LWN.net (https://lwn.net/)
Grover: Why Rust for Low-level Linux programming?
On his blog, Andy Grover makes a case for using the Rust language for new projects instead of C or Python. "Second, there are people like me, people working in C and Python on Linux systems-level stuff — the “plumbing”, who are frustrated with low productivity. C and Python have diametrically-opposed advantages and disadvantages. C is fast to run but slow to write, and hard to write securely. Python is more productive but too slow and RAM-hungry for something running all the time, on every system. We must deal with getting C components to talk to Python components all the time, and it isn’t fun. Rust is the first language that gives a system programmer performance and productivity. These people might see Rust as a chance to increase security, to increase their own productivity, to never have to touch libtool/autoconf ever again, and to solve the C/Python dilemma with a one language solution."
Help Make Open Source Secure (The Mozilla Blog)
On The Mozilla blog, Chris Riley announces the "Secure Open Source" (SOS) fund to provide money to help with the security of open-source software. "The SOS Fund will provide security auditing, remediation, and verification for key open source software projects. The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs. But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the Internet. Security is a process. To have substantial and lasting benefit, we need to invest in education, best practices, and a host of other areas. Yet we hope that this fund will provide needed short-term benefits and industry momentum to help strengthen open source projects." SOS sounds similar in scope to the Core Infrastructure Initiative (CII) set up by the Linux Foundation.
Security advisories for Friday
Arch Linux has updated gnutls (arbitrary file overwrite), haproxy (denial of service), and lib32-gnutls (arbitrary file overwrite).
Debian has updated firefox-esr (multiple vulnerabilities) and p7zip (code execution).
Debian-LTS has updated p7zip (code execution) and samba (regression in previous security fix).
Fedora has updated docker (F23: privilege escalation) and firefox (F22: multiple vulnerabilities).
SUSE has updated bind (two vulnerabilities) and libxml2 (SLE12: multiple vulnerabilities).
Ubuntu has updated firefox (multiple vulnerabilities), kernel (16.04; 15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04; 15.10: multiple vulnerabilities), linux-snapdragon (16.04: code execution), linux-ti-omap4 (12.04: multiple vulnerabilities), and squid3 (multiple vulnerabilities).
KDE neon User Edition 5.6 Available now (KDE.News)
The first version of KDE neon, which is a distribution based on Ubuntu 16.04 that is meant to be a stable platform on which to try the latest Plasma desktop, has been released. "KDE neon User Edition 5.6 is based on the latest version of Plasma 5.6 and intends to showcase the latest KDE technology on a stable foundation. It is a continuously updated installable image that can be used not just for exploration and testing but as the main operating system for people enthusiastic about the latest desktop software. It comes with a slim selection of apps, assuming the user's capacity to install her own applications after installation, to avoid cruft and meaningless weight to the ISO. The KDE neon team will now start adding all of KDE's applications to the neon archive. Since the announcement of the project four months ago the team has been working on rolling out our infrastructure, using current best-practice devops technologies. A continuous integration Jenkins system scans the download servers for new releases and automatically fires up computers with Docker instances to build packages. We work in the open and as a KDE project any KDE developer has access to our packaging Git repository and can make fixes, improvements and inspect our work."
Thursday's security updates
Fedora has updated firefox (F23: multiple vulnerabilities), gnutls (F23: arbitrary file overwrite), and kernel (F23: denial of service).
Mageia has updated firefox (multiple vulnerabilities).
openSUSE has updated ImageMagick (13.2: command execution).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).
Red Hat has updated firefox (multiple vulnerabilities).
Scientific Linux has updated file (SL6: multiple vulnerabilities from 2014), icedtea-web (SL6: two vulnerabilities), ntp (SL6: multiple vulnerabilities, one from 2014), openssh (SL6: multiple vulnerabilities), openssl (SL6: multiple vulnerabilities), qemu-kvm (SL6: code execution), and thunderbird (SL6: two vulnerabilities).
Tschacher: Typosquatting programming language package managers
Nikolai Tschacher demonstrates how easy it is to run arbitrary code by way of "typosquatting" uploads to programming language download sites. "Because everybody can upload any package on PyPi, it is possible to create packages which are typo versions of popular packages that are prone to be mistyped. And if somebody unintentionally installs such a package, the next question comes intuitively: Is it possible to run arbitrary code and take over the computer during the installation process of a package?" He tried an experiment and was able to run a little program that phoned home from thousands of systems.
[$] LWN.net Weekly Edition for June 9, 2016
The LWN.net Weekly Edition for June 9, 2016 is available.
Maru OS now freely available
The Maru OS handset distribution (reviewed here in April) has moved out of the beta-test period and is now freely downloadable without an invitation. Maru functions as both an Android handset and an Ubuntu desktop (when connected to an external monitor). For now, it remains limited to Nexus 5 handsets. "Now that the beta program is over, I’m finally turning my attention to the open-source project so we can expand device support with the help of the community. Let’s get Maru in the hands of a lot more people!"
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.6.2, 4.5.7, 4.4.13, and 3.14.72. This is the last 4.5.y stable kernel release. Users of the 4.5 kernel series should upgrade to the 4.6 kernel series.
Security advisories for Wednesday
Arch Linux has updated firefox (multiple vulnerabilities), qemu (multiple vulnerabilities), qemu-arch-extra (multiple vulnerabilities), and subversion (two vulnerabilities).
CentOS has updated spice (C7: two vulnerabilities) and spice-server (C6: two vulnerabilities).
Debian has updated expat (two vulnerabilities) and vlc (code execution).
Debian-LTS has updated expat (two vulnerabilities), libpdfbox-java (XML External Entity attacks), and libxstream-java (XML External Entity attacks).
Fedora has updated openslp (F23; F22: denial of service).
Mageia has updated chromium-browser-stable/libpng (multiple vulnerabilities), libxslt (two vulnerabilities), and ntp (multiple vulnerabilities).
openSUSE has updated expat (Leap42.1: code execution), gd (13.2: information leak), glibc (13.2: multiple vulnerabilities), GraphicsMagick (Leap42.1; 13.2: command execution), libimobiledevice, libusbmuxd (Leap42.1, 13.2: sockets listening on INADDR_ANY), libksba (Leap42.1: denial of service), and php5 (Leap42.1: multiple vulnerabilities).
SUSE has updated expat (SLE11-SP4: code execution).
The Qt Automotive Suite launches
The Qt Blog announces the launch of the Qt Automotive Suite. "With cumulative experience from over 20 automotive projects it was noted how Qt is really well suited to the needs of building IVIs and Instrument Clusters, that there were already millions of vehicles on the road with Qt inside, and that there were a lot of ongoing projects. There was though a feeling that things could be even better, that there were still a few things holding back the industry, contributing to the sense that shipped IVI systems could be built faster, cheaper and with a higher quality."
[$] Distributors ponder a systemd change
Linux users tend to pride themselves on their position at the leading edge of a fast-moving development community. But, in truth, much of what we do is rooted in many decades of Unix tradition, and we tend to get grumpy when young developers show up and start changing things around. A recent change of default in systemd represents such a change and the kind of response that it brings out; as a result, Linux distributors are going to have to make a decision on whether they should preserve the way things have always worked or make a change that, while potentially disruptive to users, is arguably a step toward more predictable, controllable, and secure behavior.
Firefox 47
Firefox 47 has been released. This version enables the VP9 video codec for users with fast machines, plays embedded YouTube videos with HTML5 video if Flash is not installed, and more. There is a blog post about these and other improvements. "Now, we are making it even easier to access synced tabs directly in your desktop Firefox browser. If you’re logged into your Firefox Account, you will see all open tabs from your smartphone or other computers within the sidebar. In the sidebar you can also search for specific tabs quickly and easily." See the release notes for more information.
Tuesday's security updates
Debian has updated spice (two vulnerabilities).
Debian-LTS has updated dhcpcd5 (code execution) and nss (cipher-downgrade attacks).
Fedora has updated glibc (F23: denial of service), nginx (F23: denial of service), and qemu (F22: multiple vulnerabilities).
openSUSE has updated clamav-database (Leap42.1: database refresh).
Oracle has updated spice (OL7: two vulnerabilities) and spice-server (OL6: two vulnerabilities).
Red Hat has updated glibc (RHEL6.5: sends DNS queries to random file descriptors), jenkins (RHOSE3.2: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).
Scientific Linux has updated spice (SL7: two vulnerabilities) and squid (SL7: multiple vulnerabilities).
SUSE has updated expat (SLE12-SP1: code execution).
Ubuntu has updated libxml2 (multiple vulnerabilities) and oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities).
Open Build Service 2.7 released
Open Build Service 2.7 has been released. "Three large features around the topic of integrating external resources made it into this release. We worked on automatic tracking of moving repositories of development versions like Fedora Rawhide, distribution updates or rolling Linux releases like Arch. A change to the OBS git integration to enable developers to work on continuous builds. And last but not least an experimental KIWI import that can be used to easily migrate your images from SUSE studio."
Security updates for Monday
Arch Linux has updated chromium (multiple vulnerabilities), ntp (multiple vulnerabilities), and webkit2gtk (code execution).
Debian has updated chromium-browser (multiple vulnerabilities), mariadb-10.0 (multiple vulnerabilities), and samba (regression in previous update).
Debian-LTS has updated libxml2 (multiple vulnerabilities).
Fedora has updated php (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), roundcubemail (F23; F22: cross-site scripting), sudo (F23: information leak), and xen (F23: multiple vulnerabilities).
Gentoo has updated gnupg (multiple vulnerabilities), libjpeg-turbo (information leak), puppet-agent (multiple vulnerabilities), and putty (multiple vulnerabilities).
openSUSE has updated Chromium (Leap42.1; 13.2: multiple vulnerabilities).
Slackware has updated ntp (multiple vulnerabilities).
SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).
Kernel prepatch 4.7-rc2
The second 4.7 prepatch is now available for testing. Linus says: "There's a late non-fix I took even though the merge window is over, because I've been wanting it for a while. I doubt anybody notices the actual effects of a pty change/cleanup that means that our old disgusting DEVPTS_MULTIPLE_INSTANCES kernel config option is gone, because the cleanup means that it is no longer needed." For details on this change, see this article from last week's Kernel Page.
Wolf: Stop it with those short PGP key IDs!
At his blog, Gunnar Wolf urges developers to stop using "short" (eight hex-digit) PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild. The possibility of short-ID collisions has been known for a while, but it is still disconcerting to see in the wild. "Those three keys are not (yet?) uploaded to the keyservers, though... But we can expect them to appear at any point in the future. We don't know who is behind this, or what his purpose is. We just know this looks very evil." Wolf goes on to note that short IDs are not merely human-readable conveniences, but are actually used to identify PGP keys in some software programs. To mitigate the risk, he recommends configuring GnuPG to never show short IDs, ensuring that other programs do not consume short IDs, and to "only sign somebody else's key if you see and verify its full fingerprint. [...] And there are surely many other important recommendations. But this is a good set of points to start with."
Friday's security updates
Debian has updated libxml2 (multiple vulnerabilities).
Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), libgd (M5: multiple vulnerabilities), nginx (M5: denial of service), pgpdump (M5: buffer overrun), and php (M5: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Ubuntu has updated nginx (14.04, 15.10, 16.04: denial of service).
[$] LWN.net Weekly Edition for June 3, 2016
The LWN.net Weekly Edition for June 3, 2016 is available.
[$] Patents and the open-source community
At OSCON 2016 in Austin, a panel of invited experts debated the always-thorny subject of how open-source software projects deal with patents. The panel was packed, featuring representatives from the free-software world, commerce, and the legal community, so there was scarcely enough time to move through the prepared topics in the time allotted, much less to take questions from the audience. But the discussion was able to highlight a number of current issues, including patent abolition, implicit patent licenses, and where the open-source community should focus its efforts to improve matters.
Security advisories for Thursday
Arch Linux has updated nginx (denial of service) and nginx-mainline (denial of service).
Debian has updated nginx (denial of service).
Debian-LTS has updated gdk-pixbuf (buffer overflows), graphicsmagick (command execution), and imagemagick (command execution).
Fedora has updated compat-nettle27 (F23: improper cryptographic calculations), dosfstools (F22: two vulnerabilities), gd (F23: two vulnerabilities), kernel (F23; F22: multiple vulnerabilities), libimobiledevice (F22: sockets listening on INADDR_ANY), libusbmuxd (F22: sockets listening on INADDR_ANY), and phpMyAdmin (F23: three vulnerabilities).
SUSE has updated java-1_8_0-ibm (SLE12-SP1: multiple vulnerabilities) and ntp (SOSC5, SMP2.1, SM2.1, SLE11-SP2,3: multiple vulnerabilities).
Ubuntu has updated imagemagick (multiple vulnerabilities).
[$] PostgreSQL 9.6 Beta and PGCon 2016
PostgreSQL's annual developer conference, PGCon, took place in May, which made it a good place to get a look at the new PostgreSQL features coming in version 9.6. The first 9.6 beta was released just the week before and several contributors demonstrated key changes at the conference in Ottawa. For many users, this was the first time to see the finished versions of features that had been under development for months or years.
Nextcloud launches
For those who have been wondering about the exodus from ownCloud, the announcement of a company called "Nextcloud" should make things clear. "Started by the well known open source file sync and share developer Frank Karlitschek and joined by the most active contributors to his previous project, building on its mature code base, we offer a more reliable and sustainable solution for users and customers. We will develop a drop-in replacement for that legacy code base over the coming weeks, providing the bug fixes and security hardening all users need and the Enterprise Subscription capabilities enterprise customers require." See also this blog post from Jos Poortvliet.
[$] Containers, pseudo TTYs, and backward compatibility
There is no doubt that the addition of container technologies to Linux has created a lot of value, allowing workloads to be effectively and efficiently isolated from each other. Implementing these technologies presents a number of challenges, particularly as much of Linux and Unix was designed to use singletons: objects of which there could never ever be more than one, such as host names, network routing tables, or process-ID namespaces. Containers require this design approach to be revised as they need multiple instances of these objects. A singleton that has been causing problems recently is the set of pseudo terminals (TTYs). Click below (subscribers only) for the full article from Neil Brown.
Hertz: Abusing privileged and unprivileged Linux containers
This white paper by Jesse Hertz [PDF] examines various ways to compromise and escape from containers on Linux systems. "A common configuration for companies offering PaaS solutions built on containers is to have multiple customers’ containers running on the same physical host. By default, both LXC and Docker setup container networking so that all containers share the same Linux virtual bridge. These containers will be able to communicate with each other. Even if this direct network access is disabled (using the --icc=false flag for Docker, or using iptables rules for LXC), containers aren’t restricted for link-layer traffic. In particular, it is possible (and in fact quite easy) to conduct an ARP spoofing attack on another container within the same host system, allowing full middle-person attacks of the targeted container’s traffic."
Fresh stable kernels
Greg KH has released stable kernels 4.6.1, 4.5.6, 4.4.12, and 3.14.71. All of them contain important fixes.
Announcing the Open Source License API
The Open Source Initiative (OSI) has announced the Open Source License API, to "allow third parties to become license-aware, and give organizations the ability to clearly determine if a license is, in fact, an Open Source license, from the authoritative source regarding Open Source licenses, the OSI."
The CoreOS "Torus" distributed storage system
CoreOS has announced a new project called Torus which is creating a distributed storage system for containers. "At its core, Torus is a library with an interface that appears as a traditional file, allowing for storage manipulation through well-understood basic file operations. Coordinated and checkpointed through etcd’s consensus process, this distributed file can be exposed to user applications in multiple ways. Today, Torus supports exposing this file as block-oriented storage via a Network Block Device (NBD). We also expect that in the future other storage systems, such as object storage, will be built on top of Torus as collections of these distributed files, coordinated by etcd." The project is quite young, and the current release is a "prototype version."
Security advisories for Wednesday
Debian has updated chromium-browser (multiple vulnerabilities) and imagemagick (command execution).
Debian-LTS has updated php5 (multiple vulnerabilities) and ruby-activemodel-3.2 (validation bypass).
openSUSE has updated dosfstools (Leap42.1, 13.2: two vulnerabilities), gdk-pixbuf (Leap42.1: three vulnerabilities), libarchive (13.2: code execution), openssh (Leap42.1: three vulnerabilities), p7zip (13.2: code execution), putty (Leap42.1, 13.2: code execution), and virtualbox (Leap42.1; 13.2: unspecified).
Oracle has updated ntp (OL7; OL6: multiple vulnerabilities), openssl (OL5: multiple vulnerabilities), squid (OL7; OL6: multiple vulnerabilities), and squid34 (OL6: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Scientific Linux has updated openssl (SL5: code execution).
SUSE has updated cyrus-imapd (SLES12-SP1; SLE11-SP4: multiple vulnerabilities) and java-1_6_0-ibm (SLEM for LS12: multiple vulnerabilities).
Ubuntu has updated dosfstools (two vulnerabilities), kernel (14.04: multiple vulnerabilities), libgd2 (multiple vulnerabilities), and lxd (16.04, 15.10: two vulnerabilities).
Tor Browser 6.0 is released
The Tor Browser Team has announced the release of Tor browser 6.0. This release brings the browser up-to-date with Firefox 45-ESR, which provides better support for HTML5 video on Youtube, as well as a host of other improvements. DuckDuckGo is now the default search engine. "Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has no access to Google search results anymore which we used in Tor Browser. Disconnect being more a meta search engine which allows users to choose between different search providers fell back to delivering Bing search results which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation we asked them to change the fallback to DuckDuckGo as their search results are strictly better than the ones Bing delivers."
Security updates for Tuesday
Arch Linux has updated chromium (multiple vulnerabilities).
CentOS has updated ntp (C7; C6: multiple vulnerabilities), openssl (C5: code execution), squid (C7; C6: multiple vulnerabilities), and squid34 (C6: multiple vulnerabilities).
Debian has updated gdk-pixbuf (two vulnerabilities) and symfony (two vulnerabilities).
Debian-LTS has updated eglibc (multiple vulnerabilities), libtasn1-3 (denial of service), openafs (multiple vulnerabilities), pdns (insecure database permissions), phpmyadmin (regression in previous update), postgresql-9.1 (multiple vulnerabilities), ruby-activerecord-3.2 (restriction bypass), and wireshark (multiple vulnerabilities).
Fedora has updated bugzilla (F23; F22: cross-site scripting), kf5-kinit (F23: insecure permissions), libarchive (F22: code execution), libimobiledevice (F23: sockets listening on INADDR_ANY), libusbmuxd (F23: sockets listening on INADDR_ANY), php (F23: two vulnerabilities), qemu (F23: multiple vulnerabilities), webkitgtk4 (F23: two vulnerabilities), and xen (F23; F22: privilege escalation).
Gentoo has updated libfpx (denial of service), nss (multiple vulnerabilities), pam (multiple vulnerabilities), and rsync (multiple vulnerabilities).
Mageia has updated botan (two vulnerabilities), docker (privilege escalation), mediawiki (multiple vulnerabilities), and phpmyadmin (cross-site scripting).
openSUSE has updated Chromium (SPH for SLE12; Leap42.1: multiple vulnerabilities), expat (13.2: two vulnerabilities), libxml2 (13.2: two vulnerabilities), libxslt (13.2: denial of service), phpMyAdmin (Leap42.1, 13.2: cross-site scripting), redis (Leap42.1, 13.2: denial of service), and samba (13.2: man-in-the-middle attack).
Red Hat has updated ntp (RHEL6,7: multiple vulnerabilities), openssl (RHEL5: code execution), python27 (RHSCL2.2: multiple vulnerabilities), squid (RHEL7; RHEL6: multiple vulnerabilities), and squid34 (RHEL6: multiple vulnerabilities).
Slackware has updated imagemagick (shell vulnerability), libxml2 (three vulnerabilities), libxslt (denial of service), thunderbird (multiple vulnerabilities), and php (multiple vulnerabilities).
SUSE has updated Xen (SLES10-SP4: multiple vulnerabilities).
Rutkowska: Security challenges for the Qubes build process
Qubes founder Joanna Rutkowska writes about how Qubes works to avoid building compromised software into its distribution. "Ultimately, we would like to introduce a multiple-signature scheme, in which several developers (from different countries, social circles, etc.) can sign Qubes-produced binaries and ISOs. Then, an adversary would have to compromise all the build locations in order to get backdoored versions signed. For this to happen, we need to make the build process deterministic (i.e. reproducible). Yet, this task still seems to be years ahead of us."
Krita 3.0 released
Version 3.0 of the Krita painting application has been released. "Wrapping up a year of work, this is a really big release: animation support integrated into Krita’s core, Instant Preview for better performance painting and drawing with big brushes on big canvases, ported to the latest version of the Qt platform and too many bigger and smaller new features and improvements to mention!"
Kernel prepatch 4.7-rc1
Linus has released 4.7-rc1 and closed the merge window for this release, saying "this time around we have a fairly big change to the vfs layer that allows filesystems (if they buy into it) to do readdir() and path component lookup in parallel within the same directory. That's probably the biggest conceptual vfs change we've had since we started doing cached pathname lookups using RCU." The code name has been changed to "Psychotic Stoned Sheep."
Oracle attorney says Google’s court victory might kill the GPL (ars technica)
Ars technica is carrying an editorial from Oracle's attorney in its fight with Google; it would seem that this ruling is the end of the world. "It is hard to see how GPL can survive such a result. In fact, it is hard to see how ownership of a copy of any software protected by copyright can survive this result. Software businesses now must accelerate their move to the cloud where everything can be controlled as a service rather than software. Consumers can expect to find decreasing options to own anything for themselves, decreasing options to control their data, decreasing options to protect their privacy."
OSI: Announcing the Open Source License API
At its blog, the Open Source Initiative (OSI) announces the deployment of "a machine readable publication of OSI approved licenses" accessible via api.opensource.org. The service is designed to "store a central list of crosswalks and common identifiers to other services, allowing third parties who are already license-aware to provide their mappings, and pull OSI approval status programmatically." Programs can query a license by its Software Package Data Exchange (SPDX) ID and determine whether or not it is OSI-approved. API wrappers are available for Python, Ruby, and Go.
Friday's security updates
Arch Linux has updated libxml2 (multiple vulnerabilities).
Debian has updated libgd2 (multiple vulnerabilities).
Fedora has updated jenkins (F23; F22: multiple vulnerabilities).
openSUSE has updated docker (13.2: privilege escalation), libreoffice (13.2: multiple vulnerabilities), ntp (13.2: multiple vulnerabilities), and systemd (Leap 42.1: multiple vulnerabilities).
Ubuntu has updated eglibc, glibc (12.04, 14.04, 15.10: multiple vulnerabilities; regression).
Analog malicious hardware
Worth a read: this paper [PDF] from Kaiyuan Yang et al. on how an analog back door can be placed into a hardware platform like a CPU. "In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting [sic] a chip’s functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor."
Google beats Oracle—Android makes “fair use” of Java APIs (ars technica)
Ars technica reports that Google has prevailed against Oracle in its court battle over the use of the Java APIs in Android. "There was only one question on the special verdict form, asking if Google's use of the Java APIs was a 'fair use' under copyright law. The jury unanimously answered 'yes,' in Google's favor. The verdict ends the trial, which began earlier this month."
Security updates for Thursday
Debian-LTS has updated bozohttpd (two vulnerabilities, one from 2014), ruby-mail (SMTP injection), and xymon (multiple vulnerabilities). Also, the Debian-LTS team has announced that some packages will not be supported (libv8, mediawiki, sogo, and vlc) for Debian 7 ("wheezy"), so users of those should upgrade to Debian 8 ("jessie").
Red Hat has updated rh-mariadb100-mariadb (RHSC: many vulnerabilities).
Ubuntu has updated eglibc, glibc (15.10, 14.04, 12.04: multiple vulnerabilities, some from 2013 and 2014) and samba (16.04, 15.10, 14.04: regression in previous security fix).
[$] LWN.net Weekly Edition for May 26, 2016
The LWN.net Weekly Edition for May 26, 2016 is available.
Security advisories for Wednesday
Arch Linux has updated libndp (man-in-the-middle attacks).
Fedora has updated kernel (F22: multiple vulnerabilities).
Red Hat has updated jq (RHOSP8: code execution).
Slackware has updated libarchive (code execution).
Ubuntu has updated php5, php7.0 (multiple vulnerabilities).
[$] Should distributors disable IPv4-mapped IPv6?
By all accounts, the Internet's transition to IPv6 has been a slow affair. In recent years, though, perhaps inspired by the exhaustion of the IPv4 address space, IPv6 usage has been on the rise. There is a corresponding interest in ensuring that applications work with both IPv4 and IPv6. But, as a recent discussion on the OpenBSD mailing list has highlighted, a mechanism designed to ease the transition to an IPv6 network may also make the net less secure — and Linux distributions may be configured insecurely by default.
Mathewson: Mid-2016 Tor bug retrospective, with lessons for future coding
On the Tor blog, Nick Mathewson reports on an informal survey he did for "severe" bugs in Tor over the last few years. It breaks down the 70 bugs he found into different categories that are correlated with some recommendations for ways to try to avoid them in the future. For example: "Recommendation 5.1: all backward compatibility code should have a timeout date. On several occasions we added backward compatibility code to keep an old version of Tor working, but left it enabled for longer than we needed to. This code has tended not to get the same regular attention it deserves, and has also tended to hold surprising deviations from the specification. We should audit the code that's there today and see what we can remove, and we should never add new code of this kind without adding a ticket and a comment planning to remove it." Many of the recommendations are likely applicable to other projects.
GitLab 8.8 released with Pipelines and .gitignore templates
GitLab 8.8 has been released with pipeline visualization, .gitignore templates, the GitLab Container Registry, and more. "In this release, we are supercharging GitLab CI. First with Pipelines and now with GitLab Container Registry. GitLab Container Registry is a secure and private registry for Docker images. It isn't just a standalone registry; it's completely integrated with GitLab. In fact, our container registry is actually the first Docker registry that is fully-integrated with git repository management and comes out of the box with GitLab 8.8. So if you've upgraded, you already have it! Our integrated Container Registry requires no additional installation. It allows for easy upload and download of images from GitLab CI. And it's free."
Tuesday's security updates
Debian has updated atheme-services (denial of service).
Fedora has updated gsi-openssh (F23: privilege escalation), imlib2 (F23; F22: multiple vulnerabilities), and websvn (F23; F22: cross-site scripting).
Mageia has updated glibc (multiple vulnerabilities), golang (denial of service), pcre (two vulnerabilities), and xerces-j2 (denial of service).
Red Hat has updated jq (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7: code execution) and kernel (RHEL6.6: two remote denial of service vulnerabilities).
SUSE has updated IBM Java 1.6.0 (SLES10-SP4: multiple vulnerabilities).
Repurposing Old Smartphones for Home Automation (Linux.com)
Linux.com has an interview with Dietrich Ayala about using old smartphones for home automation. "Ayala spent a lot of time studying the readouts from sensors, as well as from the phone’s microphone, camera, and radios, that would enable a remote user to draw conclusions about what was happening at home. This contextual information could then be codified into more useful notifications. With ambient light, for example, if it suddenly goes dark in the daytime, maybe someone is standing over a device, explained Ayala. Feedback from the accelerometer can be analyzed to determine the difference between footsteps, an earthquake, or someone picking up the device. Scripts can use radio APIs to determine if a person moving around is carrying a phone with a potentially revealing Bluetooth signature."
Security advisories for Monday
Debian has updated wireshark (multiple vulnerabilities).
Debian-LTS has updated extplorer (cross-site request forgery), graphicsmagick (multiple vulnerabilities), and imagemagick (multiple vulnerabilities).
Fedora has updated cacti (F23; F22: SQL injection), dosfstools (F23: two vulnerabilities), libksba (F22: denial of service), libndp (F23; F22: man-in-the-middle attacks), mingw-openssl (F23: multiple vulnerabilities), moodle (F23: multiple vulnerabilities), openvpn (F22: multiple vulnerabilities), pgpdump (F23; F22: denial of service), php-symfony (F23; F22: buffer overflow), qemu (F22: multiple vulnerabilities), rpm (F22: two vulnerabilities), thunderbird (F23: multiple vulnerabilities), and wordpress (F23; F22: two cross-site scripting vulnerabilities).
Mageia has updated apache-mod_nss (invalid handling of +CIPHER operator), bugzilla (cross-site scripting), jansson (denial of service), libgd (denial of service), libreoffice (code execution), networkmanager (information leak), openvpn (multiple vulnerabilities), p7zip (code execution), php-ZendFramework2 (insecure ciphertexts), and wpa_supplicant (two vulnerabilities).
openSUSE has updated kernel (Leap42.1: multiple vulnerabilities).
Oracle has updated docker-engine (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities), and kernel 2.6.32 (OL6; OL5: multiple vulnerabilities).
Red Hat has updated kernel (RHEL6.4: two remote denial of service vulnerabilities).
Scientific Linux has updated libndp (SL7: man-in-the-middle attacks).
Slackware has updated curl (server spoofing).
SUSE has updated firefox (SLE11-SP4,SP3: multiple vulnerabilities), java-1_6_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11SP3,SP2: multiple vulnerabilities), and java-1_7_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11SP3,SP2: multiple vulnerabilities).
Roundcube Webmail 1.2.0 released
Version 1.2.0 of the Roundcube web-based email system has been released. The headline feature this time around would appear to be support for encrypted mail with PGP; the encryption can be handled either centrally in the server, or in the browser via the "Mailvelope" browser plugin. A complete list of changes can be found in the changelog.