All posts by corbet

Schaller: Looking back at Fedora Workstation so far

Post Syndicated from corbet original https://lwn.net/Articles/737056/rss

Christian Schaller has posted a
list of the Fedora Workstation project’s accomplishments
since its
inception. “Wayland – We been the biggest contributor since we
joined the effort and have taken the lead on putting in place all the
pieces needed for actually using it on a desktop, including starting to
ship it as our primary offering in Fedora Workstation 25. This includes
putting a lot of effort into ensuring that XWayland works smoothly to
ensure full legacy application support.

The list as a whole is quite long.

[$] A look at the 4.14 development cycle

Post Syndicated from corbet original https://lwn.net/Articles/736578/rss

The 4.14 kernel, due in the first half of November, is moving into the
relatively slow part of the development cycle as of this writing. The time
is thus ripe for a look at the changes that went into this kernel cycle and
how they got there. While 4.14 is a fairly typical kernel development
cycle, there are a couple of aspects that stand out this time around.

Firefox 57 coming soon: a Quantum leap (Fedora Magazine)

Post Syndicated from corbet original https://lwn.net/Articles/737022/rss

The upcoming Firefox 57 release presents a challenge to distributors, who
have to decide when and how to ship a major update that will break a bunch
of older extensions. This
Fedora Magazine article
describes the plan that Fedora has come up with
for this transition. “Users probably shouldn’t ‘hold back at FF56 as
my favorite extensions don’t work.’ Recall that security fixes only come
from new versions, and they’ll all be WebExtension only. The Extended
Support Release version will also switch to WebExtensions only at the next
release. This date, June 2018, marks the deadline for ESR users to migrate
their extensions.

Security updates for Friday

Post Syndicated from corbet original https://lwn.net/Articles/737017/rss

Security updates have been issued by Arch Linux (chromium), Debian (jackson-databind, libvirt, and mysql-5.5), Fedora (SDL2_image), Mageia (db53, kernel, poppler, and wpa_supplicant, hostapd), Oracle (httpd), Red Hat (ansible, chromium-browser, httpd, java-1.8.0-openjdk, kernel, and kernel-rt), and Scientific Linux (httpd and kernel).

LEDE v17.01.4 service release

Post Syndicated from corbet original https://lwn.net/Articles/736917/rss

Version 17.01.4 of the LEDE router distribution is available with a number
of important fixes.
While this release includes fixes for the bugs in the WPA Protocol
disclosed earlier this week, these fixes do not fix the problem on the
client-side. You still need to update all your client devices. As some
client devices might never receive an update, an optional AP-side
workaround was introduced in hostapd to complicate these attacks,
slowing them down.

Apache OpenOffice 4.1.4 released

Post Syndicated from corbet original https://lwn.net/Articles/736898/rss

The OpenOffice
4.1.4 release
is finally available; see this article for some background on this
release. The announcement is all bright and sunny, but a look at the
August 16 Apache board minutes
shows concern about the state of
the project. Indeed, the OpenOffice project management committee was,
according to these minutes, supposed to post an announcement about the
state of the project; it would appear that has not yet happened.

Samsung to support Linux distributions on Galaxy handsets

Post Syndicated from corbet original https://lwn.net/Articles/736895/rss

Here’s a
Samsung press release
describing the company’s move into the “run Linux
on your phone” space. “Installed as an app, Linux on Galaxy gives
smartphones the capability to run multiple operating systems, enabling
developers to work with their preferred Linux-based distributions on their
mobile devices. Whenever they need to use a function that is not available
on the smartphone OS, users can simply switch to the app and run any
program they need to in a Linux OS environment.

Ubuntu 17.10 (Artful Aardvark) released

Post Syndicated from corbet original https://lwn.net/Articles/736893/rss

The Ubuntu 17.10 release is out. “Under the hood, there have been updates to many core packages, including
a new 4.13-based kernel, glibc 2.26, gcc 7.2, and much more.

Ubuntu Desktop has had a major overhaul, with the switch from Unity as
our default desktop to GNOME3 and gnome-shell. Along with that, there
are the usual incremental improvements, with newer versions of GTK and
Qt, and updates to major packages like Firefox and LibreOffice.”
See the
release notes
for more information.

Security updates for Thursday

Post Syndicated from corbet original https://lwn.net/Articles/736892/rss

Security updates have been issued by CentOS (wpa_supplicant), Debian (db, db4.7, db4.8, graphicsmagick, imagemagick, nss, and yadifa), Fedora (ImageMagick, rubygem-rmagick, and upx), Mageia (flash-player-plugin, libxfont, openvpn, ruby, webmin, and wireshark), openSUSE (cacti, git, and upx), Oracle (wpa_supplicant), Red Hat (kernel-rt, rh-nodejs4-nodejs-tough-cookie, rh-nodejs6-nodejs-tough-cookie, and wpa_supplicant), Scientific Linux (wpa_supplicant), and Slackware (libXres, wpa_supplicant, and xorg).

Tips to Secure Your Network in the Wake of KRACK (Linux.com)

Post Syndicated from corbet original https://lwn.net/Articles/736798/rss

Konstantin Ryabitsev argues
on Linux.com that WiFi security is only a part of the problem.
Wi-Fi is merely the first link in a long chain of communication
happening over channels that we should not trust. If I were to guess, the
Wi-Fi router you’re using has probably not received a security update since
the day it got put together. Worse, it probably came with default or easily
guessable administrative credentials that were never changed. Unless you
set up and configured that router yourself and you can remember the last
time you updated its firmware, you should assume that it is now controlled
by someone else and cannot be trusted.

Ruiz: Fleet Commander: production ready!

Post Syndicated from corbet original https://lwn.net/Articles/736772/rss

Alberto Ruiz announces
that Fleet Commander is ready for production use.
Fleet Commander is an integrated solution for large Linux desktop
deployments that provides a configuration management interface that is
controlled centrally and that covers desktop, applications and network
configuration. For people familiar with Group Policy Objects in Active
Directory in Windows, it is very similar.

Green: Falling through the KRACKs

Post Syndicated from corbet original https://lwn.net/Articles/736615/rss

Matthew Green explores
the origins
of the KRACK vulnerability.
I don’t want to spend much time talking about KRACK itself, because
the vulnerability is pretty straightforward. Instead, I want to talk about
why this vulnerability continues to exist so many years after WPA was
standardized. And separately, to answer a question: how did this attack
slip through, despite the fact that the 802.11i handshake was formally
proven secure?

[$] Point releases for the GNU C Library

Post Syndicated from corbet original https://lwn.net/Articles/736429/rss

The GNU C Library (glibc) project produces regular releases on an
approximately six-month cadence. The current release is 2.26
from early August; the 2.27 release is expected at the beginning of
February 2018. Unlike many other projects, though, glibc does not normally
create point releases for important fixes between the major releases.
The last point release from glibc was 2.14.1, which came out in 2011.
A discussion on the need for a 2.26 point release led to questions about
whether such releases have a useful place in the current
software-development environment.

An enforcement clarification from the kernel community

Post Syndicated from corbet original https://lwn.net/Articles/736492/rss

The Linux Foundation’s Technical Advisory board, in response to concerns
about exploitative license enforcement around the kernel, has put together
this patch adding a document to the kernel
describing its view of license enforcement. This document has been signed
or acknowledged by a long list of kernel developers.
In particular, it seeks to
reduce the effect of the “GPLv2 death penalty” by stating that a violator’s
license to the software will be reinstated upon a timely return to
compliance. “We view legal action as a last resort, to be initiated
only when other community efforts have failed to resolve the problem.

Finally, once a non-compliance issue is resolved, we hope the user will feel
welcome to join us in our efforts on this project. Working together, we will
be stronger.”

See this
blog post from Greg Kroah-Hartman
for more information.

“KRACK”: a severe WiFi protocol flaw

Post Syndicated from corbet original https://lwn.net/Articles/736486/rss

The “krackattacks” web site
discloses a set of WiFi protocol flaws that defeat most of the protection
that WPA2 encryption is supposed to provide. “In a key
reinstallation attack, the adversary tricks a victim into reinstalling an
already-in-use key. This is achieved by manipulating and replaying
cryptographic handshake messages. When the victim reinstalls the key,
associated parameters such as the incremental transmit packet number
(i.e. nonce) and receive packet number (i.e. replay counter) are reset to
their initial value. Essentially, to guarantee security, a key should only
be installed and used once. Unfortunately, we found this is not guaranteed
by the WPA2 protocol
“.

Bottomley: Using Elliptic Curve Cryptography with TPM2

Post Syndicated from corbet original https://lwn.net/Articles/736425/rss

James Bottomley describes
the use of the trusted platform module
with elliptic-curve
cryptography, with a substantial digression into how the elliptic-curve
algorithm itself works.
The initial attraction is the same as for RSA keys: making it
impossible to extract your private key from the system. However, the
mathematical calculations for EC keys are much simpler than for RSA keys
and don’t involve finding strong primes, so it’s much simpler for the TPM
(being a fairly weak calculation machine) to derive private and public EC
keys.

[$] unsafe_put_user() turns out to be unsafe

Post Syndicated from corbet original https://lwn.net/Articles/736348/rss

When a veteran kernel developer introduces a severe security hole into the
kernel, it can be instructive to look at how the vulnerability came about.
Among other things, it can point the finger at an API that lends itself
toward the creation of such problems. And, as it turns out, the knowledge
that the API is dangerous at the outset and marking it as such may not be
enough to prevent problems.