LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2025-09-15 04:00
[$] A GNU C Library update
A traditional feature of the tools track at the Linux Foundation's Collaboration Summit is an update from the developers of the GNU C Library (glibc); that tradition was upheld in fine form at the 2015 event. Glibc developer Roland McGrath noted that while the project is a critical component in vast numbers of Linux installations, it does not have a lot of developers working on it. Still, even with a relatively small developer base, some real progress has been made over the last year.
Tuesday's security updates
Debian has updated kernel (multiple vulnerabilities).
Debian-LTS has updated samba (root code execution).
Fedora has updated php (F21: two vulnerabilities), sox (F21: code execution), sudo (F20: information disclosure), and unzip (F20: multiple vulnerabilities).
Oracle has updated samba (OL7; OL6: root code execution), samba3x (OL5: root code execution), and samba4 (OL6: root code execution).
Red Hat has updated libyaml (RHEL6: denial of service), samba (RHEL7; RHEL6.2, 6.4, 6.5; RHEL6: root code execution), samba3x (RHEL5; RHEL5.6, 5.9: root code execution), and samba4 (RHEL6; RHEL6.4, 6.5: root code execution).
Scientific Linux has updated samba (SL7; SL6,7; SL5: root code execution) and samba4 (SL6: root code execution).
SUSE has updated php5 (SLE12: multiple vulnerabilities).
Ubuntu has updated ca-certificates (certificate update), e2fsprogs (code execution), and samba (14.10, 14.04, 12.04: root code execution).
Morevna Production Report #1
The Beautiful Queen Marya Morevna is a Russian folk tale. The Morevna Project makes anime videos about Morevna, using free software. This progress report covers the status of their newest episode. "Our main animation tool is Synfig Studio and for the past years it was improved a lot. I guess it's needless to say, that the new episode will be produced using the latest development version of Synfig. For current stage of the project it is important to ensure that the tool is stable enough for production, so last weeks we were concentrated on fixing the critical bugs. As result of this work, we have published the first Release Candidate for the new stable version of Synfig Studio, which is going to be numbered as 1.0 by the way." (Thanks to Paul Wise)
GNOME 3.15.90
The first beta in the GNOME 3.15 development series has been released. GNOME 3.15.90 features a new GNOME shell theme, redesigned notifications in GNOME shell, codec installation integrated in gnome-software, a login screen on Wayland, and more.
Security advisories for Monday
CentOS has updated samba (C7; C6: root code execution), samba3x (C5: root code execution), and samba4 (C6: root code execution).
Debian has updated e2fsprogs (incomplete fix for code execution), eglibc (multiple vulnerabilities), ruby-redcloth (cross-site scripting), samba (root code execution), sudo (information disclosure), typo3-src (authentication bypass), and xdg-utils (command execution).
Fedora has updated apache-poi (F21: XML-handling flaws), apache-poi (F20: denial of service), cups (F21: buffer overflow), drupal6-views (F21; F20: multiple vulnerabilities), e2fsprogs (F20: code execution), sudo (F21: information disclosure), and tomcat (F21: multiple vulnerabilities).
Mageia has updated bind (denial of service).
openSUSE has updated glibc (13.2, 13.1: multiple vulnerabilities).
SUSE has updated java-1_6_0-ibm (SLES10 SP4: multiple unspecified vulnerabilities), java-1_7_0-ibm (SLE11 SP3; SLES11 SP2: multiple unspecified vulnerabilities), and samba (SLE12: root code execution).
Remote code execution vulnerability in Samba
The Samba 4.1.17, 4.0.25 and 3.6.25 releases are available; they fix an unpleasant code-execution vulnerability. See this Red Hat security blog entry for more information. "CVE-2015-0240 is a security flaw in the smbd file server daemon. It can be exploited by a malicious Samba client, by sending specially-crafted packets to the Samba server. No [authentication] is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root."
Kernel prepatch 4.0-rc1
Linus has closed the merge window for this release and released 4.0-rc1 — meaning, of course, that the current plan is to call the release "4.0". "But nobody should notice. Because moving to 4.0 does *not* mean that we somehow changed what people see. It's all just more of the same, just with smaller numbers so that I can do releases without having to take off my socks again." The codename has also changed to "Hurr durr I'ma sheep."
Ubuntu 14.04.2 LTS released + 15.04 ("Vivid Vervet") feature freeze
Ubuntu has announced the release of the second point release for its 14.04 long-term support (LTS) series. 14.04.2 comes with an updated kernel and X Window stack to support more hardware, along with "security updates and corrections for other high-impact bugs", all on updated installation media "so that fewer updates will need to be downloaded after installation". It is available for all of the members of the Ubuntu clan: Kubuntu, Edubuntu, Xubuntu, Mythbuntu, Ubuntu GNOME, Lubuntu, Ubuntu Kylin, and Ubuntu Studio. One other note from the Ubuntu world: a feature freeze is in effect for 15.04 ("Vivid Vervet"), which is due in April.
Green: Another update on the Truecrypt audit
On his blog, Matthew Green gives an update on the plans to audit the TrueCrypt disk encryption tool. Green led an effort in 2013 to raise money for an audit of the TrueCrypt source code, which sort of ran aground when TrueCrypt abruptly shut down in May 2014. "It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We're now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group's Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price -- and make your donations stretch farther -- we allowed the start date to be a bit flexible, which is why we don't have results yet."
GDB 7.9 released
Version 7.9 of the GDB debugger is out. Changes include enhancements to the Python scripting API, the ability to compile and inject code into the debugged program, signal-handling improvements, and more.
Friday's security updates
Debian has updated libreoffice (denial of service).
Fedora has updated cups (F20: code execution), dbus (F20: denial of service), and freetype (F21; F20: many vulnerabilities).
Mageia has updated cpio (privilege escalation), kernel-linus (many vulnerabilities, two from 2013), kernel-rt (many vulnerabilities, two from 2013), kernel-tmb (many vulnerabilities, two from 2013), kernel-vserver (many vulnerabilities, two from 2013), ruby-sprockets (information disclosure), sudo (information disclosure), and tomcat (HTTP request smuggling).
openSUSE has updated tigervnc (13.2: information leak/denial of service) and xorg-x11-server (13.2, 13.1: information leak/denial of service).
Red Hat has updated openstack-glance (access restriction bypass).
SUSE has updated java-1_7_0-openjdk (many vulnerabilities, lots unspecified).
Ubuntu has updated nss (TLS certificate update).
EFF: Lenovo is breaking HTTPS security on its recent laptops
Here is a statement from the Electronic Frontier Foundation on the revelation that Lenovo has been shipping insecure man-in-the-middle malware on its laptops. "Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users. The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken." For additional amusement, see Lenovo's statement on the issue. There are a lot of Lenovo users in LWN's audience. Presumably most of them have long since done away with the original software, but those who might have kept it around would be well advised to look into the issue; this site can evidently indicate whether a machine is vulnerable or not.
Security updates for Thursday
Debian has updated bind9 (denial of service).
Debian-LTS has updated linux-2.6 (multiple vulnerabilities, one from 2013).
Fedora has updated drupal7-path_breadcrumbs (F21; F20: access restriction bypass).
openSUSE has updated perl-YAML-LibYAML (13.2, 13.1: multiple vulnerabilities, one each from 2013 and 2012) and php5 (13.2, 13.1: multiple vulnerabilities).
SUSE has updated xntp (SLE10 SP4: multiple vulnerabilities).
Ubuntu has updated bind9 (14.10, 14.04, 12.04: denial of service).
[$] LWN.net Weekly Edition for February 19, 2015
The LWN.net Weekly Edition for February 19, 2015 is available.
Security advisories for Wednesday
Fedora has updated file (F21: multiple vulnerabilities).
Gentoo has updated chromium (multiple vulnerabilities).
Mageia has updated dbus (denial of service), glibc (two vulnerabilities), kernel (multiple vulnerabilities), patch (multiple vulnerabilities), postgresql (multiple vulnerabilities), and x11-server (information leak/denial of service).
openSUSE has updated mdadm (13.2: command injection).
Ubuntu has updated php5 (14.10, 14.04, 12.04: multiple vulnerabilities) and unzip (14.10, 14.04, 12.04: code execution).
FreeBSD random number generator broken for last 4 months
As several LWN readers have pointed out, John-Mark Gurney posted a message to the freebsd-current mailing list on February 17 noting that the random number generator (RNG) in the FreeBSD "current" kernel has been broken for the last four months. "If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. read_random(9) is used by arc4random(9) which is the primary method that arc4random(3) is seeded from. This means most/all keys generated may be predictable and must be regenerated. This includes, but not limited to, ssh keys and keys generated by openssl. This is purely a kernel issue, and a simple kernel upgrade w/ the patch is sufficient to fix the issue."
Where do we stand 30 years after the founding of the Free Software Foundation? (Opensource.com)
Opensource.com has an interview with John Sullivan, Executive Director of FSF. "I stay involved because I think it's one of the most important social movements in existence, and it needs help—a lot of help. As more and more of the world's social, cultural, economic, and political interactions are mediated by technology, control over the technology becomes incredibly important for the exercise of any basic individual freedoms. I love the people I meet in this work, and the enormity of the challenge."
Security updates for Tuesday
Fedora has updated libvirt (F20: two vulnerabilities) and qemu (F20: privilege escalation).
openSUSE has updated dbus-1 (13.2, 13.1: denial of service).
Slackware has updated patch (symlink attack), seamonkey (multiple vulnerabilities), and sudo (information disclosure).
SUSE has updated bind (SLES11 SP2: denial of service), clamav (SLES11 SP1,2,3, SLES10 SP4: multiple vulnerabilities), java-1_6_0-ibm (SLEM LS12: two unspecified vulnerabilities), java-1_7_1-ibm (SLE12: two unspecified vulnerabilities), and ntp (SLES11 SP1: multiple vulnerabilities).
Ubuntu has updated xorg-server, xorg-server-lts-trusty, xorg-server-lts-utopic (14.10, 14.04, 12.04: two vulnerabilities).
Wayland 1.7.0
Bryce Harrington has announced the release of Wayland 1.7.0. "The Wayland protocol may be considered "done" but that doesn't mean there's not work to be done. This release focused on major improvements to Wayland's documentation, minor improvements to the testsuite, and some scattered bugfixes to the code itself."
Security advisories for Monday
Debian-LTS has updated e2fsprogs (code execution) and nss (two vulnerabilities).
Fedora has updated android-tools (F21: code execution), bugzilla (F21; F20: command injection), community-mysql (F20: multiple unspecified vulnerabilities), dbus (F21: denial of service), libvirt (F21: multiple vulnerabilities), moodle (F21: multiple vulnerabilities), mutt (F21; F20: denial of service), ntp (F21; F20: two vulnerabilities), perl-Gtk2 (F21; F20: code execution), pigz (F21; F20: directory traversal), postgresql (F20: multiple vulnerabilities), puppetlabs-stdlib (F21; F20: privilege escalation), roundcubemail (F21; F20: cross-site scripting), rubygem-actionpack (F21: two information leaks), rubygem-sprockets (F21; F20: directory traversal), unzip (F21: multiple vulnerabilities), and virt-who (F21: information leak).
Gentoo has updated cpio (two vulnerabilities), libpng (memory overwrite), and oracle-jre-bin (multiple vulnerabilities).
Mageia has updated cups (buffer overflow), krb5 (multiple vulnerabilities), and rsync (denial of service).
SUSE has updated krb5 (SLE12; SLE12: multiple vulnerabilities) and ntp (SLES11 SP2: multiple vulnerabilities).
deb.haskell.org compromised
The Haskell.org site is currently reporting that its Debian package repository, deb.haskell.org, has been compromised. "`deb.haskell.org` was already offline and suspended shortly after these traffic changes were detected by the host monitoring system, meaning the window for package compromise was very very small. We're continuing to investigate the breach and the extent to which it might have spread."
[$] Scalar typing in the PHP world
When one thinks about the PHP language, terms like "strong typing" and "strict checking" do not normally come to mind. But, as the project works toward its next major release (to be called PHP 7), it has become embroiled in a fierce debate over the proposed addition of some simple typing features to the language. To some, PHP is growing up into a safer, better-defined language, while others see the changes as possibly destroying the character of a historically freewheeling language. Click below (subscribers only) for the full article.
Help Linus decide what to call the next kernel
Do you have an opinion on whether the next kernel release should be called 3.20 or 4.0? Linus is currently running a poll on Google+ to get a sense for what people would prefer. "So - continue with v3.20, because bigger numbers are sexy, or just move to v4.0 and reset the numbers to something smaller?" As of this writing, the 4.0 option appears to be winning.
Friday's security updates
openSUSE has updated clamav (13.1, 13.2: multiple vulnerabilities), roundcubemail (13.1, 13.2: cross-site scripting), and tcpdump (13.1, 13.2: multiple vulnerabilities).
SUSE has updated ntp (SLES/SLED12: multiple vulnerabilities).
Ubuntu has updated clamav (10.04: code execution).
Linux for Astronomers (Linux Journal)
Over at Linux Journal, Joey Bernard looks at Distro Astro, which is a Linux distribution for astronomy. It collects programs of interest to those running telescopes and planetariums, including various image collection and processing applications. "After aiming your telescope, you need to collect some images or do some astrophotography. While you can do some of this with software like KStars, you have software specifically designed to do image capture. Some, like wxAstroCapture, are specifically written for use in astronomy. With it, you can set up automatic guiding and batch image collection. You then can go have a nice hot cup of coffee while your telescope collects your data. To help you keep track of all of these observations, you can use the Observation Manager, a logging program to maintain your records."
Security advisories for Thursday
Debian has updated dbus (denial of service) and xorg-server (information leak/denial of service).
Debian-LTS has updated postgresql-8.4 (multiple vulnerabilities).
Mageia has updated chromium-browser-stable (multiple vulnerabilities), e2fsprogs (code execution), hivex (privilege escalation), ntp (two vulnerabilities), owasp-esapi-java (crypto botch from 2013), perl-Gtk2 (code execution), and xdg-utils (code execution).
Mandriva has updated e2fsprogs (code execution), elfutils (privilege escalation), ntp (two vulnerabilities), perl-Gtk2 (code execution), and postgresql (multiple vulnerabilities).
openSUSE has updated jython (13.2, 13.1: code execution from 2013).
Oracle has updated kernel (OL5: two vulnerabilities) and kernel (OL5: unspecified vulnerabilities).
Scientific Linux has updated subversion (SL7: three vulnerabilities).
SUSE has updated krb5 (SLE11 SP3: multiple vulnerabilities) and ntp (SLE11 SP3: multiple vulnerabilities).
Ubuntu has updated postgresql-8.4, postgresql-9.1, postgresql-9.3, postgresql-9.4 (multiple vulnerabilities).
[$] LWN.net Weekly Edition for February 12, 2015
The LWN.net Weekly Edition for February 12, 2015 is available.
[$] Matrix: a new specification for federated realtime chat
The free-software community has frequently advocated the development of new decentralized, federated network services—for example, promoting XMPP as an alternative to AOL Instant Messenger, StatusNet as an alternative to Twitter, or Diaspora as an alternative to Facebook. The recently launched Matrix project takes on a different service: IRC-like multi-user chat.
Stable kernel updates
Greg KH has released another batch of stable kernels: 3.18.7, 3.14.33, and 3.10.69. All contain the usual set of important updates.
Security advisories for Wednesday
CentOS has updated kernel (C5: denial of service) and subversion (C7; C6: multiple vulnerabilities).
Debian has updated ruby1.8 (denial of service).
openSUSE has updated krb5 (13.2: multiple vulnerabilities) and xen (13.2: multiple vulnerabilities).
Oracle has updated subversion (OL7; OL6: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6 Supplementary: multiple vulnerabilities), kernel (RHEL5: denial of service), and subversion (RHEL7; RHEL6: multiple vulnerabilities).
Scientific Linux has updated kernel (SL5: denial of service), shim (SL7: multiple vulnerabilities), and subversion (SL6: two vulnerabilities).
Ubuntu has updated krb5 (multiple vulnerabilities) and oxide-qt (14.10, 14.04: multiple vulnerabilities).
GCC 5 in Fedora (Red Hat developer blog)
Last week the Red Hat developer blog looked at some changes coming with GCC 5. This week's article covers how those changes will be handled in Fedora. "One consequence of this decision will be that Fedora 22 and Fedora 23 will both have GCC 5, but they'll be fundamentally different. The C++ library (libstdc++.so) will be compatible between F22 and F23 (in fact, it will be almost exactly the same, modulo some extra patches from upstream that might be pulled into the later F23 build). The difference will be all the other DSOs that link to it. That's important for Fedora developers to note. Specifically, FESCo's decision means the C++ standard library headers installed by the libstdc++-devel RPM will have a different default value for the _GLIBCXX_USE_CXX11_ABI macro (0 in F22 and 1 in F23) but the libstdc++.so library will be largely the same in F22 and F23, because that library contains all the symbol definitions for both the old ABI and the new ABI, so that the same library works for both cases."
Tuesday's security updates
Debian has updated ruby1.9.1 (multiple vulnerabilities) and unrtf (code execution).
Mageia has updated clamav (heap overflow), moodle (information disclosure), and polarssl (code execution).
Mandriva has updated cabextract (denial of service), clamav (heap overflow), glibc (code execution), otrs (privilege escalation), and zarafa (denial of service).
openSUSE has updated curl (13.2, 13.1: two vulnerabilities), grep (13.2: heap buffer overrun), llvm (13.1: insecure temporary files), openvas-manager (13.2: sql injection), and rsync (13.2, 13.1: code execution).
Ubuntu has updated binutils (multiple vulnerabilities) and ntp (two vulnerabilities).
ownCloud Server 8 released
Version 8 of the ownCloud server is available. "This new release brings improved sharing and collaboration between clouds and introduces faster ways of getting at your files with favorites and improved search." See the feature page for details.
Security advisories for Monday
Debian has updated liblivemedia (code execution), libxml2 (regression/incomplete fix in previous update), and ntp (incomplete fix in previous update).
Debian-LTS has updated krb5 (multiple vulnerabilities), libxml2 (regression/incomplete fix in previous update), ntp (multiple vulnerabilities), sympa (information disclosure), unzip (two vulnerabilities), and wpasupplicant (command execution).
Fedora has updated e2fsprogs (F21: code execution), jasper (F21; F20: two vulnerabilities), kernel (F20: two vulnerabilities), mantis (F21; F20: multiple vulnerabilities), maradns (F20: security hardening), postgresql (F21: multiple vulnerabilities), and websvn (F21; F20: information disclosure).
Gentoo has updated adobe-flash (multiple vulnerabilities), antiword (denial of service), bind (denial of service), libav (multiple vulnerabilities), libevent (code execution), mediawiki (multiple vulnerabilities), nginx (information disclosure), and tcpdump (multiple vulnerabilities).
Mageia has updated flash-player-plugin (multiple vulnerabilities).
openSUSE has updated flash-player (13.2, 13.1; 11.4: multiple vulnerabilities), privoxy (13.2, 13.1: multiple vulnerabilities), unzip (13.2, 13.1: code execution), virtualbox (13.2, 13.1: multiple vulnerabilities), and vorbis-tools (13.2, 13.1: denial of service).
Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).
SUSE has updated flash-player (SLE12: multiple vulnerabilities) and flash-player, flash-player-gnome, flash-player-kde4 (SLE11 SP3: multiple vulnerabilities).