LWN.net (feed: lwn)
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-11-06 09:15
In Memory of Jonathan “avenj” Portnoy
The Gentoo community is mourning the loss of Jonathan Portnoy. "Jon was an active member of the International Gentoo community, almost since its founding in 1999. He was still active until his last day. His passing has struck us deeply and with disbelief. We all remember him as a vivid and enjoyable person, easy to reach out to and energetic in all his endeavors."
Wednesday's security updates
CentOS has updated kernel (C6: TCP injection).
Debian-LTS has updated libgcrypt11 (flawed random number generation).
Fedora has updated eog (F24: out-of-bounds write), kernel (F23: use-after-free), mariadb (F23: multiple vulnerabilities), mingw-lcms2 (F24: heap memory leak), postgresql (F23: multiple vulnerabilities), and python (F23: proxy injection).
openSUSE has updated libidn (Leap 42.1: multiple vulnerabilities) and kernel (13.2: multiple vulnerabilities).
Oracle has updated kernel (O6: TCP injection).
Red Hat has updated kernel (RHEL 7.1: multiple vulnerabilities; RHEL6: TCP injection) and qemu-kvm-rhev (RHOSP8: multiple vulnerabilities).
Scientific Linux has updated kernel (SL6: TCP injection).
Slackware has updated gnupg (flawed random number generation), kernel (14.2: TCP injection), and libgcrypt (flawed random number generation).
KDevelop 5.0 released
Version 5.0.0 of the KDevelop integrated development environment (IDE) has been released, marking the end of a two-year development cycle. The highlight is a move to Clang for C and C++ support: "The most prominent change certainly is the move away from our own, custom C++ analysis engine. Instead, C and C++ code analysis is now performed by clang." The announcement goes on to describe other benefits of using Clang, such as more accurate diagnostics and suggested fixes for many syntax errors. KDevelop has also been ported to KDE Frameworks 5 and Qt 5, which opens up the possibility of Windows releases down the line.
Tuesday's security updates
Arch Linux has updated libgcrypt (information disclosure).
Fedora has updated kernel (F24: use-after-free vulnerability), pagure (F24: cross-site scripting), and postgresql (F24: multiple vulnerabilities).
Red Hat has updated qemu-kvm-rhev (RHEL7 OSP5; RHEL7 OSP7; RHEL6 OSP5; RHEL7 OSP6: multiple vulnerabilities).
SUSE has updated MozillaFirefox (SLE12: multiple vulnerabilities).
Android 7.0 "Nougat" released
Google has announced that the Android 7.0 release has started rolling out to recent-model Nexus devices. "It introduces a brand new JIT/AOT compiler to improve software performance, make app installs faster, and take up less storage. It also adds platform support for Vulkan, a low-overhead, cross-platform API for high-performance, 3D graphics. Multi-Window support lets users run two apps at the same time, and Direct Reply so users can reply directly to notifications without having to open the app. As always, Android is built with powerful layers of security and encryption to keep your private data private, so Nougat brings new features like File-based encryption, seamless updates, and Direct Boot." See this page for a video-heavy description of new features.
Stable kernels 4.7.2, 4.4.19, and 3.14.77
Greg Kroah-Hartman has announced the release of the 4.7.2, 4.4.19, and 3.14.77 stable kernels. As usual, they contain fixes throughout the tree and users of those series should upgrade.
Monday's security advisories
Arch Linux has updated linux-lts (connection hijacking).
CentOS has updated kernel (C7: connection hijacking).
Debian-LTS has updated cracklib2 (code execution) and suckless-tools (screenlock bypass).
Fedora has updated firewalld (F24: authentication bypass), glibc (F24: denial of service on armhfp), knot (F24; F23: denial of service), libgcrypt (F24: bad random number generation), and perl (F23: privilege escalation).
openSUSE has updated apache2-mod_fcgid (42.1, 13.2: proxy injection), gd (13.2: multiple vulnerabilities), iperf (SPHfSLE12; 42.1, 13.2: denial of service), pdns (42.1, 13.2: denial of service), python3 (42.1, 13.2: multiple vulnerabilities), roundcubemail (42.1; 13.2; 13.1: multiple vulnerabilities, two from 2015), and typo3-cms-4_7 (42.1, 13.2: three vulnerabilities from 2013 and 2014).
Scientific Linux has updated kernel (SL7: connection hijacking) and python (SL6&7: three vulnerabilities).
Kernel prepatch 4.8-rc3
The 4.8-rc3 kernel prepatch is out. "It all looks pretty sane, I'm not seeing anything hugely scary here."
Fedora 25 to run Wayland by default
The Fedora engineering steering committee has agreed that the upcoming Fedora 25 release should use the Wayland display manager by default. "There are still some bugs that are important to solve. However, there is still time to work on them. And the legacy Xorg session option will not be removed, and it will be clearly documented how to fall back in cases where users need it." If this plan holds, it may be an important step in the long-awaited move away from the X Window system.
kdenlive 16.08.0 released
The kdenlive video editor project has announced the 16.08.0 release. "Kdenlive 16.08.0 marks a milestone in the project’s history, bringing it a step closer to becoming a full-fledged professional tool." Highlights include three-point editing, pre-rendering of timeline effects, Krita image support, and more.
Friday's security updates
CentOS has updated python (C7; C6: multiple vulnerabilities).
Fedora has updated ca-certificates (F24: update to CA certificates) and spice (F23: multiple vulnerabilities).
Oracle has updated kernel (O7: TCP injection) and python (O7; O6: multiple vulnerabilities).
Red Hat has updated kernel (RHEL7; RHEL6: TCP injection), kernel-rt (RHEL7: TCP injection), python (RHEL 6,7: multiple vulnerabilities), python27-python (RHSC: multiple vulnerabilities), python33-python (RHSC: multiple vulnerabilities), realtime-kernel (RHEM2.5: TCP injection), rh-mariadb101-mariadb (RHSC: multiple vulnerabilities), rh-python34-python (RHSC: multiple vulnerabilities), and rh-python35-python (RHSC: multiple vulnerabilities).
SUSE has updated the Linux Kernel (SLE12: multiple vulnerabilities) and xen (SLE11: multiple vulnerabilities).
Ubuntu has updated gnupg (12.04, 14.04, 16.04: flawed random-number generation), libgcrypt11, libgcrypt20 (12.04, 14.04, 16.06: flawed random-number generation), and postgresql-9.1, postgresql-9.3, postgresql-9.5 (12.04, 14.04, 16.04: multiple vulnerabilities).
Microsoft announces PowerShell for Linux and Open Source
Microsoft has announced the release of its PowerShell automation and scripting platform under the MIT license, complete with a GitHub repository. "Last year we started down this path by contributing to a number of open source projects (e.g. OpenSSH) and open sourcing a number of our own components including DSC resources. We learned that working closely with the community, in the code and with our backlog and issues list, allowed us to prioritize and drive the development much more responsively. We’ve always worked with the community, but shifting to a fine-grain, tight feedback loop with the code energized the team and allowed us to focus on the things that had the most impact for our customers and partners. Now we are going big by making PowerShell itself an open source project and making it available on Mac OS X, Ubuntu, CentOS/RedHat and others in the future."
Xenomai project mourns Gilles Chanteperdrix
The Xenomai project is mourning Gilles Chanteperdrix, a longtime maintainer of the realtime framework, who recently passed away. In the announcement, Philippe Gerum writes: "Gilles will forever be remembered as a true-hearted man, a brilliant mind always scratching beneath the surface, looking for elegance in the driest topics, never jaded from such accomplishment. According to Paul Valéry, “death is a trick played by the inconceivable on the conceivable”. Gilles’s absence is inconceivable to me, I can only assume that for once, he just got rest from tirelessly helping all of us."
Security against Election Hacking (Freedom to Tinker)
Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed. "With optical-scan voting, the voter fills in the bubbles next to the names of her selected candidates on a paper ballot; then she feeds the op-scan ballot into the optical-scan computer. The computer counts the vote, and the paper ballot is kept in a sealed ballot box. The computer could be hacked, in which case (when the polls close) the voting machine lies about how many votes were cast for each candidate. But we can recount the physical pieces of paper marked by the voter’s own hands; that recount doesn’t rely on any computer. Instead of doing a full recount of every precinct in the state, we can spot-check just a few ballot boxes to make sure they 100% agree with the op-scan computers’ totals. Problem: What if it’s not an optical-scan computer, what if it’s a paperless touchscreen (“DRE,” Direct-Recording Electronic) voting computer? Then whatever numbers the voting computer says, at the close of the polls, are completely under the control of the computer program in there. If the computer is hacked, then the hacker gets to decide what numbers are reported. There are no paper ballots to audit or recount. All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem."
Thursday's security advisories
Arch Linux has updated chromium (multiple vulnerabilities) and linux-zen (connection hijacking).
Debian has updated gnupg (flawed random number generation) and libgcrypt20 (flawed random number generation).
Debian-LTS has updated libupnp (arbitrary file overwrite).
Fedora has updated bind (F23: denial of service), fontconfig (F23: privilege escalation), and python3 (F23: proxy injection).
SUSE has updated xen (SLE12: multiple vulnerabilities, one from 2014) and yast2-ntp-client (SLE10: multiple vulnerabilities, most from 2015).
Ubuntu has updated fontconfig (16.04, 14.04, 12.04: privilege escalation).
[$] LWN.net Weekly Edition for August 18, 2016
The LWN.net Weekly Edition for August 18, 2016 is available.
[$] Bus1: a new Linux interprocess communication proposal
Anyone who has been paying attention to Linux kernel development in recent years would be aware that IPC — interprocess communication — is not a solved problem. There are certainly many partial solutions, from pipes and signals, through sockets and shared memory, to more special-purpose solutions like Cross Memory Attach and Android's binder. But it seems there are still some use cases that aren't fully addressed by current solutions, leading to new solutions being occasionally proposed to try to meet those needs. The latest proposal is called "bus1".
Security updates for Wednesday
Fedora has updated curl (F23: three vulnerabilities), drupal7-theme-zen (F24; F23: cross-site scripting), mingw-libarchive (F24: code execution), mingw-xz (F24: code execution), pulp (F24: two vulnerabilities), pulp-docker (F24: two vulnerabilities), pulp-ostree (F24: two vulnerabilities), pulp-puppet (F24: two vulnerabilities), pulp-python (F24: two vulnerabilities), and pulp-rpm (F24: two vulnerabilities).
Red Hat has updated kernel (RHEL6.2: privilege escalation).
Scientific Linux has updated mariadb (SL7: multiple unspecified vulnerabilities), php (SL7: proxy injection), and qemu-kvm (SL7: two vulnerabilities).
SUSE has updated squid3 (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities).
Stable kernel updates
Stable kernels 4.7.1, 4.6.7, 4.4.18, and 3.14.76 have been released. All contain important fixes. This is the last 4.6.y kernel; users should upgrade to 4.7.1 now.
Go 1.7 released
Version 1.7 of the Go language has been released. "There is one tiny language change in this release. The section on terminating statements clarifies that to determine whether a statement list ends in a terminating statement, the 'final non-empty statement' is considered the end, matching the existing behavior of the gc and gccgo compiler toolchains." On the other hand, there appear to be significant optimization improvements; see the release notes for details.
Security advisories for Tuesday
Debian-LTS has updated extplorer (archive traversal).
Fedora has updated jasper (F24: multiple vulnerabilities) and kernel (F24; F23: denial of service).
openSUSE has updated harfbuzz (Leap42.1, 13.2: multiple vulnerabilities) and squid (Leap42.1: multiple vulnerabilities).
Oracle has updated kernel 4.1.12 (OL7; OL6: information disclosure) and kernel 3.8.13 (OL7; OL6: information disclosure).
SUSE has updated php5 (SLE11-SP2: multiple vulnerabilities).
Ubuntu has updated openssh (two vulnerabilities).
Google is developing an OS called “Fuchsia,” runs on All the Things (Android Police)
Android Police takes a look at a new OS from Google. "Enter “Fuchsia.” Google’s own description for it on the project’s GitHub page is simply, “Pink + Purple == Fuchsia (a new Operating System)”. Not very revealing, is it? When you begin to dig deeper into Fuchsia’s documentation, everything starts to make a little more sense. First, there’s the Magenta kernel based on the ‘LittleKernel’ project. Just like with Linux and Android, the Magenta kernel powers the larger Fuchsia operating system. Magenta is being designed as a competitor to commercial embedded OSes, such as FreeRTOS or ThreadX." Fuchsia also uses the Flutter user interface, the Dart programming language, and Escher, "a renderer that supports light diffusion, soft shadows, and other visual effects, with OpenGL or Vulkan under the hood".
Monday's security advisories
Arch Linux has updated kernel (information disclosure), linux-grsec (information disclosure), and postgresql (two vulnerabilities).
Debian has updated wireshark (multiple vulnerabilities).
Debian-LTS has updated openssh (denial of service) and wireshark (multiple vulnerabilities).
Fedora has updated chromium (F24: multiple vulnerabilities) and drupal7-entity_translation (F24; F23: cross-site scripting).
openSUSE has updated GraphicsMagick (Leap42.1: multiple vulnerabilities), ImageMagick (13.2: three vulnerabilities), and php5 (13.2: multiple vulnerabilities).
Scientific Linux has updated php (SL6: proxy injection).
SUSE has updated firefox, nspr, nss (SLE11-SP2: multiple vulnerabilities) and kernel (SLE11-SP2: multiple vulnerabilities).
Ubuntu has updated qemu, qemu-kvm (regression in previous update).
Kernel prepatch 4.8-rc2
The second 4.8 prepatch has been released. Linus says: "Nothing really strange seems to be going on, so please just go out and test it and report any problems you encounter. It's obviously fairly early in the rc series, but I don't think there was anything particularly worrisome this merge window, so don't be shy."
OpenMandriva Lx 3.0 released
The OpenMandriva Lx 3.0 release is available. "OpenMandriva Lx is a cutting edge distribution compiled with LLVM/clang. Combined with the high level of optimisation used for both code and linking (by enabling LTO) used in its building, this gives the OpenMandriva desktop an unbelievably crisp response to operations on the KDE Plasma 5 desktop which makes it a pleasure to use."
Ardour 5.0 released
The Ardour audio workstation has released its 5.0 version. There are many new features in the release, including a tabbed user interface, Lua scripting, built-in plugins, and new themes. "Ardour 5.0 is now available for Linux, OS X and Windows. This is a major release focused on substantial changes to the GUI and major new features related to mixing, plugin use, tempo maps, scripting and more. As usual, there are also hundreds of bug fixes. Ardour 5.0 can be parallel-installed with older versions of the program, and does not use the same preference files. It will load sessions from Ardour 2, 3 and 4, though with some potential minor changes."
Lefkowitz: The One Python Library Everyone Needs
Twisted developer Glyph Lefkowitz writes about the attrs library for Python, which he calls "my favorite mandatory Python library". Instead of a lot of boilerplate to handle attributes in classes, attrs makes it far easier. "It lets you say what you mean directly with a declaration rather than expressing it in a roundabout imperative recipe. Instead of “I have a type, it’s called MyType, it has a constructor, in the constructor I assign the property ‘A’ to the parameter ‘A’ (and so on)”, you say “I have a type, it’s called MyType, it has an attribute called a”, and behavior is derived from that fact, rather than having to later guess about the fact by reverse engineering it from behavior (for example, running dir on an instance, or looking at self.__class__.__dict__)."
Security updates for Friday
CentOS has updated mariadb (C7: multiple unspecified vulnerabilities), php (C7; C6: proxy injection), and qemu-kvm (C7: two vulnerabilities).
Debian has updated icedove (multiple vulnerabilities) and postgresql-9.4 (two vulnerabilities).
Debian-LTS has updated nettle (?:).
Fedora has updated perl-DBD-MySQL (F23: code execution from 2015), python (F24: proxy injection), and python3 (F24: proxy injection).
openSUSE has updated go (42.1, 13.2; SPH: denial of service), hawk2 (42.1: clickjacking prevention), java-1_7_0-openjdk (42.1; 13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1: multiple vulnerabilities), libarchive (42.1: multiple vulnerabilities, many from 2015), OpenJDK7 (13.1: multiple vulnerabilities), pcre2 (42.1: code execution), sqlite3 (42.1: information leak), and wget (13.2: code execution).
Oracle has updated mariadb (OL7: multiple unspecified vulnerabilities), php (OL7; OL6: proxy injection), and qemu-kvm (OL7: two vulnerabilities).
Red Hat has updated mariadb (RHEL7: multiple unspecified vulnerabilities), mariadb55-mariadb (RHSC: multiple unspecified vulnerabilities), php (RHEL7; RHEL6: proxy injection), php54-php (RHSC: proxy injection), php55-php (RHSC: proxy injection), qemu-kvm (RHEL7: two vulnerabilities), Red Hat OpenShift Enterprise (two vulnerabilities), rh-mariadb100-mariadb (RHSC: multiple unspecified vulnerabilities), rh-mysql56-mysql (RHSC: multiple unspecified vulnerabilities), and rh-php56-php (RHSC: proxy injection).
Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open (Ars Technica)
Ars Technica is reporting on a mistake by Microsoft that resulted in providing a "golden key" to circumvent Secure Boot. The "key" is not really a key at all, but a debugging tool that was inadvertently left in some versions of Windows devices and was found by two security researchers; the details were released on a "rather funky website" (viewing the source of that page is a good way to avoid the visual and audio funkiness). "The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled. And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse." As the researchers note, this is a perfect example of why backdoors (legally mandated or not) in cryptographic systems are a bad idea. Update: For some more detail, see Matthew Garrett's blog post.
Security advisories for Thursday
Arch Linux has updated jq (code execution from 2015) and websvn (cross-site scripting).
Debian-LTS has updated postgresql-9.1 (two vulnerabilities).
Gentoo has updated optipng (three vulnerabilities).
openSUSE has updated typo3 (13.1: three vulnerabilities from 2013 and 2014) and firefox, mozilla-nss (13.1: many vulnerabilities).
Red Hat has updated java-1.7.0-ibm (RHEL5: two vulnerabilities), java-1.7.1-ibm (RHEL6&7: two vulnerabilities), java-1.8.0-ibm (RHEL6&7: two vulnerabilities), and python-django (RHOSP8; RHOSP7; RHEL7: cross-site scripting).
Scientific Linux has updated qemu-kvm (SL6: denial of service).
Ubuntu has updated libgd2 (16.04, 14.04: three vulnerabilities) and xmlrpc-epi (16.04: code execution).
[$] LWN.net Weekly Edition for August 11, 2016
The LWN.net Weekly Edition for August 11, 2016 is available.
[$] The TCP "challenge ACK" side channel
Side-channel attacks against various kinds of protocols (typically networking or cryptographic) are both dangerous and often hard for developers and reviewers to spot. They are generally passive attacks, which makes them hard to detect as well. A recent paper [PDF] describes in detail one such attack against the kernel's TCP networking stack; the bug (CVE-2016-5696) has existed since Linux 3.6, which was released in 2012. Ironically, the bug was introduced because Linux has implemented a countermeasure against another type of attack.
Stable kernel updates
The 4.6.6, 4.4.17, and 3.14.75 stable kernel updates have been released. Each contains the usual set of fixes and updates.
The first public Kirigami release
The KDE project has announced the first public release of the Kirigami interface framework. "Now, with KDE’s focus expanding beyond desktop and laptop computers into the mobile and embedded sector, our QWidgets-based components alone are not sufficient anymore. In order to allow developers to easily create Qt-based applications that run on any major mobile or desktop operating system (including our very own existing Plasma Desktop and upcoming Plasma Mobile, of course), we have created a framework that extends Qt Quick Controls: Welcome Kirigami!"
Security advisories for Wednesday
CentOS has updated qemu-kvm (C6: denial of service).
Debian-LTS has updated fontconfig (privilege escalation) and mongodb (problem in previous update).
Fedora has updated lighttpd (F24; F23: man-in-the-middle attacks) and openssh (F24: denial of service).
Oracle has updated qemu-kvm (OL6: multiple vulnerabilities).
Red Hat has updated qemu-kvm (RHEL6: denial of service).
SUSE has updated java-1_7_0-openjdk (SLE12-SP1: multiple vulnerabilities), java-1_8_0-openjdk (SLE12-SP1: multiple vulnerabilities), php53 (SLE11-SP4: multiple vulnerabilities), squid3 (SLE11-SP4: multiple vulnerabilities), and kernel (SLE11-SP4: three vulnerabilities).
Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), linux-snapdragon (16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
EFF Announces 2016 Pioneer Award Winners
The Electronic Frontier Foundation (EFF) has announced the winners of the 2016 Pioneer Awards: "Malkia Cyril of the Center for Media Justice, data protection activist Max Schrems, the authors of the “Keys Under Doormats” report that counters calls to break encryption, and the lawmakers behind CalECPA—a groundbreaking computer privacy law for Californians."
Study Highlights Serious Security Threat to Many Internet Users (UCR Today)
UCR Today reports that researchers at the University of California, Riverside have identified a weakness in the Transmission Control Protocol (TCP) in Linux that enables attackers to hijack users’ internet communications remotely. "The UCR researchers didn’t rely on chance, though. Instead, they identified a subtle flaw (in the form of ‘side channels’) in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties. This means that given any two arbitrary machines on the internet, a remote blind attacker, without being able to eavesdrop on the communication, can track users’ online activity, terminate connections with others and inject false material into their communications."
The People’s Code (White House blog)
US Chief Information Officer Tony Scott introduces the Federal Source Code Policy on the White House blog. "By making source code available for sharing and re-use across Federal agencies, we can avoid duplicative custom software purchases and promote innovation and collaboration across Federal agencies. By opening more of our code to the brightest minds inside and outside of government, we can enable them to work together to ensure that the code is reliable and effective in furthering our national objectives. And we can do all of this while remaining consistent with the Federal Government’s long-standing policy of technology neutrality, through which we seek to ensure that Federal investments in IT are merit-based, improve the performance of our government, and create value for the American people." (Thanks to David A. Wheeler)
Security advisories for Tuesday
Arch Linux has updated curl (three vulnerabilities).
Debian has updated chromium-browser (multiple vulnerabilities) and fontconfig (privilege escalation).
Debian-LTS has updated libreoffice (code execution) and python-django (rebase to 1.4.x).
Fedora has updated bind99 (F23: denial of service), ca-certificates (F23: certificate update), dhcp (F23: denial of service), dnsmasq (F23: denial of service), flex (F24: buffer overflow), fontconfig (F24: privilege escalation), kernel (F24; F23: two vulnerabilities), libidn (F23: multiple vulnerabilities), libreswan (F23: unspecified), nodejs-tough-cookie (F24: denial of service), pdns (F24: denial of service), perl-CGI-Emulate-PSGI (F24; F23: HTTP redirect), perl-Module-Load-Conditional (F24; F23: privilege escalation), v8 (F24; F23: denial of service), and xen (F23: multiple vulnerabilities).
Mageia has updated chromium-browser-stable (multiple vulnerabilities), firefox (multiple vulnerabilities), and openntpd/busybox (denial of service).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), kernel (RHEL6.4: privilege escalation), nodejs010-nodejs-minimatch (RHSCL: denial of service), and rh-nodejs4-nodejs-minimatch (RHSCL: denial of service).
SUSE has updated kernel (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated curl (three vulnerabilities).
Christoph Hellwig's case against VMware dismissed
The GPL-infringement case brought against VMware by Christoph Hellwig in Germany has been dismissed by the court; the ruling is available in German and English. The decision seems to be based entirely on uncertainty over where his copyrights actually lie and not on the infringement claims. "Nonetheless, these questions (on which the legal interest of the parties and their counsel presumably focus) can and must remain unanswered. This is because the very first requirement for conducting an examination, namely that code possibly protected for the Plaintiff as a holder of adapter’s copyright has been used in the Defendant’s product, cannot be established." The ruling will be appealed.
Vice-President’s Report — The State of the GNOME Foundation
Jeff Fortin Tam reports on the state of the GNOME Foundation. "Generally speaking, this year was a bit less intense than the one before it (we didn’t have to worry about a legal battle with a giant corporation this time around!) although we did end up touching a fair amount of legal matters, such as trademark agreements. One big item we got cleared was the Ubuntu GNOME trademark agreement. We also welcomed businesses that wanted to sell GNOME-related merchandise, you can find them listed here—supporting them by purchasing GNOME-related items also supports the Foundation with a small percentage shared as royalties." (Thanks to Paul Wise)
Lumina Desktop 1.0.0 released
Version 1.0.0 of the Lumina Desktop Environment has been released. "After roughly four years of development, I am pleased to announce the first official release of the Lumina desktop environment! This release is an incredible realization of the initial idea of Lumina – a simple and unobtrusive desktop environment meant for users to configure to match their individual needs." Lumina is a from-scratch, BSD-licensed desktop system.
Security updates for Monday
Arch Linux has updated glibc (two denial of service vulnerabilities), lib32-glibc (two denial of service vulnerabilities), and libupnp (unauthenticated access).
Debian has updated kde4libs (command execution) and lighttpd (man-in-the-middle attacks).
Debian-LTS has updated mongodb (two vulnerabilities), mupdf (denial of service), and openjdk-7 (multiple vulnerabilities).
Fedora has updated curl (F24: three vulnerabilities), firefox (F23: multiple vulnerabilities), libgcrypt (F23: key leak), and xen (F24: multiple vulnerabilities).
Mageia has updated ruby-eventmachine (denial of service).
openSUSE has updated bsdiff (Leap42.1, 13.2: denial of service), Chromium (Leap42.1, 13.2; SPH for SLE12: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), libvirt (Leap42.1: authentication bypass), redis (Leap42.1, 13.2; SPH for SLE12: information leak), and wireshark (Leap42.1, 13.2: multiple vulnerabilities).
Slackware has updated curl (three vulnerabilities), firefox (multiple vulnerabilities), openssh (two vulnerabilities), and stunnel (two vulnerabilities).
Check Point's "QuadRooter" vulnerabilities
Check Point has discovered four local-root vulnerabilities in Qualcomm-based Android devices and is hyping the result as "QuadRooter". "QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device." Actually getting the report requires registration. All four vulnerabilities are in Android-specific code; three of them are in out-of-tree modules (kgsl and ipc_router); the fourth is in the "ashmem" code in the staging tree.
Kernel prepatch 4.8-rc1
Linus has released the 4.8-rc1 prepatch and closed the merge window for this development cycle — sort of. "I actually still have a few pull requests pending in my inbox that I just wanted to take another look at before merging, but the large bulk of the merge window material has been merged, and I wanted to make sure there aren't any new ones coming in." A total of 11,618 non-merge changesets were pulled during the merge window.
Let's Encrypt will be trusted by Firefox 50
The Let's Encrypt project, which provides a free SSL/TLS certificate authority (CA), has announced that Mozilla has accepted the project's root key into the Mozilla root program and that it will be trusted by default as of Firefox 50. This is a step forward from Let's Encrypt's earlier status. "In order to start issuing widely trusted certificates as soon as possible, we partnered with another CA, IdenTrust, which has a number of existing trusted roots. As part of that partnership, an IdenTrust root 'vouches for' the certificates that we issue, thus making our certificates trusted. We’re incredibly grateful to IdenTrust for helping us to start carrying out our mission as soon as possible. However, our plan has always been to operate as an independently trusted CA. Having our root trusted directly by the Mozilla root program represents significant progress towards that independence." The project has also applied for inclusion in the CA trust roots maintained by Apple, Microsoft, Google, Oracle, and Blackberry. News on those programs is still pending.
Friday's security updates
Arch Linux has updated firefox (multiple vulnerabilities), jdk7-openjdk (multiple vulnerabilities), jre7-openjdk (multiple vulnerabilities), and jre7-openjdk-headless (multiple vulnerabilities).
Debian has updated openjdk-7 (multiple vulnerabilities).
Debian-LTS has updated curl (multiple vulnerabilities) and mysql-5.5 (multiple vulnerabilities).
Fedora has updated collectd (F23; F24: code execution), dietlibc (F23; F24: insecure default PATH), perl (F24: privilege escalation), perl-DBD-MySQL (F24: code execution), and python-autobahn (F24: insecure origin validation).
openSUSE has updated MozillaFirefox, mozilla-nss (13.2, Leap42.1: multiple vulnerabilities).
Oracle has updated kernel (O7; O6: multiple vulnerabilities; O7; O6; O6; O5: privilege escalation) and squid (O6: code execution).
Scientific Linux has updated squid (SL6: code execution).
SUSE has updated kernel (SLE12-LP: multiple vulnerabilities).
Ubuntu has updated firefox (12.04, 14.04, 16.04: multiple vulnerabilities), libreoffice (12.04: code execution), oxide-qt (14.04, 16.04: multiple vulnerabilities), and qemu, qemu-kvm (12.04, 14.04, 16.04: multiple vulnerabilities).
The GNU C Library version 2.24 is now available
The 2.24 version of the GNU C Library (glibc) has been released. It comes with lots of bug fixes, including five for security vulnerabilities (four stack overflows and a memory leak). Some deprecated features have been removed, and the readdir_r() and readdir64_r() functions are now deprecated in favor of readdir() and readdir64(). There are also additions to the math library (nextup*() and nextdown*()) to return the next representable value toward either positive or negative infinity.
Breaking through censorship barriers, even when Tor is blocked (Tor Blog)
The Tor Blog looks at using Pluggable Transports to avoid country-level Tor blocking. There are some new easy-to-follow graphical directions for using the transports. "Many repressive governments and authorities benefit from blocking their users from having free and open access to the internet. They can simply get the list of Tor relays and block them. This bars millions of people from access to free information, often including those who need it most. We at Tor care about freedom of access to information and strongly oppose censorship. This is why we've developed methods to connect to the network and bypass censorship. These methods are called Pluggable Transports (PTs). Pluggable Transports are a type of bridge to the Tor network. They take advantage of various transports and make encrypted traffic to Tor look like not-interesting or garbage traffic. Unlike normal relays, bridge information is kept secret and distributed between users via BridgeDB."
Security updates for Thursday
CentOS has updated firefox (C5: multiple vulnerabilities) and squid (C6: code execution).
Debian has updated firefox-esr (multiple vulnerabilities) and wordpress (multiple vulnerabilities).
Debian-LTS has updated collectd (regression in previous security update), firefox-esr (multiple vulnerabilities), and libsys-syslog-perl (privilege escalation).
Fedora has updated firefox (F24: multiple vulnerabilities) and pbuilder (F24; F23: file overwrite).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).
Red Hat has updated squid (RHEL6: code execution).
Scientific Linux has updated firefox (multiple vulnerabilities), golang (SL7: denial of service), kernel (SL7: three vulnerabilities, one from 2015), and libtiff (SL7: multiple vulnerabilities, including some from 2014 and 2015).
SUSE has updated hawk2 (SLE12: clickjacking prevention).