Security updates have been issued by Arch Linux (chromium and vlc), Debian (erlang), Mageia (ffmpeg, tor, and wireshark), openSUSE (chromium, opensaml, openssh, openvswitch, and php7), Oracle (postgresql), Red Hat (chromium-browser, postgresql, rh-postgresql94-postgresql, rh-postgresql95-postgresql, and rh-postgresql96-postgresql), SUSE (firefox, java-1_6_0-ibm, opensaml, and xen), and Ubuntu (kernel, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-azure, linux-gcp, linux-hwe, linux-lts-trusty, linux-lts-xenial, linux-aws, and rsync).
At Opensource.com, Mike Bursell looks at blockchain security from the angle of trust. Unlike cryptocurrencies, which are pseudonymous typically, other kinds of blockchains will require mapping users to real-life identities; that raises the trust issue.
“What’s really interesting is that, if you’re thinking about moving to a permissioned blockchain or distributed ledger with permissioned actors, then you’re going to have to spend some time thinking about trust. You’re unlikely to be using a proof-of-work system for making blocks—there’s little point in a permissioned system—so who decides what comprises a “valid” block that the rest of the system should agree on? Well, you can rotate around some (or all) of the entities, or you can have a random choice, or you can elect a small number of über-trusted entities. Combinations of these schemes may also work.
If these entities all exist within one trust domain, which you control, then fine, but what if they’re distributors, or customers, or partners, or other banks, or manufacturers, or semi-autonomous drones, or vehicles in a commercial fleet? You really need to ensure that the trust relationships that you’re encoding into your implementation/deployment truly reflect the legal and IRL [in real life] trust relationships that you have with the entities that are being represented in your system.
And the problem is that, once you’ve deployed that system, it’s likely to be very difficult to backtrack, adjust, or reset the trust relationships that you’ve designed.”
Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, kernel, liblouis, qemu-kvm, sssd, and thunderbird), Debian (heimdal and nova), openSUSE (shibboleth-sp), Oracle (java-1.7.0-openjdk), Red Hat (Red Hat OpenShift Enterprise), Scientific Linux (openafs), SUSE (kernel), and Ubuntu (rsync).
Voice computing has long been a staple of science fiction, but it has
only relatively recently made its way into fairly common mainstream use.
Gadgets like mobile
phones and “smart” home assistant devices (e.g. Amazon Echo, Google Home)
have brought voice-based user interfaces to the masses. The voice
processing for those gadgets relies on various proprietary services “in the
cloud”, which generally leaves the free-software world out in the cold.
been FOSS speech-recognition efforts over
the years, but Mozilla’s recent
announcement of the release of its voice-recognition code and voice
data set should help further the goal of FOSS voice interfaces.
Linux containers are something of an amorphous beast, at least with
respect to the kernel. There are lots of facilities that the kernel
provides (namespaces, control groups, seccomp, and so on) that can be
composed by user-space tools into containers of various shapes and
colors; the kernel is blissfully unaware of how user space views that
composition. But there is interest in having the kernel be more aware of
containers and for it to be able to distinguish what user space considers
to be a single container. One particular use case for the kernel managing
container identifiers is the audit
subsystem, which needs unforgeable IDs for containers that can be
Security updates have been issued by Debian (curl, libxml2, optipng, and sox), Fedora (kernel, mediawiki, moodle, nodejs-balanced-match, nodejs-brace-expansion, and python-werkzeug), openSUSE (optipng), Oracle (kernel and qemu-kvm), Red Hat (kernel, kernel-rt, qemu-kvm, and qemu-kvm-rhev), SUSE (kernel), and Ubuntu (thunderbird).
Amazon has announced the release of FreeRTOS kernel version 10, with a new license: “FreeRTOS was created in 2003 by Richard Barry. It rapidly became popular, consistently ranking very high in EETimes surveys on embedded operating systems. After 15 years of maintaining this critical piece of software infrastructure with very limited human resources, last year Richard joined Amazon.
Today we are releasing the core open source code as FreeRTOS kernel version 10, now under the MIT license (instead of its previous modified GPLv2 license). Simplified licensing has long been requested by the FreeRTOS community. The specific choice of the MIT license was based on the needs of the embedded systems community: the MIT license is commonly used in open hardware projects, and is generally whitelisted for enterprise use.” While the modified GPLv2 was removed, it was replaced with a slightly modified MIT license that adds: “If you wish to use our Amazon FreeRTOS name, please do so in a
fair use way that does not cause confusion.” There is concern that change makes it a different license; the Open Source Initiative and Amazon open-source folks are working on clarifying that.
Security updates have been issued by Debian (bzr and exim4), Mageia (ghostscript, libtiff, mediawiki, postgresql, thunderbird, and vlc), openSUSE (kernel-firmware and samba), Oracle (samba4), SUSE (xen), and Ubuntu (exim4, libxcursor, and libxfont, libxfont1, libxfont2).
The reminder that the feature freeze for
Python 3.7 is coming up fairly soon (January 29) was met with a
flurry of activity on the python-dev mailing list. Numerous Python
enhancement proposals (PEPs) were updated or newly proposed; other features
or changes have been discussed as well. One of the updated PEPs is proposing a
new type of class, a
“data class”, to be added to the standard library. Data classes would
serve much the same purpose as structures or records in other languages and
would use the relatively new type annotations
feature to support static type checking of the use of the classes.
Out-of-tree drivers are a maintenance headache, since customers may want to
use them in newer kernels.
But even those drivers that get
merged into the mainline may need to be backported at times. Coccinelle developer Julia Lawall
introduced the audience at Open Source Summit Europe to some new tools
that can help make both forward-porting and backporting drivers easier.
Security updates have been issued by Arch Linux (roundcubemail), Debian (optipng, samba, and vlc), Fedora (compat-openssl10, fedpkg, git, jbig2dec, ldns, memcached, openssl, perl-Net-Ping-External, python-copr, python-XStatic-jquery-ui, rpkg, thunderbird, and xen), SUSE (tomcat), and Ubuntu (db, db4.8, db5.3, linux, linux-raspi2, linux-aws, linux-azure, linux-gcp, and samba).
Management Engine (ME), which is a separate processor and operating
system running outside of user control on most x86 systems, has long been
of concern to users who are security and privacy conscious. Google and
been working on ways to eliminate as much of that functionality as possible
(while still being able to boot and run the system). Ronald Minnich from
Google came to Prague to talk about those efforts at the 2017 Embedded
Linux Conference Europe.
Google has announced that it has released its container-diff tool under the Apache v2 license.
“container-diff helps users investigate image changes by computing semantic diffs between images. What this means is that container-diff figures out on a low-level what data changed, and then combines this with an understanding of package manager information to output this information in a format that’s actually readable to users. The tool can find differences in system packages, language-level packages, and files in a container image.
Users can specify images in several formats – from local Docker daemon (using the prefix `daemon://` on the image path), a remote registry (using the prefix `remote://`), or a file in the .tar in the format exported by “docker save” command. You can also combine these formats to compute the diff between a local version of an image and a remote version.”
Security updates have been issued by Arch Linux (firefox, flashplugin, lib32-flashplugin, and mediawiki), CentOS (kernel and php), Debian (firefox-esr, jackson-databind, and mediawiki), Fedora (apr, apr-util, chromium, compat-openssl10, firefox, ghostscript, hostapd, icu, ImageMagick, jackson-databind, krb5, lame, liblouis, nagios, nodejs, perl-Catalyst-Plugin-Static-Simple, php, php-PHPMailer, poppler, poppler-data, rubygem-ox, systemd, webkitgtk4, wget, wordpress, and xen), Mageia (flash-player-plugin, icu, jackson-databind, php, and roundcubemail), Oracle (kernel and php), Red Hat (openstack-aodh), SUSE (wget and xen), and Ubuntu (apport and webkit2gtk).
After 16 years of evolution, the SciPy project has reached version
1.0. SciPy, a free-software project, has become one of the most
popular computational toolkits for scientists from a wide range of
disciplines, and is largely responsible for the ascendancy of Python
in many areas of scientific research. While the 1.0 release is
significant, much of the underlying software has been stable
for some time; the “1.0” version number reflects that
the project as a whole is on solid footing.
On October 30, 2017, a group
of Czech researchers from Masaryk University presented the ROCA paper
at the ACM CCS Conference, which earned
the Real-World Impact
Award. We briefly mentioned ROCA when
it was first reported
but haven’t dug into details of the vulnerability yet. Because of its
far-ranging impact, it seems important to review the vulnerability in
light of the new results published recently.
The Netconf 2017,
Part 2 and Netdev 2.2 conferences were
recently held in Seoul, South Korea. Netconf is an invitation-only
gathering of kernel
networking developers, while Netdev is an open conference for the Linux
networking community. Attendees have put together reports
from all five days (two for Netconf and three for Netdev) that LWN is
happy to publish for them. So far, we have coverage from the first day of
each—with more coming soon.