Welcome to LWN.net

Headlines for June 19, 2013

Friday's security updates
[Security] Posted Jun 14, 2013 16:11 UTC (Fri) by n8willis

Fedora has updated gallery3 (F17, F18; insecure URL handling) and xen (multiple vulnerabilities).

Mandriva has updated apache (multiple vulnerabilities) and subversion (denial of service).

openSUSE has updated libxcb (integer overflow), libXext (multiple vulnerabilities), libXfixes (integer overflow), libXt (multiple vulnerabilities), libXrender (integer overflow), libXv (multiple vulnerabilities), nfs-utils (12.2, 12.3; information disclosure), nginx (information disclosure), subversion (multiple vulnerabilities) and telepathy-gabble (TLS bypass).

Oracle has updated kernel (OL5, OL6; multiple vulnerabilities).

Scientific Linux has updated krb5 (denial of service).

Ubuntu has updated kernel (10.04, 10.04 EC2, 12.04, 12.04 OMAP4, 12.04 HWE, 12.10, 12.10 OMAP4, 13.04 OMAP4; multiple vulnerabilities), keystone (insecure authentication), and libdbus (denial of service).

Meeks: LibreOffice's under-the-hood progress in 4.1.0 (beta)
[Development] Posted Jun 13, 2013 23:39 UTC (Thu) by jake

On his blog, Michael Meeks has a look at some of the less visible (to the user) changes to LibreOffice for 4.1. He describes changes like the completion of the switch to GNU make, code cleanup (including more German comment translation), eliminating bugs that result in crashes, refactoring the Calc spreadsheet core, and more. "One of the tasks that most irritates and has distracted new developers from doing interesting feature work on the code-base over many years has been our build system. At the start of LibreOffice, there was an incomplete transition to using GNU make, which required us to use both the horrible old dmake tool as well as gnumake, with configure using a Perl script to generate a shell script configuring a set of environment variables that had to be sourced into your shell in order to compile (making it impossible to re-configure from that shell), with a Perl build script that batched compilation with two layers of parallelism, forcing you to over- or undercommit on any modern builder."

Red Hat discloses RHEL roadmap (TechTarget)
[Distributions] Posted Jun 13, 2013 21:06 UTC (Thu) by jake

TechTarget has an interview with Denise Dumas, Red Hat's director of software engineering, about RHEL 6.5 and 7. In it, Dumas outlines some changes coming in those releases, particularly in the areas of storage, networking, in-place upgrades from RHEL 6, and the default desktop:

We think that people who are accustomed to Gnome 2 will use classic mode until they're ready to experiment with modern mode. Classic mode is going to be the default for RHEL 7, and we're in the final stages now. We're tweaking it and having people experiment with it. The last thing we want to do is disrupt our customers' workflows.

I think it's been hard for the Gnome guys, because they really, really love modern mode, because that's where their hearts are. But they've done a great job putting together classic mode for us, and I think it's going to keep people working on RHEL 5, 6 and 7 who don't want to retrain their fingers each time they switch operating systems -- I think classic mode's going to be really helpful for them.

Stable kernels 3.9.6, 3.4.49, and 3.0.82
[Kernel] Posted Jun 13, 2013 19:46 UTC (Thu) by jake

Greg Kroah-Hartman has announced the release of the 3.9.6, 3.4.49, and 3.0.82 stable kernels. Users of those kernels should upgrade.

Update: As noted in this G+ post, the code name for 3.9.6 has changed to "Black Squirrel Wakeup Call".

Thursday's security updates
[Security] Posted Jun 13, 2013 17:26 UTC (Thu) by jake

CentOS has updated krb5 (C5; C6: denial of service from 2002).

Debian has updated dbus (denial of service).

Fedora has updated perl-Dancer (F17; F18: header injection), kernel (F18: multiple vulnerabilities), and 389-ds-base (F17: information disclosure).

openSUSE has updated kernel (12.1: code execution). The distribution also announced that 12.1 has reached end of life and will no longer be updated.

Oracle has updated kernel (OL5; OL6: two vulnerabilities) and krb5 (OL5; OL6: denial of service from 2002).

Red Hat has updated krb5 (denial of service from 2002) and python-keystoneclient (RH OpenStack: PKI token expiration botch).

Scientific Linux has updated kernel (SL6: multiple vulnerabilities).

[$] LWN.net Weekly Edition for June 13, 2013
Posted Jun 13, 2013 1:10 UTC (Thu)

The LWN.net Weekly Edition for June 13, 2013 is available.

Inside this week's LWN.net Weekly Edition

  • Front: A report from pgCon; Topics from LinuxCon Japan; RSS reading in Firefox
  • Security: Tizen content scanning and app obfuscation; New vulnerabilities in cgit, chromium, kernel, php, ...
  • Kernel: Skiplists API and benchmarks; Hot adding and removing memory; OPW—kernel edition
  • Distributions: Tizen compliance; FreeBSD, ...
  • Development: Little things in language design; Facts about X vs Wayland; The achievements of embedded Linux; Debian's systemd survey; ...
  • Announcements: German Parliament tells government to strictly limit patents on software, events.
FSFE: German Parliament tells government to strictly limit patents on software
[Announcements] Posted Jun 12, 2013 18:48 UTC (Wed) by ris

The Free Software Foundation Europe reports that the German Parliament decided upon a joint motion to limit software patents. "The Parliament urges the German Government to take steps to limit the granting of patents on computer programs. Software should exclusively be covered by copyright, and the rights of the copyright holders should not be devalued by third parties' software patents. The only exception where patents should be allowed are computer programs which replace a mechanical or electromagnetic component. In addition the Parliament made clear that governmental actions related to patents must never interfere with the legality of distributing Free Software."

Security advisories for Wednesday
[Security] Posted Jun 12, 2013 18:35 UTC (Wed) by ris

CentOS has updated kernel (C6: multiple vulnerabilities).

Fedora has a big KDE update for F18, fixing a flaw in the way PasteMacroExpander performs password generation. The following packages have been updated: audiocd-kio, analitza, bovo, bomber, blinken, kdeplasma-addons, ark, cantor, dragon, filelight, gwenview, juk, granatier, kajongg, kalgebra, kamera, kalzium, kanagram, kapman, kate, kblackbox, kaccessible, kactivities, katomic, jovie, kblocks, kbreakout, kbounce, kbrunch, kcalc, kcharselect, kcolorchooser, kdeartwork, kde-baseapps, kdeadmin, kdeaccessibility, kde-base-artwork, kdeedu, kdebindings, kdegraphics, kdegames, kdegraphics-mobipocket, kdegraphics-strigi-analyzer, kdenetwork, kde-l10n, kdemultimedia, kdegraphics-thumbnailers, kdelibs, kdepim, kde-print-manager, kdepim-runtime, kdesdk, kdeutils, kde-wallpapers, kde-workspace, kdetoys, kfloppy, kdf, kde-runtime, kfourinline, kdiamond, kgeography, kgamma, kgoldrunner, kgpg, killbots, kiriki, kigo, kig, khangman, kjumpingcube, kiten, klickety, klines, klettres, kimono, kmag, kmahjongg, kmines, kmix, kmousetool, kmplot, kmouth, knetwalk, kolf, knavalbattle, kollision, konquest, kolourpaint, kremotecontrol, kreversi, kruler, ksameplugin, kscd, kross-interpreters, konsole, kshisen, kpat, ksnakeduel, ksirk, kspaceduel, ksnapshot, ksudoku, ksquares, kstars, ktouch, ktimer, kturtle, ktuberling, kwallet, kubrick, kwordquiz, libkcddb, libkdegames, libkexiv2, libkipi, libkmahjongg, lskat, nepomuk-core, marble, libksane, nepomuk-widgets, libkdcraw, libkcompactdisc, libkdeedu, okular, palapeli, oxygen-icon-theme, pairs, parley, pykde4, smokegen, ruby-qt, smokekde, ruby-korundum, smokeqt, picmi, qyoto, rocs, step, superkaramba, svgpart, sweeper, and kdepimlibs.

Mandriva has updated wireshark (multiple vulnerabilities).

Oracle has updated kernel (OL6: multiple vulnerabilities).

Red Hat has updated flash-plugin (code execution).

Ubuntu has updated php5 (13.04: code execution) and telepathy-gabble (denial of service/man-in-the-middle attack).

U-Boot Creator Wolfgang Denk on the Great Achievements of Embedded Linux (Linux.com)
[Development] Posted Jun 12, 2013 0:27 UTC (Wed) by jake

Linux.com interviews Wolfgang Denk, creator of the U-Boot bootloader, about two great things that embedded Linux has achieved: abstracting away hardware differences for application developers and the rapid adoption of the Yocto project. "But the really dramatic changes do not happen in Linux, but in the hardware. If you consider the landslide-like move from Power Architecture to ARM systems in the last two or three years it is highly notable that this happened without disconcertment for both developers and users: thanks to Linux, the low level hardware details are well abstracted away, and on application level it does not really matter at all which exact architecture or SoC you are working with. This is really a great achievement."

Tuesday's security updates
[Security] Posted Jun 11, 2013 18:15 UTC (Tue) by ris

Debian has updated pymongo (denial of service) and chromium-browser (multiple vulnerabilities).

Fedora has updated nrpe (F18; F17: code execution), rubygem-passenger (F18; F17: insecure temp files), mingw-gnutls (F18; F17: denial of service), libraw (F18; F17: code execution), socat (F18; F17: denial of service), gnutls (F18; F17: denial of service), and livecd-tools (F17: no root password).

openSUSE has updated kernel (11.4: multiple vulnerabilities), xulrunner (12.3: multiple vulnerabilities), subversion (11.4: multiple vulnerabilities), samba (12.3: supersedes previous update), xorg-x11-server (12.3: information disclosure), acroread (11.4: multiple vulnerabilities), icedtea-web (11.4: multiple vulnerabilities), tiff (12.3: two vulnerabilities), libxml2 (12.3: use after free), firefox (12.3: multiple vulnerabilities), wireshark (12.3: multiple vulnerabilities), openstack-keystone (12.3: delayed token invalidation), kernel (12.3: privilege escalation/denial of service), flash-player (12.3: multiple vulnerabilities), gpg2 (11.4: memory access violations), java-1_7_0-openjdk (12.3: multiple vulnerabilities), icedtea-web (11.4: multiple vulnerabilities), krb5 (11.4: denial of service), python-httplib2 (12.3: SSL certificate verification failure), openconnect (12.3: code execution), strongswan (11.4: authentication bypass), acroread (12.3: multiple vulnerabilities), and java-1_6_0-openjdk (11.4: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6; RHEL6.3 EUS: multiple vulnerabilities).

Slackware has updated php (code execution).

SUSE has updated java-1_4_2-ibm (multiple vulnerabilities).

Ubuntu has updated xserver-xorg-video-openchrome (multiple vulnerabilities).

[$] A report from pgCon 2013
[Front] Posted Jun 10, 2013 21:15 UTC (Mon) by jake

This year's pgCon, which concluded May 25th, included an unusually high number of changes to the PostgreSQL community, codebase, and development. Contributors introduced multiple new major projects which will substantially change how people use PostgreSQL, including parallel query, a new binary document store type, and pluggable storage. In addition, Tom Lane switched jobs, four new committers were selected, pgCon had the highest attendance ever at 256 registrations, and held its first unconference after the regular conference. Subscribers can click below for the report by guest author Josh Berkus.

FreeBSD 8.4 released
[Distributions] Posted Jun 10, 2013 19:18 UTC (Mon) by ris

The FreeBSD Release Engineering Team has announced the availability of FreeBSD 8.4. See the detailed release notes for more information.

Security advisories for Monday
[Security] Posted Jun 10, 2013 17:22 UTC (Mon) by ris

Debian has updated subversion (denial of service) and mesa (code execution).

Fedora has updated heat-jeos (F18: no root password), xorg-x11-server (F17: information disclosure), and telepathy-gabble (F18: man-in-the-middle attack).

openSUSE has updated strongswan (authentication bypass), seamonkey (multiple vulnerabilities), curl (12.3; 11.4: cookie information disclosure), xorg-x11-server (information disclosure), gpg2 (memory access violations), clamav (12.3; 11.4: multiple vulnerabilities), libvirt (denial of service), PackageKit (only allow patches for regular updates), flash-player (multiple vulnerabilities), icedtea-web (multiple vulnerabilities), thunderbird (multiple vulnerabilities), mozilla (multiple vulnerabilities), icedtea-web (more vulnerabilities), krb5 (denial of service), wireshark (multiple vulnerabilities), xen (multiple vulnerabilities), telepathy-idle (certificate validation error), samba (multiple vulnerabilities), tiff (two vulnerabilities), and kernel (12.3; 11.4: multiple vulnerabilities).

SUSE has updated java-1_7_0-ibm (multiple vulnerabilities) and java-1_5_0-ibm (multiple vulnerabilities).

Kernel prepatch 3.10-rc5
[Kernel] Posted Jun 9, 2013 16:50 UTC (Sun) by corbet

Linus's 3.10-rc5 announcement makes it clear that he's getting a little grumpy with the number of patches heading into the mainline. "Guys, guys, guys. I'm going to have to start cursing again unless you stop sending me non-critical stuff. So the next pull request I get that has "cleanups" or just pointless churn, I'm going to call you guys out on, and try to come up with new ways to insult you, your mother, and your deceased pet hamster."

The Wayland Situation: Facts About X vs. Wayland (Phoronix)
[Development] Posted Jun 8, 2013 17:25 UTC (Sat) by jake

Over at Phoronix, Eric Griffith has attempted to set the record straight on X and Wayland, with assistance from X/Wayland developer Daniel Stone. He looks at the failings of X and the corresponding "fixings of Wayland", along with some misconceptions about the two and some generic advantages for Wayland. "'X is Network Transparent.' Wrong. [It's] not. Core X and DRI-1 were network transparent. No one uses either one. Shared-Memory, DRI-2 and DRI-3000 are NOT network transparent, they do NOT work over the network. Modern day X comes down to synchronous, poorly done VNC. If it was poorly done, async, VNC then maybe we could make it work. But [it's] not. Xlib is synchronous (and the movement to XCB is a slow one) which makes networking a NIGHTMARE."

[$] Little things that matter in language design
[Front] Posted Jun 8, 2013 0:46 UTC (Sat) by jake

The designers of a new programming language are probably most interested in the big features — the things that just couldn't be done with whichever language they are trying to escape from. So they are probably thinking of the type system, the data model, the concurrency support, the approach to polymorphism, or whatever it is that they feel will affect the expressiveness of the language in the way they want. But there are lots of little things to consider too, and guest author Neil Brown looks at some of them in an article from next week's edition.

New stable kernels
[Kernel] Posted Jun 7, 2013 20:14 UTC (Fri) by n8willis

A new batch of stable kernel releases is available. Greg Kroah-Hartman has released 3.0.81, 3.4.48, and 3.9.5, each containing important fixes. Meanwhile, Luis Henriques has released 3.5.7.14 and Kamal Mostafa has released 3.8.13.2, both from Canonical's extended stable tree.

Friday's security updates
[Security] Posted Jun 7, 2013 14:18 UTC (Fri) by n8willis

Fedora has updated bzr (F17, F18; denial of service) and mediawiki (F17, F18; insecure file uploading).

Mageia has updated flightgear (denial of service), krb5 (denial of service), libraw (code execution), libvirt (denial of service), moodle (multiple vulnerabilities), nginx (denial of service), php-geshi (multiple vulnerabilities), socat (denial of service), sssd (symbolic link attack), and wireshark (M2, denial of service; M3, multiple vulnerabilities).

rsyslog 7.4 released
[Development] Posted Jun 6, 2013 21:13 UTC (Thu) by jake

Version 7.4 of the rsyslog system logger has been released. This is the first version of the new 7.4 stable branch and it joins version 7.2.7 as supported versions of the tool. New headline features include support for the systemd journal (both as input and output) along with log file encryption, signatures, and anonymization.

Security updates for Thursday
[Security] Posted Jun 6, 2013 16:16 UTC (Thu) by jake

Fedora has updated cgit (F17; F18: directory traversal), mod_security (F17; F18: denial of service), pki-tps (F17: two vulnerabilities), libxcb (F18: code execution), libXfixes (F18: code execution), libXt (F18: two vulnerabilities), libXtst (F18: code execution), libXv (F18: two code execution flaws), and libXxf86dga (F18: two code execution flaws).

openSUSE has updated Mesa (12.2: code execution).

Ubuntu has updated a bunch of X libraries for the recent X client vulnerabilities: libdmx, libfs, libx11, libxcb, libxcursor, libxext, libxfixes, libxinerama, libxp, libxrandr, libxrender, libxres, libxt, libxtst, libxv, libxvmc, libxxf86dga, libxxf86vm, and libxi.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds