| Whats New|
|[2005-02-18] mp3riot version 1.3 released|
|[2004-10-08] mp3riot version 1.2 is out.|
|[2004-04-30] Added section Bridging|
|[2004-01-09] working progress on mp3riot version 1.2|
|X.Org has disclosed a long list of vulnerabilities that have been fixed in
the X Window System client libraries; most of them expose clients to
attacks by a hostile server. "Most of the time X clients & servers
are run by the same user, with the server more privileged from the clients,
so this is not a problem, but there are scenarios in which a privileged
client can be connected to an unprivileged server, for instance, connecting
a setuid X client (such as a screen lock program) to a virtual X server
(such as Xvfb or Xephyr) which the user has modified to return invalid
data, potentially allowing the user to escalate their privileges."There are 30 CVE numbers assigned to these vulnerabilities; expect the
distributor updates to start flowing shortly.
|Numerous security issues in X Window System clients|
|Sarah Sharp reports
on the responseto the availability of a set of Outreach Program for
Women internships working on the Linux kernel. "As coordinator for
the Linux kernel OPW project, I was really worried about whether applicants
would be able to get patches into the kernel. Everyone knows that kernel
maintainers are the pickiest bastards^Wperfectionists about coding style,
getting the proper Signed-off-by, sending plain text email, etc. I thought
a couple applicants would be able to complete maybe one or two patches,
tops. Boy was I wrong!"In the end, 41 applicants submitted 374
patches to the kernel, of which 137 were accepted.
|Sharp: ??Linux Kernel Internships (OPW) Update|
|The Qt Blog introduces
"Boot to Qt", which is "a light-weight UI stack for embedded
linux, based on the Qt Framework - Boot to Qt is built on an Android
kernel/baselayer and offers an elegant means of developing beautiful and
performant embedded devices."Access is invitation-only currently;
a release is forecast for sometime around the end of the year.
|Introducing Boot to Qt|
request-tracker4(eight CVE numbers), and
the kfreebsd kernel(code execution).
Fedorahas updated python-virtualenv(F17, F18:
temporary file and information disclosure vulnerabilities),
krb5(F17, "UDP ping-pong
vulnerability"from 2002), and
nginx(F18: denial of service and
openSUSEhas updated samba(CIFS
share attribute verification failure).
Oraclehas updated kernel(EL5: denial of service).
Red Hathas updated java-1.5.0-ibm(RHEL5-6: 16 "unspecified"vulnerabilities).
|Thursday's security updates|
|The LWN.net Weekly Edition for May 23, 2013 is available.
|[$] LWN.net Weekly Edition for May 23, 2013|
|Google has announcedthat it will be phasing out the file download feature for projects hosted
on Google Code. "Downloads were implemented by Project Hosting on
Google Code to enable open source projects to make their files available
for public download. Unfortunately, downloads have become a source of abuse
with a significant increase in incidents recently. Due to this increasing
misuse of the service and a desire to keep our community safe and secure,
we are deprecating downloads."|
|Google Code to deprecate downloads|
|GigaOM assertsthat Google will be taking over the desktop (regardless of the underlying
operating system) with its Chrome browser. "For many Chrome is just
a browser. For others who use a Chromebox or Chromebook, like myself, it?s
my full-time operating system. The general consensus is that Chrome OS, the
platform used on these devices, can only browse the web and run either
extensions and web apps; something any browser can do. Simply put, the
general consensus is wrong and the signs are everywhere."|
|How Google plans to rule the computing world through Chrome (GigaOM)|
|The Electronic Frontier Foundation has sent out a
releaseabout how the US state of Vermont is going on the offensive
against patent trolls. "Not content to strike back against a single
troll, Vermont is also poised to pass a bill dealing with the problem as a
whole. The Vermont House and Senate recently passed a bill to combat 'bad
faith assertions of patent infringement'. And the latest word
is that Vermont's governor is about to sign it into law."|
|EFF: Vermont Is Mad as Hell at Patent Trolls|
|Designing an enumeration type (i.e. "enum") for a language may seem like a
straightforward exercise, but the recently "completed"discussions over
Python's PEP 435show that it has a few wrinkles. The discussion spanned several long
threads in two mailing lists
(python-ideas, python-devel) going back to Januaryin this particular
iteration, but the
idea is far older than that. Subscribers can click below for the full
article from this week's edition.
|[$] An "enum"for Python 3|
|CentOShas updated kernel(C5:
denial of service).
Fedorahas updated gallery3(F18; F17:
cross-site scripting) and openstack-keystone(F18: multiple
Mandrivahas updated krb5(UDP
ping-pong flaw in kpasswd).
Red Hathas updated kernel(RHEL5:
denial of service).
Scientific Linuxhas updated kernel(SL5: denial of service).
SUSEhas updated java-1_6_0-openjdk(multiple vulnerabilities) and kernel(privilege escalation).
Ubuntuhas updated libtiff(two
|Security updates for Wednesday|
|While it is not an official Debian release, the Debian GNU/Hurd team has announced the release of Debian GNU/Hurd 2013. GNU Hurd is a Unix-style kernel based on the Mach microkernel and Debian GNU/Hurd makes much of the Debian system available atop that kernel.
Debian GNU/Hurd is currently available for the i386 architecture with more than 10.000 software packages available (more than 75% of the Debian archive, and more to come!).
Please make sure to read the configuration information, the FAQ, and the translator primerto get a grasp of the great features of GNU/Hurd.
Due to the very small number of developers, our progress of the project has not been as fast as other successful operating systems, but we believe to have reached a very decent state, even with our limited resources.
|Debian GNU/Hurd 2013 released|
|Local privilege escalations seem to be regularly found in the Linux kernel
these days, but they usually aren't quite so old—more than two years
since the release of 2.6.37—or backported into even earlier kernels.
But CVE-2013-2094is just that kind of bug, with a now-public exploit that apparently dates
back to 2010.
Click below (subscribers only) for LWN's look at this vulnerability.
|[$] An unexpected perf feature|
|Version 1.5.0 of the QEMU hardware emulator is out. "This release
was developed in a little more than 90 days by over 130 unique authors
averaging 20 commits a day. This represents a year-to-year growth of over
38 percent making it the most active release in QEMU history."Some
of the new features include KVM-on-ARM support, a native GTK+ user
interface, and lots of hardware support and performance improvements. See
the change logfor lots of
|QEMU 1.5.0 released|
|Fedorahas updated tomcat(F18; F17:
information disclosure) and krb5(F18: UDP
ping-pong flaw in kpasswd).
openSUSEhas updated tiff(12.2; 12.1: buffer
overflows) and clamav(12.2; 12.1: multiple vulnerabilities).
Red Hathas updated kernel-rt(multiple vulnerabilities) and kernel(RHEL 6.2 EUS; RHEL 6.1 EUS: privilege
Slackwarehas updated kernel(privilege escalation).
|Tuesday's security updates|
|A new kernel tracing tool called "ktap"has made its first release. "KTAP have
different design principles from Linux mainstream dynamic tracing language
in that it's based on bytecode, so it doesn't depend upon GCC, doesn't
require compiling a kernel module, safe to use in production environment,
fulfilling the embedded ecosystem's tracing needs."It's in an
early state; the project is looking for testers and contributors.
|Ktap 0.1 released|