All posts by jake

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/848416/rss

Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/848223/rss

Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography).

[$] Alternative syntax for Python’s lambda

Post Syndicated from jake original https://lwn.net/Articles/847960/rss

The Python lambda keyword, which can be used to create small, anonymous functions, comes from the world of functional programming, but is perhaps not the most beloved of Python features. In part, that may be because it is somewhat clunky to use, especially in comparison to the shorthand notation offered by other languages, such as JavaScript. That has led to some discussions on possible changes to lambda in Python mailing lists since mid-February.

[$] PipeWire: The Linux audio/video bus

Post Syndicated from jake original https://lwn.net/Articles/847412/rss

For more than a decade, PulseAudio has been serving the Linux desktop as its predominant audio mixing and routing daemon — and its audio API. Unfortunately, PulseAudio’s internal architecture does not fit the growing sandboxed-applications use case, even though there have been attempts to amend that. PipeWire, a new daemon created (in part) out of these attempts, will replace PulseAudio in the upcoming Fedora 34 release. It is a coming transition that deserves a look.

Mageia 8 has been released

Post Syndicated from jake original https://lwn.net/Articles/847625/rss

The Mageia distribution has announced the release of Mageia 8. It comes with the usual array of new packages, including a 5.10.16 kernel, Plasma 5.20.4, GNOME 3.38, Firefox 78, Chromium 88, LibreOffice 7.0.4.2, and more. ARM support has continued to develop, with both AArch64 and ARMv7 now having all packages built and being close to primary architectures. Support for Wi-Fi installation in the classical installer using WPA2 encryption has been added, as well as improved support for newer filesystems, allowing installations on F2FS. Support for NILFS, XFS, exFAT and Windows 10 NTFS has been improved to allow for better partition management. The Live installer has also had significant development. Boot times have been greatly reduced with the use of Zstd compression and improved hardware detection, and support for installing updates as a final step of the installation has been added. Zstd compression has also been applied to the rescue mode, allowing for faster startup; support for encrypted LVM/LUKS has also been added.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/847581/rss

Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/847390/rss

Security updates have been issued by Arch Linux (ansible-base, keycloak, mumble, and postgresql), Debian (firefox-esr and nodejs), Fedora (dotnet3.1, dotnet5.0, keylime, php-horde-Horde-Text-Filter, radare2, scap-security-guide, and wireshark), openSUSE (postgresql, postgresql13 and python-djangorestframework), Red Hat (Ansible, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (php7, postgresql-jdbc, python-cryptography, rpmlint, and webkit2gtk3), and Ubuntu (dnsmasq, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, linux-oem-5.10, linux-oem-5.6, screen, and xterm).

[$] A pair of Python vulnerabilities

Post Syndicated from jake original https://lwn.net/Articles/846847/rss

Two separate vulnerabilities led to the fast-tracked release of Python 3.9.2 and 3.8.8 on February 19, though source-only releases of 3.7.10 and 3.6.13 came a few days earlier. The vulnerabilities may be problematic for some Python users and workloads; one could potentially lead to remote code execution. The other is, arguably, not exactly a flaw in the Python standard library—it simply also follows an older standard—but it can lead to web cache poisoning attacks.

[$] NumPy 1.20 has been released

Post Syndicated from jake original https://lwn.net/Articles/847039/rss

NumPy is a Python library that adds an array data type to the language, along with providing operators appropriate to working on arrays and matrices. By wrapping fast Fortran and C numerical routines, NumPy allows Python programmers to write performant code in what is normally a relatively slow language. NumPy 1.20.0 was announced on January 30, in what its developers describe as the largest release in the history of the project. That makes for a good opportunity to show a little bit about what NumPy is, how to use it, and to describe what’s new in the release.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/846787/rss

Security updates have been issued by Debian (bind9, libbsd, openssl1.0, php-horde-text-filter, qemu, and unrar-free), Fedora (kiwix-desktop and libntlm), Mageia (coturn, mediawiki, privoxy, and veracrypt), openSUSE (buildah, libcontainers-common, podman), Oracle (kernel, nss, and perl), Red Hat (xterm), SUSE (java-1_7_1-ibm, php74, python-urllib3, and qemu), and Ubuntu (libjackson-json-java and shiro).

[$] What goes into default Debian?

Post Syndicated from jake original https://lwn.net/Articles/846405/rss

The venerable locate file-finding utility has long been available for Linux systems, though its origins are in the BSD world. It is a generally useful tool, but does have a cost beyond just the disk space it occupies in the filesystem; there is a periodic daemon (updatedb) that runs to keep the file-name database up to date. As a recent debian-devel discussion shows, though, people have differing ideas of just how important the tool is—and whether it should be part of the default installation of Debian.

[$] Malware in open-source web extensions

Post Syndicated from jake original https://lwn.net/Articles/846272/rss

On February 4, millions of browser tabs were suddenly terminated. Not everyone was surprised; the dozen people who spent the last four months waiting for this tragedy to occur watched in relief as the first in a rapid stream of GitHub comments began pouring in. The Great Suspender, a Chrome extension that suspended inactive tabs, with around two-million users, had been forcibly uninstalled because it contained malware. This was a serious problem for users, in part due to the difficulty in recovering the lost tabs, but the extension’s malevolence had been painfully obvious to anyone who cared to investigate it.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/845999/rss

Security updates have been issued by Arch Linux (ansible, chromium, cups, docker, firefox, gitlab, glibc, helm, lib32-glibc, minio, nextcloud, opendoas, opera, php, php7, privoxy, python-django, python-jinja, python2-jinja, thunderbird, vivaldi, and wireshark-cli), Fedora (jasper, linux-firmware, php, python-cryptography, spice-vdagent, subversion, and thunderbird), Mageia (gssproxy and phpldapadmin), openSUSE (chromium, containerd, docker, docker-runc, librepo, nextcloud, and privoxy), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, kernel, openvswitch, and wpa_supplicant), and Ubuntu (wpa).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/845750/rss

Security updates have been issued by Debian (firejail and netty), Fedora (java-1.8.0-openjdk, java-11-openjdk, rubygem-mechanize, and xpdf), Mageia (gstreamer1.0-plugins-bad, nethack, and perl-Email-MIME and perl-Email-MIME-ContentType), openSUSE (firejail, java-11-openjdk, python, and rclone), Red Hat (dotnet, dotnet3.1, dotnet5.0, and rh-nodejs12-nodejs), SUSE (firefox, kernel, python, python36, and subversion), and Ubuntu (gnome-autoar, junit4, openvswitch, postsrsd, and sqlite3).

[$] Python cryptography, Rust, and Gentoo

Post Syndicated from jake original https://lwn.net/Articles/845535/rss

There is always a certain amount of tension between the goals of those using older, less-popular architectures and the goals of projects targeting more mainstream users and systems. In many ways, our community has been spoiled by the number of architectures supported by GCC, but a lot of new software is not being written in C—and existing software is migrating away from it. The Rust language is often the choice these days for both new and existing code bases, but it is built with LLVM, which supports fewer architectures than GCC supports—and Linux runs on. So the question that arises is how much these older, non-Rusty architectures should be able to hold back future development; the answer, in several places now, has been “not much”.

[$] Visiting another world

Post Syndicated from jake original https://lwn.net/Articles/845446/rss

The world wide web is truly a wondrous invention, but it is not without flaws. There are massive privacy woes that stem from its standards and implementation; it is also so fiendishly complex that few can truly grok all of its expanse. That complexity affords enormous flexibility, for good or ill. Those who are looking for a simpler way to exchange information—or hearken back to web prehistory—may find the Gemini project worth a look.

Two new “experimental” stable kernels

Post Syndicated from jake original https://lwn.net/Articles/845207/rss

Greg Kroah-Hartman has released the 4.9.256 and 4.4.256 kernels in order to try to figure out if there are any user-space problems caused by the overflow of the minor version number for those stable-kernel series. “With this release, KERNEL_VERSION(4, 9, 256) is the same as KERNEL_VERSION(4, 10, 0).

Nothing in the kernel build itself breaks with this change, but given that this is a userspace visible change, and some crazy tools (like glibc and gcc) have logic that checks the kernel version for different reasons, I wanted to do this release as an ‘empty’ release to ensure that everything still works properly.” Those who could be affected would be well-advised to test this change immediately as he plans another 4.9 release in a week’s time.