Welcome to LWN.net

Headlines for April 9, 2013

Kernel prepatch 3.9-rc4
[Kernel] Posted Mar 24, 2013 9:47 UTC (Sun) by mkerrisk

The 3.9-rc4 kernel prepatch is out. Linus says: "Another week, another -rc. And things haven't calmed down, meaning that the nice small and calm -rc2 was definitely the outlier so far. … While it hasn't been as calm as I'd like things to be, it's not like things have been hugely exciting either. Most of this really is pretty trivial. It's all over, with the bulk in drivers (drm, md, net, mtd, usb, sound), but also some arch updates (powerpc, arm, sparc, x86) and filesystem work (cifs, ext4)."

Comments (none posted)

Regehr: GCC 4.8 Breaks Broken SPEC 2006 Benchmarks
[Development] Posted Mar 23, 2013 13:32 UTC (Sat) by corbet

John Regehr explains how new optimizations in GCC 4.8.0 can break code making use of undefined behavior. "A C compiler, upon seeing d[++k], is permitted to assume that the incremented value of k is within the array bounds, since otherwise undefined behavior occurs. For the code here, GCC can infer that k is in the range 0..15. A bit later, when GCC sees k<16, it says to itself: 'Aha-- that expression is always true, so we have an infinite loop.'"

Comments (71 posted)

GCC 4.8.0 released
[Development] Posted Mar 22, 2013 23:21 UTC (Fri) by corbet

The GCC 4.8.0 release is out. "Extending the widest support for hardware architectures in the industry, GCC 4.8 has gained support for the upcoming 64-bit ARM instruction set architecture, AArch64. GCC 4.8 also features support for Hardware Transactional Memory on the upcoming Intel Haswell CPU architecture." There's a lot of new stuff in this release; see the changes file and LWN's GCC 4.8.0 coverage for details.

Full Story (comments: none)

OpenSSH 6.2 released
[Development] Posted Mar 22, 2013 15:12 UTC (Fri) by corbet

OpenSSH 6.2 is out. New features include some new encryption modes, the ability to require multiple authentication protocols (requiring both public key and a password, for example), key revocation list support, better seccomp-filter sandbox support, and more.

Full Story (comments: 24)

Friday's security updates
[Security] Posted Mar 22, 2013 14:38 UTC (Fri) by n8willis

CentOS has updated boost (code execution) and qt (information disclosure).

Fedora has updated kernel (multiple vulnerabilities), mediawiki (F17, F18; session fixation flaw), perl (denial of service), and privoxy (F17, F18; proxy spoofing).

openSUSE has updated telepathy-gabble (denial of service).

Oracle has updated boost (code execution) and qt (information disclosure).

Red Hat has updated boost (code execution), Django (multiple vulnerabilities), openstack-cinder (multiple vulnerabilities), openstack-nova (multiple vulnerabilities), openstack-packstack (insecure file handling), and qt (information disclosure).

Scientific Linux has updated boost (code execution) and qt (information disclosure).

Comments (none posted)

Blum: Adria Richards, PyCon, and How We All Lost
[Announcements] Posted Mar 22, 2013 14:04 UTC (Fri) by corbet

Perhaps the best description and analysis of the unfortunate events at PyCon can be found in this post from Amanda Blum. In short, she concludes that everybody lost in this incident.

Any comments posted should, please, have something new to say and demonstrate the highest level of respect for others, whether or not you agree with them.

See also: What really happened at PyCon.

Comments (151 posted)

Russell: GCC and C vs C++ Speed, Measured
[Development] Posted Mar 22, 2013 13:49 UTC (Fri) by corbet

Rusty Russell ran an investigation to determine whether code compiled with the GCC C++ compiler is slower than code from the C compiler. "With this in mind, and Ian Taylor’s bold assertion that 'The C subset of C++ is as efficient as C', I wanted to test what had changed with some actual measurements. So I grabbed gcc 4.7.2 (the last release which could do this), and built it with C and C++ compilers." His conclusion is that the speed of the compiler is the same regardless of how it was built; using C++ does not slow things down.

Comments (24 posted)

China to standardize on Ubuntu
[Distributions] Posted Mar 22, 2013 13:36 UTC (Fri) by corbet

Canonical has announced a collaboration with the Chinese government to create a standard operating system reference architecture based on the Ubuntu distribution. "The initial work of the CCN Joint Lab is focused on the development of an enhanced version of the Ubuntu desktop with features specific to the Chinese market. The new version is called Ubuntu Kylin and the first version will be released in April 2013 in conjunction with Ubuntu’s global release schedule. Future work will extend beyond the desktop to other platforms."

Comments (15 posted)

PyCon US 2013 videos posted
[Announcements] Posted Mar 21, 2013 15:21 UTC (Thu) by corbet

For those who could not attend PyCon US 2013, videos from the talks are now available.

Comments (1 posted)

Security updates for Thursday
[Security] Posted Mar 21, 2013 14:03 UTC (Thu) by jake

Debian has updated libapache2-mod-perl2 (regression in previous security fix) and smokeping (cross-site scripting).

Fedora has updated firebird (F17; F18: remote code execution).

openSUSE has updated typo3-cms (two vulnerabilities) and pidgin (multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (Web Start and browser plugin EOL).

Ubuntu has updated python-nova (two vulnerabilities), python-keystone (12.10: incorrect revocation checking), clamav (multiple unspecified vulnerabilities), and OMAP4 kernel (12.10: multiple vulnerabilities).

Comments (none posted)

LWN.net Weekly Edition for March 21, 2013
Posted Mar 21, 2013 0:31 UTC (Thu)

The LWN.net Weekly Edition for March 21, 2013 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Upholding first sale; Eben Upton on the Raspberry Pi; When does the FSF own your code?
  • Security: Mozilla Persona; New vulnerabilities in chromium, clamav, poppler, wireshark, ...
  • Kernel: The trouble with DMA masks; Anatomy of a user namespaces vulnerability.
  • Distributions: Debian Project Leader election draws near; Debian, Tanglu, ...
  • Development: GCC 4.8.0 approaching; Open Badges 1.0; Geary 0.3; FreeDV Robustness; ...
  • Announcements: Goodbye Malcolm Tredinnick, GSoC mentors, PSF ends trademark dispute, Tor report, ...

Anatomy of a user namespaces vulnerability
[Kernel] Posted Mar 20, 2013 21:10 UTC (Wed) by mkerrisk

An exploit posted on March 13 revealed a rather easily exploitable security vulnerability (CVE-2013-1858) in the implementation of user namespaces. That exploit enables an unprivileged user to escalate to full root privileges. Although a fix was quickly provided, it is nevertheless instructive to look in some detail at the vulnerability, both to better understand the nature of this kind of exploit and also to briefly consider how this vulnerability came to appear inside the user namespaces implementation.

Full Story (comments: 30)

Stable kernel updates
[Kernel] Posted Mar 20, 2013 20:49 UTC (Wed) by ris

Four stable kernels have been released: 3.8.4, 3.4.37, 3.2.41, and 3.0.70. All of them contain important fixes.

Comments (none posted)

Tor 2012 Annual Report
[Announcements] Posted Mar 20, 2013 18:18 UTC (Wed) by ris

The Tor Project has announced the availability of its 2012 annual report (PDF). "Tor’s daily usage continues to increase in size and diversity, bringing secure, global channels of communication and privacy tools to journalists, law enforcement, governments, human rights activists, business leaders, militaries, abuse victims and average citizens concerned about online privacy." (Thanks to Paul Wise)

Comments (3 posted)

Security advisories for Wednesday
[Security] Posted Mar 20, 2013 17:53 UTC (Wed) by ris

CentOS has updated sssd (C6: privilege violation).

Fedora has updated telepathy-gabble (F18: denial of service), gnome-online-accounts (F18: information disclosure), kernel (F18: privilege escalation), and sudo (F17: privilege escalation).

openSUSE has updated transmission (code execution), wireshark (12.3, 12.2, 12.1; 11.4: multiple vulnerabilities), sudo (12.3, 12.2, 12.1; 11.4: privilege escalation), firebird (12.3, 12.2, 12.1; 11.4: code execution), perl (12.3, 12.2, 12.1; 11.4: multiple vulnerabilities), krb5 (denial of service), and java-1_7_0-openjdk (code execution).

Oracle has updated sssd (OL6: privilege violation).

Red Hat has updated kernel (RHEL 6.1 EUS; RHEL 6.3 EUS: kernel-mode code execution) and sssd (RHEL6: privilege violation).

Scientific Linux has updated sssd (SL6: privilege violation).

SUSE has updated Ruby on Rails (multiple vulnerabilities) and rubygem-merb-core (multiple vulnerabilities).

Ubuntu has updated perl (denial of service).

Comments (none posted)

Plasma Media Center 1.0.0 released
[Development] Posted Mar 20, 2013 13:31 UTC (Wed) by corbet

The first release of the Plasma Media Center has been announced. "KDE's Plasma Media Center (PMC) is aimed towards a unified media experience on PCs, Tablets, Netbooks, TVs and any other device that is capable of running KDE. PMC can be used to view images, play music or watch videos."

Comments (6 posted)

MongoDB 2.4 release
[Development] Posted Mar 20, 2013 12:51 UTC (Wed) by corbet

Version 2.4 of the MongoDB "NoSQL" database system has been released. Headline features include a new text search facility, spherical geometry support, hash-based sharding, Kerberos authentication, and more; see the release notes for details.

Comments (none posted)

Goodbye Malcolm (Tredinnick)
[Announcements] Posted Mar 19, 2013 18:50 UTC (Tue) by corbet

The Django community mourns the passing of Malcolm Tredinnick. "Malcolm was a long-time contributor to Django, a model community member, a brilliant mind, and a friend. His contributions to Django — and to many other open source projects — are nearly impossible to enumerate. Many on the core Django team had their first patches reviewed by him; his mentorship enriched us. His consideration, patience, and dedication will always be an inspiration to us."

Comments (8 posted)

Ubuntu to halve support length for non-LTS releases (The H)
[Distributions] Posted Mar 19, 2013 18:18 UTC (Tue) by ris

The H reports that support for Ubuntu's non-LTS releases will be shortened to nine months. "In a meeting of the Ubuntu Technical Board last night, the technical leadership of Canonical's Linux distribution decided to halve the support time for non-LTS releases to nine months. At the same time, the developers want to make it easier for users of the distribution to get up-to-date packages on a regular basis without the need to perform explicit upgrades of the whole distribution. Attending the meeting, Matt Zimmerman, Colin Watson and Stéphane Graber unanimously agreed on these points and also clearly voted against moving Ubuntu into a rolling release model. The changes will be implemented in the maintenance schedule starting with the release of Ubuntu 13.04 ("Raring Ringtail") on 25 April."

Comments (40 posted)

Tuesday's security updates
[Security] Posted Mar 19, 2013 15:59 UTC (Tue) by ris

CentOS has updated krb5 (C6: denial of service).

Mageia has updated clamav (multiple vulnerabilities).

Oracle has updated krb5 (OL6: denial of service).

Red Hat has updated krb5 (RHEL6: denial of service).

Scientific Linux has updated krb5 (SL6: denial of service).

SUSE has updated java5 (SLES 10 SP3 LTSS: multiple vulnerabilities) and java2 (SUSE CORE 9: multiple vulnerabilities).

Ubuntu has updated kernel (12.04 LTS; 12.10: multiple vulnerabilities) and Quantal HWE kernel (12.04 LTS: multiple vulnerabilities).

Comments (none posted)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds