All posts by jake

Masnick: Techdirt’s First Amendment Fight For Its Life

Post Syndicated from jake original http://lwn.net/Articles/711485/rss

Over at Techdirt, Mike Masnick writes about a libel suit filed against the site: “As you may have heard, last week we were sued for $15 million by Shiva Ayyadurai, who claims to have invented email. We have written, at great length, about his claims and our opinion — backed up by detailed and thorough evidence — that email existed long before Ayyadurai created any software. We believe the legal claims in the lawsuit are meritless, and we intend to fight them and to win.
There is a larger point here. Defamation claims like this can force independent media companies to capitulate and shut down due to mounting legal costs. Ayyadurai’s attorney, Charles Harder, has already shown that this model can lead to exactly that result. His efforts helped put a much larger and much more well-resourced company than Techdirt completely out of business.”

Thursday’s security updates

Post Syndicated from jake original http://lwn.net/Articles/711446/rss

Debian has updated bind9 (three vulnerabilities), ikiwiki (three vulnerabilities), and python-pysaml2 (XML external entity attack).

Debian-LTS has updated libav (two vulnerabilities).

Fedora has updated compat-guile18 (F25; F24: insecure directory creation), mingw-flac (F25: three vulnerabilities from 2015), qpid-java (F25: information disclosure), and springframework-security (F25: security constraint bypass).

openSUSE has updated flash-player (13.2: multiple vulnerabilities).

Red Hat has updated memcached (RHMAP4.2: two vulnerabilities).

Slackware has updated bind (denial of service), gnutls (multiple vulnerabilities), and irssi (multiple vulnerabilities).

SUSE has updated bind (SLE12-SP2,SP1; SLE12; SLE11-SP4,SP3: three vulnerabilities) and flash-player (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated bind9 (three vulnerabilities) and libvncserver (two vulnerabilities).

[$] Python 2.8?

Post Syndicated from jake original http://lwn.net/Articles/711061/rss

The appearance of a “Python 2.8” got the attention of the Python core developers in early December. It is based on Python 2.7, with features backported from Python 3.x. In general, there was little support for the effort (core developers tend to clearly see Python 3 as the way forward) but no opposition to it either. The Python license makes it clear that these kinds of efforts are legal and even encouraged; any real opposition to the project lies in its name.

Subscribers can click below for the full article from this week’s edition.

My WATCH runs GNU/Linux And It Is Amazing (LearntEmail)

Post Syndicated from jake original http://lwn.net/Articles/710914/rss

The LearntEmail blog has a look at running AsteroidOS on the LG Watch Urbane smartwatch.
“It looks like a watch, it smells like a watch, but it runs like a normal computer. Wayland, systemd, polkit, dbus and friends look very friendly to hacking. Even Qt is better than android, but that’s debatable.

My next project – run Gtk+ on the watch 🙂” (Thanks to Paul Wise.)

Security updates for Friday

Post Syndicated from jake original http://lwn.net/Articles/710892/rss

Debian-LTS has updated pcsc-lite (privilege escalation).

Fedora has updated flac (F25: three vulnerabilities from 2015), pcsc-lite (F25: privilege escalation), php-PHPMailer (F25: code execution), subversion (F25: denial of service), thunderbird (F25: multiple vulnerabilities), and tinymce (F25: cross-site scripting).

Mageia has updated bash (code execution), thunderbird (multiple vulnerabilities), tor (denial of service), and unrtf (code execution).

openSUSE has updated kopete (SPH for SLE12; 42.2, 42.1, 13.2: encryption botch).

Red Hat has updated puppet-tripleo (OSP10.0: access restriction bypass).

Ubuntu has updated exim4 (information leak).

Security updates for Thursday

Post Syndicated from jake original http://lwn.net/Articles/710797/rss

Debian has updated libvncserver (two vulnerabilities) and pcsc-lite (privilege escalation).

Debian-LTS has updated python-crypto (DLA-773-3; DLA-773-2: regression(s?) in previous security update for CVE-2013-7459).

Fedora has updated bzip2 (F24: denial of service), libpng (F24: denial of service), and seamonkey (F24: multiple vulnerabilities).

openSUSE has updated ImageMagick (42.2, 42.1: multiple vulnerabilities), libgme (42.2, 42.1: multiple vulnerabilities), and thunderbird (13.1: multiple vulnerabilities).

Oracle has updated ghostscript (OL7; OL6: multiple vulnerabilities, one from 2013), gstreamer-plugins-bad-free (OL7: three vulnerabilities), gstreamer-plugins-good (OL7: multiple vulnerabilities), gstreamer1-plugins-bad-free (OL7: multiple vulnerabilities), and gstreamer1-plugins-good (OL7: multiple vulnerabilities).

Red Hat has updated gstreamer-plugins-bad-free (RHEL7: three vulnerabilities), gstreamer-plugins-good (RHEL7: multiple vulnerabilities), gstreamer1-plugins-bad-free (RHEL7: multiple vulnerabilities), and gstreamer1-plugins-good (RHEL7: multiple vulnerabilities).

Scientific Linux has updated gstreamer-plugins-bad-free (SL7: three vulnerabilities), gstreamer-plugins-good (SL7: multiple vulnerabilities), gstreamer1-plugins-bad-free (SL7: multiple vulnerabilities), and gstreamer1-plugins-good (SL7: multiple vulnerabilities).

Ubuntu has updated nss (three vulnerabilities).

[$] New features in Python 3.6

Post Syndicated from jake original http://lwn.net/Articles/709780/rss

The Python 3.6 release occurred on December 23, only one week later than planned all the way back in October 2015. Python 3.6 adds a number of new features, including more support for asynchronous operations (generators and comprehensions), a filesystem path protocol, a new literal string formatting option, two random-number-related features, a frame evaluation API for debuggers and just-in-time (JIT) compilation, and more. Some of these features have been described in LWN articles along the way, but many haven’t, so an overview of the highlights of the new release is in order.

Subscribers can click below to see the article that will appear in next week’s edition.

Security updates for Friday

Post Syndicated from jake original http://lwn.net/Articles/710355/rss

Debian has updated dcmtk (code execution from 2015).

Debian-LTS has updated curl (code execution) and libxi (regression in previous update).

Fedora has updated js-jquery (F24: cross-site scripting), js-jquery1 (F25; F24: cross-site scripting), smack (F25: TLS bypass), and tracker (F24: adding sandboxing).

Gentoo has updated mod_wsgi (privilege escalation from 2014).

Mageia has updated game-music-emu (multiple vulnerabilities), gstreamer1.0-plugins-good (multiple vulnerabilities), hdf5 (multiple vulnerabilities), kernel, kmod (three vulnerabilities), libgsf (denial of service), openjpeg2 (multiple vulnerabilities), roundcubemail (code execution), and samba (authentication bypass).

openSUSE has updated irc-otr (42.2: information disclosure).

Slackware has updated python (two vulnerabilities) and samba (three vulnerabilities).

SUSE has updated gstreamer-plugins-bad (SLE12: multiple vulnerabilities) and gstreamer-plugins-good (SLE12: multiple vulnerabilities).

Top open source creative tools in 2016 (opensource.com)

Post Syndicated from jake original http://lwn.net/Articles/710094/rss

Over at opensource.com, Máirín Duffy has a lengthy overview of the open-source creative tools available. She covers the core applications (GIMP, Inkscape, Scribus, MyPaint, Blender, and Krita) for design, as well as tools for video, photography, 2D animation, audio, music, and more. “These six applications are the juggernauts of open source design tools. They are well-established, mature projects with full feature sets, stable releases, and active development communities. All six applications are cross-platform; each is available on Linux, OS X, and Windows, although in some cases the Linux versions are the most quickly updated. These applications are so widely known, I’ve also included highlights of the latest features available that you may have missed if you don’t closely follow their development.

If you’d like to follow new developments more closely, and perhaps even help out by testing the latest development versions of the first four of these applications—GIMP, Inkscape, Scribus, and MyPaint—you can install them easily on Linux using Flatpak.”

The Year Encryption Won (Wired)

Post Syndicated from jake original http://lwn.net/Articles/710093/rss

It’s not entirely clear that the title is justified, but Wired does cover some progress on the encryption front in 2016. “End-to-end encryption, which ensures that the only people who can see your communications are you and the person on the receiving end, certainly isn’t new. But in 2016, encryption went mainstream, reaching billions of people all over the world. Even more significantly, it overcame its most aggressive legal challenge yet, in a prolonged standoff between Apple and the FBI. And just this week, a Congressional committee affirmed the importance of encryption, giving hope that future laws around the topic will include at least a modicum of sanity.

There’s still a long way to go, and any gains that were made could potentially be rolled back, but for now it’s worth taking a step back to appreciate just how far encryption came this year. As far as silver linings go, you could do a lot worse.”

Friday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/710081/rss

Arch Linux has updated openssh (multiple vulnerabilities) and samba (three vulnerabilities).

Debian-LTS has updated nss (timing side-channel).

Fedora has updated botan (F25; F24: integer overflow), gdk-pixbuf2 (F25: unspecified), kernel (F25; F24: denial of service), samba (F25: two vulnerabilities), and xen (F24: multiple vulnerabilities).

Mageia has updated libgd (two vulnerabilities), php (two vulnerabilities), and squid (two vulnerabilities).

SUSE has updated dnsmasq (OSCC5: denial of service from 2015), ImageMagick (SLE12: multiple vulnerabilities, one from 2014), kernel (SLE11SP2; SLE11SP3: two vulnerabilities), and libgme (SLE12: multiple vulnerabilities).

Larsson: A stable base for Flatpak: 0.8

Post Syndicated from jake original http://lwn.net/Articles/710017/rss

On his blog, Alexander Larsson reflects on the Flatpak 0.8 release and his plans for the application packaging and distribution format going forward.
“My goal is to get the 0.8 series into the Debian 9 release, and as many other distributions as possible, so that people who create flatpaks can consider the features it supports as a reliable baseline.

Sandboxing has always been one of the pillars of Flatpak, but even more important to me is cross-distro application distribution, even if not sandboxed. This is important because it gives upstream developers a way to directly interact with their users, without having an intermediate distributor. With 0.8 I think we have reached a level where the support for this is solid. So, if you ever thought about experimenting with Flatpak, now is the time!”

How to find Android apps that respect user privacy (opensource.com)

Post Syndicated from jake original http://lwn.net/Articles/710016/rss

Over at opensource.com, Joshua Allen Holm writes about two projects (Privacy Friendly Apps and Simple Mobile Tools) that are producing Android apps that are open source, privacy respecting, and only request the privileges they need. “Below, I take a look at two projects producing a wide variety of Android apps designed to only request the permissions they require to function. These apps cover a wide range of functions with each app being focused on doing only one task and doing that task well. Users looking for well designed, functional apps with no extra features and no anti-features (i.e., advertisements) should consider checking these apps out. Developers, especially those just getting started with developing for Android, should take a look at the source code for these apps to learn about developing apps with a focus on using minimal permissions and respecting users’ privacy.”

Thursday’s security updates

Post Syndicated from jake original http://lwn.net/Articles/709980/rss

CentOS has updated gstreamer-plugins-bad-free (C6: two code execution flaws), gstreamer-plugins-good (C6: multiple vulnerabilities), thunderbird (C7; C6: multiple vulnerabilities), and vim (C7; C6: code execution).

Debian-LTS has updated imagemagick (multiple vulnerabilities) and libgd2 (code execution).

Fedora has updated dovecot (F24: denial of service), msgpuck (F25; F24: two denial of service flaws), and tarantool (F25; F24: two denial of service flaws).

openSUSE has updated gd (13.2: code execution), GraphicsMagick (two vulnerabilities), ImageMagick (13.2: multiple vulnerabilities), mcabber (42.2: information disclosure from 2015), php5 (13.2: three vulnerabilities), qemu (42.2: multiple vulnerabilities), and shellinabox (HTTP fallback from 2015).

Oracle has updated gstreamer-plugins-bad-free (OL6: two code execution flaws), gstreamer-plugins-good (OL6: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), kernel 3.8.13 (OL7; OL6: two vulnerabilities), kernel 4.1.12 (OL7; OL6: code execution), and thunderbird (OL7; OL6: multiple vulnerabilities).

Red Hat has updated openstack-cinder/glance/nova (RHOSP8.0: denial of service from 2015).

SUSE has updated firefox (SLE12; SLE11SP4&3; SLE11SP2: multiple vulnerabilities), kernel (SLE12: two vulnerabilities), and xen (SLE12; SLE12SP2; SLE12SP1; SLE11SP4: three vulnerabilities).

[$] Using systemd for more secure services in Fedora

Post Syndicated from jake original http://lwn.net/Articles/709755/rss

The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability.
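As an added example (not taken from the article, Poettering’s post, or the fedora-devel thread), here is a drop-in for a hypothetical `example.service`: a network daemon that is assumed to need only TCP over IPv4/IPv6 and a local UNIX socket, to run as an unprivileged user, and to need no capabilities. The service name, path, and those assumptions are invented for illustration; the directive names are real systemd options that existed by systemd 232 (an older systemd logs a warning for directives it does not know and ignores them). The commented-out "before" stanza is how many units ship, with nothing restricted; the "after" stanza allow-lists address families and adds the other sandboxing directives the article alludes to.

```ini
# /etc/systemd/system/example.service.d/hardening.conf
# Added example. "example.service" is a hypothetical daemon that only
# needs IPv4/IPv6 stream sockets and a local UNIX socket, runs as an
# unprivileged user, and needs no capabilities.

# Before: a typical unit with no sandboxing. A code-execution bug in the
# daemon lets the attacker call socket(AF_PACKET, ...) and reach the
# packet-socket code that CVE-2016-8655 lived in (given CAP_NET_RAW).
#
# [Service]
# ExecStart=/usr/sbin/example --foreground

# After: allow-list the address families the daemon really uses.
# systemd enforces this with a seccomp filter on socket(2); a call with
# any other family fails with EAFNOSUPPORT and never reaches the kernel
# protocol implementation. Whole families the daemon never legitimately
# needs (AF_PACKET, AF_NETLINK, AF_BLUETOOTH, ...) are simply unreachable.
[Service]
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Least privilege, independent of the seccomp filter: with an empty
# bounding set the process cannot hold CAP_NET_RAW, which packet sockets
# require, and NoNewPrivileges= stops setuid/fscaps binaries from
# handing capabilities back.
CapabilityBoundingSet=
NoNewPrivileges=yes

# Filesystem and kernel-interface sandboxing.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
```

Apply it with `systemctl daemon-reload` followed by `systemctl restart example.service`, then confirm the effective value with `systemctl show -p RestrictAddressFamilies example.service`. Two caveats a practitioner should keep in mind. First, this is per-service containment: it shrinks the blast radius of a bug in that daemon, but does nothing for an interactive user who can open a packet socket directly (the public CVE-2016-8655 exploit obtained CAP_NET_RAW through an unprivileged user namespace, which a service sandbox does not address). Second, RestrictAddressFamilies= depends on seccomp, and the systemd documentation of the time noted that it had no effect on 32-bit x86, where socket() is multiplexed through socketcall(2); check the manual for the architectures your systemd version covers before relying on it.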

Introducing GoboLinux 016

Post Syndicated from jake original http://lwn.net/Articles/709482/rss

The GoboLinux project has announced the release of GoboLinux 016. The distribution takes a different approach to filesystem organization so that multiple versions of programs can all be installed at the same time. GoboLinux 016 has a new feature called Runner to manage that: “Runner is a brand new filesystem virtualization tool, specifically designed for GoboLinux. It dynamically changes a process’ view of /System/Index based on the program’s Dependencies file.

From day one, GoboLinux has always supported keeping multiple versions of a program installed on disk at the same time, but when two versions had conflicts, you had to choose which one would be activated in the system as the default.

With Runner, you don’t need to worry about which version of a given dependency is currently linked (or activated) in /System/Index: Runner gives the process its own virtual /System/Index with all the right dependencies.” Other features include the GoboNet wireless network manager and a desktop based on the awesome window manager.

Security advisories for Friday

Post Syndicated from jake original http://lwn.net/Articles/709455/rss

Arch Linux has updated flashplugin (multiple vulnerabilities) and lib32-flashplugin (multiple vulnerabilities).

Debian has updated libupnp (two vulnerabilities).

Debian-LTS has updated firefox-esr (multiple vulnerabilities) and icu (two vulnerabilities, one from 2014).

Fedora has updated chromium (F25; F24: multiple vulnerabilities), firefox (F25; F24: denial of service), gstreamer-plugins-bad-free (F24: code execution), gstreamer-plugins-good (F24: multiple vulnerabilities), and libgsf (F24: denial of service).

Mageia has updated chromium-browser-stable (multiple vulnerabilities) and firefox (multiple vulnerabilities).

Pythonic code review (Red Hat Security Blog)

Post Syndicated from jake original http://lwn.net/Articles/709384/rss

Over at the Red Hat Security Blog, Ilya Etingof writes about code reviews, in general, along with some specific thoughts on Pythonic versus non-Pythonic idioms in code. “People coming from Java tend to turn everything into a class. That’s probably because Java heavily enforces the OOP paradigm. Python programmers enjoy a freedom of picking a programming model that is best suited for the task.

The choice of object-based implementations look reasonable to me when there is a clear abstraction for the task being solved. Statefulness and duck-typed objects are another strong reason for going the OOP way.

If the author’s priority is to keep related functions together, pushing them to a class is an option to consider. Such classes may never need instantiation, though.

Free-standing functions are easy to grasp, concise and light. When a function does not cause side-effects, it’s also good for functional programming.”