
Welcome to LWN.net

Headlines for April 8, 2013

Stable kernels 3.8.6, 3.4.39, and 3.0.72
[Kernel] Posted Apr 5, 2013 18:24 UTC (Fri) by n8willis

Greg Kroah-Hartman has released the 3.8.6, 3.4.39, and 3.0.72 stable kernels. Each includes a number of important updates and changes.

Comments (8 posted)

Ubuntu 13.04 (Raring Ringtail) Beta 2 released
[Distributions] Posted Apr 5, 2013 17:28 UTC (Fri) by corbet

The second and final Ubuntu 13.04 beta release is available for testers; Kubuntu, Edubuntu, Lubuntu, Xubuntu and Ubuntu Studio versions are also available. And as if that weren't enough: "We also welcome two new flavors, Ubuntu Gnome and UbuntuKylin, which are participating in the Ubuntu release process for the first time this cycle." See the technical overview page for instructions and information on new features.

Full Story (comments: 6)

Friday's security updates
[Security] Posted Apr 5, 2013 14:53 UTC (Fri) by n8willis

Fedora has updated py-bcrypt (F17, F18; authentication bypass), firefox (F18; multiple vulnerabilities), thunderbird (F18; multiple vulnerabilities), and xulrunner (F18; multiple vulnerabilities).

Mageia has updated bind (multiple vulnerabilities), dhcp (denial of service), firefox (multiple vulnerabilities), libxslt (denial of service), and thunderbird (multiple vulnerabilities).

Mandriva has updated bash (denial of service), clamav (multiple unspecified vulnerabilities), coreutils (multiple vulnerabilities), cronie (information disclosure), cups (unauthorized administrative access), exif (denial of service), fetchmail (multiple vulnerabilities), and libexif (multiple vulnerabilities).

Mandriva has also re-issued several earlier updates to fix incorrectly-assigned advisory IDs: apache-mod_security, arpwatch, and automake. Today's bash update was also issued earlier, at that time incorrectly labeled as MDVSA-2013:019.

openSUSE has updated apache2 (multiple vulnerabilities), dhcp (denial of service), firefox (multiple vulnerabilities), NRPE (code execution), postgresql91 (multiple vulnerabilities), and postgresql92 (multiple vulnerabilities).

Red Hat has updated openstack-glance (information leak), openstack-keystone (multiple vulnerabilities), openstack-nova (multiple vulnerabilities), and puppet (multiple vulnerabilities).

Slackware has updated subversion (multiple denial-of-service vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities) and unity-firefox-extension (multiple vulnerabilities).

Comments (none posted)

Thursday's security updates
[Security] Posted Apr 4, 2013 16:10 UTC (Thu) by jake

Debian has updated libxslt (denial of service), postgresql-8.4 (guessable random numbers), and postgresql-9.1 (multiple vulnerabilities including remote database file corruption).

Mandriva has updated apache (multiple vulnerabilities), apache-mod_security (access rules bypass), arpwatch (insecure privilege dropping), and automake (code execution).

openSUSE has updated bind (12.1: multiple vulnerabilities), ruby (11.4: denial of service), dhcp (12.1, 12.2; 12.3: denial of service), nrpe (code execution), jakarta-commons-httpclient (12.2, 12.3: insecure SSL certificate checking), and jakarta-commons-httpclient3 (12.1: insecure SSL certificate checking).

Oracle has updated firefox (OL5: multiple vulnerabilities).

SUSE has updated rails (multiple vulnerabilities), rubygem-json_pure (code execution), rubygem-extlib (denial of service), rubygem-crack (denial of service), and puppet (SLE11: multiple vulnerabilities).

Ubuntu has updated Oneiric backport kernel (10.04: multiple vulnerabilities), postgresql (multiple vulnerabilities including remote database file corruption), and libav (12.04, 12.10: code execution).

Comments (none posted)

A serious PostgreSQL security fix
[Security] Posted Apr 4, 2013 13:54 UTC (Thu) by corbet

The PostgreSQL project has announced the release of versions 9.2.4, 9.1.9, 9.0.13 and 8.4.17 containing a number of security fixes, including this one: "CVE-2013-1899, makes it possible for a connection request containing a database name that begins with '-' to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request." The developers recommend an immediate upgrade.

Update: See also the 2013-04-04 security release FAQ. "This is a good general rule for database security: do not allow port access to the database server from untrusted networks unless it is absolutely necessary. This is as true, or more true, of other database systems as it is of PostgreSQL."
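The advisory above describes the trigger at the protocol level: a connection request whose database name begins with '-'. The following is an added example written for this page, not code from the PostgreSQL project or from LWN, showing how a network or host monitor could parse PostgreSQL v3 startup messages, flag requests of that shape, and check a reported server version against the four fixed releases named above. It relies only on documented protocol facts (the startup message layout, and that an absent "database" parameter defaults to the user name); the sample packets are constructed here, not captured traffic, and treating the defaulted database name as equivalent to an explicit one is this example's own generalization.

```python
"""Parsing and triage of PostgreSQL startup messages for the CVE-2013-1899
advisory discussed above.  Added example; not PostgreSQL project or LWN code.

Protocol facts used (PostgreSQL frontend/backend protocol, version 3):
  StartupMessage = int32 length (counting itself) | int32 196608 (3.0)
                   | repeated "name\\0value\\0" | "\\0"
  If the "database" parameter is absent the server uses the user name.
The sample packets at the bottom are constructed for this example.
"""
import struct

PROTOCOL_V3 = 3 << 16  # 196608

# Branches and the first fixed release in each, as listed in the advisory.
FIXED_VERSIONS = {
    (9, 2): (9, 2, 4),
    (9, 1): (9, 1, 9),
    (9, 0): (9, 0, 13),
    (8, 4): (8, 4, 17),
}


def parse_startup_message(packet: bytes) -> dict:
    """Parse a v3 StartupMessage into its parameter dictionary.

    Malformed input raises ValueError so a caller never mistakes garbage
    for a clean connection request.
    """
    if len(packet) < 8:
        raise ValueError("packet too short for a startup message")
    length, proto = struct.unpack("!II", packet[:8])
    if length != len(packet):
        raise ValueError(f"length field {length} != packet size {len(packet)}")
    if proto != PROTOCOL_V3:
        raise ValueError(f"unexpected protocol version {proto:#x}")
    body = packet[8:]
    if not body.endswith(b"\0"):
        raise ValueError("startup message lacks terminating NUL")
    fields = body[:-1].split(b"\0")
    if fields and fields[-1] == b"":   # the normal "...value\0" + "\0" ending
        fields.pop()
    if len(fields) % 2:
        raise ValueError("odd number of name/value elements")
    return {n.decode("utf-8"): v.decode("utf-8")
            for n, v in zip(fields[::2], fields[1::2])}


def effective_database(params: dict) -> str:
    """Database the server would try to open: explicit, else the user name."""
    return params.get("database") or params.get("user", "")


def triage_startup(params: dict) -> list:
    """Return reasons this request matches the crafted request in the
    advisory: a database name that begins with '-'."""
    findings = []
    dbname = effective_database(params)
    if dbname.startswith("-"):
        findings.append(f"database name starts with '-': {dbname!r}")
    return findings


def is_fixed(version: str) -> bool:
    """True if a server version is at or past its branch's fixed release.
    Branches the advisory does not list raise rather than guess."""
    parts = tuple(int(p) for p in version.split("."))
    branch = parts[:2]
    if branch not in FIXED_VERSIONS:
        raise ValueError(f"no fix information for branch {branch}")
    return parts >= FIXED_VERSIONS[branch]


def build_startup_message(params: dict) -> bytes:
    """Encode a v3 StartupMessage; used here only to construct sample input."""
    body = b"".join(n.encode() + b"\0" + v.encode() + b"\0"
                    for n, v in params.items()) + b"\0"
    return struct.pack("!II", 8 + len(body), PROTOCOL_V3) + body


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = {
    "benign":    build_startup_message({"user": "app", "database": "app"}),
    "dash-db":   build_startup_message({"user": "app", "database": "-x"}),
    "dash-user": build_startup_message({"user": "-x"}),  # database defaults to user
}


def scan(packets: dict) -> dict:
    """Map each packet name to its triage findings."""
    return {name: triage_startup(parse_startup_message(pkt))
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_PACKETS).items():
        print(name, findings or "ok")
    print("9.1.8 fixed?", is_fixed("9.1.8"), "9.1.9 fixed?", is_fixed("9.1.9"))
```

The parser rejects anything that is not a well-formed startup message rather than guessing, because a monitor that tolerates malformed input is easy to blind. The version check only answers for the four branches the advisory names; anything else raises, so an unlisted branch is never silently reported as fixed. None of this replaces the FAQ's advice: the request is unauthenticated, so the real mitigation is upgrading and restricting who can reach the server port (listen_addresses, pg_hba.conf and the host firewall) to networks that actually need it.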

Comments (26 posted)

Security Engineering, Second Edition available online
[Security] Posted Apr 4, 2013 13:40 UTC (Thu) by corbet

The NoVA Infosec site notes that Ross Anderson's Security Engineering, Second Edition is available online in PDF form. "'Security Engineering: A Guide to Building Dependable Distributed Systems' written by Ross Anderson of the University of Cambridge and published by Wiley has been one of the 'goto' references for teaching security over the past decade. Although more academic than many of the modern-day security books out there, 'Security Engineering' not only covers the basics of security but also some of the intricacies of building secure systems from the ground up." The reviews include one from Bruce Schneier calling it "the best book on the topic there is".

Comments (1 posted)

[$] LWN.net Weekly Edition for April 4, 2013
Posted Apr 4, 2013 1:26 UTC (Thu)

The LWN.net Weekly Edition for April 4, 2013 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Python Software Foundation; VP8 patent wars; PyDAW.
  • Security: Exploiting digital cameras; New vulnerabilities in bind, glibc, mantis, moodle, ...
  • Kernel: Per-process reclaim; A VFS deadlock post-mortem; In-kernel memory compression.
  • Distributions: Schrödinger's 😻 and outside-the-box naming; Scientific Linux, Ubuntu, Firefox OS, ...
  • Development: Python bytecodes; crowdfunding Geary; new browser engines; C++14 papers; ...
  • Announcements: Subsurface mourns Jan Schubert, software patents, 15 years of Mozilla, crowdfunding and the JOBS Act, ...

Google's "Blink" rendering engine
[Development] Posted Apr 3, 2013 22:05 UTC (Wed) by corbet

Google has announced that it is forking the WebKit rendering engine to make a new project called Blink. "Chromium uses a different multi-process architecture than other WebKit-based browsers, and supporting multiple architectures over the years has led to increasing complexity for both the WebKit and Chromium projects. This has slowed down the collective pace of innovation - so today, we are introducing Blink, a new open source rendering engine based on WebKit."

Comments (25 posted)

Security advisories for Wednesday
[Security] Posted Apr 3, 2013 17:01 UTC (Wed) by ris

CentOS has updated xulrunner (C6; C5: multiple vulnerabilities), firefox (C6; C5: multiple vulnerabilities), and thunderbird (C6; C5: multiple vulnerabilities).

Fedora has updated moodle (F18; F17: multiple vulnerabilities), php (F18; F17: multiple vulnerabilities), 389-ds-base (F18: information exposure), mingw-openssl (F18: multiple vulnerabilities), and perl (F17: denial of service).

Mageia has updated php (multiple vulnerabilities), firebird (remote code execution), privoxy (proxy spoofing), and zoneminder (command execution).

openSUSE has updated ruby (denial of service).

Oracle has updated thunderbird (OL6: multiple vulnerabilities) and firefox (OL6: multiple vulnerabilities).

Red Hat has updated kernel (privilege escalation), firefox (multiple vulnerabilities), thunderbird (multiple vulnerabilities), rubygem-actionpack (cross-site scripting), ruby193-rubygem-activerecord (denial of service), jenkins (man-in-the-middle attacks), and ruby193-ruby (multiple vulnerabilities).

Scientific Linux has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

Ubuntu has updated kernel (11.10: multiple vulnerabilities).

Comments (none posted)

Mozilla and Samsung building a new browser engine
[Development] Posted Apr 3, 2013 16:07 UTC (Wed) by corbet

The Mozilla project has announced a collaboration with Samsung to build "Servo", a next-generation browser rendering engine. "Servo is an attempt to rebuild the Web browser from the ground up on modern hardware, rethinking old assumptions along the way. This means addressing the causes of security vulnerabilities while designing a platform that can fully utilize the performance of tomorrow’s massively parallel hardware to enable new and richer experiences on the Web. To those ends, Servo is written in Rust, a new, safe systems language developed by Mozilla along with a growing community of enthusiasts."

Comments (57 posted)

MATE 1.6 released
[Development] Posted Apr 3, 2013 14:04 UTC (Wed) by corbet

Version 1.6 of the MATE desktop environment is available. "This release is a giant step forward from the 1.4 release. In this release, we have replaced many deprecated packages and libraries with new technologies available in GLib. We have also added a lot of new features to MATE." See the announcement for a list of those new features.

Comments (2 posted)

Baker: Celebrating 15 Years of a Better Web
[Announcements] Posted Apr 3, 2013 13:57 UTC (Wed) by corbet

Mitchell Baker looks back at Mozilla's first 15 years and ponders the years to come as well. "In the coming era both the opportunities and threats to the Web are just as big as they were 15 years ago. As the role of data grows and device capabilities expand, the Internet will become an even more central part of our lives. The need for individuals to have some control over how this works and what we experience is fundamental. Mozilla can — and must — play a key role again. We have the vision, the products and the technology to do this. We know how to enable people to participate, both by contributing to our specific activities and coming up with their own ideas that advance the bigger cause of enriching the Web."

Comments (none posted)

Tuesday's security updates
[Security] Posted Apr 2, 2013 16:29 UTC (Tue) by ris

openSUSE has updated fail2ban (12.x; 11.4: unspecified vulnerability), openstack-keystone (revocation check bypass), and libxslt (12.x; 11.4: denial of service).

Ubuntu has updated libxslt (denial of service) and poppler (multiple vulnerabilities).

Comments (none posted)

McIntyre: Scanning for assembly code in Free Software packages
[Development] Posted Apr 2, 2013 3:04 UTC (Tue) by jake

On his blog, Steve McIntyre writes about work he has been doing to identify assembly code in Linux packages:

In the Linaro Enterprise Group, my task for the last several weeks was to work through a huge number of packages looking for assembly code. Why? So that we could identify code that would need porting to work well on AArch64, the new 64-bit execution state coming to the ARM world Real Soon Now.

Working with some Ubuntu and Fedora developers, we generated a list of packages included in each distribution that seemed to contain assembly code of some sort. Then I worked through that list, checking to see:

  1. if there was actually any assembly there;
  2. if so, what it was for, and
  3. whether it was actually used

That work resulted in a report with his findings.

Comments (30 posted)

Subsurface mourns Jan Schubert
[Announcements] Posted Apr 1, 2013 21:29 UTC (Mon) by corbet

The Subsurface project mourns the loss of Jan Schubert. "It is with great sadness that we say a final 'Tschüss' to one of our most active and engaging developers. Without Jan, Subsurface would not support the needs of technical divers the way it does today."

Comments (none posted)

Security advisories for Monday
[Security] Posted Apr 1, 2013 16:46 UTC (Mon) by ris

Debian has updated bind9 (denial of service).

Fedora has updated rubygem-actionpack (F18; F17: multiple vulnerabilities), gajim (F18; F17: man-in-the-middle attack), drupal7-views (F18; F17: cross-site scripting), rubygem-activesupport (F18; F17: XML parsing vulnerability), mantis (F18; F17: multiple vulnerabilities), httpd (F18: cross-site scripting), rubygem-activerecord (F18: denial of service), glibc (F18: denial of service), sssd (F18: privilege violation), kernel (F17: multiple vulnerabilities), puppet (F17: multiple vulnerabilities).

openSUSE has updated privoxy (11.4: proxy spoofing).

Comments (none posted)

A look at C++14: Papers Part 2
[Development] Posted Apr 1, 2013 15:07 UTC (Mon) by corbet

Here's the second part in the C++14 papers series on the "Meeting C++" site. "A proposal for Executors, objects that can execute units of work packaged as function objects. So this is another possible approach to task based parallelism, where the executor object is used as a reusable thread, that can handle a queue of tasks. One possible implementation of an executor is a thread-pool, but other implementations are possible."

Comments (13 posted)

Kernel prepatch 3.9-rc5
[Kernel] Posted Apr 1, 2013 5:45 UTC (Mon) by mkerrisk

The 3.9-rc5 kernel prepatch is out. Linus says: "Nothing really peculiar stands out. Exynos DRM updates, IBM RamSan driver updates are a bit larger, l2tp update... The rest is pretty much small patches spread out all over. Mostly drivers (block, net, media, tty, usb), networking, and some filesystem updates (btrfs, nfs). Some arch updates (x86, arc). Things seem to be calming down a bit, and everything seems largely on track for a 3.9 release in a few weeks."

Comments (none posted)

Yorba crowdfunding Geary development
[Development] Posted Mar 29, 2013 17:24 UTC (Fri) by n8willis

Back in August 2012, Yorba Foundation founder Adam Dingle spoke at GUADEC about the complexities of crowdfunding development for open source applications. This week, the group officially launched a campaign at IndieGoGo to underwrite development of its open source email client Geary. The target is US $100,000, which, as executive director Jim Nelson explains, is a number chosen to support three full-time developers for the next release cycle. "I doubt there’s a widely-used desktop application out there developed for less than US$100,000 — it’s just that the price tag might be hidden from its users." The campaign runs for one month; among the many factors Dingle spoke of that differentiate between funding sites, IndieGoGo only distributes funds if the target is met.

Comments (22 posted)

Friday's security updates
[Security] Posted Mar 29, 2013 14:42 UTC (Fri) by n8willis

CentOS has updated bind (C6; denial of service) and bind97 (C5; denial of service).

Debian has updated rails (multiple vulnerabilities).

openSUSE has updated clamav (security hardening fixes).

Oracle has updated bind (OL6; denial of service) and bind97 (OL5; denial of service).

Red Hat has updated bind (denial of service) and bind97 (denial of service).

Scientific Linux has updated bind (denial of service) and bind97 (denial of service).

Slackware has updated libssh (denial of service).

Ubuntu has updated bind (denial of service).

Comments (1 posted)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds