LWN.net

New stable kernels 3.9.4, 3.4.47, and 3.0.80

ris — 2013-05-24T19:43:27+00:00

There are three new stable kernels available: 3.9.4, 3.4.47, and 3.0.80. All contain important fixes.

Security issue in livecd-tools causes password issue in Fedora cloud images

ris — 2013-05-24T18:12:50+00:00

A security issue has been identified in the tool used by the Fedora Project to create cloud images. "Images generated by this tool, including Fedora Project “official” AMIs (Amazon Machine Images), AMIs whose heritage can be traced to official Fedora AMIs, as well as some images using the AMI format in non-Amazon clouds, are affected, as described below." The flaw has been assigned CVE-2013-2069.

Debian Project mourns the loss of Ray Dassen

ris — 2013-05-24T17:46:59+00:00

Long time Debian developer Ray Dassen died on May 18. "The Debian Project honours Ray's great work and his strong dedication to Debian and Free Software. His technical knowledge and his ability to share that knowledge with others will be missed. His contributions will not be forgotten, and the high standards of his work will continue to serve as an inspiration to others."

Security advisories for Friday

ris — 2013-05-24T17:22:58+00:00

Debian has updated libdmx (multiple vulnerabilities), libxv (multiple vulnerabilities), libxvmc (multiple vulnerabilities), libfixes (multiple vulnerabilities), libxrender (multiple vulnerabilities), mesa (multiple vulnerabilities), xserver-xorg-video-openchrome (multiple vulnerabilities), libxt (multiple vulnerabilities), libxcursor (multiple vulnerabilities), libxext (multiple vulnerabilities), libxi (multiple vulnerabilities), libxrandr (multiple vulnerabilities), libxp (multiple vulnerabilities), libxcb (multiple vulnerabilities), libfs (multiple vulnerabilities), libxres (multiple vulnerabilities), libxtst (multiple vulnerabilities), libxxf86dga (multiple vulnerabilities), libxinerama (multiple vulnerabilities), libxxf86vm (multiple vulnerabilities), and libxvmc (regression in previous update).

openSUSE has updated kernel (multiple vulnerabilities), firefox (multiple vulnerabilities), and icedtea-web (multiple vulnerabilities).

Red Hat has updated kvm (privilege escalation).

SUSE has updated kernel (privilege escalation).

Ubuntu has updated kernel (13.04; 12.10; 12.04 LTS: multiple vulnerabilities), quantal HWE kernel (12.04 LTS: multiple vulnerabilities), and OMAP4 kernel (12.10: multiple vulnerabilities).

Numerous security issues in X Window System clients

corbet — 2013-05-23T15:45:37+00:00

X.Org has disclosed a long list of vulnerabilities that have been fixed in the X Window System client libraries; most of them expose clients to attacks by a hostile server. "Most of the time X clients & servers are run by the same user, with the server more privileged from the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges." There are 30 CVE numbers assigned to these vulnerabilities; expect the distributor updates to start flowing shortly.

Sharp: Linux Kernel Internships (OPW) Update

corbet — 2013-05-23T15:37:00+00:00

Sarah Sharp reports on the response to the availability of a set of Outreach Program for Women internships working on the Linux kernel. "As coordinator for the Linux kernel OPW project, I was really worried about whether applicants would be able to get patches into the kernel. Everyone knows that kernel maintainers are the pickiest bastards^Wperfectionists about coding style, getting the proper Signed-off-by, sending plain text email, etc. I thought a couple applicants would be able to complete maybe one or two patches, tops. Boy was I wrong!" In the end, 41 applicants submitted 374 patches to the kernel, of which 137 were accepted.

Introducing Boot to Qt

corbet — 2013-05-23T14:26:18+00:00

The Qt Blog introduces "Boot to Qt", which is "a light-weight UI stack for embedded linux, based on the Qt Framework - Boot to Qt is built on an Android kernel/baselayer and offers an elegant means of developing beautiful and performant embedded devices." Access is invitation-only currently; a release is forecast for sometime around the end of the year.

Thursday's security updates

corbet — 2013-05-23T13:57:34+00:00

Debian has updated request-tracker4 (eight CVE numbers), and the kfreebsd kernel (code execution).

Fedora has updated python-virtualenv (F17, F18: temporary file and information disclosure vulnerabilities), krb5 (F17, "UDP ping-pong vulnerability" from 2002), and nginx (F18: denial of service and information disclosure).

openSUSE has updated samba (CIFS share attribute verification failure).

Oracle has updated kernel (EL5: denial of service).

Red Hat has updated java-1.5.0-ibm (RHEL5-6: 16 "unspecified" vulnerabilities).

[$] LWN.net Weekly Edition for May 23, 2013

corbet — 2013-05-23T00:40:47+00:00

The LWN.net Weekly Edition for May 23, 2013 is available.

Google Code to deprecate downloads

corbet — 2013-05-22T20:35:09+00:00

Google has announced that it will be phasing out the file download feature for projects hosted on Google Code. "Downloads were implemented by Project Hosting on Google Code to enable open source projects to make their files available for public download. Unfortunately, downloads have become a source of abuse with a significant increase in incidents recently. Due to this increasing misuse of the service and a desire to keep our community safe and secure, we are deprecating downloads."

How Google plans to rule the computing world through Chrome (GigaOM)

corbet — 2013-05-22T19:58:13+00:00

GigaOM asserts that Google will be taking over the desktop (regardless of the underlying operating system) with its Chrome browser. "For many Chrome is just a browser. For others who use a Chromebox or Chromebook, like myself, it’s my full-time operating system. The general consensus is that Chrome OS, the platform used on these devices, can only browse the web and run either extensions and web apps; something any browser can do. Simply put, the general consensus is wrong and the signs are everywhere."

EFF: Vermont Is Mad as Hell at Patent Trolls

corbet — 2013-05-22T19:15:50+00:00

The Electronic Frontier Foundation has sent out a release about how the US state of Vermont is going on the offensive against patent trolls. "Not content to strike back against a single troll, Vermont is also poised to pass a bill dealing with the problem as a whole. The Vermont House and Senate recently passed a bill to combat 'bad faith assertions of patent infringement'. And the latest word is that Vermont's governor is about to sign it into law."

[$] An "enum" for Python 3

jake — 2013-05-22T18:18:32+00:00

Designing an enumeration type (i.e. "enum") for a language may seem like a straightforward exercise, but the recently "completed" discussions over Python's PEP 435 show that it has a few wrinkles. The discussion spanned several long threads in two mailing lists (python-ideas, python-devel) going back to January in this particular iteration, but the idea is far older than that. Subscribers can click below for the full article from this week's edition.

Security updates for Wednesday

ris — 2013-05-22T16:51:06+00:00

CentOS has updated kernel (C5: denial of service).

Fedora has updated gallery3 (F18; F17: cross-site scripting) and openstack-keystone (F18: multiple vulnerabilities).

Mandriva has updated krb5 (UDP ping-pong flaw in kpasswd).

Red Hat has updated kernel (RHEL5: denial of service).

Scientific Linux has updated kernel (SL5: denial of service).

SUSE has updated java-1_6_0-openjdk (multiple vulnerabilities) and kernel (privilege escalation).

Ubuntu has updated libtiff (two vulnerabilities).

Debian GNU/Hurd 2013 released

jake — 2013-05-22T02:36:18+00:00

While it is not an official Debian release, the Debian GNU/Hurd team has announced the release of Debian GNU/Hurd 2013. GNU Hurd is a Unix-style kernel based on the Mach microkernel and Debian GNU/Hurd makes much of the Debian system available atop that kernel.

Debian GNU/Hurd is currently available for the i386 architecture with more than 10.000 software packages available (more than 75% of the Debian archive, and more to come!).

Please make sure to read the configuration information, the FAQ, and the translator primer to get a grasp of the great features of GNU/Hurd.

Due to the very small number of developers, our progress of the project has not been as fast as other successful operating systems, but we believe to have reached a very decent state, even with our limited resources.