LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2025-06-19 21:15
The "Clair" security scanner
CoreOS has announced the release of a container-security tool called Clair. "Clair scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the Common Vulnerabilities and Exposures database (CVE) and similar databases from Red Hat, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs."
Friday's security updates
Arch Linux has updated chromium (information leak) and putty (code execution). Debian has updated krb5 (denial of service). Fedora has updated kernel (F21: privilege escalation), openstack-ironic-discoverd (F23; F22: remote code execution), python-cryptography (F23: denial of service), python-cryptography-vectors (F23: denial of service), sddm (F22: denial of service), and wpa_supplicant (F23: denial of service). openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities). SUSE has updated MozillaFirefox, mozilla-nspr, mozilla-nss (SLE11 SP2; SLE11 SP3, SP4: multiple vulnerabilities). Ubuntu has updated krb5 (multiple vulnerabilities) and lxd (15.10: privilege escalation).
Did the FBI Pay a University to Attack Tor Users? (Tor blog)
The Tor blog is carrying a post from interim executive director Roger Dingledine that accuses Carnegie Mellon University (CMU) of accepting $1 million from the FBI to de-anonymize Tor users. "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once. Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users." Cryptographer Matthew Green has also weighed in (among others, including Forbes and Ars Technica): "If CMU really did conduct Tor de-anonymization research for the benefit of the FBI, the people they identified were allegedly not doing the nicest things. It's hard to feel particularly sympathetic. Except for one small detail: there's no reason to believe that the defendants were the only people affected."
Thursday's security advisories
Arch Linux has updated flashplugin (multiple vulnerabilities) and powerdns (denial of service). Fedora has updated lxc (F22; F21: directory traversal). Mageia has updated flash-player-plugin (multiple vulnerabilities). openSUSE has updated git (13.2, 13.1: code execution), java-1_7_0-openjdk (42.1: multiple vulnerabilities), and xen (13.1; 42.1: multiple vulnerabilities, one from 2014).
Firefox OS 2.5 developer preview
Mozilla has announced the availability of a developer preview for version 2.5 of Firefox OS. New features include an add-on mechanism, tracking protection, and more. There is also a version of the system packaged as an Android app, allowing it to be tried on an Android device without wiping Android itself. "If you’re curious to see what Firefox OS is all about, or just interested in testing out new features, the Firefox OS 2.5 Developer Preview app makes it very simple to get started with very little risk involved. By downloading the app, you can experience Firefox OS and explore many of its capabilities, without flashing hardware. If you decide you’re done trying it out, the app can be removed as simply as any other app."
[$] LWN.net Weekly Edition for November 12, 2015
The LWN.net Weekly Edition for November 12, 2015 is available.
[$] A look at darktable 2.0
The darktable project has unveiled the first release-candidate (RC) packages for its upcoming version 2.0 milestone. Darktable retains its focus as a high-end photo editor in the forthcoming release, with new features that target professional workflows and experienced users. But there are also improvements that will be appreciated by casual shutterbugs.
Security advisories for Wednesday
CentOS has updated sssd (C6: memory leak). Debian has updated wpa (multiple vulnerabilities). Fedora has updated php-udan11-sql-parser (F23; F21: content spoofing) and phpMyAdmin (F23; F21: content spoofing). Mageia has updated kernel-linus (denial of service), libreoffice (multiple vulnerabilities), putty (memory corruption), python-curl (use-after-free), and sudo (privilege escalation). Oracle has updated sssd (OL6: memory leak). Red Hat has updated flash-plugin (RHEL6; RHEL5: multiple vulnerabilities). SUSE has updated xen (SLE11SP2: multiple vulnerabilities). Ubuntu has updated linux-lts-wily (14.04: denial of service) and wpa (15.10, 15.04, 14.04: multiple vulnerabilities).
Linux Ransomware Debut Fails on Predictable Encryption Key (Bitdefender Labs)
Bitdefender Labs takes a look at Linux.Encoder.1 ransomware. "Linux.Encoder.1 is executed on the victim’s Linux box after remote attackers leverage a flaw in the popular Magento content management system app. Once executed, the Trojan looks for the /home, /root and /var/lib/mysql folders and starts encrypting their contents. Just like Windows-based ransomware, it encrypts the contents of these files using AES (a symmetric key encryption algorithm), which provides enough strength and speed while keeping system resources usage to a minimum. The symmetric key is then encrypted with an asymmetric encryption algorithm (RSA) and is prepended to the file, along with the initialization vector used by AES." Once the files are encrypted the hackers demand a fee in exchange for the RSA private key to decrypt the AES symmetric one. However, Bitdefender researchers were able to recover the AES key without having to decrypt it with the RSA private key. One can also thwart this threat with some good backups. (Thanks to Richard Moore)
Tuesday's security advisories
Debian has updated kernel (multiple vulnerabilities) and unzip (regression in previous update). Fedora has updated firefox (F21: multiple vulnerabilities), icecat (F23; F22; F21: hardened build), nspr (F21: multiple vulnerabilities), nss (F21: multiple vulnerabilities), nss-softokn (F21: multiple vulnerabilities), nss-util (F21: multiple vulnerabilities), and xen (F22; F21: multiple vulnerabilities). openSUSE has updated firefox, nspr, nss, xulrunner, seamonkey (Leap 42.1, 13.2, 13.1: multiple vulnerabilities). Red Hat has updated sssd (RHEL6: memory leak). Scientific Linux has updated sssd (SL6: memory leak). Ubuntu has updated kernel (15.10; 15.04; 14.04; 12.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), and linux-lts-vivid (14.04: denial of service).
TensorFlow released
Google has released its TensorFlow machine-learning library under the Apache 2.0 license. "TensorFlow is an open source software library for numerical computation using data flow graphs. Nodes in the graph represent mathematical operations, while the graph edges represent the multidimensional data arrays (tensors) communicated between them." For those who are unfamiliar with this type of programming, this basic MNIST tutorial gives a feel for how it works with TensorFlow.
A set of stable kernel updates
The 4.2.6, 4.1.13, 3.14.57, and 3.10.93 stable kernel updates have all been released; each contains another set of important fixes.
TPP has provision banning requirements to transfer or access source code (Knowledge Ecology International)
Knowledge Ecology International looks at Article 14.17 of the Trans-Pacific Partnership (TPP), which has a provision banning requirements to transfer or provide access to software source code. "I'm wondering how the GPL fares here, and how much money Microsoft spent lobbying to get this included in the TPP, or if the NSA has a role in this. One aspect of this provision is that governments cannot insist on source code transparency, for mass market software, even to address concerns over security or interoperability."
Security updates for Monday
Debian has updated krb5 (multiple vulnerabilities). Debian-LTS has updated krb5 (multiple vulnerabilities) and php5 (multiple vulnerabilities). Fedora has updated git (F22: code execution), ipsilon (F23; F22; F21: denial of service), krb5 (F23: unspecified vulnerability), php-ZendFramework (F23; F22; F21: two vulnerabilities), rpcbind (F23: denial of service), sudo (F23; F22: privilege escalation), and xen (F23: multiple vulnerabilities). Mageia has updated kernel (denial of service), krb5 (multiple vulnerabilities), owncloud (unspecified vulnerabilities), and roundcubemail (cross-site scripting). openSUSE has updated krb5 (13.2, 13.1: multiple vulnerabilities), phpMyAdmin (Leap 42.1; 13.2, 13.1: content spoofing), and polkit (Leap 42.1: multiple vulnerabilities). Slackware has updated firefox (multiple vulnerabilities) and nss (code execution). Ubuntu has updated unzip (regression in previous update).
Videos from systemd.conf 2015
The videos of the talks from the inaugural systemd.conf event have been posted. There are about two-dozen talks on the development of systemd itself and systems that use it.
Trinity 1.6 released
Dave Jones has announced, at long last, a new release of the Trinity kernel fuzz-testing tool. "At last week's kernel summit, a number of people expressed just how useful they find Trinity and how much they were bummed to find out I wasn’t working on it any more. With that feedback, I felt motivated to clean the decks and get 1.6 out."
[$] A new Mindcraft moment?
It is not often that Linux kernel development attracts the attention of a mainstream newspaper like The Washington Post; lengthy features on the kernel community's approach to security are even more uncommon. So when just such a feature hit the net, it attracted a lot of attention. This article has gotten mixed reactions, with many seeing it as a direct attack on Linux. The motivations behind the article are hard to know, but history suggests that we may look back on it as having given us a much-needed push in a direction we should have been going for some time.
Friday's security updates
Arch Linux has updated nspr (code execution) and nss (code execution). Debian has updated libreoffice (multiple vulnerabilities). Fedora has updated drupal7 (F22: open redirect), mediawiki (F21; F22; F23: multiple vulnerabilities), python-pycurl (F23: use-after-free vulnerability), and xscreensaver (F21; F22: denial of service). Mageia has updated libebml (M5: multiple vulnerabilities), libtorrent-rasterbar (M5: code execution), libxml2 (M5: denial of service), libxslt (M5: denial of service), sddm (M5: denial of service), util-linux (M5: denial of service), and xscreensaver (M5: denial of service). SUSE has updated MozillaFirefox, mozilla-nspr, mozilla-nss (SLE12: multiple vulnerabilities). Ubuntu has updated kernel (12.04; 14.04; 15.04: multiple vulnerabilities), libreoffice (12.04, 14.04, 15.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
Kernel Self Protection Project
Kees Cook has announced the Kernel Self Protection Project, which is meant to be "a community of people to work on the various kernel self-protection technologies (most of which are found in PaX and Grsecurity)". This is an outgrowth of his Kernel Summit talk about incorporating hardening and self-protection features into the mainline kernel. "Between the companies that recognize the critical nature of this work, and with Linux Foundation's Core Infrastructure Initiative happy to start funding specific work in this area, I think we can really make a dent." He is looking for others who are also interested in doing some of this work.
The kernel of the argument (Washington Post)
The Washington Post has a lengthy look into an unusual subject for the mainstream press: Linux kernel security. There are quotes from Linus Torvalds and others in the kernel community along with some from various security researchers. The thrust seems to be that the kernel has been slow to adopt defensive mechanisms, which is a topic that also came up at the Kernel Summit. "The rift between Torvalds and security experts is a particular source of worry for those who see Linux becoming the dominant operating system at a time when technology is blurring the borders between the online and offline worlds. Much as Windows long was the standard for personal computers, Linux runs on most of the Internet’s servers. It also operates on medical equipment, sensitive databases and computers on many kinds of vehicles, including tiny drones and warships. 'If you don’t treat security like a religious fanatic, you are going to be hurt like you can't imagine. And Linus never took seriously the religious fanaticism around security,' said Dave Aitel, a former National Security Agency research scientist and founder of Immunity, a Florida-based security company."
The kernel of the argument (Washington Post)
Here's a lengthy Washington Post feature on the security (or lack thereof) of the Linux kernel; it features a number of familiar names. "Even many Linux enthusiasts see a problem with this from a security perspective: There is no systemic mechanism for identifying and remedying problems before hackers discover them, or for incorporating the latest advances in defensive technologies. And there is no chief security officer for the Linux kernel."
Security advisories for Thursday
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), nspr (C7; C6; C5: code execution), nss (C7; C6; C5: code execution), and nss-util (C7; C6: code execution). Debian has updated iceweasel (multiple vulnerabilities). Fedora has updated firefox (F23; F22: multiple vulnerabilities), nspr (F23; F22: code execution), nss (F23; F22: code execution), nss-softokn (F23; F22: code execution), nss-util (F23; F22: code execution), ntp (F21: multiple vulnerabilities), php-horde-horde (F22; F21: cross-site request forgeries), php-horde-imp (F22; F21: cross-site request forgeries), php-horde-ingo (F22; F21: cross-site request forgeries), and php-horde-passwd (F22; F21: cross-site request forgeries). Mageia has updated drupal (open redirect), firefox, nspr, and nss (multiple vulnerabilities), and springframework (open file redirect). openSUSE has updated postgresql92 (13.1: information disclosure) and wpa_supplicant (13.1: denial of service). Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities), kernel 2.6.32 (OL6; OL5: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), kernel 2.6.39 (OL6: privilege escalation), nss and nspr (OL5: code execution), and nss, nss-util, and nspr (OL7; OL6: code execution). Scientific Linux has updated firefox (multiple vulnerabilities), kernel (SL7: two vulnerabilities, one from 2014), libreswan (SL7: denial of service), nss and nspr (SL5: code execution), and nss, nss-util, and nspr (SL6&7: code execution). Ubuntu has updated firefox (multiple vulnerabilities), nspr (code execution), and nss (code execution).
[$] LWN.net Weekly Edition for November 5, 2015
The LWN.net Weekly Edition for November 5, 2015 is available.
Security advisories for Wednesday
Arch Linux has updated firefox (multiple vulnerabilities). CentOS has updated kernel (C7: two vulnerabilities) and libreswan (C7: denial of service). Debian has updated freeimage (integer overflow) and php-horde (cross-site request forgery). openSUSE has updated audiofile (Leap 42.1, 13.2, 13.1: buffer overflow), bouncycastle (Leap 42.1, 13.2, 13.1: invalid curve attack), java-1_7_0-openjdk (13.2; 13.1: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), postgresql93 (13.2: two vulnerabilities), potrace (Leap 42.1, 13.2, 13.1: denial of service), roundcubemail (13.2, 13.1: two vulnerabilities), sudo (13.2, 13.1: information disclosure), util-linux (Leap 42.1, 13.2, 13.1: denial of service), and wpa_supplicant (13.2: denial of service). Oracle has updated kernel (OL7: two vulnerabilities) and libreswan (OL7: denial of service). Red Hat has updated nss, nspr (RHEL5: code execution), firefox (RHEL5,6,7: multiple vulnerabilities), kernel (RHEL7: two vulnerabilities), kernel-rt (RHEL7; RHEMRG2.5: two vulnerabilities), libreswan (RHEL7: denial of service), and nss, nss-util, nspr (RHEL6,7: code execution). SUSE has updated krb5 (SLE12; SLE11SP3,4: multiple vulnerabilities) and xen (SLE12: multiple vulnerabilities). Ubuntu has updated xscreensaver (12.04: denial of service).
OpenSUSE Leap 42.1 released
The openSUSE Leap 42.1 release is now available. "Version 42.1 is the first version of openSUSE Leap that uses source from SUSE Linux Enterprise (SLE) providing a level of stability that will prove to be unmatched by other Linux distributions. Bonding community development and enterprise reliability provides more cohesion for the project and its contributor’s maintenance updates. openSUSE Leap will benefit from the enterprise maintenance effort and will have some of the same packages and updates as SLE, which is different from previous openSUSE versions that created separate maintenance streams." See this June LWN article for some background on this new approach to the openSUSE distribution.
Gardiner: Remembering Telsa Gwynne
Mary Gardiner has posted a memorial to Telsa Gwynne. "Telsa was also a critical inspiration to me as an activist: in the early 2000s (and still) it was hugely controversial to either believe that open source communities could still work if they were more civil (the entire LinuxChix project was partly an experiment with that), and even more so to insist that they should be. Telsa is the earliest person I can think of who stood up in an open source development community and asked it to change its norms in the direction of civility." Telsa withdrew from our community some years ago, but she will be much missed just the same.
Kernel Summit tech day coverage complete
LWN's 2015 Kernel Summit page now has coverage from the open day of the event, which focused primarily on technical topics. Subscribers are invited to have a look. Coverage from the final day is in the works and will be posted within the next day or so.
Firefox 42 is available
Firefox 42 has been released. This version features private browsing with tracking protection, site security and privacy controls in the Control Center, WebRTC improvements, and more. See the release notes for more information.
Tuesday's security updates
Arch Linux has updated unzip (two vulnerabilities). Debian has updated libvdpau (regression in previous update) and xen (privilege escalation). Debian-LTS has updated libhtml-scrubber-perl (cross-site scripting). Fedora has updated drupal7 (F21: unspecified vulnerability). Gentoo has updated mksh (improper sanitation). Mageia has updated exfat-utils (two vulnerabilities), libxml2 (buffer overflow), mediawiki (multiple vulnerabilities), openafs (plaintext leak), and postgresql (two vulnerabilities). SUSE has updated java-1_7_0-openjdk (SLE12; SLE11SP3,4: multiple vulnerabilities) and xen (SLE11SP4: multiple vulnerabilities).
[$] Security in an error-prone world
The 1957 Chevrolet Bel Air was a beautiful car, kernel.org administrator Konstantin Ryabitsev said at the beginning of his Korea Linux Forum talk. It had roomy seats, lots of features, and a smooth ride; it was all about power and comfort. But if you got into an accident with this car, it would kill you; it was not designed around the idea that things might go wrong. Our computer systems in 2015 mirror the Bel Air of 1957; they are not designed around humans and the mistakes they make. Konstantin had a simple message for the audience: take a cue from the automotive industry and design and build systems that do not fail catastrophically when errors are made.
Fedora 23 released
The Fedora 23 release is now available. "We're pleased to bring you the latest incarnations of the three main Fedora editions — Fedora Workstation, Fedora Cloud, and Fedora Server, each built with love by the Fedora community to custom-fit your needs in different areas. Fedora 23 is also available in alternate desktop Spins, curated software Labs, and special images for the ARM processor architecture." See the release notes for details; LWN looked forward to this release in August.
GNU Hurd 0.7, GNU Mach 1.6, GNU MIG 1.6 released
The GNU project has released GNU Hurd 0.7, GNU Mach 1.6, and GNU MIG 1.6. The Mach 3.0 Interface Generator (MIG) translates Remote Procedure Call (RPC) definition files to C code, and is required to compile any packages that are receiving or invoking RPCs, such as GNU Mach, GNU Hurd, and the GNU C Library (glibc) when compiled for the Hurd. GNU Mach is a microkernel, upon which a GNU Hurd system is based. The GNU Hurd is the GNU project's replacement for the Unix kernel. These releases contain improvements and bug fixes.
Security advisories for Monday
Arch Linux has updated mysql (multiple vulnerabilities). Debian has updated mariadb-10.0 (multiple vulnerabilities), ntp (multiple vulnerabilities), openafs (plaintext leak), openjdk-7 (problem with previous update), and unzip (two vulnerabilities). Debian-LTS has updated busybox (denial of service) and xscreensaver (denial of service). Fedora has updated community-mysql (F22; F21: multiple vulnerabilities), kernel (F21: multiple vulnerabilities), libvdpau (F21: multiple vulnerabilities), mingw-spice-gtk (F22: multiple vulnerabilities), mingw-spice-protocol (F22: multiple vulnerabilities), mod_nss (F22: incorrect multi-keyword mode cipherstring parsing), pacemaker (F21: privilege escalation), php-udan11-sql-parser (F22: content spoofing), phpMyAdmin (F22: content spoofing), spice (F22: multiple vulnerabilities), spice-gtk (F22: multiple vulnerabilities), spice-protocol (F22: multiple vulnerabilities), and springframework (F22; F21: Reflected File Download (RFD) attack). Gentoo has updated cups (two vulnerabilities), cups-filters (code execution), django (multiple vulnerabilities), mediawiki (multiple vulnerabilities), qemu (multiple vulnerabilities), tcpdump (multiple vulnerabilities), and wireshark (multiple vulnerabilities). Mageia has updated libpng12 (information leak), miniupnpc (code execution), ntp (multiple vulnerabilities), and phpmyadmin (content spoofing). openSUSE has updated chromium (SPH for SLE12: multiple vulnerabilities), chromium (SPH for SLE12: multiple vulnerabilities), chromium (SPH for SLE12: multiple vulnerabilities), chromium (SPH for SLE12: multiple vulnerabilities), chromium (SPH for SLE12: information disclosure), chromium (SPH for SLE12: multiple vulnerabilities), znc (SPH for SLE12: denial of service from 2012), and VirtualBox (13.2: two vulnerabilities). SUSE has updated java-1_7_0-openjdk (SLE12; SLE11SP4,3: multiple vulnerabilities) and xen (SLE11SP3: multiple vulnerabilities).
The 4.3 kernel has been released
Linus has released the 4.3 kernel right on the 63-day schedule. "So on the whole, this remains a rather calm release cycle until the very end. And with the release of 4.3, obviously the merge window for 4.4 is open, and let's keep our fingers crossed that that will be an equally calm release." 4.3 includes the ability to add BPF programs to user-space probes, the "PIDs controller" (an anti-fork-bomb measure), the removal of the ext3 filesystem, support for identifier locator addressing, the ability to handle page faults in user space, and more.
Denemo version 2.0 released
A major new release of Denemo, the GNU music-notation program, has been made available. Version 2.0 incorporates a significant refactoring of the user interface; the application now includes a general-purpose Object Inspector and Editor as well as separate tools for editing scores, movements, staffs, and voices. There is also a search-and-replace feature capable of searching for rhythmic patterns and a layout editor for arranging scores.
Friday's security updates
Arch Linux has updated lldpd (denial of service), phpmyadmin (content spoofing), and wordpress (multiple vulnerabilities). Debian has updated virtualbox (multiple vulnerabilities) and wordpress (multiple vulnerabilities; separate cross-site scripting regression fix). openSUSE has updated kernel (13.2: multiple vulnerabilities), libressl (multiple vulnerabilities), nodejs (Leap 42.1: denial of service), squid (nonce replay), sudo (Leap 42.1: information disclosure), and wireshark (multiple vulnerabilities). Scientific Linux has updated openafs (SL5, 6, 7: plaintext leak). Slackware has updated curl (multiple vulnerabilities), jasper (multiple vulnerabilities), and ntp (multiple vulnerabilities). SUSE has updated openstack-swift (SUSE OSC5: multiple vulnerabilities). Ubuntu has updated unzip (multiple vulnerabilities).
Tor Messenger chat client beta available
The Tor Project has announced the beta release of a new, off-the-record (OTR) chat client called Tor Messenger. As expected, chat session traffic is sent entirely over Tor. In addition, the application requires the use of OTR encryption, rather than merely providing it as an option. The beta is available for Linux, Windows, and Mac OS X systems. A blog post provides specifics about the implementation details.
Thursday's security updates
Debian has updated phpmyadmin (multiple vulnerabilities). Debian-LTS has updated ntp (multiple vulnerabilities) and phpmyadmin (multiple vulnerabilities). Fedora has updated abrt (F22: data leak), bugzilla (F21; F22: privilege escalation), java-1.8.0-openjdk (F21; F22: certificate verification botch), and libreport (F22: data leak). Ubuntu has updated audiofile (code execution).
[$] LWN.net Weekly Edition for October 29, 2015
The LWN.net Weekly Edition for October 29, 2015 is available.
An update on the VMware suit
The Software Freedom Conservancy has posted an update on the GPL-infringement suit against VMware filed by Christoph Hellwig. "The lawsuit continues to progress. VMware has filed a statement of defense, in which they assert arguments for the dismissal of the action. Christoph, with the assistance of his lawyer Till Jaeger, has filed his response to these arguments. Unfortunately, VMware has explicitly asked for the filings not to be published and, accordingly, Conservancy has not been able to review either document. With the guidance of counsel, Christoph was able to provide Conservancy with a high-level summary of the filings from which we are able to provide this update. VMware's statement of defense primarily focuses on two issues. First, VMware questions Christoph's copyright interest in the Linux kernel and his right to bring this action. Second, VMware claims vmklinux is an 'interoperability module' which communicates through a stable interface called VMK API."
Tor: a landmark for hidden services
The Tor Project's .onion (hidden services) addresses have been formally approved as a Special Use Domain Name by the Internet Engineering Task Force (IETF). "[Jacob] Appelbaum, a security researcher and advocate at the Tor Project and Alec Muffett, a software engineer at Facebook, co-authored the Request for Comments (RFC 7686) to the IETF. Hidden services are used by human rights defenders, political organizers, journalists, diplomats, and ordinary people around the world who want to chat, email, blog or do other everyday work privately and without the use of a centralized, hackable server."
Security advisories for Wednesday
CentOS has updated qemu-kvm (C7: denial of service). Debian has updated openjdk-7 (multiple vulnerabilities) and php5 (two vulnerabilities). openSUSE has updated squid (13.2, 13.1: nonce replay vulnerability) and wireshark (13.2, 13.1: multiple vulnerabilities). Red Hat has updated kubernetes (RHOSE3: directory path traversal). Ubuntu has updated ntp (multiple vulnerabilities), openjdk-7 (15.10, 15.04, 14.04: multiple vulnerabilities), and php5 (denial of service).
[$] Running a mainline kernel on a cellphone
One of the biggest freedoms associated with free software is the ability to replace a program with an updated or modified version. Even so, of the many millions of people using Linux-powered phones, few are able to run a mainline kernel on those phones, even if they have the technical skills to do the replacement. The sad fact is that no mainstream phone available runs mainline kernels. A session at the 2015 Kernel Summit, led by Rob Herring, explored this problem and what might be done to address it.
[$] The Dirk and Linus show comes to Seoul
One of the recurring features of Linux Foundation events is an on-stage discussion between Dirk Hohndel and Linus Torvalds on a variety of kernel-related topics. The Korea Linux Forum in Seoul, South Korea did not diverge from this pattern. The pair talked about a wide range of topics; there were few surprises and little that will be controversial, but the discussion did include some insights into how the community is doing and where the kernel is going.
The EFF wins a DMCA exemption for cars
The Electronic Frontier Foundation has announced that its petition for an exemption to the US Digital Millennium Copyright Act for automotive software has been accepted. "Because Section 1201 prohibits unlocking 'access controls' on the software, car companies have been able to threaten legal action against anyone who needs to get around those restrictions, no matter how legitimate the reason. While the copyright office removed this legal cloud from much car software research, it also delayed implementation of the exemption for one year."
EFF Wins Petition to Inspect and Modify Car Software
The Electronic Frontier Foundation reports that the Librarian of Congress has granted security researchers and others the right to inspect and modify the software in their cars and other vehicles. "EFF also won an [DMCA] exemption for users who want to play video games after the publisher cuts off support. For example, some players may need to modify an old video game so it doesn’t perform a check with an authentication server that has since been shut down. The Librarian also granted EFF’s petition to renew a previous exemption to jailbreak smartphones, and extended that to other mobile devices, including tablets and smartwatches. This clarifies the law around jailbreaking, making clear that users are allowed to run operating systems and applications from any source, not just those approved by the manufacturer. EFF also won the renewal and partial expansion of the exemptions for remix videos that use excerpts from DVDs, Blu-Ray discs, or downloading services."
Tuesday's security updates
Arch Linux has updated vorbis-tools (denial of service). CentOS has updated ntp (C7; C6: two vulnerabilities). Debian-LTS has updated libxml2 (regression in previous update). Mageia has updated iceape/sqlite3 (multiple vulnerabilities) and virtualbox (two vulnerabilities). openSUSE has updated nodejs (13.2, 13.1: denial of service), haproxy (13.2: information leak), and libressl (13.2: two vulnerabilities). Oracle has updated ntp (OL7; OL6: two vulnerabilities) and qemu-kvm (OL7: denial of service). Red Hat has updated ntp (RHEL6,7: two vulnerabilities) and qemu-kvm (RHEL7: denial of service). Scientific Linux has updated ntp (SL6,7: two vulnerabilities) and qemu-kvm (SL7: denial of service). Ubuntu has updated apport (privilege escalation).
Four more stable kernel updates
The 4.2.5, 4.1.12, 3.14.56, and 3.10.92 stable kernels are available; each contains another set of important fixes.
KDevelop 5.0.0 beta available
The first beta release of KDevelop 5.0.0 is available. The code base has been ported to Qt 5 and KDE Frameworks 5, the legacy C++ parser and semantic analysis plugin has been replaced with a much more powerful one that is based on Clang, the hand-written CMake interpreter has been removed in favor of upstream CMake, plus more features, code cleanup and bug fixes.
Security advisories for Monday
Arch Linux has updated drupal (open redirect vulnerability). Debian has updated gdk-pixbuf (two vulnerabilities), miniupnpc (code execution), and mysql-5.5 (multiple vulnerabilities). Debian-LTS has updated libxml2 (buffer overflow). Fedora has updated drupal7-active_tags (F22; F21: cross-site scripting), drupal7-jquery_update (F22; F21: open redirect attack), ganglia (F22; F21: authentication bypass), mbedtls (F22; F21: code execution), pacemaker (F22: privilege escalation), pixman (F21: buffer overflow), qemu (F22: denial of service), seamonkey (F22; F21: multiple vulnerabilities), and xen (F22; F21: denial of service). Mageia has updated audiofile (buffer overflow), chromium-browser-stable (multiple vulnerabilities), dbus (security hardening), fuseiso (two vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), lxdm (access bypass), ntp (multiple vulnerabilities), nvidia-driver (privilege escalation), and rsync (denial of service). openSUSE has updated Chromium (13.2, 13.1: multiple vulnerabilities) and firefox (13.2, 13.1: information disclosure). SUSE has updated php53 (SLE11SP3,4: multiple vulnerabilities). Ubuntu has updated mysql-5.5, mysql-5.6 (15.10, 15.04, 14.04, 12.04: multiple vulnerabilities).