Brief items
Security
CVE-2019-5736: runc container breakout
Anybody running containerized workloads with runc (used by Docker, cri-o, containerd, and Kubernetes, among others) will want to make note of a newly disclosed vulnerability known as CVE-2019-5736. "The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host." LXC is also evidently vulnerable to a variant of the exploit.
Google releases ClusterFuzz
Google has announced the release of its ClusterFuzz fuzz-testing system as free software. "ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects integrated with OSS-Fuzz. It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day."
Security quotes of the week
Instant Ink requires an internet connection for your printer. HP explains that they monitor your ink levels, so they know when to send you more, but as described in their Terms of Service the other reason for this is to remotely disable your ink cartridges if you cancel, or if there are any issues with your payment.
We've done a lot of work on our email infrastructure, and are doing our best to be a responsible citizen within the constraint of having to launder mail and forge identity on an industrial scale, but it's coming to the point where it just may not be possible to run such a service at such a scale anymore. [...]
Of course we do not have any plans to stop providing email any time soon, but it might be worth thinking about what you can do to reduce your dependency on email lists. At the current rate of degradation, it might be non-viable quicker than you'd think. Maybe this is unduly gloomy, but the entire internet's direction of travel has been away from services like Mailman, and its velocity is only increasing.
Kernel development
Kernel release status
The current development kernel is 5.0-rc6, released on February 10. Linus said: "So while I would have wished for less at this point, nothing in there looks all that odd or scary. I think we're still solidly on track for a normal release."
Stable updates: 4.4.174 was released on February 8. The patches went out for review on February 7; this release contains a backport of a fix for the FragmentSmack denial-of-service vulnerability. "Many thanks to Ben Hutchings for this release, it's pretty much just his work here in doing the backporting of networking fixes to help resolve 'FragmentSmack' (i.e. CVE-2018-5391)."
The (huge) 4.20.8, 4.19.21, 4.14.99, and 4.9.156 updates were released on February 12.
Distributions
Distribution quotes of the week
Development
GTK+ renamed to GTK
The GTK+ toolkit project has, after extensive deliberation, decided to remove the "+" from its name. "Over the years, we had discussions about removing the '+' from the project name. The 'plus' was added to 'GTK' once it was moved out of the GIMP sources tree and the project gained utilities like GLib and the GTK type system, in order to distinguish it from the previous, in-tree version. Very few people are aware of this history, and it's kind of confusing from the perspective of both newcomers and even expert users; people join the wrong IRC channel, the URLs on wikis are fairly ugly, etc."
LibreOffice 6.2 released
The LibreOffice 6.2 release is out. The headline feature this time around appears to be "NotebookBar": "a radical new approach to the user interface - based on the MUFFIN concept". Other changes include a reworking of the context menus, better change-tracking performance, better interoperability with proprietary file formats, and more.
Plasma 5.15 released
KDE has announced the release of Plasma 5.15. "Plasma 5.15 brings a number of changes to the configuration interfaces, including more options for complex network configurations. Many icons have been added or redesigned to make them clearer. Integration with third-party technologies like GTK and Firefox has been improved substantially." This release also features improvements to the Discover software manager. Many other tweaks and improvements are covered in the changelog.
PyPy 7.0.0 released
Version 7.0.0 of the PyPy Python interpreter is out. This release supports no less than three upstream Python versions: 2.7, 3.5, and 3.6 (as an alpha release). "All the interpreters are based on much the same codebase, thus the triple release".
Development quotes of the week
Miscellaneous
The CNCF 2018 annual report
For those wondering what the Cloud Native Computing Foundation is up to, its 2018 annual report [PDF] is now out. "KubeCon + CloudNativeCon has expanded from its start with 500 attendees in 2015 to become one of the largest and most successful open source conferences ever. The KubeCon + CloudNativeCon North America event in Seattle, held December 10-13, 2018, was our biggest yet and was sold out several weeks ahead of time with 8,000 attendees."
FSF Annual Report now available
The Free Software Foundation has announced that its annual report for fiscal year 2017 is available. "The Annual Report reviews the FSF's activities, accomplishments, and financial picture from October 1, 2016 to September 30, 2017. It is the result of a full external financial audit, along with a focused study of program results. It examines the impact of the FSF's events, programs, and activities, including the annual LibrePlanet conference, the Respects Your Freedom (RYF) hardware certification program, and the fight against Digital Restrictions Management (DRM)."
The OpenStack Foundation's 2018 annual report
The OpenStack Foundation has issued its 2018 annual report. "2018 was a productive year for the OpenStack community. A total of 1,972 contributors approved more than 65,000 changes and published two major releases of all components, code named Queens and Rocky. The component project teams completed work on themes related to integrating with other OpenStack components, other OpenStack Foundation Open Infrastructure Projects, and projects from adjacent communities. They also worked on stability, performance, and usability improvements. In addition to that component-specific work, the community continued to expand our OpenStack-wide goals process, using a few smaller topics to refine the goal selection process and understand how best to complete initiatives on such a large scale."
Page editor: Jake Edge