Industry Leaders Collaborate on OpenDaylight Project
[Announcements] Posted Apr 8, 2013 22:24 UTC (Mon) by ris
The Linux Foundation has announced
the OpenDaylight Project, a community-led and industry-supported open
source framework that will create a more open and transparent approach to
Software-Defined Networking (SDN). "Founded on the principles of
open and transparent
development, OpenDaylight unites technology industry leaders to establish
the largest SDN open source project to date, with the goal of a common and
open SDN platform for developers to utilize, contribute to and build
commercial products and technologies upon. The OpenDaylight Project is
committed to furthering adoption of SDN as well as accelerating innovation
on top of the platform in new and differentiated ways in a vendor-neutral
and open environment where anyone can participate based on the merit of
their contributions." Founding members include Big Switch Networks, Brocade, Cisco, Citrix, Ericsson, IBM, Juniper Networks, Microsoft, NEC, Red Hat and VMware.
Comments (none posted)
3D NVIDIA Tegra graphics support posted
[Kernel] Posted Apr 8, 2013 19:03 UTC (Mon) by corbet
It is a small set of patches but still
worthy of note: Avionic Design (in partnership
with NVIDIA) has contributed 3D support for the graphics engine in the
NVIDIA Tegra series of systems-on-chip. The corresponding user-space code has been posted
on GitHub.
Comments (5 posted)
OASIS gains ANSI accreditation
[Announcements] Posted Apr 8, 2013 19:00 UTC (Mon) by ris
OASIS, the standards group that developed the OpenDocument Format, has
completed the process of becoming accredited by the American National
Standards Institute (ANSI). The Standards Blog covers
the announcement. "Receiving accreditation accomplishes two goals: first, it provides a third-party validation that the SSO in question meets a set of articulated goals that have been internationally agreed to be valuable and important. And second, it qualifies the SSO to have its standards be considered by ISO/IEC for adoption, without having to resort to one of the less formal processes available to consortia (such as the Publicly Available Standard, or PAS process – for which OASIS qualified in 2005, in order to submit its OpenDocument Format for adoption as an ISO/IEC standard)."
Comments (none posted)
Security advisories for Monday
[Security] Posted Apr 8, 2013 18:32 UTC (Mon) by ris
Fedora has updated postgresql (F18; F17:
multiple vulnerabilities), squid (F18; F17:
denial of service), bind (F18; F17: denial of service), asterisk (F18: code execution), asterisk (F17: multiple vulnerabilities),
roundcubemail (F18; F17: file disclosure), mongodb (F18; F17: file
disclosure), mingw-libarchive (F18;
F17: denial of service), nodejs (F18: multiple vulnerabilities), libuv (F18: multiple vulnerabilities), v8 (F18: multiple vulnerabilities), and ngircd (F18: denial of service).
Mageia has updated libuser (multiple
vulnerabilities), gajim (man-in-the-middle
attack), and postgresql (multiple
vulnerabilities).
Mandriva has updated freeradius
(multiple vulnerabilities), freetype2
(multiple vulnerabilities), gnupg (memory
access violations), gnutls (plaintext
recovery), html2ps (directory traversal),
krb5 (denial of service), libgssglue (privilege escalation), libjpeg (code execution), libssh (multiple vulnerabilities), libtiff (code execution), libxslt (multiple vulnerabilities), ncpfs (multiple vulnerabilities), net-snmp (denial of service), nss (multiple vulnerabilities), openssh (denial of service), openssl (multiple vulnerabilities), proftpd (privilege escalation), sudo (privilege escalation), wireshark (multiple vulnerabilities), libxml2 (multiple vulnerabilities), xinetd (service disclosure flaw), bind (denial of service), dhcp (denial of service), accountsservice (file permission bypass), and
awstats (unspecified vulnerability).
openSUSE has updated mozilla
(multiple vulnerabilities), apache2
(cross-site scripting), postgresql
(multiple vulnerabilities), xen (12.1; 12.2:
multiple vulnerabilities), jakarta-commons-httpclient3 (incorrect
certificate validation), opera (multiple
vulnerabilities), thttpd (denial of
service), and puppet (multiple
vulnerabilities).
Slackware has updated seamonkey
(multiple vulnerabilities).
SUSE has updated postgresql
(multiple vulnerabilities).
Ubuntu has updated thunderbird
(multiple vulnerabilities).
Comments (none posted)
Kernel prepatch 3.9-rc6
[Kernel] Posted Apr 8, 2013 7:03 UTC (Mon) by mkerrisk
The 3.9-rc6 kernel prepatch is out. Linus
says: "Nothing really exciting stands
out, I think the appended ShortLog gives a good overview for people
who want to wallow in the details…
Things seem to be on track, which means that unless something comes
up, rc7 will probably be the last rc as usual"
Comments (1 posted)
Stable kernels 3.8.6, 3.4.39, and 3.0.72
[Kernel] Posted Apr 5, 2013 18:24 UTC (Fri) by n8willis
Greg Kroah-Hartman has released the 3.8.6, 3.4.39, and 3.0.72 stable kernels. Each includes a
number of important updates and changes.
Comments (10 posted)
Ubuntu 13.04 (Raring Ringtail) Beta 2 released
[Distributions] Posted Apr 5, 2013 17:28 UTC (Fri) by corbet
The second and final Ubuntu 13.04 beta release is available for testers;
Kubuntu, Edubuntu, Lubuntu, Xubuntu and Ubuntu Studio versions are also
available. And as if that weren't enough: "We also welcome two new
flavors, Ubuntu Gnome and UbuntuKylin, which are participating in the Ubuntu
release process for the first time this cycle." See the
technical overview page for instructions and information on new
features.
Full Story (comments: 12)
Friday's security updates
[Security] Posted Apr 5, 2013 14:53 UTC (Fri) by n8willis
Fedora has updated py-bcrypt (F17, F18; authentication bypass), firefox (F18; multiple vulnerabilities), thunderbird (F18; multiple
vulnerabilities), and xulrunner (F18;
multiple vulnerabilities).
Mageia has updated bind
(multiple vulnerabilities), dhcp
(denial of service), firefox (multiple
vulnerabilities), libxslt (denial of
service), and thunderbird (multiple
vulnerabilities).
Mandriva has updated bash
(denial of service), clamav (multiple
unspecified vulnerabilities), coreutils (multiple
vulnerabilities), cronie (information
disclosure), cups (unauthorized
administrative access), exif (denial of service), fetchmail (multiple vulnerabilities), and
libexif (multiple vulnerabilities).
Mandriva has also re-issued several earlier updates to
fix incorrectly-assigned advisory IDs: apache-mod_security, arpwatch, and automake. Today's bash update
was also issued earlier, at that time incorrectly labeled as MDVSA-2013:019.
openSUSE has updated apache2
(multiple vulnerabilities), dhcp
(denial of service), firefox (multiple
vulnerabilities), NRPE (code
execution), postgresql91 (multiple
vulnerabilities), and postgresql92
(multiple vulnerabilities).
Red Hat has updated openstack-glance (information leak), openstack-keystone (multiple
vulnerabilities), openstack-nova
(multiple vulnerabilities), and puppet
(multiple vulnerabilities).
Slackware has updated subversion (multiple denial-of-service
vulnerabilities).
Ubuntu has updated firefox
(multiple vulnerabilities) and unity-firefox-extension (multiple vulnerabilities).
Comments (none posted)
Thursday's security updates
[Security] Posted Apr 4, 2013 16:10 UTC (Thu) by jake
Debian has updated libxslt (denial
of service), postgresql-8.4 (guessable
random numbers), and postgresql-9.1 (multiple
vulnerabilities including remote database file corruption).
Mandriva has updated apache
(multiple vulnerabilities), apache-mod_security (access rules bypass), arpwatch (insecure privilege dropping), and automake (code execution).
openSUSE has updated bind (12.1:
multiple vulnerabilities), ruby (11.4:
denial of service), dhcp (12.1,
12.2; 12.3:
denial of service), nrpe (code execution),
jakarta-commons-httpclient (12.2, 12.3:
insecure SSL certificate checking), and jakarta-commons-httpclient3 (12.1: insecure
SSL certificate checking).
Oracle has updated firefox (OL5:
multiple vulnerabilities).
SUSE has updated rails (multiple
vulnerabilities), rubygem-json_pure (code
execution), rubygem-extlib (denial of
service), rubygem-crack (denial of
service), and puppet (SLE11: multiple
vulnerabilities).
Ubuntu has updated Oneiric backport
kernel (10.04: multiple vulnerabilities), postgresql (multiple
vulnerabilities including remote database file corruption), and libav (12.04, 12.10: code execution).
Comments (none posted)
A serious PostgreSQL security fix
[Security] Posted Apr 4, 2013 13:54 UTC (Thu) by corbet
The PostgreSQL project has announced the release
of versions 9.2.4, 9.1.9, 9.0.13 and 8.4.17 containing a number of security
fixes, including this one: "CVE-2013-1899, makes it possible for a
connection request containing a database name that begins with '-' to be
crafted that can damage or destroy files within a server's data
directory. Anyone with access to the port the PostgreSQL server listens on
can initiate this request." The developers recommend an immediate
upgrade.
Update: See also the
2013-04-04 security release FAQ. "This is a good general rule
for database security: do not allow port access to the database server from
untrusted networks unless it is absolutely necessary. This is as true, or
more true, of other database systems as it is of PostgreSQL."
Comments (36 posted)
Security Engineering, Second Edition available online
[Security] Posted Apr 4, 2013 13:40 UTC (Thu) by corbet
The NoVA Infosec site notes
that Ross Anderson's Security Engineering, Second Edition is available online in PDF
form. "'Security Engineering: A Guide to Building Dependable
Distributed Systems' written by Ross Anderson of the University of
Cambridge and published by Wiley has been one of the 'goto' references for
teaching security over the past decade. Although more academic than many of
the modern-day security books out there, 'Security Engineering' not only
covers the basics of security but also some of the intricacies of building
secure systems from the ground up." The reviews include one from
Bruce Schneier calling it "the best book on the topic there
is".
Comments (1 posted)
[$] LWN.net Weekly Edition for April 4, 2013
Posted Apr 4, 2013 1:26 UTC (Thu)
The LWN.net Weekly Edition for April 4, 2013 is available.
Inside this week's LWN.net Weekly Edition
- Front: Python Software Foundation; VP8 patent wars; PyDAW.
- Security: Exploiting digital cameras; New vulnerabilities in bind, glibc, mantis, moodle, ...
- Kernel: Per-process reclaim; A VFS deadlock post-mortem; In-kernel memory compression.
- Distributions: Schrödinger's 😻 and outside-the-box naming; Scientific Linux, Ubuntu, Firefox OS, ...
- Development: Python bytecodes; crowdfunding Geary; new browser engines; C++14 papers; ...
- Announcements: Subsurface mourns Jan Schubert, software patents, 15 years of Mozilla, crowdfunding and the JOBS Act, ...
Read more
Google's "Blink" rendering engine
[Development] Posted Apr 3, 2013 22:05 UTC (Wed) by corbet
Google has announced
that it is forking the WebKit rendering engine to make a new project called
Blink. "Chromium uses a different multi-process architecture than
other WebKit-based browsers, and supporting multiple architectures over the
years has led to increasing complexity for both the WebKit and Chromium
projects. This has slowed down the collective pace of innovation - so
today, we are introducing Blink, a new open source rendering engine based
on WebKit."
Comments (29 posted)
Security advisories for Wednesday
[Security] Posted Apr 3, 2013 17:01 UTC (Wed) by ris
CentOS has updated xulrunner (C6; C5:
multiple vulnerabilities), firefox (C6; C5:
multiple vulnerabilities), and thunderbird (C6; C5:
multiple vulnerabilities).
Fedora has updated moodle (F18; F17:
multiple vulnerabilities), php (F18;
F17: multiple vulnerabilities), 389-ds-base (F18: information exposure), mingw-openssl (F18: multiple vulnerabilities),
and perl (F17: denial of service).
Mageia has updated php (multiple
vulnerabilities), firebird (remote code
execution), privoxy (proxy spoofing), and
zoneminder (command execution).
openSUSE has updated ruby (denial of
service).
Oracle has updated thunderbird (OL6:
multiple vulnerabilities) and firefox (OL6:
multiple vulnerabilities).
Red Hat has updated kernel
(privilege escalation), firefox (multiple
vulnerabilities), thunderbird (multiple
vulnerabilities), rubygem-actionpack
(cross-site scripting), ruby193-rubygem-activerecord (denial of
service), jenkins (man-in-the-middle
attacks), and ruby193-ruby (multiple
vulnerabilities).
Scientific Linux has updated firefox
(multiple vulnerabilities) and thunderbird (multiple vulnerabilities).
Slackware has updated firefox
(multiple vulnerabilities) and thunderbird
(multiple vulnerabilities).
Ubuntu has updated kernel (11.10:
multiple vulnerabilities).
Comments (none posted)
Mozilla and Samsung building a new browser engine
[Development] Posted Apr 3, 2013 16:07 UTC (Wed) by corbet
The Mozilla project has announced
a collaboration with Samsung to build "Servo", a next-generation browser
rendering engine. "Servo is an attempt to rebuild the Web browser
from the ground up on modern hardware, rethinking old assumptions along the
way. This means addressing the causes of security vulnerabilities while
designing a platform that can fully utilize the performance of tomorrow’s
massively parallel hardware to enable new and richer experiences on the
Web. To those ends, Servo is written in Rust, a new, safe systems language
developed by Mozilla along with a growing community of enthusiasts."
Comments (63 posted)
MATE 1.6 released
[Development] Posted Apr 3, 2013 14:04 UTC (Wed) by corbet
Version 1.6
of the MATE desktop environment is available. "This release is a
giant step forward from the 1.4 release. In this release, we have replaced
many deprecated packages and libraries with new technologies available in
GLib. We have also added a lot of new features to MATE." See the
announcement for a list of those new features.
Comments (2 posted)
Baker: Celebrating 15 Years of a Better Web
[Announcements] Posted Apr 3, 2013 13:57 UTC (Wed) by corbet
Mitchell Baker looks
back at Mozilla's first 15 years and ponders the years to come as
well. "In the coming era both the opportunities and threats to the
Web are just as big as they were 15 years ago. As the role of data grows
and device capabilities expand, the Internet will become an even more
central part of our lives. The need for individuals to have some control
over how this works and what we experience is fundamental. Mozilla can —
and must — play a key role again. We have the vision, the products and the
technology to do this. We know how to enable people to participate, both by
contributing to our specific activities and coming up with their own ideas
that advance the bigger cause of enriching the Web."
Comments (none posted)
Tuesday's security updates
[Security] Posted Apr 2, 2013 16:29 UTC (Tue) by ris
openSUSE has updated fail2ban (12.x; 11.4:
unspecified vulnerability), openstack-keystone (revocation check bypass),
and libxslt (12.x; 11.4: denial of service).
Ubuntu has updated libxslt (denial
of service) and poppler (multiple
vulnerabilities).
Comments (none posted)
McIntyre: Scanning for assembly code in Free Software packages
[Development] Posted Apr 2, 2013 3:04 UTC (Tue) by jake
On his blog, Steve McIntyre writes about work he has been doing to identify assembly code in Linux packages:
In the Linaro Enterprise Group, my task for the last several weeks was to work through a huge number of packages looking for assembly code. Why? So that we could identify code that would need porting to work well on AArch64, the new 64-bit execution state coming to the ARM world Real Soon Now.
Working with some Ubuntu and Fedora developers, we generated a list of packages included in each distribution that seemed to contain assembly code of some sort. Then I worked through that list, checking to see:
- if there was actually any assembly there;
- if so, what it was for, and
- whether it was actually used.
That work resulted in a report with his findings.
Comments (30 posted)
Subsurface mourns Jan Schubert
[Announcements] Posted Apr 1, 2013 21:29 UTC (Mon) by corbet
The Subsurface project mourns the
loss of Jan Schubert. "It is with great sadness that we say a
final 'Tschüss' to one of our most active and engaging developers. Without
Jan, Subsurface would not support the needs of technical divers the way it
does today."
Comments (none posted)