Canonical has disclosed that the Ubuntu forum system has been compromised. “The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table. They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed.”
Linus has released the 4.7-rc7 kernel prepatch. “Anyway, there’s a couple of regressions still being looked at, but unless anything odd happens, this is going to be the last rc. However, due to my travel schedule, I won’t be doing the final 4.7 next weekend, and people will have two weeks to report (and fix) any remaining bugs.
Yeah, that’s the ticket. My travel schedule isn’t screwing anything up, instead think of it as you guys getting a BONUS WEEK! Yay!”
Python applications, like those written in other languages, often need to obtain random data for purposes ranging from cryptographic key generation to initialization of scientific models. For years, the standard way of getting that data is via a call to os.urandom(), which is documented to “return a string of n random bytes suitable for cryptographic use.” An enhancement in Python 3.5 caused a subtle change in how os.urandom() behaves on Linux systems, leading to some long, heated discussions about how randomness should be obtained in Python programs. When the dust settles, Python benevolent dictator for life (BDFL) Guido van Rossum will have the unenviable task of choosing between two competing proposals.
The last time LWN looked at formatted kernel documentation in January, it seemed like the merging of AsciiDoc support for the kernel’s structured source-code documentation (“kernel-doc”) comments, was imminent. As Jonathan Corbet, in the capacity of the kernel documentation maintainer, wrote: "A good-enough solution that exists now should not be held up overly long in the hopes that vague ideas for something else might turn into real, working code." Sometimes, however, the threat that something not quite perfect might be merged is enough to motivate people to turn those vague ideas into something real.
Subscribers can click below to see the full story by guest author (and the developer behind most of the Sphinx work) Jani Nikula.
The 4.7-rc6 kernel prepatch is out, right on schedule. “I’d love to tell you that things are calming down, and we’re shrinking, but that would be a lie. It’s not like this is a huge rc, but it’s definitely bigger than the previous rc’s were. I don’t think that’s necessarily a big problem, it seems to be mostly timing.”
The “Bits Please” blog has a detailed description of how one breaks full-disk encryption on an Android phone. Included therein is a lot of information on how full-disk encryption works on Android devices and its inherent limitations. “Instead of creating a scheme which directly uses the hardware key without ever divulging it to software or firmware, the code above performs the encryption and validation of the key blobs using keys which are directly available to the TrustZone software! Note that the keys are also constant – they are directly derived from the SHK (which is fused into the hardware) and from two ‘hard-coded’ strings. Let’s take a moment to explore some of the implications of this finding.”
CoreOS has announced the availability of version 3.0 of the etcd distributed key-value store. “etcd 3.0 marks the first stable release of the etcd3 API and data model. Upgrades are simple, because the same etcd2 JSON endpoints and internal cluster protocol are still provided in etcd3. Nevertheless, etcd3 is a wholesale API redesign based on feedback from etcd2 users and experience with scaling etcd2 in practice. This post highlights some notable etcd3 improvements in efficiency, reliability, and concurrency control.”
The PulseAudio 9.0 release is out. Changes include improvements to automatic routing, beamforming support, use of the Linux memfd mechanism for transport, higher sample-rate support, and more; see the release notes for details.
See also: this article from Arun Raghavan on how the beamforming feature works. “The basic idea is that if you have a number of microphones (a mic array) in some known arrangement, it is possible to ‘point’ or steer the array in a particular direction, so sounds coming from that direction are made louder, while sounds from other directions are rendered softer (attenuated).”
The -stable kernel release process faces a contradictory set of constraints. Developers naturally want to get as many fixes into -stable as possible but, at the same time, there is a strong desire to avoid introducing new regressions there. Each -stable release is, after all, intended to be more stable than its predecessor. At times there have been complaints that -stable is too accepting and too prone to regressions, but not many specifics. But, it turns out, this is an area where at least a little bit of objective research can be done.
The developers of “Project Triforce,” an effort to run the “american fuzzy lop” fuzz-testing tool in a system-wide manner, have posted a detailed description of what they are up to. “AFL is an awesome tool. The power of an easy to use, feedback-driven fuzzer has produced an absolutely staggering number of bugs. Still, at first AFL required being able to build the executable, something sadly not available on a lot of targets. With the addition of AFL’s qemu_mode, it became possible to fuzz binaries without source, exposing a whole new world of targets to AFL. I’d been on a number of Linux container engagements recently where we’d managed to escape through kernel exploits. I fell asleep one night to several AFL screens running, and I awoke suddenly with a crazy idea: ‘Run AFL on the Linux Kernel.’”
The 4.7-rc5 kernel prepatch is out. “I think things are calming down, although with almost two thirds of the commits coming in since Friday morning, it doesn’t feel that way – my Fridays end up feeling very busy. But looking at the numbers, we’re pretty much where we normally are at this time of the rc series.”
The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set of netfilter fixes that, it has just been disclosed, fix a couple of severe local privilege-escalation vulnerabilities. Anybody who is running a site with user and network namespaces enabled will want to update their kernels in short order. The fixes were originally committed into 4.6-rc2 in April with no comment regarding their implications.
Version 4.7 of the Xen hypervisor has been released. “With dozens of major improvements, many more bug fixes and small improvements, and significant improvements to Drivers and Devices, Xen Project 4.7 reflects a thriving community around the Xen Project Hypervisor.” Some of the new features include live patching, better dom0 robustness, better migration support between non-identical hosts, scheduler improvements, and more. See the release notes for more information.
Back in 2009, Sony removed the “install other OS” option from its PS3 game consoles, removing the ability to install Linux on those machines. It then went after developers who figured out how to jailbreak the device. Ars technica reports that Sony has now settled a class-action lawsuit over those actions. “Under the terms of the accord, which has not been approved by a California federal judge yet, gamers are eligible to receive $55 if they used Linux on the console. The proposed settlement, which will be vetted by a judge next month, also provides $9 to each console owner that bought a PS3 based on Sony’s claims about ‘Other OS’ functionality.” The lawyers, instead, get over $2 million.
Not to be left behind by a certain competing project, the developers of the Flatpak packaging system have put out a press release proclaiming its virtues. “The Linux desktop has long been held back by platform fragmentation. This has been a burden on developers, and creates a high barrier to entry for third party application developers. Flatpak aims to change all that. From the very start its primary goal has been to allow the same application to run across a myriad of Linux distributions and operating systems. In doing so, it greatly increases the number of users that application developers can easily reach.”
After several schedule slips, the Fedora 24 release is available. “The Fedora Project has embarked on a great journey… redefining what an operating system should be for users and developers. Such innovation does not come overnight, and Fedora 24 is one big step on the road to the next generation of Linux distributions. But that does not mean that Fedora 24 is some ‘interim’ release; there are great new features for Fedora users to deploy in their production environments right now!” See the Fedora 24 approved features list for an idea of what’s in this release.
The collective thoughts of the interwebz
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.