
Welcome to LWN.net

LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.

[$] LWN.net Weekly Edition for September 1, 2016
Posted Sep 1, 2016 1:39 UTC (Thu)

The LWN.net Weekly Edition for September 1, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: GNOME privacy; Token-based authorship information from Git; GPL enforcement.
  • Security: State of the Kernel Self Protection Project; New vulnerabilities in freeipa, mediawiki, phpmyadmin, webkitgtk4, ...
  • Kernel: Inside the mind of a Coccinelle programmer; Atomic patterns.
  • Distributions: Trying out openSUSE Tumbleweed; Maru OS, Fedora, openSUSE, ...
  • Development: Extending GNOME Software; Twisted 16.4; Pump.io 1.0.0; NetworkManager 1.4; ...
  • Announcements: Events.

Anticipating KDE's 20th anniversary
[Development] Posted Sep 6, 2016 6:38 UTC (Tue) by corbet

The announcement of a project to develop the "Kool Desktop Environment" went out on October 14, 1996. As the 20th anniversary of that announcement approaches, the KDE project is celebrating with a project timeline and a 20 Years of KDE book. "This book presents 37 stories about the technical, social and cultural aspects that shaped the way the KDE community operates today. It has been written as part of the 20th anniversary of KDE. From community founders and veterans to newcomers, with insights from different perspectives and points of view, the book provides you with a thrilling trip through the history of such an amazing geek family."

Comments (none posted)

[$] The kernel community confronts GPL enforcement
[Front] Posted Aug 31, 2016 19:11 UTC (Wed) by corbet

Some of the most important discussions associated with the annual Kernel Summit do not happen at the event itself; instead, they unfold prior to the summit on the planning mailing list. There is value in learning what developers feel needs to be talked about and, often, important issues can be resolved before the summit itself takes place. That list has just hosted (indeed, is still hosting as of this writing) a voluminous discussion on license enforcement that was described by some participants as being "pointless" or worse. But that discussion has served a valuable purpose: it has brought to the light a debate that has long festered under the surface, and it has clarified where some of the real disagreements lie.

Full Story (comments: 50)

Kernel prepatch 4.8-rc5
[Kernel] Posted Sep 5, 2016 6:56 UTC (Mon) by corbet

The 4.8-rc5 kernel prepatch is available for testing. "So rc5 is noticeably bigger than rc4 was, and my hope last week that we were starting to calm down and shrink the releases seems to have been premature. [...] Not that any of this looks worrisome per se, but if things don't start calming down from now, this may be one of those releases that will need an rc8. We'll see."

Comments (none posted)

[$] Trying out openSUSE Tumbleweed
[Distributions] Posted Aug 27, 2016 5:22 UTC (Sat) by corbet

While distribution-hopping is common among newcomers to Linux, longtime users tend to settle into a distribution they like and stay put thereafter. In the end, Linux distributions are more alike than different, and one's time is better spent getting real work done rather than looking for a shinier version of the operating system. Your editor, however, somehow never got that memo; that's what comes from ignoring Twitter, perhaps. So there is a new distribution on the main desktop machine; this time around it's openSUSE Tumbleweed.

Full Story (comments: 7)

Z-Wave protocol specification now public
[Development] Posted Sep 2, 2016 22:58 UTC (Fri) by n8willis

The Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.

Comments (7 posted)

LWN.net Weekly Edition for August 25, 2016
Posted Aug 25, 2016 2:24 UTC (Thu)

The LWN.net Weekly Edition for August 25, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: 25 Years of Linux; Mass-transit in GNOME Maps.
  • Security: A different sort of "Fake Linus Torvalds"; New vulnerabilities in firewalld, glibc, gnupg, kernel, ...
  • Kernel: Restartable sequences; Btrfs; Network filtering for control groups; MMIO operations.
  • Distributions: Bringing OSTree to real-world desktops.
  • Development: GNOME updates from GUADEC; KDE Applications 16.08; Introducing OpenStreetView; Mozilla rebranding; ...
  • Announcements: Gilles Chanteperdrix; Event calendars.

Friday's security updates
[Security] Posted Sep 2, 2016 15:43 UTC (Fri) by n8willis

Arch Linux has updated chromium (multiple vulnerabilities) and webkit2gtk (multiple vulnerabilities).

Debian has updated libidn (multiple vulnerabilities).

Debian-LTS has updated mailman (password disclosure).

Fedora has updated canl-c (F24; F23: proxy manipulation), krb5 (F23: denial of service), libksba (F24: denial of service), openvpn (F23: information disclosure), tomcat (F24; F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities).

openSUSE has updated karchive (SLE12: command execution).

Oracle has updated ipa (O7; O6: denial of service).

Comments (none posted)

25 Years of Linux — so far
[Front] Posted Aug 24, 2016 16:26 UTC (Wed) by corbet

On August 25, 1991, an obscure student in Finland named Linus Benedict Torvalds posted a message to the comp.os.minix Usenet newsgroup saying that he was working on a free operating system as a project to learn about the x86 architecture. He cannot possibly have known that he was launching a project that would change the computing industry in fundamental ways. Twenty-five years later, it is fair to say that none of us foresaw where Linux would go — a lesson that should be taken to heart when trying to imagine where it might go from here.

Full Story (comments: 21)

Suspect in kernel.org breakin arrested
[Announcements] Posted Sep 2, 2016 14:08 UTC (Fri) by corbet

The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. "[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers."

Comments (19 posted)

LWN.net Weekly Edition for August 18, 2016
Posted Aug 18, 2016 0:16 UTC (Thu)

The LWN.net Weekly Edition for August 18, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: VMware lawsuit; GNOME Newcomers; GTK+ Flowgraphs.
  • Security: Resisting the centralization of network infrastructure; New vulnerabilities in imagemagick, kernel, postgresql, squid, ...
  • Kernel: The stalled CPU controller; Filesystem mounts in user namespaces; Bus1.
  • Distributions: A report from Fedora Flock; OpenMandriva Lx 3.0, Fuchsia, ...
  • Development: Multi-threaded emulation for QEMU; Go 1.7; Ardour 5.0; WordPress 4.6; ...
  • Announcements: SPI officers, TDF and FSFE strengthen their relationship, FSF annual report, ...

Contemplating the possible retirement of Apache OpenOffice
[Development] Posted Sep 2, 2016 7:02 UTC (Fri) by corbet

Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In responses to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is the PMC been requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.)

Also of interest is this note on how the handling of CVE-2016-1513 went.

Full Story (comments: 194)

Bus1: a new Linux interprocess communication proposal
[Kernel] Posted Aug 17, 2016 19:44 UTC (Wed) by corbet

Anyone who has been paying attention to Linux kernel development in recent years would be aware that IPC — interprocess communication — is not a solved problem. There are certainly many partial solutions, from pipes and signals, through sockets and shared memory, to more special-purpose solutions like Cross Memory Attach and Android's binder. But it seems there are still some use cases that aren't fully addressed by current solutions, leading to new solutions being occasionally proposed to try to meet those needs. The latest proposal is called "bus1".

Full Story (comments: 37)

OpenBSD 6.0
[Distributions] Posted Sep 1, 2016 20:54 UTC (Thu) by ris

OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. This release also includes new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.

Comments (6 posted)

LWN.net Weekly Edition for August 11, 2016
Posted Aug 11, 2016 0:03 UTC (Thu)

The LWN.net Weekly Edition for August 11, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Guix 0.11; Better types in C using sparse and smatch.
  • Security: The TCP "challenge ACK" side channel; New vulnerabilities in chromium, firefox, libreoffice, openssh, ...
  • Kernel: The 4.8 merge window closes; Android privilege escalations; The NET policy mechanism.
  • Distributions: Debian to shift to a modern GnuPG; Bedrock, Copperhead, Fedora, Ubuntu, ...
  • Development: A proposal for online key backup; Booktype 2.1, Kirigami initial release; Discourse 1.6; ...
  • Announcements: Christoph Hellwig's case against VMware dismissed, EFF Pioneer Award Winners, Tor Social Contract, Federal Source Code Policy, ...

Thursday's security updates
[Security] Posted Sep 1, 2016 15:08 UTC (Thu) by n8willis

Debian-LTS has updated cacti (authentication bypass).

Mageia has updated eog (M5: out-of-bounds write), python3/python (M5: HTTPoxy attack), redis (M5: information leak), and webkit2 (M5: multiple vulnerabilities).

openSUSE has updated cracklib (Leap 42.1: code execution), gd (13.2: out-of-bounds read), and libgcrypt (13.2: flawed random number generation).

Red Hat has updated ipa (RHEL 6,7: denial of service).

Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).

Comments (none posted)

The TCP "challenge ACK" side channel
[Security] Posted Aug 10, 2016 21:14 UTC (Wed) by jake

Side-channel attacks against various kinds of protocols (typically networking or cryptographic) are both dangerous and often hard for developers and reviewers to spot. They are generally passive attacks, which makes them hard to detect as well. A recent paper [PDF] describes in detail one such attack against the kernel's TCP networking stack; the bug (CVE-2016-5696) has existed since Linux 3.6, which was released in 2012. Ironically, the bug was introduced because Linux has implemented a countermeasure against another type of attack.

Full Story (comments: 15)

Building a new Tor that can resist next-generation state surveillance (ars technica)
[Security] Posted Sep 1, 2016 9:07 UTC (Thu) by corbet

Here's a lengthy ars technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."

Comments (none posted)

LWN.net Weekly Edition for August 4, 2016
Posted Aug 4, 2016 1:30 UTC (Thu)

The LWN.net Weekly Edition for August 4, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: The Internet of Onions; Why Uber dropped PostgreSQL; News from LWN.
  • Security: Felony PGP; New vulnerabilities in dropbear, mozilla, tiff, wireshark, ...
  • Kernel: 4.8 Merge window part 2; Hardened usercopy; 4.7 Development statistics.
  • Distributions: Disallowing perf_event_open(); TP-Link agrees to allow third-party firmware, Debian and Tor Services available as Onion Services, ...
  • Development: Free software and smartcards; Firefox 48; Django 1.10; LibreOffice 5.2; ...
  • Announcements: SPI board election, The End of Gmane?, ...

Apache OpenOffice CVE-2016-1513 hotfix released
[Security] Posted Aug 31, 2016 17:45 UTC (Wed) by ris

LWN covered a memory corruption vulnerability (CVE-2016-1513) in Apache OpenOffice that was disclosed before a fix was available. Now a hotfix for the problem has been released. "The official Apache OpenOffice security bulletin was announced on July 21, 2016. Affected is Apache OpenOffice 4.1.2 and older on all platforms and all languages. OpenOffice.org versions are also affected. The Apache OpenOffice project recommends to update to the latest version 4.1.2 and then to download and install the Zip file from the table below. Please follow the installation instructions in the respective Readme file." (Thanks to Cesar Eduardo Barros)

Comments (21 posted)



Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds