Odprtokodni pogled

Opensource view


LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 44 min 8 sec ago

Hansen: SKS Keyserver Network Under Attack

Mon, 07/01/2019 - 19:54
GnuPG contributors Robert J. Hansen (rjh) and Daniel Kahn Gillmor (dkg) were victims of a certificate spamming attack over the past week.

This attack exploited a defect in the OpenPGP protocol itself in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.

This attack cannot be mitigated by the SKS keyserver network in any reasonable time period. It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period. Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network.

(Thanks to Kareem Khazem.)

Google's Fuchsia OS Developer Site Debuts (Forbes)

Mon, 07/01/2019 - 16:29
Forbes reports that Google has launched a new website, fuchsia.dev, with documentation and source for Fuchsia OS, including the Zircon microkernel. "Zircon was previously known as Magenta and it was designed to scale to any application from embedded RTOS (Real-Time Operating Systems) to mobile and desktop devices of all kinds. As a result, there has been much speculation that Fuchsia will be the natural successor to Android and Chrome OS, combining capabilities of both with backwards compatibility to run legacy applications built on either. In short, this thing is designed to run on anything from 32-bit or 64-bit ARM cores to 64-bit X86 processors and it has a potential to be rather disruptive."

Security updates for Monday

Mon, 07/01/2019 - 15:48
Security updates have been issued by Debian (expat, golang-go.crypto, gpac, and rdesktop), Fedora (chromium, GraphicsMagick, kernel, kernel-headers, pdns, and xen), openSUSE (chromium, dbus-1, evince, libvirt, postgresql96, tomcat, and wireshark), Oracle (thunderbird and vim), Scientific Linux (thunderbird), Slackware (irssi), SUSE (gvfs), and Ubuntu (linux-lts-xenial, linux-aws, linux-azure and linux-oem, linux-oracle, linux-raspi2, linux-snapdragon).

Mageia 7 released

Mon, 07/01/2019 - 14:52
The Mageia distribution has released version 7. "Mageia 7 comes with a huge variety of desktops and window managers, improved support for Wayland and for hybrid graphics cards. On a more fun note, an effort was made to enhance gaming in Mageia, so there are many new upgrades and additions to the game collection." See the release notes for details.

Kernel prepatch 5.2-rc7

Sun, 06/30/2019 - 22:14
The 5.2-rc7 kernel prepatch is out for testing. "All small and fairly uninteresting. Arch updates, networking, core kernel, filesystems, misc drivers. Nothing stands out - just read the appended shortlog."

FreeDOS turns 25 years old: An origin story (Opensource.com)

Sat, 06/29/2019 - 00:51
Over on Opensource.com, FreeDOS founder Jim Hall writes about the origin of the MS-DOS replacement on the 25th anniversary of FreeDOS. "While I announced the project as PD-DOS (for "public domain," although the abbreviation was meant to mimic IBM's "PC-DOS"), we soon changed the name to Free-DOS and later FreeDOS. I started working on it right away. First, I shared the utilities I had written to expand the DOS command line. Many of them reproduced MS-DOS features, including CLS, DATE, DEL, FIND, HELP, and MORE. Some added new features to DOS that I borrowed from Unix, such as TEE and TRCH (a simple implementation of Unix's tr). I contributed over a dozen FreeDOS utilities. By sharing my utilities, I gave other developers a starting point. And by sharing my source code under the GNU General Public License (GNU GPL), I implicitly allowed others to add new features and fix bugs."

Cook: package hardening asymptote

Sat, 06/29/2019 - 00:43
On his blog, Kees Cook looks at some graphs of package hardening efforts in Ubuntu and Debian, noting that they have nearly completely flattened out over the last few years. He wonders what might be the next hardening feature on the horizon and speculates some on that: "What new compiler feature adoption could be measured? I think there are still a few good candidates… How about enabling -fstack-clash-protection (only in GCC, Clang still hasn’t implemented it). Or how about getting serious and using forward-edge Control Flow Integrity? (Clang has -fsanitize=cfi for general purpose function prototype based enforcement, and GCC has the more limited -fvtable-verify for C++ objects.) Where is backward-edge CFI? (Is everyone waiting for CET?)"

[$] The io.weight I/O-bandwidth controller

Fri, 06/28/2019 - 16:26
Part of the kernel's job is to arbitrate access to the available hardware resources and ensure that every process gets its fair share, with "its fair share" being defined by policies specified by the administrator. One resource that must be managed this way is I/O bandwidth to storage devices; if due care is not taken, an I/O-hungry process can easily saturate a device, starving out others. The kernel has had a few I/O-bandwidth controllers over the years, but the results have never been entirely satisfactory. But there is a new controller on the block that might just get the job done.

Security updates for Friday

Fri, 06/28/2019 - 14:16
Security updates have been issued by Debian (expat and mupdf), Fedora (drupal7-uuid, php-brumann-polyfill-unserialize, and php-typo3-phar-stream-wrapper2), openSUSE (thunderbird), Oracle (thunderbird and vim), SUSE (glibc), and Ubuntu (poppler).

[$] Providing wider access to bpf()

Thu, 06/27/2019 - 15:56
The bpf() system call allows user space to load a BPF program into the kernel for execution, manipulate BPF maps, and carry out a number of other BPF-related functions. BPF programs are verified and sandboxed, but they are still running in a privileged context and, depending on the type of program loaded, are capable of creating various types of mayhem. As a result, most BPF operations, including the loading of almost all types of BPF program, are restricted to processes with the CAP_SYS_ADMIN capability — those running as root, as a general rule. BPF programs are useful in many contexts, though, so there has long been interest in making access to bpf() more widely available. One step in that direction has been posted by Song Liu; it works by adding a novel security-policy mechanism to the kernel.

Stable kernels 4.14.131, 4.9.184, and 4.4.184

Thu, 06/27/2019 - 15:40
Greg Kroah-Hartman has released the 4.14.131, 4.9.184, and 4.4.184 stable kernels. Each contains a single patch that fixes a problem in the TCP SACK panic fixes that was commonly seen by the Steam gaming community.

Security updates for Thursday

Thu, 06/27/2019 - 15:01
Security updates have been issued by Fedora (drupal7-uuid, php-brumann-polyfill-unserialize, and php-typo3-phar-stream-wrapper2), openSUSE (ansible, compat-openssl098, exempi, glib2, gstreamer-0_10-plugins-base, gstreamer-plugins-base, libmediainfo, libssh2_org, SDL2, sqlite3, and wireshark), Oracle (firefox), Red Hat (thunderbird and vim), Scientific Linux (firefox), SUSE (java-1_8_0-ibm), and Ubuntu (bzip2 and expat).

[$] LWN.net Weekly Edition for June 27, 2019

Thu, 06/27/2019 - 01:31
The LWN.net Weekly Edition for June 27, 2019 is available.

[$] An openSUSE foundation proposal

Wed, 06/26/2019 - 20:59
Over the past couple of months, things have been moving fairly swiftly toward the establishment of a separate entity to govern the openSUSE project. The idea is mainly meant to set up an organization that can receive and disburse funds on behalf of the project, rather than as some kind of move away from its parent company, SUSE. Also, while SUSE seems to be in a healthy position with a strong interest in supporting and working on openSUSE, that could change down the road, so a foundation or similar organization seems like the right way to go. At this point, the first draft of the foundation proposal has been posted; it generally has the support of SUSE management, so it is time to see what thoughts the community has.

Security updates for Wednesday

Wed, 06/26/2019 - 15:11
Security updates have been issued by Debian (python3.4), Oracle (firefox), Red Hat (firefox and kernel-alt), SUSE (ImageMagick and SUSE Manager Server 3.2), and Ubuntu (bzip2).

[$] CVE-less vulnerabilities

Tue, 06/25/2019 - 21:49
More bugs in free software are being found these days, which is good for many reasons, but there are some possible downsides to that as well. In addition, projects like OSS-Fuzz are finding lots of bugs in an automated fashion—many of which may be security relevant. The sheer number of bugs being reported is overwhelming many (most?) free-software projects, which simply do not have enough eyeballs to fix, or even triage, many of the reports they receive. A discussion about that is currently playing out on the oss-security mailing list.

GitLab 12.0

Tue, 06/25/2019 - 19:04
GitLab 12.0 has been released. "GitLab gives users the ability to automatically create review apps for each merge request. This allows anyone to see how the design or UX has been changed. In GitLab 12.0, we are expanding the ability to discuss those changes by bringing the ability to insert visual review tools directly into the Review App itself. With a small code snippet, users can enable designers, product managers, and other stakeholders to quickly provide feedback on a merge request without leaving the app." Other features include the ability to easily access a project's Dependency List, restrict access by IP address, and much more.

Three stable kernel updates

Tue, 06/25/2019 - 15:35
Stable kernels 5.1.15, 4.19.56, and 4.14.130 have been released. They all contain important fixes and users should upgrade.

Security updates for Tuesday

Tue, 06/25/2019 - 15:26
Security updates have been issued by CentOS (python), Debian (bzip2, libvirt, python2.7, python3.4, rdesktop, and thunderbird), Fedora (thunderbird and tomcat), openSUSE (aubio, docker, enigmail, GraphicsMagick, and python-Jinja2), SUSE (kernel, libvirt, postgresql96, and tomcat), and Ubuntu (ceph, firefox, imagemagick, libmysofa, linux, linux-hwe, neutron, and policykit-desktop-privileges).

Introducing people.kernel.org

Tue, 06/25/2019 - 15:10
Konstantin Ryabitsev has announced a new public blogging platform for kernel developers. "Ever since the demise of Google+, many developers have expressed a desire to have a service that would provide a way to create and manage content in a format that would be more rich and easier to access than email messages sent to LKML. Today, we would like to introduce people.kernel.org, which is an ActivityPub-enabled federated platform powered by WriteFreely and hosted by very nice and accommodating folks at write.as." (LWN looked at WriteFreely back in March).