
Brief items

Security

Intel's AMT remote vulnerability

The fears of vulnerabilities lurking in Intel's "management engine" technology have just shown some validity: Intel has announced a remotely exploitable vulnerability in its "active management technology" engine. "There is an escalation of privilege vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs."

See Matthew Garrett's writeup for a more comprehensible summary of what is known at this time.

Comments (26 posted)

Cook: security things in Linux v4.11

Kees Cook has done his usual roundup of new security features, this time for the 4.11 kernel. It lists seven different features and fixes with security implications, including: "A common way attackers use to escape confinement is by rewriting the user-mode helper sysctls (e.g. /proc/sys/kernel/modprobe) to run something of their choosing in the init namespace. To reduce attack surface within the kernel, Greg KH introduced CONFIG_STATIC_USERMODEHELPER, which switches all user-mode helper binaries to a single read-only path (which defaults to /sbin/usermode-helper). Userspace will need to support this with a new helper tool that can demultiplex the kernel request to a set of known binaries."
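The demultiplexing helper that the last sentence of the quote calls for, as an added example that is not code from Kees Cook's post or from the kernel tree. It assumes the default static path (/sbin/usermode-helper) and a constructed allowlist; the kernel execs the static path with argv unchanged, so argv[0] is the helper it originally asked for, which is why this has to be a compiled binary rather than a #! script (the script loader would replace argv[0] with the script's own name).

```c
/* Minimal CONFIG_STATIC_USERMODEHELPER demultiplexer (added example).
 * Installed at the static path, it is run by the kernel with argv[0] set
 * to the helper the kernel originally wanted (e.g. "/sbin/modprobe") and
 * argv[1..] set to that helper's arguments. Only allowlisted requests are
 * executed; everything else is refused and logged. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>

struct umh_route { const char *requested; const char *real; };

/* Constructed allowlist: kernel request -> the one binary we will run for
 * it. The hotplug wrapper path is an assumption, not a real distro path. */
static const struct umh_route umh_routes[] = {
    { "/sbin/modprobe", "/sbin/modprobe" },
    { "/sbin/hotplug",  "/usr/lib/udev/hotplug-wrapper" },
    { "/sbin/poweroff", "/sbin/poweroff" },
};

/* Map a requested helper path to its allowlisted binary; NULL if refused.
 * Exact, absolute-path match only: a relative name or a path with ".."
 * components never matches, so a rewritten sysctl cannot smuggle in a
 * binary from a writable location. */
const char *umh_resolve(const char *requested)
{
    size_t i;
    if (!requested || requested[0] != '/')
        return NULL;
    for (i = 0; i < sizeof umh_routes / sizeof umh_routes[0]; i++)
        if (strcmp(umh_routes[i].requested, requested) == 0)
            return umh_routes[i].real;
    return NULL;
}

int main(int argc, char **argv)
{
    const char *req  = (argc > 0 && argv[0]) ? argv[0] : "(null)";
    const char *real = umh_resolve(argc > 0 ? argv[0] : NULL);

    openlog("usermode-helper", LOG_PID, LOG_DAEMON);
    if (!real) {
        /* A refused request is the detectable trace of the sysctl-rewrite
         * escape described above; it is never executed. */
        syslog(LOG_WARNING, "refused helper request for %s", req);
        return 1;
    }
    syslog(LOG_INFO, "dispatching %s -> %s", req, real);
    execv(real, argv);      /* argv[0] stays the requested name, as passed */
    syslog(LOG_ERR, "exec of %s failed", real);
    return 1;
}
```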

Comments (none posted)

Security quotes of the week

99% of the PGP-encrypted emails we get to security@golang.org are bogus security reports. Whereas "cleartext" security reports are only about 5-10% bogus. Getting a PGP-encrypted email to security@golang.org has basically become a reliable signal that the report is going to be bogus, so I stopped caring about spending the 5 minutes decrypting the damn thing (logging in to the key server to get the key, remembering how to use gpg).
Brad Fitzpatrick (Thanks to Paul Wise.)

What happens when intelligence agencies go to war with each other and don't tell the rest of us? I think there's something going on between the US and Russia that the public is just seeing pieces of. We have no idea why, or where it will go next, and can only speculate.
Bruce Schneier

Comments (4 posted)

Kernel development

Kernel release status

The 4.11 kernel was released on April 30; in the announcement Linus said: "So after that extra week with an rc8, things were pretty calm, and I'm much happier releasing a final 4.11 now."

Some headline features in 4.11 include: a new perf ftrace command restarting the work of better integrating the perf and ftrace subsystems, I/O scheduling support for the multiqueue block subsystem, journaling for device-mapper RAID 4/5/6 volumes, SipHash support, some swapping scalability improvements, a new LZ4 compression implementation, the new statx() system call, and more. As always, see the KernelNewbies 4.11 page for lots of details.

Stable updates: 4.10.13, 4.9.25, and 4.4.64 were released on April 27, 4.4.65 and 3.18.51 on April 30, and 4.10.14, 4.9.26, and 4.4.66 on May 3.

Comments (none posted)

Quotes of the week

If every maintainer finds a way to (optionally) reduce the size of the code they maintain by 2K then we'll get a much smaller kernel pretty soon.
Nicolas Pitre

First, to think they didn't get valuable work in return from upstream is missing the forest for the trees. With every release of upstream, grsecurity would get tens of thousands of commits. If there wasn't benefit in these changes, grsecurity would never forward port to the latest upstream. The fact that it is a notable event that grsecurity has ceased updating their public patches is because people using grsecurity suddenly aren't getting the upstream changes, in addition to them not getting new grsecurity features. It is a totally false equivalency to say "upstream has [created work for|used code from] grsecurity without giving anything valuable in return".
Kees Cook (worth reading the whole thing)

Comments (none posted)

Distributions

Bits from the Debian Release Team: release update

The Debian release team has a few words about the upcoming Debian 9 "stretch" release. "At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 "stretch" would no longer be a blocker to release. The likely, although not certain outcome is that stretch will not have Secure Boot support." If stretch does not release with Secure Boot support, it is possible that it will be introduced later. Other than that, the number of Release Critical bugs continues to drop and the team is considering the arrangements for the stretch release.

Full Story (comments: 10)

Ubuntu 12.04 (Precise Pangolin) End of Life

Support for Ubuntu 12.04 (Precise Pangolin) is at an end. There will be no more updates as of April 28, 2017. "The supported upgrade path from Ubuntu 12.04 is via Ubuntu 14.04. Users are encouraged to evaluate and upgrade to our latest 16.04 LTS release via 14.04."

Full Story (comments: none)

Distribution quote of the week

Obviously, not everyone finds organizing such an operation fun -- I for one would find doing this myself abhorrent, my contributions are 10% code fixes 90% wise-ass remarks -- but Debian is pretty diverse, and some of us have a modicum of skill here.
Adam Borowski

Comments (none posted)

Development

F-Droid’s Android App Finally Gets a UI Makeover (xda developers)

Xda developers looks at improvements coming to the F-Droid repository of free/open source apps for Android. The next version of F-Droid will have screenshot and feature graphics, bulk download and install, improved notifications for downloads and pending updates, and the ability to translate app metadata. "F-Droid is conducting further field tests to ensure that usability issues with the new design are identified and resolved before the alpha release for v0.103 is rolled out to the public. The team is also inviting feedback and suggestions to further improve the client. Additionally, the team mentions that this is one of the many improvements happening to the broader F-Droid ecosystem in 2017, and there's more to come."

Comments (none posted)

GCC 7.1 Released

GNU Compiler Collection 7.1 has been released, 30 years after the 1.0 release. "This release features various improvements in the emitted diagnostics, including improved locations, location ranges, suggestions for misspelled identifiers, option names, fix-it hints and various new warnings have been added." There is also experimental support for all of the current C++17 draft, improved optimizers, and more. (LWN previewed the 7.1 release in early April.)

Full Story (comments: 3)

Devcic: Have You Heard? KDE Applications 17.04 and Plasma 5.9.5 Now Available

Ivana Isadora Devcic takes a look at the recently released KDE Applications 17.04 and Plasma 5.9.5. In file management there have been improvements to the Dolphin file manager, the Okular PDF viewer, and the archiving tool Ark. The video editor Kdenlive has seen the biggest improvements among multimedia applications. Several educational applications have also seen some changes. "The most obvious changes introduced in Plasma 5.9.5 are related to window decorations and other visual tweaks. Themes in the System Settings module are now sorted, Plastik window decoration supports the global menu, and Aurorae window decorations support the global menu button. KWin will respect theme colors in buttons, and you will be able to edit the default color scheme of your Plasma Desktop."

Comments (none posted)

Rockbox 3.14 released

Rockbox is a replacement firmware for a number of digital audio players. The project seemed to have faded away along with much of the audio-player market in general, but Rockbox is now back with the release of version 3.14. "Over 4 years have passed since the last release, and in that time we've been busy adding features and fixing bugs to give you the best Rockbox experience yet on the widest range of targets ever." Support for a number of devices has been added, performance and battery life have been improved, and a number of features have been added; see the announcement for details.

Comments (8 posted)

Tor 0.3.0.6 is released: a new series is stable

Tor 0.3.0.6, the first stable release of the Tor 0.3.0 series, is available. "With the 0.3.0 series, clients and relays now use Ed25519 keys to authenticate their link connections to relays, rather than the old RSA1024 keys that they used before. (Circuit crypto has been Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced the guard selection and replacement algorithm to behave more robustly in the presence of unreliable networks, and to resist guard-capture attacks."

Comments (6 posted)

Development quote of the week

An open source strategy forgives the occasional misstep as long as you keep walking.
James Vasile and Karl Fogel

Comments (none posted)

Page editor: Jake Edge


Copyright © 2017, Eklektix, Inc.