Debian

Debian 'Stretch' Updated With 9.1 Release (debian.org) 25

An anonymous reader quotes Debian.org: The Debian project is pleased to announce the first update of its stable distribution Debian 9 (codename "stretch"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems... Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old "stretch" media... Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
Bug

Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net) 71

Slashdot reader KiloByte warned us about new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.
Google

Linus Torvalds Now Reviews Gadgets On Google+ (zdnet.com) 50

An anonymous reader quotes ZDNet: If you know anything about Linus Torvalds, you know he's the mastermind and overlord of Linux. If you know him at all well, you know he's also an enthusiastic scuba diver and author of SubSurface, a do-it-all dive log program. And, if you know him really well, you'd know, like many other developers, he loves gadgets. Now, he's starting his own gadget review site on Google+: Working Gadgets...

"[W]hile waiting for my current build to finish, I decided to write a note about some of the gadgets I got that turned out to work, rather than all the crazy crap that didn't. Because while 90% of the cool toys I buy aren't all that great, there's still the ones that actually do live up to expectations. So the rule is: no rants. Just good stuff. Because this is about happy gadgets."

So far Linus has reviewed an automatic cat litter box, a scuba diving pressure regulator, and a Ubiquiti UniFi Wi-Fi access point that complements his Google WiFi mesh network.

Linus will be great at this. Just last week I saw him recommending a text editor.
Operating Systems

Slackware, Oldest Linux Distro Still In Active Development, Turns 24 63

sombragris writes: July 17 marked the 24th anniversary of Slackware Linux, the oldest GNU/Linux still in active development, being created in 1993 by Patrick Volkerding, who still serves as its BDFL. Version 14.2 was launched last year, and the development version (Slackware-current) currently offers kernel 4.9.38, gcc 7.1, glibc 2.25, mesa 17.1.5, and KDE and Xfce as official desktops, with many others available as 3rd party packages. Slackware is also among the Linux distributions which have not adopted systemd as its init system; instead, it uses a modified BSD init which is quite simple and effective. Slackware is known to be a solid, stable and fast setup, with easy defaults which is appreciated by many Linux users worldwide. Phoronix has a small writeup noting the anniversary and there's also a nice reddit thread.
Ubuntu

Ask Slashdot: Ubuntu 18.04 LTS Desktop Default Application Survey 278

Dustin Kirkland, Ubuntu Product and Strategy at Canonical, writes: Howdy all- Back in March, we asked the HackerNews community, "What do you want to see in Ubuntu 17.10?": https://ubu.one/AskHN. A passionate discussion ensued, the results of which are distilled into this post: http://ubu.one/thankHN. In fact, you can check that link, http://bit.ly/thankHN and see our progress so far this cycle. We already have a beta code in 17.10 available for your testing for several of those:

- GNOME replaced Unity
- Bluetooth improvements with a new BlueZ
- Switched to libinput
- 4K/Multimonitor/HiDPI improvements
- Upgraded to Network Manager 1.8
- New Subiquity server installer
- Minimal images (36MB, 18% smaller)

And several others have excellent work in progress, and will be complete by 17.10:

- Autoremove old kernels from /boot
- EXT4 encryption with fscrypt
- Better GPU/CUDA support

In summary -- your feedback matters! There are hundreds of engineers and designers working for *you* to continue making Ubuntu amazing! Along with the switch from Unity to GNOME, we're also reviewing some of the desktop applications we package and ship in Ubuntu. We're looking to crowdsource input on your favorite Linux applications across a broad set of classic desktop functionality. We invite you to contribute by listing the applications you find most useful in Linux in order of preference.


Click through for info on how to contribute.
Open Source

In Which Linus Torvalds Makes An 'Init' Joke (lkml.org) 357

Long-time Slashdot reader jawtheshark writes: In a recent Linux Kernel Mailing List post, Linux Torvalds finishes his mail with a little poke towards a certain init system. It is a very faint criticism, compared to his usual style. While Linus has no direct influence on the "choices" of distro maintainers, his opinion is usually valued.
In a discussion about how to set rlimit default values for setuid execs, Linus concluded his email by writing, "And yes, a large part of this may be that I no longer feel like I can trust "init" to do the sane thing. You all presumably know why."
GNOME

Fedora 26 Linux Distro Released (betanews.com) 66

Reader BrianFagioli writes: Today, Fedora 26 sheds its pre-release status and becomes available for download as a stable release. GNOME fans are in for a big treat, as version 3.24 is default. If you stick to stable Fedora releases, this will be your first time experiencing that version of the desktop environment since it was released in March. Also new is LibreOffice 5.3, which is an indispensable suite for productivity. If you still use mp3 music files I've moved onto streaming), support should be baked in for both encoding and decoding. "The latest version of Fedora's desktop-focused edition provides new tools and features for general users as well as developers. GNOME 3.24 is offered with Fedora 26 Workstation, which includes a host of updated functionality including Night Light, an application that subtly changes screen color based on time of day to reduce effect on sleep patterns, and LibreOffice 5.3, the latest update to the popular open source office productivity suite. For developers, GNOME 3.24 provides matured versions of Builder and Flatpak to make application development for a variety of systems, including Rust and Meson, easier across the board," says the Fedora Project.
Open Source

Bruce Perens Warns Grsecurity Breaches the Linux Kernel's GPL License (perens.com) 474

Bruce Perens co-founded the Open Source Initiative with Eric Raymond. Now he's sharing a "strong opinion" that companies should avoid the Grsecurity security patch for the Linux kernel "because it presents a contributory infringement and breach of contract risk." Slashdot reader NewGnu shared Bruce's comments: [I]t would fail a fair-use test... Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2... My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition...

This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

Perens advises companies to discuss his position with their attorneys, adding "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."
Debian

Survey Finds Most Popular Linux Laptop Distros: Ubuntu and Arch (phoronix.com) 141

After collating 30,171 responses, Phoronixhas released some results from their first Linux Laptop Survey. An anonymous reader quotes their report: To little surprise, Ubuntu was the most popular Linux distribution running on the respondents' laptops. 38.9% of the respondents were said to be using Ubuntu while interesting in second place was Arch Linux at 27.1% followed by Debian at 15.3%. Rounding out the top ten were then Fedora at 14.8%, Linux Mint in 5th at 10.8%, openSUSE/SUSE in sixth at 4.2%, Gentoo in seventh at 3.9%, CentOS/RHEL in eighth at 3.1%, Solus in ninth at 2%, and Manjaro in tenth at 1.6%. The other Linux distributions had each commanded less than 1% of the overall response.
Only 10.3% of respondents said their most recent laptop purchase came pre-loaded with Linux. But 29.3% are now dual-booting their Linux laptop with Windows, while another 4.4% were dual-booting with yet another Linux distribution.
Windows

WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (thehackernews.com) 140

An anonymous reader quotes a report from The Hacker News: WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- implant for Microsoft Windows Xshell client, and Gyrfalcon -- targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then sends them to a CIA-controlled server.
Operating Systems

OpenBSD Will Get Unique Kernels On Each Reboot (bleepingcomputer.com) 162

An anonymous reader quotes a report from Bleeping Computer: A new feature added in test snapshots for the upcoming OpenBSD 6.2 release will create a unique kernel every time an OpenBSD user reboots or upgrades his computer. This feature is named KARL -- Kernel Address Randomized Link -- and works by relinking internal kernel files in a random order so that it generates a unique kernel binary blob every time. Currently, for stable releases, the OpenBSD kernel uses a predefined order to link and load internal files inside the kernel binary, resulting in the same kernel for all users. Developed by Theo de Raadt, KARL will work by generating a new kernel binary at install, upgrade, and boot time. If the user boots up, upgrades, or reboots his machine, the most recently generated kernel will replace the existing kernel binary, and the OS will generate a new kernel binary that will be used on the next boot/upgrade/reboot, constantly rotating kernels on reboots or upgrades. KARL should not be confused with ASLR -- Address Space Layout Randomization -- a technique that randomizes the memory address where application code is executed, so exploits can't target a specific area of memory where an application or the kernel is known to run. A similar technique exists for randomizing the memory location where the kernel loads -- called KASLR. The difference between the two is that KARL loads a different kernel binary in the same place, while KASLR loads the same binary in random locations. Currently Linux and Windows only support KASLR.
Security

Linux Is Not As Safe As You Think (betanews.com) 237

BrianFagioli writes via BetaNews: Would you be surprised if I told you that threat methods for Linux increased an astonishing 300 percent in 2016, while Microsoft's operating systems saw a decrease? Well, according to a new report, that is true. Does this mean Linux is unsafe? No way, Jose! There are some important takeaways here. Microsoft's Windows operating systems are still the most targeted platforms despite the year over year decline -- far beyond Linux. Also, just because there is an increase in malware attack methods doesn't necessarily mean that more systems will be infected. Let us not forget that it is easier to find a vulnerability with open source too; Microsoft largely uses closed source code. "At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down. In October, the Mirai code appeared freely available on the Internet. Since then, the AV-TEST systems have been investigating an increasing number of samples with spikes at the end of October, November and beginning of December," says AV Test of the Mirai malware. "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices. The detection systems of AV-TEST first detected the Tsunami malicious code in the year 2003. Although, at that time, practically no IoT devices existed, the Linux backdoor already offered attack functions which even today would be suitable for virtually unprotected attacks on routers: In this manner, Tsunami can download additional malicious code onto infected devices and thus make devices remote controllable for criminals. But the old malware can also be used for DDoS attacks. The Darlloz worm, known since 2013, as well as many other Linux and Unix malware programs, have similar attack patterns which AV-TEST has been detecting and analyzing for years."
Bug

'Severe' Systemd Bug Allowed Remote Code Execution For Two Years (itwire.com) 551

ITWire reports: A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.
Open Source

Linux Kernel 4.12 Officially Released (softpedia.com) 55

prisoninmate quotes Softpedia: After seven weeks of announcing release candidate versions, Linus Torvalds today informs the Linux community through a mailing list announcement about the general availability of the Linux 4.12 kernel series. Development on the Linux 4.12 kernel kicked off in mid-May with the first release candidate, and now, seven weeks later we can finally get our hands on the final release... A lot of great improvements, new hardware support, and new security features were added during all this time, which makes it one of the biggest releases, after Linux 4.9...

Prominent features of the Linux 4.12 kernel include initial support for AMD Radeon RX Vega graphics cards, intial Nvidia GeForce GTX 1000 "Pascal" accelerated support, implementation of Budget Fair Queueing (BFQ) and storage-I/O schedulers, more MD RAID enhancements, support for Raspberry Pi's Broadcom BCM2835 thermal driver, a lot of F2FS optimizations, as well as ioctl for the GETFSMAP space mapping ioctl for both XFS and EXT4 filesystems.

Linus said in announcing the release that "I think only 4.9 ends up having had more commits," also noting that 4.9 was a Long Term Support kernel, whereas "4.12 is just plain big."

"There's also nothing particularly odd going on in the tree - it's all just normal development, just more of it than usual."
Ubuntu

Ubuntu Disputes 'Ads In MOTD' Claims (twitter.com) 110

Thursday Lproven (Slashdot reader #6030) wrote: It appears that Ubuntu is using a feature it has added -- intended to insert headlines of breaking tech news (security alerts and so on) into the Message of the Day displayed at login to the console -- to display advertising and promotional messages.
The message in question linked to a Hacker Noon article titled "How HBO's Silicon Valley built 'Not Hotdog' with mobile TensorFlow, Keras & React Native." Later that day Dustin Kirkland, a Ubuntu Product Manager for the feature's design (and the Core Developer for its implementation) suggested the message had been mistaken for an ad, describing it on Hacker News as a "fun fact... an interesting tidbit of potpourri from the world of Ubuntu," and later saying it was intended like Google's doodles. "Last week's message actually announced an Ubuntu conference in Latin America. The week before, we linked to an article asking for feedback on Kubuntu. Before that, we announced the availability of Extended Security Maintenance updates for 12.04. And so on." He later confirmed Canonical received no money for the message, and also pointed out that the messages all come from an open source repository, and "You're welcome to propose your own messages for merging, if you have a well formatted, informative message for Ubuntu users."

Click through for a condensed version of the complete response by Dustin Kirkland, Ubuntu Product and Strategy at Canonical.

Slashdot Top Deals