Brief items
Security
Critical security problem in Libgcrypt 1.9.0
The GNU Privacy Guard (GnuPG or GPG) project has announced a critical security bug in Libgcrypt version 1.9.0 released January 19. "Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt." Version 1.9.1 has been released to address the problem and all users of 1.9.0 should update immediately. It is a heap buffer overflow, but no version of GnuPG uses the 1.9 series yet. "Exploiting this bug is simple and thus immediate action for 1.9.0 users is required. A CVE-id has not yet been assigned. We track this bug at https://dev.gnupg.org/T5275. The 1.9.0 tarballs on our FTP server have been renamed so that scripts won't be able to get this version anymore."
Kernel development
Kernel release status
The current development kernel is 5.11-rc6, released on January 31. "Things look a little calmer than last week, and over-all very average for rc6. So - like always this late in the release schedule - I'd certainly have liked things to be even calmer, but nothing here really stands out."
Stable updates: 5.10.12, 5.4.94, 4.19.172, 4.14.218, 4.9.254, and 4.4.254 were released on January 30, followed by 5.10.13, 5.4.95, 4.19.173, 4.14.219, 4.9.255, and 4.4.255 on February 3.
Kroah-Hartman: Helping Out With LTS Kernel Releases
Greg Kroah-Hartman has a suggestion for anybody who would like to help him maintain long-term-stable kernel releases. "All I request is that people test the -rc releases when I announce them, and let me know if they work or not for their systems/workloads/tests/whatever. [...] But, if you want to do more, I always really appreciate when people email me, or stable@vger.kernel.org, git commit ids that are needed to be backported to specific stable kernel trees because they found them in their testing/development efforts."
Distributions
Solus 4.2 released
Version 4.2 of the desktop-oriented Solus distribution is available. "We recognized that Desktop Icons was an important part of the workflow of many users, so we spent considerable time during this development cycle ensuring there was a solution for them as well as our downstream users of Budgie. Expanding on this, Solus 4.2 defaults to having desktop icons enabled to make Solus more approachable to new users." Some more information on the desktop changes can be found in this blog entry from December.
Development
Malcolm: Static analysis updates in GCC 11
David Malcolm describes the progress in the GCC static analyzer for the upcoming GCC 11 release. "In GCC 10, I added the new -fanalyzer option, a static analysis pass for identifying various problems at compile-time, rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967. Bernd Edlinger, who discovered the issue, had to wade through many false positives accompanying the real issue. Other users also managed to get the analyzer to crash on their code. I’ve been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I’m taking to reduce the number of false positives and make this static analysis tool more robust."
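As an added illustration of what the -fanalyzer pass catches (this script is not from the article, from GCC, or from LWN), the following runs the analyzer over a constructed double free and its corrected counterpart. It assumes a gcc of version 10 or later on PATH; the CC variable overrides the compiler.

```shell
#!/bin/sh
# Added example, not from the LWN item or David Malcolm's article. Runs GCC's
# -fanalyzer over two constructed C sources: one that frees a buffer twice and
# one that frees it once. Assumes gcc >= 10 on PATH; CC overrides the compiler.
CC="${CC:-gcc}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: buggy.c releases buf twice (CWE-415); fixed.c once.
cat > "$WORK/buggy.c" <<'EOF'
#include <stdlib.h>
int use_buffer(void) {
    char *buf = malloc(32);
    if (!buf) return -1;
    buf[0] = 'x';
    free(buf);
    free(buf);   /* double free */
    return 0;
}
EOF
cat > "$WORK/fixed.c" <<'EOF'
#include <stdlib.h>
int use_buffer(void) {
    char *buf = malloc(32);
    if (!buf) return -1;
    buf[0] = 'x';
    free(buf);
    buf = NULL;  /* freed exactly once; nulled so any later use is obvious */
    return 0;
}
EOF

# analyzer_supported: true if this compiler accepts -fanalyzer (GCC 10+).
analyzer_supported() {
    printf 'int main(void) { return 0; }\n' > "$WORK/probe.c"
    "$CC" -fanalyzer -c -o "$WORK/probe.o" "$WORK/probe.c" >/dev/null 2>&1
}

# analyzer_warns FILE: true if -fanalyzer reports a double free in FILE.
# The analyzer is a middle-end pass, so the file is compiled (-c), not just parsed.
analyzer_warns() {
    "$CC" -fanalyzer -c -o "$WORK/out.o" "$1" 2>&1 | grep -q 'Wanalyzer-double-free'
}

if analyzer_supported; then
    analyzer_warns "$WORK/buggy.c" && echo "buggy.c: double free reported"
    analyzer_warns "$WORK/fixed.c" || echo "fixed.c: no analyzer warning"
else
    echo "$CC does not support -fanalyzer (needs GCC 10 or later)"
fi
```

On a compiler without -fanalyzer the script only reports that the option is unsupported; with GCC 10 or 11 it flags buggy.c and stays quiet on fixed.c.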
GNU C library 2.33 released
Version 2.33 of the GNU C library is out. Changes this time include a number of dynamic linker improvements, 32-bit RISC-V support, and a number of security fixes.
LibreOffice 7.1 Community released
The LibreOffice 7.1 "Community" release is out. "LibreOffice 7.1 Community adds several interoperability improvements with DOCX/XLSX/PPTX files: improvements to Writer tables (better import/export and management of table functions, and better support for change tracking in floating tables); a better management of cached field results in Writer; support of spacing below the header's last paragraph in DOC/DOCX files; and additional SmartArt improvements when importing PPTX files." The announcement also goes on at length about the new "community" label and how this release "is not targeted at enterprises".
Development quotes of the week
The term “community” means different things to different people. I’ve heard some people talk about community as some sort of amorphous blob that will give them free work. Some think it’s a bunch of jobless degenerates who need haircuts. Some think it’s where their friends are. Some think it’s where their enemies are. Some people believe community is a mythical beast, something so fantastical that can’t possibly exist, like unicorns, dragons, or Canadians. When we don’t know what something is, it enters the world of myth and it becomes both everything and nothing at the same time. I think many of us have forgotten what community is.
— Josh Bressers
Aside from the technical aspects of the countermeasure, it is interesting to note that its Clang implementation was derived from the GCC implementation, but led to an issue being reported in the GCC codebase. The Clang-generated code got validated by Firefox People, tested by Rust people who reported several bugs, some impacting both Clang and GCC implementation, the circle is complete!
— Serge Guelton, Sylvestre Ledru, and Josh Stone (Thanks to Paul Wise)
Page editor: Jake Edge