All posts by corbet

[$] Supporting UEFI secure boot in Debian

Post Syndicated from corbet original

The Debian project can be accused of many things, but jumping too quickly
onto leading-edge technology is not one of them. That can be seen in, among other
things, the fact that there is still not a version of the distribution that
supports the UEFI secure boot mechanism. But, as Ben Hutchings explained
during his 2016 Kernel Recipes talk, such support is in the works, and it
will be implemented in a uniquely Debian-like manner.

[$] OpenSSL after Heartbleed

Rich Salz and Tim Hudson started off their LinuxCon Europe 2016 talk by
stating that April 3, 2014 shall forever be known as the “re-key the
Internet date.” That, of course, was the day that the Heartbleed vulnerability in the OpenSSL
library was disclosed. A lot has happened with OpenSSL since that day, to
the point that, Salz said, this should be the last talk he gives that ever
mentions that particular vulnerability. In the last two years, the project
has recovered from Heartbleed and is now more vital than ever before.

The 4.8 kernel has been released

Linus Torvalds has announced the availability of the 4.8 kernel:

So the last week was really quiet, which maybe means that I could
probably just have skipped rc8 after all. Oh well, no real harm done.

Some of the headline changes in this release include support for transparent
huge pages in the tmpfs filesystem, a new formatted documentation subsystem
and a number of documentation changes to match, a new timeout subsystem that
should address the latency problems experienced by its predecessor, continued
work on the express data path for high-performance network routing,
build-system improvements allowing the use of GCC plugins, the hardened
usercopy security work, and much more. The KernelNewbies 4.8 page is still
under construction as of this writing, but should contain lots of details in
the near future.

[$] Why kernel development still uses email

In a world full of fancy development tools and sites, the kernel project’s
dependence on email and mailing lists can seem quaintly dated, if not
positively prehistoric. But, as Greg Kroah-Hartman pointed out in a Kernel
Recipes talk titled “Patches carved into stone tablets”, there are some
good reasons for the kernel community’s choices. Rather than being a
holdover from an older era, email remains the best way to manage a project
as large as the kernel.

Qubes OS 3.2 released

Version 3.2 of the Qubes OS distribution is available. “This is an
incremental improvement over the 3.1 version that we released earlier this
year. A lot of work went into making this release more polished, more
stable and easier to use than our previous releases.” Changes
include a new management infrastructure, the ability to assign individual
USB devices to virtual machines and a switch to the Xfce4 desktop. See the
release for details.

PostgreSQL 9.6 released

The PostgreSQL 9.6 release is available. “This release will allow users to
both scale up and scale out high performance database workloads. New features
include parallel query, synchronous replication improvements, phrase search,
and improvements to performance and usability, as well as many more” See the
announcement text and the release notes for more information.

[$] Systemd programming, 30 months later

Some time ago, we published a pair of articles about systemd
programming that extolled the value of providing high-quality unit files in
upstream packages. The hope was that all distributions would use them and
that problems could be fixed centrally rather than each distribution fixing
its own problems independently. Now, 30 months later, it seems like a
good time to see how well that worked out for nfs-utils, the focus of much
of that discussion. Did distributors benefit from upstream unit files, and
what sort of problems were encountered?

OpenSSL security advisory for September 26

This OpenSSL security advisory is notable in that it’s the second one in
four days; sites that updated after the first one may need to do so again.

This security update addresses issues that were caused by patches
included in our previous security update, released on 22nd September
2016. Given the Critical severity of one of these flaws we have
chosen to release this advisory immediately to prevent upgrades to the
affected version, rather than delaying in order to provide our usual
public pre-notification.

Garrett: Microsoft aren’t forcing Lenovo to block free operating systems

Matthew Garrett looks at the real problem behind the inability of some
Lenovo laptops to run Linux. “The real problem here is that Intel do very
little to ensure that free operating systems work well on their consumer
hardware – we still have no information from Intel on how to configure
systems to ensure good power management, we have no support for storage
devices in “RAID” mode and we have no indication that this is going to get
better in future. If Intel had provided that support, this issue would never
have occurred.”

A pile of security updates for Thursday

Arch Linux has updated
firefox (multiple vulnerabilities),
irssi (code execution), and
tomcat7 (proxy injection).

CentOS has updated
firefox (C5, C6, C7: multiple vulnerabilities).

Debian has updated
wireshark (LTS: dissector vulnerabilities),
irssi (denial of service), and
openssl (multiple vulnerabilities).

Fedora has updated
drupal7-google_analytics (F23, F24: cross-site scripting),
drupal7-panels (F23, F24: multiple vulnerabilities),
jasper (F23: multiple code-execution vulnerabilities),
mod_cluster (F24: “remote
nodejs-string-dot-prototype-dot-repeat (F23: “update for security
php-horde-Horde-Mime-Viewer (F23, cross-site scripting),
php-horde-Horde-Text-Filter (F23, cross-site scripting), and
xen (F23: multiple vulnerabilities).

Mageia has updated
chromium-browser-stable (29 CVEs),
curl (code execution),
file-roller (file deletion),
flash-player-plugin (26 CVEs),
icu (code execution),
jsch (path traversal vulnerability),
libksba (denial of service),
nodejs (remote code execution),
slock (lock bypass), and
tomcat (traffic redirection).

openSUSE has updated
opera (multiple vulnerabilities).

Oracle has updated
firefox (OL5, OL7: multiple vulnerabilities).

Scientific Linux has updated
firefox (SL5-7: multiple vulnerabilities).

Slackware has updated
irssi (denial of service),
pidgin (17 CVE numbers), and
firefox (multiple vulnerabilities).

SUSE has updated
java-1_7_1-ibm (SLES12: three CVEs
described as “Unspecified vulnerability in Oracle Java SE 7u101 and
8u92 allows local users to affect confidentiality, integrity, and
availability via vectors related to Deployment”), and
java-1_6-0-ibm (SLES11: one unspecified vulnerability).

Ubuntu has updated
firefox (multiple vulnerabilities),
gdk-pixbuf (code execution),
irssi (denial of service), and
thunderbird (code execution).

Note that there appear to be differences of opinion as to whether the irssi
vulnerability can be exploited for code execution.

[$] BBR congestion control

Congestion-control algorithms are unglamorous bits of code that allow
network protocols (usually TCP) to maximize the throughput of any given
connection while simultaneously sharing the available bandwidth equitably
with other users. New algorithms tend not to generate a great deal of
excitement; the addition of TCP New Vegas during the 4.8 merge window drew
little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT)
algorithm just released by Google, though, is attracting rather more
attention; it moves away from the mechanisms traditionally used by these
algorithms in an attempt to get better results in a network characterized by
wireless links, meddling middleboxes, and bufferbloat.