Planet Kristof

October 21, 2016

Linux Weekly News

[$] Dirty COW and clean commit messages

We live in an era of celebrity vulnerabilities; at the moment, an unpleasant kernel bug called "Dirty COW" (or CVE-2016-5195) is taking its turn on the runway. This one is more disconcerting than many due to its omnipresence and the ease with which it can be exploited. But there is also some unhappiness in the wider community about how this vulnerability has been handled by the kernel development community. It may well be time for the kernel project to rethink its approach to serious security problems.

by corbet at October 21, 2016 05:08 PM

Friday's security updates

Debian-LTS has updated bind9 (denial of service).

Fedora has updated libgit2 (F23: two vulnerabilities).

Mageia has updated kernel (three vulnerabilities), libtiff (multiple vulnerabilities, two from 2015), and openslp (code execution).

openSUSE has updated dbus-1 (13.2: code execution), ghostscript-library (42.1: three vulnerabilities, one from 2013), roundcubemail (42.1: two vulnerabilities), and squidGuard (42.1: cross-site scripting from 2015).

Red Hat has updated bind (RHEL6&5: denial of service) and bind97 (RHEL5: denial of service).

Scientific Linux has updated bind (SL6&5: denial of service) and bind97 (SL5: denial of service).

Ubuntu has updated bind9 (12.04: denial of service).

by jake at October 21, 2016 02:50 PM

October 20, 2016

Linux Weekly News

Ranking the Web With Radical Transparency (Linux.com)

Linux.com interviews Sylvain Zimmer, founder of the Common Search project, which is an effort to create an open web search engine. "Being transparent means that you can actually understand why our top search result came first, and why the second had a lower ranking. This is why people will be able to trust us and be sure we aren't manipulating results. However, for this to work, it needs to apply not only to the results themselves but to the whole organization. This is what we mean by 'radical transparency.' Being a nonprofit doesn't automatically clear us of any ulterior motives; we need to go much further. As a community, we will be able to work on the ranking algorithm collaboratively and in the open, because the code is open source and the data is publicly available. We think that this means the trust in the fairness of the results will actually grow with the size of the community."

by jake at October 20, 2016 11:29 PM

More information about Dirty COW (aka CVE-2016-5195)

The security hole fixed in the stable kernels released today has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.

by jake at October 20, 2016 09:12 PM

HighScalability

Future Tidal Wave of Mobile Video

In this article I will examine the growing trends of Internet mobile video and how consumer behaviour is rapidly adapting to a world of ‘always on content’, and discuss the impact on the underlying infrastructure.

by Jeff Webb at October 20, 2016 04:23 PM

Linux Weekly News

Security advisories for Thursday

CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian has updated kernel (multiple vulnerabilities, one from 2015).

Debian-LTS has updated kernel (multiple vulnerabilities, one from 2015) and libxvmc (code execution).

Fedora has updated glibc-arm-linux-gnu (F23: denial of service) and perl-DBD-MySQL (F23: denial of service).

Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), and java-1.8.0-oracle (RHEL7&6: multiple vulnerabilities).

Scientific Linux has updated java-1.8.0-openjdk (SL7&6: multiple vulnerabilities).

SUSE has updated quagga (SLE11: code execution).

Ubuntu has updated kernel (12.04; 14.04; 16.04; 16.10: privilege escalation), linux-lts-trusty (12.04: privilege escalation), linux-lts-xenial (14.04: privilege escalation), linux-raspi2 (16.04: privilege escalation), linux-snapdragon (16.04: privilege escalation), and linux-ti-omap4 (12.04: privilege escalation).

by jake at October 20, 2016 03:49 PM

An important set of stable kernel updates

The 4.8.3, 4.7.9, and 4.4.26 stable kernel updates have been released. There's nothing in the announcements to indicate this, but they all contain a fix for CVE-2016-5195, a bug that can allow local attackers to overwrite files they should not have write access to. So the "all users must upgrade" message seems more than usually applicable this time around.

by corbet at October 20, 2016 01:44 PM

HighScalability

Gone Fishin'

Well, not exactly Fishin', but I'll be on a month-long vacation starting today. I won't be posting (much) new content, so we'll all have a break. Disappointing, I know. Please use this time for quiet contemplation and other inappropriate activities. See you on down the road...

by Todd Hoff at October 20, 2016 03:07 AM

Linux Weekly News

[$] LWN.net Weekly Edition for October 20, 2016

The LWN.net Weekly Edition for October 20, 2016 is available.

by corbet at October 20, 2016 12:02 AM

October 19, 2016

Linux Weekly News

Security advisories for Wednesday

Debian has updated quagga (stack overrun) and tor (denial of service).

Debian-LTS has updated dwarfutils (multiple vulnerabilities), guile-2.0 (two vulnerabilities), libass (two vulnerabilities), libgd2 (two vulnerabilities), libxv (insufficient validation), and tor (denial of service).

Fedora has updated epiphany (F24: unspecified), ghostscript (F24; F23: multiple vulnerabilities), glibc-arm-linux-gnu (F24: denial of service), guile (F24: two vulnerabilities), libgit2 (F24: two vulnerabilities), openssh (F23: null pointer dereference), qemu (F24: multiple vulnerabilities), and webkitgtk4 (F24: unspecified).

Mageia has updated asterisk (denial of service), flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mailman (password disclosure).

Red Hat has updated java-1.8.0-openjdk (RHEL6, 7: multiple vulnerabilities), kernel (RHEL6.7: use-after-free), and mariadb-galera (RHOSP8: SQL injection/privilege escalation).

by ris at October 19, 2016 04:52 PM

Live kernel patches for Ubuntu

Canonical has announced the availability of a live kernel patch service for the 16.04 LTS release. "It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads." Up to three systems can be patched for free; the service requires a fee thereafter. There is a long FAQ about the service in this blog post; it appears to be based on the mainline live-patching functionality with some Canonical add-ons.

by corbet at October 19, 2016 02:33 PM

October 18, 2016

Linux Weekly News

Kügler: Plasma’s road ahead

Sebastian Kügler reports on KDE's Plasma team meeting. "We took this opportunity to also look and plan ahead a bit further into the future. In what areas are we lacking, where do we want or need to improve? Where do we want to take Plasma in the next two years?" Specific topics include release schedule changes, UI and theming improvements, feature backlog, Wayland, mobile, and more. (Thanks to Paul Wise)

by ris at October 18, 2016 07:36 PM

Tuesday's security updates

Debian-LTS has updated libarchive (three vulnerabilities), libxrandr (insufficient validation), libxrender (insufficient validation), and quagga (stack overrun).

openSUSE has updated ffmpeg (Leap42.1; SPH for SLE12: multiple vulnerabilities) and kcoreaddons (Leap42.1, 13.2; SPH for SLE12: HTML injection).

Red Hat has updated atomic-openshift (RHOSCP: authentication bypass), kernel (RHEL6.5: privilege escalation), and openssl (RHEL6.7: multiple vulnerabilities).

by ris at October 18, 2016 04:22 PM

[$] Graphics world domination may be closer than it appears

The mainline kernel has support for a wide range of hardware. One place where support has traditionally been lacking, though, is graphics adapters. As a result, a great many people are still using proprietary, out-of-tree GPU drivers. Daniel Vetter went before the crowd at Kernel Recipes 2016 to say that the situation is not as bad as some think; indeed, he said, in this area as well as others, world domination is proceeding according to plan.

by corbet at October 18, 2016 02:25 PM