The LWN.net Weekly Edition for November 10, 2016 is available.
Inside this week's LWN.net Weekly Edition
Debian has updated libxslt (code execution).
Fedora has updated dbus (F23: code execution), firefox (F23: two vulnerabilities), and pacemaker (F23: privilege escalation).
openSUSE has updated mariadb (13.2: multiple vulnerabilities) and nodejs (Leap42.1, 13.2: code execution).
Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).
Scientific Linux has updated libgcrypt (SL6: flawed random number generation) and pacemaker (SL6: privilege escalation).
Neil Brown writes: "For a little longer than a year now, I have been using Notmuch as my primary means of reading email. Though the experience has not been without some annoyances, I feel that it has been a net improvement and expect to keep using Notmuch for quite some time."
The digiKam Software Collection 5.3.0 has been released. This version is available as an AppImage bundle. "AppImage is an open-source project dedicated to providing a simple way to distribute portable software as a compressed binary file that a standard user can run without installing special dependencies. Everything is included in the bundle, including the latest Qt5 and KF5 frameworks. AppImage uses a FUSE filesystem, which is decompressed into a temporary directory to start the application. You don't need to install digiKam on your system to be able to use it. Better, you can use the official digiKam from your Linux distribution in parallel, and test the new version without any conflict with the one used in production. This permits quickly testing a new release without waiting for an official package dedicated to your Linux box. Another AppImage advantage is being able to quickly provide a pre-release bundle to test the latest patches applied to the source code, outside the release plan."
Dave Täht has been working to save the Internet for the last six years (at least). Recently, his focus has been on improving the performance of networking over WiFi — performance that has been disappointing for as long as anybody can remember. The good news, as related in his 2016 Linux Plumbers Conference talk, is that WiFi can be fixed, and the fixes aren't even all that hard to do. Users with the right hardware and a willingness to run experimental software can have fast WiFi now, and it should be available for the rest of us before too long.
The second service pack for SUSE Linux Enterprise Server, Desktop, and other products has been released. Highlights include software-defined networking and network function virtualization, the new SUSE Package Hub for package updates, the ability to skip service pack releases (e.g. upgrade from SLES 12 to SLES 12-SP2), architecture support for AArch64 and Raspberry Pi, and much more.
The LWN.net Weekly Edition for November 3, 2016 is available.
Debian has updated mat (information leak) and openjdk-7 (multiple vulnerabilities).
Debian-LTS has updated python-imaging (two vulnerabilities).
Fedora has updated ansible (F24: two vulnerabilities), ghostscript (F24: two vulnerabilities), icu (F24: code execution), java-1.8.0-openjdk-aarch32 (F24: multiple vulnerabilities), and kernel (F24: two vulnerabilities).
openSUSE has updated bind (Leap42.1; 13.2: denial of service).
Oracle has updated java-1.7.0-openjdk (OL6; OL5: multiple vulnerabilities) and libgcrypt (OL6: flawed random number generation).
Red Hat has updated chromium-browser (RHEL6: memory leak), libgcrypt (RHEL6,7: flawed random number generation), pacemaker (RHEL6: privilege escalation), and qemu-kvm-rhev (RHOSP8; RHOSP9: denial of service).
Scientific Linux has updated java-1.7.0-openjdk (SL5,6: multiple vulnerabilities).
The opening session at the 2016 Kernel Summit, led by Jiri Kosina, had to do with the process of creating stable kernel updates. There is, he said, a bit of a disconnect between what the various parties involved want, and that has led to trouble for the consumers of the stable kernel releases.
HackerBoards takes a look at the 64-bit Orange Pi. "Shenzhen Xunlong is keeping up its prolific pace in spinning off new Allwinner SoCs into open source SBCs, and now it has released its first 64-bit ARM model, and one of the cheapest quad-core Cortex-A53 boards around. The Orange Pi PC 2 runs Linux or Android on a new Allwinner H5 SoC featuring four Cortex-A53 cores and a more powerful Mali-450 GPU."
The Rowhammer vulnerability affects hardware at the deepest levels. It has proved to be surprisingly exploitable on a number of different systems, leaving security-oriented developers at a loss. Since it is a hardware vulnerability, it would appear that solutions, too, must be placed in the hardware. Now, though, an interesting software-based mitigation mechanism is under discussion on the linux-kernel mailing list. The ultimate effectiveness of this defense is unproven, but it does show that there may be hope for a solution that doesn't require buying new computers.
Debian has updated mysql-5.5 (multiple unspecified vulnerabilities).
Debian-LTS has updated libdatetime-timezone-perl (update tzdata), libxslt (code execution), memcached (multiple vulnerabilities, one from 2013), openjdk-7 (multiple vulnerabilities), and tzdata (update tzdata).
Fedora has updated 389-ds-base (F24: information leak), curl (F24: multiple vulnerabilities), firefox (F24: two vulnerabilities), and pacemaker (F24: privilege escalation).
Mageia has updated libtomcrypt (signature forgery), python-django (two vulnerabilities), and tomcat (multiple vulnerabilities).
openSUSE has updated chromium (SPH for SLE12; Leap42.1, 13.2: memory leak), dbus-1 (13.1: denial of service), jasper (13.1: multiple vulnerabilities), libraw (Leap42.1: memory leak), libxml2 (13.2: code execution), and firefox (13.1: two vulnerabilities).
Red Hat has updated java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities) and java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities).
The LWN.net Weekly Edition for October 27, 2016 is available.
The 4.9-rc4 kernel prepatch is out for testing. Linus says: "So I'm not going to lie: this is not a small rc, and I'd have been happier if it was. But it's not unreasonably large for this (big) release either, so it's not like I'd start worrying. I'm currently still assuming that we'll end up with the usual seven release candidates, assuming things start calming down. We'll see how that goes as we get closer to a release."
Just about everyone who runs a Unix server on the internet uses SSH for remote access, and almost everyone who does that will be familiar with the log footprints of automated password-guessing bots. Although decently-secure passwords do much to harden a server against such attacks, the costs of dealing with the continual stream of failed logins can be considerable. There are ways to mitigate these costs.
Opensource.com celebrates 25 years of Vim. "Vim is a flexible, extensible text editor with a powerful plugin system, rock-solid integration with many development tools, and support for hundreds of programming languages and file formats. Twenty-five years after its creation, Bram Moolenaar still leads development and maintenance of the project—a feat in itself! Vim had been chugging along in maintenance mode for more than a decade, but in September 2016 version 8.0 was released, adding new features to the editor of use to modern programmers."
We live in an era of celebrity vulnerabilities; at the moment, an unpleasant kernel bug called "Dirty COW" (or CVE-2016-5195) is taking its turn on the runway. This one is more disconcerting than many due to its omnipresence and the ease with which it can be exploited. But there is also some unhappiness in the wider community about how this vulnerability has been handled by the kernel development community. It may well be time for the kernel project to rethink its approach to serious security problems.
ZDNet takes a look at the VoCore2, a coin-sized computer. "VoCore2 is an open source Linux computer and a fully-functional wireless router that is smaller than a coin. It can also act as a VPN gateway for a network, an AirPlay station to play lossless music, a private cloud to store your photos, video, and code, and much more. The Lite version of the VoCore2 features a 580MHz MT7688AN MediaTek system on chip (SoC), 64MB of DDR2 RAM, 8MB of NOR storage, and a single antenna slot for Wi-Fi that supports 150Mbps."
The LWN.net Weekly Edition for October 20, 2016 is available.
Arch Linux has updated lib32-gdk-pixbuf2 (denial of service).
Debian has updated curl (multiple vulnerabilities) and memcached (code execution).
Fedora has updated kdepimlibs (F24: three vulnerabilities), libwebp (F24: integer overflows), and quagga (F24; F23: three vulnerabilities).
Gentoo has updated libreoffice (multiple vulnerabilities) and oracle-jre-bin (multiple vulnerabilities).
Mageia has updated bind (denial of service), kernel-tmb (multiple vulnerabilities), php-adodb (two vulnerabilities), and rpm (code execution from 2014).
openSUSE has updated jasper (13.2: multiple vulnerabilities, one from 2008).
Oracle has updated kernel 4.1.12 (OL7; OL6: code execution) and kernel 3.8.13 (OL7; OL6: code execution).
Red Hat has updated docker (RHEL7: privilege escalation).
Scientific Linux has updated bind (SL5,6: denial of service) and bind97 (SL5: denial of service).
Slackware has updated bind (denial of service) and curl (multiple vulnerabilities).
SUSE has updated java-1_8_0-ibm (SLE12-SP1: three vulnerabilities) and xen (SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities).
Ubuntu has updated curl (multiple vulnerabilities).
Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds