LWN Headlines

Wayland/Weston 1.1 released

The 1.1 release of the Wayland / Weston compositor system is out. New features include backends for the Raspberry Pi system and the Linux fbdev device, a number of performance improvements, a touchscreen calibration feature, a new software development kit, and more.

Tuesday's security advisories

CentOS has updated 389-ds-base (C6: information exposure).

Fedora has updated gsi-openssh (F18; F17: unauthorized account access) and seamonkey (F18; F17: multiple vulnerabilities).

openSUSE has updated opera (multiple vulnerabilities) and subversion (multiple vulnerabilities).

Oracle has updated 389-ds-base (OL6: information exposure).

Red Hat has updated 389-ds-base (RHEL6: information exposure).

Scientific Linux has updated 389-ds-base (SL6: information exposure).

Ubuntu has updated haproxy (code execution) and curl (cookie information disclosure).

Xen becomes a Linux Foundation project

The Linux Foundation has announced that the Xen project has come under the Foundation's "collaborative project" umbrella. "The Xen Project is an open source virtualization platform licensed under the GPLv2 with a similar governance structure to the Linux kernel. Designed from the start for cloud computing, the project has more than a decade of development and is being used by more than 10 million users. As the project experiences contributions from an increasingly diverse group of companies, it is looking to The Linux Foundation to be a neutral forum for providing guidance and facilitating a collaborative network."

Security updates for Monday

Fedora has updated libarchive (F18; F17: denial of service), clamav (F18; F17: unspecified vulnerabilities), drupal7-ctools (F18; F17: access bypass), xen (F18; F17: /usr/libexec/xendomains is not executable), and mod_security (F18; F17: file disclosure, denial of service).

Mandriva has updated poppler (multiple vulnerabilities).

openSUSE has updated flashplayer (11.4: multiple vulnerabilities).

Oracle has updated enterprise kernel (OL6; OL5: multiple vulnerabilities).

Scientific Linux has updated subversion (multiple vulnerabilities).

SUSE has updated flash-player (multiple vulnerabilities) and kernel (multiple vulnerabilities).

Ubuntu 13.04 (Raring Ringtail) Beta 2 released

The second and final Ubuntu 13.04 beta release is available for testers; Kubuntu, Edubuntu, Lubuntu, Xubuntu and Ubuntu Studio versions are also available. And as if that weren't enough: "We also welcome two new flavors, Ubuntu Gnome and UbuntuKylin, which are participating in the Ubuntu release process for the first time this cycle." See the technical overview page for instructions and information on new features.

Friday's security updates

Fedora has updated py-bcrypt (F17, F18; authentication bypass), firefox (F18; multiple vulnerabilities), thunderbird (F18; multiple vulnerabilities), and xulrunner (F18; multiple vulnerabilities).

Mageia has updated bind (multiple vulnerabilities), dhcp (denial of service), firefox (multiple vulnerabilities), libxslt (denial of service), and thunderbird (multiple vulnerabilities).

Mandriva has updated bash (denial of service), clamav (multiple unspecified vulnerabilities), coreutils (multiple vulnerabilities), cronie (information disclosure), cups (unauthorized administrative access), exif (denial of service), fetchmail (multiple vulnerabilities), and libexif (multiple vulnerabilities).

Mandriva has also re-issued several earlier updates to fix incorrectly-assigned advisory IDs: apache-mod_security, arpwatch, and automake. Today's bash update was also issued earlier, at that time incorrectly labeled as MDVSA-2013:019.

openSUSE has updated apache2 (multiple vulnerabilities), dhcp (denial of service), firefox (multiple vulnerabilities), NRPE (code execution), postgresql91 (multiple vulnerabilities), and postgresql92 (multiple vulnerabilities).

Red Hat has updated openstack-glance (information leak), openstack-keystone (multiple vulnerabilities), openstack-nova (multiple vulnerabilities), and puppet (multiple vulnerabilities).

Slackware has updated subversion (multiple denial-of-service vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities) and unity-firefox-extension (multiple vulnerabilities).

Thursday's security updates

Debian has updated libxslt (denial of service), postgresql-8.4 (guessable random numbers), and postgresql-9.1 (multiple vulnerabilities including remote database file corruption).

Mandriva has updated apache (multiple vulnerabilities), apache-mod_security (access rules bypass), arpwatch (insecure privilege dropping), and automake (code execution).

openSUSE has updated bind (12.1: multiple vulnerabilities), ruby (11.4: denial of service), dhcp (12.1, 12.2; 12.3: denial of service), nrpe (code execution), jakarta-commons-httpclient (12.2, 12.3: insecure SSL certificate checking), and jakarta-commons-httpclient3 (12.1: insecure SSL certificate checking).

Oracle has updated firefox (OL5: multiple vulnerabilities).

SUSE has updated rails (multiple vulnerabilities), rubygem-json_pure (code execution), rubygem-extlib (denial of service), rubygem-crack (denial of service), and puppet (SLE11: multiple vulnerabilities).

Ubuntu has updated Oneiric backport kernel (10.04: multiple vulnerabilities), postgresql (multiple vulnerabilities including remote database file corruption), and libav (12.04, 12.10: code execution).

A serious PostgreSQL security fix

The PostgreSQL project has announced the release of versions 9.2.4, 9.1.9, 9.0.13 and 8.4.17 containing a number of security fixes, including this one: "CVE-2013-1899, makes it possible for a connection request containing a database name that begins with '-' to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request." The developers recommend an immediate upgrade.

Update: See also the 2013-04-04 security release FAQ. "This is a good general rule for database security: do not allow port access to the database server from untrusted networks unless it is absolutely necessary. This is as true, or more true, of other database systems as it is of PostgreSQL."

Security Engineering, Second Edition available online

The NoVA Infosec site notes that Ross Anderson's Security Engineering, Second Edition is available online in PDF form. "'Security Engineering: A Guide to Building Dependable Distributed Systems' written by Ross Anderson of the University of Cambridge and published by Wiley has been one of the 'goto' references for teaching security over the past decade. Although more academic than many of the modern-day security books out there, 'Security Engineering' not only covers the basics of security but also some of the intricacies of building secure systems from the ground up." The reviews include one from Bruce Schneier calling it "the best book on the topic there is".

Google's "Blink" rendering engine

Google has announced that it is forking the WebKit rendering engine to make a new project called Blink. "Chromium uses a different multi-process architecture than other WebKit-based browsers, and supporting multiple architectures over the years has led to increasing complexity for both the WebKit and Chromium projects. This has slowed down the collective pace of innovation - so today, we are introducing Blink, a new open source rendering engine based on WebKit."

Security advisories for Wednesday

CentOS has updated xulrunner (C6; C5: multiple vulnerabilities), firefox (C6; C5: multiple vulnerabilities), and thunderbird (C6; C5: multiple vulnerabilities).

Fedora has updated moodle (F18; F17: multiple vulnerabilities), php (F18; F17: multiple vulnerabilities), 389-ds-base (F18: information exposure), mingw-openssl (F18: multiple vulnerabilities), and perl (F17: denial of service).

Mageia has updated php (multiple vulnerabilities), firebird (remote code execution), privoxy (proxy spoofing), and zoneminder (command execution).

openSUSE has updated ruby (denial of service).

Oracle has updated thunderbird (OL6: multiple vulnerabilities) and firefox (OL6: multiple vulnerabilities).

Red Hat has updated kernel (privilege escalation), firefox (multiple vulnerabilities), thunderbird (multiple vulnerabilities), rubygem-actionpack (cross-site scripting), ruby193-rubygem-activerecord (denial of service), jenkins (man-in-the-middle attacks), and ruby193-ruby (multiple vulnerabilities).

Scientific Linux has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities)

Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

Ubuntu has updated kernel (11:10: multiple vulnerabilities).

Mozilla and Samsung building a new browser engine

The Mozilla project has announced a collaboration with Samsung to build "Servo", a next-generation browser rendering engine. "Servo is an attempt to rebuild the Web browser from the ground up on modern hardware, rethinking old assumptions along the way. This means addressing the causes of security vulnerabilities while designing a platform that can fully utilize the performance of tomorrow’s massively parallel hardware to enable new and richer experiences on the Web. To those ends, Servo is written in Rust, a new, safe systems language developed by Mozilla along with a growing community of enthusiasts."

MATE 1.6 released

Version 1.6 of the MATE desktop environment is available. "This release is a giant step forward from the 1.4 release. In this release, we have replaced many deprecated packages and libraries with new technologies available in GLib. We have also added a lot of new features to MATE." See the announcement for a list of those new features.

Baker: Celebrating 15 Years of a Better Web

Mitchell Baker looks back at Mozilla's first 15 years and ponders the years to come as well. "In the coming era both the opportunities and threats to the Web are just as big as they were 15 years ago. As the role of data grows and device capabilities expand, the Internet will become an even more central part of our lives. The need for individuals to have some control over how this works and what we experience is fundamental. Mozilla can — and must — play a key role again. We have the vision, the products and the technology to do this. We know how to enable people to participate, both by contributing to our specific activities and coming up with their own ideas that advance the bigger cause of enriching the Web."

McIntyre: Scanning for assembly code in Free Software packages

On his blog, Steve McIntyre writes about work he has been doing to identify assembly code in Linux packages: In the Linaro Enterprise Group, my task for the last several weeks was to work through a huge number of packages looking for assembly code. Why? So that we could identify code that would need porting to work well on AArch64, the new 64-bit execution state coming to the ARM world Real Soon Now.

Working with some Ubuntu and Fedora developers, we generated a list of packages included in each distribution that seemed to contain assembly code of some sort. Then I worked through that list, checking to see:

  1. if there was actually any assembly there;
  2. if so, what it was for, and
  3. whether it was actually used

That work resulted in a report with his findings.

Subsurface mourns Jan Schubert

The subsurface project mourns the loss of Jan Schubert. "It is with great sadness that we say a final 'Tschüss' to one of our most active and engaging developers. Without Jan, Subsurface would not support the needs of technical divers the way it does today."

Pages