Friday's security updates
[Security] Posted Jun 14, 2013 16:11 UTC (Fri) by n8willis
Fedora has updated gallery3 (F17, F18; insecure URL handling) and xen (multiple vulnerabilities).
Mandriva has updated apache (multiple vulnerabilities) and subversion (denial of service).
openSUSE has updated libxcb (integer overflow), libXext (multiple vulnerabilities), libXfixes (integer overflow), libXt (multiple vulnerabilities), libXrender (integer overflow), libXv (multiple vulnerabilities), nfs-utils (12.2, 12.3; information disclosure), nginx (information disclosure), subversion (multiple vulnerabilities) and telepathy-gabble (TLS bypass).
Oracle has updated kernel (OL5, OL6; multiple vulnerabilities).
Scientific Linux has updated krb5 (denial of service).
Ubuntu has updated kernel (10.04, 10.04 EC2, 12.04, 12.04 OMAP4, 12.04 HWE, 12.10, 12.10 OMAP4, 13.04 OMAP4; multiple vulnerabilities), keystone (insecure authentication), and libdbus (denial of service).
Comments (none posted)
Meeks: LibreOffice's under-the-hood progress in 4.1.0 (beta)
[Development] Posted Jun 13, 2013 23:39 UTC (Thu) by jake
On his blog, Michael Meeks has a look at some of the less visible (to the user) changes to LibreOffice for 4.1. He describes changes like the completion of the switch to GNU make, code cleanup (including more German comment translation), eliminating bugs that result in crashes, refactoring the Calc spreadsheet core, and more. "One of the tasks that most irritates and has distracted new developers from doing interesting feature work on the code-base over many years has been our build system. At the start of LibreOffice, there was an incomplete transition to using GNU make, which required us to use both the horrible old dmake tool as well as gnumake, with configure using a Perl script to generate a shell script configuring a set of environment variables that had to be sourced into your shell in order to compile (making it impossible to re-configure from that shell), with a Perl build script that batched compilation with two layers of parallelism, forcing you to over- or undercommit on any modern builder."
Comments (94 posted)
Red Hat discloses RHEL roadmap (TechTarget)
[Distributions] Posted Jun 13, 2013 21:06 UTC (Thu) by jake
TechTarget has an interview with Denise Dumas, Red Hat's director of software engineering, about RHEL 6.5 and 7. In it, Dumas outlines some changes coming in those releases, particularly in the areas of storage, networking, in-place upgrades from RHEL 6, and the default desktop:
We think that people who are accustomed to Gnome 2 will use classic mode until they're ready to experiment with modern mode. Classic mode is going to be the default for RHEL 7, and we're in the final stages now. We're tweaking it and having people experiment with it. The last thing we want to do is disrupt our customers' workflows.
I think it's been hard for the Gnome guys, because they really, really love modern mode, because that's where their hearts are. But they've done a great job putting together classic mode for us, and I think it's going to keep people working on RHEL 5, 6 and 7 who don't want to retrain their fingers each time they switch operating systems -- I think classic mode's going to be really helpful for them.
Comments (230 posted)
Stable kernels 3.9.6, 3.4.49, and 3.0.82
[Kernel] Posted Jun 13, 2013 19:46 UTC (Thu) by jake
Greg Kroah-Hartman has announced the release of the 3.9.6, 3.4.49, and 3.0.82 stable kernels. Users of those kernels should upgrade.
Update: As noted in this G+ post, the code name for 3.9.6 has changed to "Black Squirrel Wakeup Call".
Comments (none posted)
Thursday's security updates
[Security] Posted Jun 13, 2013 17:26 UTC (Thu) by jake
CentOS has updated krb5 (C5; C6: denial of service from 2002).
Debian has updated dbus (denial of service).
Fedora has updated perl-Dancer (F17; F18: header injection), kernel (F18: multiple vulnerabilities), and 389-ds-base (F17: information disclosure).
openSUSE has updated kernel (12.1: code execution). The distribution also announced that 12.1 has reached end of life and will no longer be updated.
Oracle has updated kernel (OL5; OL6: two vulnerabilities) and krb5 (OL5; OL6: denial of service from 2002).
Red Hat has updated krb5 (denial of service from 2002) and python-keystoneclient (RH OpenStack: PKI token expiration botch).
Scientific Linux has updated kernel (SL6: multiple vulnerabilities).
Comments (none posted)
[$] LWN.net Weekly Edition for June 13, 2013
Posted Jun 13, 2013 1:10 UTC (Thu)
The LWN.net Weekly Edition for June 13, 2013 is available.
Inside this week's LWN.net Weekly Edition
- Front: A report from pgCon; Topics from LinuxCon Japan; RSS reading in Firefox
- Security: Tizen content scanning and app obfuscation; New vulnerabilities in cgit, chromium, kernel, php, ...
- Kernel: Skiplists API and benchmarks; Hot adding and removing memory; OPW—kernel edition
- Distributions: Tizen compliance; FreeBSD, ...
- Development: Little things in language design; Facts about X vs Wayland; The achievements of embedded Linux; Debian's systemd survey; ...
- Announcements: German Parliament tells government to strictly limit patents on software, events.
FSFE: German Parliament tells government to strictly limit patents on software
[Announcements] Posted Jun 12, 2013 18:48 UTC (Wed) by ris
The Free Software Foundation Europe reports that the German Parliament decided upon a joint motion to limit software patents. "The Parliament urges the German Government to take steps to limit the granting of patents on computer programs. Software should exclusively be covered by copyright, and the rights of the copyright holders should not be devalued by third parties' software patents. The only exception where patents should be allowed are computer programs which replace a mechanical or electromagnetic component. In addition the Parliament made clear that governmental actions related to patents must never interfere with the legality of distributing Free Software."
Full Story (comments: 10)
Security advisories for Wednesday
[Security] Posted Jun 12, 2013 18:35 UTC (Wed) by ris
CentOS has updated kernel (C6: multiple vulnerabilities).
Fedora has a big KDE update for F18, fixing a flaw in the way PasteMacroExpander performs password generation. The following packages have been updated: audiocd-kio, analitza, bovo, bomber, blinken, kdeplasma-addons, ark, cantor, dragon, filelight, gwenview, juk, granatier, kajongg, kalgebra, kamera, kalzium, kanagram, kapman, kate, kblackbox, kaccessible, kactivities, katomic, jovie, kblocks, kbreakout, kbounce, kbrunch, kcalc, kcharselect, kcolorchooser, kdeartwork, kde-baseapps, kdeadmin, kdeaccessibility, kde-base-artwork, kdeedu, kdebindings, kdegraphics, kdegames, kdegraphics-mobipocket, kdegraphics-strigi-analyzer, kdenetwork, kde-l10n, kdemultimedia, kdegraphics-thumbnailers, kdelibs, kdepim, kde-print-manager, kdepim-runtime, kdesdk, kdeutils, kde-wallpapers, kde-workspace, kdetoys, kfloppy, kdf, kde-runtime, kfourinline, kdiamond, kgeography, kgamma, kgoldrunner, kgpg, killbots, kiriki, kigo, kig, khangman, kjumpingcube, kiten, klickety, klines, klettres, kimono, kmag, kmahjongg, kmines, kmix, kmousetool, kmplot, kmouth, knetwalk, kolf, knavalbattle, kollision, konquest, kolourpaint, kremotecontrol, kreversi, kruler, ksameplugin, kscd, kross-interpreters, konsole, kshisen, kpat, ksnakeduel, ksirk, kspaceduel, ksnapshot, ksudoku, ksquares, kstars, ktouch, ktimer, kturtle, ktuberling, kwallet, kubrick, kwordquiz, libkcddb, libkdegames, libkexiv2, libkipi, libkmahjongg, lskat, nepomuk-core, marble, libksane, nepomuk-widgets, libkdcraw, libkcompactdisc, libkdeedu, okular, palapeli, oxygen-icon-theme, pairs, parley, pykde4, smokegen, ruby-qt, smokekde, ruby-korundum, smokeqt, picmi, qyoto, rocs, step, superkaramba, svgpart, sweeper, and kdepimlibs.
Mandriva has updated wireshark (multiple vulnerabilities).
Oracle has updated kernel (OL6: multiple vulnerabilities).
Red Hat has updated flash-plugin (code execution).
Ubuntu has updated php5 (13.04: code execution) and telepathy-gabble (denial of service/man-in-the-middle attack).
Comments (13 posted)
U-Boot Creator Wolfgang Denk on the Great Achievements of Embedded Linux (Linux.com)
[Development] Posted Jun 12, 2013 0:27 UTC (Wed) by jake
Linux.com interviews Wolfgang Denk, creator of the U-Boot bootloader, about two great things that embedded Linux has achieved: abstracting away hardware differences for application developers and the rapid adoption of the Yocto project. "But the really dramatic changes do not happen in Linux, but in the hardware. If you consider the landslide-like move from Power Architecture to ARM systems in the last two or three years it is highly notable that this happened without disconcertment for both developers and users: thanks to Linux, the low level hardware details are well abstracted away, and on application level it does not really matter at all which exact architecture or SoC you are working with. This is really a great achievement."
Comments (none posted)
Tuesday's security updates
[Security] Posted Jun 11, 2013 18:15 UTC (Tue) by ris
Debian has updated pymongo (denial of service) and chromium-browser (multiple vulnerabilities).
Fedora has updated nrpe (F18; F17: code execution), rubygem-passenger (F18; F17: insecure temp files), mingw-gnutls (F18; F17: denial of service), libraw (F18; F17: code execution), socat (F18; F17: denial of service), gnutls (F18; F17: denial of service), and livecd-tools (F17: no root password).
openSUSE has updated kernel (11.4: multiple vulnerabilities), xulrunner (12.3: multiple vulnerabilities), subversion (11.4: multiple vulnerabilities), samba (12.3: supersedes previous update), xorg-x11-server (12.3: information disclosure), acroread (11.4: multiple vulnerabilities), icedtea-web (11.4: multiple vulnerabilities), tiff (12.3: two vulnerabilities), libxml2 (12.3: use after free), firefox (12.3: multiple vulnerabilities), wireshark (12.3: multiple vulnerabilities), openstack-keystone (12.3: delayed token invalidation), kernel (12.3: privilege escalation/denial of service), flash-player (12.3: multiple vulnerabilities), gpg2 (11.4: memory access violations), java-1_7_0-openjdk (12.3: multiple vulnerabilities), icedtea-web (11.4: multiple vulnerabilities), krb5 (11.4: denial of service), python-httplib2 (12.3: SSL certificate verification failure), openconnect (12.3: code execution), strongswan (11.4: authentication bypass), acroread (12.3: multiple vulnerabilities), and java-1_6_0-openjdk (11.4: multiple vulnerabilities).
Red Hat has updated kernel (RHEL6; RHEL6.3 EUS: multiple vulnerabilities).
Slackware has updated php (code execution).
SUSE has updated java-1_4_2-ibm (multiple vulnerabilities).
Ubuntu has updated xserver-xorg-video-openchrome (multiple vulnerabilities).
Comments (none posted)
[$] A report from pgCon 2013
[Front] Posted Jun 10, 2013 21:15 UTC (Mon) by jake
This year's pgCon, which concluded May 25th, included an unusually high number of changes to the PostgreSQL community, codebase, and development. Contributors introduced multiple new major projects which will substantially change how people use PostgreSQL, including parallel query, a new binary document store type, and pluggable storage. In addition, Tom Lane switched jobs, four new committers were selected, pgCon had the highest attendance ever at 256 registrations, and held its first unconference after the regular conference. Subscribers can click below for the report by guest author Josh Berkus.
Full Story (comments: 6)
FreeBSD 8.4 released
[Distributions] Posted Jun 10, 2013 19:18 UTC (Mon) by ris
The FreeBSD Release Engineering Team has announced the availability of FreeBSD 8.4. See the detailed release notes for more information.
Comments (none posted)
Security advisories for Monday
[Security] Posted Jun 10, 2013 17:22 UTC (Mon) by ris
Debian has updated subversion (denial of service) and mesa (code execution).
Fedora has updated heat-jeos (F18: no root password), xorg-x11-server (F17: information disclosure), and telepathy-gabble (F18: man-in-the-middle attack).
openSUSE has updated strongswan (authentication bypass), seamonkey (multiple vulnerabilities), curl (12.3; 11.4: cookie information disclosure), xorg-x11-server (information disclosure), gpg2 (memory access violations), clamav (12.3; 11.4: multiple vulnerabilities), libvirt (denial of service), PackageKit (only allow patches for regular updates), flash-player (multiple vulnerabilities), icedtea-web (multiple vulnerabilities), thunderbird (multiple vulnerabilities), mozilla (multiple vulnerabilities), icedtea-web (more vulnerabilities), krb5 (denial of service), wireshark (multiple vulnerabilities), xen (multiple vulnerabilities), telepathy-idle (certificate validation error), samba (multiple vulnerabilities), tiff (two vulnerabilities), and kernel (12.3; 11.4: multiple vulnerabilities).
SUSE has updated java-1_7_0-ibm (multiple vulnerabilities) and java-1_5_0-ibm (multiple vulnerabilities).
Comments (none posted)
Kernel prepatch 3.10-rc5
[Kernel] Posted Jun 9, 2013 16:50 UTC (Sun) by corbet
Linus's 3.10-rc5 announcement makes it clear that he's getting a little grumpy with the number of patches heading into the mainline. "Guys, guys, guys. I'm going to have to start cursing again unless you stop sending me non-critical stuff. So the next pull request I get that has "cleanups" or just pointless churn, I'm going to call you guys out on, and try to come up with new ways to insult you, your mother, and your deceased pet hamster."
Comments (32 posted)
The Wayland Situation: Facts About X vs. Wayland (Phoronix)
[Development] Posted Jun 8, 2013 17:25 UTC (Sat) by jake
Over at Phoronix, Eric Griffith has attempted to set the record straight on X and Wayland, with assistance from X/Wayland developer Daniel Stone. He looks at the failings of X and the corresponding "fixings of Wayland", along with some misconceptions about the two and some generic advantages for Wayland. "'X is Network Transparent.' Wrong. [It's] not. Core X and DRI-1 were network transparent. No one uses either one. Shared-Memory, DRI-2 and DRI-3000 are NOT network transparent, they do NOT work over the network. Modern day X comes down to synchronous, poorly done VNC. If it was poorly done, async, VNC then maybe we could make it work. But [it's] not. Xlib is synchronous (and the movement to XCB is a slow one) which makes networking a NIGHTMARE."
Comments (137 posted)
[$] Little things that matter in language design
[Front] Posted Jun 8, 2013 0:46 UTC (Sat) by jake
The designers of a new programming language are probably most interested in the big features — the things that just couldn't be done with whichever language they are trying to escape from. So they are probably thinking of the type system, the data model, the concurrency support, the approach to polymorphism, or whatever it is that they feel will affect the expressiveness of the language in the way they want. But there are lots of little things to consider too, and guest author Neil Brown looks at some of them in an article from next week's edition.
Full Story (comments: 147)
New stable kernels
[Kernel] Posted Jun 7, 2013 20:14 UTC (Fri) by n8willis
A new batch of stable kernel releases is available. Greg Kroah-Hartman has released 3.0.81, 3.4.48, and 3.9.5, each containing important fixes. Meanwhile, Luis Henriques has released 3.5.7.14 and Kamal Mostafa has released 3.8.13.2, both from Canonical's extended stable tree.
Comments (none posted)
Friday's security updates
[Security] Posted Jun 7, 2013 14:18 UTC (Fri) by n8willis
Fedora has updated bzr (F17, F18; denial of service) and mediawiki (F17, F18; insecure file uploading).
Mageia has updated flightgear (denial of service), krb5 (denial of service), libraw (code execution), libvirt (denial of service), moodle (multiple vulnerabilities), nginx (denial of service), php-geshi (multiple vulnerabilities), socat (denial of service), sssd (symbolic link attack), and wireshark (M2, denial of service; M3, multiple vulnerabilities).
Comments (none posted)
rsyslog 7.4 released
[Development] Posted Jun 6, 2013 21:13 UTC (Thu) by jake
Version 7.4 of the rsyslog system logger has been released. This is the first version of the new 7.4 stable branch and it joins version 7.2.7 as supported versions of the tool. New headline features include support for the systemd journal (both as input and output) along with log file encryption, signatures, and anonymization.
Comments (17 posted)
Security updates for Thursday
[Security] Posted Jun 6, 2013 16:16 UTC (Thu) by jake
Fedora has updated cgit (F17; F18: directory traversal), mod_security (F17; F18: denial of service), pki-tps (F17: two vulnerabilities), libxcb (F18: code execution), libXfixes (F18: code execution), libXt (F18: two vulnerabilities), libXtst (F18: code execution), libXv (F18: two code execution flaws), and libXxf86dga (F18: two code execution flaws).
openSUSE has updated Mesa (12.2: code execution).
Ubuntu has updated a bunch of X libraries for the recent X client vulnerabilities: libdmx, libfs, libx11, libxcb, libxcursor, libxext, libxfixes, libxinerama, libxp, libxrandr, libxrender, libxres, libxt, libxtst, libxv, libxvmc, libxxf86dga, libxxf86vm, and libxi.
Comments (none posted)