The 4.1-rc7 prepatch is out."Normally rc7 tends to be the last rc release, and there's not a lotgoing on to really merit anything else this time around. However, we dostill have some pending regressions, and as mentioned last week I also havemy yearly family vacation coming up, so we'll have an rc8 and an extra weekbefore 4.1 actually gets released."
The Let's Encrypt project has announced that it has created the root and intermediate keys and certificates it will use to sign certificates. Let's Encrypt is the no-cost certificate authority announced by the Electronic Frontier Foundation (EFF) back in November. In April, the Linux Foundation announced that it would be hosting the project. "The keys and certificates that will underlie Let’s Encrypt have been generated. This was done during a key ceremony at a secure facility today." The intermediate certificates will be cross-signed by IdenTrust so that they will be accepted by browsers before the Let's Encrypt root certificate has been propagated. A bit more news from the blog post: "In the next few weeks, we’ll be saying some more about our plans for going live."
Arch Linux has updated pcre (codeexecution).CentOS has updated openssl (C7; C6: cipherdowngrade).Fedora has updated batik (F22; F21; F20: information leak), netty (F21: httpOnly cookie bypass), andpcs (F22; F21; F20: two vulnerabilities).openSUSE has updated e2fsprogs (13.2; 13.1:two vulnerabilities) and fuse (13.1:privilege escalation).Oracle has updated openssl (OL7; OL6:cipher downgrade).Red Hat has updated openssl(RHEL6&7: cipher downgrade).
GNU Octave, which is ahigh-level programming language for numerical computations that is largelycompatible with MATLAB, has made its 4.0 release. There are lots of newfeatures in this major release, which are described in the release notes.Some of those features include defaulting to the graphical user interfaceinstead of the command-line interface, OpenGL graphics and Qt widgets bydefault, a new syntax for object-oriented programming usingclassdef, audio functions, better MATLAB compatibility, and more.
Debian has updated libapache-mod-jk (information disclosure).Debian-LTS has updated mercurial(two code execution flaws).Oracle has updated kernel (OL5:unspecified vulnerabilities).Red Hat has updated php54(RHSC6&7: multiple vulnerabilities), php55 (RHSC6&7: multiple vulnerabilities),python27 (RHSC6&7: multiplevulnerabilities, two from 2013), and thermostat1 (RHSC6&7: code execution).Ubuntu has updated t1utils(14.10, 14.04: code execution).
Here's anarticle on the Red Hat security blog on the use of Systemtap to applyemergency security fixes. "With the vulnerability-band-aid approachchosen, we need to express our intent in the systemtap scriptinglanguage. The model is simple: for each place where the state change is tobe done we place a probe. In each probe handler, we detect whether thecontext indicates an exploit is in progress and, if so, make changes to thecontext. We might also need additional probes to detect and capture statefrom before the vulnerable section of code, for diagnosticpurposes."
At the 2015 Automotive Linux Summit in Tokyo, Dan Cauchy from theLinux Foundation (LF) kicked off the first day's program with anannouncement: that the LF's Automotive Grade Linux (AGL) workgroup hasdecided to build its own Linux distribution, which it plans to run asan ongoing, long-term project. While the desire for aworkgroup to create a distribution tailored to its needs is nothingnew, the announcement had several in the crowd wondering what thisdecision meant for Tizen IVI—which, up until now, has served asthe reference distribution for AGL. Tizen, of course, is also anLF-hosted project, and it has made in-vehicle infotainment (IVI) oneof its high-priority use cases.
The OpenVZ team has announcedthe open source code release of several Virtuozzo userspace utilities. Theutilities include prlctl, a unified command line tool to manage virtualmachines and containers; libprlsdk, Virtuozzo API C++ and python libraries,used for local and remote communications with a dispatcher managementservice; prl-disp-service, a primary Containers and Virtual machinesmanagement service; libvzctl, a low-level library for Containersmanagement; libvzevent, a low-level library for Containers life-cyclenotifications from the kernel; vzctl, a utility to control a Containers;and vztt, a utility for Containers templates management.
Linux.com talkswith Dan Cauchy, general manager of automotive at the Linux Foundation,about the release of the AGL Requirements Specification. "In July2014, AGL released its first AGL reference platform built on the Tizen IVI platform running HTML5 apps. The new release instead details precise specifications and requirements for any AGL-compliant IVI stack. For the first time, automakers, automotive suppliers, and open source developers can collaborate on refining the spec -- the first draft of a common, Linux-based software stack for the connected car."
Firefox 38.0.5 has been released. This version introduces Pocket, whichhelps you keep track of articles and videos. Clean formatting for articlesand blog posts with Reader View is also a new feature. See the releasenotes for more information.
Software Freedom Conservancy has announceda long-term campaign to increase education and understanding aboutcommunity-driven GPL enforcement processes. "Conservancy invitesdevelopers and other Open Source and Free Software contributors to emailtheir questions on GPL enforcement to<enforcement-questions@sfconservancy.org>. Conservancy cannot promiseto answer every question; Conservancy will use the collected questions overthe coming months to provide more educational and informational materialsabout GPL enforcement, and in particular about Conservancy's GPL Compliance Project for Linux Developers."
Mauro Carvalho Chehab, the maintainer of the kernel's media subsystem, hasposted the first two in a series of articles on digital video broadcastingsupport in Linux. Part 1gives an overview of how the devices and protocols work, while part 2looks at digital TV network interface use. "Supporting embeddedDigital TV hardware is complex, considering that such hardware generallyhas multiple components that can be rewired in runtime to dynamicallychange the stream pipelines and provide flexibility for things likerecording a video stream, then tuning into another channel to see adifferent program. This article describes how the DVB pipelines are setupand the needs that should be addressed by the Linux Kernel."
At his blog, Chris Ball announces "GitTorrent," his new project designed to let developers host Git repositories on BitTorrent. The system takes advantage of Git's ability to run over arbitrary network protocols. "We ask for the commit we want and connect to a node with BitTorrent, but once connected we conduct this Smart Protocol negotiation in an overlay connection on top of the BitTorrent wire protocol, in what’s called a BitTorrent Extension. Then the remote node makes us a packfile and tells us the hash of that packfile, and then we start downloading that packfile from it and any other nodes who are seeding it using Standard BitTorrent. We can authenticate the packfile we receive, because after we uncompress it we know which Git commit our graph is supposed to end up at; if we don’t end up there, the other node lied to us, and we should try talking to someone else instead." The project is, obviously, a new one that still has important ground to cover—such as dealing with comments or pull requests—but there are interesting ideas to consider already.
The Document Foundation has announced the availability of the LibreOfficeviewer for Android systems. And it's not just for viewing:"LibreOffice Viewer also offers basic editing capabilities, like modifying words in existing paragraphs and changing font styles such asbold and italics.Editing is still an experimental feature which has to be enabledseparately in the settings, and is not stable enough for missioncritical tasks."
The folks at Banyan have looked into thesecurity state of the images stored on Docker Hub and published theirresults. "More than a third of all images have highpriority vulnerabilities and close to two-thirds have high or mediumpriority vulnerabilities. These statistics are especially troublesomebecause these images are also some of the most downloaded images (severalof them have hundreds of thousands of downloads)."
Arch Linux has updated curl(information leak).Debian-LTS has updated dulwich(code execution), eglibc (code execution),exactimage (denial of service), and libnokogiri-ruby (information disclosure from 2012).Fedora has updated ca-certificates (F20: CA update),hostapd (F21; F20: denial of service), java-1.8.0-openjdk (F20: insecure tmp fileuse), LibRaw (F21: denial of service), mingw-LibRaw (F21: denial of service), openslp (F20: two denial of service flaws, onefrom 2010, one from 2012), php (F21;F20: multiple vulnerabilities), postgresql (F22: three vulnerabilities), andrawtherapee (F22: denial of service).Mageia has updated fuse(privilege escalation), kernel-linus(denial of service), and kernel-tmb (denial of service).openSUSE has updated glibc,glibc-testsuite, glibc-utils, glibc.i686 (13.2, 13.1: two vulnerabilities).SUSE has updated firefox (SLE12:multiple vulnerabilities).
In 2013, we reported that SourceForge.net had started to redirectthe download links clicked on by some users, providing those users with aninstaller program that bundled in not just the software the user hadrequested, but a set of side-loaded "utilities" as well. The practiceraised the ire of many in the community, even though it was anoptional service that SourceForge offered to project owners. Mattersmay have changed recently, however, as the GIMP project discovered that"GIMP for Windows" downloads had suddenly become side-loadinginstallers—and that the project could no longer access the SourceForgeaccount that was used to distribute them.
LWN staff celebrated the US Memorial Day holiday on Monday this week, sothe Weekly Edition will come out on the holiday schedule — one day laterthan usual. We will return to our normal schedule next week. Thank youall, as always, for supporting LWN.
Ars Technica reportsthat the US Justice Department has sided with Oracle in its dispute withGoogle. "The dispute centers on Google copying names, declarations, and header lines of the Java APIs in Android. Oracle filed suit, and in 2012, a San Francisco federal judge sided with Google. The judge ruled that the code in question could not be copyrighted. Oracle prevailed on appeal, however. A federal appeals court ruled that the "declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection."Google maintained that the code at issue is not entitled to copyrightprotection because it constitutes a "method of operation" or "system" thatallows programs to communicate with one another." (Thanks to Martin Michlmayr)
Debian has updated ntfs-3g(incomplete fix in previous update).Debian-LTS has updated ntfs-3g(incomplete fix in previous update).Red Hat has updated kernel(RHEL6.4: privilege escalation) and qemu-kvm (RHEL6.5: code execution).Ubuntu has updated ntfs-3g(15.04: incomplete fix in previous update) and openldap (15.04, 14.10, 14.04, 12.04: denial of service).
The GNOME community is mourning the loss of developer Marco Pesenti Gritti,who passed away on May 23. "He was the most passionate and dedicated hacker I knew, and I know he wasextremely respected in the GNOME community, for his work on Epiphany,Evince and Sugar among many others, just like he was at litl. Those whoknew him personally know he was also an awesome human being."
Scott Kitterman has posted aseries of emails around the the Ubuntu Community Council's decision toremove Jonathan Riddell as the leader of the Kubuntu project. He has alsostatedhis intent to leave the Ubuntu community. "I also wish to extendmy personal apology to the Kubuntu community for keeping this private foras long as we did. Generally, I don’t believe such an approach isconsistent with our values, but I supported keeping it private in the hopethat it would be easier to achieve a mutually beneficial resolution of thesituation privately. Now that it’s clear that is not going to happen, I(and others in the KC) could not in good faith keep this private."
If you run PostgreSQL and have applied one of the updates that werereleased on May 22, it would be a good idea to read thispage about an unfortunate bug in those releases. In somecases, the problem can cause the server to fail to restart after a crash.There is a new release in the works; meanwhile, a workaround is available.
Ars Technica takesa look at the latest malware threat. "A worm that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fraudulent Instagram, Twitter, and Vine accounts as well as fake accounts on other social networks. The new worm can also hijack routers' DNS service to route requests to a malicious server, steal unencrypted social media cookies such as those used by Instagram, and then use those cookies to add "follows" to fraudulent accounts. This allows the worm to spread itself to embedded systems on the local network that use Linux-based operating systems.The malware, dubbed "Linux/Moose" by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device."
The Fedora 22 release is out. "If this release had ahuman analogue, it'd be Fedora 21 after it'd been to college,landed a good job, and kept its New Year's Resolution to go to thegym on a regular basis. What we're saying is that Fedora 22 hasbuilt on the foundation we laid with Fedora 21 and the work tocreate distinct editions of Fedora focused on the desktop, server,and cloud (respectively). It's not radically different, but thereare a fair amount of new features coupled with features we'vealready introduced but have improved for Fedora 22." LWN's preview of Fedora 22 was published in theMay 21 Weekly Edition.
An anonymous reader has pointed out that Mandriva iscurrently being liquidated (page in French). The company brought in€553,000 in 2013, but that is seemingly not enough to keep it going in2015. It is a sad end for a company that has been pursuing the desktopLinux dream since 1998.
The fifth 4.1 prepatch is out for testing."So we're on schedule for a normal 4.1 release, if it wasn't for thefact that the timing looks like the next merge window would hit our yearlyfamily vacation. So we'll see how that turns out, I might end up delayingthe release just to avoid that (or just delay opening the mergewindow)."
There have been two bugs causing filesystem corruption in the newsrecently. One of them, a bug in ext4, has gotten the bulk of theattention, despite the fact that it is an old bug that is hard to trigger.The other, however, is recent and able to cause data loss onfilesystems installed on a RAID 0 array. Both are interestingexamples of how things can go wrong, and, thus, merit a closer look.
At his blog, Bastien Nocera announcesthe 1.0 release of iio-sensor-proxy,a framework for accessing the various environmental sensors (e.g.,accelerometer, magnetometer, proximity, or ambient-light sensors) builtin to recent laptops. The proxy is a daemon that listens to theIndustrial I/O (IIO) subsystem and provides access to the sensorreadings over D-Bus. As of right now, support for ambient-lightsensors and accelerometers is working; other sensor types are indevelopment. The current API is based on those used by Android andiOS, but may be expanded in the future. "For future versions,we'll want to export the raw accelerometer readings, so thatapplications, including games, can make use of them, which might bringup security issues. SDL, Firefox, WebKit could all do with beingadapted, in the near future."
The announcement of Clear Containers (which guest author Arjan van de Ven described in an LWN article from this week) seems to have sparked some interesting work on QEMU that resulted in qboot: "a minimal x86 firmware that runs on QEMU and, together witha slimmed-down QEMU configuration, boots a virtual machine in 40milliseconds on an Ivy Bridge Core i7 processor." Paolo Bonzini announced the project (code is available at git://github.com/bonzini/qboot.git), which is quite new: "The first commit to qboot is more or less 24 hours old, so there isdefinitely more work to do, in particular to extract ACPI tables fromQEMU and present them to the guest. This is probably another day ofwork or so, and it will enable multiprocessor guests with little or noimpact on the boot times. SMBIOS information is also available from QEMU."
Debian has updated libmodule-signature-perl (multiple vulnerabilities).Debian-LTS has updated dnsmasq(information disclosure).Fedora has updated wordpress (F21; F20:three vulnerabilities).Oracle has updated docker (OL7; OL6: multiple vulnerabilities).Red Hat has updated java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities, one from 2005)and java-1.7.1-ibm (RHEL6&7: multiple vulnerabilities, onefrom 2005).SUSE has updated gstreamer-0_10-plugins-bad (SLE11SP3: codeexecution) and xen (SLE12: multiple vulnerabilities).
The PostgreSQL development community is working toward the 9.5 release,currently planned for the third quarter of this year. Development activityis at peak levels as the planned feature freeze for this release approaches.While this activity is resulting in the merging of some interestingfunctionality, including the long-awaited "upsert" feature,it is also revealing some fault lines within the community. The fact that PostgreSQLlacks the review resources needed to keep up with its natural rate ofchange has been understood for years; many other projects suffer from thesame problem. But the pressures on PostgreSQL seem to be becoming moreacute, leading to concerns about fairness in the community and thedurability of the project's cherished reputation for high-quality software.
Lars Knoll marks the20th anniversary of the Qt toolkit on the Qt blog. "From thebeginning, Qt has been released with both open source and commerciallicensing options. Over the years, we have worked on expanding this model,and nowadays, Qt is actually developed as an open source project. In thissense Qt is actually in a rather unique position, having a strong ecosystemwith passionate people, as well as a commercial entity behind it, whichbacks up and funds most of the development."
Over at Linux.com, John Mark Walker examineswhy companies aren't making money on pure open source ventures. "It is not that there is no money in selling open source software, but rather that the business models have shifted. Whereas, under the old proprietary world, a larger percentage of money went to pure software vendors, now that money has spread among a larger spectrum of companies and industries; lots of people get paid to work on or with open source software, but an increasing number of them don’t work for software vendors, per se. In addition to looking in all the wrong places, the current investment model is suspicious of an open source approach. The vast majority of venture capitalists, especially in Silicon Valley, are very risk averse and shy away from open source products that, in their view, will not give as large a return on their investment. In order to secure the funding required to scale a company, investors will frequently require that the startup company include proprietary bits as tools to increase revenue and margins. These two factors - diffusion of revenue and risk-averse investors - combine to both give a false impression and, in part due to the false impression, prevent pure open source software vendors from getting funding."
Linux Journal takes alook at the C.H.I.P. mini-computer, an open software and hardwaredevice that comes with a Debian-based OS. "The official public release is scheduled for next year, but crowdfunding backers will be able to land a "Kernel Hacker" package this September. This package is aimed at Linux developers who want to help to contribute to kernel modifications for the C.H.I.P. before its final release."
Linus has released the 4.1-rc4 kernelprepatch, saying: "So here it is, last-minute fix and all. The -rc4patch is a bit bigger than the previous ones, but that seems to be mainlydue to normal random timing - just the fluctuation of when submaintainertrees get pushed."
Arch Linux has updated thunderbird (multiple vulnerabilities).CentOS has updated thunderbird(C7: multiple vulnerabilities).Debian has updated libmodule-signature-perl (multiple vulnerabilities).Debian-LTS has updated dpkg (integrity-verification bypass), nbd (denial of service), and tiff (multiple vulnerabilities).Fedora has updated java-1.8.0-openjdk (F21: unspecifiedvulnerability), NetworkManager (F21: denialof service), phpMyAdmin (F21; F20: two vulnerabilities), qemu (F21: code execution), and t1utils (F21; F20: multiple vulnerabilities).Mageia has updated ruby-rest-client (two vulnerabilities) and virtualbox (code execution).openSUSE has updated flash-player(11.4: multiple vulnerabilities), qemu (13.2; 13.1:code execution), and firefox (11.4: multiple vulnerabilities).Red Hat has updated thunderbird(RHEL5,6,7: multiple vulnerabilities).Slackware has updated thunderbird (multiple vulnerabilities).SUSE has updated KVM (SLE11SP3:code execution), qemu (SLE12: two vulnerabilities), and spice (SLE12; SLESDK12: denial of service).
LWN.net