LWN featured content
[$] Debsources as a platform
[Development] Posted Sep 2, 2015 21:03 UTC (Wed) by n8willis
Debsources is a project that provides a web-based interface into
the source code of every package in the Debian software
archive—not a small task by any means. But, as Stefano
Zacchiroli and Matthieu Caneill explained in their DebConf 2015
session, Debsources is far more than a source-code browsing tool. It
provides a searchable viewport into 20 years of
free-software history, which makes it viable as a platform for many
varieties of research and experimentation.
Full Story (comments: 9)
Reviving the Hershey fonts
[Front] Posted Aug 26, 2015 0:16 UTC (Wed) by n8willis
At the 2015 edition of TypeCon in Denver, Adobe's Frank Grießhammer presented his
work reviving the famous Hershey fonts
from the Mid-Century era of computing. The original fonts were
tailor-made for early vector-based output devices but, although they
have retained a loyal following (often as a historical curiosity), they have never
before been
produced as an installable digital font.
Full Story (comments: 5)
Glibc wrappers for (nearly all) Linux system calls
[Development] Posted Aug 20, 2015 21:27 UTC (Thu) by corbet
The GNU C Library (glibc) is a famously conservative project. In the past,
that conservatism created a situation where there is no way to directly
call a number of Linux system calls from a glibc-using program. As glibc
has relaxed a bit in recent years, its developers have started to
reconsider adding wrapper functions for previously inaccessible system
calls. But, as the discussion shows, adding these wrappers is still not as
straightforward as one might think.
Full Story (comments: 34)
Development statistics for the 4.2 kernel
[Kernel] Posted Aug 18, 2015 14:12 UTC (Tue) by corbet
As of this writing, the 4.2-rc7 prepatch is
out and the final 4.2
kernel looks to be (probably) on-track to be released on August 23.
Tradition says that
it's time for a look at the development statistics for this cycle. 4.2, in
a couple of ways, looks a bit different from recent cycles, with some older
patterns reasserting themselves.
Click below (subscribers only) for the full article.
Full Story (comments: 6)
Working with xdg-app application bundles
[Development] Posted Aug 12, 2015 20:43 UTC (Wed) by n8willis
One of the oft-recurring topics at GUADEC 2015 was
the xdg-app application-packaging system currently being developed.
Xdg-app's lead developer Alexander Larsson gave a presentation on its
current status on the first day, and it featured prominently in
Christian Hergert's keynote about reaching new developers as well as in
Bastien Nocera's talk about hardware enablement. Perhaps the most
practical discussion of the subject, however, came in Stephan
Bergmann's talk about his recent attempts to bundle LibreOffice into
an xdg-app package.
Full Story (comments: 26)
"Big data" features coming in PostgreSQL 9.5
[Front] Posted Aug 5, 2015 18:16 UTC (Wed) by jake
PostgreSQL 9.5 Alpha 2 is due to be released on August 6. Not only
does the new version support UPSERT, more JSON functionality, and other new
features we looked at back in July, it also
has some major enhancements for "big data" workloads. Among these are
faster sorts, TABLESAMPLE, GROUPING SETS and
CUBE, BRIN indexes, and Foreign Data Wrapper improvements. Taken
together, these features strengthen arguments for using PostgreSQL for data
warehouses, and enable users to continue using it with bigger databases.
Full Story (comments: 24)
Fuzzing perf_events
[Security] Posted Aug 5, 2015 12:36 UTC (Wed) by jake
You might be surprised to learn that starting with Linux 2.6.31 (in 2009)
it has been rather easy to crash the Linux kernel.
This date marks the introduction of the
perf_event subsystem.
It is likely that perf_event is not any more prone to errors than
any other large kernel subsystem, but it has the distinction of
being subjected to intense testing from the
perf_fuzzer tool, which methodically probes the interface for bugs.
Click below (subscribers only) for the full article from perf_fuzzer author
Vince Weaver.
Full Story (comments: 13)
Building a Tizen IVI test experience
[Distributions] Posted Jul 29, 2015 21:55 UTC (Wed) by n8willis
In November of 2013, I decided to undertake a garage-hacking
project and build an in-vehicle infotainment (IVI) Linux box for my
own car. Motivated hobbyists have done such things for years, of
course. But, after having followed the development of various
automotive Linux projects (such as GENIVI and Tizen IVI), I wanted to
put them to the test, rather than simply stuff a Raspberry Pi into the
glove compartment and run Rhythmbox on a tiny screen on the
dashboard. Interesting developments were happening at automakers and
software vendors, and they were worth exploring. It turned out to be
a rather large project, so to cover it fully will take more than one
installment. The first major milestone involves understanding the
unique hardware, power, and boot requirements of an IVI unit (as well
as finding a distribution that fits the bill).
Full Story (comments: 7)
Django Girls one year later
[Front] Posted Jul 22, 2015 21:06 UTC (Wed) by jake
Though it got a bit of a late start due to some registration woes, the
first day of EuroPython 2015
began with an engaging and well-received keynote. It recounted the history
of a project that got its start just a year ago when the first Django Girls workshop was held at
EuroPython 2014 in Berlin. The two women who started the
project, Ola Sitarska and Ola Sendecka, spoke about how the workshop
to teach women about Python and the Django web framework all came
together—and the amazing progress that has been made by the organization in
its first year.
Full Story (comments: 10)
Domesticating applications, OpenBSD style
[Kernel] Posted Jul 21, 2015 20:54 UTC (Tue) by corbet
One of the many approaches to improving system security consists of
reducing the attack surface of a given program by restricting the range of
system calls available to it. If an application has no need for access to
the network, say, then removing its ability to use the socket() system
call should cause no loss in functionality while reducing the scope of the
mischief that can be made should that application be compromised. In the
Linux world, this kind of sandboxing can be done using a security module or
the seccomp() system call. OpenBSD has lacked this capability so
far, but it may soon gain it via a somewhat different approach than has
been seen in Linux.
Full Story (comments: 73)
Current news
Mozilla: Improving Security for Bugzilla
[Security] Posted Sep 4, 2015 22:03 UTC (Fri) by n8willis
The Mozilla blog has disclosed
that the official Mozilla instance of Bugzilla was recently
compromised by an attacker who stole "security-sensitive
information" related to unannounced vulnerabilities in
Firefox—in particular, the PDF
Viewer exploit discovered on August 5. The blog post explains that
Mozilla has now taken several steps to reduce the risk of future
attacks using Bugzilla as a stepping stone. "As an immediate
first step, all users with access to security-sensitive information
have been required to change their passwords and use two-factor
authentication. We are reducing the number of users with privileged
access and limiting what each privileged user can do. In other words,
we are making it harder for an attacker to break in, providing fewer
opportunities to break in, and reducing the amount of information an
attacker can get by breaking in."
Comments (3 posted)
Friday's security updates
[Security] Posted Sep 4, 2015 15:28 UTC (Fri) by n8willis
CentOS has updated spice
(C7: code execution) and spice-server
(C6: code execution).
Debian has updated chromium-browser (multiple vulnerabilities) and screen (denial of service).
Fedora has updated mediawiki (F21; F22:
multiple vulnerabilities)
and struts (F22: input validation bypass).
openSUSE has updated firefox
(13.1, 13.2: multiple vulnerabilities).
Oracle has updated bind (O7; O6; O5: denial of service), bind97 (O5: multiple vulnerabilities), libXfont (O7; O6:
multiple vulnerabilities),
spice (O7: code execution), and spice-server (O6: code execution).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), openshift (RHOSE3: denial of service), openstack-nova (RHELOSP7: denial of service), qemu-kvm-rhev (RHELOSP7: information leak), spice (RHEL7: code execution), and spice-server (RHEL6: code execution).
Scientific Linux has updated spice-server (SL7; SL6:
code execution).
Slackware has updated seamonkey (multiple vulnerabilities).
SUSE has updated kernel (SLELP12 3.12.43; 3.12.39; 3.12.38; 3.12.36; 3.12.32: multiple vulnerabilities).
Ubuntu has updated kernel (12.04: information leak; 14.04: code execution),
libvdpau (12.04, 14.04, 15.04:
multiple vulnerabilities), linux-lts-trusty (12.04: code execution), linux-ti-omap4 (12.04: information leak), and openslp-dfsg (12.04, 14.04, 15.04: denial
of service).
Comments (none posted)
The Linux Test Project has been released for September 2015
[Kernel] Posted Sep 3, 2015 23:38 UTC (Thu) by jake
The Linux Test Project (LTP) has made a stable release for September 2015. The previous release was in April. This release has a number of new test cases including ones for user namespaces, virtual network interfaces, umount2(), getrandom(), and more. In addition, the network namespace test cases were rewritten and regression tests have been added for inotify, cpuset, futex_wake(), and recvmsg(). We looked at writing LTP test cases back in January.
Full Story (comments: none)
Thursday's security advisories
[Security] Posted Sep 3, 2015 15:54 UTC (Thu) by jake
Arch Linux has updated bind (two
denial of service flaws).
CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), and
libXfont (C7; C6: three privilege escalation flaws).
Debian has updated bind9 (denial
of service), qemu (multiple
vulnerabilities), and qemu-kvm (two vulnerabilities).
Debian-LTS has updated openslp-dfsg (three vulnerabilities, one from
2010, another from 2012).
Red Hat has updated bind (RHEL6,7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and libXfont (RHEL6,7: three privilege escalation flaws).
Scientific Linux has updated bind (SL6,7; SL5:
denial of service), bind97 (SL5: denial of
service), and libXfont (SL6,7: three
privilege escalation flaws).
Slackware has updated bind (two
denial of service flaws).
SUSE has updated bind (SLE12; SLE11SP2,3,4: denial of service), kernel (SLE11SP2: multiple vulnerabilities,
three from 2014), and xen (SLE11SP3;
SLED11SP3: multiple vulnerabilities).
Ubuntu has updated bind9 (denial
of service).
Comments (none posted)
Security updates for Wednesday
[Security] Posted Sep 2, 2015 16:36 UTC (Wed) by ris
Arch Linux has updated chromium (multiple vulnerabilities).
CentOS has updated gdk-pixbuf2 (C7; C6: code execution), jakarta-taglibs-standard (C7; C6: code execution), nss-softokn (C7; C6: signature forgery), and pcs (C7; C6: privilege escalation).
Debian has updated pdns (denial of service).
Scientific Linux has updated nss-softokn (SL6,7: signature forgery) and pcs (SL6,7: privilege escalation).
Slackware has updated gdk (code execution).
SUSE has updated kvm (SLE11SP3:
code execution) and firefox, nss (SLE12: multiple vulnerabilities).
Comments (none posted)
LLVM 3.7 released
[Development] Posted Sep 2, 2015 6:03 UTC (Wed) by corbet
Version 3.7 of the LLVM compiler suite is out. "This release contains the work of the LLVM community over the past six
months: full OpenMP 3.1 support (behind a flag), the On Request
Compilation (ORC) JIT API, a new backend for Berkeley Packet Filter
(BPF), Control Flow Integrity checking, as well as improved
optimizations, new Clang warnings, many bug fixes, and more."
See the release notes for LLVM and
Clang
for details.
Full Story (comments: 5)
Microsoft, Google, Amazon, others, aim for royalty-free video codecs (Ars Technica)
[Announcements] Posted Sep 1, 2015 18:49 UTC (Tue) by ris
Ars Technica reports
that Microsoft, Google, Mozilla, Cisco, Intel, Netflix, and Amazon have
launched a new consortium, the Alliance for Open Media. "The
Alliance for Open Media would put an end to this problem [of patent licenses and royalties]. The group's first aim is to produce a video codec that's a meaningful improvement on HEVC. Many of the members already have their own work on next-generation codecs; Cisco has Thor, Mozilla has been working on Daala, and Google on VP9 and VP10. Daala and Thor are both also under consideration by the IETF's netvc working group, which is similarly trying to assemble a royalty-free video codec."
Comments (50 posted)
Tuesday's security advisories
[Security] Posted Sep 1, 2015 16:36 UTC (Tue) by ris
Fedora has updated qemu (F21: multiple vulnerabilities).
Oracle has updated gdk-pixbuf2 (OL7; OL6: code execution), jakarta-taglibs-standard (OL7; OL6: code execution), and nss-softokn (OL7; OL6: signature forgery).
Red Hat has updated nss-softokn
(RHEL6,7: signature forgery) and pcs
(RHEL6,7: privilege escalation).
Ubuntu has updated expat (15.04,
14.04, 12.04: denial of service) and gnutls28 (15.04: two vulnerabilities).
Comments (none posted)
OpenSSL Security: A Year in Review
[Security] Posted Sep 1, 2015 15:34 UTC (Tue) by corbet
The OpenSSL project looks
at its security record for the last year. "The acceptable
timeline for disclosure is a hot topic in the community: we meet CERT’s
45-day disclosure deadline more often than not, and we’ve never blown
Project Zero’s 90-day baseline. Most importantly, we met the goal we set
ourselves and released fixes for all HIGH severity issues in well under a
month. We also landed mitigation for two high-profile protocol bugs, POODLE
and Logjam. Those disclosure deadlines weren’t under our control but our
response was prepared by the day the reports went public."
Comments (3 posted)
ownCloud Contributor Conference Announcements
[Announcements] Posted Aug 31, 2015 23:03 UTC (Mon) by ris
The ownCloud Contributor Conference
2015 (August 28-September 3 in Berlin, Germany) started off with some big
announcements, including the publishing of the User Data Manifesto 2.0, the
creation of the ownCloud Security Bug Bounty Program, and the release of
the ownCloud Proxy app. "Designed for those of you who want your own private, secure “Dropbox” and don’t want the hassle of configuring routers, firewalls and DNS entries for access from anywhere, at any time, ownCloud Proxy is for you. It comes installed as an ownCloud community app in the new ownCloud community appliance, connects to relay servers in the cloud, and provides anytime, anywhere access to your files, on your PC running in your home network, quickly and easily. And, of course, you can grab it from the ownCloud app store and add it to an existing ownCloud server if you already have one running."
Comments (none posted)