All posts by jake

Ingebrigtsen: The End of Gmane?

Post Syndicated from jake original http://lwn.net/Articles/695695/rss

On his blog, Gmane creator and maintainer Lars Magne Ingebrigtsen warns that the email-to-news (and web) gateway may be disappearing soon. The site, which is hosted by his employer, has been under a distributed denial of service (DDoS) attack for the last few weeks, but there are other problems as well. “And now the DDoS stuff, which I have no idea why is happening, but I can only assume that somebody is angry about something.

Probably me being a wise ass.

So… it’s been 14 years… I’m old now. I almost threw up earlier tonight because I’m so stressed about the situation. I should retire and read comic books and watch films. Oh, and the day job. Work, work, work. Oh, and Gnus.

I’m thinking about ending Gmane, at least as a web site. Perhaps continue running the SMTP-to-NNTP bridge? Perhaps not? I don’t want to make 20-30K mailing lists start having bouncing addresses, but I could just funnel all incoming mail to /dev/null, I guess…” The site, which has been relied on by many (including LWN) since it started in 2002, is down now and it appears to be unclear when (or if) it will be back.

Security advisories for Thursday

Post Syndicated from jake original http://lwn.net/Articles/695681/rss

Debian has updated xen (multiple vulnerabilities, one from 2015).

Debian-LTS has updated tardiff (two vulnerabilities from 2015).

Fedora has updated httpd (F23: HTTP redirect), libarchive (F24: code execution), and libvirt (F23: authentication bypass).

openSUSE has updated dropbear (42.1, 13.2: multiple vulnerabilities), go (13.2: HTTP request smuggling flaws from 2015), karchive (42.1, 13.2: code execution), mbedtls (42.1: three vulnerabilities), python (42.1, 13.2: three vulnerabilities), and tiff (13.2: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (multiple vulnerabilities).

EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment

Post Syndicated from jake original http://lwn.net/Articles/695118/rss

The Electronic Frontier Foundation (EFF) has announced that it is suing the US government over provisions in the Digital Millennium Copyright Act (DMCA). The suit has been filed on behalf of Andrew “bunnie” Huang, who has a blog post describing the reasons behind the suit. The EFF also explained why these DMCA provisions should be ruled unconstitutional:
“These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing.

Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people’s ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials.”

Security updates for Thursday

Post Syndicated from jake original http://lwn.net/Articles/695088/rss

Arch Linux has updated bind (denial of service).

CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian-LTS has updated libarchive (multiple vulnerabilities, most from 2015).

Fedora has updated openssh (F24: user enumeration via timing side-channel) and p7zip (F24: two code execution flaws).

openSUSE has updated dhcp (42.1: denial of service).

Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), and openstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015).

Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated obs-service-source_validator (SLE12: code execution).

Automotive Grade Linux Releases 2.0 Spec Amid Growing Support (Linux.com)

Post Syndicated from jake original http://lwn.net/Articles/694550/rss

Over at Linux.com, Eric Brown writes about the release of Automotive Grade Linux (AGL) Unified Code Base (UCB) 2.0 for in-vehicle infotainment (IVI) systems. “The latest version adds features like audio routing, rear seat display support, the beginnings of an app platform, and new development boards including the DragonBoard, Wandboard, and Raspberry Pi.

AGL’s Yocto Project derived UCB distro, which is also based in part on the GENIVI and Tizen automotive specs, was first released in January. UCB 1.0 followed an experimental AGL stack in 2014 and an AGL Requirements Specification in June, 2015.

UCB is scheduled for a 3.0 release in early 2017, at which point some automotive manufacturers will finally use it in production cars. Most of the IVI software will be based on UCB, but carmakers can also differentiate with their own features.” We looked at AGL UCB 1.0 back in January.

Security advisories for Thursday

Post Syndicated from jake original http://lwn.net/Articles/694513/rss

Fedora has updated gnutls (F23: certificate verification botch).

Gentoo has updated flash (many vulnerabilities).

openSUSE has updated flash-player (13.2: many vulnerabilities) and kernel (42.1: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities) and rh-nginx18-nginx (RHSC: multiple vulnerabilities).

SUSE has updated MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss (SLE11: multiple vulnerabilities).

Gräßlin: Multi-screen woes in Plasma 5.7

Post Syndicated from jake original http://lwn.net/Articles/694157/rss

On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. “Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put its panels, but does not have any meaning for normal windows.

Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screen”. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it.

Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry.”

Portals: Using GTK+ in a Flatpak

Post Syndicated from jake original http://lwn.net/Articles/693890/rss

On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox.

“Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system.

Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t.

Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access.

Regardless which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system.

The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox.”

10 million Android phones infected by all-powerful auto-rooting apps (Ars Technica)

Post Syndicated from jake original http://lwn.net/Articles/693798/rss

Ars Technica reports on the “HummingBad” malware that has infected millions of Android devices: “Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue. The success is largely the result of the malware’s ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android.” The article is based on a report [PDF] from Check Point, though the article notes that “researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices”.

Thursday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/693722/rss

Debian has updated horizon (two vulnerabilities, one from 2015).

openSUSE has updated ImageMagick (13.2: many vulnerabilities, lots from 2014 and 2015) and qemu (42.1: many vulnerabilities, lots from 2015).

Scientific Linux has updated ocaml (SL7: information leak from 2015).

Ubuntu has updated tomcat8 (16.04: denial of service). In addition, Ubuntu has announced the end of life for 15.10 on July 28 and the end of life for 14.04.x hardware-enablement (HWE) stacks on August 4.

LWN weekly edition one day late this week

Post Syndicated from jake original http://lwn.net/Articles/693582/rss

Those who are anxiously awaiting this week’s edition later today (or tomorrow, depending on time zone) will have to wait another day. The US Independence Day holiday fell on Monday, so LWN staff took that day off for barbecues, fireworks, and other festivities. That means the edition will go out sometime in the early morning hours UTC on Friday, July 8. For those who celebrated the holiday, we hope you had a great one; for those who didn’t, we certainly hope you had a great day too! We will be back on our normal schedule next week.

Linux Mint 18 Cinnamon and MATE editions released

Post Syndicated from jake original http://lwn.net/Articles/693126/rss

Linux Mint 18 has been released with Cinnamon and MATE editions. “Linux Mint 18 is a long term support release which will be supported until 2021. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use.” The MATE edition has MATE 1.14 along with many other updates listed on the What’s New page. The Cinnamon edition has Cinnamon 3.0 (which we recently reviewed) and lots of other new packages described on its What’s New page. The release notes pages (MATE, Cinnamon) also have important information on the releases.

Security updates for Thursday

Post Syndicated from jake original http://lwn.net/Articles/693081/rss

Debian has updated libcommons-fileupload-java (denial of service), libreoffice (code execution), tomcat8 (multiple vulnerabilities, some from 2015), and xerces-c (denial of service).

Debian-LTS has updated libgd2 (denial of service), php5 (multiple vulnerabilities), and xerces-c (denial of service).

Fedora has updated setroubleshoot (F23; F22: code execution) and xguest (F23: insecure password creation).

Ubuntu has updated libreoffice (16.04, 15.10, 12.04: code execution).

[$] Networking without an operating system

Post Syndicated from jake original http://lwn.net/Articles/692638/rss

At last year’s PyCon in Montréal, Josh Triplett introduced the work he and others have done to port Python to run in the GRUB boot loader. At this year’s PyCon in Portland, Oregon, he updated attendees on progress that has been made in the BIOS Implementation Test Suite (BITS) to add networking support. True to form, his presentation came with an eye-opening demonstration of the networking implemented in BITS.

Defending Our Brand (Let’s Encrypt)

Post Syndicated from jake original http://lwn.net/Articles/692555/rss

It seems that the Comodo TLS certificate authority (CA) has filed for three trademarks using variations of “Let’s Encrypt”. As might be guessed, the Let’s Encrypt project is less than pleased by Comodo trying to coopt its name. “Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization.

If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web.”

[Thanks to Paul Wise.]

Thursday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/692513/rss

Debian-LTS has updated squidguard (cross-site scripting).

Fedora has updated php-symfony-security-acl (F24: unspecified). Also, Fedora has sent out a reminder that Fedora 22 will reach its end of life on July 19.

Mageia has updated chromium-browser-stable (multiple vulnerabilities), kernel-linus (multiple vulnerabilities, one from 2013), kernel-tmb (multiple vulnerabilities, one from 2013), libimobiledevice (socket listening on all network interfaces), and python (three vulnerabilities).

openSUSE has updated libarchive (42.1: code execution), mariadb (13.2: many unspecified vulnerabilities), and obs-service-source_validator (42.1; 13.2: code execution).

Red Hat has updated libxml2 (RHEL6&7: multiple vulnerabilities) and setroubleshoot and setroubleshoot-plugins (RHEL7: three vulnerabilities).

Horn: Exploiting Recursion in the Linux Kernel

Post Syndicated from jake original http://lwn.net/Articles/692070/rss

On the Project Zero blog, Jann Horn describes a bug he found that allows user space to overflow the kernel stack using the ecryptfs encrypted filesystem. That overflow can be used to elevate privileges for local users on Ubuntu systems configured for encrypted home directories. “However, the reason why I wrote a full root exploit for this not exactly widely exploitable bug is that I wanted to demonstrate that Linux stack overflows can occur in very non-obvious ways, and even with the existing mitigations turned on, they’re still exploitable. In my bug report, I asked the kernel security list to add guard pages to kernel stacks and remove the thread_info struct from the bottom of the stack to more reliably mitigate this bug class, similar to what other operating systems and grsecurity are already doing. Andy Lutomirski had actually already started working on this, and he has now published patches that add guard pages: https://lkml.org/lkml/2016/6/15/1064.”

Kernel prepatch 4.7-rc4

Post Syndicated from jake original http://lwn.net/Articles/692032/rss

The 4.7-rc4 prepatch is now available for testing. Linus Torvalds said that it is “pretty small” with “nothing particularly worrisome”. The development cycle proceeds apace with the usual sorts of changes: “The statistics look very normal: about two thirds drivers, with the rest being half architecture updates and half “misc” (small filesystem updates, some documentation, and a smattering of patches elsewhere).”