KDE.News looks at KDE sprints and their benefits. The organization is doing some fundraising to help support its sprints, so it is trying to get the word out about these code-focused events: "To start with, KDE sprints are intensive sessions centered around coding. They take place in person over several days, during which time skillful developers eat, drink and sleep code. There are breaks to refresh and gain perspective, but mostly sprints involve hard, focused work. All of this developer time and effort is unpaid. However travel expenses for some developers are covered by KDE. KDE is a frugal organization with comparatively low administrative costs, and only one paid person who works part time. So the money donated for sprints goes to cover actual expenses. Who gets the money? Almost all of it goes to transportation companies."
Debian has updated php5 (multiple vulnerabilities). Debian-LTS has updated pykerberos (authentication botch) and python-django (two vulnerabilities). Fedora has updated mariadb (F21: unspecified). Mageia has updated cgit (code execution from 2014). Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities, including one from 2014).
The developers of the Grsecurity kernel-hardening patch set have announced that, due to claimed ongoing GPL and trademark violations, the public distribution of the "stable" series of patches will stop. "We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity. Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only. The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities."
Arch Linux has updated gnutls (denial of service), jasper (denial of service), pcre (code execution), and python-django (denial of service). CentOS has updated httpd (C7: two vulnerabilities) and mariadb (C7: multiple vulnerabilities). Debian has updated twig (code execution). Debian-LTS has updated ruby1.8 (information disclosure) and ruby1.9.1 (information disclosure). Mageia has updated gnutls (MG4,5: two vulnerabilities), vlc (MG5: code execution), and wireshark (MG4,5: multiple vulnerabilities). Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities). Ubuntu has updated gdk-pixbuf (15.04, 14.04, 12.04: code execution).
At the 2015 edition of TypeCon in Denver, Adobe's Frank Grießhammer presented his work reviving the famous Hershey fonts from the mid-century era of computing. The original fonts were tailor-made for early vector-based output devices but, although they have retained a loyal following (often as a historical curiosity), they have never before been produced as an installable digital font.
Version 1.5 of the Go language has been released. "This release includes significant changes to the implementation. The compiler tool chain was translated from C to Go, removing the last vestiges of C code from the Go code base. The garbage collector was completely redesigned, yielding a dramatic reduction [PDF] in garbage collection pause times. Related improvements to the scheduler allowed us to change the default GOMAXPROCS value (the number of concurrently executing goroutines) from 1 to the number of available CPUs. Changes to the linker enable distributing Go packages as shared libraries to link into Go programs, and building Go packages into archives or shared libraries that may be linked into or loaded by C programs (design doc)."
Opensource.com wishes Linux a happy 24th birthday, with a brief timeline of Linux history. "There's some debate in the Linux community as to whether we should be celebrating Linux's birthday today or on October 5 when the first public release was made, but Linus says he is O.K. with you celebrating either one, or both! So as we say happy birthday, let's take a quick look back at the years that have passed and how far we have come."
KDE has released Plasma 5.4 with some new features. "This release of Plasma brings many nice touches for our users such as much improved high DPI support, KRunner auto-completion and many new beautiful Breeze icons. It also lays the ground for the future with a tech preview of Wayland session available. We're shipping a few new components such as an Audio Volume Plasma Widget, monitor calibration tool and the User Manager tool comes out of beta."
Linux.com has an interview with Dustin Kirkland of Canonical's Ubuntu Product and Strategy team, about Ubuntu on the mainframe and more. "Canonical is doing a lot of different things in the enterprise space, to solve different problems. One of the interesting works going on at Canonical is Fan networking. We all know that the world is running out of IPv4 addresses (or already has). The obvious solution to this problem is IPv6, but it’s not universally available. Kirkland said, "There are still places where IPv6 doesn't exist -- little places like Amazon web services where you end up finding lots of containers." The problem multiplies as many instances in cloud need IP addresses. "Each of those instances can run hundreds of containers, each of those containers then needs to be addressable," said Kirkland."
Debian-LTS has updated extplorer (cross-site scripting), roundup (multiple vulnerabilities), and wesnoth-1.8 (information leak). Mageia has updated libcryptopp (MG4,5: information disclosure), mediawiki (MG4,5: multiple vulnerabilities), openssh (MG4,5: multiple vulnerabilities), php (MG5; MG4: multiple vulnerabilities), and x11-server (MG5: permission bypass). openSUSE has updated wireshark (13.2: multiple vulnerabilities) and xfsprogs (13.2, 13.1: information disclosure). Red Hat has updated rh-ruby22-ruby (RHSCL2: DNS hijacking). Slackware has updated gnutls (denial of service). SUSE has updated glibc (SLE11SP3,4: multiple vulnerabilities) and kvm (SLE11SP2: two vulnerabilities).
In the end, Linus decided to hold off one more week and release 4.2-rc8 instead of the final 4.2 kernel. "It's not like there are any real outstanding issues, and I waffled between just doing the release and doing another -rc. But we did have another low-level x86 issue come up this week, and together with the fact that a number of people are on vacation, I decided that waiting an extra week isn't going to hurt. But it was close. It's a fairly small rc8, and I really feel like it could have gone either way."
Mozilla has announced a significant set of changes for authors of Firefox add-ons. These include a new API (and the deprecation of XUL and XPCOM), a process-based sandboxing mechanism, mandatory signing of extensions, and more. "For our add-on development community, these changes will bring benefits, like greater cross-browser add-on compatibility, but will also require redevelopment of a number of existing add-ons. We’re making a big investment by expanding the team of engineers, add-on reviewers, and evangelists who work on add-ons and support the community that develops them. They will work with the community to improve and finalize the WebExtensions API, and will help developers of unsupported add-ons make the transition to newer APIs and multi-process support."
Kent Overstreet, author of the bcache block caching layer, has announced that bcache has metamorphosed into a fully featured copy-on-write filesystem. "Well, years ago (going back to when I was still at Google), I and the other people working on bcache realized that what we were working on was, almost by accident, a good chunk of the functionality of a full blown filesystem - and there was a really clean and elegant design to be had there if we took it and ran with it. And a fast one - the main goal of bcachefs is to match ext4 and xfs on performance and reliability, but with the features of btrfs/zfs."
Fedora has updated pure-ftpd (F21: denial of service). Red Hat has updated openshift (RHOSE3: privilege escalation). SUSE has updated xen (SLE11SP1: two vulnerabilities). Ubuntu has updated subversion (15.04, 14.04, 12.04: multiple vulnerabilities) and firefox (15.04, 14.04, 12.04: regression in previous update).
The GNU C Library (glibc) is a famously conservative project. In the past, that conservatism meant that a number of Linux system calls had no glibc wrapper at all, leaving a glibc-using program with no direct way to call them. As glibc has relaxed a bit in recent years, its developers have started to reconsider adding wrapper functions for previously inaccessible system calls. But, as the discussion shows, adding these wrappers is still not as straightforward as one might think.
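To make the wrapper gap concrete, here is an added example written for this page (it is not code from the glibc project or from the article summarized above). It calls getrandom(2), which Linux gained in 3.17 but which glibc 2.22, the release noted elsewhere on this page, does not wrap, so the program has to go through the generic syscall(2) entry point with the raw syscall number and handle the details a wrapper would otherwise hide: short reads, EINTR, and ENOSYS on kernels that predate the call. The function names fill_random() and random_self_check(), the per-architecture fallback numbers, and the /dev/urandom fallback are this example's own assumptions.

```c
/*
 * Added example, not glibc code: calling getrandom(2) without a glibc
 * wrapper via syscall(2).  Assumed names: fill_random(), random_self_check().
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Recent glibc headers define SYS_getrandom from the kernel's unistd.h; older
 * ones do not, so fall back to the architecture's number (assumption: one of
 * these three targets). */
#ifndef SYS_getrandom
#  if defined(__x86_64__)
#    define SYS_getrandom 318
#  elif defined(__i386__)
#    define SYS_getrandom 355
#  elif defined(__aarch64__)
#    define SYS_getrandom 278
#  else
#    error "SYS_getrandom number unknown for this architecture"
#  endif
#endif

/* Last resort when the running kernel lacks getrandom(2) or a seccomp
 * filter refuses it: read the same pool through /dev/urandom. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (n == 0)
            break;              /* should not happen for /dev/urandom */
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/*
 * Fill buf with len bytes of kernel randomness.  Returns 0 on success and
 * -1 with errno set on failure.  Two things a raw-syscall caller must get
 * right that a wrapper would hide: the kernel may return fewer bytes than
 * requested for large buffers, and the call can be interrupted (EINTR).
 * syscall(2) itself converts the kernel's negative return into -1/errno.
 */
int fill_random(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        long n = syscall(SYS_getrandom, buf + got, len - got, 0 /* flags */);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            if (errno == ENOSYS || errno == EPERM)   /* kernel < 3.17, or seccomp */
                return fill_from_urandom(buf + got, len - got);
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

/* Self-check: two 32-byte draws succeed, are not all zero, and differ. */
int random_self_check(void)
{
    unsigned char a[32], b[32];
    if (fill_random(a, sizeof a) != 0 || fill_random(b, sizeof b) != 0)
        return 0;
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof a; i++)
        acc |= a[i];
    return acc != 0 && memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    unsigned char key[32];
    if (fill_random(key, sizeof key) != 0) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    putchar('\n');
    return random_self_check() ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall getrandom.c` and run; it prints 32 random bytes in hex. The point of the loop is the part of the exercise that a wrapper in glibc would own: with syscall(2) the program is responsible for argument types, for retrying on EINTR and short reads, and for deciding what to do when the kernel underneath is too old, which is exactly the kind of policy question the glibc developers are debating.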
Debian has updated conntrack (denial of service), openjdk-6 (multiple vulnerabilities), vlc (code execution), and zendframework (XML External Entity attack). Debian-LTS has updated conntrack (denial of service). Fedora has updated mariadb (F22: multiple vulnerabilities). Red Hat has updated mariadb55-mariadb (RHSCL2: multiple vulnerabilities) and rh-mariadb100-mariadb (RHSCL2: multiple vulnerabilities). SUSE has updated kvm (SLE11SP1: code execution).
Version 0.8 of the rkt container runtime has been released. The changelog notes that this version adds support for running under the LKVM hypervisor and adds experimental support for user namespaces. Other features include improved integration with systemd and additional functional tests. An accompanying blog post goes into further detail for many of these new features.
CentOS has updated pam (C6; C7: denial of service). Debian has updated python-django (multiple vulnerabilities). Debian-LTS has updated wordpress (multiple vulnerabilities). Fedora has updated audit (F21; F22: unsafe escape-sequence handling), icecast (F21; F22: denial of service), kernel (F21; F22: information leak), openssh (F22: multiple vulnerabilities), rubygem-rack (F22: denial of service), rubygems (F21: DNS hijacking), strongswan (F21; F22: multiple vulnerabilities), and xfsprogs (F21: information leak). Oracle has updated pam (O6; O7: denial of service). Red Hat has updated kernel (RHEL6: privilege escalation) and pam (RHEL6, 7: denial of service). Scientific Linux has updated pam (SL6, 7: denial of service). Ubuntu has updated python-django (12.04, 14.04, 15.04: multiple vulnerabilities) and openssh (12.04, 14.04, 15.04: upstream regression resulting in denial of service).
On his blog, Clint Ruoho reports on multiple vulnerabilities he found in the Pocket service that saves articles and other web content for reading later on a variety of devices. Pocket integration has been controversially added to Firefox recently, which is what drew his attention to the service. "The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache’s mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket’s app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs. These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket’s backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers." He was able to get more information, such as the contents of /etc/passwd on Pocket's Amazon EC2 servers. (Thanks to Scott Bronson and Pete Flugstad.)
CentOS has updated glibc (C5: code execution from 2013), mysql55-mysql (C5: multiple unspecified vulnerabilities, one from 2014), net-snmp (C7; C6: code execution), sqlite (C6: code execution), sqlite (C7: three vulnerabilities), and subversion (C6: three vulnerabilities). Debian has updated apache2 (two vulnerabilities), gdk-pixbuf (code execution), and nss (two vulnerabilities). Debian-LTS has updated libstruts1.2-java (unclear vulnerability from 2014). Fedora has updated erlang (F22; F21: man-in-the-middle vulnerability), firefox (F22: many vulnerabilities), flac (F21: two vulnerabilities from 2014), gnutls (F21: code execution), golang (F22; F21: HTTP request smuggling), nagios-plugins (F22; F21: three vulnerabilities), qemu (F22: two vulnerabilities), uwsgi (F22; F21: denial of service), and webkitgtk4 (F22: three unspecified vulnerabilities). Mageia has updated kdepim (M4: no attachment encryption from 2014). openSUSE has updated subversion (two vulnerabilities) and virtualbox (two vulnerabilities). Oracle has updated glibc (OL5: code execution from 2013), mysql55-mysql (OL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (OL7; OL6: code execution), sqlite (OL7: three vulnerabilities), sqlite (OL6: code execution), and subversion (OL6: three vulnerabilities). Red Hat has updated net-snmp (RHEL6&7: code execution). Scientific Linux has updated glibc (SL5: code execution from 2013), mysql55-mysql (SL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (SL6&7: code execution), sqlite (SL6: code execution), and subversion (SL6: three vulnerabilities). Ubuntu has updated kernel (12.04: three vulnerabilities), kernel (15.04; 14.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-ti-omap4 (12.04: three vulnerabilities), and net-snmp (two vulnerabilities, one from 2014).
As of this writing, the 4.2-rc7 prepatch is out and the final 4.2 kernel looks to be (probably) on track to be released on August 23. Tradition says that it's time for a look at the development statistics for this cycle. 4.2, in a couple of ways, looks a bit different from recent cycles, with some older patterns reasserting themselves. The full article is available to subscribers.
Christian Schaller has posted an open letter to the Apache Software Foundation with a non-trivial request: "So dear Apache developers, for the sake of open source and free software, please recommend people to go and download LibreOffice, the free office suite that is being actively maintained and developed and which has the best chance of giving them a great experience using free software. OpenOffice is an important part of open source history, but that is also what it is at this point in time." In this context, it's interesting to note that OpenOffice project chair Jan Iverson recently stepped down, listing resistance to an effort to cooperate with LibreOffice as one of the main reasons. The project currently looks set to name Dennis Hamilton (who is running unopposed) as its new chair.
The Linux Foundation has announced the launch of the Open Mainframe Project. "In just the last few years, demand for mainframe capabilities has drastically increased due to Big Data, mobile processing, cloud computing and virtualization. Linux excels in all these areas, often being recognized as the operating system of the cloud and for advancing the most complex technologies across data, mobile and virtualized environments. Linux on the mainframe today has reached a critical mass such that vendors, users and academia need a neutral forum to work together to advance Linux tools and technologies and increase enterprise innovation."
Greg Kroah-Hartman has announced the release of the 4.1.6, 3.14.51, and 3.10.87 stable kernels. As usual, there are important fixes throughout the tree and users of those kernel series should upgrade.
Arch Linux has updated glibc (denial of service from 2014). Debian-LTS has updated libidn (information disclosure) and subversion (information disclosure). Fedora has updated bzr (F22; F21: denial of service from 2013), firefox (F21: multiple vulnerabilities), and flac (F22: two vulnerabilities). Gentoo has updated adobe-flash (multiple vulnerabilities), icecast (denial of service), and libgadu (three vulnerabilities from 2013 and 2014). openSUSE has updated firefox (13.2; 13.1: multiple vulnerabilities) and flash-player (13.2; 13.1: many vulnerabilities). Oracle has updated kernel 3.8.13 (OL7; OL6: two remote denial of service flaws), kernel 2.6.39 (OL6; OL5: two remote denial of service flaws), and kernel 2.6.32 (OL6; OL5: two remote denial of service flaws). Red Hat has updated glibc (RHEL5: code execution from 2013), mysql55-mysql (RHEL5; RHSC2: multiple unspecified vulnerabilities, one from 2014), rh-mysql56-mysql (RHSC2: multiple unspecified vulnerabilities), sqlite (RHEL6: code execution), sqlite (RHEL7: three vulnerabilities), and subversion (RHEL6: three vulnerabilities). Scientific Linux has updated sqlite (SL7: three vulnerabilities). Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities). Ubuntu has updated openssh (15.04, 14.04, 12.04: two vulnerabilities) and pollinate (15.04, 14.04: certificate update).
Linus has released the 4.2-rc7 prepatch, but he's still not sure about whether it will be the last for this development cycle. "So this may be the last RC, and it might not be. It will depend on whether anything more comes up next week, and how good I feel about things come next Sunday. A part of me is convinced that all the odd 32-bit compat issues etc fallout is finally fixed, but a part of me is still a bit leery."
Version 2.22 of the GNU C Library is out. The biggest user-visible changes are an update to Unicode 7.0.0 and the addition of a vectorized math library for the x86_64 architecture. Beyond that, of course, there is a pile of bug fixes, a few of which address security-related problems.
It would seem that reports of the demise of the Stagefright Android vulnerability may be rather premature. Exodus Intelligence is reporting that at least one of the fixes for integer overflow did not actually fully fix the problem, so MPEG4 files can still crash Android and potentially allow code execution. "Around July 31st, Exodus Intelligence security researcher Jordan Gruskovnjak noticed that there seemed to be a severe problem with the proposed patch. As the code was not yet shipped to Android devices, we had no ability to verify this authoritatively. In the following week, hackers converged in Las Vegas for the annual Black Hat conference during which the Stagefright vulnerability received much attention, both during the talk and at the various parties and events. After the festivities concluded and the supposedly patched firmware was released to the public, Jordan proceeded to investigate whether his assumptions regarding its fallibility were well founded. They were."
Arch Linux has updated freeradius (certificate verification botch) and subversion (two vulnerabilities). CentOS has updated kernel (C6: two remote denial of service flaws). Fedora has updated gnutls (F22: denial of service), nbd (F22; F21: denial of service), pcre (F22: code execution), and wordpress (F22; F21: multiple vulnerabilities). Mageia has updated gdk-pixbuf2.0 (M5: code execution) and owncloud (three vulnerabilities). openSUSE has updated glibc (13.1: denial of service from 2014) and kernel (13.2: multiple vulnerabilities, some from 2014). Oracle has updated kernel (OL6: two remote denial of service flaws). Red Hat has updated kernel (RHEL6: two remote denial of service flaws). Scientific Linux has updated kernel (SL6: two remote denial of service flaws). SUSE has updated firefox (SLE11SP4, SP3: information leak).
Fedora Magazine reports on Fedora project leader Matthew Miller's keynote at Flock, which is the Fedora contributor conference. He outlined the state of the distribution using some graphs and statistics and said "we’re doing very well as a project and it’s thanks to all of you". The use of Internet Relay Chat (IRC) by the project was another topic: "Fedorans do like to work together. Last year there were 1,066 IRC meetings (official meetings, not just being in IRC talking), and 765 IRC meetings in 2015 alone. 'This shows how vibrant we are, but also is buried in IRC. There’s a lot of Fedora activity you don’t see on the Fedora Web site… I want to look at ways to make that more visible,' says Miller. There are efforts to make the activity more visible, says Miller. 'If I want to interact with the project, is somebody there? Yes, but we have millions of dead pages on the wiki… we need to make this more visible.' IRC is 'definitely a measure of engagement' but it’s also a high barrier of entry, says Miller. 'Wow that’s complicated. Wow, that’s still around?' is a common response from new contributors to IRC. The technology, and 'culture' can be confusing."
Debian has updated request-tracker4 (cross-site scripting). Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities). SUSE has updated firefox (SLE12: information leak), java-1_7_0-ibm (SLE11SP3, SP2: many vulnerabilities), and kernel-rt (SLE11SP3: many vulnerabilities, including some from 2014).
One of the oft-recurring topics at GUADEC 2015 was the xdg-app application-packaging system currently being developed. Xdg-app's lead developer Alexander Larsson gave a presentation on its current status on the first day, and it featured prominently in Christian Hergert's keynote about reaching new developers as well as in Bastien Nocera's talk about hardware enablement. Perhaps the most practical discussion of the subject, however, came in Stephan Bergmann's talk about his recent attempts to bundle LibreOffice into an xdg-app package.
Arch Linux has updated firefox (multiple vulnerabilities). CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities). Debian has updated gnutls28 (denial of service), iceweasel (multiple vulnerabilities), and wordpress (multiple vulnerabilities). Fedora has updated devscripts (F22; F21: two vulnerabilities), kernel (F22; F21: information leak), pure-ftpd (F22: denial of service), xen (F22; F21: code execution), and xfsprogs (F22: information disclosure from 2012). Mageia has updated firefox (MG4,5: multiple vulnerabilities), flash-player-plugin (MG4,5: multiple vulnerabilities), and qemu (MG4,5: multiple vulnerabilities). openSUSE has updated gnutls (13.2, 13.1: denial of service). Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities). Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.5: use-after-free flaw). Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities). SUSE has updated flash-player (SLE12; SLED11SP4,SP3: multiple vulnerabilities). Ubuntu has updated firefox (15.04, 14.04, 12.04: multiple vulnerabilities) and ubufox (15.04, 14.04, 12.04: multiple vulnerabilities).
The 1.8 release of the Docker container system is out, with a number of new features. "Docker Content Trust is a new feature in Docker Engine 1.8 that makes it possible to verify the publisher of Docker images. When a publisher pushes an image to a remote registry, Docker signs the image with a private key. When you later pull this image, Docker uses the publisher’s public key to verify that the image you are about to run is exactly what the publisher created, has not been tampered with, and is up to date."
Cisco, it seems, is unhappy with the patent mess around video codecs, so it has launched a project called "Thor" to make one that can be freely distributed. "The effort is being staffed by some of the world’s most foremost codec experts, including the legendary Gisle Bjøntegaard and Arild Fuldseth, both of whom have been heavy contributors to prior video codecs. We also hired patent lawyers and consultants familiar with this technology area. We created a new codec development process which would allow us to work through the long list of patents in this space, and continually evolve our codec to work around or avoid those patents."
Mozilla has released Firefox 40. There are several new features listed in the release notes, such as improved scrolling, graphics, and video playback performance with off-main-thread compositing; added protection against unwanted software downloads; a new style for the add-on manager based on the in-content preferences style; and an improved graphics blocklist mechanism.
Kali Linux is a Debian-based distribution oriented toward penetration testing and related tasks; the 2.0 release is now available. "There’s a new 4.0 kernel, now based on Debian Jessie, improved hardware and wireless driver coverage, support for a variety of Desktop Environments (gnome, kde, xfce, mate, e17, lxde, i3wm), updated desktop environment and tools – and the list goes on. But these bulletpoint items are essentially a side effect of the real changes that have taken place in our development backend. Ready to hear the real news? Take a deep breath, it’s a long list." At the top of that list is that Kali is now a rolling distribution.
Arch Linux has updated ppp (denial of service). Debian has updated subversion (two vulnerabilities). Debian-LTS has updated opensaml2 (denial of service). Fedora has updated elasticsearch (F22: multiple vulnerabilities), lxc (F22; F21: two vulnerabilities), and rubygems (F22: DNS hijacking).
The OpenSSH 7.0 release is out. It fixes a number of problems and adds a few new configuration features, but the main focus of 7.0 is taking things out: "The focus of this release is primarily to deprecate weak, legacy and/or unsafe cryptography." More old crypto is slated for removal in 7.1; see the announcement for the list.
Ubuntu has announced the release of the file-synchronization code behind its "Ubuntu One" service. The release is about as "over-the-wall" as it gets, though: "Will you take patches? In general, no. We won’t have anybody assigned to reviewing and accepting code. We’d encourage interested maintainers to fork the code and build out a community around it."
CentOS has updated firefox (C7; C6; C5: information leak). Debian has updated activemq (denial of service) and opensaml2 (problem with previous update). Debian-LTS has updated xmltooling (denial of service). Fedora has updated community-mysql (F22; F21: unspecified vulnerabilities) and firefox (F22; F21: information leak). Mageia has updated cacti (MG4,5: multiple vulnerabilities), firefox (MG4,5: information leak), ghostscript (MG4,5: buffer overflow), libunwind (MG4,5: buffer overflow), lxc (MG5: two vulnerabilities), and wordpress (MG4: multiple vulnerabilities). Oracle has updated firefox (OL7; OL6; OL5: information leak). Red Hat has updated firefox (RHEL5,6,7: information leak). Scientific Linux has updated firefox (SL5,6,7: information leak). Slackware has updated firefox (information leak) and nss (information leak).
The 4.2-rc6 kernel prepatch is out. Linus says: "So last week I wasn't very happy about the state of the release candidates, but things are looking up. Not only is rc6 finally shrinking noticeably, the issues I was worried about had fixes come in early in the week, and so I don't have anything big pending. Assuming nothing new comes up, I suspect we will end up with the regular release schedule after all (ie in two weeks). Knock wood."
The third update to the 14.04 Long Term Support release is available for Desktop, Server, Cloud, and Core products, as well as other flavors of Ubuntu with long-term support. "We have expanded our hardware enablement offering since 12.04, and with 14.04.3, this point release contains an updated kernel and X stack for new installations to support new hardware across all our supported architectures, not just x86."
Firefox 39.0.3 has been released. According to the release notes there are various security fixes, including a fix for the recently reported active exploit.
CentOS Linux 6.7 has been released for x86 and x86_64. "There are many fundamental changes in this release, compared with the past CentOS Linux 6 releases, and we highly recommend everyone study the upstream Release Notes as well as the upstream Technical Notes about the changes and how they might impact your installation. (See the 'Further Reading' section of the CentOS release notes.)"