[$] Shumway lands in Firefox
[Front] Posted Oct 7, 2013 21:26 UTC (Mon) by n8willis
Mozilla has merged the code for Shumway, its
JavaScript-based Flash runtime, into the latest builds of Firefox.
The feature must be switched on manually, but it still marks a
milestone for a project that Mozilla initially described as an
R&D venture. Shumway is still a work in progress, but it brings
Firefox users one step closer to eliminating a plugin that few will
miss.
Full Story (comments: none)
White paper: the economic value of the Long Term Support Initiative
[Announcements] Posted Oct 7, 2013 17:41 UTC (Mon) by corbet
The Linux Foundation has announced the availability of a white paper
(registration required) estimating the economic value of the Long Term
Support Initiative, an effort which supports stable kernel releases for
the consumer electronics industry. The resulting value is about $3 million per
release. "LTSI is important because device makers are doing
release. "LTSI is important because device makers are doing
significant back-porting, bug testing and driver development on their own,
which carries substantial cost in terms of time-to-market, as well as
development and engineering effort to maintain those custom
kernels. Through collaboration in this initiative, these CE vendors are
reducing the duplication of effort currently prevalent in the consumer
electronics industry. This new paper helps calculate that total cost
savings in more definite terms."
Comments (1 posted)
Security advisories for Monday
[Security] Posted Oct 7, 2013 16:43 UTC (Mon) by ris
Debian has updated icedtea-web (code execution).
Fedora has updated xen (F18; F19: information leak).
Gentoo has updated aircrack-ng
(code execution), gegl (code execution), isync (information disclosure), nginx (multiple vulnerabilities), and poppler (multiple vulnerabilities).
Mageia has updated libvirt
(multiple vulnerabilities), openjpa (code
execution), polkit (multiple vulnerabilities), and proftpd (denial of service).
openSUSE has updated gpg2 (12.2: information disclosure) and systemd (12.2; 12.3: privilege escalation).
Comments (none posted)
Want to run the Linux Plumbers Conference in 2014?
[Announcements] Posted Oct 7, 2013 14:44 UTC (Mon) by corbet
The Linux Foundation's Technical Advisory Board is currently accepting
applications from groups wishing to organize the 2014 Linux Plumbers
Conference; the current plan is to co-locate that conference with LinuxCon
Europe in Düsseldorf, Germany, but hosting it in Chicago with LinuxCon
North America is also a possibility. See this page for
information about how to put together a bid; the deadline is November 3.
Full Story (comments: 1)
Kernel prepatch 3.12-rc4
[Kernel] Posted Oct 6, 2013 21:28 UTC (Sun) by corbet
The fourth 3.12 prepatch is out for
testing. "Hmm. rc4 has more new commits than rc3, which doesn't make
me feel all warm and fuzzy, but nothing major really stands out. More
filesystem updates than normal at this stage, perhaps, but I suspect that
is just happenstance. We have cifs, xfs, btrfs, fuse and nilfs2 fixes
here."
Comments (none posted)
Stable kernel updates
[Kernel] Posted Oct 5, 2013 17:49 UTC (Sat) by corbet
The latest set of stable updates is 3.11.4, 3.10.15, 3.4.65, and
3.0.99. Greg has included a warning that
the long-lived 3.0 series will be coming to a close "within a few
weeks," so users of that kernel should be thinking about moving on.
Comments (none posted)
Attacking Tor: how the NSA targets users' online anonymity (The Guardian)
[Security] Posted Oct 4, 2013 23:39 UTC (Fri) by n8willis
Writing at The Guardian, Bruce Schneier explains in his latest Edward Snowden–related piece that the US National Security Agency (NSA) had tried unsuccessfully to mount an attack against the Tor network, in hopes of bypassing the service's anonymity protections. Nevertheless, the NSA is still able to identify Tor traffic and track individual Tor users (despite not knowing their identities), which can lead to further surveillance. "After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems." By targeting a Tor user, the agency could then leverage attacks like browser exploits to get into the user's system; nevertheless, so far the design of Tor itself seems to be functioning as planned.
Comments (38 posted)
Friday's security updates
[Security] Posted Oct 4, 2013 14:18 UTC (Fri) by n8willis
Fedora has updated icedtea-web (F18; code execution) and
rubygems (F18; F19: denial of service).
Gentoo has updated perl-Module-Signature (code execution).
openSUSE has updated boost
(input validation bypass).
Comments (none posted)
Intel powers an Arduino for the first time with new “Galileo” board (ars technica)
[Announcements] Posted Oct 3, 2013 23:13 UTC (Thu) by jake
Ars technica covers Intel's announcement of the Galileo development board, which contains a Quark 32-bit x86 CPU and is targeted at the "Internet of Things". It was designed in conjunction with Arduino and has connections for existing Arduino "shields" in addition to USB, Ethernet, RS-232 serial, and PCIe. "Intel will be donating 50,000 Galileo boards to universities around the world as part of the collaboration, and it will be available to hobbyists for $60 or less by November 29. That price makes Galileo quite competitive with existing Arduino boards, most of which aren't as feature complete. Intel promises full compatibility with Arduino software and existing hardware, which could make this a very attractive board for complex projects." Galileo is also open hardware, with schematics and other information available at its home page.
Comments (36 posted)
Security advisories for Thursday
[Security] Posted Oct 3, 2013 15:35 UTC (Thu) by jake
Fedora has updated kernel (F18:
random number reuse in ansi_cprng).
Mandriva has updated proftpd
(BS1.0, ES5.0: denial of service).
Oracle has updated ccid (OL5:
code execution), kernel (OL5; OL6: denial of service), php53 (OL5: multiple vulnerabilities), sudo (OL5: three privilege escalation flaws),
and xinetd (OL5: information leak).
Red Hat has discontinued updates for acroread because Adobe has stopped updating
it. The "update" will disable the web browser plugin.
SUSE has updated icedtea-web
(SLE11 SP2, SP3: two code execution flaws).
Comments (none posted)
Garrett: The state of XMir
[Development] Posted Oct 3, 2013 6:57 UTC (Thu) by corbet
Matthew Garrett has posted an assessment of where XMir
development stands. "This is an unfortunate situation to be
in. Ubuntu Desktop was told that they were switching to XMir, but Mir
development seems to be driven primarily by the needs of Ubuntu Phone. XMir
has to do things that no other Mir client will ever cope with, and unless
Mir development takes that into account it's inevitably going to suffer
breakage like this. Canonical management needs to resolve this if there's
any hope of ever shipping XMir as the default desktop environment."
Comments (4 posted)
[$] LWN.net Weekly Edition for October 3, 2013
Posted Oct 3, 2013 0:54 UTC (Thu)
The LWN.net Weekly Edition for October 3, 2013 is available.
Inside this week's LWN.net Weekly Edition
- Front: The history of Mesa; TT-RSS makes a comeback; Some tidbits from XDC
- Security: Integrity and embedded devices; New vulnerabilities in chicken, glibc, kernel, sudo, ...
- Kernel: Transactional memory in the dentry cache; How much memory power management is useful?; NUMA scheduling.
- Distributions: Fedora and bug tracking; Debian Edu, GNU, FreeBSD, NetBSD, RHEL, Ubuntu, ...
- Development: AppData; VLC 2.1.0; Rust 0.8; Ten years working on Krita; ...
- Announcements: 30 years of GNU, events, ...
Read more
[$] Integrity and embedded devices
[Security] Posted Oct 2, 2013 19:20 UTC (Wed) by jake
David Safford's talk for the 2013 Linux
Security Summit was in two parts—with two separate sets of slides.
That's because the US Department of Homeland Security (DHS), which sponsored
IBM's work on hardware roots of trust for embedded devices—part one of the talk—was quite clear
that it didn't want to be associated with any kind of device cracking. So
part two, which concerned circumventing "verified boot" on a Samsung
ARM Chromebook, had to be a completely separate talk. The DHS's misgivings
notwithstanding, the two topics are clearly related; understanding both
leads to a clearer picture of the security of our devices.
Subscribers can get the full report on the talk from this week's Security page.
Full Story (comments: 8)
Security advisories for Wednesday
[Security] Posted Oct 2, 2013 16:18 UTC (Wed) by ris
Fedora has updated libvirt (F19:
multiple vulnerabilities), python-djblets
(F18: multiple vulnerabilities), and ReviewBoard (F18: multiple vulnerabilities).
Red Hat has updated MRG Grid (RHEL6; RHEL5: denial of service).
Ubuntu has updated nas (13.04;
12.10; 12.04 LTS: multiple vulnerabilities) and python3.3 (13.04; 12.10: multiple vulnerabilities).
Comments (none posted)
No Mir by default in Ubuntu 13.10
[Distributions] Posted Oct 2, 2013 6:21 UTC (Wed) by corbet
Developers at Canonical have concluded that the Mir desktop server (or,
more specifically, the XMir layer) will not be ready in time to be shipped
as the default configuration in the 13.10 release — though they do still
plan to go with Mir for Ubuntu Touch. "More specifically, the
multi-monitor support in XMir is working, but not to the extent we'd like
to see it for all of our users. The core of Mir is working reliable, but
with XMir being a key component for our 13.10 goals, we didn't want to
compromise overall Ubuntu quality by shipping it."
Full Story (comments: 51)
Rempt: Ten years of working on Krita
[Development] Posted Oct 1, 2013 23:44 UTC (Tue) by jake
On his blog, Boudewijn Rempt has an interesting walk down memory lane about the history of the Krita digital painting program. It started its life in 1998 as a Qt wrapper around GIMP, called "kimp", though the first real Krita code came from a KOffice application called KImage, which changed to KImageShop, Krayon, and, finally, in 2002, Krita (Swedish for crayon). His account has controversies, flame wars, development setbacks, and more, resulting in the high-quality application that we have today.
"I didn't know C++ back then, but neither was I a novice programmer. I'd been earning the daily bread for me and my family for about ten years, first as an Oracle PL/SQL developer, then Visual Basic, then Java. I had written and gotten published a book on Python and Qt, so I knew Qt as well. I had no experience with graphics, though...
In October 2003 it was not possible to paint with Krita: all tools except for the layer move tool had been disabled. The paint tool was the first thing I worked on, and I was very proud when I had a tool that could place squares on the canvas -- and the size of the squares was sensitive to the tablet pressure!"
Comments (8 posted)
Stable kernel updates
[Kernel] Posted Oct 1, 2013 21:26 UTC (Tue) by ris
Greg KH has released stable kernels 3.11.3,
3.10.14, 3.4.64, and 3.0.98. All contain important fixes.
Comments (none posted)
[$] NUMA scheduling progress
[Kernel] Posted Oct 1, 2013 17:02 UTC (Tue) by corbet
NUMA balancing was a topic of fierce debate through much of 2012; that
discussion culminated with the merging of Mel Gorman's NUMA balancing
infrastructure patch set into the 3.8 kernel. Those patches provided the
basic structure upon which a NUMA balancing solution could be built, but
did not attempt to solve the problem in a comprehensive way. Since then,
one might be forgiven for thinking that the developers involved have lost
interest; not
much NUMA-related code has found its way into the mainline. But, as can be
seen in Mel's basic scheduler support for NUMA
balancing patch set, which weighs in at 63 individual changesets, quite
a bit of work has been happening in this area.
Full Story (comments: 13)
Tuesday's security updates
[Security] Posted Oct 1, 2013 16:50 UTC (Tue) by ris
Fedora has updated kernel (F19:
off by one error), libvirt (F18: multiple vulnerabilities), and xpdf (F18; F19: code execution).
openSUSE has updated glibc (12.3:
multiple vulnerabilities) and icedtea-web (12.x; 11.4: code execution).
Red Hat has updated ccid (RHEL5:
code execution), kernel (RHEL5: denial of
service), php53 (RHEL5: multiple
vulnerabilities), samba3x (RHEL5: multiple
vulnerabilities), sssd (RHEL5: file
modification), sudo (RHEL5: privilege
escalation), and xinetd (RHEL5: service disclosure flaw).
Ubuntu has updated EC2 kernel
(10.04 LTS: multiple vulnerabilities), hplip (12.10; 12.04 LTS; 10.04 LTS:
multiple vulnerabilities), kernel
(10.04 LTS: multiple vulnerabilities), libkdcraw (12.04 LTS: denial of service), python2.6 (10.04 LTS: man in the middle
attack), python2.7 (13.04; 12.10;
12.04 LTS: multiple vulnerabilities), python3.2 (12.10; 12.04 LTS: multiple
vulnerabilities), txt2man (13.04; 12.10;
12.04 LTS: file overwrite), and vino
(13.04; 12.10; 12.04 LTS: denial of service).
Comments (none posted)
FreeBSD 9.2 released
[Distributions] Posted Sep 30, 2013 22:47 UTC (Mon) by ris
The FreeBSD Release Engineering Team has announced the
availability of FreeBSD 9.2. This release features some ZFS filesystem
enhancements along with various updated packages. The release notes
contain the details.
Comments (1 posted)