News & Information


07/21/2018 The package networkmanager-vpnc before version 1.2.6-1 is vulnerable to privilege escalation.
07/21/2018 The package apache before version 2.4.34-1 is vulnerable to denial of service.
07/21/2018 CVE-2018-7033 Fix for issue in accounting_storage/mysql plugin by always escaping strings within the slurmdbd.
07/20/2018 Fabian Henneke discovered a cross-site scripting vulnerability in the password change form of GOsa, a web-based LDAP administration program.
07/20/2018 The package znc before version 1.7.1-1 is vulnerable to multiple issues including privilege escalation and directory traversal.
07/20/2018   Linux Journal

News briefs for June 20, 2018.

Vivaldi Technologies has added a new privacy-focused search engine called Qwant to its Vivaldi web browser. Qwant doesn't store cookies or search history. Softpedia News quotes CEO and co-founder of Vivaldi Jon von Tetzchner: "We believe that the Internet can do better. We do not believe in tracking our users or in data profiling." You need version 1.15 of Vivaldi in order to enable Qwant.

Microsoft has made its PowerShell Core available in the Snap Store as a Snap application, OMG Ubuntu reports, allowing "Linux users and admins on various distros to run the latest version of PowerShell securely and safely across desktop, laptop and IoT."

Red Hat Ansible Engine 2.6 is now available. According to the press release, this new version "adds new content for automating across hybrid and multicloud environments, along with simplified connections to network APIs and updates for Ansible deployments overseeing Windows environments". It allows users "to more rapidly expand their infrastructure, without expanding manpower" and focuses on three areas of automation: multicloud, network and Windows.

Google, Microsoft, Twitter and Facebook announced the Open-Source Data Transfer Project to promote universal data portability. Phoronix reports that the initiative "is to enable consumers to transfer data directly from one server to another, without the need for downloading/uploading of the content". See also the Google Open Source blog for more information.

The Apache Software Foundation (ASF) released its annual report last week, which announced that the Foundation received open-source code worth more than $600 million from volunteer project contributors over a 12-month period. According to the post on IT Web, the report also covered one of the biggest crises for the ASF: "the Equifax data breach that affected 143 million consumers in the US and Canada as a result of a vulnerability in Apache Struts".

07/20/2018   Linux Journal

For this article, I'm moving back into the realm of chemistry software—specifically, the General Atomistic Modelling Graphic Interface, or GAMGI. GAMGI provides a very complete set of tools that allows you to design and visualize fairly complex molecules.

GAMGI has the special ability to make creating repeating structures much easier, which is handy when you're trying to create crystalline structures.

GAMGI should be available in the package repositories of most Linux distributions. For example, on Debian-based distros, you can install GAMGI with the following command:

sudo apt-get install gamgi

There are also data and documentation packages (gamgi-data and gamgi-doc), and when you first start to use GAMGI, it's a good idea to install those packages as well.

Once the packages are installed, you can start GAMGI from the command line or from your desktop environment's menu system. When it starts up, you get a blank canvas to begin your work.

Figure 1. When you start GAMGI, you get a minimal set of tools to help begin your project.

This interface is probably one of the more minimal ones of the chemistry packages that you are likely to use, but it hides all of the functionality that is present within GAMGI. It is object-oriented, in that all of the main elements are treated as independent objects, with properties and relationships to other objects. These elements include atoms, bonds, molecules and crystal planes. Each of them is built up from a number of the earlier ones. One extra piece that GAMGI has is the ability to work with orbitals. Let's walk through an example of a salt crystal (NaCl) to show how you can use GAMGI to do graphical analysis.

When looking at a crystalline structure, you'll want to start by creating a cell in the window. You do this by clicking the Cell→Create menu item. Then you'll get a pop-up window where you can set several properties of the new cell.

Figure 2. When you create a new cell for crystal structures, you can set several different properties on how it will be constructed.

Since salt is a cubic crystal, you'll want to set the system value to c (for cubic), and set the lattice value to F (for face-centered). For each of these, you can get a full set of allowed values by clicking the associated "List" button. Clicking Ok creates the cell.

07/20/2018 The dns-root-data update to 2017072601~deb8u2 broke dnsmasq's init script, making dnsmasq no longer start when dns-root-data was installed.
07/19/2018 The linux-base package has been updated to support the package of Linux 4.9 that was recently added to Debian 8. This resolves a dependency that was not satisfiable by the jessie and jessie-security suites.
07/19/2018 CVE-2015-1239 Fix for denial of service (process crash) via a crafted PDF.
07/19/2018 Update to 0.26.5 (CVE-2018-10887, CVE-2018-10888)
07/19/2018 This release fixes a directory and symbolic link traversal vulnerability in the Archive::Zip::Archive Perl module that allows an attacker to write into an arbitrary file accessible by a local user.
07/19/2018 - Fix Side Channel Based ECDSA Key Extraction (CVE-2018-12437) (PR #408) - Fix potential stack overflow when DER flexi-decoding (CVE-2018-0739) (PR #373) - Fix two-key 3DES (PR #390) - Fix accelerated CTR mode (PR #359) - Fix Fortuna PRNG (PR #363) - Fix compilation on platforms where cc doesn't point to gcc (PR #382) - Fix using the wrong environment variable LT instead of LIBTOOL (PR #392) - Fix [More...]
07/19/2018 Fix heap memory corruption, CVE-2017-17833
07/19/2018   Linux Journal

News briefs for July 19, 2018.

System76 has moved into its new manufacturing facility in Denver, Colorado. The company will begin making computers in the US, rather than just assembling them. See the System76 blog post for photos of the new digs.

Ubuntu 17.10 "Artful Aardvark" has reached end of life today, so there will be no more security updates for that version. If you're running Ubuntu 17.10, you need to upgrade to 18.04 now. See the post on It's FOSS for more information and instructions on how to upgrade.

Google has rebranded its Cloud Launcher platform, and it now will be called the Google Cloud Platform Marketplace (or GCP Marketplace). LinuxInsider reports that "it will offer production-ready commercial Kubernetes apps, promising simplified deployment, billing and third-party licensing."

Single-player survival game Stranded Deep is now available for Linux, GamingOnLinux reports, although users were reporting a few issues earlier this week. Stranded Deep is available on Steam.

Cutelyst, a C++ web framework based on Qt, has a new release. The update includes several bug fixes and fixes for some build issues with buildroot. See Dantti's Blog for all the details. Cutelyst is available on GitHub.

07/19/2018   Linux Journal

Dietmar Eggemann posted a patch from Quentin Perret to take advantage of energy-efficient CPUs on asymmetric multiprocessor (AMP) systems. AMP is distinguished from SMP (symmetric multiprocessor) systems in that an SMP system uses several instances of only one type of CPU, while an AMP system might use CPUs of differing speeds, feature-sets and so on.

Quentin's patch was an effort to take advantage of differences in power consumption between the CPUs on an AMP system. It attempted to identify the most efficient CPU that was not already saturated with processes and assign newly awakened processes to it. If no CPUs fit the bill, standard SMP-type methods of processor assignment would be used instead.

Dietmar explained, "The selection of the most energy-efficient CPU for a task is achieved by estimating the impact on system-level active energy resulting from the placement of the task on each candidate CPU. The best CPU energy-wise is then selected if it saves a large enough amount of energy with respect to prev_cpu."

He acknowledged that this algorithm was a brute-force approach that could work well only on systems with a relatively small number of CPUs. He said, "This patch is an attempt to do something useful, as writing a fast heuristic that performs reasonably well on a broad spectrum of architectures isn't an easy task."

Patrick Bellasi and Joel Fernandes had no serious objections to the patch and offered some technical suggestions. The discussion delved into various technical issues and specific ways of addressing them, with no one raising any controversial issues.

This is the type of situation with a patch where it might look like a lack of opposition could let it sail into the kernel tree, but really, it just hasn't been thoroughly examined by Linux bigwigs yet. Once the various contributors have gotten the patch as good as they can get it without deeper feedback, they'll probably send it up the ladder for inclusion in the main source tree. At that point, the security folks will jump all over it, looking for ways that a malicious user might force processes all onto only one particular CPU (essentially mounting a denial-of-service attack) or some such thing. Even if the patch survives that scrutiny, one of the other big-time kernel people, or even Linus Torvalds, could reject the patch on the grounds that it should represent a solution for large-scale systems as well as small.

07/18/2018   Linux Journal

News briefs for July 18, 2018.

Google is being fined $5 billion USD for Android antitrust violations, The Verge reports. The EU Commission claims Google has abused Android dominance in three ways: "Google has been bundling its search engine and Chrome apps into the operating system. Google has also allegedly blocked phone makers from creating devices that run forked versions of Android, and 'made payments to certain large manufacturers and mobile network operators' to exclusively bundle the Google Search app on handsets." It has 90 days to bring its "illegal conduct to an end in an effective manner". Google plans to appeal this decision.

Qt Creator version 4.7.0 is now available. The release announcement notes that with this release, the Clang code model now is on by default to keep up with developments in C++. In addition, "the Clang code model provides much better information about issues in code without going through the edit-compile-analyze cycle explicitly." You can download the open-source version here.

ownCloud's new version 10.0.9 includes an improved password policy, S3 Object Storage integration and a pending shares feature. According to the ownCloud press release, this new version increases security as "password policies can now be defined for all users, and a password history prevents previously used passwords from being set and the ability to accept or reject pending shares of received files provides additional control and security." You can download ownCloud here and its corresponding apps here.

Netgate announces that pfSense Gold will be free with the 2.4.4 release, including all services previously offered under the pfSense Gold subscription, such as the pfSense Book and monthly online Hangouts (video conferences). In addition, AutoConfigBackup (ACB) also will be free and will conform to GDPR best practices. The 2.4.4 release is planned for September 2018.

Kobol is relaunching Helios4 via its own funding campaign. The open-spec NAS SBC and fanned system "runs Debian on a Marvell Armada 388 SoC with 2GB ECC RAM and offers 1x GbE, 2x USB 3.0, and 4x SATA 3.0 ports for up to 48TB". According to the Linux Gizmos post, "So far, the Full Kit is half funded while the Basic Kit has drawn little interest. Kobol says that it will refund the money if the campaign doesn't reach its 500-unit goal by Aug. 5. Shipments are due in October."

07/18/2018   Linux Journal

Learn why at rest encryption doesn't mean encryption when your laptop is asleep.

There are many steps you can take to harden a computer, and a common recommendation you'll see in hardening guides is to enable disk encryption. Disk encryption also often is referred to as "at rest encryption", especially in security compliance guides, and many compliance regimes, such as PCI, mandate the use of at rest encryption. This term refers to the fact that data is encrypted "at rest" or when the disk is unmounted and not in use. At rest encryption can be an important part of system-hardening, yet many administrators who enable it, whether on workstations or servers, may end up with a false sense of security if they don't understand not only what disk encryption protects you from, but also, and more important, what it doesn't.

What Disk Encryption Does

In the context of Linux servers and workstations, disk encryption generally means you are using a system such as LUKS to encrypt either the entire root partition or only a particularly sensitive mountpoint. For instance, some Linux distributions offer the option of leaving the root partition unencrypted, and they encrypt each user's /home directories independently, to be unlocked when the user logs in. In the case of servers, you might leave root unencrypted and add encryption only to specific disks that contain sensitive data (like database files).

In a workstation, you notice when a system is encrypted at rest because it will prompt you for a passphrase to unlock the disk at boot time. Servers typically are a bit trickier, because usually administrators prefer that a server come back up after a reboot without manual intervention. Although some servers may provide a console-based prompt to unlock the disk at boot time, administrators are more likely to have configured LUKS so that the key resides on a separate unencrypted partition. Or, the server may retrieve the key from the network using their configuration management or a centralized secrets management tool like Vault, so there is less of a risk of the key being stolen by an attacker with access to the filesystem.

The main thing that at rest encryption protects you from is data loss due to theft or improper decommissioning of hard drives. If someone steals your laptop while it's powered off, your data will be protected. If someone goes into a data center and physically removes drives from a server with at rest encryption in place, the drives will spin down, and the data on them will be encrypted. The same goes for disks in a server that has been retired. Administrators are supposed to perform secure wiping or full disk destruction procedures to remove sensitive data from drives before disposal, but if the administrator was lazy, disk encryption can help ensure that the data is still protected if it gets into the wrong hands.

07/17/2018   Linux Journal

Open source software has been around for a long time. But calling it open source only began in 1998. Here's some history:

Christine Peterson came up with the term "open source software" in 1997 and (as she reports at that link) a collection of like-minded geeks decided on February 3, 1998 to get behind it in a big way. Eric S. Raymond became the lead evangelist when he published Goodbye, "free software"; hello, "open source" on February 8th. Bruce Perens led creating the Open Source Initiative later that month. Here at Linux Journal, we were all over it from the start as well. (Here's one example.)

"Open source" took off so rapidly that O'Reilly started OSCON the next year, making this year's OSCON, happening now, the 19th one. (FWIW, at the 2005 OSCON, O'Reilly and Google together gave me an award for "Best Communicator" on the topic. I was at least among the most enthusiastic.)

Google's Ngram Viewer, which searches through all scanned books from 1800 to 2008, shows (see above) that use of "open source" hockey-sticked quickly. Today on Google, "open source" gets 116 million results.

But interest has been trailing off, as we see from Google Trends, which follows "interest over time." Here's how that looks since 2004:

07/17/2018   Linux Journal

News briefs for July 17, 2018.

IBM has a new container called Nabla designed for security first, ZDNet reports. IBM claims it's "more secure than Docker or other containers by cutting operating system calls to the bare minimum and thereby reducing its attack surface as small as possible". See also this article for more information on Nabla and this article on how to get started running the containers.

Humble Bundle is offering a "Linux Geek Bundle" of ebooks from No Starch Press for $1 (or more—your choice) right now, in connection with It's FOSS. The Linux Geek bundle's books are worth $571 and are available in PDF, ePUB and MOBI format, and are DRM-free. Part of the purchase price will be donated to the EFF. See the It's FOSS post for the list of titles and more info.

More information on the upcoming Atari VCS console due to launch next year has been released in a Q&A on Medium with Rob Wyatt, System Architect for the Atari VCS project. Rob provides more details on the hardware specs: "The VCS hardware will be powered by an AMD Bristol Ridge family APU with Radeon R7 graphics and is now going to get 8 gigabytes of unified memory. This is a huge upgrade from what was originally specified and unlike other consoles it's all available, we won't reserve 25% of hardware resources for system use." In addition, the Q&A covers the Atari VCS "open platform" and "Sandbox", compatible controllers and more.

Google's Chrome OS team is working on redesigning its Files app for Chromebooks "with a new 'My Files' section that promises to help you better organize your local files, including those from any Android and Linux apps you might have installed." See the Softpedia News post for more information on this redesigned app for Android and Linux files and how to test it via the Chrome OS Canary experimental channel.

Catfish 1.4.6 has been released, and it has now officially joined the Xfce family. According to the announcement, it's "lightweight, fast, and a perfect companion to the Thunar file manager. With the transition from Launchpad to Xfce, things have moved around a bit. Update your bookmarks accordingly!" Other new features include an improved thumbnailer, translation updates and several bug fixes. New releases of Catfish now can be found at the Xfce release archive.

07/17/2018   Linux Journal

Google's Project Fi is a great cell-phone service, but the data-only SIMs make it incredible for network projects!

I have a lot of cell phones. I have iPhones (old and new), Android phones (old, new, very old and funny-shaped), and I have a few legacy phones that aren't either Android or iPhone. Remember Maemo? Yeah, and I still have one of those old Nokia phones somewhere too. Admittedly, part of the reason I have such a collection is that I tend to hoard nostalgic technology, but part of it is practical too.

I've used phones as IP cameras for BirdTopia (my recorded and streamed bird-feeder collection). I've created WiFi-only audiobook devices that I use when I'm out and about. I've used old phones as SONOS remotes, Plex players, Chromecast initiators and countless other tasks that tiny little computers are perfect for doing. One of the frustrating things about using old cell phones for projects like that though is they only have WiFi access, because adding multiple devices to a cell plan becomes expensive quickly. That's not the case anymore, however, thanks to Google's Project Fi.

Most people love Project Fi because of the tower-hopping features or because of the fair pricing. I like those features too, but the real bonus for me is the "data only" SIM option. Like most people, I rarely make phone calls anymore, and there are so many chat apps, texting isn't very important either. With most cell-phone plans, there's an "access" fee per line. With Project Fi, additional devices don't cost anything more! (But, more about that later.) The Project Fi experience is worth investigating.

What's the Deal?

Project Fi is a play on the term "WiFi" and is pronounced "Project Fye", as opposed to "Project Fee", which is what I called it at first. Several features set Project Fi apart from other cell-phone plans.

First, Project Fi uses towers from three carriers: T-Mobile, US Cellular and Sprint. When using supported hardware, Project Fi constantly monitors signal strength and seamlessly transitions between the various towers. Depending on where you live, this can mean constant access to the fastest network or a better chance of having any coverage at all. (I'm in the latter group, as I live in a rural area.)

The second standout feature of Project Fi is the pricing model. Every phone pays a $20/month fee for unlimited calls and texts. On top of that, all phones and devices share a data pool that costs $10/GB. The data cost isn't remarkably low, but Google handles it very well. I recently discovered that it's not billed in full $10 increments (Figure 1). If you use 10.01GB of data, you pay $10.01, not $20.

07/16/2018   Linux Journal

News briefs for July 16, 2018.

Debian "stretch" has a new update, 9.5, the fifth update of the Debian 9 stable release. This version addresses several security issues and other problems. You can upgrade your current installation from one of Debian's HTTP mirrors.

Red Hat announced that 14 additional companies have adopted the GPL Cooperation Commitment, which means that "more than 39 percent of corporate contributions to the Linux kernel, including six of the top 10 contributors" are now represented. According to the Red Hat press release, these commitments "reflect the belief that responsible compliance in open source licensing is important and that license enforcement in the open source ecosystem operates by different norms." Companies joining the growing movement include Amazon, Arm, Canonical, GitLab, Intel Corporation, Liferay, Linaro, MariaDB, NEC, Pivotal, Royal Philips, SAS, Toyota and VMware.

The Linux Audio Conference announced that all videos from the 2018 conference in Berlin are now available. You can find the links here.

Latte Dock v0.8 is now available. New features include multiple simultaneous layouts, a smart dynamic background, unified global shortcuts for applets and tasks, and much more. Latte v0.8 is compatible with Plasma >= 5.12, KDE Frameworks >= 5.38, Qt >= 5.9. You can download it from here.

Ubuntu has improved the user interface of its Snap Store website. It's FOSS reports that the updates make "it more useful for the users by adding developer verification, categories, improved search".

07/16/2018   Virtualization
SOLUTION ANALYSIS: Workspot’s cloud-native VDI broker deploys cloud desktops, apps and GPU workstations on Microsoft Azure in one day and simplifies VDI management with its single pane-of-glass approach.
07/10/2018   InfoWorld Linux
In today’s Linux tip, we look at the find command – a tool that will prove very useful when you’re trying to locate a file or set of files based on almost any criteria.
06/28/2018   Virtualization
VMware is continuing to add new services to its portfolio that help organizations manage and deploy containers with the Kubernetes container orchestration platform.
06/27/2018   Virtualization
The second major release of Kubernetes in 2018 brings new dynamic kubelet management capabilities, as well as general availability for the IPVS load balancing feature.