LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-20 11:15
[$] GitHub unveils its Licenses API
Since opening its doors in 2008, GitHub has grown to become the largest active project-hosting service for open-source software. But it has also attracted a fair share of criticism for some of its implementation choices—with one of the leading complaints being that it takes a lax approach to software licensing. That, in turn, leads to a glut of repositories bearing little or no licensing details. The company recently announced a new tool to help combat the license-confusion issue: a site-wide API for querying and reporting license information. Whether that API is up to the task, however, remains to be seen.
Security advisories for Wednesday
CentOS has updated bind (C6: denial of service). Debian has updated libssh2 (information leak), mod-gnutls (restriction bypass), and xen (multiple vulnerabilities). Debian-LTS has updated axis (verification bypass). Mageia has updated gnupg, libgcrypt (information leak), icu (code execution), pngcrush (denial of service), and vsftpd (unauthorized access). openSUSE has updated autofs (13.2, 13.1: privilege escalation), glusterfs (13.1: denial of service), percona-toolkit (13.2, 13.1: man-in-the-middle attack), and putty (13.2, 13.1: information disclosure). Oracle has updated bind (OL6: denial of service). Red Hat has updated bind (RHEL6,7: denial of service). Ubuntu has updated ecryptfs-utils (information disclosure) and icu (12.04: regression in previous update).
[$] Allowing small allocations to fail
As Michal Hocko noted at the beginning of his session at the 2015 Linux Storage, Filesystem, and Memory Management Summit, the news that the memory-management code will normally retry small allocations indefinitely rather than returning a failure status came as a surprise to many developers. In this session, the assembled group attempted to come up with ways to safely change this behavior. Click below (subscribers only) for the full report from LSFMM 2015.
Exploiting the DRAM rowhammer bug to gain kernel privileges
The Project Zero blog looks at the "Rowhammer" bug. "“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory." (Thanks to Paul Wise)
VMware update to GPL-enforcement suit
VMware has published a statement on the lawsuit filed by Christoph Hellwig alleging copyright infringement. "On March 5, 2015, Software Freedom Conservancy (SFC) announced a lawsuit in Germany, filed by Christoph Hellwig against VMware, alleging a failure to comply with the General Public License (GPL). We believe the lawsuit is without merit, and we are disappointed that the SFC and plaintiff have resorted to litigation given the considerable efforts we have made to understand and address their concerns. We see huge value in supporting multiple development methodologies, including free and open source software, and we appreciate the crucial role of free and open source software in the data center. In particular, VMware devotes significant effort supporting customer usage of Linux and F/OSS based software stacks and workloads." LWN recently covered the lawsuit. (Thanks to Emmanuel Seyman)
Fedora 22 Alpha released
The Fedora Project has announced the release of Fedora 22 Alpha. "The Alpha release contains all the exciting features of Fedora 22's editions in a form that anyone can help test. This testing, guided by the Fedora QA team, helps us target and identify bugs. When these bugs are fixed, we make a Beta release available. A Beta release is code-complete and bears a very strong resemblance to the third and final release. The final release of Fedora 22 is expected in May."
Tuesday's security updates
Mandriva has updated kernel (multiple vulnerabilities). Oracle has updated 389-ds-base (OL7: multiple vulnerabilities), glibc (OL7: multiple vulnerabilities), hivex (OL7: privilege escalation), openssh (OL7: two vulnerabilities), and pcre (OL7: information leak). Red Hat has updated qpid-cpp (RHE MRG for RHEL7; RHE MRG for RHEL6; RHE MRG for RHEL5: multiple vulnerabilities). Scientific Linux has updated 389-ds-base (SL6: information disclosure). Ubuntu has updated apache2 (multiple vulnerabilities), oxide-qt (14.10, 14.04: multiple vulnerabilities), and firefox (14.10, 14.04, 12.04: regression in previous update).
The kernel's code of conflict
A brief "code of conflict" was merged into the kernel's documentation directory for the 4.0-rc3 release. The idea is to describe the parameters for acceptable discourse without laying down a lot of rules; it also names the Linux Foundation's technical advisory board as a body to turn to in case of unacceptable behavior. This document has been explicitly acknowledged by a large number of prominent kernel developers.
Security advisories for Monday
Debian-LTS has updated konversation (information disclosure), libarchive (directory traversal), and redcloth (cross-site scripting). Fedora has updated cabextract (F21; F20: privilege escalation), kernel (F21: denial of service), krb5 (F20: multiple vulnerabilities), lftp (F20: automatically accepting ssh keys), libpng10 (F21; F20: two vulnerabilities), and qt3 (F21; F20: denial of service). Gentoo has updated dbus (denial of service), freetype (multiple vulnerabilities), glibc (multiple vulnerabilities), and php (multiple vulnerabilities). Mageia has updated apache (denial of service), jython (code execution), librsvg (multiple vulnerabilities), mapserver (command execution), and putty, filezilla (information disclosure). Mandriva has updated rpm (code execution). openSUSE has updated libmspack (13.2, 13.1: denial of service), thunderbird (13.2, 13.1: multiple vulnerabilities), and tiff (13.2, 13.1: multiple vulnerabilities). SUSE has updated firefox (SLE11 SP3; SLE11 SP2, SP1, SLES10 SP4: multiple vulnerabilities). Ubuntu has updated icu (12.04: regression in previous update).
Kernel prepatch 4.0-rc3
The 4.0-rc3 prepatch is out. "Back on track with a Sunday afternoon release schedule, since there was nothing particularly odd going on this week, and no last-minute bugs that I knew of and wanted to get fixed holding things up."
Three Debian technical committee appointments
Debian project leader Lucas Nussbaum has confirmed the appointment of three new members to the Debian technical committee. The new members are Didier Raboud, Tollef Fog Heen, and Sam Hartman; they will be replacing Ian Jackson, Russ Allbery, and Colin Watson.
A pile of stable kernel updates
The 3.19.1, 3.18.9, 3.14.35, and 3.10.71 stable kernel updates are available; each contains a relatively large set of important fixes.
Edmundson: High DPI Progress
At his blog, David Edmundson writes about the state of high-DPI support in KDE. "For some applications supporting high DPI has been easy. It is a single one line in KWrite, and suddenly all icons look spot on with no regressions. For applications such as Dolphin which do a lot more graphical tasks, this has not been so trivial. There are a lot of images involved, and a lot of complicated code around caching these which conflicts with the high resolution support without some further work." He is personally tracking the progress of many applications, but notes that there are many unsolved issues. "There are still many applications without a frameworks release even in the upcoming 15.04 applications release. Even in the next applications release in 15.08 August we are still unlikely to see a released PIM stack. Is it a good idea to add an option into our UIs that improves some applications at the cost of consistency? It's not an easy answer." This update is Edmundson's second post on the subject; the first, from November 2014, is also quite informative.
Friday's security updates
Debian has updated libarchive (directory traversal). Debian-LTS has updated eglibc (multiple vulnerabilities). Fedora has updated gnupg (F21: multiple vulnerabilities), libjpeg-turbo (F20; F21: denial of service), and qt (F20: denial of service). Gentoo has updated jasper (multiple vulnerabilities). Mageia has updated dokuwiki (M4: access control circumvention), maradns (M4: denial of service), python (M4: missing hostname check), vlc (M4: code execution), and vorbis-tools (M4: multiple vulnerabilities). openSUSE has updated chromium (13.1, 13.2: multiple vulnerabilities) and php5 (13.1, 13.2: multiple vulnerabilities). Oracle has updated 389-ds-base (O6: information disclosure). Red Hat has updated 389-ds-base (RHEL6; RHEL7: information disclosure), chromium-browser (RHEL6: multiple vulnerabilities), firefox (RHEL7: multiple vulnerabilities), glibc (RHEL7: multiple vulnerabilities), gnome-shell, mutter, clutter, cogl (RHEL7: denial of service), hivex (RHEL7: code execution), httpd (RHEL7: multiple vulnerabilities), ipa (RHEL7: multiple vulnerabilities), kernel (RHEL7: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libreoffice (RHEL7: multiple vulnerabilities), libvirt (RHEL7: multiple vulnerabilities), openssh (RHEL7: multiple vulnerabilities), openstack-glance (RHEL OSP6: denial of service), pcre (RHEL7: denial of service), powerpc-utils (RHEL7: information disclosure), ppc64-diag (RHEL7: information disclosure), qemu-kvm (RHEL7: multiple vulnerabilities), qemu-kvm-rhev (RHEL OSP6: buffer overflow), redhat-access-plugin-openstack (RHEL OSP6: information disclosure), thunderbird (RHEL7: multiple vulnerabilities), and virt-who (RHEL7: credentials disclosure). Slackware has updated samba (14.1: code execution). SUSE has updated PHP 5.3 (SLES11: multiple vulnerabilities).
Samba 4.2.0 released
The Samba team has announced the first release in the new stable 4.2.x series. This release adds transparent file compression, access to "Snapper" snapshots via the Windows Explorer "previous versions" dialog, better clustering support, and much more. This release also marks the end of support for Samba 3.
[$] A GPL-enforcement suit against VMware
When Karen Sandler, the executive director of the Software Freedom Conservancy, spoke recently at the Linux Foundation's Collaboration Summit, she spent some time on the Linux Compliance Project, an effort to improve compliance with the Linux kernel's licensing rules. This project, launched with some fanfare in 2012, has been relatively quiet ever since. Karen neglected to mention that this situation was about to change; that had to wait for the announcement on March 5 of the filing of a lawsuit against VMware alleging copyright infringement for its use of kernel code. Subscribers can click below for the full story.
Thursday's security updates
Fedora has updated bind (F21; F20: denial of service), lftp (F21: automatically accepting ssh keys), and rubygem-actionpack (F20: two information leaks). openSUSE has updated vsftpd (13.2, 13.1: access restriction bypass). Ubuntu has updated icu (14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013).
[$] LWN.net Weekly Edition for March 5, 2015
The LWN.net Weekly Edition for March 5, 2015 is available.
[$] A look at EasyNAS
Thus far, this series on network-attached storage (NAS) distributions has looked at three different approaches to the problem. OpenMediaVault provides a NAS server using traditional Linux filesystems, Rockstor bases everything on the Btrfs filesystem, and FreeNAS is a FreeBSD-based system using ZFS. This fourth (and probably final) installment in this series goes back to Btrfs with a look at EasyNAS, which is another attempt to make the unique features of Btrfs available in a dedicated NAS distribution.
Security advisories for Wednesday
Debian has updated icedove (multiple vulnerabilities). Debian-LTS has updated unace (code execution). Fedora has updated arc (F21; F20: directory traversal), e2fsprogs (F21; F20: code execution), glibc (F21; F20: multiple vulnerabilities), php (F20: multiple vulnerabilities), and qt (F21: denial of service). Mageia has updated php (multiple vulnerabilities). Mandriva has updated bind (denial of service) and freetype2 (many vulnerabilities). openSUSE has updated apache2 (13.2: denial of service), postgresql93 (13.2: multiple vulnerabilities), and python-rope (13.2, 13.1: unauthorized pickle.load). Red Hat has updated foreman-proxy (RHEL OSP Foreman; RHEL OSP 4.0: restriction bypass). SUSE has updated php5 (SLE12: two vulnerabilities). Ubuntu has updated kernel (14.04: regression in previous update) and linux-lts-trusty (12.04: regression in previous update).
GitLab acquires Gitorious
GitLab and Gitorious have announced that GitLab will acquire Gitorious. "Starting today, Gitorious.org users can import their existing projects into GitLab.com by clicking the “Import projects from Gitorious.org” link when creating a new project. Gitorious.org will stay online until the end of May 2015 to give people time to migrate their repositories."
Kernel prepatch 4.0-rc2
The 4.0-rc2 kernel prepatch is out. "So rc2 missed the usual Sunday afternoon timing, because I spent most of the weekend debugging an issue that happened on an old Mac Mini I have around, and I hate making even early -rc releases with problems on machines that I have direct access to. Even if it only affected old machines that actual developers are unlikely to have or at least use. Today I got the patch from Daniel Vetter to fix it, so instead of doing a Sunday evening rc2, it's a Tuesday morning one. Go get it. It works better for the delay."
Security updates for Tuesday
Debian has updated unace (code execution). Mandriva has updated patch (multiple vulnerabilities), sympa (information disclosure), tomcat (multiple vulnerabilities), and tomcat6 (multiple vulnerabilities). Red Hat has updated kernel (RHEL6.5; RHEL6.4: multiple vulnerabilities). SUSE has updated firefox (SLE12: multiple vulnerabilities). Ubuntu has updated thunderbird (14.10, 14.04, 12.04: multiple vulnerabilities).
Security advisories for Monday
Debian-LTS has updated bind9 (denial of service), e2fsprogs (code execution), libgtk2-perl (code execution), and sudo (two vulnerabilities). Fedora has updated httpd (F20: multiple vulnerabilities), librsvg2 (F21; F20: multiple unspecified vulnerabilities), libuv (F21: privilege escalation), nodejs (F21: privilege escalation), v8 (F21: privilege escalation), and vorbis-tools (F21; F20: denial of service). Mandriva has updated cups (buffer overflow). openSUSE has updated firefox, nss (13.2, 13.1: multiple vulnerabilities). SUSE has updated java-1_6_0-ibm (SLES11 SP1, SP2: multiple vulnerabilities). Ubuntu has updated kernel (14.04: regression in previous update).
IPython 3.0 released
The IPython interactive development system project has announced its 3.0 release. "Support for languages other than Python is greatly improved, notebook UI has been significantly redesigned, and a lot of improvement has happened in the experimental interactive widgets. The message protocol and document format have both been updated, while maintaining better compatibility with previous versions than prior updates. The notebook webapp now enables editing of any text file, and even a web-based terminal (on Unix platforms)." (LWN looked at IPython in 2014).
VLC 2.2.0 released
Version 2.2.0 of the VLC media player has been released. According to the announcement, highlights in the new version include automatic, hardware-accelerated rotation of portrait-orientation videos such as those shot on smartphones, resuming playback at the last point watched in the previous session, in-application download and installation of extensions, support for interactive Blu-Ray menus, and "compatibility with a very large number of unusual codecs." The release is available for Linux, Android, and Android TV, plus various Windows and Apple platforms.
LLVM 3.6 Released
Version 3.6 of the LLVM compiler suite is out. Changes include "many many bug fixes, optimization improvements, support for more proposed C++1z features in Clang, better native Windows compatibility, embedding LLVM IR in native object files, Go bindings, and more." Details can be found in the LLVM 3.6 release notes and the Clang 3.6 release notes.
New kernel releases
Greg Kroah-Hartman has released the latest stable kernels: 3.18.8, 3.14.34, and 3.10.70. All contain important updates and fixes.
Friday's security updates
Debian has updated request-tracker4 (multiple vulnerabilities). Debian-LTS has updated cups (code execution) and request-tracker3.8 (multiple vulnerabilities). Oracle has updated openssl (O5: multiple vulnerabilities). SUSE has updated Samba (SLES11: code execution). Ubuntu has updated cups (code execution) and eglibc, glibc (multiple vulnerabilities).
The state of Linux gaming in the SteamOS era (Ars Technica)
Ars Technica takes a look at Linux gaming and at what effect SteamOS has had already for gaming on Linux. The article also considers the future and where SteamOS might (or might not) take things. "This all brings up another major question for SteamOS followers: how long is this "beta" going to last, exactly? While Valve has unquestionably built a viable Linux gaming market from practically nothing, the company's lackadaisical development timeline might be holding the market back from growing even more. In the last year, the initial excitement behind the SteamOS beta launch seems to have given way to "Valve Time" malaise in some ways."
Security advisories for Thursday
CentOS has updated thunderbird (C6; C5: multiple vulnerabilities). Debian has updated cups (code execution), iceweasel (multiple vulnerabilities), kfreebsd-9 (denial of service), and libgtk2-perl (code execution). Fedora has updated libhtp (F20: denial of service). Gentoo has updated samba (multiple vulnerabilities, some from 2012 and 2013). Mageia has updated apache-poi (denial of service), cabextract (privilege escalation), e2fsprogs (two code execution flaws), firefox, thunderbird (multiple vulnerabilities), and sympa (information disclosure). openSUSE has updated cups (13.2, 13.1: code execution) and snack (13.2, 13.1: code execution from 2012). Oracle has updated firefox (OL5: multiple vulnerabilities) and thunderbird (OL6: multiple vulnerabilities). Red Hat has announced that RHEL5.9 support will end on March 31. Scientific Linux has updated firefox (multiple vulnerabilities) and thunderbird (SL6, SL5: multiple vulnerabilities). Slackware has updated thunderbird (multiple vulnerabilities) and firefox (multiple vulnerabilities). SUSE has updated java-1_5_0-ibm (SLE10 SP4: many vulnerabilities) and java-1_6_0-ibm (SLE11 SP2: two unspecified vulnerabilities). Ubuntu has updated EC2 kernel (10.04: two vulnerabilities), firefox (14.10, 14.04, 12.04: many vulnerabilities), kernel (14.10; 14.04; 12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
[$] LWN.net Weekly Edition for February 26, 2015
The LWN.net Weekly Edition for February 26, 2015 is available.
[$] What's new in Krita 2.9
The newest update to the Krita digital painting application has been released. Version 2.9 introduces several new user-interface features, updates to the layers system, and a variety of tool and rendering improvements. The 2.9 development cycle was also the project's first to be centered around a crowdfunding campaign.
Security advisories for Wednesday
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities). Debian-LTS has updated openjdk-6 (multiple vulnerabilities). Fedora has updated dump (F21; F20: code execution) and samba (F21; F20: root code execution). Gentoo has updated grep (denial of service). Mageia has updated freetype2 (many vulnerabilities) and samba (root code execution). openSUSE has updated samba (13.2, 13.1: two vulnerabilities). Oracle has updated firefox (OL7; OL6: multiple vulnerabilities). Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities) and thunderbird (RHEL5,6: multiple vulnerabilities). SUSE has updated Samba (SLE11 SP3: root code execution). Ubuntu has updated freetype (many vulnerabilities).
Firefox 36 released
Mozilla has released Firefox 36.0. The release notes mention a few new features, including support for the full HTTP/2 protocol. This version will no longer accept insecure RC4 ciphers whenever possible and certificates with 1024-bit RSA keys will be phased out. See the release notes for more information.
FOSDEM videos
Videos from FOSDEM sessions are available in mp4 format. WebM versions will become available later. (Thanks to Scott Dowdle)
[$] A GNU C Library update
A traditional feature of the tools track at the Linux Foundation's Collaboration Summit is an update from the developers of the GNU C Library (glibc); that tradition was upheld in fine form at the 2015 event. Glibc developer Roland McGrath noted that while the project is a critical component in vast numbers of Linux installations, it does not have a lot of developers working on it. Still, even with a relatively small developer base, some real progress has been made over the last year.
Tuesday's security updates
Debian has updated kernel (multiple vulnerabilities). Debian-LTS has updated samba (root code execution). Fedora has updated php (F21: two vulnerabilities), sox (F21: code execution), sudo (F20: information disclosure), and unzip (F20: multiple vulnerabilities). Oracle has updated samba (OL7; OL6: root code execution), samba3x (OL5: root code execution), and samba4 (OL6: root code execution). Red Hat has updated libyaml (RHEL6: denial of service), samba (RHEL7; RHEL6.2, 6.4, 6.5; RHEL6: root code execution), samba3x (RHEL5; RHEL5.6, 5.9: root code execution), and samba4 (RHEL6; RHEL6.4, 6.5: root code execution). Scientific Linux has updated samba (SL7; SL6,7; SL5: root code execution) and samba4 (SL6: root code execution). SUSE has updated php5 (SLE12: multiple vulnerabilities). Ubuntu has updated ca-certificates (certificate update), e2fsprogs (code execution), and samba (14.10, 14.04, 12.04: root code execution).
Morevna Production Report #1
The Beautiful Queen Marya Morevna is a Russian folk tale. The Morevna Project makes anime videos about Morevna, using free software. This progress report covers the status of their newest episode. "Our main animation tool is Synfig Studio and for the past years it was improved a lot. I guess it’s needless to say, that the new episode will be produced using the latest development version of Synfig. For current stage of the project it is important to ensure that the tool is stable enough for production, so last weeks we were concentrated on fixing the critical bugs. As result of this work, we have published the first Release Candidate for the new stable version of Synfig Studio, which is going to be numbered as 1.0 by the way." (Thanks to Paul Wise)
GNOME 3.15.90
The first beta in the GNOME 3.15 development series has been released. GNOME 3.15.90 features a new GNOME shell theme, redesigned notifications in GNOME shell, codec installation integrated in gnome-software, a login screen on Wayland, and more.
Security advisories for Monday
CentOS has updated samba (C7; C6: root code execution), samba3x (C5: root code execution), and samba4 (C6: root code execution). Debian has updated e2fsprogs (incomplete fix for code execution), eglibc (multiple vulnerabilities), ruby-redcloth (cross-site scripting), samba (root code execution), sudo (information disclosure), typo3-src (authentication bypass), and xdg-utils (command execution). Fedora has updated apache-poi (F21: XML-handling flaws), apache-poi (F20: denial of service), cups (F21: buffer overflow), drupal6-views (F21; F20: multiple vulnerabilities), e2fsprogs (F20: code execution), sudo (F21: information disclosure), and tomcat (F21: multiple vulnerabilities). Mageia has updated bind (denial of service). openSUSE has updated glibc (13.2, 13.1: multiple vulnerabilities). SUSE has updated java-1_6_0-ibm (SLES10 SP4: multiple unspecified vulnerabilities), java-1_7_0-ibm (SLE11 SP3; SLES11 SP2: multiple unspecified vulnerabilities), and samba (SLE12: root code execution).
Remote code execution vulnerability in Samba
The Samba 4.1.17, 4.0.25 and 3.6.25 releases are available; they fix an unpleasant code-execution vulnerability. See this Red Hat security blog entry for more information. "CVE-2015-0240 is a security flaw in the smbd file server daemon. It can be exploited by a malicious Samba client, by sending specially-crafted packets to the Samba server. No [authentication] is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root."
Kernel prepatch 4.0-rc1
Linus has closed the merge window for this release and released 4.0-rc1 — meaning, of course, that the current plan is to call the release "4.0". "But nobody should notice. Because moving to 4.0 does *not* mean that we somehow changed what people see. It's all just more of the same, just with smaller numbers so that I can do releases without having to take off my socks again." The codename has also changed to "Hurr durr I'ma sheep."
Ubuntu 14.04.2 LTS released + 15.04 ("Vivid Vervet") feature freeze
Ubuntu has announced the release of the second point release for its 14.04 long-term support (LTS). 14.04.2 comes with an updated kernel and X Window stack to support more hardware, along with "security updates and corrections for other high-impact bugs" all on updated installation media "so that fewer updates will need to be downloaded after installation". It is available for all of the members of the Ubuntu clan: Kubuntu, Edubuntu, Xubuntu, Mythbuntu, Ubuntu GNOME, Lubuntu, Ubuntu Kylin, and Ubuntu Studio. One other note from the Ubuntu world: a feature freeze is in effect for 15.04 ("Vivid Vervet"), which is due in April.
Green: Another update on the Truecrypt audit
On his blog, Matthew Green gives an update on the plans to audit the TrueCrypt disk encryption tool. Green led an effort in 2013 to raise money for an audit of the TrueCrypt source code, which sort of ran aground when TrueCrypt abruptly shut down in May 2014. "It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We're now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group's Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price -- and make your donations stretch farther -- we allowed the start date to be a bit flexible, which is why we don't have results yet."
GDB 7.9 released
Version 7.9 of the GDB debugger is out. Changes include enhancements to the Python scripting API, the ability to compile and inject code into the debugged program, signal-handling improvements, and more.
Friday's security updates
Debian has updated libreoffice (denial of service). Fedora has updated cups (F20: code execution), dbus (F20: denial of service), and freetype (F21; F20: many vulnerabilities). Mageia has updated cpio (privilege escalation), kernel-linus (many vulnerabilities, two from 2013), kernel-rt (many vulnerabilities, two from 2013), kernel-tmb (many vulnerabilities, two from 2013), kernel-vserver (many vulnerabilities, two from 2013), ruby-sprockets (information disclosure), sudo (information disclosure), and tomcat (HTTP request smuggling). openSUSE has updated tigervnc (13.2: information leak/denial of service) and xorg-x11-server (13.2, 13.1: information leak/denial of service). Red Hat has updated openstack-glance (access restriction bypass). SUSE has updated java-1_7_0-openjdk (many vulnerabilities, lots unspecified). Ubuntu has updated nss (TLS certificate update).
EFF: Lenovo is breaking HTTPS security on its recent laptops
Here is a statement from the Electronic Frontier Foundation on the revelation that Lenovo has been shipping insecure man-in-the-middle malware on its laptops. "Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users. The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken." For additional amusement, see Lenovo's statement on the issue. There are a lot of Lenovo users in LWN's audience. Presumably most of them have long since done away with the original software, but those who might have kept it around would be well advised to look into the issue; this site can evidently indicate whether a machine is vulnerable or not.
Security updates for Thursday
Debian has updated bind9 (denial of service). Debian-LTS has updated linux-2.6 (multiple vulnerabilities, one from 2013). Fedora has updated drupal7-path_breadcrumbs (F21; F20: access restriction bypass). openSUSE has updated perl-YAML-LibYAML (13.2, 13.1: multiple vulnerabilities, one each from 2013 and 2012) and php5 (13.2, 13.1: multiple vulnerabilities). SUSE has updated xntp (SLE10 SP4: multiple vulnerabilities). Ubuntu has updated bind9 (14.10, 14.04, 12.04: denial of service).
[$] LWN.net Weekly Edition for February 19, 2015
The LWN.net Weekly Edition for February 19, 2015 is available.