LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
It has been said that an important part of a maintainer's role is to say "no". Just how this "no" is said can define the style and effectiveness of a maintainer. Linus Torvalds recently displayed just how effective his style can be when saying "no" to a pair of fairly innocuous patches to add a new ioctl() command for block devices — patches in their fifth revision that had already received "Reviewed-by" tags from Christoph Hellwig.
Neil Brown looks at how this all played out in a subscriber-only article.
Linus has released the 4.6-rc1 kernel prepatch and closed the merge window for this development cycle. "So I'm closing the merge window a day early, partly because I have some upcoming travel, but partly because this has actually been one of the bigger merge windows in a while, and if somebody was planning on trying to sneak in any last-minute features, I really don't want to hear about it any more."
The LWN.net Weekly Edition for March 24, 2016 is available.
Version 1.8 of the GStreamer multimedia framework is now available. New is support for hardware-accelerated zero-copy video decoding on Android, a new tracing system that will support more advanced debugging tools, initial support for the Vulkan API, and the debut of the new, simplified GstPlayer playback API (which we looked at in October). There are many other additions and improvements; see the release notes for full details.
KubeCon EU, held in London March 10th, was the second conference dedicated to the Kubernetes container orchestration system. The sold-out attendance of 500 showed how popular the project has become since the release of version 1.0 by Google in July 2015. One week after the conference, version 1.2 was released, which included many long-awaited features.
Part 1 of our coverage, two talks about new 1.2 features, is a subscriber-only article by guest author Josh Berkus.
Arch Linux has updated botan (multiple vulnerabilities) and expat (code execution).
CentOS has updated java-1.7.0-openjdk (C6; C5; C7: sandbox bypass) and java-1.8.0-openjdk (C6; C7: sandbox bypass).
Fedora has updated php-pecl-http (F23: multiple vulnerabilities) and torbrowser-launcher (F23: signature verification bypass).
Mageia has updated filezilla (M5: code execution), git (M5: code execution), iceape (M5: multiple vulnerabilities), krb5 (M5: null pointer dereference), libotr (M5: code execution), moodle (M5: multiple vulnerabilities), openafs (M5: multiple vulnerabilities), pidgin-otr (M5: code execution), webkit (M5: multiple vulnerabilities), and webkit2 (M5: multiple vulnerabilities).
openSUSE has updated quagga (Leap 42.1: code execution).
Oracle has updated java-1.7.0-openjdk (O7; O6; O5: sandbox bypass) and java-1.8.0-openjdk (O7; O6: sandbox bypass).
Red Hat has updated java-1.7.0-openjdk (RHEL6; RHEL7: sandbox bypass), java-1.7.0-oracle (RHEL7: sandbox bypass), java-1.8.0-openjdk (RHEL6, RHEL7: sandbox bypass), and java-1.8.0-oracle (RHEL7: sandbox bypass).
Scientific Linux has updated java-1.7.0-openjdk (SL6; SL7: sandbox bypass) and java-1.8.0-openjdk (SL6; SL7: sandbox bypass).
Ubuntu has updated openjdk-7 (14.04, 15.10: sandbox bypass).
The LWN.net Weekly Edition for March 17, 2016 is available.
The security circus continues to get sillier, it seems. WIRED is reporting on the "Badlock" bug that is being "reported" by SerNet—with the requisite catchy name, logo, and web site—but without any details for three weeks. "But another bug is on the horizon that is setting a new bar for brand-name bug disclosures. It’s called Badlock and it’s already receiving a lot of controversial attention, even though the exact nature of the bug—and most importantly, the patches to fix it—won’t be disclosed for another three weeks. The bug affects unknown versions of the Windows operating system and Samba, free open-source software that integrates Linux or Unix servers and Windows computers across a network."
Josh Bressers's blog post also has some thoughts on the "disclosure": "The thing everyone always should remember in a situation like this is there are a lot of really smart people on the planet. If you think of something clever or discover something new, there are huge odds someone else did too. 3 weeks almost guarantees someone else can figure out whatever it is you found. It's especially interesting in this case since we have a name "Badlock" so we know it probably involves locking. We know it affects Samba and Windows. And we know who it was found by so we can look at which bits of Samba they've been working on lately. That's a lot of information for a clever person."
No Starch Press recently released a book about working with automotive software systems: The Car Hacker's Handbook: A Guide for the Penetration Tester, written by Craig Smith. The book is an expansion of Smith's popular and widely circulated e-book of the same title. The old version remains available online at no cost, but there is considerably more content in the new revision—enough to make it a tempting purchase not just for automotive-software fans in general, but for those interested in embedded-device security and in reverse engineering other classes of consumer product.
CentOS has updated foomatic (C6: three vulnerabilities, one from 2010), git (C7; C6: two code execution flaws), kernel (C6: two vulnerabilities), krb5 (C6: two vulnerabilities), and tomcat6 (C6: Security Manager bypass from 2014).
Debian has updated inspircd (denial of service), pidgin-otr (?:), and redmine (multiple unspecified information disclosure flaws).
Fedora has updated dropbear (F23; F22: information disclosure), kernel (F22; F23: three vulnerabilities), putty (F23; F22: code execution), and qemu (F23: multiple vulnerabilities).
openSUSE has updated dropbear (42.1, 13.2: information disclosure), graphite2 (42.1: three vulnerabilities), libssh (13.2: insecure sessions), perl (13.2: two vulnerabilities), pidgin-otr (42.1, 13.2: code execution), quagga (13.2: code execution), samba (42.1: ACL bypass), thunderbird (42.1, 13.2: multiple vulnerabilities), and tomcat (42.1: multiple vulnerabilities).
Oracle has updated git (OL7; OL6: two code execution flaws) and kernel 3.8.13 (OL7; OL6: two vulnerabilities).
Red Hat has updated python-django (RHOSP7OT for RHEL7; RHOSP7 for RHEL7; RHOSP6 for RHEL7; RHOSP5 for RHEL7; RHOSP5 for RHEL6: two vulnerabilities).
SUSE has updated rubygem-actionview-4_2 (OSC6, ES2.1: code execution) and xen (SLE12SP1: many vulnerabilities, some from 2014 and 2013).
Ubuntu has updated quagga (two vulnerabilities, one from 2013) and tiff (multiple vulnerabilities).
The kernel's control-group mechanism allows processes to be divided into groups for the purposes of tracking and resource control. Both the API and underlying implementation of this mechanism have been going through considerable change in recent years. As part of that change, the newer control-group API has lost the ability to separately manage threads within a process, a loss that is not welcome in some quarters. Current work to replace that functionality is not finding an entirely warm reception either, though.
Citus Data has announced that its CitusDB distributed database has been released, under an open-source license (AGPLv3), as a PostgreSQL extension. "First, Citus 5.0 now fully uses the PostgreSQL extension APIs. In other words, Citus becomes the first distributed database in the world that doesn't fork the underlying database. This means Citus users can immediately benefit from new features in PostgreSQL, such as semi-structured data types (json, jsonb), UPSERT, or when 9.6 arrives no more full table vacuums. Also, users can keep working with their existing Postgres drivers and tools."
The LWN.net Weekly Edition for March 10, 2016 is available.
GNOME 3.20 has been released. "This release brings significant improvements to many of our core applications, such as system upgrades and reviews in Software, simple photo editing in Photos and improved search in Files. Improvements to our platform include shortcut help windows which are now available in many applications, a refined font and better control of location services." See the release notes for details.
Last year, guest author Linda Jacobson participated as an intern in the Outreachy program. In a subscriber-only article from this week's edition, she shares her experiences, along with those of other participants, in this program, which aims to increase diversity in the open-source world.
Debian has updated libmatroska (information leak) and pixman (code execution).
Fedora has updated krb5 (F23: null pointer dereference), webkitgtk (F23: multiple vulnerabilities), and webkitgtk4 (F23: denial of service).
openSUSE has updated bind (Leap42.1: two vulnerabilities).
Oracle has updated foomatic (OL6: two vulnerabilities), kernel (OL6: memory leak), krb5 (OL6: two vulnerabilities), and tomcat6 (OL6: Security Manager bypass).
Red Hat has updated foomatic (RHEL6: three vulnerabilities), git (RHEL6,7: code execution), git19-git (RHSCL: code execution), kernel (RHEL6: memory leak), krb5 (RHEL6: two vulnerabilities), nss-util (RHEL6.2, 6.4, 6.5, 6.6, 7.1: code execution), RHOSE (multiple vulnerabilities), and tomcat6 (RHEL6: Security Manager bypass).
Scientific Linux has updated foomatic (SL6: three vulnerabilities), git (SL6,7: code execution), kernel (SL6: memory leak), krb5 (SL6: two vulnerabilities), and tomcat6 (SL6: Security Manager bypass).
SUSE has updated rubygem-actionview-4_1 (SOSC5: two vulnerabilities).
The LWN.net Weekly Edition for March 3, 2016 is available.
KDE Plasma 5.6 has been released. This version brings many improvements to the task manager, KRunner, activities, and Wayland support. The look and feel has been enhanced with a slicker Plasma theme and smoother widgets. For those that missed having a weather widget, that feature has returned. See the changelog for details.
If your software deals with untrusted user input, it's a good idea to run a fuzzer against the program. For the Linux kernel, the most effective fuzzer of recent years has been Dave Jones's Trinity system call tester. But there's a new system call fuzzer in town, Dmitry Vyukov's syzkaller, and early results from it look promising — over 150 bugs uncovered in the mainline kernel (plus several dozen in Google's internal kernels) in a few months of operation.
The full article by David Drysdale is available to subscribers.
Ars Technica reports that Andy Grove, Intel's first hired employee and later its CEO and chairman, has died. "Intel may have been a footnote in history were it not for Grove. The company started its life making DRAM chips. With this business under pressure from dumped Japanese DRAM, Grove changed the company's direction, deciding to build microprocessors instead. After a few early iterations, this work led to the development of the x86 processor line that made Intel a household name and one of the largest companies in the world. Grove was also instrumental in persuading IBM to use Intel's x86 processors for its newly invented Personal Computer."
Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds