The CFP deadline for the 2017 linux.conf.au (January 16-20, Hobart) is August 5; the organizers are warning that, contrary to the usual LCAtradition, that deadline will not be extended this year. So anybodywho thinks they may want to speak at LCA should get going on a proposal;see the CFP page forinstructions.
OpenSSH 7.3 is out. This release fixes a number of security issues (mostlyrelated to timing attacks) and adds a handful of new minor features. Thedevelopers also warn that RSA keys less than 1024 bits will be refused in anear-future release.
The Androidsecurity bulletin for July covers the issues that have recently beenfixed for supported Android devices. "The most severe of theseissues is a Critical security vulnerability that could enable remote codeexecution on an affected device through multiple methods such as email, webbrowsing, and MMS when processing media files." There are severaldozen CVE numbers listed overall, including 31 Qualcomm-specificvulnerabilities dating as far back as 2013.
Jehan Pagès writesabout the current GIMP development release and the plan from here."I want to imagine a future where most big graphics programintegrates GEGL, where Blender for instance would have GEGL as the newimplementation of nodes, with image processing graphs which can beexchanged between programs, where darktable would share buffers with GIMPso that images can be edited in one program and updated in real time in theother, and so on. Well of course the short/mid-term improvements will benon-destructive editing with live preview on high bit depth images, andthat’s already awesomely cool right?" See also theannouncement for more information on the GIMP 2.9.4 release.
Software in the PublicInterest (SPI) has completed its 2016 board elections. There weretwo open seats on the board in addition to four board members whoseterms were expiring. The six newly elected members of the board are Luca Filipozzi, Joerg Jaspert, Jimmy Kaplowitz, Andrew Tridgell,Valerie Young, and Martin Zobel-Helas. The fullresults, including voter statistics, are also available.
On his blog, Gmane creator and maintainer Lars Magne Ingebrigtsen warns that the email-to-news (and web) gateway may be disappearing soon. The site, which is hosted by his employer, has been under a distributed denial of service (DDoS) attack for the last few weeks, but there are other problems as well. "And now the DDoS stuff, which I have no idea why is happening, but I can only assume that somebody is angry about something.Probably me being a wise ass.So… it’s been 14 years… I’m old now. I almost threw up earlier tonight because I’m so stressed about the situation. I should retire and read comic books and watch films. Oh, and the day job. Work, work, work. Oh, and Gnus.I’m thinking about ending Gmane, at least as a web site. Perhaps continue running the SMTP-to-NNTP bridge? Perhaps not? I don’t want to make 20-30K mailing lists start having bouncing addresses, but I could just funnel all incoming mail to /dev/null, I guess…" The site, which has been relied on by many (including LWN) since it started in 2002, is down now and it appears to be unclear when (or if) it will be back.
A few years ago, the hardware vendor Yubico made a bit of a splashwhen it introduced its YubiKey line of inexpensive hardware securitytokens powered by open-source software. With its most recent productrelease, however, Yubico has dropped open source and started deploying onlyproprietary software in its devices. Consequently, many communitymembers have started looking for a viable replacement that will adhereto open-source principles. At present, one of the leading contendersfor Yubico's departed customers is Nitrokey, which manufactures a lineof hardware tokens capable of generating one-time passwords (OTPs),storing and using OpenPGP keys, and several other features. Thedevices made by Nitrokey run open-source software and are open hardwareas well.
Shari Steele has posted a statement from theTor project on the results of an investigation into the allegations ofharassment (and worse) within Tor and how the project will respond. "I ampleased, therefore, to announce that both the Tor Project and the Torcommunity are taking active steps to strengthen our ability to handleproblems of unprofessional behavior. Specifically, the Tor Project hascreated an anti-harassment policy, a conflicts of interest policy,procedures for submitting complaints, and an internal complaint reviewprocess. They were recently approved by Tor’s board of directors, and theywill be rolled out internally this week."
Harald Sitter reportson a discussion at recent sprint focused on making Snap packaging usefulfor KDE. "Shipping things users can use on Linux has been a pain in the rearsince forever and these bundles are meant to change that. As such weas KDE should have a strong interest and presence in this field in thehopes of shaping a future that is useful to us. After all, we are oneof the biggest source distributors, and the primary reason we don'talso offer generic binary packages of our applications is because thisnever scaled and was altogether terrible to pull off from a KDE pointof view." He and Scarlett Clark are working on somehigh level mass automation of snap building on top of KDE Neon's existingdeb binaries. (Thanks to Jos van den Oever)
OpenVZ 7.0 has been released.The new release focuses on merging OpenVZ and Virtuozzo source codebase andreplacing its hypervisor with KVM. There are many other improvements andnew features in container management and more.
InfoWorld takesa look at the upcoming OpenBSD 6.0 release. "Most significant among the latest security-related changes for OpenBSD is the removal of Linux emulation support. Prior versions of OpenBSD made it possible to run Linux applications by way of a compatibility layer, but the release notes for OpenBSD 6.0 indicate the Linux subsystem was removed as a "security improvement.""
Arch Linux has updated chromium (multiple vulnerabilities), python-django (cross-site scripting), and python2-django (cross-site scripting).Debian has updated openssh (userenumeration via timing side-channel), perl(two vulnerabilities), and phpmyadmin(multiple vulnerabilities).Debian-LTS has updated squid3 (denial of service).Fedora has updated ca-certificates (F24: certificate update), gd (F24: multiple vulnerabilities), httpd (F24: HTTP redirect),kf5-karchive (F24; F23: command execution, over a hundredrelated KDE Frameworks packages were included in this update), libgcrypt (F24: key leak), libidn (F24: multiple vulnerabilities), libvirt (F24: authentication bypass), and mingw-gnutls (F24: certificate verification vulnerability).openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2:multiple vulnerabilities) and gnugk(Leap42.1, 13.2: denial of service).Red Hat has updated mariadb55-mariadb (RHSCL: manyvulnerabilities) and mysql55-mysql (RHSCL:many vulnerabilities).Slackware has updated bind (denial of service).
Linus has returned from his travels and released the 4.7 kernel. The most significantchanges in this release includethe tracing histograms feature,in-kernel tracing analysis via the ability to attach BPF programs to tracepoints,the LoadPin security module,better out-of-memory detection,faster filesystem operations with parallelpathname lookups,the schedutil CPU frequency governor, andmore. See the KernelNewbies4.7 page for lots of details.
At his blog, Matthias Clasen exploresthe recent enhancements to the the classic GNU gettext utility.Thanks in large part to new maintainer Daiki Ueno, gettext nowunderstands many more file formats—thus enabling developers to easilyextract strings from a wide variety of source files for translation.In addition to programming languages, Clasen notes, gettextunderstands .desktop files, GSettings schemas, GtkBuilder ui files,and Appdata files. "If you don’t want to wait for your favorite format to come with built-in its support, you can also include its files with your application; gettext will look for such files in $XDG_DATA_DIRS/gettext/its/."
The Electronic Frontier Foundation (EFF) has announced that it is suing the US government over provisions in the Digital Millennium Copyright Act (DMCA). The suit has been filed on behalf of Andrew "bunnie" Huang, who has a blog post describing the reasons behind the suit. The EFF also explained why these DMCA provisions should be ruled unconstitutional:"These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing. Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people’s ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials."
Arch Linux has updated bind(denial of service).CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).Debian-LTS has updated libarchive(multiple vulnerabilities, most from 2015).Fedora has updated openssh (F24:user enumeration via timing side-channel) and p7zip (F24: two code execution flaws).openSUSE has updated dhcp (42.1:denial of service).Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), andopenstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015).Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).SUSE has updated obs-service-source_validator (SLE12: code execution).
Congratulations are due to Alan Cox, who was awardedan honorary degree by Swansea University for his work with Linux."Alan started working on Version 0. There were bugs and problems hecould correct. He put Linux on a machine in the Swansea University computernetwork, which revealed many problems in networking which he sorted out;later he rewrote the networking software. Alan brought to Linux softwareengineering discipline: Linux software releases that were tested, correctedand above all stable. On graduating, Alan worked at Swansea University, setup the UK Linux server and distributed thousands of systems."
Benjamin Smedberg writesthat the Firefox browser will soon start taking a more active approach tothe elimination of Flash content. "Starting in August, Firefox willblock certain Flash content that is not essential to the user experience,while continuing to support legacy Flash content. These and future changeswill bring Firefox users enhanced security, improved battery life, fasterpage load, and better browser responsiveness."
Debian has updated apache2 (HTTP redirect).Debian-LTS has updated apache2 (HTTP redirect).Fedora has updated ecryptfs-utils(F24: two vulnerabilities), kernel (F24; F23:multiple vulnerabilities), php-doctrine-orm (F24; F23:privilege escalation), and spice (F24: two vulnerabilities).Gentoo has updated ansible (codeexecution), arpwatch (privilege escalationfrom 2012), bugzilla (multiplevulnerabilities from 2014), commons-beanutils (code execution from 2014),dropbear (information disclosure), exim (code execution from 2014), libbsd (denial of service), ntp (many vulnerabilities), and varnish (access control bypass).openSUSE has updated ImageMagick(Leap42.1: many vulnerabilities), nodejs(Leap42.1, 13.2: buffer overflow), and samba (13.2: crypto downgrade).Red Hat has updated java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).SUSE has updated flash-player(SLE12-SP1: multiple vulnerabilities).Ubuntu has updated python-django(16.04: cross-site scripting).
The Register reportsthat longtime Tor contributor Lucky Green is quitting and closing down thenode and bridge authority he operates. "Practically, it's a bigdeal. Bridge Authorities are part of the infrastructure that lets users getaround some ISP-level blocks on the network (not, however, defeating deeppacket inspection). They're also incorporated in the Tor code, meaning thatto remove a Bridge Authority is going to need an update." Theshutdown is scheduled for August 31. (Thanks to Nomen Nescio)
The Software Freedom Conservancy is one of the few organizations involvedin GPL enforcement, and it has publishedprinciples regarding enforcement practices that seek compliance and notfinancial penalties. Bradley Kuhn and Karen Sandler urgeothers doing GPL enforcement to follow principles set forth by theSFC. "One impetus in drafting the Principles was our discovery ofongoing enforcement efforts that did not fit with the GPL enforcementcommunity traditions and norms established for the last twodecades. Publishing the previously unwritten guidelines has quicklyseparated the wheat from the chaff. Specifically, we remain aware ofmultiple non-community-oriented GPL enforcement efforts, where none ofthose engaged in these efforts have endorsed our principles nor pledged toabide by them. These “GPL monetizersâ€, who trace their roots to nefariousbusiness models that seek to catch users in minor violations in order tosell an alternative proprietary license, stand in stark contrast to thework that Conservancy, FSF and gpl-violations.org have done foryears." The actions of one individual prompted the netfilterproject to make a statement endorsing the principles, which we covered earlier this month.
Version 1.0 of the QtWebBrowser has been released.Qt WebBrowser is a browser for embedded devices developed using thecapabilities of Qt and Qt WebEngine. "The browser is optimized for embedded touch displays (running Linux), but you can play with it on the desktop platforms, too! Just make sure that you have Qt WebEngine, Qt Quick, and Qt VirtualKeyboard installed (version 5.7 or newer). For optimal performance on embedded devices you should plan for hardware-accelerated OpenGL, and around 1 GiByte of memory for the whole system. Anyhow, depending on your system configuration and the pages to be supported there is room for optimization."
ComputerWorld talkswith Jim Hall, a contributor to FreeDOS. "FreeDOS (it was originally dubbed ‘PD-DOS’ for ‘Public Domain DOS’, but the name was changed to reflect that it’s actually released under the GNU General Public License) dates back to June 1994, meaning it is just over 22 years old — a formidable lifespan compared to many open source projects.“And if you consider the DOS platform, MS-DOS 1.0 dates back to 1981, ‘DOS’ as an operating system has been around for 35 years! That’s not too shabby,†Hall said. (Version 1.0 of MS-DOS — then marketed by IBM as PC DOS — was released in August 1981.)" (Thanks to Paul Wise)
Canonical has disclosedthat the Ubuntu forum system has been compromised. "The attacker hadthe ability to inject certain formatted SQL to the Forums database on theForums database servers. This gave them the ability to read from any tablebut we believe they only ever read from the ‘user’ table. They used thisaccess to download portions of the ‘user’ table which contained usernames,email addresses and IPs for 2 million users. No active passwords wereaccessed."
The lowRISC project, which is an effort to develop a fully open-source, Linux-powered system-on-chip based on the RISC-V architecture, has published notes from the fourth RISC-V workshop. Notably, the post explains, the members of the RISC-V foundation voted to keep the RISC-V instruction-set architecture (ISA) and related standards open and license-free to all parties. There are also accounts included of the work on RISC-V interrupts, heterogeneous multicore RISC-V processors, support for non-volatile memory, and Debian's RISC-V port.
Over at Linux.com, Eric Brown writes about the release of Automotive Grade Linux (AGL) Unified Code Base (UCB) 2.0 for in-vehicle infotainment (IVI) systems. "The latest version adds features like audio routing, rear seat display support, the beginnings of an app platform, and new development boards including the DragonBoard, Wandboard, and Raspberry Pi.AGL’s Yocto Project derived UCB distro, which is also based on part on the GENIVI and Tizen automotive specs, was first released in January. UCB 1.0 followed an experimental AGL stack in 2014 and an AGL Requirements Specification in June, 2015.UCB is scheduled for a 3.0 release in early 2017, at which point some automotive manufacturers will finally use it in production cars. Most of the IVI software will be based on UCB, but carmakers can also differentiate with their own features." We looked at AGL UCB 1.0 back in January.
Fedora has updated gnutls (F23:certificate verification botch).Gentoo has updated flash (many vulnerabilities).openSUSE has updated flash-player(13.2: many vulnerabilities) and kernel (42.1:multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL 5↦6: many vulnerabilities) and rh-nginx18-nginx (RHSC: multiple vulnerabilities).SUSE has updated MozillaFirefox,MozillaFirefox-branding-SLE, mozilla-nss (SLE11: multiple vulnerabilities).
The Tor Project has announced a new board of directors. "As Tor's board of directors, we consider it our duty to ensure that the Tor Project has the bestpossible leadership. The importance of Tor's mission requires it; thepublic standing of the organization makes it possible; and we are committedto achieve it. We had that duty in mind when we conducted an ExecutiveDirector search last year, and appreciate the leadership Shari Steele hasbrought. To support her, we further believe that it is time that we passthe baton of board oversight as the Tor Project moves into its seconddecade of operations."
CentOS has updated kernel (C6:privilege escalation).Fedora has updated python (F24:heap corruption), python3 (F24: heap corruption), and squid (F24; F23: multiple vulnerabilities).Mageia has updated flash-player-plugin (multiple vulnerabilities).Oracle has updated kernel (OL6: privilege escalation).Red Hat has updated kernel(RHEL7: denial of service) and kernel(RHEL6: privilege escalation).Scientific Linux has updated thunderbird (SL5,6,7: code execution).Ubuntu has updated pidgin (15.10,14.04, 12.04: multiple vulnerabilities).
Software in the Public Interest has announced its 2015 AnnualReport (PDF), covering the 2015 calendar year. The annual reportcovers SPI's finances, elections, board members, committees, associatedprojects, and other significant changes throughout the year.
Dave Herman reportsthat with Firefox 48, Mozilla will ship its first Rust component to alldesktop platforms. "One of the first groups at Mozilla to make useof Rust was the Media Playback team. Now, it’s certainly easy to see thatmedia is at the heart of the modern Web experience. What may be lessobvious to the non-paranoid is that every time a browser plays a seeminglyinnocuous video (say, a chameleon poppingbubbles), it’s reading data delivered in a complex format and createdby someone you don’t know and don’t trust. And as it turns out, mediaformats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in Web browsers’ implementation code.This makes a memory-safe programming language like Rust a compelling addition to Mozilla’s tool-chest for protecting against potentially malicious media content on the Web."
On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. "Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put it’s panels, but does not have any meaning for normal windows.Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screenâ€. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it.Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry."
Linus has released the 4.7-rc7 kernelprepatch. "Anyway, there's a couple of regressions still being looked at, butunless anything odd happens, this is going to be the last rc. However,due to my travel schedule, I won't be doing the final 4.7 nextweekend, and people will have two weeks to report (and fix) anyremaining bugs.Yeah, that's the ticket. My travel schedule isn't screwing anythingup, instead think of it as you guys getting a BONUS WEEK! Yay!"See the current list of reportedregressions for the known issues remaining in the 4.7 kernel.
Python applications, like those written in other languages, often need toobtain random data for purposes ranging from cryptographic key generationto initialization of scientific models. For years, the standard way ofgetting that data is via a call to os.urandom(), which is documented to "return astring of n random bytes suitable for cryptographic use." Anenhancement in Python 3.5 caused a subtle change in howos.urandom() behaves on Linux systems, leading to some long,heated discussions about how randomness should be obtained in Python programs. When the dustsettles, Python benevolent dictator for life (BDFL) Guido van Rossum willhave the unenviable task of choosing between two competing proposals.
On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox."Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system.Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t.Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access.Regardless which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system.The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox."
LWN.net