LWN Headlines | Heydon Consulting

User login

Navigation

books

linux on nec versa m400

drupal information

Latest images

News aggregator

Twitter

Wish List

As I am such a pain to buy for I have set up a wish list so when my birth day or other times of the year come around you can get me a pressy

hosted by

LWN Headlines

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

URL: http://lwn.net

Updated: 39 min 38 sec ago

The end of LinuxDevices?

Sat, 04/02/2012 - 6:57am

LinuxDevices.com is carrying a brief note from the "outgoing editor-in-chief" stating that the site's owner has been acquired. "At this point, the future of LinuxDevices.com is uncertain. What we can say for sure is that it has been a pleasure serving our readers -- the best in the business."

Slackware updates

Sat, 04/02/2012 - 6:52am

Slackware has been silent for some time (noted in this comment thread). Although we haven't seen any advisories in the LWN mailbox, the changelogs are showing some new updates. Slackware users should update their systems.

Stable kernels 3.0.19, 3.2.3 and 2.6.32.56

Sat, 04/02/2012 - 6:21am

Greg KH has released stable kernels 3.0.19, 3.2.3 and 2.6.32.56. All of them have important fixes across the board.

Update 3.2.4 has now been released to address a compilation problem in 3.2.3.

Friday's security updates

Sat, 04/02/2012 - 5:34am

CentOS has updated ghostscript (C6; C5; C4: multiple vulnerabilities), php (C6; C5; C4: remote code execution), and C5: php53 (remote code execution).

Debian has updated iceweasel (multiple vulnerabilities), iceape (multiple vulnerabilities), and php5 (remote code execution).

Mandriva has updated mozilla (multiple vulnerabilities).

Red Hat has updated RHEL5: php53 (remote code execution), RHEL4,5,6: php (remote code execution), ghostscript (RHEL5,6; RHEL4: multiple vulnerabilities), and RHEL5.6: freetype (code execution).

Scientific Linux has updated SL5: php53 (remote code execution), SL4,5,6: php (remote code execution), and ghostscript (SL5,6; SL4: multiple vulnerabilities).

PHP 5.3.10 released with critical security fix

Fri, 03/02/2012 - 9:26am

The PHP 5.3.10 release is out; it contains a fix for a remote code execution bug introduced recently by another security fix. Anybody running 5.3.9 should probably upgrade as soon as possible.

Critical PHP vulnerability being fixed (The H)

Fri, 03/02/2012 - 9:12am

The H is reporting that a critical remote code execution bug has been found in PHP that was caused by the recent fix for the widespread denial of service via hash collisions vulnerability. "The cause of the problem is the security update to PHP 5.3.9, which was written to prevent denial of service (DoS) attacks using hash collisions. To do so, the developers limited the maximum possible number of input parameters to 1,000 in php_variables.c using max_input_vars. Because of mistakes in the implementation, hackers can intentionally exceed this limit and inject and execute code. The bug is considered to be critical as code can be remotely injected over the web."

Security advisories for Thursday

Fri, 03/02/2012 - 7:25am

CentOS has updated openssl (C4: multiple vulnerabilities).

Debian has updated tomcat6 (multiple vulnerabilities).

Fedora has updated BackupPC (F15; F16: cross-site scripting), polipo (F15; F16: denial of service), moodle (F15; F16: multiple vulnerabilities), firefox (F16: multiple vulnerabilities), xulrunner (F16: multiple vulnerabilities), thunderbird (F16: multiple vulnerabilities), thunderbird-lightning (F16: multiple vulnerabilities), gstreamer-plugins-bad-free (F16: multiple vulnerabilities), and libvpx (F16: multiple vulnerabilities).

Mandriva has updated apache (multiple vulnerabilities).

Oracle has updated firefox (OL4; OL5; OL6: multiple vulnerabilities), seamonkey (OL4: multiple vulnerabilities), thunderbird (OL4; OL6: multiple vulnerabilities), and openssl (OL4: multiple vulnerabilities).

Red Hat has updated openssl (RHEL 4: multiple vulnerabilities)

Scientific Linux has updated thunderbird (SL4&5; SL6: multiple vulnerabilities), firefox (multiple vulnerabilities), seamonkey (SL4: multiple vulnerabilities), and openssl (SL4: multiple vulnerabilities).

Seigo: Spark answers

Fri, 03/02/2012 - 6:29am

Aaron Seigo answers questions about the Spark tablet, which is based on Plasma Active, that he announced on January 29. There is more information about the hardware and software, delivery timeframe (May 2012), and pre-orders: "Pre-order registration will open early next week. This was one piece in the puzzle that was taking a bit [longer] than I hoped for to come together, but it's finally slotted in and our distribution partner has got the necessary infrastructure settled. I'll lift the veil off of the pre-order and our distribution strategy when it goes live."

Gettys: Bufferbloat demonstration videos

Fri, 03/02/2012 - 4:51am

Jim Gettys says: "If people have heard of bufferbloat at all, it is usually just an abstraction despite having personal experience with it. Bufferbloat can occur in your operating system, your home router, your broadband gear, wireless, and almost anywhere in the Internet. They still think that if experience poor Internet speed means they must need more bandwidth, and take vast speed variation for granted. Sometimes, adding bandwidth can actually hurt rather than help. Most people have no idea what they can do about bufferbloat. So I’ve been working to put together several demos to help make bufferbloat concrete, and demonstrate at least partial mitigation." Definitely useful viewing for anybody who is concerned with the problem and how to begin addressing it.

[$] LWN.net Weekly Edition for February 2, 2012

Thu, 02/02/2012 - 12:26pm

The LWN.net Weekly Edition for February 2, 2012 is available.

Kuhn: Some Thoughts on Conservancy's GPL Enforcement

Thu, 02/02/2012 - 5:52am

Bradley Kuhn has posted a lengthy explanation of the Software Freedom Conservancy's GPL enforcement activities and the demands they make. "I started using this request regularly around 2002 because violators express a concern that, if they came into compliance due to my efforts, what was to stop others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say: 'Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate'."

The Document Foundation will be based in Berlin

Thu, 02/02/2012 - 5:13am

The Document Foundation has announced that its long-awaited legal entity will be based in Berlin. "'After many months of work in close cooperation with the authorities, we were able to keep the spirit of the community bylaws, and incorporate them into legally binding statutes, that ensure the promises that TDF has made in its manifesto', says Michael (Mike) Schinagl, a Berlin-based lawyer and contributor to various free software projects, who has been driving the legal aspects of the foundation set-up from the very beginning."

Wednesday's security update

Thu, 02/02/2012 - 5:10am

CentOS has updated thunderbird (C4, C5, C6: multiple vulnerabilities), firefox (C4, C5, C6: multiple vulnerabilities) and seamonkey (C4: multiple vulnerabilities).

Fedora has updated smokeping (F15, F16: cross-site scripting), krb5 (F15: denial of service), and sudo (F16: privilege escalation).

Red Hat has updated thunderbird (RHEL4-5, RHEL6: multiple vulnerabilities), firefox (RHEL4-6: multiple vulnerabilities), and seamonkey (RHEL4: multiple vulnerabilities).

Ubuntu has updated usbmuxd (code execution via hostile USB device).

[$] A tempest in a toybox

Thu, 02/02/2012 - 3:26am

The eLinux.org web site is currently promoting a project to write a replacement for Busybox under a permissive license. Normally, the writing of more free software is seen as a good thing, but, in this case, there have been complaints about the perceived motivation behind the project. What this discussion shows is that there are some divisions within our community on how our licenses should be enforced - and even what those licenses say.

Apache HTTP Server 2.2.22 released

Thu, 02/02/2012 - 2:13am

Version 2.2.22 of the Apache web server is out. The main point of this release appears to be the fixing of six different CVE numbers, so people with their own Apache builds probably want to grab the update.

Almost There - PyPy's ARM Backend

Thu, 02/02/2012 - 1:48am

The PyPy Status Blog has an update on the status of the PyPy port to the ARM architecture. "The current results on ARM, as shown in the graph below, show that the JIT currently gives a speedup of about 3.5 times compared to CPython on ARM. The benchmarks were run on the before mentioned BeagleBoard-xM with a 1GHz ARM Cortex-A8 processor and 512MB of memory. The operating system on the board is Ubuntu 11.04 for ARM."

Greg Kroah-Hartman moves to the Linux Foundation

Thu, 02/02/2012 - 1:11am

The Linux Foundation has announced that Greg Kroah-Hartman has joined the organization as a fellow. "In his role as Linux Foundation Fellow, Kroah-Hartman will continue his work as the maintainer for the Linux stable kernel branch and a variety of subsystems while working in a fully neutral environment. He will also work more closely with Linux Foundation members, workgroups, Labs projects, and staff on key initiatives to advance Linux."

Kernel prepatch 3.3-rc2

Wed, 01/02/2012 - 9:51am

The 3.3-rc2 prepatch is out, a little later than would have ordinarily been expected. "The diffstat is pretty flat - indicative of mostly small changes spread out. Which is what I like seeing, and we don't always see at this point. There's some file movement (8250-based serial and the arm mx5 -> imx merge), but otherwise really not a lot of excitement. Good." That said, there are quite a few changes in this prepatch; see the short-form changelog in the announcement for details. Thirteen of those changes are reverts for patches that didn't work out.

FOSDEM speaker interviews

Wed, 01/02/2012 - 7:54am

The last set of interviews with FOSDEM speakers has been released. This list includes Juan David Gonzalez Cobas and Javier Serrano (open hardware), Bryan Østergaard (community management), Ben Klang (Adhearsion), Soren Hansen (monitoring), Kristian Høgsberg (Wayland), Anil Madhavapeddy (UNIX I/O), Carl-Daniel Hailfinger (coreboot), and Claire Corgnou (average Jane and Joe).

Security advisories for Tuesday

Wed, 01/02/2012 - 6:35am

CentOS has updated C6: ruby (denial of service), ruby (C5;C4: denial of service/predictable random numbers), C6: t1lib (multiple vulnerabilities), C6: openssl (multiple vulnerabilities), C6: glibc (denial of service), and C4: php (multiple vulnerabilities).

Debian has updated curl (multiple vulnerabilities), php5 (multiple vulnerabilities), and php5 (fixes a regression from the previous update).

Oracle has updated OL6: ruby (denial of service), ruby (OL5; OL4: denial of service/predictable random numbers) and OL4: php (multiple vulnerabilities).

Red Hat has updated RHEL6: ruby (denial of service), RHEL4&5: ruby (denial of service/predictable random numbers), and RHEL4: php (multiple vulnerabilities).

Scientific Linux has updated SL4, SL5: ruby (denial of service/predictable random numbers), SL4: php (multiple vulnerabilities), SL6: ruby (denial of service).

Ubuntu has updated accountsservice (privilege escalation) and software-properties (man-in-the-middle attack).