Linus has released the 4.4-rc5 prepatch."If you have all your Christmas shopping done, I wouldheartily recommend giving rc5 a whirl in between the eggnogs and thedecorations. And if you're not celebrating the holidays, you have noexcuse for not testing it all out."
Mozilla has announced the first round of projects to receive support from the organization's new “Foundational Technology†grant program. The program offers funding to open-source projects outside of Mozilla that are regarded as important building blocks for work done within Mozilla. The recipients announced are Buildbot, CodeMirror, Discourse, Read The Docs, Mercurial, Django, and Bro. The post contains further details on the specific development goals associated with each grant. More selections are yet to come, and applications are open.
Over at Opensource.com, Seth Kenlon looks at realtime video editing with Open Broadcast Studio (OBS). The article describes OBS sources and scenes, compositing, filters, output options, and more. "It may be a relatively niche market, but not all video editing is done in post production. There are use cases for live, on-the-fly video editing and basic compositing. You've seen it done yourself, whether you realize it or not—news broadcasts, live webcasts, and live TV events usually use multiple-camera setups controlled by one central software suite.Open Broadcast Studio (formerly Open Broadcaster Software) is an open source central control room for live, realtime video editing. It features instant encoding using x264 (an open source h.264 encoder) and AAC and streams to services like YouTube, DailyMotion, Twitch, your own streaming server, or just to a file."
Greg Kroah-Hartman has released the 4.3.2stable kernel. It fixes a problem with time validation in X.509certificate handling that has been present since 4.3.0 (CVE-2015-5327). Ifyou are not using those certificates, though, you don't need to upgradefrom 4.3.1; others should upgrade.
Arch Linux has updated flashplugin (many vulnerabilities) and libxml2 (multiple vulnerabilities).Debian has updated chromium-browser (many vulnerabilities) and xen (multiple vulnerabilities).Debian-LTS has updated arts(privilege escalation) and kdelibs(privilege escalation).Fedora has updated pax-utils(F23: multiple vulnerabilities).openSUSE has updated flash-player(13.2, 13.1: many vulnerabilities), gpg2(42.1: two vulnerabilities), mariadb (13.2; 13.1:multiple vulnerabilities), mysql (many vulnerabilities), and thunderbird (13.2, 13.1: multiple vulnerabilities).Oracle has updated libpng (OL7; OL6: twovulnerabilities) and libpng12 (OL7: two vulnerabilities).Scientific Linux has updated libpng (SL6: three vulnerabilities).SUSE has updated flash-player (SLE11SP4, SLE11SP3; SLE12SP1, SLE12: many vulnerabilities).
There have been no kernel updates from Greg Kroah-Hartman since earlyNovember, but that has ended with a bang:4.3.1,4.2.7,4.1.14,3.14.58, and3.10.94 are all available with the usualset of important fixes.
Arch Linux has updated chromium (multiple vulnerabilities).CentOS has updated libpng (C6:code execution).Debian-LTS has updated dhcpcd (multiple vulnerabilities), foomatic-filters (code execution), gnutls26 (padding oracle attack), and libphp-phpmailer (header injection).Fedora has updated ImageMagick(F23: multiple vulnerabilities) and potrace (F23; F22: denial of service).Mageia has updated chromium-browser-stable (multiple vulnerabilities) and flash-player-plugin (multiple vulnerabilities).openSUSE has updated kernel(Leap42.1: multiple vulnerabilities).Oracle has updated git (OL7: codeexecution) and kernel (OL7: multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5,6: multiple vulnerabilities), kernel(RHEL7.1: multiple vulnerabilities), libpng(RHEL7: code execution), and libpng12(RHEL7: multiple vulnerabilities).
Version 4.4 of the WordPress blogging platform (and, these days, general content-managementsystem) has been released.Highlights in this update include responsive image displays,integration of a REST API into Wordpress core, improved caching forcomment queries, and provider support for the oEmbedcontent-embedding format. Provider support means that "now youcan embed your posts on other WordPress sites. Simply drop a post URLinto the editor and see an instant embed preview, complete with thetitle, excerpt, and featured image if you’ve set one. We’ll eveninclude your site icon and links for comments and sharing." Accompanying the release is a new default theme named "Twenty Sixteen"that was "built to look great on any device. A fluid griddesign, flexible header, fun color schemes, and more, will all makeyour content shine."
TechCrunch reportsthat the Firefox OS phone experiment has come to an end. "Firefox OSproved the flexibility of the Web, scaling from low-end smartphones all theway up to HD TVs. However, we weren’t able to offer the best userexperience possible and so we will stop offering Firefox OS smartphonesthrough carrier channels."
Opensource.com takesa look at a court case in Germany addressing the GPLv3 terminationprovisions. "In the Halle court case, the defendant, a higher education institution in Germany, offered certain software for download to its employees and students. The plaintiff provided a written warning of copyright infringement based on a GPL violation to the defendant, including a cease-and-desist declaration with a penalty clause. The defendant refused to sign the declaration but removed the software from its website. The plaintiff filed for a preliminary injunction.The court ruled that the plaintiff was entitled to a preliminary injunction. The defendant had made the plaintiff's copyrighted software publicly available and was in violation of both GPLv2 and GPLv3 as the defendant had not accompanied the software with the license text and the complete corresponding source code."
Given the processing requirements for high-speed networking, it is notsurprising that there is interest in offloading some of that work todedicated hardware. Linux has always carefully limited the supportprovided for such offloading, though; it has been just over ten years sincesupport for TCP offload engines wasdefinitively blocked from entering theLinux network stack. That rejection was driven by a number of concerns,with a reluctance to entrust network-protocol processing to closed-source,unextendable, unfixable software being near the top of the list. Nearly ten years later,offload engines are again the topic of fierce discussion. The hardware haschanged, but the concerns have not; indeed, some of the problems beingworked around now show why those concerns were valid in the first place.
CentOS has updated libxml2 (C6: multiple vulnerabilities).Debian-LTS has updated bouncycastle (invalid curve attack) and linux-2.6 (multiple vulnerabilities).Fedora has updated audiofile(F22: buffer overflow), LibRaw (F23: twovulnerabilities), and python-django (F23: information disclosure).openSUSE has updated thunderbird(Leap42.1: multiple vulnerabilities).Oracle has updated libxml2 (OL7; OL6: multiple vulnerabilities).Red Hat has updated git (RHEL7:code execution) and kernel (RHEL7: denial of service).SUSE has updated java-1_7_0-ibm(SLE11SP3: many vulnerabilities).Ubuntu has updated libsndfile (multiple vulnerabilities).
Version 3.6.0 of theNetHack dungeon adventure game has been released. This is the firstofficial release in over ten years. "Unlike previous releases,which focused on the general game fixes, this release consists of a seriesof foundational changes in the team, underlying infrastructure and changesto the approach to game development. Those of you expecting a huge raft ofnew features will probably be disappointed. Although we have included anumber of new features, the focus of this release was to get the foundationestablished so that we can build on it going forward." There hasbeen enough change, though, that old save files will not work with thisversion.
For a far-outside view, it's hard to beat thisVentureBeat article, wherein a venture capitalist talks about how"open-source companies" are taking over. "The OSS companies thatwill be pillars of IT in the future are the companies that leverage asuccessful OSS project for sales, marketing, and engineering prioritizationbut have a product and business strategy that includes some proprietaryenhancements. They’ve figured out that customers are more than happy to payfor an enterprise-grade version of the complete product, which may havesecurity, management, or integration enhancements and come withsupport. And they also understand that keeping this type of functionalityproprietary won’t alienate the community supporting the project the waysomething such as a performance enhancement would."
Apple has released its Swift programming language under the Apache 2.0 license, and it's available for Linux. The code can be found on GitHub. "Swift makes it easy to write software that is incredibly fast and safe by design. Now that Swift is open source, you can help make the best general purpose programming language available everywhere."
Version 17.3 of theUbuntu-based Linux Mint Cinnamon distribution has been released. This is along-term support release, with support planned until 2019. There is along listof new features for this release, many of which come with theCinnamon 2.8 desktop environment.
Day7 in the ongoing Perl 6 advent calendar is concerned with how thelanguage handles Unicode. "However, Perl 6 does this work for you,keeping track of these collections of codepoints internally, so that youjust have to think in terms of what you would see the characters as. Ifyou’ve ever had to dance around with substring operations to make sure youdidn’t split between a letter and a diacritic, this will be your happiestday in programming."
The 4.4-rc4 prepatch is out."Another week, another rc. We had a few more commits than last week(mostly due to the networking fixes merge), but on the whole it's beenpretty calm."
The OpenSSL project has released versions 0.9.8zh, 1.0.0t, 1.0.1q, and1.0.2e with fixes for a number of "moderate" security issues. Theannouncement also notes that this will be the last update for the 0.9.8 and1.0.0 branches, so users of those versions are advised to upgrade.
Version 2.1.10 of the GNU Privacy Guard is out. There are a number of new features in this release; they include a trust-on-first-usekey acceptance mechanism and the ability to fetch public keysanonymously via Tor.
Debian has updated openssl(multiple vulnerabilities) and redis(denial of service).Debian-LTS has updated openssl (memory leak).openSUSE has updated cyrus-imapd (13.1: integer overflow), LibVNCServer (Leap 42.1: multiplevulnerabilities), and python-django (13.2, 13.1: information leak).Red Hat has updated chromium-browser (RHEL6: multiplevulnerabilities) and openshift (RHOSE3.0, 3.1: information leak).SUSE has updated java-1_6_0-ibm (SLE12: multiple vulnerabilities), java-1_7_1-ibm (SLE11: multiple vulnerabilities), and kernel (SLE12: multiple vulnerabilities).
This lengthypaper from Phillip Rogaway tries to describe the moral responsibilitiesof the cryptographic community — responsibilities that, he believes, thatcommunity has failed to live up to. Worth a read."We need to erect a much expanded commons on the Internet. We need torealize popular services in a secure, distributed, and decentralized way,powered by free software and free/open hardware. We need to build systemsbeyond the reach of super-sized companies and spy agencies. Such servicesmust be based on strong cryptography. Emphasizing that prerequisite, weneed to expand our cryptographic commons."
On his blog, Lubomir Rintel discusses IPv6 privacy issues and how they are being handled by NetworkManager. "Creation of a privacy stable address relies on a pseudo-random key that’s only known the the host itself and never revealed to other hosts in the network. This key is then hashed using a cryptographically secure algorithm along with values specific for a particular network connection. It includes an identifier of the network interface, the network prefix and possibly other values specific to the network such as the wireless SSID. The use of the secret key makes it impossible to predict the resulting address for the other hosts while the network-specific data causes it to be different when entering a different network.This also solves the duplicate address problem nicely. The random key makes collisions unlikely. If, in spite of this, a collision occurs then the hash can be salted with a DAD failure counter and a different address can be generated instead of failing the network connectivity. Now that’s clever."
PHP 7 has been released. Along with some new language features, the biggest change is said to be much better performance and reduced memory use. "PHP 7.0 brings you unprecedented levels of real-world performance and throughput by utilizing the new and advanced Zend Engine 3.0, designed and refactored for speed and reduced memory consumption. This translates to real-world benefits: greatly decreased response times, superior user experiences, and the ability to serve more users with fewer servers to maximize the power of your PHP 7.0 deployment." We looked at the new features in PHP 7 in an article in this week's edition.
The Electronic Frontier Foundation has announcedthe public beta test of the Let's Encrypt initiative, which aims to makeencrypted web traffic the norm. "There are a number of flaws in theCA system, but when it comes to encrypting the Web, two in particular standout: cost and difficulty. Most CAs today charge for certificates. Whilesome are very cheap, every dollar of expense means a large swath of peoplewho can't afford to host a secure website. The larger barrier, though, isdifficulty. Once someone has purchased a certificate, they need to installit on their website, a time consuming and error-prone process that requiressignificant technical skill, which is a cost in itself. Let's Encrypt isnot only free but also automated, in order to make HTTPS encryption moreaccessible than ever."
CentOS has updated jakarta-commons-collections (C6: codeexecution) and libreport (C6: information leak).Debian has updated cups-filters(code execution).Fedora has updated keepass (F22:password locking options removed) and thunderbird (F23: multiple vulnerabilities).Slackware has updated libpng (twovulnerabilities) and mozilla (multiple vulnerabilities).Ubuntu has updated linux-lts-trusty (12.04: two vulnerabilities), openjdk-6 (12.04: multiple vulnerabilities), and qemu (multiple vulnerabilities).
While the event had a certain amount of drama surrounding it, the announcement of the end for the Debian Live project seems likely to haveless of an impact than it first appeared. The loss of the leaddeveloper will certainly be felt—and the treatment he and the projectreceived seems rather baffling—but the project looks like it will continuein some form. So Debian will still have tools to create live CDs and other media goingforward, but what appears to be a long-simmering dispute between projectfounder and leader DanielBaumann and the Debian CD and installer teams has been "resolved", albeitin an unfortunate fashion. Subscribers can click below for the full story from this week's Distributions page.
Arch Linux has updated chromium (multiple vulnerabilities).Debian has updated gnutls26 (padding oracle attack), icedove (multiple vulnerabilities), and putty (memory corruption).Fedora has updated putty (F23; F22: memory corruption).openSUSE has updated dracut(Leap42.1: multiple issues) and znc (SPH for SLE12; Leap42.1: denial of service).SUSE has updated dhcpcd(SLE11SP2,3,4: multiple vulnerabilities), java-1_6_0-ibm (SLE11SP3: multiplevulnerabilities), and java-1_7_1-ibm(SLE12: multiple vulnerabilities).Ubuntu has updated kernel (14.04:denial of service) and linux-lts-utopic(14.04: denial of service).
CryptoPeak Solutions is suing many tech and retail giants, claiming theirHTTPS websites infringe an encryption patent titled "Auto-Escrowable andAuto-Certifiable Cryptosystems". Ars Technica reports:"The latest batch of cases was lodged November 25. The cases name AT&T, Costco, Expedia, GoPro, Groupon, Netflix, Pinterest, Shutterfly, Starwood Hotels, Target, and Yahoo, among others. All the lawsuits include virtually identical language."Defendant has committed direct infringement by its actions that compriseusing one or more websites that utilize Elliptic Curve Cryptography (“ECCâ€)Cipher Suites for the Transport Layer Security (“TLSâ€) protocol (the“Accused Instrumentalitiesâ€)," according to the lawsuits."
Mozilla leader Mitchell Baker has announced that the Thunderbird emailclient projectwill, eventually, be spun out of Mozilla. "Therefore I believe Thunderbird should would thrive best by separating itself from reliance on Mozilla development systems and in some cases, Mozilla technology. The current setting isn’t stable, and we should start actively looking into how we can transition in an orderly way to a future where Thunderbird and Firefox are un-coupled."
Debian-LTS has updated imagemagick (denial of service), libsndfile (multiple vulnerabilities), libxml2 (multiple vulnerabilities), and nss (code execution).Fedora has updated abrt (F23: twovulnerabilities), mingw-libpng (F23;F22; F21:denial of service), python-pycurl (F22:use-after-free vulnerability), and seamonkey (F21: multiple vulnerabilities).Mageia has updated lightdm (denial of service), python-cryptography (denial of service), and thunderbird (multiple vulnerabilities).openSUSE has updated cyrus-imapd(Leap42.1, 13.2: two vulnerabilities), ffmpeg (Leap42.1: multiple vulnerabilities),GnuPG (13.2, 13.1: two vulnerabilities), libksba (Leap42.1: denial of service), libpng12 (Leap42.1: two vulnerabilities), libpng16 (Leap42.1: denial of service), libsndfile (Leap42.1: multiplevulnerabilities), ppp (Leap42.1, 13.2,13.1: denial of service), and virtualbox(13.1: two vulnerabilities).Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and thunderbird (OL7; OL6: multiple vulnerabilities).Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).
Matthew Garrett arguesthat meritocracy does not work as intended in development communities."When people criticise meritocracy, they're not criticising theconcept of treating contributions based on their merit. They're criticisingthe idea that humans are sufficiently self-aware that they will be able toidentify and reject every subconscious prejudice that will affect theirtreatment of others. It's not a criticism of a desirable goal, it's acriticism of a flawed implementation."
The 4.4-rc3 kernel prepatch is out fortesting. "I don't think there's anything particularly exciting,although that obviously depends on whether some particular issue ended upaffecting you or not. Most of it is pretty tiny random fixups."
The 2015 Ubuntu Community Council (CC) elections have been concluded. The results of the vote, as announced on the Ubuntu Fridge blog, are the seven individuals who will serve on the CC for the next two years: Daniel Holbach, Laura Czajkowski, Svetlana Belkin, Michael Hall, Scarlett Clark, C de-Avillez, and Marco Ceppi.A detailed account of the ballot results, complete with links to each candidate's biographical page, is also online.
Happy Thanksgiving to those who celebrate it, from all of us here at LWN.Happy November 26 to everyone else :)Debian has updated dpkg (codeexecution), nspr (code execution), python-django (information disclosure), and smokeping (code execution).Debian-LTS has updated eglibc(two vulnerabilities), python-django(information disclosure), and redmine (multiple vulnerabilities).Fedora has updated abrt (F21:information disclosure), jenkins (F22:three vulnerabilities), jenkins-remoting(F22: three vulnerabilities), and libreport(F21: information disclosure).openSUSE has updated libpng12(13.2, 13.1: two vulnerabilities), libpng16(13.2, 13.1: denial ofservice), and strongswan (authentication bypass).Oracle has updated abrt andlibreport (OL7: multiple vulnerabilities), glibc (OL7;OL7: multiple vulnerabilities), kernel (OL7: multiple vulnerabilities), NetworkManager (OL7: denial of service), sssd (OL7: unspecified), and tigervnc (OL7: two vulnerabilities).Red Hat has updated git19-git(RHSC2: code execution), java-1.5.0-ibm(RHEL5&6: multiple vulnerabilities), ntp (RHEL6: denial of service), and thunderbird (multiple vulnerabilities).SUSE has updated kernel(SLE11SP3: multiple vulnerabilities).Ubuntu has updated dpkg (codeexecution) and openjdk-7 (15.10, 15.04, 14.04: unspecified vulnerability).
Software Freedom Conservancy has announceda major fundraising effort. "Pointing to the difficulty of relying on corporate funding while pursuing important but controversial issues, like GPL compliance, Conservancy has structured its fundraiser to increase individual support. The organization needs at least 750 annual Supporters to continue its basic community services and 2500 to avoid hibernating its enforcement efforts. If Conservancy does not meet its goals, it will be forced to radically restructure and wind down a substantial portion of its operations."
Debian has updated libcommons-collections3-java (unsanitized input data) and symfony (two vulnerabilities).Debian-LTS has updated putty (memory corruption).Fedora has updated grub2 (F23:Secure Boot circumvention), krb5 (F21:multiple vulnerabilities), libpng10 (F23; F22; F21: two vulnerabilities), sblim-sfcb(F23; F22;F21: denial of service), and wpa_supplicant (F22: denial of service).Slackware has updated pcre (code execution).SUSE has updated linux-3.12.32(SLELP12: two vulnerabilities), linux-3.12.36 (SLELP12: two vulnerabilities),linux-3.12.38 (SLELP12: twovulnerabilities), linux-3.12.39 (SLELP12:two vulnerabilities), linux-3.12.43(SLELP12: two vulnerabilities), linux-3.12.44 (SLELP12: two vulnerabilities),and linux-3.12.44 (SLELP12: two vulnerabilities).Ubuntu has updated icedtea-web(15.10, 15.04, 14.04: applet execution) and python-django (15.10, 15.04, 14.04, 12.04: information disclosure).
RAID5 support in the MD driver has been part of mainline Linux since2.4.0 was released in early 2001. During this time it has been usedwidely by hobbyists and small installations, but there hasbeen little evidence of any impact on the larger or "enterprise"sites. Anecdotal evidence suggests that such sites are usually happier with so-called "hardware RAID" configurations where a purpose-builtcomputer, whether attached by PCI or fibre channel or similar,is dedicated to managing the array.This situation could begin to change with the 4.4 kernel, which brings someenhancements to the MD driver that should make itmore competitive with hardware-RAID controllers.
Red Hat has announcedthe release of Red Hat Enterprise Linux 7.2. "New features and capabilities focus on security, networking, and system administration, along with a continued emphasis on enterprise-ready tooling for the development and deployment of Linux container-based applications. In addition, Red Hat Enterprise Linux 7.2 includes compatibility with the new Red Hat Insights, an add-on operational analytics offering designed to increase IT efficiency and reduce downtime through the proactive identification of known risks and technical issues."
Martin Gräßlin looksat the security of the Plasma desktop running under Wayland; it'sbetter than X11, but with some ground yet to cover."Now imagine you want to write a key logger in a Plasma/Waylandworld. How would you do it? I asked myself this question recently, thoughtabout it, found a possible solution and had a key logger in less than 10minutes: ouch."
ThisLibre Graphics World article looks at the challenges faced by the20-year-old GIMP project. "If you've been following GIMP's progressover recent years, you couldn't help yourself noticing the decreasingactivity in terms of both commits (a rather lousy metric) and amount ofparticipants (a more sensible one).'GIMP is dying', say some. 'GIMP developers are slacking', sayothers. 'You've got to go for crowdfunding' is yet another popularnotion. And no matter what, there's always a few whitebearded folks whowould blame the team for not going with changes from the FilmGIMP branch.So what's actually going on and what's the outlook for the project?"
LWN.net