
Brief items

Security

The FBI tells everybody to reboot their router

This CERT advisory warns that over 500,000 home routers have been compromised by the VPNFilter malware and advises everybody to reboot their routers to (partially) remove it. This Talos Intelligence page has a lot more information about VPNFilter, though a lot apparently remains unknown. "At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques."


A set of Git security releases

Git versions v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4 have all been released with fixes to a couple of security issues. The nastier of the two (CVE-2018-11235) enables arbitrary code execution controlled by a hostile repository. See this Microsoft blog entry for more details — after updating.


Security quotes of the week

But the much more important thing is that management has to be willing to **fund** bug remediation. That was true for Chrome; it doesn't seem to be as true for the Linux Kernel, for whatever reason.

People trying to fix Syzkaller and other fuzzer-found bugs on 20% time, or on the weekends, or as a background activity during low-bandwidth meetings, or as an unfunded mandate that doesn't show up on anyone's quarterly objectives upon which they are graded, is just not going to scale.

Ted Ts'o

And I have some bad news. I recently got the ad info from my Facebook account and there it is, in the file advertisers_who_uploaded_a_contact_list_with_your_information.html. American Red Cross Blood Donors. Yes, it looks like the people I chose to trust with some of my most sensitive personal info have given it to the least trusted company on the Internet.
Don Marti

The slightest quiver of uncertainty in the packet filter implementations will trigger CERT conference calls, corporate sev2 incidents, and personal line-by-line hand-execution code audits by technical leads. The discovery of yet another parsing bug in a userspace daemon is called a "Tuesday".
Mark Atwood


Kernel development

Kernel release status

The current development kernel is 4.17-rc7, released on May 27. This appears likely to be the final prepatch for this development cycle: "So this week wasn't as calm as the previous weeks have been, but despite that I suspect this is the last rc."

Stable updates: 4.16.12, 4.14.44, 4.9.103, 4.4.133, and 3.18.110 were released on May 25. The (quite large) 4.16.13, 4.14.45, 4.9.104, 4.4.134, and 3.18.111 updates followed on May 30; 4.14.46 came out a few hours later to fix a perf regression. A few hours after that, 4.14.47, 4.9.105, 4.4.135 and 3.18.112 came out with a single commit reverting a networking patch "that should not have gotten backported".


Distributions

openSUSE Leap 15 released

OpenSUSE Leap 15 has been released. "With a brand new look developed by the community, openSUSE Leap 15 brings plenty of community packages built on top of a core from SUSE Linux Enterprise (SLE) 15 sources, with the two major releases being built in parallel from the beginning for the first time. Leap 15 shares a common core with SLE 15, which is due for release in the coming months. The first release of Leap was version 42.1, and it was based on the first Service Pack (SP1) of SLE 12. Three years later SUSE’s enterprise version and openSUSE’s community version are now aligned at 15 with a fresh rebase." Leap 15 will receive maintenance and security updates for at least 3 years.


Distribution quotes of the week

Gentoo is a living body which is still looking for ways to evolve. It has its phases of stagnation but it also has peaks of activity ready to dissolve the existing metastructure and rebuild it into something new. Changes are proposed every once and then; many of them are forgotten but some of them add to Gentoo's history.
Michał Górny

Wow… look at all the cobwebs around here! No posts in two years. But the need for a pacman release post has dragged me back. I clearly still remembered the password, so that is a bonus!

...

As always, this is a bug free release. But if you spot something you think is a bug, please file a bug report and we can assign blame – which is more important than fixing! (The pool for developer who created the first pacman bug of this release is still open at the time of posting.)

Allan McRae


Development

Emacs 26.1 released

Version 26.1 of the Emacs editor is out. Highlights include a built-in Lisp threading mechanism that provides some concurrency, double buffering when running under X, a redesigned flymake mode, 24-bit color support in text mode, and a systemd unit file.


Development quote of the week

This decision has been made after a long time having Budgie Desktop being a separate project, which to this date has only repeatedly harmed the Budgie Desktop project due to other projects specifically looking to add vendor specific value-add and ensuring it is never upstream within this project. As such the project is now officially back under the stewardship of Solus (original authors) and will be developed with our goals in mind, as it once was. It should also be observed that Budgie has been an incredibly quiet project for almost the entire duration of the project being split out from Solus. This will now be remedied as we merge back into Solus, and all previous decisions will now be re-evaluated (Qt? Wayland? gtk4? etc).
Solus Project (Thanks to Paul Wise)


Miscellaneous

Robin "Roblimo" Miller

The Linux Journal mourns the passing of Robin Miller, a longtime presence in our community. "Miller was perhaps best known by the community for his role as Editor in Chief of Open Source Technology Group, the company that owned Slashdot, SourceForge.net, freshmeat, Linux.com, NewsForge, and ThinkGeek from 2000 to 2008."


Page editor: Jake Edge


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds