LWN.net

The end of LinuxDevices?

corbet — 2012-02-03T19:57:13+00:00

LinuxDevices.com is carrying a brief note from the "outgoing editor-in-chief" stating that the site's owner has been acquired. "At this point, the future of LinuxDevices.com is uncertain. What we can say for sure is that it has been a pleasure serving our readers -- the best in the business."

Slackware updates

ris — 2012-02-03T19:52:27+00:00

Slackware has been silent for some time (noted in this comment thread). Although we haven't seen any advisories in the LWN mailbox, the changelogs are showing some new updates. Slackware users should update their systems.

Stable kernels 3.0.19, 3.2.3 and 2.6.32.56

ris — 2012-02-03T19:21:49+00:00

Greg KH has released stable kernels 3.0.19, 3.2.3 and 2.6.32.56. All of them have important fixes across the board.

Update 3.2.4 has now been released to address a compilation problem in 3.2.3.

Friday's security updates

ris — 2012-02-03T18:34:11+00:00

CentOS has updated ghostscript (C6; C5; C4: multiple vulnerabilities), php (C6; C5; C4: remote code execution), and C5: php53 (remote code execution).

Debian has updated iceweasel (multiple vulnerabilities), iceape (multiple vulnerabilities), and php5 (remote code execution).

Mandriva has updated mozilla (multiple vulnerabilities).

Red Hat has updated RHEL5: php53 (remote code execution), RHEL4,5,6: php (remote code execution), ghostscript (RHEL5,6; RHEL4: multiple vulnerabilities), and RHEL5.6: freetype (code execution).

Scientific Linux has updated SL5: php53 (remote code execution), SL4,5,6: php (remote code execution), and ghostscript (SL5,6; SL4: multiple vulnerabilities).

PHP 5.3.10 released with critical security fix

corbet — 2012-02-02T22:26:35+00:00

The PHP 5.3.10 release is out; it contains a fix for a remote code execution bug introduced recently by another security fix. Anybody running 5.3.9 should probably upgrade as soon as possible.

Critical PHP vulnerability being fixed (The H)

jake — 2012-02-02T22:12:21+00:00

The H is reporting that a critical remote code execution bug has been found in PHP that was caused by the recent fix for the widespread denial of service via hash collisions vulnerability. "The cause of the problem is the security update to PHP 5.3.9, which was written to prevent denial of service (DoS) attacks using hash collisions. To do so, the developers limited the maximum possible number of input parameters to 1,000 in php_variables.c using max_input_vars. Because of mistakes in the implementation, hackers can intentionally exceed this limit and inject and execute code. The bug is considered to be critical as code can be remotely injected over the web."

Security advisories for Thursday

jake — 2012-02-02T20:25:38+00:00

CentOS has updated openssl (C4: multiple vulnerabilities).

Debian has updated tomcat6 (multiple vulnerabilities).

Fedora has updated BackupPC (F15; F16: cross-site scripting), polipo (F15; F16: denial of service), moodle (F15; F16: multiple vulnerabilities), firefox (F16: multiple vulnerabilities), xulrunner (F16: multiple vulnerabilities), thunderbird (F16: multiple vulnerabilities), thunderbird-lightning (F16: multiple vulnerabilities), gstreamer-plugins-bad-free (F16: multiple vulnerabilities), and libvpx (F16: multiple vulnerabilities).

Mandriva has updated apache (multiple vulnerabilities).

Oracle has updated firefox (OL4; OL5; OL6: multiple vulnerabilities), seamonkey (OL4: multiple vulnerabilities), thunderbird (OL4; OL6: multiple vulnerabilities), and openssl (OL4: multiple vulnerabilities).

Red Hat has updated openssl (RHEL 4: multiple vulnerabilities)

Scientific Linux has updated thunderbird (SL4&5; SL6: multiple vulnerabilities), firefox (multiple vulnerabilities), seamonkey (SL4: multiple vulnerabilities), and openssl (SL4: multiple vulnerabilities).

Seigo: Spark answers

jake — 2012-02-02T19:29:15+00:00

Aaron Seigo answers questions about the Spark tablet, which is based on Plasma Active, that he announced on January 29. There is more information about the hardware and software, delivery timeframe (May 2012), and pre-orders: "Pre-order registration will open early next week. This was one piece in the puzzle that was taking a bit [longer] than I hoped for to come together, but it's finally slotted in and our distribution partner has got the necessary infrastructure settled. I'll lift the veil off of the pre-order and our distribution strategy when it goes live."

Gettys: Bufferbloat demonstration videos

corbet — 2012-02-02T17:51:36+00:00

Jim Gettys says: "If people have heard of bufferbloat at all, it is usually just an abstraction despite having personal experience with it. Bufferbloat can occur in your operating system, your home router, your broadband gear, wireless, and almost anywhere in the Internet. They still think that if experience poor Internet speed means they must need more bandwidth, and take vast speed variation for granted. Sometimes, adding bandwidth can actually hurt rather than help. Most people have no idea what they can do about bufferbloat. So I’ve been working to put together several demos to help make bufferbloat concrete, and demonstrate at least partial mitigation." Definitely useful viewing for anybody who is concerned with the problem and how to begin addressing it.

[$] LWN.net Weekly Edition for February 2, 2012

corbet — 2012-02-02T01:26:00+00:00

The LWN.net Weekly Edition for February 2, 2012 is available.

Kuhn: Some Thoughts on Conservancy's GPL Enforcement

corbet — 2012-02-01T18:52:43+00:00

Bradley Kuhn has posted a lengthy explanation of the Software Freedom Conservancy's GPL enforcement activities and the demands they make. "I started using this request regularly around 2002 because violators express a concern that, if they came into compliance due to my efforts, what was to stop others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say: 'Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate'."

The Document Foundation will be based in Berlin

corbet — 2012-02-01T18:13:11+00:00

The Document Foundation has announced that its long-awaited legal entity will be based in Berlin. "'After many months of work in close cooperation with the authorities, we were able to keep the spirit of the community bylaws, and incorporate them into legally binding statutes, that ensure the promises that TDF has made in its manifesto', says Michael (Mike) Schinagl, a Berlin-based lawyer and contributor to various free software projects, who has been driving the legal aspects of the foundation set-up from the very beginning."

Wednesday's security update

corbet — 2012-02-01T18:10:47+00:00

CentOS has updated thunderbird (C4, C5, C6: multiple vulnerabilities), firefox (C4, C5, C6: multiple vulnerabilities) and seamonkey (C4: multiple vulnerabilities).

Fedora has updated smokeping (F15, F16: cross-site scripting), krb5 (F15: denial of service), and sudo (F16: privilege escalation).

Red Hat has updated thunderbird (RHEL4-5, RHEL6: multiple vulnerabilities), firefox (RHEL4-6: multiple vulnerabilities), and seamonkey (RHEL4: multiple vulnerabilities).

Ubuntu has updated usbmuxd (code execution via hostile USB device).

[$] A tempest in a toybox

corbet — 2012-02-01T16:26:38+00:00

The eLinux.org web site is currently promoting a project to write a replacement for Busybox under a permissive license. Normally, the writing of more free software is seen as a good thing, but, in this case, there have been complaints about the perceived motivation behind the project. What this discussion shows is that there are some divisions within our community on how our licenses should be enforced - and even what those licenses say.

Apache HTTP Server 2.2.22 released

corbet — 2012-02-01T15:13:43+00:00

Version 2.2.22 of the Apache web server is out. The main point of this release appears to be the fixing of six different CVE numbers, so people with their own Apache builds probably want to grab the update.