Day 7 in the ongoing Perl 6 advent calendar is concerned with how the language handles Unicode. "However, Perl 6 does this work for you, keeping track of these collections of codepoints internally, so that you just have to think in terms of what you would see the characters as. If you’ve ever had to dance around with substring operations to make sure you didn’t split between a letter and a diacritic, this will be your happiest day in programming."
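The pitfall the advent post describes is easy to reproduce outside Perl 6. The following is an added illustration, not code from the advent calendar or the Perl 6 project: a deliberately simplified grapheme splitter (combining marks and ZWJ sequences only; Hangul jamo and regional-indicator pairs are not handled) beside the naive codepoint slice that strands a diacritic. The sample strings are constructed for the example.

```python
import unicodedata

ZWJ = "\u200d"  # ZERO WIDTH JOINER, glues emoji sequences together


def extends_previous(ch: str) -> bool:
    """True for codepoints that attach to the preceding base character.

    Covers combining marks (Unicode categories Mn, Mc, Me) and the ZWJ.
    This is a simplified stand-in for the extended grapheme cluster rules,
    not a full implementation (assumption: good enough for this demo).
    """
    return unicodedata.category(ch).startswith("M") or ch == ZWJ


def graphemes(text: str) -> list:
    """Split text into user-perceived characters instead of codepoints."""
    clusters = []
    for ch in text:
        if clusters and (extends_previous(ch) or clusters[-1].endswith(ZWJ)):
            clusters[-1] += ch
        else:
            clusters.append(ch)
    return clusters


def truncate_codepoints(text: str, n: int) -> str:
    """Naive truncation: can cut between a letter and its diacritic."""
    return text[:n]


def truncate_graphemes(text: str, n: int) -> str:
    """Grapheme-aware truncation: never leaves a combining mark behind."""
    return "".join(graphemes(text)[:n])


# Constructed sample inputs (not from the page): "cafe" followed by a
# decomposed U+0301 COMBINING ACUTE ACCENT, and a family emoji that is
# three emoji joined by ZWJ.
DECOMPOSED = "cafe\u0301"
FAMILY = "\U0001F468\u200d\U0001F469\u200d\U0001F467"

if __name__ == "__main__":
    print(len(DECOMPOSED), len(graphemes(DECOMPOSED)))   # 5 codepoints, 4 graphemes
    print(repr(truncate_codepoints(DECOMPOSED, 4)))     # accent lost
    print(repr(truncate_graphemes(DECOMPOSED, 4)))      # accent kept
    print(len(FAMILY), len(graphemes(FAMILY)))          # 5 codepoints, 1 grapheme
```

The security-relevant consequence is that a length check or a truncation done on codepoints (or worse, on bytes) does not agree with what the user sees; a display name, filename or log field cut at the wrong place can change meaning or drop the mark that distinguishes two identifiers.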
The 4.4-rc4 prepatch is out. "Another week, another rc. We had a few more commits than last week (mostly due to the networking fixes merge), but on the whole it's been pretty calm."
The OpenSSL project has released versions 0.9.8zh, 1.0.0t, 1.0.1q, and 1.0.2e with fixes for a number of "moderate" security issues. The announcement also notes that this will be the last update for the 0.9.8 and 1.0.0 branches, so users of those versions are advised to upgrade.
Version 2.1.10 of the GNU Privacy Guard is out. There are a number of new features in this release; they include a trust-on-first-use key acceptance mechanism and the ability to fetch public keys anonymously via Tor.
Debian has updated openssl (multiple vulnerabilities) and redis (denial of service).
Debian-LTS has updated openssl (memory leak).
openSUSE has updated cyrus-imapd (13.1: integer overflow), LibVNCServer (Leap 42.1: multiple vulnerabilities), and python-django (13.2, 13.1: information leak).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and openshift (RHOSE3.0, 3.1: information leak).
SUSE has updated java-1_6_0-ibm (SLE12: multiple vulnerabilities), java-1_7_1-ibm (SLE11: multiple vulnerabilities), and kernel (SLE12: multiple vulnerabilities).
This lengthy paper from Phillip Rogaway tries to describe the moral responsibilities of the cryptographic community — responsibilities that, he believes, that community has failed to live up to. Worth a read. "We need to erect a much expanded commons on the Internet. We need to realize popular services in a secure, distributed, and decentralized way, powered by free software and free/open hardware. We need to build systems beyond the reach of super-sized companies and spy agencies. Such services must be based on strong cryptography. Emphasizing that prerequisite, we need to expand our cryptographic commons."
On his blog, Lubomir Rintel discusses IPv6 privacy issues and how they are being handled by NetworkManager. "Creation of a privacy stable address relies on a pseudo-random key that’s only known to the host itself and never revealed to other hosts in the network. This key is then hashed using a cryptographically secure algorithm along with values specific for a particular network connection. It includes an identifier of the network interface, the network prefix and possibly other values specific to the network such as the wireless SSID. The use of the secret key makes it impossible to predict the resulting address for the other hosts while the network-specific data causes it to be different when entering a different network. This also solves the duplicate address problem nicely. The random key makes collisions unlikely. If, in spite of this, a collision occurs then the hash can be salted with a DAD failure counter and a different address can be generated instead of failing the network connectivity. Now that’s clever."
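The construction Rintel describes (secret key, interface, prefix, network identifier, DAD counter, all fed through a hash) is the one standardized in RFC 7217. The block below is an added example in that spirit and is not NetworkManager's or the kernel's code: HMAC-SHA256 is an assumed choice of pseudo-random function, each input is length-prefixed so that no two input combinations can produce the same hash message, and `choose_address` shows the DAD-counter retry. The secret, prefixes and SSIDs are constructed for the example; a real host would generate the secret with a CSPRNG once and store it.

```python
import hashlib
import hmac
import ipaddress


def _encode(parts) -> bytes:
    """Length-prefix every input so (b"ab", b"c") and (b"a", b"bc") differ."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def stable_iid(secret_key: bytes, prefix: ipaddress.IPv6Network, iface: str,
               network_id: bytes = b"", dad_counter: int = 0) -> bytes:
    """Derive a 64-bit interface identifier from a per-host secret.

    Illustrative rendering of RFC 7217's F(prefix, iface, network_id,
    dad_counter, secret).  HMAC-SHA256 is an assumption made here; real
    implementations pick their own PRF.
    """
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    msg = _encode([
        prefix.network_address.packed[:8],
        iface.encode(),
        network_id,
        dad_counter.to_bytes(4, "big"),
    ])
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def stable_address(secret_key, prefix, iface, network_id=b"", dad_counter=0):
    """Prefix (64 bits) + derived interface identifier (64 bits)."""
    iid = stable_iid(secret_key, prefix, iface, network_id, dad_counter)
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def choose_address(secret_key, prefix, iface, network_id, in_use, max_retries=3):
    """Pick an address, bumping the DAD counter on each detected collision.

    `in_use` stands in for what Duplicate Address Detection would report.
    """
    for counter in range(max_retries + 1):
        candidate = stable_address(secret_key, prefix, iface, network_id, counter)
        if candidate not in in_use:
            return candidate
    raise RuntimeError("DAD failed %d times, giving up" % (max_retries + 1))


# Constructed sample inputs (not from the page).  A real secret comes from
# os.urandom(32), generated once and persisted.
SECRET = bytes(range(32))
HOME_NET = ipaddress.IPv6Network("2001:db8:1::/64")
CAFE_NET = ipaddress.IPv6Network("2001:db8:2::/64")

if __name__ == "__main__":
    home = stable_address(SECRET, HOME_NET, "wlan0", b"HomeWiFi")
    cafe = stable_address(SECRET, CAFE_NET, "wlan0", b"CafeWiFi")
    print("home :", home)
    print("cafe :", cafe)
    print("after DAD failure:", choose_address(SECRET, HOME_NET, "wlan0", b"HomeWiFi", {home}))
```

Two properties matter here and both are checked by the inputs above: the same host on the same network always gets the same address (stable), and nothing in the two addresses lets an observer on one network link them to the same host on the other (opaque), because the interface identifier depends on the secret.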
PHP 7 has been released. Along with some new language features, the biggest change is said to be much better performance and reduced memory use. "PHP 7.0 brings you unprecedented levels of real-world performance and throughput by utilizing the new and advanced Zend Engine 3.0, designed and refactored for speed and reduced memory consumption. This translates to real-world benefits: greatly decreased response times, superior user experiences, and the ability to serve more users with fewer servers to maximize the power of your PHP 7.0 deployment." We looked at the new features in PHP 7 in an article in this week's edition.
The Electronic Frontier Foundation has announced the public beta test of the Let's Encrypt initiative, which aims to make encrypted web traffic the norm. "There are a number of flaws in the CA system, but when it comes to encrypting the Web, two in particular stand out: cost and difficulty. Most CAs today charge for certificates. While some are very cheap, every dollar of expense means a large swath of people who can't afford to host a secure website. The larger barrier, though, is difficulty. Once someone has purchased a certificate, they need to install it on their website, a time consuming and error-prone process that requires significant technical skill, which is a cost in itself. Let's Encrypt is not only free but also automated, in order to make HTTPS encryption more accessible than ever."
CentOS has updated jakarta-commons-collections (C6: code execution) and libreport (C6: information leak).
Debian has updated cups-filters (code execution).
Fedora has updated keepass (F22: password locking options removed) and thunderbird (F23: multiple vulnerabilities).
Slackware has updated libpng (two vulnerabilities) and mozilla (multiple vulnerabilities).
Ubuntu has updated linux-lts-trusty (12.04: two vulnerabilities), openjdk-6 (12.04: multiple vulnerabilities), and qemu (multiple vulnerabilities).
While the event had a certain amount of drama surrounding it, the announcement of the end for the Debian Live project seems likely to have less of an impact than it first appeared. The loss of the lead developer will certainly be felt—and the treatment he and the project received seems rather baffling—but the project looks like it will continue in some form. So Debian will still have tools to create live CDs and other media going forward, but what appears to be a long-simmering dispute between project founder and leader Daniel Baumann and the Debian CD and installer teams has been "resolved", albeit in an unfortunate fashion. Subscribers can click below for the full story from this week's Distributions page.
Arch Linux has updated chromium (multiple vulnerabilities).
Debian has updated gnutls26 (padding oracle attack), icedove (multiple vulnerabilities), and putty (memory corruption).
Fedora has updated putty (F23; F22: memory corruption).
openSUSE has updated dracut (Leap42.1: multiple issues) and znc (SPH for SLE12; Leap42.1: denial of service).
SUSE has updated dhcpcd (SLE11SP2,3,4: multiple vulnerabilities), java-1_6_0-ibm (SLE11SP3: multiple vulnerabilities), and java-1_7_1-ibm (SLE12: multiple vulnerabilities).
Ubuntu has updated kernel (14.04: denial of service) and linux-lts-utopic (14.04: denial of service).
CryptoPeak Solutions is suing many tech and retail giants, claiming their HTTPS websites infringe an encryption patent titled "Auto-Escrowable and Auto-Certifiable Cryptosystems". Ars Technica reports: "The latest batch of cases was lodged November 25. The cases name AT&T, Costco, Expedia, GoPro, Groupon, Netflix, Pinterest, Shutterfly, Starwood Hotels, Target, and Yahoo, among others. All the lawsuits include virtually identical language. "Defendant has committed direct infringement by its actions that comprise using one or more websites that utilize Elliptic Curve Cryptography (“ECC”) Cipher Suites for the Transport Layer Security (“TLS”) protocol (the “Accused Instrumentalities”)," according to the lawsuits."
Mozilla leader Mitchell Baker has announced that the Thunderbird email client project will, eventually, be spun out of Mozilla. "Therefore I believe Thunderbird would thrive best by separating itself from reliance on Mozilla development systems and in some cases, Mozilla technology. The current setting isn’t stable, and we should start actively looking into how we can transition in an orderly way to a future where Thunderbird and Firefox are un-coupled."
Debian-LTS has updated imagemagick (denial of service), libsndfile (multiple vulnerabilities), libxml2 (multiple vulnerabilities), and nss (code execution).
Fedora has updated abrt (F23: two vulnerabilities), mingw-libpng (F23; F22; F21: denial of service), python-pycurl (F22: use-after-free vulnerability), and seamonkey (F21: multiple vulnerabilities).
Mageia has updated lightdm (denial of service), python-cryptography (denial of service), and thunderbird (multiple vulnerabilities).
openSUSE has updated cyrus-imapd (Leap42.1, 13.2: two vulnerabilities), ffmpeg (Leap42.1: multiple vulnerabilities), GnuPG (13.2, 13.1: two vulnerabilities), libksba (Leap42.1: denial of service), libpng12 (Leap42.1: two vulnerabilities), libpng16 (Leap42.1: denial of service), libsndfile (Leap42.1: multiple vulnerabilities), ppp (Leap42.1, 13.2, 13.1: denial of service), and virtualbox (13.1: two vulnerabilities).
Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and thunderbird (OL7; OL6: multiple vulnerabilities).
Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).
Matthew Garrett argues that meritocracy does not work as intended in development communities. "When people criticise meritocracy, they're not criticising the concept of treating contributions based on their merit. They're criticising the idea that humans are sufficiently self-aware that they will be able to identify and reject every subconscious prejudice that will affect their treatment of others. It's not a criticism of a desirable goal, it's a criticism of a flawed implementation."
The 4.4-rc3 kernel prepatch is out for testing. "I don't think there's anything particularly exciting, although that obviously depends on whether some particular issue ended up affecting you or not. Most of it is pretty tiny random fixups."
The 2015 Ubuntu Community Council (CC) elections have been concluded. The results of the vote, as announced on the Ubuntu Fridge blog, are the seven individuals who will serve on the CC for the next two years: Daniel Holbach, Laura Czajkowski, Svetlana Belkin, Michael Hall, Scarlett Clark, C de-Avillez, and Marco Ceppi. A detailed account of the ballot results, complete with links to each candidate's biographical page, is also online.
Happy Thanksgiving to those who celebrate it, from all of us here at LWN. Happy November 26 to everyone else :)
Debian has updated dpkg (code execution), nspr (code execution), python-django (information disclosure), and smokeping (code execution).
Debian-LTS has updated eglibc (two vulnerabilities), python-django (information disclosure), and redmine (multiple vulnerabilities).
Fedora has updated abrt (F21: information disclosure), jenkins (F22: three vulnerabilities), jenkins-remoting (F22: three vulnerabilities), and libreport (F21: information disclosure).
openSUSE has updated libpng12 (13.2, 13.1: two vulnerabilities), libpng16 (13.2, 13.1: denial of service), and strongswan (authentication bypass).
Oracle has updated abrt and libreport (OL7: multiple vulnerabilities), glibc (OL7; OL7: multiple vulnerabilities), kernel (OL7: multiple vulnerabilities), NetworkManager (OL7: denial of service), sssd (OL7: unspecified), and tigervnc (OL7: two vulnerabilities).
Red Hat has updated git19-git (RHSC2: code execution), java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities), ntp (RHEL6: denial of service), and thunderbird (multiple vulnerabilities).
SUSE has updated kernel (SLE11SP3: multiple vulnerabilities).
Ubuntu has updated dpkg (code execution) and openjdk-7 (15.10, 15.04, 14.04: unspecified vulnerability).
Software Freedom Conservancy has announced a major fundraising effort. "Pointing to the difficulty of relying on corporate funding while pursuing important but controversial issues, like GPL compliance, Conservancy has structured its fundraiser to increase individual support. The organization needs at least 750 annual Supporters to continue its basic community services and 2500 to avoid hibernating its enforcement efforts. If Conservancy does not meet its goals, it will be forced to radically restructure and wind down a substantial portion of its operations."
Debian has updated libcommons-collections3-java (unsanitized input data) and symfony (two vulnerabilities).
Debian-LTS has updated putty (memory corruption).
Fedora has updated grub2 (F23: Secure Boot circumvention), krb5 (F21: multiple vulnerabilities), libpng10 (F23; F22; F21: two vulnerabilities), sblim-sfcb (F23; F22; F21: denial of service), and wpa_supplicant (F22: denial of service).
Slackware has updated pcre (code execution).
SUSE has updated linux-3.12.32 (SLELP12: two vulnerabilities), linux-3.12.36 (SLELP12: two vulnerabilities), linux-3.12.38 (SLELP12: two vulnerabilities), linux-3.12.39 (SLELP12: two vulnerabilities), linux-3.12.43 (SLELP12: two vulnerabilities), linux-3.12.44 (SLELP12: two vulnerabilities), and linux-3.12.44 (SLELP12: two vulnerabilities).
Ubuntu has updated icedtea-web (15.10, 15.04, 14.04: applet execution) and python-django (15.10, 15.04, 14.04, 12.04: information disclosure).
RAID5 support in the MD driver has been part of mainline Linux since 2.4.0 was released in early 2001. During this time it has been used widely by hobbyists and small installations, but there has been little evidence of any impact on the larger or "enterprise" sites. Anecdotal evidence suggests that such sites are usually happier with so-called "hardware RAID" configurations where a purpose-built computer, whether attached by PCI or fibre channel or similar, is dedicated to managing the array. This situation could begin to change with the 4.4 kernel, which brings some enhancements to the MD driver that should make it more competitive with hardware-RAID controllers.
Red Hat has announced the release of Red Hat Enterprise Linux 7.2. "New features and capabilities focus on security, networking, and system administration, along with a continued emphasis on enterprise-ready tooling for the development and deployment of Linux container-based applications. In addition, Red Hat Enterprise Linux 7.2 includes compatibility with the new Red Hat Insights, an add-on operational analytics offering designed to increase IT efficiency and reduce downtime through the proactive identification of known risks and technical issues."
Martin Gräßlin looks at the security of the Plasma desktop running under Wayland; it's better than X11, but with some ground yet to cover. "Now imagine you want to write a key logger in a Plasma/Wayland world. How would you do it? I asked myself this question recently, thought about it, found a possible solution and had a key logger in less than 10 minutes: ouch."
This Libre Graphics World article looks at the challenges faced by the 20-year-old GIMP project. "If you've been following GIMP's progress over recent years, you couldn't help yourself noticing the decreasing activity in terms of both commits (a rather lousy metric) and amount of participants (a more sensible one). 'GIMP is dying', say some. 'GIMP developers are slacking', say others. 'You've got to go for crowdfunding' is yet another popular notion. And no matter what, there's always a few whitebearded folks who would blame the team for not going with changes from the FilmGIMP branch. So what's actually going on and what's the outlook for the project?"
The second 4.4 prepatch is out for testing. Linus says: "Things are looking fairly normal in 4.4-land, with no huge surprises in rc2. There were a couple of late features: parisc hugepage support and some late slub bulk allocator patches were not only merged at the end of the week, but they strictly speaking should have been merge window things."
Lennart Poettering introduces the sd-event API for the implementation of event loops. "sd-event.h, of course, is not the first event loop API around, and it doesn't implement any really novel concepts. When we started working on it we tried to do our homework, and checked the various existing event loop APIs, maybe looking for candidates to adopt instead of doing our own, and to learn about the strengths and weaknesses of the various implementations existing. Ultimately, we found no implementation that could deliver what we needed, or where it would be easy to add the missing bits: as usual in the systemd project, we wanted something that allows us access to all the Linux-specific bits, instead of limiting itself to the least common denominator of UNIX."
Matthew Garrett continues his campaign against Canonical's "intellectual property rights policy". "The reality is that if Debian had had an identical policy in 2004, Ubuntu wouldn't exist. The effort required to strip all Debian trademarks from the source packages would have been immense, and this would have had to be repeated for every release. While this policy is in place, nobody's going to be able to take Ubuntu and build something better."
The Pitivi 0.95 release is out, bringing a lot of changes to this longstanding video editor project. "This one packs a lot of bugfixes and architectural work to further stabilize the GES backend. In this blog post, I’ll give you an overview of the new and interesting stuff this release brings, coming out from a year of hard work. It’s pretty epic and you’re in for a few surprises, so I suggest listening to this song while you’re reading this blog post."
The "Detectify Labs" site has put up a lengthy analysis of the user tracking taking place in many Chrome browser extensions. "Google, claiming that Chrome is the safest web browser out there, is actually making it very simple for extensions to hide how aggressively they are tracking their users. We have also discovered exactly how intrusive this sort of tracking actually is and how these tracking companies actually do a lot of things trying to hide it. Due to the fact that the gathering of data is made inside an extension, all other extensions created to prevent tracking (such as Ghostery) are completely bypassed." At the end they note that the situation with Firefox is not a whole lot better.
Version 7 of the Nmap security scanner has been released. "It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever."
Brian Warner talks about why Samsung has an open-source group in this Linux.com article. "If you want the full economic and technical benefit of consuming open source, you hire people who are already influential in the projects that matter to you. You then ask them to continue doing exactly what they do: write great code, manage great releases, and contribute to the overall stability of the project. This is the single best way to ensure stability and predictability in your software supply chain."
Arch Linux has updated jenkins (multiple vulnerabilities).
Debian-LTS has updated libpng (multiple vulnerabilities) and openafs (multiple vulnerabilities).
Fedora has updated cyrus-imapd (F22: information disclosure) and pdns (F22: denial of service).
openSUSE has updated dracut (13.2: unspecified vulnerability) and putty (Leap42.1, 13.2, 13.1: memory corruption).
Red Hat has updated nss, nss-util, nspr (RHEL6.2, 6.4, 6.5, 6.6: code execution).
Ubuntu has updated lxcfs (15.10, 15.04: privilege escalation).
Microsoft has announced that its Visual Studio Code tool is now available under the MIT license. "Code combines the streamlined UI of a modern editor with rich code assistance and navigation, and an integrated debugging experience – without the need for a full IDE." The code for Code can be found in its GitHub repository.
One of the many weak links in Internet security is the domain name system (DNS); it is subject to attacks that, among other things, can mislead applications regarding the IP address of a system they wish to connect to. That, in turn, can cause connections to go to the wrong place, facilitating man-in-the-middle attacks and more. The DNSSEC protocol extensions are meant to address this threat by setting up a cryptographically secure chain of trust for DNS information. When DNSSEC is set up properly, applications should be able to trust the results of domain lookups. As the discussion over an attempt to better integrate DNSSEC into the GNU C Library shows, though, ensuring that DNS lookups are safe is still not a straightforward problem.
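One concrete reason it is not straightforward: a validating recursive resolver reports a successful DNSSEC validation to its clients only by setting the AD ("authentic data") bit in the response header, and nothing protects that bit on the last hop between the resolver and a stub such as the one in the C library. The block below is an added example, not glibc code and not part of the discussion the page links to: it parses the header flags from a constructed response and treats AD as evidence only when the resolver is on the local host. The sample packets are built inline, not captured traffic.

```python
import ipaddress
import struct

# Flag bits of the second 16-bit word in a DNS header (RFC 1035; AD and CD
# from the DNSSEC specifications).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
AD, CD = 0x0020, 0x0010          # Authentic Data / Checking Disabled
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "response": bool(flags & QR),
        "authentic_data": bool(flags & AD),
        "checking_disabled": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def answer_is_validated(packet: bytes, resolver_ip: str) -> bool:
    """Return True only if the AD bit can actually be believed.

    AD says the *resolver* validated the chain of trust.  Between that
    resolver and this stub the bit is plain text, so it is only evidence
    when the resolver runs on the local host.  (An authenticated channel to
    a remote resolver would also do; this function does not model that,
    which is an assumption of the example.)
    """
    hdr = parse_header(packet)
    local = ipaddress.ip_address(resolver_ip).is_loopback
    return (hdr["response"] and hdr["rcode"] == RCODE_NOERROR
            and hdr["authentic_data"] and local)


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Helper to construct sample headers for the example."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed sample responses: the same reply with and without AD set, and
# the SERVFAIL a validating resolver returns when validation fails.
VALIDATED_REPLY = build_header(0x1234, QR | RD | RA | AD)
UNVALIDATED_REPLY = build_header(0x1234, QR | RD | RA)
BOGUS_REPLY = build_header(0x1234, QR | RD | RA | RCODE_SERVFAIL, an=0)

if __name__ == "__main__":
    for name, pkt in [("validated", VALIDATED_REPLY),
                      ("unvalidated", UNVALIDATED_REPLY),
                      ("bogus", BOGUS_REPLY)]:
        print(name, parse_header(pkt),
              "trust via 127.0.0.1:", answer_is_validated(pkt, "127.0.0.1"),
              "trust via 192.0.2.53:", answer_is_validated(pkt, "192.0.2.53"))
```

Note the asymmetry: a validating resolver answers SERVFAIL for data that fails validation (unless the client set CD), so a missing AD bit on a NOERROR answer means "unsigned or unvalidated", not "forged". Either way an application that wants DNSSEC guarantees has to know which resolver it is talking to and how, which is exactly the difficulty the glibc discussion turns on.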
Red Hat has announced the availability of Red Hat Software Collections 2.1. Red Hat Developer Toolset 4 was also released. "Applications built with Red Hat Software Collections can be deployed into production with greater confidence, as most software collections and components are supported for three years. In addition to Red Hat Enterprise Linux 6 and 7, applications built with Red Hat Software Collections can also be deployed to Red Hat Enterprise Linux Atomic Host and OpenShift, Red Hat’s Platform-as-a-Service (PaaS) offering, giving more choice and flexibility for application portfolios."
Arch Linux has updated lib32-libpng (two vulnerabilities) and libpng (two vulnerabilities).
CentOS has updated xen (C5: code execution).
Fedora has updated cyrus-imapd (F23: information disclosure), pdns (F23: denial of service), python-pygments (F23: shell execution), and webkitgtk4 (F23: two vulnerabilities).
Gentoo has updated adobe-flash (multiple vulnerabilities).
Mageia has updated chromium-browser-stable (information leak), iceape (multiple vulnerabilities), krb5 (code execution), and mariadb (multiple vulnerabilities).
openSUSE has updated xen (13.2: multiple vulnerabilities).
Oracle has updated xen (OL5: code execution).
Red Hat has updated xen (RHEL5: code execution).
Scientific Linux has updated xen (SL5: code execution).
SUSE has updated krb5 (SLEDebuginfo11SP3: denial of service).
Ubuntu has updated libxml2 (multiple vulnerabilities) and strongswan (15.10, 15.04, 14.04: authentication bypass).
Linus has released the 4.4-rc1 prepatch and closed the merge window for this cycle. "Just looking at the patch itself, things look fairly normal at a high level, possibly a bit more driver-heavy than usual with about 75% of the patch being drivers, and 10% being architecture updates. The remaining 15% is documentation, filesystem, core networking (as opposed to network drivers), tooling and some core infrastructure."
The basic form of the LWN site was first laid out in early 1998, with some tweaks when the site code was replaced in 2002; since then, it has been mostly static. Meanwhile, the web has moved on, leaving LWN looking increasingly dated, especially on small-screen devices. We have been working (sporadically) on a new layout for the last year and some, and many readers have helped us out by testing it. Now the time has come to switch to the new mode by default.

Hopefully, the result is a cleaner screen and much better usability on mobile devices.