LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
The LWN.net Weekly Edition for December 15, 2016 is available.
Inside this week's LWN.net Weekly Edition
A freenode volunteer identified a suspected compromise of their e-mail accounts, which could have provided an unauthorized user with limited access to some data sent through internal e-mail systems. "Naturally, we instigated audit procedures immediately so as to ensure the security of the production network and accompanying infrastructure. The investigation is ongoing, but at this time we have no reason to believe that any other unauthorised access was gained. Nevertheless, in the interests of transparency and security for our users, we wish to notify anyone who may have been affected." It is recommended that you change your Freenode password as a precaution. (Thanks to Paul Wise)
The Domain Name System (DNS) is an amazing technological achievement, but it suffers from a historical excess of trust, which makes it possible for people who rely on it to be lied to. The DNS Security Extensions (formally DNSSEC-bis, more usually just DNSSEC) are a mechanism for including robust trust information within the DNS. Here we discuss briefly what DNSSEC does, how it does it, and how (and whether) you can use it to secure your domains.
Debian has updated tor (denial of service).
Debian-LTS has updated tor (denial of service).
Fedora has updated freeipa (F25: two vulnerabilities), game-music-emu (F25: multiple vulnerabilities), openjpeg2 (F25: two vulnerabilities), and xen (F25: multiple vulnerabilities).
Red Hat has updated kernel (RHEL5: use after free) and xen (RHEL5: privilege escalation).
Scientific Linux has updated kernel (SL5: use after free) and xen (SL5: privilege escalation).
SUSE has updated dnsmasq (SLE11-SP4: denial of service).
Ubuntu has updated samba (three vulnerabilities).
Back in 2007, the announcement that AMD intended to reverse its longstanding position and create an upstream driver for its graphics processors was joyfully received by Linux users worldwide. As 2017 approaches, an attempt by AMD to merge a driver for an upcoming graphics chip has been rejected by the kernel's graphics subsystem maintainer — a decision that engendered rather less joy. A look at this discussion reveals a pattern seen many times before; the positions and decisions taken can seem arbitrary to the wider world but they are not without their reasons and will, hopefully, lead to a better kernel in the long run.
Here's an exercise in nostalgia: opensource.com looks at a bunch of old distributions. "Debian is now famous for its package management system, but there are mere hints of that in this early release. The dpkg command exists, but it's an interactive menu-based system—a sort of clunky aptitude, with several layers of menu selections and, unsurprisingly, a fraction of available packages. Even so, you can sense the convenience factor in the design concept. You download three floppy images and end up with a bootable system, and then use a simple text menu to install more goodies."
The LWN.net Weekly Edition for December 8, 2016 is available.
Google has announced the release of a set of security tests that check cryptographic software libraries for known weaknesses, called Project Wycheproof. "Our first set of tests are written in Java, because Java has a common cryptographic interface. This allowed us to test multiple providers with a single test suite. While this interface is somewhat low level, and should not be used directly, we still apply a "defense in depth" argument and expect that the implementations are as robust as possible. For example, we consider weak default values to be a significant security flaw. We are converting as many tests into sets of test vectors to simplify porting the tests to other languages."
Recently Chris Evans, an IT security expert currently working for Tesla, published a series of blog posts about security vulnerabilities in the GStreamer multimedia framework. A combination of the Chrome browser and GNOME-based desktops creates a particularly scary vulnerability. Evans also made a provocative statement: that vulnerabilities of this severity currently wouldn't happen in Windows 10. Is the state of security on the Linux desktop really that bad — and what can be done about it?
The Tor blog looks at some features in Tor 0.2.9.8, the first stable version of the 0.2.9.x series. The post covers Single Onion Services, Shared Randomness, and a mandatory ntor handshake. The changelog has more details.
The maintainer model is deeply ingrained into the culture of the free-software community; for any bit of code, there is usually a developer (or a small group of developers) charged with that code's maintenance. Good maintainers can help a project run smoothly, while poor maintainers can run things into the ground. What is to be done to save a project with the latter type of maintainer? Forking can be an option in some cases but, in many others, it's not a practical alternative. The Debian project is currently discussing its approach to bad maintainers — a discussion which has taken a surprising turn.
Arch Linux has updated qt5-webengine (multiple vulnerabilities).
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities).
Debian has updated php5 (unknown), samba (multiple vulnerabilities), tomcat7 (multiple vulnerabilities), and tomcat8 (multiple vulnerabilities).
Debian-LTS has updated game-music-emu (multiple vulnerabilities), icedove (multiple vulnerabilities), libupnp (code execution), libupnp4 (code execution), most (command execution), nagios3 (two vulnerabilities), php5 (multiple vulnerabilities), tomcat6 (privilege escalation), tomcat6 (regression in previous update), and tomcat7 (privilege escalation).
Fedora has updated firefox (F23: denial of service), gd (F24: three vulnerabilities), golang (F23: denial of service), kernel (F25; F24: out of bounds stack read), perl-DBD-MySQL (F23: two vulnerabilities), unzip (F25; F24: buffer overflows), and xen (F23: multiple vulnerabilities).
openSUSE has updated firefox (42.2, 42.1, 13.2: multiple vulnerabilities), gc (13.2: code execution), and lxc (42.2, 42.1, 13.2: directory traversal).
SUSE has updated kernel (SLE12-SP1: two vulnerabilities) and xen (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated apt (16.10: regression in previous update).
The LWN.net Weekly Edition for December 1, 2016 is available.
OpenSSH 7.4 is out. It is primarily a bugfix release, and four CVE numbers have been assigned for the issues it fixes. This release also removes server-side support for the ancient v1 SSH protocol, adds a new proxy multiplexing mode, makes it possible to disable all forwarding forevermore, and more.
As covered here in January, changes to the GNU C Library's memory-allocation routines have broken the "unexec" method used to build the Emacs editor. Fixing this problem has proved to be more challenging than originally thought; that issue has now come to a head in a disagreement that could cost the Emacs community one of its maintainers.
The GoboLinux project has announced the release of GoboLinux 016. The distribution takes a different approach to filesystem organization so that multiple versions of programs can all be installed at the same time. GoboLinux 016 has a new feature called Runner to manage that: "Runner is a brand new filesystem virtualization tool, specifically designed for GoboLinux. It dynamically changes a process' view of /System/Index based on the program's Dependencies file. From day one, GoboLinux has always supported keeping multiple versions of a program installed on disk at the same time, but when two versions had conflicts, you had to choose which one would be activated in the system as the default. With Runner, you don't need to worry about which version of a given dependency is currently linked (or activated) in /System/Index: Runner gives the process its own virtual /System/Index with all the right dependencies." Other features include the GoboNet wireless network manager and a desktop based on the awesome window manager.
The LWN.net Weekly Edition for November 17, 2016 is available.
Ars Technica has a review of the Fedora 25 release. "What's perhaps most remarkable for a change that's so low-level, and in fact one that's taking a lot of X functionality and moving lower down into the stack, is how unlikely you are to notice it. During testing so far (encompassing about two weeks of use as I write this), the transition to Wayland has been totally transparent. Even better, GNOME 3.22 feels considerably smoother with Wayland."
Getting live-patching capabilities into the mainline kernel has been a multi-year process. Basic patching support was merged for the 4.0 release, but further work has been stalled over disagreements on how the consistency model — the code ensuring that a patch is safe to apply to a running kernel — should work. The addition of kernel stack validation has addressed the biggest of the objections, so, arguably, it is time to move forward. At the 2016 Linux Plumbers Conference, developers working on live patching got together to discuss current challenges and future directions.
Arch Linux has updated flashplugin (multiple vulnerabilities) and lib32-flashplugin (multiple vulnerabilities).
Debian has updated libupnp (two vulnerabilities).
Debian-LTS has updated firefox-esr (multiple vulnerabilities) and icu (two vulnerabilities, one from 2014).
Fedora has updated chromium (F25; F24: multiple vulnerabilities), firefox (F25; F24: denial of service), gstreamer-plugins-bad-free (F24: code execution), gstreamer-plugins-good (F24: multiple vulnerabilities), and libgsf (F24: denial of service).
Mageia has updated chromium-browser-stable (multiple vulnerabilities) and firefox (multiple vulnerabilities).
Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds