OpenBSD 5.7 has been released. This version includes improved hardware support, network stack improvements, installer improvements, security and bug fixes, and more. OpenSSH 6.8, LibreSSL, and other packages have also seen improvements and bug fixes.
Arch Linux has updated perl-xml-libxml (information disclosure). Debian has updated chromium-browser (multiple vulnerabilities). Debian-LTS has updated libjson-ruby (denial of service), libxml-libxml-perl (information disclosure), squid (denial of service), xdg-utils (command execution), and xorg-server (information leak/denial of service). Mageia has updated kernel (multiple vulnerabilities), kernel-linus (multiple vulnerabilities), libreoffice (code execution), ppp (denial of service), and quassel (SQL injection). openSUSE has updated wpa_supplicant (13.2, 13.1: code execution). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL5.6: privilege escalation). Scientific Linux has updated 389-ds-base (SL7: access control bypass). SUSE has updated kernel (SLES10 SP4: multiple vulnerabilities).
The Mozilla community has declared its intent to phase out "non-secure" (not encrypted with TLS) web access. "Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon."
The Apache SpamAssassin 3.4.1 release is out. "Highlights include: Improved automation to help combat spammers that are abusing new top level domains; Tweaks to the SPF support to block more spoofed emails; Increased character set normalization to make rules easier to develop, block more international spam and stop spammers from using alternate character sets to bypass tests; Continued refinement to the native IPv6 support; and Improved Bayesian classification with better debugging and attachment hashing."
WeLiveSecurity reports that ESET researchers have revealed a family of Linux malware that stayed under the radar for more than 5 years. They are calling it Linux/Mumblehard. "There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average. Monitoring of the botnet suggests that the main purpose of Mumblehard seems to be to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines."
Debian GNU/Hurd 2015 has been released. "This is a snapshot of Debian "sid" at the time of the stable Debian "jessie" release (April 2015), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release."
Arch Linux has updated chromium (multiple vulnerabilities) and dovecot (denial of service). CentOS has updated 389-ds-base (C7: access control bypass). Debian-LTS has updated jruby (denial of service). Fedora has updated libreoffice (F21: code execution) and yourls (F21; F20: cross-site scripting). Mandriva has updated lftp (MBS1.0: man-in-the-middle attack), libksba (MBS1.0, MBS2.0: denial of service), ntop (MBS1.0: cross-site-scripting), and t1utils (MBS1.0: multiple vulnerabilities). openSUSE has updated curl (13.2, 13.1: multiple vulnerabilities) and python-Pillow (13.2: denial of service). Oracle has updated 389-ds-base (OL7: access control bypass).
GNU Mailman 3.0 has been released. "Over seven years in development, Mailman 3 represents a major new version, redesigned as a suite of cooperating components which can be used to mix and match however you want. The core engine is now backed by a relational database and exposes its functionality to other components via an administrative REST+JSON API. Our new web user interface, Postorius is Django-based, as is our new archiver HyperKitty. The core requires Python 3.4 while Postorius and HyperKitty require Python 2.7." LWN looked at Mailman 3.0 in March, and at HyperKitty in April 2014.
Jacob Kaplan-Moss is known for his work on Django but, as he would describe in his PyCon 2015 keynote, many think he had more to do with its creation than he actually did. While his talk ranged quite a bit, the theme covered something that software development organizations—and open source projects—may be grappling with: a myth about developer performance and how it impacts the industry. It was a thought-provoking talk that was frequently punctuated by applause; these are the kinds of issues that the Python community tries to confront head on, so the talk was aimed well.
KDE has announced the release of Plasma 5.3. This release features improved power management, better Bluetooth capabilities, improved Plasma widgets, a tech preview of the Plasma Media Center, big steps towards Wayland support, and more.
Matthew Garrett looked into why Linux systems consume too much power on recent Intel chipsets and wrote up his results — a reduction of idle power use on his laptop from 8.5W to 5W. "This trend is likely to continue. As systems become more integrated we're going to have to pay more attention to the interdependencies in order to obtain the best possible power consumption, and that means that distribution vendors are going to have to spend some time figuring out what these dependencies are and what the appropriate default policy is for their users."
The 4.1-rc1 prepatch is out. Linus says: "No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of 'big new feature' may differ from mine, of course. There's a lot of work all over, and some of it might just make a big difference to your use cases." What he doesn't mention is that, in the end, kdbus was not merged for this development cycle.
Debian 8, codenamed "Jessie", has been released. It comes with a wide array of upgraded packages including GNOME 3.14, KDE Plasma Workspaces and KDE Applications 4.11.13, Python 2.7.9 and 3.4.2, Perl 5.20.2, PHP 5.6.7, PostgreSQL 9.4.1, MariaDB 10.0.16 and MySQL 5.5.42, Linux 3.16.7-ckt9, and lots more. "With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being the universal operating system. It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, or storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian's archive ensure that "Jessie" fulfills the high expectations that users have of a stable Debian release."
The Rust blog has posted a guide to using Rust's foreign function interface (FFI) with C code. Highlighted in particular are Rust's safe abstractions, which are said to impose no costs. "Most features in Rust tie into its core concept of ownership, and the FFI is no exception. When binding a C library in Rust you not only have the benefit of zero overhead, but you are also able to make it safer than C can! Bindings can leverage the ownership and borrowing principles in Rust to codify comments typically found in a C header about how its API should be used."
The Ubuntu 15.04 release is out. "Ubuntu Server 15.04 includes the Kilo release of OpenStack, alongside deployment and management tools that save devops teams time when deploying distributed applications - whether on private clouds, public clouds, x86 or ARM servers, or on developer laptops. Several key server technologies, from MAAS to Ceph, have been updated to new upstream versions with a variety of new features. This release also includes the first release of snappy Ubuntu Core, a new distribution model based on transactional updates." LWN looked at Snappy in January.
Ars Technica reports on a wpa_supplicant bug that might leave Linux and other systems open to remote code execution. "That's because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information 'is transmitted in an element that has an 8-bit length field and potential maximum payload length of 255 octets,' [wpa_supplicant maintainer Jouni] Malinen wrote, and the code 'was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.'"
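The unchecked copy the quote describes and its bounds-checked counterpart, as an added example that is not wpa_supplicant's own code; the struct and function names are invented, and the element layout (one ID octet, one 8-bit length octet, up to 255 payload octets) is the one Malinen describes:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* longest valid SSID payload */
#define WLAN_EID_SSID 0   /* element ID of the SSID element */

/* Constructed peer record (names invented). The fields after ssid[] stand in
 * for the "couple of variables in the struct, including a pointer that gets
 * freed" that an overflow of ssid[] would clobber. */
struct peer_info {
    uint8_t ssid[SSID_MAX_LEN];
    size_t ssid_len;
    char *name;            /* heap pointer later passed to free() */
};

/* VULNERABLE pattern, shown for contrast and never called in this file: it
 * trusts the element's 8-bit length field, so a peer can send up to 255
 * payload octets and memcpy() runs past the 32-byte buffer. */
void copy_ssid_unchecked(struct peer_info *p, const uint8_t *ie, size_t ie_len)
{
    if (ie_len < 2 || ie[0] != WLAN_EID_SSID)
        return;
    size_t len = ie[1];
    memcpy(p->ssid, ie + 2, len);   /* overflows when len > SSID_MAX_LEN */
    p->ssid_len = len;
}

/* Hardened version: the payload length must fit the destination buffer and
 * must actually be present in the received bytes. Returns 0 on success and
 * -1 when the element is rejected. */
int copy_ssid_checked(struct peer_info *p, const uint8_t *ie, size_t ie_len)
{
    if (p == NULL || ie == NULL || ie_len < 2 || ie[0] != WLAN_EID_SSID)
        return -1;
    size_t len = ie[1];
    if (len > SSID_MAX_LEN || len > ie_len - 2)
        return -1;
    memcpy(p->ssid, ie + 2, len);
    p->ssid_len = len;
    return 0;
}

/* Run the checked parser on a constructed SSID element of payload_len 'A's. */
int check_ssid_of_len(size_t payload_len)
{
    uint8_t ie[2 + 255];
    struct peer_info p = {{0}, 0, NULL};
    if (payload_len > 255)
        return -1;
    ie[0] = WLAN_EID_SSID;
    ie[1] = (uint8_t)payload_len;
    memset(ie + 2, 'A', payload_len);
    return copy_ssid_checked(&p, ie, payload_len + 2);
}
```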
Arch Linux has updated glibc (code execution). Fedora has updated chrony (F21: three vulnerabilities), gnupg2 (F20: denial of service), java-1.7.0-openjdk (F20: unspecified), java-1.8.0-openjdk (F21: unspecified), kernel (F21; F20: denial of service), ntp (F20: two vulnerabilities), python (F20: denial of service from 2013), spatialite-tools (F21: three vulnerabilities), and sqlite (F21: three vulnerabilities). Oracle has updated kvm (OL5: two vulnerabilities).
Few readers will have failed to notice by now that the attempted merging of the kdbus interprocess communication system into the 4.1 kernel has failed to go as well as its proponents would have liked. As of this writing, the discussion continues and nothing has been merged. This article constitutes an attempt to derive a bit of light from the massive amounts of heat that have been generated so far, with a specific focus on the issue of metadata and capabilities.
Opensource.com introduces Sourcegraph. "Sourcegraph is a code search engine and browsing tool that semantically indexes all the open source code available on the web. You can search for code by repository, package, or function and click on fully linked code to read the docs, jump to definitions, and instantly find usage examples. And you can do all of this in your web browser, without having to configure any editor plugin."
Version 5.1 of the GNU Compiler Collection is out. "GCC 5.1 is a major release containing substantial new functionality not available in GCC 4.9.x or previous GCC releases." Some of that new functionality includes full C++14 language support, quite a few optimization improvements, partial OpenACC support, OpenMP 4.0 support, an experimental JIT library, and more; see the changelog for details.
The Daily Dot reports that the Tor project is receiving some funding from the US Defense Advanced Research Projects Agency (DARPA) to improve Tor's hidden services. "The Dark Net road map moving forward is ambitious. Tor plans to double the encryption strength of hidden service’s identity key and to allow offline storage for that key, a major security upgrade. Next-generation hidden services may be run from multiple hosts to better deal with denial of service attacks and high traffic in general, a potentially big power boost that further closes the gap between the Dark Net and normal websites."
Fedora 22 Beta has been released. It comes in Workstation, Server, and Cloud editions, as well as several spins. This version replaces yum with DNF for package management, as discussed in this recent LWN article. The Cloud edition features the latest versions of rpm-ostree and rpm-ostree-toolbox and introduces the Atomic command line tool. The Server edition features a new database server role based on PostgreSQL, an updated Cockpit, and XFS as the default filesystem. The Workstation product has also seen a number of enhancements and improvements, including a redesigned GNOME Shell notification system, transitional Wayland support, and much more.
Arch Linux has updated jdk8-openjdk (multiple vulnerabilities), jre8-openjdk (multiple vulnerabilities), jre8-openjdk-headless (multiple vulnerabilities), and tcpdump (denial of service). CentOS has updated glibc (C6: two vulnerabilities). Debian-LTS has updated python-django-markupfield (information leak). Red Hat has updated glibc (RHEL6: two vulnerabilities) and kernel (RHEL6: multiple vulnerabilities). Scientific Linux has updated glibc (SL6: two vulnerabilities). SUSE has updated Real Time Linux Kernel (SLERTE11 SP3: multiple vulnerabilities). Ubuntu has updated mysql-5.5 (14.10, 14.04, 12.04: multiple vulnerabilities), openjdk-6 (12.04, 10.04: multiple vulnerabilities), openjdk-7 (14.10, 14.04: multiple vulnerabilities), and php5 (14.10, 14.04, 12.04, 10.04: multiple vulnerabilities).
O'Reilly has posted an excerpt from Puppet Best Practices, an upcoming book about the Puppet system configuration tool. It's a good place to look for those wanting an introduction to how Puppet works. "Puppet can be somewhat alien to technologists who have a background in automation scripting. Where most of our scripts are procedural, Puppet is declarative. While a declarative language has many major advantages for configuration management, it does impose some interesting restrictions on the approaches we use to solve common problems."
NetworkWorld takes a look at two VMWare projects that are aimed at running containers inside the VM. "VMware has created Photon as an OS that can run in vSphere. VMware says it’s a “lightweight” Linux OS that has only the basic elements required to package applications in containers and run them inside virtual machines. Because of its minimalist feature set, Project Photon is meant to boot up quickly, which is a key advantage of using containers. Project Photon supports many container image platforms, including those from Docker (which is both an open source container runtime and the name of the company that is commercializing it), as well as container images from CoreOS (called “rkt”) and Pivotal (named “Garden”)." VMWare also announced a beta version of Project Lightwave, "which is an identity and access management tool meant to provide an extra security layer for containers."
Version 4.0 of the Ardour audio editing system is available. This release features Windows support, more flexible audio support (JACK is no longer required), a lot of user-interface work, and official OS X and Windows support.
PacketFence is a free network access control system; the 5.0 release is now available. Changes include a new active clustering mode, better device fingerprinting, better performance monitoring, the elimination of plaintext passwords, and more.
At his blog, Christian Schaller announces that Red Hat has joined the Khronos Group, the consortium behind (among other things) the OpenGL standard. Schaller notes that "the reason we are joining is because of all the important changes that are happening in Graphics and GPU compute these days and our wish to have more direct input of the direction of some of these technologies. Our efforts are likely to focus on improving the OpenGL specification by proposing some new extensions to OpenGL, and of course providing input and help with moving the new Vulkan standard forward."
It has been roughly a year and a half since the last release of the GNU Hurd operating system, so it may be of interest to some readers that GNU Hurd 0.6 has been released along with GNU Mach 1.5 (the microkernel that Hurd runs on) and GNU MIG 1.5 (the Mach Interface Generator, which generates code to handle remote procedure calls). New features include procfs and random translators; cleanups and stylistic fixes, some of which came from static analysis; message dispatching improvements; integer hashing performance improvements; a split of the init server into a startup server and an init program based on System V init; and more. "GNU Hurd runs on 32-bit x86 machines. A version running on 64-bit x86 (x86_64) machines is in progress. Volunteers interested in ports to other architectures are sought; please contact us (see below) if you'd like to help. To compile the Hurd, you need a toolchain configured to target i?86-gnu; you cannot use a toolchain targeting GNU/Linux. Also note that you cannot run the Hurd "in isolation": you'll need to add further components such as the GNU Mach microkernel and the GNU C Library (glibc), to turn it into a runnable system."
On his blog, Josh Boyer looks at the choice of the 4.0 kernel for Fedora 22. While the underpinnings of the live kernel patching feature have been merged, even when it is fully operational it is probably not something that Fedora (and perhaps other distributions) will use often (or at all). "In reality, we might not ever really leverage the live patching functionality in Fedora itself. It is understandable that people want to patch their kernel without rebooting, but the mechanism is mostly targeted at small bugfixes and security patches. You cannot, for example, live patch from version 4.0 to 4.1. Given that the Fedora kernel rebases both from stable kernel (e.g. 3.19.2 to 3.19.3) and major release kernels over the lifetime of a Fedora release, we don't have much opportunity to build the live patches."
In the first two installments in this series on plotting tools (which covered gnuplot and matplotlib), we introduced tools for creating plots and graphs, and used the terms interchangeably to refer to the typical scientific plot relating one set of quantities to another. In this article we use the term "graph" in its mathematical, graph-theory context, meaning a set of nodes connected by edges. There is a strong family resemblance among graph-theory graphs, flowcharts, and network diagrams—so much so that some of the same tools can be coerced into creating all of them. We will now survey several mature free-software systems for building these types of visualizations. At least one of these tools will likely be useful if you are ever in need of an automated way to diagram source-code interdependencies, make an organizational chart, visualize a computer network, or organize a sports tournament. We will start with a graphical charting tool and a flexible graphing system that can easily be called by other programs.
The first half of our report from the Python Language Summit is now available. Subscribers can click below to access reports from five sessions held before lunch covering topics like the atomicity of Python operations, making Python 3 more attractive to developers, PyParallel, infrastructure for Python development, and Python 3 adoption. We will be adding more reports to this page as they become available.
Open Invention Network (OIN) has announced that it has updated its Linux System patent non-aggression coverage. "For this update, 115 new packages will be added to the Linux System, out of almost 800 proposed by various parties. Key additions are the reference implementations of the popular Go and Lua programming languages, Nginx, Openshift, and development tools like CMake and Maven. This update will represent an increase of approximately 5% of the total number of packages covered in the Linux System, a reflection of the incremental and disciplined nature of the update process."
A beta version of Plasma 5.3 has been released. This release features enhanced power management, better Bluetooth capabilities, improved Plasma widgets, a tech preview of Plasma Media Center, big steps towards Wayland support, and lots of bug fixes.