Welcome to LWN.net

Headlines for June 18, 2013

Trusting upstream
[Front] Posted Jun 4, 2013 19:49 UTC (Tue) by jake

When one is trying to determine if there are compliance problems in a body of source code—either code from a device maker or from someone in the supply chain for a device—the sheer number of files to consider can be a difficult hurdle. A simple technique can reduce the search space significantly, though it does require a bit of a "leap of faith", according to Armijn Hemel. He presented his technique, along with a case study and a war story or two at LinuxCon Japan.

Full Story (comments: 6)

Tuesday's security updates
[Security] Posted Jun 4, 2013 16:41 UTC (Tue) by ris

CentOS has updated qemu-kvm (C6: unauthorized file access) and mesa (C6; C5: multiple vulnerabilities).

Debian has updated telepathy-gabble (man-in-the-middle attack).

Oracle has updated qemu-kvm (OL6: unauthorized file access) and mesa (OL6; OL5: multiple vulnerabilities).

Red Hat has updated qemu-kvm (RHEL6: unauthorized file access) and mesa (RHEL6; RHEL5: multiple vulnerabilities).

Scientific Linux has updated qemu-kvm (unauthorized file access) and mesa (SL6; SL5: multiple vulnerabilities).

Ubuntu has updated python-keystoneclient (13.04: denial of service).

Processing goes 2.0 with an OpenGL core (The H)
[Development] Posted Jun 4, 2013 14:12 UTC (Tue) by corbet

The H looks at the Processing 2.0 release. "The new version of the language, which has been in development since mid-2011, brings OpenGL rendering to the core of the platform, replacing the older software-based P2D and P3D renderers with new OpenGL-accelerated P2D and P3D renderers. A new OpenGL library, based on work done on the Android version of Processing, has also been incorporated and OpenGL is now part of the core of Processing." For some background on Processing, see this LWN article from last October.

PulseAudio 4.0 released
[Development] Posted Jun 4, 2013 13:44 UTC (Tue) by corbet

Version 4.0 of the PulseAudio audio server is out. Changes include better low-latency request handling, improved JACK integration, a new role-based audio "ducking" module, various performance improvements, and more; see the release notes for details.

Full Story (comments: 28)

Grover: Fedora for short-lifespan server instances
[Distributions] Posted Jun 4, 2013 0:50 UTC (Tue) by jake

On his blog, Andy Grover has some thoughts on how to make Fedora more relevant for servers. Because of the 13-month supported lifespan of a Fedora release, administrators are typically wary of using it, but new deployment schemes make it more viable. "Let's come back to the odd fact that Fedora is both a precursor to RHEL, and yet almost never used in production as a server OS. I think this is going to change. In a world where instances are deployed constantly, instances are born and die but the herd lives on. Once everyone has their infrastructure encoded into a configuration management system, Fedora's short release cycle becomes much less of a burden. If I have service foo deployed on a Fedora X instance, I will never be upgrading that instance. Instead I'll be provisioning a new Fedora X+1 instance to run the foo service, start it, and throw the old instance in the proverbial bitbucket once the new one works."

Security advisories for Monday
[Security] Posted Jun 3, 2013 17:21 UTC (Mon) by ris

Debian has updated iceweasel (multiple vulnerabilities), wireshark (multiple vulnerabilities), and krb5 (UDP ping-pong flaw in kpasswd).

Fedora has updated nagios-plugins (F18: should be built with PIE flags), transifex-client (F18; F17: invalid HTTPS server certificate), xorg-x11-drv-openchrome (F18; F17: multiple vulnerabilities), thunderbird (F17: multiple vulnerabilities), glibc (F17: denial of service), libXinerama (F18: multiple vulnerabilities), libXrender (F18: multiple vulnerabilities), libXext (F18: multiple vulnerabilities), libXres (F18: multiple vulnerabilities), libXi (F18: multiple vulnerabilities), libXvMC (F18: multiple vulnerabilities), libXxf86vm (F18: multiple vulnerabilities), libXrandr (F18: multiple vulnerabilities), libXcursor (F18: multiple vulnerabilities), libdmx (F18: multiple vulnerabilities), and libFS (F18: multiple vulnerabilities).

openSUSE has updated kernel (multiple vulnerabilities), wireshark (multiple vulnerabilities), and gpg2 (memory access violations).

SUSE has updated firefox (multiple vulnerabilities) and icedtea-web (multiple vulnerabilities).

GCC 4.8.1 released
[Development] Posted Jun 3, 2013 16:07 UTC (Mon) by corbet

The GCC 4.8.1 release is out. It is primarily a bug-fix release, but it is not limited to that: "Support for C++11 ref-qualifiers has been added to GCC 4.8.1, making G++ the first C++ compiler to implement all the major language features of the C++11 standard."

Full Story (comments: 39)

Kernel prepatch 3.10-rc4
[Kernel] Posted Jun 3, 2013 13:37 UTC (Mon) by corbet

The fourth 3.10 prepatch is available for testing. "Anyway, rc4 is smaller than rc3 (yay!). But it could certainly be smaller still (boo!). There's the usual gaggle of driver fixes (drm, pinctrl, scsi target, fbdev, xen), but also filesystems (cifs, xfs, with small fixes to reiserfs and nfs)." Note that it is only available via git for now; patches and tarballs will follow eventually.

Open Source guru Atul Chitnis, 51, no more (CIOL)
[Announcements] Posted Jun 3, 2013 13:11 UTC (Mon) by corbet

CIOL reports that Atul Chitnis has passed away. "His was a name that was synonymous with open source. He championed its cause for a major part of his life. Finally, his fruitful existence, touching millions of lives, was to be stolen away by cancer." Your editor had a number of encounters with Atul over the years, including one visit to FOSS.in; he will be much missed.

Stable kernel 3.2.46
[Kernel] Posted May 31, 2013 19:44 UTC (Fri) by n8willis

Ben Hutchings has released kernel 3.2.46, containing the usual array of updates and fixes.

Friday's security updates
[Security] Posted May 31, 2013 13:47 UTC (Fri) by n8willis

CentOS has updated gnutls (denial of service) and libtirpc (denial of service).

Fedora has updated xmp (F17, F18; code execution).

Mandriva has updated gnutls (denial of service).

Oracle has updated gnutls (OL5, OL6; denial of service) and libtirpc (denial of service).

Red Hat has updated gnutls (denial of service), kernel (multiple vulnerabilities), and libtirpc (denial of service).

Scientific Linux has updated gnutls (denial of service) and libtirpc (denial of service).

SUSE has updated kernel (code execution).

Ubuntu has updated kernel (12.04, 12.04 Quantal hwe, 12.04 Raring hwe, 12.10, 13.04; code execution).

LWN.net Weekly Edition for May 31, 2013
Posted May 31, 2013 1:21 UTC (Fri)

The LWN.net Weekly Edition for May 31, 2013 is available.

Inside this week's LWN.net Weekly Edition

  • Front: The open source talent war; Linus and Dirk at LinuxCon Japan; Reserved font names.
  • Security: Pondering the X client vulnerabilities; New vulnerabilities in chromium, kvm, moodle, owncloud, ...
  • Kernel: IPC and kdbus; Atomic I/O operations; Kernel skiplists.
  • Distributions: TDC: A runnable Linux IVI image; Boot to Qt, Fedora, Ubuntu, ...
  • Development: IVI audio routing in Tizen; Elpy 1.0; OpenRelativity; GSoC 2013 projects announced; ...
  • Announcements: Linux Foundation New Members, events.

The Linus and Dirk show
[Kernel] Posted May 30, 2013 21:27 UTC (Thu) by jake

Linus Torvalds and Dirk Hohndel sat down at LinuxCon Japan 2013 for a "fireside chat" (sans fire), ostensibly to discuss where Linux is going. While they touched on that subject, the conversation was wide-ranging over both Linux and non-Linux topics, from privacy to diversity and from educational systems to how operating systems will look in 20-30 years. Subscribers can click below for the full story from this week's edition.

Full Story (comments: 99)

Google: Disclosure timeline for vulnerabilities under active attack
[Security] Posted May 30, 2013 20:51 UTC (Thu) by corbet

Google has announced that it will be disclosing information on actively-exploited vulnerabilities after seven days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves."

Ubuntu bug #1 closed
[Distributions] Posted May 30, 2013 20:47 UTC (Thu) by corbet

Ubuntu's bug #1 has served as a sort of rallying point for the project. Mark Shuttleworth has now closed that bug, saying that it is time to move on. "Android may not be my or your first choice of Linux, but it is without doubt an open source platform that offers both practical and economic benefits to users and industry. So we have both competition, and good representation for open source, in personal computing. Even though we have only played a small part in that shift, I think it's important for us to recognize that the shift has taken place. So from Ubuntu's perspective, this bug is now closed."

Security advisories for Thursday
[Security] Posted May 30, 2013 16:05 UTC (Thu) by ris

Debian has updated gnutls (denial of service).

Fedora has updated pmount (F18; F17: should be built with PIE flags), python-backports-ssl_match_hostname (F18; F17: denial of service), ruby (F18; F17: object taint bypassing), and spnavcfg (F18; F17: should be built with PIE flags).

Ubuntu has updated gnutls (denial of service) and OMAP kernel (13.04: privilege escalation).

Atomic I/O operations
[Kernel] Posted May 30, 2013 2:48 UTC (Thu) by corbet

According to Btrfs developer Chris Mason, tuning Linux filesystems to work well on solid-state storage devices is a lot like working on an old, clunky car. Lots of work goes into just trying to make the thing run with decent performance. Old cars may have mainly hardware-related problems, but, with Linux, the bottleneck is almost always to be found in the software. It is, he said, hard to give a customer a high-performance device and expect them to actually see that performance in their application. Fixing this problem will require work in a lot of areas. One of those areas, supporting and using atomic I/O operations, shows particular potential.

Click below (subscribers only) for the full report from LinuxCon Japan.

Full Story (comments: 19)

Attack wave on Ruby on Rails (The H)
[Security] Posted May 29, 2013 20:28 UTC (Wed) by ris

The H reports increasing attempts to compromise servers via a security hole in Ruby on Rails. "On his blog, security expert Jeff Jarmoc reports that the criminals are trying to exploit one of the vulnerabilities described by CVE identifier 2013-0156. Although the holes were closed back in January, more than enough servers on the net are probably still running an obsolete version of Ruby." The current versions of Ruby on Rails are 3.2.13, 3.1.12 and 2.3.18.

Wednesday's security updates
[Security] Posted May 29, 2013 17:57 UTC (Wed) by ris

CentOS has updated tomcat5 (C5: privilege escalation), haproxy (C6: code execution), and tomcat6 (C6: multiple vulnerabilities).

Debian has updated chromium-browser (multiple vulnerabilities) and otrs2 (privilege escalation).

Fedora has updated gypsy (F18; F17: multiple vulnerabilities), flightgear (F18; F17: code execution), gpsd (F18; F17: denial of service), kdelibs (F18; F17: username and password disclosure), moodle (F18; F17: multiple vulnerabilities), libvirt (F18: denial of service), and varnish (F17: should be built with PIE flags).

Mandriva has updated socat (ES 5.0; BS 1.0: multiple vulnerabilities).

Oracle has updated tomcat6 (OL6: multiple vulnerabilities) and tomcat5 (OL5: privilege escalation).

Red Hat has updated haproxy (RHEL6: code execution), tomcat6 (RHEL6: multiple vulnerabilities), and tomcat5 (RHEL5: privilege escalation).

Scientific Linux has updated haproxy (SL6: code execution), tomcat6 (SL6: multiple vulnerabilities), and tomcat5 (SL5: privilege escalation).

SUSE has updated SUSE Manager (authentication checking problem) and firefox (SLE 11 SP2; SLE 10 SP4: multiple vulnerabilities).

Ubuntu has updated tomcat (multiple vulnerabilities), nova (regression in previous update), and kdelibs (username and password disclosure).

LibreOffice 4.1.0 Beta1 available
[Development] Posted May 28, 2013 19:39 UTC (Tue) by ris

The Document Foundation has announced the first Beta release of LibreOffice 4.1. "The upcoming 4.1 will be our sixth major release in two and a half years, and comes with a nice set of new features." See the list of known bugs before you start testing.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds