LWN featured content
A kernel change breaks GlusterFS
[Kernel] Posted Mar 27, 2013 20:33 UTC (Wed) by mkerrisk
Linus Torvalds has railed frequently and loudly against kernel
developers breaking user space. But that rule is not ironclad; there
are exceptions. The story of how a kernel change caused a GlusterFS
breakage shows that there are sometimes unfortunate twists to those
exceptions.
Full Story (comments: 29)
PyCon: Evangelizing Python
[Front] Posted Mar 27, 2013 16:50 UTC (Wed) by jake
Python core developer Raymond Hettinger's PyCon 2013 keynote had elements of a revival meeting
sermon, but it was also meant to spread the "religion" well beyond those
inside the meeting tent. Hettinger specifically tasked attendees to use
his "What makes Python awesome?" talk as a sales tool with
management and other Python
skeptics. Subscribers can get the full coverage of the talk from this
week's edition at the link below.
Full Story (comments: 73)
Multipath TCP: an overview
[Kernel] Posted Mar 26, 2013 22:36 UTC (Tue) by corbet
The world was a simpler place when the TCP/IP network protocol suite was
first designed. The net was slow and primitive and it was often a triumph
to get a connection to a far-away host at all. The machines at either end
of a TCP session normally did not have to concern themselves with how that
connection was made; such details were left to routers. As a result, TCP
is built around the notion of a (single) connection between two hosts. The
Multipath TCP (MPTCP) project looks
to change that view of networking by adding support for multiple transport
paths to the endpoints; it offers a lot of benefits, but designing a
deployable protocol for today's Internet is surprisingly hard.
Full Story (comments: 70)
Anatomy of a user namespaces vulnerability
[Kernel] Posted Mar 20, 2013 21:10 UTC (Wed) by mkerrisk
An exploit posted on March 13
revealed a rather easily exploitable security vulnerability (CVE-2013-1858)
in the implementation of user namespaces. That exploit enables an
unprivileged user to escalate to full root privileges. Although a fix was
quickly provided, it is nevertheless instructive to look in some detail at
the vulnerability, both to better understand the nature of this kind of
exploit and also to briefly consider how this vulnerability came to appear
inside the user namespaces implementation.
Full Story (comments: 30)
When does the FSF own your code?
[Front] Posted Mar 19, 2013 15:12 UTC (Tue) by corbet
Many pixels have been expended in the discussion of contributor agreements
that transfer copyright from developers to a company or
foundation. But, for developers in many projects, the discussion is moot,
in that the requirement for an agreement exists and the papers must be
signed before
contributions to the project can be made. But, even then, there are some
interesting details that merit attention. A recent discussion regarding
one developer's contributions to the Emacs Org mode project shows how
expansive and poorly understood such agreements can be in some cases.
Full Story (comments: 49)
The trouble with CAP_SYS_RAWIO
[Kernel] Posted Mar 13, 2013 14:34 UTC (Wed) by mkerrisk
A February linux-kernel mailing list discussion of a patch that extends
the use of the CAP_COMPROMISE_KERNEL capability soon evolved into
a discussion of the specific uses (or abuses) of the CAP_SYS_RAWIO
capability within the kernel. However, in reality, the discussion once
again exposes some general difficulties in the Linux capabilities
implementation—difficulties that seem to have no easy solution.
Full Story (comments: 38)
LC-Asia: An Android upstreaming update
[Kernel] Posted Mar 12, 2013 15:10 UTC (Tue) by corbet
Many people have talked about the Android kernel code and its relation
to the mainline. One of the people who has done the most to help bring
Android and the mainline closer together is John Stultz; at the 2013 Linaro
Connect Asia event, he
talked about the status of the Android code. The picture that emerged
shows that a lot of progress has been made, but there is still a lot of
work yet to be done.
Click below (subscribers only) for the full report.
Full Story (comments: 17)
Ubuntu unveils its next-generation shell and display server
[Distributions] Posted Mar 6, 2013 22:09 UTC (Wed) by n8willis
Ubuntu publicly announced its plan for the future of its Unity
graphical shell on March 4, a plan that includes a new compositing
window manager designed to run on the distribution's device platforms
as well as on desktop systems. The plan will reimplement the Unity
shell in Qt and replace Compiz with a new display stack called Mir that
will incorporate a compositor, input manager, and several other
pieces. Mir is not designed to use the Wayland display protocol
(although the Ubuntu specification suggests it could be added later),
a decision that raised the ire of developers in several other
projects.
Full Story (comments: 46)
Namespaces in operation, part 6: more on user namespaces
[Kernel] Posted Mar 6, 2013 17:32 UTC (Wed) by mkerrisk
In this article, we continue last week's
discussion of user namespaces. In particular, we look in more detail
at the interaction of user namespaces and capabilities as well as the
combination of user namespaces with other types of namespaces.
Full Story (comments: 23)
The conclusion of the 3.9 merge window
[Kernel] Posted Mar 5, 2013 16:37 UTC (Tue) by corbet
By the time that Linus released the 3.9-rc1
kernel prepatch and closed the merge window for this cycle, he had pulled a
total of 10,265 non-merge changesets into the mainline repository. That is
just over 2,000 changes since last week's
summary. Subscribers can click below for a look at the last merges for 3.9.
Full Story (comments: 42)
Current news
Stable kernels 3.8.6, 3.4.39, and 3.0.72
[Kernel] Posted Apr 5, 2013 18:24 UTC (Fri) by n8willis
Greg Kroah-Hartman has released the 3.8.6, 3.4.39, and 3.0.72 stable kernels. Each includes a
number of important updates and changes.
Comments (8 posted)
Ubuntu 13.04 (Raring Ringtail) Beta 2 released
[Distributions] Posted Apr 5, 2013 17:28 UTC (Fri) by corbet
The second and final Ubuntu 13.04 beta release is available for testers;
Kubuntu, Edubuntu, Lubuntu, Xubuntu and Ubuntu Studio versions are also
available. And as if that weren't enough: "We also welcome two new
flavors, Ubuntu Gnome and UbuntuKylin, which are participating in the Ubuntu
release process for the first time this cycle." See the
technical overview page for instructions and information on new
features.
Full Story (comments: 3)
Friday's security updates
[Security] Posted Apr 5, 2013 14:53 UTC (Fri) by n8willis
Fedora has updated py-bcrypt (F17, F18; authentication bypass), firefox (F18; multiple vulnerabilities), thunderbird (F18; multiple
vulnerabilities), and xulrunner (F18;
multiple vulnerabilities).
Mageia has updated bind
(multiple vulnerabilities), dhcp
(denial of service), firefox (multiple
vulnerabilities), libxslt (denial of
service), and thunderbird (multiple
vulnerabilities).
Mandriva has updated bash
(denial of service), clamav (multiple
unspecified vulnerabilities), coreutils (multiple
vulnerabilities), cronie (information
disclosure), cups (unauthorized
administrative access), exif (denial of service), fetchmail (multiple vulnerabilities), and
libexif (multiple vulnerabilities).
Mandriva has also re-issued several earlier updates to
fix incorrectly-assigned advisory IDs: apache-mod_security, arpwatch, and automake. Today's bash update
was also issued earlier, at that time incorrectly labeled as MDVSA-2013:019.
openSUSE has updated apache2
(multiple vulnerabilities), dhcp
(denial of service), firefox (multiple
vulnerabilities), NRPE (code
execution), postgresql91 (multiple
vulnerabilities), and postgresql92
(multiple vulnerabilities).
Red Hat has updated openstack-glance (information leak), openstack-keystone (multiple
vulnerabilities), openstack-nova
(multiple vulnerabilities), and puppet
(multiple vulnerabilities).
Slackware has updated subversion (multiple denial-of-service
vulnerabilities).
Ubuntu has updated firefox
(multiple vulnerabilities) and unity-firefox-extension (multiple vulnerabilities).
Comments (none posted)
Thursday's security updates
[Security] Posted Apr 4, 2013 16:10 UTC (Thu) by jake
Debian has updated libxslt (denial
of service), postgresql-8.4 (guessable
random numbers), and postgresql-9.1 (multiple
vulnerabilities including remote database file corruption).
Mandriva has updated apache
(multiple vulnerabilities), apache-mod_security (access rules bypass), arpwatch (insecure privilege dropping), and automake (code execution).
openSUSE has updated bind (12.1:
multiple vulnerabilities), ruby (11.4:
denial of service), dhcp (12.1,
12.2; 12.3:
denial of service), nrpe (code execution),
jakarta-commons-httpclient (12.2, 12.3:
insecure SSL certificate checking), and jakarta-commons-httpclient3 (12.1: insecure
SSL certificate checking).
Oracle has updated firefox (OL5:
multiple vulnerabilities).
SUSE has updated rails (multiple
vulnerabilities), rubygem-json_pure (code
execution), rubygem-extlib (denial of
service), rubygem-crack (denial of
service), and puppet (SLE11: multiple
vulnerabilities).
Ubuntu has updated Oneiric backport
kernel (10.04: multiple vulnerabilities), postgresql (multiple
vulnerabilities including remote database file corruption), and libav (12.04, 12.10: code execution).
Comments (none posted)
A serious PostgreSQL security fix
[Security] Posted Apr 4, 2013 13:54 UTC (Thu) by corbet
The PostgreSQL project has announced the release
of versions 9.2.4, 9.1.9, 9.0.13 and 8.4.17 containing a number of security
fixes, including this one: "CVE-2013-1899, makes it possible for a
connection request containing a database name that begins with '-' to be
crafted that can damage or destroy files within a server's data
directory. Anyone with access to the port the PostgreSQL server listens on
can initiate this request." The developers recommend an immediate
upgrade.
Update: See also the
2013-04-04 security release FAQ. "This is a good general rule
for database security: do not allow port access to the database server from
untrusted networks unless it is absolutely necessary. This is as true, or
more true, of other database systems as it is of PostgreSQL."
Comments (26 posted)
Security Engineering, Second Edition available online
[Security] Posted Apr 4, 2013 13:40 UTC (Thu) by corbet
The NoVA Infosec site notes
that Ross Anderson's Security Engineering, Second Edition is available online in PDF
form. "'Security Engineering: A Guide to Building Dependable
Distributed Systems' written by Ross Anderson of the University of
Cambridge and published by Wiley has been one of the 'goto' references for
teaching security over the past decade. Although more academic than many of
the modern-day security books out there, 'Security Engineering' not only
covers the basics of security but also some of the intricacies of building
secure systems from the ground up." The reviews include one from
Bruce Schneier calling it "the best book on the topic there
is".
Comments (1 posted)
Google's "Blink" rendering engine
[Development] Posted Apr 3, 2013 22:05 UTC (Wed) by corbet
Google has announced
that it is forking the WebKit rendering engine to make a new project called
Blink. "Chromium uses a different multi-process architecture than
other WebKit-based browsers, and supporting multiple architectures over the
years has led to increasing complexity for both the WebKit and Chromium
projects. This has slowed down the collective pace of innovation - so
today, we are introducing Blink, a new open source rendering engine based
on WebKit."
Comments (25 posted)
Security advisories for Wednesday
[Security] Posted Apr 3, 2013 17:01 UTC (Wed) by ris
CentOS has updated xulrunner (C6; C5:
multiple vulnerabilities), firefox (C6; C5:
multiple vulnerabilities), and thunderbird (C6; C5:
multiple vulnerabilities).
Fedora has updated moodle (F18; F17:
multiple vulnerabilities), php (F18;
F17: multiple vulnerabilities), 389-ds-base (F18: information exposure), mingw-openssl (F18: multiple vulnerabilities),
and perl (F17: denial of service).
Mageia has updated php (multiple
vulnerabilities), firebird (remote code
execution), privoxy (proxy spoofing), and
zoneminder (command execution).
openSUSE has updated ruby (denial of
service).
Oracle has updated thunderbird (OL6:
multiple vulnerabilities) and firefox (OL6:
multiple vulnerabilities).
Red Hat has updated kernel
(privilege escalation), firefox (multiple
vulnerabilities), thunderbird (multiple
vulnerabilities), rubygem-actionpack
(cross-site scripting), ruby193-rubygem-activerecord (denial of
service), jenkins (man-in-the-middle
attacks), and ruby193-ruby (multiple
vulnerabilities).
Scientific Linux has updated firefox
(multiple vulnerabilities) and thunderbird (multiple vulnerabilities).
Slackware has updated firefox
(multiple vulnerabilities) and thunderbird
(multiple vulnerabilities).
Ubuntu has updated kernel (11.10:
multiple vulnerabilities).
Comments (none posted)
Mozilla and Samsung building a new browser engine
[Development] Posted Apr 3, 2013 16:07 UTC (Wed) by corbet
The Mozilla project has announced
a collaboration with Samsung to build "Servo", a next-generation browser
rendering engine. "Servo is an attempt to rebuild the Web browser
from the ground up on modern hardware, rethinking old assumptions along the
way. This means addressing the causes of security vulnerabilities while
designing a platform that can fully utilize the performance of tomorrow’s
massively parallel hardware to enable new and richer experiences on the
Web. To those ends, Servo is written in Rust, a new, safe systems language
developed by Mozilla along with a growing community of enthusiasts."
Comments (57 posted)
MATE 1.6 released
[Development] Posted Apr 3, 2013 14:04 UTC (Wed) by corbet
Version 1.6
of the MATE desktop environment is available. "This release is a
giant step forward from the 1.4 release. In this release, we have replaced
many deprecated packages and libraries with new technologies available in
GLib. We have also added a lot of new features to MATE." See the
announcement for a list of those new features.
Comments (2 posted)