News & Information       http://info.owt.com

Linux

10/22/2018   LinuxSecurity.com
LinuxSecurity.com: Paramiko could allow unintended access to network services.
10/22/2018   LinuxSecurity.com
LinuxSecurity.com: Net-SNMP could be made to crash if it received specially crafted network traffic.
10/22/2018   LinuxSecurity.com
LinuxSecurity.com: libssh could allow unintended access to network services.
10/22/2018   LinuxSecurity.com
LinuxSecurity.com: Requests could be made to expose sensitive information if it received a specially crafted HTTP header.
10/22/2018   LinuxSecurity.com
LinuxSecurity.com: Upstream details at: https://access.redhat.com/errata/RHSA-2018:2942
10/22/2018   LinuxSecurity.com
LinuxSecurity.com: An update that fixes 17 vulnerabilities is now available.
10/22/2018   LinuxSecurity.com
LinuxSecurity.com: Upstream details at: https://access.redhat.com/errata/RHSA-2018:2943
10/22/2018   LinuxSecurity.com
LinuxSecurity.com: This is a follow-up update for the recently discovered -dSAFER issues reported by Tavis Ormandy. Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an
10/22/2018   Linux Journal

News briefs for October 22, 2018.

Greg Kroah-Hartman released Linux kernel 4.19 this morning and handed the kernel tree back to Linus, writing "You can have the joy of dealing with the merge window."

Linus Torvalds "is meeting with Linux's top 40 or so developers at the Maintainers' Summit", at the Open Source Summit Europe in Edinburgh, Scotland, ZDNet reports. He isn't scheduled to speak, but "this is his first step back in taking over Linux's reins."

Linspire 8.0 RC1 was released over the weekend. The stable release is expected in December (don't use this release in production environments), and RC2, which should be more feature-complete, is expected in November. Among other changes, in this version, iMac Pro support has been improved and Oracle Java is now in the repositories. It uses the MATE 1.20.1 desktop, kernel 4.15 and Chrome 69.

IPFire 2.21 - Core Update 124 is out, and according to the release announcement, it "brings new features and immensely improves security and performance of the whole system". It's now available on AWS EC2, is updated to kernel version 4.14.72 and the security of its SSH daemon has been improved, among other new features.

A recently discovered Apache vulnerability could affect thousands of applications. Dark Reading reports that the issue is with "the way that thousands of code projects are using Apache .htaccess, leaving them vulnerable to unauthorized access and a subsequent file upload attack in which auto-executing code is uploaded to an application."

10/22/2018   Linux Journal

Can "by hackers, for hackers" sell laptops? System76 sold an Oryx Pro to Rob, and he's here to tell you about it.

I should start by saying that although I'm definitely no newbie to Linux, I'm new to the world of dedicated Linux laptops. I started with Linux in 1996, when Red Hat 4.0 had just adopted the 2.0 kernel and Debian 1.3 hadn't yet been released. I've run a variety of distros with varying degrees of satisfaction ever since, always looking for the Holy Grail of a desktop UNIX that just plain worked.

About 15 years ago after becoming frustrated with the state of Linux on laptop hardware (in a phrase, "nonexistent hardware support"), I switched my laptops over to Macs and didn't look back. It was a true-blue UNIX that just plain worked, and I was happy. But I increasingly found myself frustrated by things I expected from Linux that weren't available on macOS, and which things like Homebrew and MacPorts and Fink could only partly address.

My last MacBook Pro is now four years old, so it was time to shop around again. After being underwhelmed by this generation of MacBooks, I decided to take the risk on a Linux laptop again.

Oh my, an awful lot has changed in 15 years!

System76

System76 is a Denver-based firm with a "by hackers, for hackers" ethos. It's not the first outfit to have tried to deliver on this promise, nor will it be the last. It follows in a long line pioneered by Red Hat and VA Research, and it will continue in the future with businesses yet to be founded. At this moment in history though, System76 seems to be doing a pretty good job of maintaining that standard.

Inquiries

My initial contact with System76 came by visiting the website and requesting a quote for one of its third-generation Oryx Pro models. The sales staff were responsive, polite and didn't seem to have their personalities obliterated into uniform perfection like the Stepford Salesforce of Lenovo or Dell. I also never caught a whiff of a hard sell from any of them. On three occasions just before being able to put down my hard-earned dinero on an Oryx Pro, my life went sideways, and my laptop fund went to pay for strange emergencies that arose out of nowhere, but the System76 sales staff were cheerfully uncaring about this. The impression I got was they believed they knew they were going to miss a sale right then, but whether they missed it forever depended on how they behaved in that instant. It's an enlightened view from which more vendors could stand to learn.

10/20/2018   LinuxSecurity.com
LinuxSecurity.com: A vulnerability has been discovered in exiv2 (CVE-2018-16336), a C++ library and a command line utility to manage image metadata, resulting in remote denial of service (heap-based buffer over-read/overflow) via
10/20/2018   LinuxSecurity.com
LinuxSecurity.com: Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted bmp file (CVE-2016-5319). In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function
10/20/2018   Linux Journal
Tor and Tails

Tails is a live media Linux distro designed to boot into a highly secure desktop environment. Tor is a browser that prevents somebody watching your internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

Learn why anonymity matters and how you can protect yourself with this Linux Journal Weekend Reading.

Tor Hidden Services

Why should clients get all the privacy? Give your servers some privacy too!

Tails above the Rest: the Installation

How to get and validate the Tails distribution and install it. We will follow up with what Tails can and can't do to protect your privacy, and how to use Tails in a way that minimizes your risk. Then we will finish with some more advanced features of Tails, including the use of a persistent volume (with this feature, depending on your needs, you could conceivably use Tails as your main Linux distribution).

Tails above the Rest, Part II

Now that you have Tails installed, let's start using it. Read on to find out how to get started.

Tails above the Rest, Part III

In the first two parts of this series, we gave an overview of Tails, including how to get the distribution securely, and once you have it, how to use some of the basic tools. Here, we cover some of the more advanced features of Tails, such as some of its log-in options, its suite of encryption tools and the persistent disk.

Tor Security for Android and Desktop Linux

The Tor Project presents an effective countermeasure against hostile and disingenuous carriers and ISPs that, on a properly rooted and capable Android device or Linux system, can force all network traffic through Tor encrypted entry points (guard nodes) with custom rules for iptables. This action renders all device network activity opaque to the upstream carrier—barring exceptional intervention, all efforts to track a user are afterwards futile.

A Bundle of Tor

The best way to set up Tor on your personal machine.

Dolphins in the NSA Dragnet

10/19/2018   InfoWorld Linux

Canonical's Ubuntu distribution for Linux has earned a reputation for being user-friendly, with editions aimed at desktop, server, cloud, and IoT users. This changelog tracks updates to Ubuntu across its release cycle, including its LTS (long term support) releases.

10/19/2018   LinuxSecurity.com
LinuxSecurity.com: Updated ghostscript packages fix many bugs and security vulnerabilities: Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961) Saved execution stacks can leak operator arrays. (CVE-2018-18073)
10/19/2018   LinuxSecurity.com
LinuxSecurity.com: The updated clamav packages fix a security vulnerability: Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition on an affected device (CVE-2018-15378).
10/19/2018   Linux Journal

Linux isn't a story anymore.

That's a good thing, but not an interesting one. Let me explain.

Journalism's main product is the story. In newsrooms, the three words uttered most often by editors to reporters are "What's the story?"

As I was taught by an editor long ago—and as I have found to be true constantly ever since—all stories are about three things:

  1. A character. Usually human, but not always. Could be a cause. A sports team. A political party. Could be good, or bad, or neither. All that matters is that the character is interesting. You can also have more than one, but a single one is better.
  2. A problem or conflict. A situation that challenges the character, or characters, further defining them and making them more interesting. Problems and conflict keep people interested, so they keep reading, watching, listening, turning pages, talking to others about it, and "move the narrative along" (as the news watchers like to say).
  3. Movement toward resolution. Doesn't matter if the end never arrives. Hell, look at soap operas. You just have to keep the story moving in the direction of conclusion. Newsroom aphorism: "No story ever starts with 'Happily ever after'." Another: "If your team is up forty points with five minutes left, your new story is about how you get out of the parking lot ahead of traffic."

All three of those are why Linux isn't much of a story any more, even though it's bigger in the world than it has ever been.

Linux had character when it was easy to cast as an underdog operating system, and the problem was beating Windows. Linus Torvalds, the father of Linux, did his best not to be interesting, but his fans made him interesting anyway:

Us included. The above is from a slide show that was featured in a story I wrote back in 2002 that's off-web at the moment, but also beside the point, which is that Linus and his penguins were characters in stories that were interesting at the time and aren't anymore.

That's because Linux has achieved the world domination it longed for in the early years.

Yes, Linus as a character got interesting for a few minutes last month (top results in a Google News search for "Linus Torvalds" range from 22 to 29 days old), but that story is too stale to be interesting now, even though the issues around it still matter.

10/19/2018   Linux Journal

News briefs for October 19, 2018.

Two new openSUSE Tumbleweed snapshots provide KDE users with a newer version of Applications 18.08.2, and all Tumbleweed users can update to kernel 4.18.13. Last week's snapshots included newer versions of KDE's Plasma 5.14 and Frameworks 5.50.0. For more info on the recent updates, visit opensuse.org.

Nominations are open for 2019 Red Hat Women in Open Source Awards. This is the fifth year of the awards that "were created and are sponsored by Red Hat to honor women who make important contributions to open source projects and communities, or those making innovative use of open source methodology". Nominations are being accepted until November 12, 2018. See the 2019 Women in Open Source Award Page for further details.

OpenSSH 7.9 was released today. It's available from the mirrors here.

ZDNet reports that some VestaCP servers were compromised by a new malware strain called Linux/ChachaDDOS. The unknown attacker "contaminated the project's source code with malware that logs passwords, open shells, and can launch DDoS attacks." Evidently the malicious code was added to the official GitHub repository on May 31 and removed June 13. See the ESET report for more information.

A new release of Kraft, "the Qt- and KDE based software to help to organize business docs in small companies", is now available. Version 0.82 reworks the calculation dialog used for template calculations, and sending documents via email has been improved. See the Changelog for more details.

10/19/2018   Linux Journal

In part II of this series of articles on doing date math from the command line, we try to solve a problem we noted in part I: passing the date command a date specification such as "the first Monday after some date".

10/18/2018   Linux Journal

News briefs for October 18, 2018.

Ubuntu 18.10 "Cosmic Cuttlefish" is expected to be released today. According to Phoronix, the biggest change for users will be the revised default theme for the GNOME Shell experience, now known as "Yaru". Ubuntu 18.10 will also have the Linux 4.18 kernel, "which means better hardware support, various performance improvements, and other optimizations compared to Ubuntu 18.04's Linux 4.15".

Arm launches the IoT-focused Mbed Linux OS and also extends Pelion IoT Platform services. According to Linux.com, Mbed Linux "combines the Linux kernel with tools and recipes from the Intel-backed Yocto Project. The distro also integrates security and IoT connectivity code from its open source Mbed RTOS". In addition, the Pelion IoT Platform "will align with Intel's Secure Device Onboard (SDO) provisioning technology to make it easier for IoT vendors and customers to onboard both x86 and Arm-based devices using a common Pelion platform. Arm also announced Pelion related partnerships with myDevices and Arduino."

GitHub updated its platform this week, which included many developer-centric changes and security features, but the most notable change is the "expansion of the Security Alerts feature, which also now supports Java and .NET projects, on top of the original JavaScript, Ruby and Python", ZDNet reports.

MongoDB recently announced it will be released under the new Server Side Public License: "The SSPL clarifies the conditions for making MongoDB publicly available as a service, to ensure we can continue to invest in building MongoDB for our users rather than in costly litigation over enforcing the AGPL. All subsequent versions and patch releases to prior versions of MongoDB made after October 16th, 2018 will be issued under the new SSPL."

Google plans to charge smartphone makers to pre-install apps like Gmail and YouTube on Android handsets sold in Europe. The Verge quotes Android leader Hiroshi Lockheimer, "Since the pre-installation of Google Search and Chrome together with our other apps helped us fund the development and free distribution of Android, we will introduce a new paid licensing agreement for smartphones and tablets shipped into the [European Economic Area]."

10/18/2018   Linux Journal

Excerpt from Forge Your Future with Open Source by VM (Vicky) Brasseur, Copyright © 2018 The Pragmatic Programmers LLC. Reproduced with the permission of the publisher.

Even new programmers can provide a lot of value with their code reviews. You don't have to be a Rockstar Ninja 10x Unicorn Diva programmer with years and years of experience to have valuable insights. In fact, you don't even have to be a programmer at all. You just have to be knowledgeable enough to spot patterns. While you won't be able to do a complete review without programming knowledge, you may still spot things that could use some work or clarification.

If you're not a Rockstar Ninja 10x Unicorn Diva programmer, not only is your code review feedback still valuable, but you can also learn a great deal in the process: Code layout, programming style, domain knowledge, best practices, neat little programming tricks you'd not have seen otherwise, and sometimes antipatterns (or "how not to do things"). So don't let the fact that you're unfamiliar with the code, the project, or the language hold you back from reviewing code contributions. Give it a go and see what there is to learn and discover.

"But," you may wail, "how is that even possible?! I don't know how to program very well! How could I ever do anything valuable on a code review?" Calm yourself, friend. You have a lot to offer here. Earlier I mentioned pattern-spotting, and that's a good place to start. If the contribution you're reviewing looks a lot more complicated than everything around it, you've just spotted a potential problem. Does the code use different indentations or variable naming than elsewhere in the file? That's another potential problem. Is the code contribution really long, when everything else in the file is much shorter? That could be a sign something is wrong. You don't have to be that Rockstar Ninja 10x Unicorn Diva programmer to spot these things; you only have to be familiar with programming and—most importantly—you only have to be looking at the code.

Do be careful as you start code review for a project with which you're not very familiar. Some projects would rather not receive reviews from people who aren't yet skilled in the code in question, as those reviews often can contain errors or inconsistencies with how the project typically operates. Inexperienced reviewers also can confuse inexperienced contributors, who might not know that the person providing feedback to them is not very familiar with the code or the project. Always check the CONTRIBUTING file or ask a core contributor before you start reviewing code contributions, rather than risk stepping on toes or providing feedback when none is wanted.

10/17/2018   Linux Journal

News briefs for October 17, 2018.

elementary OS Juno is now available. This new major version sports a ton of updates and improvements with three major goals: 1) "provide a more refined user experience"; 2) "improve productivity for new and seasoned users alike"; and 3) "take our developer platform to the next level".

The KDE Project yesterday announced the first point release of the KDE Plasma 5.14 desktop series. Plasma 5.14.1 adds new translations and some important bugfixes. See the changelog for further details.

Chrome 70 is now available. This release removes the controversial change from the last version, and now allows users to stop the browser from automatically signing in to their Google accounts after logging in to one of its apps, The Verge reports. You still need to opt-out and specifically change this setting, however. Other changes include support for progressive web apps on Windows. See the "New in Chrome 70" post for more information on this release.

Docker has raised $92 million in new funding. According to TechCrunch, "the new funding is a signal that while Docker may have lost its race with Google's Kubernetes over whose toolkit would be the most widely adopted, the San Francisco-based company has become the champion for businesses that want to move to the modern hybrid application development and information technology operations model of programming."

Mozilla has created badges for Firefox users who want to show their support. You can grab the code for the badges here. Mozilla notes that the "images are hosted on a Mozilla CDN for convenience and performance only. We do no tracking of traffic to the CDN".

10/17/2018   Linux Journal

Various efforts always are underway to implement Secure Boot and to add features that will allow vendors to lock users out of controlling their own systems. In that scenario, users would look helplessly on while their systems refused to boot any kernels but those controlled by the vendors.

The vendors' motivation is clear—if they control the kernel, they can then stream media on that computer without risking copyright infringement by the user. If the vendor doesn't control the system, the user might always have some secret piece of software ready to catch and store any streamed media that could then be shared with others who would not pay the media company for the privilege.

Recently, Chen Yu and other developers tried to submit patches to enhance Secure Boot so that when the user hibernated the system, the kernel itself would encrypt its running image. This would appear to be completely unnecessary, since as Pavel Machek pointed out, there is already uswsusp (userspace software suspend), which encrypts the running image before suspending the system. As Pavel said, the only difference was that uswsusp ran in userspace and not kernel space.

Perhaps in an effort to draw Chen into admitting the deeper motives behind the patch submission, Pavel asked Chen to elucidate exactly what security hole his patches addressed and how they would deal with them. Pavel would ask that question over and over again before the end of the discussion, and he would not receive an answer.

Chen offered a variety of justifications for the patch, including letting users do less work, but none of them answered the fundamental question: why was this patch needed as a security enhancement in the first place? And eventually, Pavel called it like he saw it. He said, "Purpose here is to prevent the user from reading/modifying kernel memory content on machine he owns. Strange as it may sound, that is what 'secure' boot requires (and what Disney wants)."

The discussion ended inconclusively, but not utterly. It's clear that Pavel, and a group of core kernel developers including Linus Torvalds, will continue to guard against allowing vendors to control user systems. This seems to be one of the fundamental values of the Linux kernel—to prevent the reemergence of the kind of situation we had in the 1980s, where vendors had ultimate control over virtually all software, while users were at the mercy of business decisions they didn't agree with but could do nothing about.

Note: if you're mentioned above and want to post a response above the comment section, send a message with your response text to ljeditor@linuxjournal.com.

10/10/2018   Virtualization
eWEEK DATA POINTS: HCI offers a compelling solution for complex IT environments, and enterprises that were early adopters of the technology have taken its potential to the bank.
10/03/2018   Virtualization
Flash storage pioneer, which has seen hard times, has fine-tuned its strategy and is going only after what it calls the “extreme-performance” storage market. It also has a new hot-shot flash array to talk about.
10/01/2018   InfoWorld Linux

Built with ambitions of powering the WebAssembly world, an embeddable runtime for the WebAssembly (aka Wasm) binary format is in development, called Wasmjit.

Still a proof of concept, Wasmjit is targeted as a Linux kernel module to host Emscripten-generated WebAssembly modules. Developer Rian Hunter, who previously built the Linux client for the Dropbox file-hosting service, has offered a beta release to encourage developer participation.

Wasmjit was introduced as an open source project in late September. Principal goals of Wasmjit include:

09/27/2018   Virtualization
The third major release of the open-source Kubernetes container orchestration system in 2018 is now out, providing users with a stable release of a key security feature that has been in development for two years, while previewing a new sandboxing isolation capability.