LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-15 00:30
Security updates for Friday
Arch Linux has updated firefox (information leak) and wordpress (multiple vulnerabilities). Debian has updated kernel (multiple vulnerabilities). Debian-LTS has updated openssh (two vulnerabilities) and remind (buffer overflow). Fedora has updated drupal6-cck (F22; F21: unspecified vulnerability), lighttpd (F22; F21: log injection), mantis (F22; F21: information disclosure), opensaml-java (F22; F21: missing host name verification), opensaml-java-openws (F22; F21: missing host name verification), and openstack-swift (F22: arbitrary object deletion). Oracle has updated kernel 3.8.13 (OL7; OL6: information leak), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: two vulnerabilities). Ubuntu has updated firefox (15.04, 14.04, 12.04: information leak) and openjdk-6 (12.04: multiple vulnerabilities).
Privacy Badger 1.0
The Electronic Frontier Foundation has announced the 1.0 release of the Privacy Badger browser extension. "As you browse the Web, Privacy Badger looks at any third party domains that are loaded on a given site and determines whether or not they appear to be tracking you (e.g. by setting cookies that could be used for tracking, or fingerprinting your browser). If the same third party domain appears to be tracking you on three or more different websites, Privacy Badger will conclude that the third party domain is a tracker and block future connections to it." The extension is distributed under GPLv3; see this page for more information.
An active Firefox exploit
Mozilla has posted a warning about a Firefox vulnerability that is currently being actively exploited on the net. "The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the 'same origin policy') and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files." There is a security update for the problem.
Grasch: A Frank Look at Simon: Where To Go From Here
On his blog, Peter Grasch considers the future for the Simon speech-recognition system for KDE. He is passing the torch and will no longer be actively participating in the project, but he spent some time passing on his knowledge and some thoughts on where things might go from here. In addition, he built a working prototype of a speech-based command and control system for the Plasma desktop called Lera. "If anything, Lera is a starting point. The next steps would be to move Simon’s “eventsimulation” library into a separate framework, to be shared between Lera and Simon. Lera could then use this to type out the recognition results (see Simon’s Dictation plugin). Then, I would suggest porting a simplified notion of “Scenarios” to Lera, which should only really contain a set of commands, and maybe context information (vocabulary and “grammar” can be synthesized automatically from the command triggers). The implementation of training (acoustic model adaption) would then complete a very sensible, very usable version 1.0."
Federated Cloud Sharing in ownCloud 8.1 (ownCloud blog)
The ownCloud blog has a post about federated file sharing between ownCloud instances in ownCloud 8.1, but it also looks at the wider view of federation between various kinds of cloud servers. ownCloud founder Frank Karlitschek has a series of posts (It is Time to Federate Our Clouds, The Next Generation File Sync and Share Technology, and The Federated Architecture of Next Generation File Sync and Share) on federation technology and has also proposed a cross-cloud-platform federation API: "In addition, today Frank proposed a draft of a Federated Cloud Sharing API to the Open Cloud Mesh working group with the goal of jump-starting a discussion about what is needed to enable federation between different file sharing implementations. Sharing among ownClouds is great, but the true power of a federated file cloud is available when you can share among different implementations seamlessly, because you all speak the same common language. This is the goal of the Open Cloud Mesh working group (of which ownCloud is a member as well), and outside of that, drafts have been shared with a number of well known standards organizations around web technologies and fellow open source file share and sync projects to get the work started."
Security updates for Thursday
CentOS has updated kernel (C7: multiple vulnerabilities, one from 2014). Fedora has updated kernel (F22: three vulnerabilities). openSUSE has updated ghostscript (13.2, 13.1: code execution) and php5 (13.2, 13.1: two vulnerabilities). Red Hat has updated kernel (RHEL7: multiple vulnerabilities, one from 2014) and kernel-rt (RHEL7; RHEL6: multiple vulnerabilities, one from 2014). Scientific Linux has updated kernel (SL7: multiple vulnerabilities, one from 2014). SUSE has updated oracle-update (Manager 2.1: multiple vulnerabilities). Ubuntu has updated cinder (15.04: arbitrary file reads), python-keystoneclient, python-keystonemiddleware (15.04, 14.04: two vulnerabilities, one from 2014), and swift (15.04, 14.04, 12.04: two vulnerabilities, one from 2014).
[$] LWN.net Weekly Edition for August 6, 2015
The LWN.net Weekly Edition for August 6, 2015 is available.
[$] "Big data" features coming in PostgreSQL 9.5
PostgreSQL 9.5 Alpha 2 is due to be released on August 6. Not only does the new version support UPSERT, more JSON functionality, and other new features we looked at back in July, it also has some major enhancements for "big data" workloads. Among these are faster sorts, TABLESAMPLE, GROUPING SETS and CUBE, BRIN indexes, and Foreign Data Wrapper improvements. Taken together, these features strengthen arguments for using PostgreSQL for data warehouses, and enable users to continue using it with bigger databases.
Security updates for Wednesday
Debian has updated wordpress (regression in previous update). Debian-LTS has updated ia32-libs (multiple vulnerabilities). Red Hat has updated java-1.5.0-ibm (RHEL5,6: multiple vulnerabilities) and node.js (RHOSE2.1; RHOSE2.0: man-in-the-middle attack). SUSE has updated java-1_6_0-ibm (SLEM12: multiple vulnerabilities). Ubuntu has updated oxide-qt (15.04, 14.04: multiple vulnerabilities).
[$] Fuzzing perf_events
You might be surprised to learn that starting with Linux 2.6.31 (in 2009) it has been rather easy to crash the Linux kernel. This date marks the introduction of the perf_event subsystem. It is likely that perf_event is not any more prone to errors than any other large kernel subsystem, but it has the distinction of being subjected to intense testing from the perf_fuzzer tool, which methodically probes the interface for bugs. Click below (subscribers only) for the full article from perf_fuzzer author Vince Weaver.
LibreOffice 5.0 released
The LibreOffice 5.0 release is out. "LibreOffice 5.0 sports a significantly improved user interface, with a better management of the screen space and a cleaner look. In addition, it offers better interoperability with office suites such as Microsoft Office and Apple iWork, thanks to new and improved filters to handle nonstandard formats." See this post from Michael Meeks for a detailed description of the work that went into this release.
Coalition Announces New ‘Do Not Track’ Standard for Web Browsing
The Electronic Frontier Foundation (EFF), privacy company Disconnect and a coalition of Internet companies have announced a stronger “Do Not Track” (DNT) setting for Web browsing—"a new policy standard that, coupled with privacy software, will better protect users from sites that try to secretly follow and record their Internet activity, and incentivize advertisers and data collection companies to respect a user’s choice not to be tracked online."
Tuesday's security advisories
Debian has updated squid3 (security bypass) and wordpress (multiple vulnerabilities). Fedora has updated quassel (F21: denial of service). Mageia has updated ipython (MG4,5: two vulnerabilities), moodle (MG5: vulnerabilities), pdns (MG4,5: denial of service), and php (MG5: multiple vulnerabilities). openSUSE has updated gpsm (13.1: code execution from 2013). Scientific Linux has updated autofs (SL6: privilege escalation), curl (SL6: multiple vulnerabilities), freeradius (SL6: denial of service), gnutls (SL6: multiple vulnerabilities), grep (SL6: two vulnerabilities), hivex (SL6: privilege escalation), httpd (SL6: access restriction bypass), ipa (SL6: cross-site scripting), java-1.6.0-openjdk (SL6: multiple vulnerabilities), kernel (SL6: multiple vulnerabilities), libreoffice (SL6: code execution), libxml2 (SL6: denial of service), mailman (SL6: two vulnerabilities), net-snmp (SL6: denial of service), ntp (SL6: multiple vulnerabilities), pacemaker (SL6: privilege escalation), pki-core (SL6: cross-site scripting), python (SL6: multiple vulnerabilities), sudo (SL6: information disclosure), wireshark (SL6: multiple vulnerabilities), and wpa_supplicant (SL6: denial of service).
Announcing the shutdown of the Ada Initiative
The Ada Initiative has announced that it is shutting down in mid-October. In the four years since it was founded, the organization has accomplished a lot to help create a less hostile environment for women in open technology and open culture. "We are proud of what we accomplished with the support of many thousands of volunteers, sponsors, and donors, and we expect all of our programs to continue on in some form without the Ada Initiative." Essentially, the organization found it hard to find others with the same "experiences, skills, strengths and passions" as co-founders Valerie Aurora and Mary Gardiner when they wanted to change roles within the initiative. "The Ada Initiative will shut down in approximately mid-October after using our remaining funds to complete our current obligations and do the tasks necessary to shut down the organization properly. We have several Ally Skills Workshops booked or in the process of being booked during our remaining months of operation. (We will not be booking additional Ally Skills Workshops through the Ada Initiative, but we will refer clients to other people who are teaching the Ally Skills Workshop.) We will teach Impostor Syndrome training classes in Sydney and Oakland in August, and release the materials under the Creative Commons Attribution Sharealike license. We will do the work to keep the Ada Initiative's web content online and available after the Ada Initiative shuts down."
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.1.4, 3.14.49, and 3.10.85. All of them contain important fixes.
Security advisories for Monday
Debian has updated apache2 (multiple vulnerabilities), ghostscript (code execution), icedove (multiple vulnerabilities), icu (multiple vulnerabilities), and ruby-rack (denial of service). Fedora has updated bind (F22; F21: denial of service), bind99 (F22: denial of service), libuser (F21: multiple vulnerabilities), and openssh (F21: denial of service). Mageia has updated bind (MG4,5: denial of service), icu (MG4,5: code execution), and remind (MG4,5: buffer overflow). openSUSE has updated bind (13.2, 13.1: denial of service) and libuser (13.2: privilege escalation). Oracle has updated java-1.6.0-openjdk (OL5: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities), kernel 2.6.32 (OL6; OL5: multiple vulnerabilities), kernel 3.8.13 (OL7; OL6: multiple vulnerabilities), and lxc (OL7; OL6: two vulnerabilities). Scientific Linux has updated bind (SL6; SL6,7: denial of service) and libuser (SL6: two vulnerabilities).
Kernel prepatch 4.2-rc5
The 4.2-rc5 prepatch is out, and Linus is wishing things were going a bit more smoothly. "We're getting up there to the later rc's, but it's looking like 4.2 might be one of the releases needing more than the usual seven rc releases - things aren't calming down like I would wish, and we've still had some fairly annoying issues pop up."
Real-world use of Linux multipath TCP
LWN looked at the Linux multipath TCP implementation back in 2013. That code remains out of tree, but it now seems that it is being used in some Samsung phones in Korea. "This service enables smartphone users to reach bandwidth of up to 1 Gbps on existing smartphones. This is probably the fastest commercially deployed mobile network. They achieve this high bandwidth by combining both fast LTE (with carrier aggregation) and fast WiFi networks on Multipath TCP enabled smartphones." (Thanks to Olivier Bonaventure.)
OpenSSL: License Agreements and Changes Are Coming
At the OpenSSL blog, Rich Salz has announced the project's decision to migrate away from the "rather unique and idiosyncratic" OpenSSL license to the Apache 2.0 license. In order to make the change in an upcoming release, though, the project "will soon require almost every contributor to have a signed Contributor License Agreement (CLA) on file." Individual and corporate versions of the CLA are posted; trivial patches will evidently not trigger the need for the submitter to sign and file an agreement. Salz closes by noting that more details are still to come, since "there is a lot of grunt work needed to clean up the backlog and untangle all the years of work from the time when nobody paid much attention to this sort of detail."
Mozilla criticizes browser-selection change in Windows
Mozilla has launched a multi-pronged campaign to challenge a recent change in Windows that has the effect of overriding users' choice of Firefox as the default web browser. Mozilla CEO Chris Beard posted a blog entry outlining the problem as well as an open letter to Microsoft CEO Satya Nadella. The change apparently landed with the recent Windows 10 release and, as Beard explains it, "while it is technically possible for people to preserve their previous settings and defaults, the design of the new Windows 10 upgrade experience and user interface does not make this obvious nor easy." Mozilla has also posted tutorials and videos to help users restore Firefox as their default browser.
A leadership change at FFmpeg
FFmpeg leader Michael Niedermayer has announced his departure from the project. "I hope my resignation will make it easier for the teams to find back together and avoid a more complete split which would otherwise be the result sooner or later as the trees diverge and merging all improvements becomes too difficult for me to do."
Friday's security updates
CentOS has updated java-1.6.0-openjdk (C5; C7: multiple vulnerabilities). Debian has updated openafs (multiple vulnerabilities) and xmltooling (denial of service). Fedora has updated libuser (F22: multiple vulnerabilities), openssh (F22: authentication limits bypass; F22: improper output filtering), and xrdp (F22: denial of service). Mageia has updated groovy (M4, M5: code execution). openSUSE has updated bind (11.4: multiple vulnerabilities) and openldap2 (13.1, 13.2: multiple vulnerabilities). Oracle has updated java-1.6.0-openjdk (O6; O7: ). Red Hat has updated java-1.6.0-openjdk (multiple vulnerabilities). Scientific Linux has updated openafs (multiple vulnerabilities). SUSE has updated bind (SLES 10: denial of service), java-1_7_0-openjdk (SLE 11; SLE 12: multiple vulnerabilities), java-1_7_1-ibm (SLE 11; SLE 12: multiple vulnerabilities), and kernel (SLE 12: multiple vulnerabilities). Ubuntu has updated hplip (12.04, 14.04, 15.04: man-in-the-middle attack), kernel (14.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and sqlite3 (12.04, 14.04, 15.04: multiple vulnerabilities).
DebConf15 schedule and featured speakers announced
DebConf15, which will be held in Heidelberg, Germany August 15-23, has announced its schedule as well as four featured speakers: Allison Randal, President, Open Source Initiative and Distinguished Technologist, HP; Peter Eckersley, Chief Computer Scientist, Electronic Frontier Foundation; John Sullivan, Executive Director, Free Software Foundation; and Jon 'maddog' Hall, Executive Director, Linux International. "The DebConf content team is pleased to announce the schedule of DebConf15, the forthcoming Debian Developers Conference. From a total of nearly 100 talk submissions, the team selected 75 talks. Due to the high number of submissions, several talks had to be shortened to 20 minute slots, of which a total of 30 talks have made it to the schedule. In addition, around 50 meetings and discussions (BoFs) have been organized so far, as well as several other events like lightning talk sessions, live demos, a movie screening, a poetry night or stand-up comedy."
Oracle Linux 6.7 released
Oracle has announced the release of Oracle Linux 6.7. As usual this release features both a Red Hat compatible kernel and Oracle's enterprise kernel. Some notable features include Open Security Content Automation Protocol (OpenSCAP), including the oscap utility for enhanced security auditing and compliance, Load Balancing and High Availability with Keepalived and HAProxy, supported under Oracle Linux Premier Support subscriptions, Enhanced SSSD support for Active Directory, and more. See the release notes for details.
Security updates for Thursday
Debian-LTS has updated squid3 (security bypass). Fedora has updated drupal7-path_breadcrumbs (F22; F21: cross-site scripting), ecryptfs-utils (F22; F21: password disclosure from 2014), hplip (F21: key verification botch), httpd (F21: multiple vulnerabilities), ipython (F22; F21: cross-site request forgery), libunwind (F21: code execution), libwmf (F21: two denial of service flaws), nx-libs (F22: unspecified vulnerabilities), wpa_supplicant (F21: code execution), and xrdp (F21: denial of service). openSUSE has updated lxc (13.2; 13.1: two vulnerabilities). Oracle has updated autofs (OL6: privilege escalation from 2014), bind (OL6; OL6: denial of service), curl (OL6: multiple vulnerabilities, some from 2014), freeradius (OL6: code execution from 2014), gnutls (OL6: two vulnerabilities), grep (OL6: code execution), hivex (OL6: code execution from 2014), ipa (OL6: cross-site scripting from 2010 and 2012), kernel (OL6: multiple vulnerabilities, some from 2014), kernel 3.8.13 (OL7; OL6: three vulnerabilities, one from 2014), libreoffice (OL6: code execution), libuser (OL6: privilege escalation), libxml2 (OL6: two vulnerabilities, one from 2014), mailman (OL6: two vulnerabilities, one from 2002), net-snmp (OL6: denial of service from 2014), ntp (OL6: three vulnerabilities), pki-core (OL6: cross-site scripting), python (OL6: two vulnerabilities from 2013 and 2014), sudo (OL6: information disclosure from 2014), wireshark (OL6: multiple vulnerabilities, some from 2014), and wpa_supplicant (OL6: denial of service). SUSE has updated bind (SLE11SP1: denial of service). Ubuntu has updated ghostscript (15.04, 14.04, 12.04: code execution), openjdk-7 (15.04, 14.04: multiple vulnerabilities), pcre3 (15.04, 14.04, 12.04: multiple vulnerabilities, one from 2014), and tidy (15.04, 14.04, 12.04: two vulnerabilities).
Mourning Nóirín Plunkett
Here are a couple of sad notes from the Ada Initiative and the Apache Software Foundation on the abrupt passing of Nóirín Plunkett. "Throughout Nóirín's time at the Foundation she was an Apache httpd contributor, ASF board member, VP and ApacheCon organizer. Nóirín's passionate contributions and warm personality will be sorely missed. Many considered Nóirín a friend and viewed Nóirín's work to improving 'Women in Technology' as a great contribution to this cause."
[$] LWN.net Weekly Edition for July 30, 2015
The LWN.net Weekly Edition for July 30, 2015 is available.
[$] Building a Tizen IVI test experience
In November of 2013, I decided to undertake a garage-hacking project and build an in-vehicle infotainment (IVI) Linux box for my own car. Motivated hobbyists have done such things for years, of course. But, after having followed the development of various automotive Linux projects (such as GENIVI and Tizen IVI), I wanted to put them to the test, rather than simply stuff a Raspberry Pi into the glove compartment and run Rhythmbox on a tiny screen on the dashboard. Interesting developments were happening at automakers and software vendors, and they were worth exploring. It turned out to be a rather large project, so to cover it fully will take more than one installment. The first major milestone involves understanding the unique hardware, power, and boot requirements of an IVI unit (as well as finding a distribution that fits the bill).
Security updates for Wednesday
Arch Linux has updated bind (denial of service), pacman (man-in-the-middle attack), and qemu (multiple vulnerabilities). CentOS has updated bind (C7; C5: denial of service) and bind97 (C5: denial of service). Debian has updated bind9 (denial of service). Debian-LTS has updated apache2 (denial of service) and bind9 (denial of service). Fedora has updated elfutils (F21: unspecified vulnerabilities), haproxy (F22; F21: information leak), hplip (F22: man-in-the-middle attack), libidn (F22; F21: information disclosure), php (F21: multiple vulnerabilities), roundcubemail (F22; F21: multiple vulnerabilities), subversion (F21: multiple vulnerabilities), and wpa_supplicant (F22: denial of service). Mageia has updated ansible (MG4,5: two vulnerabilities), freeradius (MG4,5: insufficient certificate verification), openssh (MG4,5: authentication limits bypass), python-django (MG4,5: multiple vulnerabilities), and springframework (MG5: denial of service). Oracle has updated bind (OL7; OL5: denial of service) and bind97 (OL5: denial of service). Red Hat has updated bind (RHEL6,7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and qemu-kvm-rhev (RHOSP5,6: two vulnerabilities). Scientific Linux has updated bind (SL5: denial of service) and bind97 (SL5: denial of service). Slackware has updated bind (denial of service). SUSE has updated bind (SLE12; SLE11SP3,4: denial of service). Ubuntu has updated bind9 (15.04, 14.04, 12.04: denial of service) and qemu (15.04, 14.04: multiple vulnerabilities).
Roadies vs. rock stars: The art of open leadership (Opensource.com)
Matt Thompson talks with Allen Gunn, Executive Director of Aspiration, at Opensource.com. "I think you lead with a very earnest form of humility. The best forms of open are lovingly subversive, in that they draw others to form their own conclusions about the benefit of open rather than beating them over the head with it."
Tuesday's security updates
CentOS has updated clutter (C7: screen lock bypass) and qemu-kvm (C7: two vulnerabilities). Debian-LTS has updated icu (code execution). Mageia has updated chromium-browser (MG4,5: multiple vulnerabilities), expat (MG4,5: denial of service), icu (MG5; MG4: denial of service/code execution), stunnel (MG5: authentication bypass), thunderbird (MG4,5: multiple vulnerabilities), wesnoth (MG5; MG4: information leak), and wordpress (MG4: two vulnerabilities). Oracle has updated clutter (OL7: screen lock bypass) and qemu-kvm (OL7: two vulnerabilities). Red Hat has updated clutter (RHEL7: screen lock bypass). Scientific Linux has updated clutter (SL7: screen lock bypass) and qemu-kvm (SL7: two vulnerabilities). SUSE has updated xen (SLE12; SLE11SP4: two vulnerabilities). Ubuntu has updated apache2 (15.04, 14.04, 12.04: two vulnerabilities), kernel (15.04; 14.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-lts-vivid (14.04: multiple vulnerabilities).
The Dronecode Foundation aims to keep UAVs open (Opensource.com)
Opensource.com follows up with the Dronecode Foundation, which was founded in October 2014. "In the past year, Dronecode's developer community has grown from 1,200 to more than 2000 contributors, with more than 12,000 commits in the codebase. The rate of development is rapid with 1,000 commits being reviewed a month, with well over 2 million lines of code across the various Dronecode projects. Developers from Qualcomm, Intel, Parrot, Yuneec and many others are actively engaged in the development of the Dronecode technology stack. As a result, updates, new releases and project milestones are in motion all the time. For example, in late May, the APM project released version 3.3 of its flight code, and the PX4 project reached a milestone with the first RC candidate for release 1.0."
The Android "Stagefright" vulnerability
Here is an article on the "Threatpost" site about a set of remotely exploitable media-library vulnerabilities present on vast numbers of Android devices. "An attacker in possession of their target’s phone number could send an MMS or even a Google Hangouts message to an affected device that triggers the vulnerability before the victim has a chance to open the message. In some cases, the attack would delete the MMS in question, leaving behind only a notification that a message was sent."
Security advisories for Monday
Debian has updated expat (code execution), lxc (two vulnerabilities), and openjdk-7 (multiple vulnerabilities). Debian-LTS has updated expat (code execution), ghostscript (buffer overflow), and lighttpd (man-in-the-middle attack). Mageia has updated apache (MG4,5: two vulnerabilities), java-1.8.0-openjdk (MG5: multiple vulnerabilities), libuser (MG4,5: two vulnerabilities), and mariadb (MG4,5: multiple vulnerabilities). openSUSE has updated cacti (13.2, 13.1: SQL injection), Chromium (13.2, 13.1: multiple vulnerabilities), java-1_7_0-openjdk (13.2, 13.1: multiple vulnerabilities), and java-1_8_0-openjdk (13.2: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and qemu-kvm (RHEL7: two vulnerabilities).
Kernel prepatch 4.2-rc4
The fourth 4.2 prepatch is out for testing. Linus says: "I really wish that things were calming down, but it hasn't happened quite yet. It's not like this is particularly big or scary, but it's also not at the stage where it's really starting to get quiet and the bugs are really small and esoteric."
Plasma Mobile launched
Here is the announcement for Plasma Mobile, a KDE-based platform for smartphones. "The goal for Plasma Mobile is to give the user full use of the device. It is designed as an inclusive system, intended to support all kinds of apps. Native apps are developed using Qt; it will also support apps written in GTK, Android apps, Ubuntu apps, and many others, if the license allows and the app can be made to work at a technical level." There is a prototype build available for Nexus 5 phones.
etcd 2.1 released
The etcd 2.1 release is out. "For a quick overview, etcd is an open source, distributed, consistent key value store for shared configuration, service discovery, and scheduler coordination. By using etcd, applications can ensure that even in the face of individual servers failing, the application will continue to work." New features include a new authentication/authorization API, various robustness improvements, better logging, and a new metrics API.
GNUnet: IETF getting cold feet about P2P Names?
The GNUnet blog has this story about recent resistance from the IETF toward the standardization of "special use" domain names (such as .onion or .gnu) "to reduce the likelihood of ICANN accidentally creating a conflicting gTLD assignment." Despite the provisions made in RFC 6761, the article notes that "there are also a number of DNS-centric people with a total lack of alacrity in the dnsop WG to continue to stall the process by repeating arguments that were exchanged dozens of times in hundreds of e-mails." Among those offering resistance, it reports, is Internet Architecture Board Chair Andrew Sullivan, who "says the IETF should not support special use domain names threatening the DNS business model."
OpenSUSE Leap 42.1 milestone 1 released
The first development release of the upcoming openSUSE 42.1 distribution is now available. "Milestone is being used to avoid the term Alpha because the milestone is able to be deployed without the additional future items and subsystems that will become available when Leap is officially released." As reported in June, openSUSE 42.1 is a new version of the distribution based on the SUSE Linux Enterprise core.
Friday's security updates
Arch Linux has updated chromium (multiple vulnerabilities), crypto++ (private key recovery), libuser (multiple vulnerabilities), and openssh (authentication limits bypass). CentOS has updated libuser (C7: multiple vulnerabilities). Debian has updated chromium-browser (multiple vulnerabilities). Gentoo has updated e2fsprogs (code execution). Oracle has updated libuser (O7: multiple vulnerabilities). Red Hat has updated java-1.7.0-ibm (RHEL 5: multiple vulnerabilities) and libuser (RHEL 6; RHEL 7: multiple vulnerabilities). Scientific Linux has updated libuser (SL7: multiple vulnerabilities). Ubuntu has updated kernel (12.04; 14.04; 14.10; 15.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
Day: HIG updates
At his blog, Allan Day announces the first major update to the GNOME Human Interface Guidelines since the first GNOME 3 version (released in 2014). Day notes that the GNOME 3 HIG is structured around design patterns, in the hopes that it can be updated regularly to reflect current practices. "These new guidelines are the direct result of design work that has happened in the past year. They attempt to distill everything we’ve learned through our own process of trial and error." Furthermore, "the HIG now links to the relevant GTK+ API reference documentation for each design component. This is nice for knowing which widget does what; and makes the design guidelines a more effective accompaniment to the toolkit."
Thursday's security updates
Debian has updated kernel (multiple vulnerabilities). Fedora has updated hostapd (F21; F22: denial of service) and python-django (F22: multiple vulnerabilities). Gentoo has updated libXfont (multiple vulnerabilities). Mageia has updated java-1.7.0-openjdk (M4: multiple vulnerabilities) and php (M4: multiple vulnerabilities). Red Hat has updated java-1.6.0-ibm (RHEL 5,6: multiple vulnerabilities) and java-1.7.1-ibm (RHEL 6,7: multiple vulnerabilities). Ubuntu has updated nbd (multiple vulnerabilities).
[$] LWN.net Weekly Edition for July 23, 2015
The LWN.net Weekly Edition for July 23, 2015 is available.
[$] Django Girls one year later
Though it got a bit of a late start due to some registration woes, the first day of EuroPython 2015 began with an engaging and well-received keynote. It recounted the history of a project that got its start just a year ago when the first Django Girls workshop was held at EuroPython 2014 in Berlin. The two women who started the project, Ola Sitarska and Ola Sendecka, spoke about how the workshop to teach women about Python and the Django web framework all came together—and the amazing progress that has been made by the organization in its first year.
Red Hat Enterprise Linux 6.7 released
Red Hat has announced the general availability of RHEL 6.7. "As the basis for large, complex IT deployments, Red Hat Enterprise Linux 6.7 offers enterprise IT teams new capabilities to bolster system security, proactively identify and resolve business-critical IT issues, and confidently embrace some of the latest open source technologies, such as Linux containers, without sacrificing operational stability." The release notes contain details.
Wednesday's security advisories
Arch Linux has updated jre7-openjdk (multiple vulnerabilities). Debian has updated cacti (SQL injection). Debian-LTS has updated python-tornado (side-channel attack). openSUSE has updated ansible (13.2: two vulnerabilities), libressl (13.2: multiple vulnerabilities), pdns (13.2, 13.1: denial of service), and rubygem-activesupport-3_2 (13.2, 13.1: denial of service). Red Hat has updated autofs (RHEL6: privilege escalation), bind (RHEL6: denial of service), curl (RHEL6: multiple vulnerabilities), freeradius (RHEL6: buffer overflow), gnutls (RHEL6: multiple vulnerabilities), grep (RHEL6: two vulnerabilities), hivex (RHEL6: code execution), httpd (RHEL6: access restriction bypass), ipa (RHEL6: cross-site scripting), kernel (RHEL6: multiple vulnerabilities), libreoffice (RHEL6: code execution), libxml2 (RHEL6: denial of service), mailman (RHEL6: two vulnerabilities), net-snmp (RHEL6: denial of service), ntp (RHEL6: multiple vulnerabilities), pacemaker (RHEL6: privilege escalation), pki-core (RHEL6: cross-site scripting), ppc64-diag (RHEL6: two vulnerabilities), python (RHEL6: multiple vulnerabilities), sudo (RHEL6: information disclosure), wireshark (RHEL6: multiple vulnerabilities), and wpa_supplicant (RHEL6: denial of service). Ubuntu has updated lxc (15.04, 14.10, 14.04: two vulnerabilities) and mysql-5.5, mysql-5.6 (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Stable kernels 4.1.3 and 4.0.9
The 4.1.3 and 4.0.9 stable kernel releases are available with the usual set of important fixes. Note that 4.0.9 is the last in the 4.0.x series.
[$] Domesticating applications, OpenBSD style
One of the many approaches to improving system security consists of reducing the attack surface of a given program by restricting the range of system calls available to it. If an application has no need for access to the network, say, then removing its ability to use the socket() system call should cause no loss in functionality while reducing the scope of the mischief that can be made should that application be compromised. In the Linux world, this kind of sandboxing can be done using a security module or the seccomp() system call. OpenBSD has lacked this capability so far, but it may soon gain it via a somewhat different approach than has been seen in Linux.
"Cloud Native Computing Foundation" launched
The Linux Foundation has announced the Cloud Native Computing Foundation. "This new organization aims to advance the state-of-the-art for building cloud native applications and services, allowing developers to take full advantage of existing and to-be-developed open source technologies. Cloud native refers to applications or services that are container-packaged, dynamically scheduled and micro services-oriented. Founding organizations include AT&T, Box, Cisco, Cloud Foundry Foundation, CoreOS, Cycle Computing, Docker, eBay, Goldman Sachs, Google, Huawei, IBM, Intel, Joyent, Kismatic, Mesosphere, Red Hat, Switch SUPERNAP, Twitter, Univa, VMware and Weaveworks. Other organizations are encouraged to participate as founding members in the coming weeks, as the organization establishes its governance model."
Security advisories for Tuesday
CentOS has updated bind (C7: denial of service) and thunderbird (C7; C6; C5: multiple vulnerabilities). Debian-LTS has updated cacti (SQL injection) and cacti (regression in previous update). Fedora has updated asterisk (F22: SSL server spoofing), bind (F21: denial of service), httpd (F22: multiple vulnerabilities), java-1.8.0-openjdk (F22; F21: multiple vulnerabilities), libunwind (F22: buffer overflow), php-horde-Horde-Auth (F22; F21: multiple vulnerabilities), php-horde-Horde-Core (F22; F21: multiple vulnerabilities), php-horde-Horde-Form (F22; F21: multiple vulnerabilities), php-horde-Horde-Icalendar (F22; F21: multiple vulnerabilities), polkit (F21: multiple vulnerabilities), and squashfs-tools (F21: two vulnerabilities). Oracle has updated bind (OL7: denial of service) and thunderbird (OL7; OL6: multiple vulnerabilities). Red Hat has updated bind (RHEL7: denial of service) and thunderbird (RHEL5,6,7: multiple vulnerabilities). Scientific Linux has updated bind (SL7: denial of service) and thunderbird (SL5,6,7: multiple vulnerabilities). SUSE has updated mariadb (SLE12: multiple vulnerabilities). Ubuntu has updated thunderbird (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).