Planet Kristof

September 26, 2016

Linux Weekly News

Announcing the KDE Advisory Board

KDE e.V. introduces the KDE Advisory Board. "One of the core goals of the Advisory Board is to provide KDE with insights into the needs of the various organizations that surround us. We are very aware that we need the ability to combine our efforts for greater impact and the only way we can do that is by adopting a more diverse view from outside of our organization on topics that are relevant to us. This will allow all of us to benefit from one another's experience."

by ris at September 26, 2016 09:21 PM

Security advisories for Monday

Debian has updated imagemagick (code execution), libarchive (three vulnerabilities), openssl (regression in previous update), and unadf (two vulnerabilities).

Debian-LTS has updated dropbear (two vulnerabilities), dwarfutils (two vulnerabilities), mactelnet (code execution), openssl (multiple vulnerabilities), and policycoreutils (sandbox escape).

Fedora has updated bash (F24; F23: code execution) and firefox (F24; F23: multiple vulnerabilities).

Gentoo has updated bundler (installs malicious gem files) and qemu (multiple vulnerabilities).

Mageia has updated gdk-pixbuf2.0 (denial of service), golang (denial of service), libarchive (file overwrite), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), and wireshark (multiple vulnerabilities).

openSUSE has updated curl (Leap42.1: multiple vulnerabilities), flash-player (13.1: multiple vulnerabilities), gd (Leap42.1: multiple vulnerabilities), gtk2 (Leap42.1; 13.2: code execution), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), samba (Leap42.1: crypto downgrade), thunderbird (13.1: multiple vulnerabilities), tiff (13.1: multiple vulnerabilities), and wpa_supplicant (Leap42.1: multiple vulnerabilities).

Slackware has updated php (multiple vulnerabilities).

Ubuntu has updated openssl (regression in previous update).

by ris at September 26, 2016 04:23 PM

OpenSSL security advisory for September 26

This OpenSSL security advisory is notable in that it's the second one in four days; sites that updated after the first one may need to do so again. "This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification."

by corbet at September 26, 2016 01:12 PM

Kernel prepatch 4.8-rc8

The 4.8-rc8 kernel prepatch is out. "Things actually did start to calm down this week, but I didn't get the feeling that there was no point in doing one final rc, so here we are. I expect the final 4.8 release next weekend, unless something really unexpected comes up."

by corbet at September 26, 2016 01:04 PM

Prodromou: Adopt a pump.io server

Evan Prodromou, creator of identi.ca and pump.io, has put a call out for interested parties to adopt the administration of public pump.io microblogging servers, which he is currently funding out of his own pocket. "Almost all of them are on $5/month Digital Ocean droplets, which makes them relatively cheap for a single person to support. If you decide you want to adopt a server, E14N will sell you the domain and all the software and data for $1. But you'll be obligated to keep the server running pump.io for at least a year, and if you decide you don't want to run it, you have to sell it back to me." There are currently around 25 servers in the federated network initially started by Prodromou, which does not count other pump.io instances. He notes that one important exception is the identi.ca site, which is significantly larger than the rest, and which he would like to find a trusted non-profit organization to maintain.

by n8willis at September 26, 2016 08:27 AM

September 24, 2016

Linux Weekly News

Stable kernel updates 4.7.5 and 4.4.22

The 4.7.5 and 4.4.22 stable kernel updates are available. These are relatively large updates containing the usual important fixes.

by corbet at September 24, 2016 02:02 PM

September 23, 2016

Linux Weekly News

Mitchell: The MIT License, Line by Line

At his blog, Kyle E. Mitchell ("who is not your attorney") takes a close, line-by-line reading of the popular MIT software license. The details he points out begin on line one with the license's title: "'The MIT License' is a not a single license, but a family of license forms derived from language prepared for releases from the Massachusetts Institute of Technology. It has seen a lot of changes over the years, both for the original projects that used it, and also as a model for other projects. The Fedora Project maintains a kind of cabinet of MIT license curiosities, with insipid variations preserved in plain text like anatomical specimens in formaldehyde, tracing a wayward kind of evolution."

Despite the license being only 171 words, Mitchell finds quite a bit to expand on, such as the ambiguities of the phrase "to deal in the Software without restriction": "As a result of this mishmash of legal, industry, general-intellectual-property, and general-use terms, it isn’t clear whether The MIT License includes a patent license. The general language 'deal in' and some of the example verbs, especially 'use', point toward a patent license, albeit a very unclear one. The fact that the license comes from the copyright holder, who may or may not have patent rights in inventions in the software, as well as most of the example verbs and the definition of 'the Software' itself, all point strongly toward a copyright license." Nevertheless, Mitchell notes, "despite some crusty verbiage and lawyerly affectation, one hundred and seventy one little words can get a hell of a lot of legal work done."

by n8willis at September 23, 2016 04:11 PM

Friday's security updates

Debian has updated firefox-esr (multiple vulnerabilities).

Debian-LTS has updated wordpress (multiple vulnerabilities).

Fedora has updated distribution-gpg-keys (F23: privilege escalation), mock (F23: privilege escalation), openvas-libraries (F24; F23: multiple vulnerabilities), openvas-scanner (F24; F23: denial of service), and shiro (F24: access control bypass).

openSUSE has updated pdns (13.2, Leap 42.1: multiple vulnerabilities).

Oracle has updated kernel (4.1.12 O6; O7: multiple vulnerabilities; 3.8.13 O7; O6: multiple vulnerabilities; 2.6.39 O6; O5: multiple vulnerabilities).

Slackware has updated openssl (14.0, 14.1, 14.2, -current: multiple vulnerabilities) and pidgin (13.0, 13.1, 13.137, 14.0, 14.1: mysterious vulnerabilities).

Ubuntu has updated openssl (12.04, 14.04, 16.04: multiple vulnerabilities).

by n8willis at September 23, 2016 01:55 PM