LWN.net

Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2024-11-26 00:00
Tuesday's security updates
Arch Linux has updated ruby (man-in-the-middle attack).
CentOS has updated openssl (C5: multiple vulnerabilities).
Debian-LTS has updated ia32-libs (multiple vulnerabilities).
Oracle has updated openssl (OL5: multiple vulnerabilities).
Red Hat has updated kernel (RHEL6.4: privilege escalation).
Scientific Linux has updated xorg-x11-server (SL7, SL6: information leak/denial of service).
Ubuntu has updated apport (14.10, 14.04: privilege escalation), libx11, libxrender (14.10, 14.04, 12.04: code execution), and ntp (14.10, 14.04, 12.04: multiple vulnerabilities).
The Document Liberation, one year after
The Document Foundation's project Document Liberation looks at its progress during the past year. "During 2014, members of the project released a new framework library, called librevenge, which contains all the document interfaces and helper types, in order to simplify the dependency chain. In addition, they started a new library for importing Adobe PageMaker documents, libpagemaker, written as part of Google Summer of Code 2014 by Anurag Kanungo. Existing libraries have also been extended with the addition of more formats, like libwps with the addition of Microsoft Works Spreadsheet and Database by Laurent Alonso. He is now working on adding support for Lotus 1-2-3, which is one of the most famous legacy applications for personal computers. Laurent has also added support for more than twenty legacy Mac formats to libmwaw."
Stable kernel updates
Greg KH has released stable kernels 3.19.4, 3.14.38, and 3.10.74. All of them contain the usual set of important fixes.
Security advisories for Monday
Arch Linux has updated icecast (denial of service).
CentOS has updated xorg-x11-server (C6: information leak).
Debian has updated chrony (multiple vulnerabilities), das-watchdog (privilege escalation), libdbd-firebird-perl (buffer overflow), libtasn1-3 (denial of service), libx11 (code execution), ntp (two vulnerabilities), and wesnoth-1.10 (information leak).
Debian-LTS has updated chrony (multiple vulnerabilities), das-watchdog (privilege escalation), libtasn1-3 (denial of service), and ntp (two vulnerabilities).
Fedora has updated arj (F20: multiple vulnerabilities), ca-certificates (F21; F20: certificate update), ImageMagick (F21: multiple vulnerabilities), libxml2 (F20: denial of service), openldap (F21: denial of service), qemu (F21: multiple vulnerabilities), varnish (F21: heap buffer overflow), and xen (F21; F20: multiple vulnerabilities).
Gentoo has updated apache (multiple vulnerabilities), mysql (multiple unspecified vulnerabilities), sudo (information disclosure), and xen (multiple vulnerabilities).
Mandriva has updated batik (MBS1,2: information leak).
openSUSE has updated kernel (13.2; 13.1: multiple vulnerabilities) and tor (13.2, 13.1: denial of service).
Red Hat has updated openssl (RHEL5: multiple vulnerabilities).
Scientific Linux has updated openssl (SL5: multiple vulnerabilities).
SUSE has updated firefox (SLES12; SLED12: multiple vulnerabilities).
Hubička: Link time and inter-procedural optimization improvements in GCC 5
Jan Hubička has posted a lengthy discussion of the optimization improvements found in the upcoming GCC 5.0 release. "Identical code folding is a new pass (contributed by Martin Liška, SUSE) looking for functions with the same code and variables with the same constructors. If some are found, one copy is removed and replaced one by an alias to another where possible. This is especially important for C++ code bases that tend to contain duplicated functions as a result of template instantiations."
The 4.0 kernel has been released
Linus has released the 4.0 kernel right on schedule. "Feature-wise, 4.0 doesn't have all that much special. Much have been made of the new kernel patching infrastructure, but realistically, that not only wasn't the reason for the version number change, we've had much bigger changes in other versions. So this is very much a 'solid code progress' release." Beyond the (incomplete) live-patching mechanism, this release includes the removal of the remap_file_pages() system call, improved persistent memory support, the lazytime mount option, and the kernel address sanitizer.
Turon: Fearless Concurrency with Rust
Aaron Turon has posted a lengthy introduction to concurrency in the Rust programming language. "Every data type knows whether it can safely be sent between or accessed by multiple threads, and Rust enforces this safe usage; there are no data races, even for lock-free data structures. Thread safety isn't just documentation; it's law."
Friday's security updates
Arch Linux has updated mediawiki (multiple vulnerabilities).
CentOS has updated xorg-x11-server (C7: information leak/denial of service).
Debian has updated dpkg (integrity-verification bypass).
Fedora has updated arj (F21: multiple vulnerabilities), echoping (F20; F21: multiple vulnerabilities), and python-dulwich (F20; F21: code execution).
Mageia has updated batik (M4: information leak), chromium-browser-stable (M4: multiple vulnerabilities), jakarta-taglibs-standard (M4: code execution), less (M4: information leak), mediawiki (M4: multiple vulnerabilities), openldap (M4: denial of service), qt-creator (M4: key-verification failure), suricata (M4: denial of service), and xerces-c (M4: denial of service).
Mandriva has updated arj (BS1: multiple vulnerabilities), less (BS1,2: information leak), mediawiki (BS1: multiple vulnerabilities), and ntp (BS1,2: multiple vulnerabilities).
Oracle has updated xorg-x11-server (O6; O7: information leak/denial of service).
Red Hat has updated qemu-kvm-rhev (RHEL OSP: privilege escalation) and xorg-x11-server (RHEL6,7: information leak/denial of service).
Scientific Linux has updated krb5 (SL6: multiple vulnerabilities).
SUSE has updated libXfont (SLE12: multiple vulnerabilities).
Ubuntu has updated dpkg (integrity-verification bypass).
X.org election results
As was discussed in this LWN article, the X.Org Foundation recently held an election to choose four board members and decide whether to change the organization's by-laws to enable it to become a member of Software in the Public Interest (SPI). The results are now available. The board members elected are Peter Hutterer, Martin Peres, Rob Clark, and Daniel Vetter. The measure to change the by-laws did not pass, though, despite receiving only two "no" votes, because the required two-thirds majority was not reached.
Linux Foundation to host Let's Encrypt
The Linux Foundation (LF) has announced that it will serve as host of the Let's Encrypt project, as well as the Internet Security Research Group (ISRG). Let's Encrypt is the free, automated SSL/TLS certificate authority that was announced in November 2014 by the Electronic Frontier Foundation (EFF) to provide TLS certificates for every domain on the web. ISRG is the non-profit organization created to spearhead efforts like Let's Encrypt (which, as of now, is ISRG's only public project). In the LF announcement, executive director Jim Zemlin notes that "by hosting this important encryption project in a neutral forum we can accelerate the work towards a free, automated and easy security certification process that benefits millions of people around the world."
Thursday's security updates
Arch Linux has updated chrony (denial of service).
CentOS has updated krb5 (C6: multiple vulnerabilities).
Debian-LTS has updated arj (multiple vulnerabilities), checkpw (denial of service), libgcrypt11 (multiple vulnerabilities), and libgd2 (multiple vulnerabilities).
Fedora has updated drupal7-webform (F20; F21: unspecified vulnerability), firefox (F21: multiple vulnerabilities), powerpc-utils-python (F20; F21: code execution), and xterm (F20; F21: denial of service).
Mandriva has updated java-1.8.0-openjdk (BS2: multiple vulnerabilities).
Oracle has updated kernel (O5: multiple vulnerabilities) and krb5 (O6: denial of service).
Red Hat has updated krb5 (RHEL6: multiple vulnerabilities).
Ubuntu has updated kernel (12.04; 14.04; 14.10: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
[$] LWN.net Weekly Edition for April 9, 2015
The LWN.net Weekly Edition for April 9, 2015 is available.
Security advisories for Wednesday
Arch Linux has updated ntp (two vulnerabilities).
CentOS has updated kernel (C5: multiple vulnerabilities).
Debian has updated libxml2 (denial of service).
Fedora has updated setroubleshoot (F21; F20: privilege escalation) and texlive (F21: arbitrary file removal).
openSUSE has updated Chromium (13.2, 13.1: two vulnerabilities), libgit2 (13.2, 13.1: code execution), firefox, thunderbird (13.2, 13.1: multiple vulnerabilities), php5 (13.2, 13.1: multiple vulnerabilities), potrace (13.2, 13.1: denial of service), quassel (13.2, 13.1: denial of service), and subversion (13.2, 13.1: multiple vulnerabilities).
Red Hat has updated kernel (RHEL5: multiple vulnerabilities), novnc (RHEL OSP6.0: VNC session hijacking), openstack-nova (RHEL OSP6.0: cross-site websocket hijack attack), openstack-packstack (RHEL OSP6.0: root command execution), and installer (RHEL OSP6.0: root command execution).
Scientific Linux has updated kernel (C5: multiple vulnerabilities).
SUSE has updated xorg-x11-libs (SLE11 SP3: privilege escalation).
Ubuntu has updated libtasn1-3, libtasn1-6 (14.10, 14.04, 12.04, 10.04: denial of service) and mailman (14.10, 14.04, 12.04: path traversal attack).
Mourning Chris Yeoh
From the OpenStack community comes the sad announcement of the passing of Chris Yeoh, a longtime free-software developer. "Chris was humble, helpful and honest. The OpenStack and broader Open Source communities are poorer for his passing." Those with memories of Chris are encouraged to contribute them to a collection being put together for his daughter.
[$] An update on the freedreno graphics driver
The freedreno project was started by Rob Clark to create a free-software driver for the Adreno family of GPUs, which are used by the Qualcomm Snapdragon system-on-chip (SoC) family. He presented a status report on the project, along with some history and future plans, at the Embedded Linux Conference, which was held in San Jose, CA, March 23-25. Click below (subscribers only) for the full report from ELC 2015.
Post-Cryptanalysis, TrueCrypt Alternatives Step Forward (Threat Post)
Threat Post takes a look at two TrueCrypt forks, VeraCrypt and CipherShed. Although TrueCrypt development was discontinued last year, the code underwent a two-phase audit and passed with a relatively clean bill of health. "VeraCrypt and CipherShed have addressed many of the shortcomings identified not only by the audit, but by others who have scrutinized the TrueCrypt code in recent years. VeraCrypt's [Mounir] Idrassi, for example, said he replaced TrueCrypt's lone support of the RIPEMD-160 algorithm with SHA-256 support for system encryption. He said VeraCrypt has also tried to simplify the build process, especially for Linux and Mac OS X systems, so that other less common configurations could be used." The results of the audit of TrueCrypt are available in PDF format; phase 1 was completed in February 2014, and phase 2 was completed March 2015.
Tuesday's security updates
Arch Linux has updated tor (denial of service).
Debian has updated arj (multiple vulnerabilities), libgd2 (denial of service), mailman (path traversal attack), and tor (denial of service).
Debian-LTS has updated mailman (path traversal attack) and tor (denial of service).
Fedora has updated chicken (F21; F20: buffer overflow), kernel (F20: multiple vulnerabilities), libxml2 (F21: denial of service), and seamonkey (F21; F20: multiple vulnerabilities).
Gentoo has updated firefox (multiple vulnerabilities).
Mandriva has updated cups-filters (MBS2.0: remote command execution), libtasn1 (MBS1.0, MBS2.0: denial of service), and python-django (MBS1.0: cross-site scripting).
Red Hat has updated kernel (RHEL6.5: multiple vulnerabilities).
Ubuntu has updated firefox (14.10, 14.04, 12.04: certificate verification bypass) and oxide-qt (14.10, 14.04: multiple vulnerabilities).
Kernel prepatch 4.0-rc7
Linus has released 4.0-rc7 after a delay of a couple of days for the holiday. "But it's still pretty small, and things are on track for 4.0 next weekend. There's a tiny chance that I'll decide to delay 4.0 by a week just because I'm traveling the week after, and I might want to avoid opening the merge window. We'll see how I feel about it next weekend."
Linux Australia server breach
Linux Australia has reported a breach on the Conference Management (Zookeepr) hosting server. This server hosted the conference systems for linux.conf.au 2013, 2014 and 2015, and for PyCon Australia 2013 and 2014. "The database dumps which occurred during the breach include information provided during conference registration - First and Last Names, physical and email addresses, and any phone contact details provided, as well as a hashed version of the user password. As Zookeepr uses a third party credit card payment gateway for credit card processing, the database dumps do not contain any credit card or banking details."
Security advisories for Monday
Arch Linux has updated firefox (certificate verification bypass), java-batik (information leak), and thunderbird (multiple vulnerabilities).
Fedora has updated firefox (F20: multiple vulnerabilities), freeipa (F21: two vulnerabilities), glpi (F21; F20: privilege escalation), lasso (F21; F20: denial of service), mingw-libzip (F21; F20: code execution), mingw-qt5-qtbase (F21; F20: denial of service), mingw-qt5-qtdeclarative (F21; F20: denial of service), mingw-qt5-qtgraphicaleffects (F21; F20: denial of service), mingw-qt5-qtimageformats (F21; F20: denial of service), mingw-qt5-qtlocation (F21; F20: denial of service), mingw-qt5-qtmultimedia (F21; F20: denial of service), mingw-qt5-qtquick1 (F21; F20: denial of service), mingw-qt5-qtscript (F21; F20: denial of service), mingw-qt5-qtsensors (F21; F20: denial of service), mingw-qt5-qtsvg (F21; F20: denial of service), mingw-qt5-qttools (F21; F20: denial of service), mingw-qt5-qttranslations (F21; F20: denial of service), mingw-qt5-qtwebkit (F21; F20: denial of service), mingw-qt5-qtwinextras (F21; F20: denial of service), moodle (F21; F20: multiple vulnerabilities), osc (F21; F20: command injection), patch (F20: multiple vulnerabilities), PyYAML (F21; F20: denial of service), rt (F21: multiple vulnerabilities), slapi-nis (F21: multiple vulnerabilities), thunderbird (F21: multiple vulnerabilities), and tor (F21; F20: denial of service).
Mageia has updated cups-filters (remote command execution), novnc (VNC session hijacking), and php, libzip (multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: two vulnerabilities).
10 Years of Git: An Interview with Git Creator Linus Torvalds (Linux.com)
Linux.com talks with Linus Torvalds about the development of Git. "Just to pick an example: the concept of 'merging' was generally considered to be something really quite painful and hard in most SCM's. You'd plan your merges, because they were big deals. That's not acceptable to me, since I commonly do tens of merges a day when in the merge window, and even then, the biggest overhead shouldn't be the merge itself, it should be testing the result. The 'git' part of the merge is just a couple of seconds, it should take me much longer just to write the merge explanation message."
Tor Summer of Privacy
The Tor Project and the Electronic Frontier Foundation (EFF) have announced a mentoring program entitled the "Tor Summer of Privacy" (TorSoP). Akin to the Google Summer of Code, TorSoP will provide financial support and mentorship for a group of students to work on privacy-related free software. Three student positions are available this year; applications will be accepted through April 10. More details (including project ideas) are provided on the TorSoP page.
Rust 1.0 beta released
The Rust team at Mozilla Research has announced the first beta release of Rust 1.0. The release notes detail a number of important changes, but the announcement adds some additional noteworthy items. "The Beta release also marks a turning point in our approach to stability. During the alpha cycle, the use of unstable APIs and language features was permitted, but triggered a warning. As of the Beta release, the use of unstable APIs will become an error (unless you are using Nightly builds or building from source)." A new continuous-integration infrastructure has also been deployed. The final release is currently expected around May 15.
Friday's security updates
Arch Linux has updated libtasn1 (denial of service).
Debian has updated icedove (multiple vulnerabilities).
Fedora has updated drupal7-ctools (F20; F21: multiple vulnerabilities), firefox (F21: multiple vulnerabilities), icu (F21: multiple vulnerabilities), and texlive (F20: arbitrary file removal).
Mageia has updated firefox, thunderbird (M4: multiple vulnerabilities), iceape (M4: multiple vulnerabilities), libtasn1 (M4: denial of service), mercurial (M4: command injection), mongodb (M4: denial of service), and python-django (M4: multiple vulnerabilities).
Mandriva has updated icu (BS1: multiple vulnerabilities) and subversion (BS1, BS2: multiple vulnerabilities).
SUSE has updated kernel (SLE12: multiple vulnerabilities).
Ubuntu has updated thunderbird (12.04, 14.04, 14.10: multiple vulnerabilities).
What to Expect When You're Expecting: PHP 7, Part 1 (Engine Yard)
The Engine Yard blog has an introduction to the changes coming in the PHP 7 release. "My personal favorite addition to PHP 7 is the addition of the Combined Comparison Operator, <=>, otherwise known as the spaceship operator. [...] It effectively works like strcmp(), or version_compare(), returning -1 if the left operand is smaller than the right, 0 if they are equal, and 1 if the left is greater than the right. The major difference being that it can be used on any two operands, not just strings, but also integers, floats, arrays, etc."
Android security state of the union
Google has announced the issuing of a lengthy report [PDF] on the state of Android security. "In 2014, the Android platform made numerous significant improvements in platform security technology, including enabling deployment of full disk encryption, expanding the use of hardware-protected cryptography, and improving the Android application sandbox with an SELinux-based Mandatory Access Control system (MAC). Developers were also provided with improved tools to detect and react to security vulnerabilities, including the nogotofail project and the SecurityProvider. We provided device manufacturers with ongoing support for fixing security vulnerabilities in devices, including development of 79 security patches, and improved the ability to respond to potential vulnerabilities in key areas, such as the updateable WebView in Android 5.0."
Open Crypto Audit gives TrueCrypt a passing grade
At his blog, cryptographer Matt Green announced that the Open Crypto Audit project's review of the now-abandoned TrueCrypt encryption tool is complete, and that "based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances." TrueCrypt was abruptly abandoned by its anonymous developers in 2014, leading some to suspect that a serious vulnerability had been discovered. The final Open Crypto Audit report [PDF] suggests otherwise, which is good news for users as well as for the multiple open-source projects that have subsequently developed TrueCrypt-compatibility support.
Thursday's security updates
Arch Linux has updated chromium (multiple vulnerabilities).
CentOS has updated thunderbird (C5: multiple vulnerabilities).
Debian has updated iceweasel (multiple vulnerabilities).
Mandriva has updated flac (BS2: multiple vulnerabilities), graphviz (BS2: format-string vulnerability), owncloud (BS1; BS2: multiple vulnerabilities), and tor (BS1: denial of service).
openSUSE has updated php5 (13.1, 13.2: multiple vulnerabilities) and python-Django (13.2: multiple vulnerabilities).
Oracle has updated firefox (O5: multiple vulnerabilities) and thunderbird (O6; O7: multiple vulnerabilities).
Scientific Linux has updated thunderbird (multiple vulnerabilities).
SUSE has updated kernel (SLES11: multiple vulnerabilities).
Ubuntu has updated tiff (regression fix for previous update).
Django 1.8 released
Version 1.8 of the Django web platform is out. "This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years." New features include support for multiple template engines, complex SQL expressions, some PostgreSQL-specific add-ons, and more; see the release notes for details.
[$] LWN.net Weekly Edition for April 2, 2015
The LWN.net Weekly Edition for April 2, 2015 is available.
[$] XFS: There and back ... and there again?
In a thought-provoking—and characteristically amusing—talk at the Vault conference, Dave Chinner looked at the history of XFS, its current status, and where the filesystem may be heading. In keeping with the title of the talk (shared by this article), he sees parallels in what drove the original development of XFS and what will be driving new filesystems. Chinner's vision of the future for today's filesystems, and not just of XFS, may be a bit surprising or controversial—possibly both.
Security advisories for Wednesday
Arch Linux has updated firefox (multiple vulnerabilities).
CentOS has updated bind (C7: denial of service), firefox (C7: two vulnerabilities), firefox (C6; C5; C7: multiple vulnerabilities), xulrunner (C7: multiple vulnerabilities), flac (C7; C6: two vulnerabilities), freetype (C7: multiple vulnerabilities), ipa (C7: two vulnerabilities), slapi-nis (C7: two vulnerabilities), kernel (C7: two vulnerabilities), libxml2 (C7: denial of service), openssl (C7: multiple vulnerabilities), postgresql (C7: multiple vulnerabilities), setroubleshoot (C7: privilege escalation), thunderbird (C7; C7: multiple vulnerabilities), and unzip (C7: multiple vulnerabilities).
Debian has updated wireshark (multiple vulnerabilities).
Debian-LTS has updated freetype (many vulnerabilities).
Fedora has updated drupal7-entity (F21; F20: cross-site scripting) and php (F20: multiple vulnerabilities).
Mageia has updated chromium-browser-stable (multiple vulnerabilities), owncloud (unspecified vulnerabilities), python-rope (code execution), and tor (denial of service).
Oracle has updated firefox (OL7; OL6: multiple vulnerabilities) and flac (OL7; OL6: two vulnerabilities).
Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), flac (RHEL6,7: two vulnerabilities), and thunderbird (RHEL5,6,7: multiple vulnerabilities).
Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities) and flac (SL6,7: two vulnerabilities).
Ubuntu has updated firefox (14.10, 14.04, 12.04: multiple vulnerabilities), gnupg, gnupg2 (14.10, 14.04, 12.04, 10.04: multiple vulnerabilities), libgcrypt11, libgcrypt20 (14.10, 14.04, 12.04, 10.04: information leak), and tiff (14.10, 14.04, 12.04, 10.04: multiple vulnerabilities).
Firefox 37.0
Firefox 37.0 has been released. This release features improved protection against site impersonation via OneCRL centralized certificate revocation, Bing search now uses HTTPS for secure searching, opportunistic encrypting of HTTP traffic where the server supports HTTP/2 AltSvc, and more. See the release notes for details.
Tuesday's security updates
Arch Linux has updated musl (code execution).
Debian has updated openldap (multiple vulnerabilities).
Mandriva has updated dokuwiki (MBS1.0: multiple vulnerabilities) and phpmyadmin (MBS1.0: information leak).
openSUSE has updated gd (13.2, 13.1: denial of service) and seamonkey (13.2, 13.1: two vulnerabilities).
Oracle has updated libxml2 (OL7: denial of service) and postgresql (OL7; OL6: multiple vulnerabilities).
SUSE has updated firefox (SLE12: two vulnerabilities).
Ubuntu has updated jakarta-taglibs-standard (14.10, 14.04: code execution).
Kernel prepatch 4.0-rc6
Linus has released 4.0-rc6 right on schedule. "Things are calming down nicely, and there are fixes all over. The NUMA balancing performance regression is fixed, and things are looking up again in general. There were a number of i915 issues and a KVM double-fault thing that meant that for a while there I was pretty sure that this would be a release that will go to rc8, but that may be unnecessary."
Security advisories for Monday
CentOS has updated postgresql (C6: multiple vulnerabilities).
Debian has updated freexl (code execution).
Fedora has updated drupal6 (F21; F20: multiple vulnerabilities), drupal7 (F21; F20: multiple vulnerabilities), libssh2 (F20: information leak), mingw-xerces-c (F21; F20: denial of service), php (F21: multiple vulnerabilities), tcpdump (F21: multiple vulnerabilities), and xerces-c (F21; F20: denial of service).
Gentoo has updated busybox (multiple vulnerabilities).
Mandriva has updated apache-mod_wsgi (MBS2.0: privilege escalation), bash (MBS2.0: multiple vulnerabilities), bind (MBS2.0: denial of service), binutils (MBS2.0: multiple vulnerabilities), clamav (MBS2.0: multiple vulnerabilities), coreutils (MBS1.0, MBS2.0: code execution), ctags (MBS2.0: denial of service), ctdb (MBS2.0: insecure temporary files), dbus (MBS2.0: multiple vulnerabilities), drupal (MBS1.0: multiple vulnerabilities), ejabberd (MBS2.0: incorrectly allows unencrypted connections), erlang (MBS2.0: command injection), ffmpeg (MBS2.0: multiple vulnerabilities), firebird (MBS2.0: denial of service), freerdp (MBS2.0: two vulnerabilities), gcc (MBS2.0: code execution), git (MBS2.0: code execution), glibc (MBS2.0: multiple vulnerabilities), glpi (MBS2.0: multiple vulnerabilities), grub2 (MBS2.0: code execution), gtk+3.0 (MBS2.0: screen lock bypass), icu (MBS2.0: multiple vulnerabilities), ipython (MBS2.0: code execution), jasper (MBS2.0: multiple vulnerabilities), jython (MBS2.0: code execution), libarchive (MBS1.0, MBS2.0: directory traversal), libtiff (MBS1.0: multiple vulnerabilities), libxfont (MBS1.0: multiple vulnerabilities), setup (MBS2.0: information disclosure), tcpdump (MBS1.0: multiple vulnerabilities), and wireshark (MBS1.0: multiple vulnerabilities).
openSUSE has updated freetype2 (13.2, 13.1: many vulnerabilities), gnutls (13.2, 13.1: certificate algorithm consistency checking issue), and rubygem-bundler (13.2, 13.1: installs malicious gem files).
Red Hat has updated kernel-rt (RHE MRG for RHEL6: two vulnerabilities), libxml2 (RHEL7: denial of service), and postgresql (RHEL6, RHEL7: multiple vulnerabilities).
Scientific Linux has updated libxml2 (SL7: denial of service) and postgresql (SL6, SL7: multiple vulnerabilities).
A massive weekend security update pile
The pile of security updates has gotten deep enough that it makes sense to shove them out now. The biggest pile is seemingly Mandriva catching up on numerous updates for its Mandriva Business Server (MBS) line of products.
Debian has updated batik (unauthorized file access), binutils (code execution), dulwich (code execution), libxfont (privilege escalation), php5 (fix regression from previous update), shibboleth-sp2 (denial of service), and xerces-c (denial of service).
Fedora has updated kernel (F21: code execution), mongodb (F21: denial of service), python-requests (F21: cookie stealing), python-urllib3 (F21: cookie stealing), strongswan (F20, F21: denial of service), and webkitgtk4 (F21: late certificate verification).
Mageia has updated docuwiki (cross-site scripting), drupal (authentication bypass), krb5 (denial of service), python-requests (cookie stealing), setup (incorrect file protections), and wireshark (dissector issues).
Mandriva has updated apache (MBS2: 11 CVEs), apache-mod_security (MBS2: restriction bypass), cifs-utils (MBS2: code execution), cups (MBS2: six CVEs), cups-filters (MBS2: nine CVEs), curl (MBS2: seven CVEs), dovecot (MBS2: denial of service), egroupware (MBS2: code execution), elfutils (MBS2: code execution), emacs (MBS2: symbolic link vulnerability), freetype2 (MBS2: 21 CVEs), gnupg (MBS1, MBS2: five CVEs), gnutls (MBS2: five CVEs), imagemagick (MBS2: five CVEs), jbigkit (MBS2: code execution), json-c (MBS2: denial of service), krb5 (MBS1-2: five CVEs), lcms2 (MBS2: denial of service), libcap-ng (MBS2: privilege escalation), libgd (MBS2: denial of service), libevent (MBS2: code execution), libjpeg (MBS2: code execution), libksba (MBS2: denial of service), liblzo (MBS2: code execution), libpng (MBS2: memory overwrite), libpng12 (MBS2: three 2013 CVEs), libsndfile (MBS2: code execution), libssh (MBS2: information disclosure and denial of service), libssh2 (MBS1, MBS2: MITM vulnerability), libtasn1 (MBS2: denial of service), libtiff (MBS2: six CVEs), libvirt (MBS1, MBS2: denial of service and information leak), libvncserver (MBS2: six CVEs), libxfont (MBS2: six CVEs), libxml2 (MBS2: denial of service), lua (MBS2: code execution), mariadb (MBS2: uncountable unexplained CVEs), mpfr (MBS2: code execution), mutt (MBS2: denial of service), net-snmp (MBS2: denial of service), nginx (MBS2: code execution), nodejs (MBS2: multiple unspecified vulnerabilities), not-yet-commons-ssl (MBS2: MITM vulnerability), ntp (MBS2: six CVEs), openldap (MBS1, MBS2: denial of service), openssh (MBS2: restriction and authentication bypass), openvpn (MBS2: denial of service), patch (MBS2: file overwrite), pcre (MBS2: denial of service), perl (MBS2: denial of service), php (MBS1, MBS2: lots of vulnerabilities), postgresql (MBS2: twelve CVEs), ppp (MBS2: privilege escalation), pulseaudio (MBS2: denial of service), python-django (MBS2: five CVEs), python-pillow (MBS2: five CVEs), python-requests (MBS2: cookie stealing), php-ZendFramework (MBS2: eight CVEs), python (MBS2: seven CVEs), python3 (MBS2: five CVEs), python-lxml (MBS2: code injection), python-numpy (MBS2: temporary file vulnerability), readline (MBS2: symbolic link vulnerability), rsync (MBS2: denial of service), rsyslog (MBS2: denial of service), ruby (MBS2: denial of service), samba (MBS1, MBS2: code execution and more), samba4 (MBS2: code execution), sendmail (MBS2: file descriptor access), serf (MBS2: MITM vulnerability), squid (MBS2: five CVEs), stunnel (MBS2: private key disclosure), subversion (MBS2: five CVEs), sudo (MBS2: file disclosure), tcpdump (MBS2: seven CVEs), tomcat (MBS2: eight CVEs), torque (MBS2: kill arbitrary processes), udisks2 (MBS2: code execution), unzip (MBS2: code execution), util-linux (MBS2: command injection), wpa_supplicant (MBS2: command execution), wget (MBS2: symbolic link vulnerability), x11-server (MBS2: thirteen CVEs), and xlockmore (MBS2: lock bypass).
openSUSE has updated mercurial (command injection).
SUSE has updated firefox (SLES10-11: code execution) and mysql (SLES11: 33 vulnerabilities).
[$] Mailman 3.0 to modernize mailing lists
More than a decade after its last major rewrite, the GNU Mailman mailing list manager project aims to release its 3.0 suite in April, during the sprints following PyCon North America. Mailman 3 is a major rewrite that includes a new user membership system, a REST API, an archiver replacement for Pipermail, and a better web interface for subscriptions and settings — but it carries with it a few new dependencies as well. Brave system administrators can try out the fifth beta version now. Subscribers can click below for the full story from next week's edition.
Two fresh stable kernels
Hot on the heels of yesterday's 3.19.3 release, Greg Kroah-Hartman has released kernels 3.14.37 and 3.10.73. Each contains a bevy of updates and fixes.
Friday's security updates
CentOS has updated setroubleshoot (C6; C7: privilege escalation).
Debian has updated batik (information leak).
Fedora has updated dokuwiki (F20; F21; F22: access control bypass), drupal7 (F22: multiple vulnerabilities), drupal7-views (F20; F21: multiple vulnerabilities), ettercap (F20; F21: multiple vulnerabilities), mingw-xerces-c (F22: denial of service), nx-libs (F20; F21: multiple vulnerabilities), php (F22: multiple vulnerabilities), and xerces-c (F22: denial of service).
Mandriva has updated cabextract (BS1,2: multiple vulnerabilities), cpio (BS1: multiple vulnerabilities; BS2: directory traversal), e2fsprogs (BS1; BS2: multiple vulnerabilities), and openssl (BS1; BS2: multiple vulnerabilities).
openSUSE has updated libXfont (13.1, 13.2: multiple vulnerabilities), libzip (13.1, 13.2: denial of service), and tcpdump (13.1, 13.2: multiple vulnerabilities).
Oracle has updated ipa and slapi-nis (O7: multiple vulnerabilities), kernel (O7: multiple vulnerabilities), and setroubleshoot (O5; O6; O7: privilege escalation).
Red Hat has updated ipa, slapi-nis (RHEL7: multiple vulnerabilities), kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), and setroubleshoot (RHEL5,6,7: privilege escalation).
Scientific Linux has updated ipa and slapi-nis (SL7:), kernel (SL7: multiple vulnerabilities), and setroubleshoot (SL5,6,7: privilege escalation).
SUSE has updated Xen (SLE12: multiple vulnerabilities).
A new stable kernel release
Greg Kroah-Hartman has announced the release of the 3.19.3 kernel. A variety of important fixes and updates are included.
Thursday's security updates
CentOS has updated firefox (C6; C7: multiple vulnerabilities). openSUSE has updated firefox (13.1, 13.2: multiple vulnerabilities). Oracle has updated firefox (O5: multiple vulnerabilities). Scientific Linux has updated 389-ds-base (SL7: multiple vulnerabilities), firefox (multiple vulnerabilities), freetype (SL6,7: multiple vulnerabilities), glibc (SL7: multiple vulnerabilities), GNOME Shell (SL7: lock screen bypass), hivex (SL7: privilege escalation), httpd (SL7: multiple vulnerabilities), ipa (SL7: multiple vulnerabilities), kernel (SL7: multiple vulnerabilities), krb5 (SL7: multiple vulnerabilities), libreoffice (SL7: multiple vulnerabilities), libvirt (SL7: multiple vulnerabilities), openssh (SL7: multiple vulnerabilities), openssl (SL6; SL7: multiple vulnerabilities), pcre (SL7: information leak), qemu-kvm (SL7: multiple vulnerabilities), unzip (SL6,7: multiple vulnerabilities), and virt-who (SL7: information leak).
[$] LWN.net Weekly Edition for March 26, 2015
The LWN.net Weekly Edition for March 26, 2015 is available.
[$] Development activity in LibreOffice and OpenOffice
The LibreOffice project was announced with great fanfare in September 2010. Nearly one year later, the OpenOffice.org project (from which LibreOffice was forked) was cut loose from Oracle and found a new home as an Apache project. It is fair to say that the rivalry between the two projects in the time since then has been strong. Predictions that one project or the other would fail have not been borne out, but that does not mean that the two projects are equally successful. A look at the two projects' development communities reveals some interesting differences. Click below (subscribers only) for the full article.
Security advisories for Wednesday
Debian has updated openssl (regression in previous update) and python-django (cross-site scripting). Debian-LTS has updated gnutls26 (multiple vulnerabilities). openSUSE has updated less (13.2, 13.1: information leak) and tor (13.2, 13.1: denial of service). Oracle has updated firefox (OL7; OL6: multiple vulnerabilities). SUSE has updated firefox (SLE11 SP3: multiple vulnerabilities). Ubuntu has updated batik (14.10, 14.04, 12.04: information leak) and libarchive (14.10, 14.04, 12.04: directory traversal).
GNOME 3.16 released
The GNOME 3.16 release is out. "This is another exciting release for GNOME, and brings many new features and improvements, including redesigned notifications, a new shell theme, new scrollbars, and a refresh for the file manager. 3.16 also includes improvements to the Image Viewer, Music, Photos and Videos. We are also including three new preview apps for the first time: Books, Calendar and Characters." See the release notes for more information.
LibreOffice Online announced
The LibreOffice project has announced the accelerated development of a new online offering. "Development of LibreOffice Online started back in 2011, with the availability of a proof of concept of the client front end, based on HTML5 technology. That proof of concept will be developed into a state of the art cloud application, which will become the free alternative to proprietary solutions such as Google Docs and Office 365, and the first to natively support the Open Document Format (ODF) standard." The current effort is supported by IceWarp and Collabora; see this FAQ and Michael Meeks's posting for more information. For those wanting to download it, though, note that "the availability of LibreOffice Online will be communicated at a later stage."
A Turing award for Michael Stonebraker
The ACM has announced that the 2014 A. M. Turing award has gone to Michael Stonebraker. Among many other things, he was the original creator of the database management system now known as PostgreSQL.
FSFE: Worldwide more than 50 events about Open Standards
The Free Software Foundation Europe has a reminder that Document Freedom Day is happening from March 24 12:00 UTC until March 26 12:00 UTC. "Document Freedom Day is the global campaign for document liberation by local groups throughout the world. So far more than 50 groups registered their events in over 25 countries ranging from Asia, Europe, Africa, to South and North America."
Two microconferences accepted for the Linux Plumbers Conference
The 2015 Linux Plumbers Conference (LPC) has announced that two microconferences have been accepted for the event, which will be held August 19-21 in Seattle. The Checkpoint/Restart and Energy-aware scheduling and CPU power management microconferences will be held at LPC. Registration for the conference will open on March 27 and it will be co-located with LinuxCon North America, which will be held August 17-19.