[$] LWN.net Weekly Edition for May 16, 2013
Posted May 16, 2013 1:08 UTC (Thu)
The LWN.net Weekly Edition for May 16, 2013 is available.
Inside this week's LWN.net Weekly Edition
- Front: XBMC on/for Android; DRM in HTML5 published; PyPy 2.0
- Security: Linux web servers pushing malware; New vulnerabilities in gpsd, httpd, java, kernel, ...
- Kernel: copy_range(); 3.10 merge window conclusion; Smarter shrinkers; User-space page fault handling.
- Distributions: Always-releasable Debian; Fedora, Ubuntu, ...
- Development: PostgreSQL 9.3 beta; Packetfence 4.0; Go 1.1; Tahoe-LAFS 1.10; ...
- Announcements: Linux Foundation New Members; no software patents in New Zealand, events.
Security advisories for Wednesday
[Security] Posted May 15, 2013 17:19 UTC (Wed) by ris
CentOS has updated firefox (C6; C5:
multiple vulnerabilities) and thunderbird (C6; C5:
multiple vulnerabilities). CentOS has also released a testing kernel that fixes CVE-2013-2094 (more information).
Debian has updated kernel (multiple vulnerabilities).
Fedora has updated tinc (F18;
F17: code execution), xen (F18; F17:
denial of service), and curl (F18: cookie information disclosure).
Mandriva has updated firefox
Red Hat has updated firefox
(multiple vulnerabilities), thunderbird
(multiple vulnerabilities), java-1.7.0-ibm
(multiple vulnerabilities), java-1.6.0-ibm
(multiple vulnerabilities), flash-plugin
(multiple vulnerabilities), and acroread
Scientific Linux has updated firefox
(multiple vulnerabilities) and thunderbird
Ubuntu has updated firefox (multiple
vulnerabilities) and thunderbird (multiple
Comments (none posted)
[$] A look at the PyPy 2.0 release
[Front] Posted May 15, 2013 15:31 UTC (Wed) by jake
It's hard to say why, but May appears to be the month where we look in on PyPy.
years ago, we had a May 2010 introduction to
followed by an experiment using it in May
2011. This year, the PyPy
2.0 release was made on May 9—that, coupled with our evident
tradition, makes for a good reason to look in on this Python
interpreter written in Python. Subscribers can click below for our report
on the release from this week's edition.
Full Story (comments: 9)
Local root vulnerability in the kernel
[Security] Posted May 15, 2013 14:05 UTC (Wed) by corbet
Commit b0a873ebb, merged for the 2.6.37 kernel, included an out-of-bounds
reference bug that went undetected until Tommi Rantala discovered it
with the Trinity fuzzing tool this April. It wasn't seen as a security bug by the kernel
developers until an
exploit was posted; the problem is now known as CVE-2013-2094.
Mainline kernels 2.6.37-3.9 are vulnerable, but Red Hat also backported the
bug into the 2.6.32-based kernel found in RHEL6. Expect distributor
Comments (38 posted)
[$] PostgreSQL 9.3 beta: Federated databases and more
[Development] Posted May 14, 2013 20:04 UTC (Tue) by jake
In Berkeley, California — the birthplace of PostgreSQL — it's spring: plum
and cherry blossoms, courting finches and college students, new plans for
the summer, and the first beta release of the database
system. Every year, the first beta of the next PostgreSQL version comes out
in April or May, for a final release in September. PostgreSQL
9.3 beta 1 was released to the public on May 13th, and contains a
couple dozen new features both for database administrators and application
developers. Subscribers can click below for a look at some of the new
features by guest author Josh Berkus.
Full Story (comments: 30)
Extended stable support for the 3.8 kernel
[Kernel] Posted May 14, 2013 19:46 UTC (Tue) by corbet
Canonical has announced that the Ubuntu kernel team will be providing
stable updates for the 3.8 kernel now that Greg Kroah-Hartman has moved
on. This support will last as long as support for the Ubuntu 13.04
release: through August 2014. "We welcome any feedback and contribution to this effort. We will be
posting the first review cycle patch set in a week or two."
Full Story (comments: 21)
Stable kernel 3.2.45
[Kernel] Posted May 14, 2013 18:30 UTC (Tue) by ris
Ben Hutchings has released stable kernel 3.2.45 with lots of important fixes throughout
Comments (none posted)
Tuesday's security updates
[Security] Posted May 14, 2013 18:27 UTC (Tue) by ris
CentOS has updated httpd (C6;
C5: multiple vulnerabilities).
Fedora has updated php-geshi (F18; F17: multiple vulnerabilities)
and libtiff (F18: multiple vulnerabilities).
Oracle has updated httpd (OL6; OL5:
Red Hat has updated httpd (multiple
Scientific Linux has updated httpd
SUSE has updated kernel (multiple vulnerabilities).
Comments (none posted)
Go language 1.1 released
[Development] Posted May 13, 2013 23:19 UTC (Mon) by corbet
Version 1.1 of the "Go" programming language has been released.
The bulk of the work seems to be in performance improvements, but there are a
number of new features as well, including a race detector and an expanded
library. See the release notes
Comments (17 posted)
Security advisories for Monday
[Security] Posted May 13, 2013 18:22 UTC (Mon) by ris
CentOS has updated hypervkvpd (C5:
denial of service).
Debian has updated xen (multiple
vulnerabilities) and mysql (multiple
Fedora has updated plexus-archiver (F18; F17:
denial of service) and php-sabredav-Sabre_DAV (F18; F17:
local file exposure).
Mageia has updated telepathy-idle
(certificate validation error) and kdelibs
(username and password disclosure).
Mandriva has updated mesa (code
openSUSE has updated strongswan (12.2; 12.1:
authentication bypass), xorg-x11-server
(information disclosure), java-1_6_0-openjdk (multiple vulnerabilities),
and python-httplib2 (SSL certificate
Oracle has updated enterprise kernel (OL6; OL5:
Comments (1 posted)
PostgreSQL 9.3 Beta 1 released
[Development] Posted May 13, 2013 16:36 UTC (Mon) by corbet
The first PostgreSQL 9.3 beta is out for testing. There are plenty of new
features in this release, including writable foreign tables, automatically
updatable VIEWs, lateral joins, indexed regular expression searches,
checksums to detect filesystem-induced data corruption, and more. "In 9.3, PostgreSQL has greatly reduced its requirement for SysV shared
memory, changing to mmap(). This allows easier installation and
configuration of PostgreSQL, but means that we need our users to
rigorously test and ensure that no memory management issues have been
introduced by the change."
Full Story (comments: 4)
Kernel prepatch 3.10-rc1
[Kernel] Posted May 12, 2013 1:09 UTC (Sun) by corbet
Linus has announced the 3.10-rc1 kernel
prepatch and the closure of the merge window for this development cycle.
All told, nearly 12,000 changesets were pulled into the mainline during the
merge window, making it the busiest such ever. See
this article (subscribers only)
for a summary
of changes merged since
last week's merge window update.
Comments (16 posted)
A new set of stable kernel updates
[Kernel] Posted May 11, 2013 22:57 UTC (Sat) by corbet
The 3.9.2, 3.8.13, 3.4.45, and 3.0.78 stable updates are out with the usual
collection of important fixes. Greg says: "NOTE, this is the LAST
3.8.y kernel release, please move to the 3.9.y kernel series at this time.
It is end-of-life, dead, gone, buried, and put way behind us never to be
spoken of again. Seriously, move on, it's just not worth it
Comments (2 posted)
Gawk 4.1.0 released
[Development] Posted May 11, 2013 16:41 UTC (Sat) by corbet
Version 4.1.0 of Gawk (the GNU Awk interpreter) is out. There are lots of
new features, including high-precision arithmetic, a completely reworked
dynamic extension interface, and more.
Full Story (comments: 21)
Results of the Apache OpenOffice 4.0 Logo Survey
[Development] Posted May 10, 2013 18:30 UTC (Fri) by n8willis
Rob Weir has posted an analysis of the logo contest recently held for Apache OpenOffice. The main blog post showcases the leading vote-getters, but the real meat comes in the detailed report, which breaks down the survey by demographics and examines various ways of interpreting what boils down to a set of individual personal preferences. "With an ordinal interpretation we can look at histograms (counts of scores), at the mode (most frequent response), median (the middle value) and the variation ratio (fraction of scores not in the mode). With an interval interpretation we would assign each point on the scale a numeric value, e.g., 1 for Strongly Dislike to 5 for Strongly Like. Then we could take these scores and calculate means and standard deviations." The logo-selection process now moves to revisions by the leading candidates, aiming for the upcoming 4.0 release.
Comments (117 posted)
A proposal for an always-releasable Debian
[Distributions] Posted May 10, 2013 14:33 UTC (Fri) by corbet
Lars Wirzenius and Russ Allbery have posted an essay calling for changes in
how the Debian release cycle works; it is mostly aimed at reducing the
length of freezes to something close to zero. "The fundamental change is to start keeping our "testing" branch
as close to releasable as possible, at all times. For individual
projects, this corresponds to keeping the master or trunk branch
in version control ready to be released. Practitioners of agile
development models, for example, do this quite successfully, by
applying continuous integration, automatic testing, and by having
a development culture that if there's a severe bug in master,
fixing that gets highest priority."
Full Story (comments: 47)
Friday's security updates
[Security] Posted May 10, 2013 14:29 UTC (Fri) by n8willis
Fedora has updated owncloud
Mageia has updated mesa (code execution).
Oracle has updated hypervkvpd
(denial of service).
Red Hat has updated hypervkvpd
(denial of service) and openstack-keystone (password disclosure).
Scientific Linux has updated hypervkvpd (denial of service).
Ubuntu has updated gpsd (code
Comments (none posted)
PacketFence 4.0 released
[Development] Posted May 10, 2013 13:36 UTC (Fri) by corbet
PacketFence is a free
network access control system — the system that decides whether you get to
use the local WiFi network, for example. Version
4.0 is now available. "Packet Fence 4.0 introduces a brand new
modern, fast and responsive web administrative interface. It also
simplifies the definition of authentication sources in one place and allows
dynamic computation of roles. The portal profiles can now be entirely
managed from the web interface, simplifying their definitions and
eliminating possible configuration mistakes."
Comments (3 posted)
Fedora account system (FAS) potential information disclosure
[Distributions] Posted May 9, 2013 22:51 UTC (Thu) by jake
Fedora project leader Robyn Bergeron has announced an information disclosure bug in the Fedora account system that may have exposed certain types of information (hashed passwords, security questions and encrypted answers, etc.) from unapproved members. It has been present since 2008, but could only be exploited by authenticated users; furthermore:
Review of logs has shown no cases where this bug was used in our
production account system, however our staging version was also
vulnerable and we are unable to confirm the information was not
accessed there. Moving forward, additional logging will be added to our
We recommend (but do not require) that all users take this time to
change their passwords, update their security questions/answers and
review their other account information.
Full Story (comments: 17)
Three Ubuntu releases reach end of life
[Distributions] Posted May 9, 2013 22:32 UTC (Thu) by jake
Three releases of Ubuntu reached their end of life on May 9, 2013 and
will no longer receive updates of any kind. Users of Ubuntu 8.04 LTS ("Hardy Heron"), Ubuntu 10.04 LTS Desktop ("Lucid Lynx"), and Ubuntu 11.10 ("Oneiric Ocelot") should upgrade.
Comments (8 posted)