LWN.net Logo

Advertisement

The MCAs allow the community to select projects in 31 categories. Vote now and make sure your voice is heard!

Advertise here

Welcome to LWN.net

Headlines for February 4, 2012

The end of LinuxDevices?
[Announcements] Posted Feb 3, 2012 19:57 UTC (Fri) by corbet

LinuxDevices.com is carrying a brief note from the "outgoing editor-in-chief" stating that the site's owner has been acquired. "At this point, the future of LinuxDevices.com is uncertain. What we can say for sure is that it has been a pleasure serving our readers -- the best in the business."

Comments (3 posted)

Slackware updates
[Security] Posted Feb 3, 2012 19:52 UTC (Fri) by ris

Slackware has been silent for some time (noted in this comment thread). Although we haven't seen any advisories in the LWN mailbox, the changelogs are showing some new updates. Slackware users should update their systems.

Comments (1 posted)

Stable kernels 3.0.19, 3.2.3 and 2.6.32.56
[Kernel] Posted Feb 3, 2012 19:21 UTC (Fri) by ris

Greg KH has released stable kernels 3.0.19, 3.2.3 and 2.6.32.56. All of them have important fixes across the board.

Update 3.2.4 has now been released to address a compilation problem in 3.2.3.

Comments (8 posted)

Friday's security updates
[Security] Posted Feb 3, 2012 18:34 UTC (Fri) by ris

CentOS has updated ghostscript (C6; C5; C4: multiple vulnerabilities), php (C6; C5; C4: remote code execution), and C5: php53 (remote code execution).

Debian has updated iceweasel (multiple vulnerabilities), iceape (multiple vulnerabilities), and php5 (remote code execution).

Mandriva has updated mozilla (multiple vulnerabilities).

Red Hat has updated RHEL5: php53 (remote code execution), RHEL4,5,6: php (remote code execution), ghostscript (RHEL5,6; RHEL4: multiple vulnerabilities), and RHEL5.6: freetype (code execution).

Scientific Linux has updated SL5: php53 (remote code execution), SL4,5,6: php (remote code execution), and ghostscript (SL5,6; SL4: multiple vulnerabilities).

Comments (none posted)

PHP 5.3.10 released with critical security fix
[Security] Posted Feb 2, 2012 22:26 UTC (Thu) by corbet

The PHP 5.3.10 release is out; it contains a fix for a remote code execution bug introduced recently by another security fix. Anybody running 5.3.9 should probably upgrade as soon as possible.

Full Story (comments: 5)

Critical PHP vulnerability being fixed (The H)
[Security] Posted Feb 2, 2012 22:12 UTC (Thu) by jake

The H is reporting that a critical remote code execution bug has been found in PHP that was caused by the recent fix for the widespread denial of service via hash collisions vulnerability. "The cause of the problem is the security update to PHP 5.3.9, which was written to prevent denial of service (DoS) attacks using hash collisions. To do so, the developers limited the maximum possible number of input parameters to 1,000 in php_variables.c using max_input_vars. Because of mistakes in the implementation, hackers can intentionally exceed this limit and inject and execute code. The bug is considered to be critical as code can be remotely injected over the web."

Comments (5 posted)

Security advisories for Thursday
[Security] Posted Feb 2, 2012 20:25 UTC (Thu) by jake

CentOS has updated openssl (C4: multiple vulnerabilities).

Debian has updated tomcat6 (multiple vulnerabilities).

Fedora has updated BackupPC (F15; F16: cross-site scripting), polipo (F15; F16: denial of service), moodle (F15; F16: multiple vulnerabilities), firefox (F16: multiple vulnerabilities), xulrunner (F16: multiple vulnerabilities), thunderbird (F16: multiple vulnerabilities), thunderbird-lightning (F16: multiple vulnerabilities), gstreamer-plugins-bad-free (F16: multiple vulnerabilities), and libvpx (F16: multiple vulnerabilities).

Mandriva has updated apache (multiple vulnerabilities).

Oracle has updated firefox (OL4; OL5; OL6: multiple vulnerabilities), seamonkey (OL4: multiple vulnerabilities), thunderbird (OL4; OL6: multiple vulnerabilities), and openssl (OL4: multiple vulnerabilities).

Red Hat has updated openssl (RHEL 4: multiple vulnerabilities)

Scientific Linux has updated thunderbird (SL4&5; SL6: multiple vulnerabilities), firefox (multiple vulnerabilities), seamonkey (SL4: multiple vulnerabilities), and openssl (SL4: multiple vulnerabilities).

Comments (none posted)

Seigo: Spark answers
[Announcements] Posted Feb 2, 2012 19:29 UTC (Thu) by jake

Aaron Seigo answers questions about the Spark tablet, which is based on Plasma Active, that he announced on January 29. There is more information about the hardware and software, delivery timeframe (May 2012), and pre-orders: "Pre-order registration will open early next week. This was one piece in the puzzle that was taking a bit [longer] than I hoped for to come together, but it's finally slotted in and our distribution partner has got the necessary infrastructure settled. I'll lift the veil off of the pre-order and our distribution strategy when it goes live."

Comments (1 posted)

Gettys: Bufferbloat demonstration videos
[Announcements] Posted Feb 2, 2012 17:51 UTC (Thu) by corbet

Jim Gettys says: "If people have heard of bufferbloat at all, it is usually just an abstraction despite having personal experience with it. Bufferbloat can occur in your operating system, your home router, your broadband gear, wireless, and almost anywhere in the Internet. They still think that if experience poor Internet speed means they must need more bandwidth, and take vast speed variation for granted. Sometimes, adding bandwidth can actually hurt rather than help. Most people have no idea what they can do about bufferbloat. So I’ve been working to put together several demos to help make bufferbloat concrete, and demonstrate at least partial mitigation." Definitely useful viewing for anybody who is concerned with the problem and how to begin addressing it.

Comments (28 posted)

[$] LWN.net Weekly Edition for February 2, 2012
Posted Feb 2, 2012 1:26 UTC (Thu)

The LWN.net Weekly Edition for February 2, 2012 is available.

Inside this week's LWN.net Weekly Edition

  • Front: A tempest in a toybox; The trickiness of the education market; Thoughts from LWN's UTF8 conversion.
  • Security: Format string vulnerabilities; New vulnerabilities in chromium, curl, ktsuss, sudo, ...
  • Kernel: What happened to disk performance in 2.6.39; Preparing for user-space checkpoint/restore; Betrayed by a bitfield.
  • Distributions: FreeBSD and release engineering; Debian, Red Hat, UDS, The case for the /usr merge.
  • Development: Linux screen recording; Firefix, Git, Mercurial, ...
  • Announcements: CERN OHL; TDF; GNU-edu; ACTA; FOSDEM speakers; Articles by Garrett, Kuhn, Seigo, ...
Read more

Kuhn: Some Thoughts on Conservancy's GPL Enforcement
[Announcements] Posted Feb 1, 2012 18:52 UTC (Wed) by corbet

Bradley Kuhn has posted a lengthy explanation of the Software Freedom Conservancy's GPL enforcement activities and the demands they make. "I started using this request regularly around 2002 because violators express a concern that, if they came into compliance due to my efforts, what was to stop others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say: 'Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate'."

Comments (1 posted)

The Document Foundation will be based in Berlin
[Announcements] Posted Feb 1, 2012 18:13 UTC (Wed) by corbet

The Document Foundation has announced that its long-awaited legal entity will be based in Berlin. "'After many months of work in close cooperation with the authorities, we were able to keep the spirit of the community bylaws, and incorporate them into legally binding statutes, that ensure the promises that TDF has made in its manifesto', says Michael (Mike) Schinagl, a Berlin-based lawyer and contributor to various free software projects, who has been driving the legal aspects of the foundation set-up from the very beginning."

Full Story (comments: none)

Wednesday's security update
[Security] Posted Feb 1, 2012 18:10 UTC (Wed) by corbet

CentOS has updated thunderbird (C4, C5, C6: multiple vulnerabilities), firefox (C4, C5, C6: multiple vulnerabilities) and seamonkey (C4: multiple vulnerabilities).

Fedora has updated smokeping (F15, F16: cross-site scripting), krb5 (F15: denial of service), and sudo (F16: privilege escalation).

Red Hat has updated thunderbird (RHEL4-5, RHEL6: multiple vulnerabilities), firefox (RHEL4-6: multiple vulnerabilities), and seamonkey (RHEL4: multiple vulnerabilities).

Ubuntu has updated usbmuxd (code execution via hostile USB device).

Comments (none posted)

[$] A tempest in a toybox
[Front] Posted Feb 1, 2012 16:26 UTC (Wed) by corbet

The eLinux.org web site is currently promoting a project to write a replacement for Busybox under a permissive license. Normally, the writing of more free software is seen as a good thing, but, in this case, there have been complaints about the perceived motivation behind the project. What this discussion shows is that there are some divisions within our community on how our licenses should be enforced - and even what those licenses say.

Full Story (comments: 141)

Apache HTTP Server 2.2.22 released
[Security] Posted Feb 1, 2012 15:13 UTC (Wed) by corbet

Version 2.2.22 of the Apache web server is out. The main point of this release appears to be the fixing of six different CVE numbers, so people with their own Apache builds probably want to grab the update.

Full Story (comments: none)

Almost There - PyPy's ARM Backend
[Development] Posted Feb 1, 2012 14:48 UTC (Wed) by corbet

The PyPy Status Blog has an update on the status of the PyPy port to the ARM architecture. "The current results on ARM, as shown in the graph below, show that the JIT currently gives a speedup of about 3.5 times compared to CPython on ARM. The benchmarks were run on the before mentioned BeagleBoard-xM with a 1GHz ARM Cortex-A8 processor and 512MB of memory. The operating system on the board is Ubuntu 11.04 for ARM."

Comments (none posted)

Greg Kroah-Hartman moves to the Linux Foundation
[Kernel] Posted Feb 1, 2012 14:11 UTC (Wed) by corbet

The Linux Foundation has announced that Greg Kroah-Hartman has joined the organization as a fellow. "In his role as Linux Foundation Fellow, Kroah-Hartman will continue his work as the maintainer for the Linux stable kernel branch and a variety of subsystems while working in a fully neutral environment. He will also work more closely with Linux Foundation members, workgroups, Labs projects, and staff on key initiatives to advance Linux."

Comments (10 posted)

Kernel prepatch 3.3-rc2
[Kernel] Posted Jan 31, 2012 22:51 UTC (Tue) by corbet

The 3.3-rc2 prepatch is out, a little later than would have ordinarily been expected. "The diffstat is pretty flat - indicative of mostly small changes spread out. Which is what I like seeing, and we don't always see at this point. There's some file movement (8250-based serial and the arm mx5 -> imx merge), but otherwise really not a lot of excitement. Good." That said, there are quite a few changes in this prepatch; see the short-form changelog in the announcement for details. Thirteen of those changes are reverts for patches that didn't work out.

Comments (none posted)

FOSDEM speaker interviews
[Announcements] Posted Jan 31, 2012 20:54 UTC (Tue) by ris

The last set of interviews with FOSDEM speakers has been released. This list includes Juan David Gonzalez Cobas and Javier Serrano (open hardware), Bryan Østergaard (community management), Ben Klang (Adhearsion), Soren Hansen (monitoring), Kristian Høgsberg (Wayland), Anil Madhavapeddy (UNIX I/O), Carl-Daniel Hailfinger (coreboot), and Claire Corgnou (average Jane and Joe).

Comments (none posted)

Security advisories for Tuesday
[Security] Posted Jan 31, 2012 19:35 UTC (Tue) by ris

CentOS has updated C6: ruby (denial of service), ruby (C5;C4: denial of service/predictable random numbers), C6: t1lib (multiple vulnerabilities), C6: openssl (multiple vulnerabilities), C6: glibc (denial of service), and C4: php (multiple vulnerabilities).

Debian has updated curl (multiple vulnerabilities), php5 (multiple vulnerabilities), and php5 (fixes a regression from the previous update).

Oracle has updated OL6: ruby (denial of service), ruby (OL5; OL4: denial of service/predictable random numbers) and OL4: php (multiple vulnerabilities).

Red Hat has updated RHEL6: ruby (denial of service), RHEL4&5: ruby (denial of service/predictable random numbers), and RHEL4: php (multiple vulnerabilities).

Scientific Linux has updated SL4, SL5: ruby (denial of service/predictable random numbers), SL4: php (multiple vulnerabilities), SL6: ruby (denial of service).

Ubuntu has updated accountsservice (privilege escalation) and software-properties (man-in-the-middle attack).

Comments (none posted)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds