LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
The LWN.net Weekly Edition for November 17, 2016 is available.
Clement Lefebvre has announced the release of Cinnamon 3.2. This version has QT 5.7+ support, support for libinput touchpads as well as synaptics, and many more changes across the stack.
Getting live-patching capabilities into the mainline kernel has been a multi-year process. Basic patching support was merged for the 4.0 release, but further work has been stalled over disagreements on how the consistency model — the code ensuring that a patch is safe to apply to a running kernel — should work. The addition of kernel stack validation has addressed the biggest of the objections, so, arguably, it is time to move forward. At the 2016 Linux Plumbers Conference, developers working on live patching got together to discuss current challenges and future directions.
Fedora Magazine has a brief overview of the changes to be found in the workstation version of the Fedora 25 release. "Wayland now replaces the old X11 display server by default. Its goal is to provide a smoother, richer experience when navigating Fedora Workstation. Like all software, there may still be some bugs. You can still choose the old X11 server if required."
The LWN.net Weekly Edition for November 10, 2016 is available.
Arch Linux has updated drupal (multiple vulnerabilities), php (multiple vulnerabilities), slock (screen locking bypass), and w3m (multiple vulnerabilities).
CentOS has updated 389-ds-base (C6: multiple vulnerabilities), firefox (C6; C5: multiple vulnerabilities), java-1.7.0-openjdk (C5: multiple vulnerabilities), kernel (C6: two vulnerabilities), nss (C6; C5: multiple vulnerabilities), nss-util (C6: multiple vulnerabilities), and policycoreutils (C6: sandbox escape).
Debian has updated wireshark (multiple vulnerabilities).
Debian-LTS has updated drupal7 (multiple vulnerabilities), gst-plugins-bad0.10 (multiple vulnerabilities), sniffit (privilege escalation), and wireshark (multiple vulnerabilities).
Fedora has updated 389-ds-base (F25: information leak), ansible (F25: two vulnerabilities), bind (F25: denial of service), bind99 (F25: denial of service), chromium (F25; F23: multiple vulnerabilities), chromium-native_client (F25: multiple vulnerabilities), curl (F25: multiple vulnerabilities), docker (F25; F25: access bypass), dracut (F25: information disclosure), firefox (F25 (v49.0.2); F25 (v50.0); F23: multiple vulnerabilities), ghostscript (F25: two vulnerabilities), icu (F25: code execution), java-1.8.0-openjdk-aarch32 (F25: multiple vulnerabilities), kernel (F25; F24: denial of service), libgit2 (F25: unspecified), libwebp (F25: integer overflows), mingw-gnutls (F25: information leak), mingw-libwebp (F25: integer overflows), mingw-nettle (F25: information leak), moodle (F25: multiple vulnerabilities), python-cryptography (F25; F24; F23: bad key generation), python-django (F25: two vulnerabilities), quagga (F25: multiple vulnerabilities), sudo (F25: privilege escalation), tomcat (F25: multiple vulnerabilities), tre (F25: code execution), and xen (F25: multiple vulnerabilities) (Note: Fedora 25 will be released tomorrow).
Gentoo has updated imlib2 (multiple vulnerabilities), mit-krb5 (multiple vulnerabilities), mongodb (denial of service), and qemu (multiple vulnerabilities).
openSUSE has updated java-1_8_0-openjdk (13.2: multiple vulnerabilities), firefox, nss (Leap42.2, Leap42.1, 13.2: multiple vulnerabilities), and php5 (13.2: use after free).
Oracle has updated kernel 4.1.12 (OL7; OL6: multiple vulnerabilities), kernel 3.8.13 (OL7; OL6: multiple vulnerabilities), and kernel 2.6.39 (OL6; OL5: multiple vulnerabilities).
Red Hat has updated ipsilon (RHEL7: information leak/denial of service).
Slackware has updated firefox (multiple vulnerabilities).
Ubuntu has updated firefox (multiple vulnerabilities) and imagemagick (multiple vulnerabilities).
Neil Brown writes: "For a little longer than a year now, I have been using Notmuch as my primary means of reading email. Though the experience has not been without some annoyances, I feel that it has been a net improvement and expect to keep using Notmuch for quite some time." His full report is available to subscribers.
Dave Täht has been working to save the Internet for the last six years (at least). Recently, his focus has been on improving the performance of networking over WiFi — performance that has been disappointing for as long as anybody can remember. The good news, as related in his 2016 Linux Plumbers Conference talk, is that WiFi can be fixed, and the fixes aren't even all that hard to do. Users with the right hardware and a willingness to run experimental software can have fast WiFi now, and it should be available for the rest of us before too long.
Linus has released the 4.9-rc6 kernel prepatch for testing. "We're getting further in the rc series, and while things have stayed pretty calm, I'm not sure if we're quite there yet. There's a few outstanding issues that just shouldn't be issues at rc6 time, so we'll just have to see. This may be one of those releases that have an rc8, which considering the size of 4.9 is perhaps not that unusual."
The LWN.net Weekly Edition for November 3, 2016 is available.
The stable kernel machine continues to produce updates; the latest are 4.8.9 and 4.4.33. Each contains the usual set of important fixes. Note that 4.8.10 and 4.4.34 are already in the review process; they can be expected on or after November 21.
The opening session at the 2016 Kernel Summit, led by Jiri Kosina, had to do with the process of creating stable kernel updates. There is, he said, a bit of a disconnect between what the various parties involved want, and that has led to trouble for the consumers of the stable kernel releases.
Debian has updated drupal7 (multiple vulnerabilities) and gst-plugins-bad1.0 (code execution).
Debian-LTS has updated akonadi (denial of service) and curl (multiple vulnerabilities).
Mageia has updated derby (information leak), dracut (information leak), gnuchess (code execution from 2015), irssi (information leak), libtiff (multiple vulnerabilities), memcached (three code execution flaws), python-pillow (two vulnerabilities), resteasy (code execution), sudo (privilege escalation), systemd (denial of service), tar (file overwrite), and wireshark (multiple vulnerabilities).
openSUSE has updated ghostscript (42.1: regression in previous security update), GraphicsMagick (42.1, 13.2: denial of service), ImageMagick (13.2: denial of service), jasper (42.2, 42.1: multiple vulnerabilities, some from 2015, 2014, and 2008), memcached (42.2; 42.1, 13.2: three code execution flaws), otrs (42.2, 13.2), php5 (42.2; 42.1: three vulnerabilities), and util-linux (42.1: denial of service).
Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities).
The Rowhammer vulnerability affects hardware at the deepest levels. It has proved to be surprisingly exploitable on a number of different systems, leaving security-oriented developers at a loss. Since it is a hardware vulnerability, it would appear that solutions, too, must be placed in the hardware. Now, though, an interesting software-based mitigation mechanism is under discussion on the linux-kernel mailing list. The ultimate effectiveness of this defense is unproven, but it does show that there may be hope for a solution that doesn't require buying new computers.
The Linux Foundation has announced that it is consolidating three conferences under one name going forward. LinuxCon, CloudOpen, and ContainerCon join together under the "Linux Foundation Open Source Summit" name. For 2017, that encompasses three events: OSS Japan in Tokyo May 31-June 2, OSS North America in Los Angeles September 11-13, and OSS Europe in Prague October 23-25. "The Linux Foundation Open Source Summit in North America and Europe will also contain a brand new event, Community Leadership Conference. Attendees will have access to sessions across all events in a single venue, enabling them to collaborate and share information across a wide range of open source topics and areas of technology. They can take advantage of not only unparalleled educational opportunities, but also an expo hall, networking activities, hackathons, additional co-located events and The Linux Foundation’s diversity initiatives, including free childcare, nursing rooms, non-binary restrooms and a diversity luncheon."
The LWN.net Weekly Edition for October 27, 2016 is available.
The Tor blog has a post about the refresh of its Tor-enabled Android phone prototype, which is now in a workable state though it still has some rough edges. There is also a worrisome trend that the post highlights: "It is unfortunate that Google seems to see locking down Android as the only solution to the fragmentation and resulting insecurity of the Android platform. We believe that more transparent development and release processes, along with deals for longer device firmware support from SoC vendors, would go a long way to ensuring that it is easier for good OEM players to stay up to date. Simply moving more components to Google Play, even though it will keep those components up to date, does not solve the systemic problem that there are still no OEM incentives to update the base system. Users of old AOSP base systems will always be vulnerable to library, daemon, and operating system issues. Simply giving them slightly more up to date apps is a bandaid that both reduces freedom and does not solve the root security problems. Moreover, as more components and apps are moved to closed source versions, Google is reducing its ability to resist the demand that backdoors be introduced. It is much harder to backdoor an open source component (especially with reproducible builds and binary transparency) than a closed source one."
Just about everyone who runs a Unix server on the internet uses SSH for remote access, and almost everyone who does that will be familiar with the log footprints of automated password-guessing bots. Although decently-secure passwords do much to harden a server against such attacks, the costs of dealing with the continual stream of failed logins can be considerable. There are ways to mitigate these costs.
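The "log footprints" mentioned above are the `Failed password for ... from ... port ... ssh2` lines that OpenSSH writes to the auth log. The following is an added example, written for this page and not taken from the article or from any tool it refers to, of the cheapest of the mitigations: parse those lines, count failures per source address over a sliding time window, and emit firewall commands for the addresses that cross a threshold. It assumes the standard sshd syslog line format, a fail2ban-style threshold-and-window policy (five failures in ten minutes), and that the reader has already created an `inet filter` table with named sets `ssh_ban4` and `ssh_ban6` referenced by a drop rule on port 22; those set names are assumptions, and the log lines are constructed sample data, not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH logs each rejected password attempt with a line of this shape:
# syslog timestamp (no year), hostname, "sshd[PID]:", then the verdict.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2\b"
)

# Constructed sample auth-log lines using documentation addresses (RFC 5737 / RFC 3849).
SAMPLE_LOG = """\
Nov 16 10:23:45 srv sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 16 10:23:49 srv sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 16 10:23:52 srv sshd[2013]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 16 10:23:58 srv sshd[2015]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Nov 16 10:24:03 srv sshd[2017]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2
Nov 16 10:24:09 srv sshd[2019]: Failed password for root from 203.0.113.5 port 51266 ssh2
Nov 16 10:30:12 srv sshd[2030]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Nov 16 10:30:20 srv sshd[2030]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Nov 16 11:02:41 srv sshd[2101]: Failed password for root from 2001:db8::1 port 33001 ssh2
"""


def parse_failures(lines, year=2016):
    """Return [(datetime, user, ip)] for every failed-password line; other lines are ignored.

    The syslog timestamp carries no year, so the caller supplies one (assumption: all
    lines fall in that year; a real collector has to handle the December/January rollover).
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Nov  6" (padded day) to "Nov 6"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_offenders(events, threshold=5, window_seconds=600):
    """Sliding-window failure count per source address.

    Returns {ip: time of the failure that crossed the threshold} for every address with
    at least `threshold` failures inside any `window_seconds` span. Later lines from an
    address that already crossed the line are ignored, mirroring a ban that stops
    further attempts from reaching the log at all.
    """
    recent = defaultdict(deque)
    banned = {}
    for ts, _user, ip in sorted(events):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = ts
    return banned


def nft_ban_commands(banned, set_v4="ssh_ban4", set_v6="ssh_ban6"):
    """Render nft commands that add each offender to a named set.

    Assumption: the sets already exist in table `inet filter` (e.g. created with
    `nft add set inet filter ssh_ban4 { type ipv4_addr; flags timeout; }`) and a rule
    drops TCP/22 from them; IPv6 offenders go to a separate ipv6_addr set.
    """
    return [
        f"nft add element inet filter {set_v6 if ':' in ip else set_v4} {{ {ip} }}"
        for ip in sorted(banned)
    ]


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG.splitlines())
    banned = find_offenders(events)
    for ip, when in banned.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    for cmd in nft_ban_commands(banned):
        print(cmd)
```

With the default policy only 203.0.113.5 is listed: it reaches five failures at 10:24:03, while the single failure from 198.51.100.7 (a legitimate user who then succeeded with a key) and the lone IPv6 attempt stay below the threshold. Shrinking the window to ten seconds bans nobody in this sample, which is the knob to turn if slow, spread-out guessing is the concern. The ban set should carry a timeout so that a stale entry does not lock out an address that is later reassigned to someone else.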
Arch Linux has updated firefox (multiple vulnerabilities), libgit2 (two vulnerabilities), python-django (two vulnerabilities), and python2-django (two vulnerabilities).
Debian has updated firefox-esr (multiple vulnerabilities).
Fedora has updated bind99 (F24: two vulnerabilities), firefox (F24: multiple vulnerabilities), and kernel (F24: denial of service).
Gentoo has updated libuv (privilege escalation from 2015).
Mageia has updated nss and firefox (multiple vulnerabilities).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities) and nss and nss-util (OL7; OL6; OL5: two vulnerabilities).
Red Hat has updated openssl (RHEL6: denial of service).
Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds