of the beta-test period and is now freely downloadable without an invitation. Maru functions as both an Android handset and an Ubuntu desktop (when connected to an external monitor). For now, it remains limited to Nexus 5 handsets. "Now that the beta program is over, I’m finally turning my attention to the open-source project so we can expand device support with the help of the community. Let’s get Maru in the hands of a lot more people!"
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.6.2, 4.5.7, 4.4.13, and 3.14.72. This is the last 4.5.y stable kernel release. Users of the 4.5 kernel series should upgrade to the 4.6 kernel series.
Security advisories for Wednesday
Arch Linux has updated firefox (multiple vulnerabilities), qemu (multiple vulnerabilities), qemu-arch-extra (multiple vulnerabilities), and subversion (two vulnerabilities).
CentOS has updated spice (C7: two vulnerabilities) and spice-server (C6: two vulnerabilities).
Debian has updated expat (two vulnerabilities) and vlc (code execution).
Debian-LTS has updated expat (two vulnerabilities), libpdfbox-java (XML External Entity attacks), and libxstream-java (XML External Entity attacks).
Fedora has updated openslp (F23; F22: denial of service).
Mageia has updated chromium-browser-stable/libpng (multiple vulnerabilities), libxslt (two vulnerabilities), and ntp (multiple vulnerabilities).
openSUSE has updated expat (Leap42.1: code execution), gd (13.2: information leak), glibc (13.2: multiple vulnerabilities), GraphicsMagick (Leap42.1; 13.2: command execution), libimobiledevice, libusbmuxd (Leap42.1, 13.2: sockets listening on INADDR_ANY), libksba (Leap42.1: denial of service), and php5 (Leap42.1: multiple vulnerabilities).
SUSE has updated expat (SLE11-SP4: code execution).
The Qt Automotive Suite launches
The Qt Blog announces the launch of the Qt Automotive Suite. "With cumulative experience from over 20 automotive projects it was noted how Qt is really well suited to the needs of building IVIs and Instrument Clusters, that there were already millions of vehicles on the road with Qt inside, and that there were a lot of ongoing projects. There was though a feeling that things could be even better, that there were still a few things holding back the industry, contributing to the sense that shipped IVI systems could be built faster, cheaper and with a higher quality."
[$] Distributors ponder a systemd change
Linux users tend to pride themselves on their position at the leading edge of a fast-moving development community. But, in truth, much of what we do is rooted in many decades of Unix tradition, and we tend to get grumpy when young developers show up and start changing things around. A recent change of default in systemd represents such a change and the kind of response that it brings out; as a result, Linux distributors are going to have to make a decision on whether they should preserve the way things have always worked or make a change that, while potentially disruptive to users, is arguably a step toward more predictable, controllable, and secure behavior.
Firefox 47
Firefox 47 has been released. This version enables the VP9 video codec for users with fast machines, plays embedded YouTube videos with HTML5 video if Flash is not installed, and more. There is a blog post about these and other improvements. "Now, we are making it even easier to access synced tabs directly in your desktop Firefox browser. If you’re logged into your Firefox Account, you will see all open tabs from your smartphone or other computers within the sidebar. In the sidebar you can also search for specific tabs quickly and easily." See the release notes for more information.
Tuesday's security updates
Debian has updated spice (two vulnerabilities).
Debian-LTS has updated dhcpcd5 (code execution) and nss (cipher-downgrade attacks).
Fedora has updated glibc (F23: denial of service), nginx (F23: denial of service), and qemu (F22: multiple vulnerabilities).
openSUSE has updated clamav-database (Leap42.1: database refresh).
Oracle has updated spice (OL7: two vulnerabilities) and spice-server (OL6: two vulnerabilities).
Red Hat has updated glibc (RHEL6.5: sends DNS queries to random file descriptors), jenkins (RHOSE3.2: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).
Scientific Linux has updated spice (SL7: two vulnerabilities) and squid (SL7: multiple vulnerabilities).
SUSE has updated expat (SLE12-SP1: code execution).
Ubuntu has updated libxml2 (multiple vulnerabilities) and oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities).
Open Build Service 2.7 released
Open Build Service 2.7 has been released. "Three large features around the topic of integrating external resources made it into this release. We worked on automatic tracking of moving repositories of development versions like Fedora Rawhide, distribution updates or rolling Linux releases like Arch. A change to the OBS git integration to enable developers to work on continuous builds. And last but not least an experimental KIWI import that can be used to easily migrate your images from SUSE studio."
Security updates for Monday
Arch Linux has updated chromium (multiple vulnerabilities), ntp (multiple vulnerabilities), and webkit2gtk (code execution).
Debian has updated chromium-browser (multiple vulnerabilities), mariadb-10.0 (multiple vulnerabilities), and samba (regression in previous update).
Debian-LTS has updated libxml2 (multiple vulnerabilities).
Fedora has updated php (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), roundcubemail (F23; F22: cross-site scripting), sudo (F23: information leak), and xen (F23: multiple vulnerabilities).
Gentoo has updated gnupg (multiple vulnerabilities), libjpeg-turbo (information leak), puppet-agent (multiple vulnerabilities), and putty (multiple vulnerabilities).
openSUSE has updated Chromium (Leap42.1; 13.2: multiple vulnerabilities).
Slackware has updated ntp (multiple vulnerabilities).
SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).