Bug

Deserialization Issues Also Affect .NET, Not Just Java (bleepingcomputer.com) 187

"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a totally unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.

Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue has been discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.
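The JSON case described above, as an added example that is not code from the BleepingComputer article or from the researchers' paper: it assumes the Json.NET library (Newtonsoft.Json, version 10 or later for the ISerializationBinder interface), and the Order type, the AllowListBinder class and the "$type" payload are constructed here to put the weak setting beside a hardened one. The summary's "optional secure systems" are, in Json.NET's case, the TypeNameHandling setting and the SerializationBinder hook shown below.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Added example; not code from the article or the paper. Assumes Json.NET
// (Newtonsoft.Json 10+). "Order" and "AllowListBinder" are names chosen here.
public sealed class Order
{
    public string Customer { get; set; }
    public decimal Amount { get; set; }
}

// Allow-list binder: a "$type" value may only resolve to types named here.
// Anything else is rejected before Json.NET constructs an instance.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(Order).FullName] = typeof(Order),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t))
            return t;
        throw new JsonSerializationException($"Type '{typeName}' is not on the allow-list");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class DeserializationDemo
{
    // Constructed input: the "$type" property is chosen by whoever sends the JSON.
    // The type named here is a placeholder, not a real gadget; the point is that
    // the input, not the application, picks which class gets instantiated.
    public const string Untrusted =
        "{\"$type\":\"Some.Sender.Chosen.Type, SomeAssembly\",\"Customer\":\"x\",\"Amount\":1}";

    // VULNERABLE: any TypeNameHandling other than None lets the JSON select the
    // CLR type to create and populate. Paired with a suitable type present on
    // the host, this is the behaviour the article calls a deserialization flaw.
    public static object Unsafe(string json) =>
        JsonConvert.DeserializeObject(json,
            new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All });

    // HARDENED (1): the default TypeNameHandling.None skips "$type" entirely and
    // only ever builds the type the calling code asked for.
    public static Order SafeDefault(string json) =>
        JsonConvert.DeserializeObject<Order>(json);

    // HARDENED (2): if polymorphic payloads are genuinely required, keep
    // TypeNameHandling but pair it with an allow-list binder.
    public static Order SafePolymorphic(string json) =>
        JsonConvert.DeserializeObject<Order>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(),
        });

    public static void Main()
    {
        // "$type" is ignored; an Order is populated from the remaining properties.
        Console.WriteLine(SafeDefault(Untrusted).Customer);

        try
        {
            SafePolymorphic(Untrusted);
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The check a reviewer wants is whether TypeNameHandling is ever set to anything but None on a path that reads untrusted input; if it is, a binder like the one above (or a type-specific check in BindToType) is the minimum compensating control, and the same review applies to the XML serializers the summary mentions.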

Red Hat Software

Red Hat Acquires Data-Cleaning Company Permabit (fortune.com) 85

An anonymous reader quotes Fortune: Business software company Red Hat said on Monday that it is acquiring the technology assets of Permabit, a small company that specializes in cleaning up corporate data to make storage more efficient and data access faster. Terms of the deal were not disclosed but a Red Hat spokesman said 16 people from Permabit will be joining that company...

While the conventional wisdom is that data storage is cheap, it is not free. And with companies turning to more expensive flash storage, it saves money to remove redundant data, said Richard Fichera, vice president and principal analyst at Forrester Research... Red Hat, which sells a version of the Linux operating system used by many Fortune 500 companies, also offers its own storage software. And, it wants to become a more formidable challenger in data storage, a goal that can be furthered by buying Permabit's technology, Fichera said.

Slashdot reader See Attached points out that this week Red Hat also released RHEL 7.4, which introduces support for Network Bound Disk Encryption (NBDE) and system protection against intrusive USB devices.
Java

Red Hat And IBM Will Vote Against Java's Next Release (infoworld.com) 57

An anonymous reader quotes InfoWorld: The next edition of standard Java had been proceeding toward its planned July 27 release after earlier bumps in the road over modularity. But now Red Hat and IBM have opposed the module plan. "JDK 9 might be held up by this," Oracle's Georges Saab, vice president of development for the Java platform, said late Wednesday afternoon. "As is the case for all major Java SE releases, feedback from the Java Community Process may affect the timeline..."

Red Hat's Scott Stark, vice president of architecture for the company's JBoss group, expressed a number of concerns about how applications would work with the module system and its potential impact on the planned Java Enterprise Edition 9. Stark also said the module system, which is featured in Java Specification Request 376 and Project Jigsaw, could result in two worlds of Java: one for Jigsaw and one for everything else, including Java SE classloaders and OSGi. Stark's analysis received input from others in the Java community, including Sonatype.

"The result will be a weakened Java ecosystem at a time when rapid change is occurring in the server space with increasing use of languages like Go," Stark wrote, also predicting major challenges for applications dealing with services and reflection. His critique adds that "In some cases the implementation...contradicts years of modular application deployment best practices that are already commonly employed by the ecosystem as a whole." And he ultimately concludes that this effort to modularize Java has limitations which "almost certainly prevent the possibility of Java EE 9 from being based on Jigsaw, as to do so would require existing Java EE vendors to completely throw out compatibility, interoperability, and feature parity with past versions of the Java EE specification."
Music

Fedora Will Get Full Mp3 Support, As IIS Fraunhofer Terminates Mp3 Licensing Program (fedoramagazine.org) 133

An anonymous reader quotes Fedora Magazine: Both MP3 encoding and decoding will soon be officially supported in Fedora. Last November the patents covering MP3 decoding expired and Fedora Workstation enabled MP3 decoding via the mpg123 library and GStreamer... The MP3 codec and Open Source have had a troubled relationship over the past decade, especially within the United States. Historically, due to licensing issues Fedora has been unable to include MP3 decoding or encoding within the base distribution... A couple of weeks ago IIS Fraunhofer and Technicolor terminated their licensing program and just a few days ago Red Hat Legal provided the permission to ship MP3 encoding in Fedora.
Red Hat Software

Red Hat Suffers Massive Data Center Network Outage 85

An anonymous reader writes: According to multiple reports on Twitter, the Fedora Infrastructure Status page, and the #fedora-admin Freenode IRC channel, Red Hat is suffering a massive network outage at their primary data center. Details are sketchy at this point, but it looks to be impacting the Red Hat Customer Portal; as well as all their repositories (including Fedora, EPEL, Copr); their public build system, Koji; and a whole host of other popular services. There is no ETA for restoration of services at this point.
Red Hat Software

Interviews: Ask Red Hat CEO Jim Whitehurst A Question (redhat.com) 167

Jim Whitehurst joined Red Hat as CEO in 2008; since then its valuation has risen past $10 billion and the company has entered the S&P 500. He believes that leaders should engage people and then provide context for self-organizing, and in 2015 he published The Open Organization: Igniting Passion and Performance (donating all proceeds to the Electronic Frontier Foundation). The book describes a post-bureaucratic world of community-centric companies led with transparency and collaboration, with chapters on igniting passion, building engagement, and choosing meritocracy over democracy.

Whitehurst has argued that Red Hat exemplifies "digital disruption," and recently predicted a world of open source infrastructure running proprietary business software. Fortune has already called Red Hat "one of the geekiest firms in the business," and its OpenStack-based cloud computing platform now competes directly with Amazon Web Services. Red Hat also sponsors the Fedora Project and works with the One Laptop Per Child initiative.

So leave your best questions in the comments. (Ask as many questions as you'd like, but please, one per comment.) We'll pick out the very best questions, and then forward them on for answers from Red Hat CEO Jim Whitehurst.
Red Hat Software

Red Hat CEO Predicts Open Source Infrastructures With Proprietary Business Functionality (fortune.com) 53

An anonymous reader summarizes the highlights of Fortune's new interview with Red Hat CEO James Whitehurst: A recruiter told Whitehurst the culture at Red Hat was "a little bit like that Blues Brothers movie, when Dan Aykroyd says, 'We're on a mission from God.'" But Whitehurst says geeky passion "makes it a great place to be a part of," and even argues that the success of Microsoft in the 1990s can be attributed to its Microsoft Developer Network, which led developers into Microsoft's platform and infrastructure. "Developers now are heavily using open-source tools and technology and, bluntly, I think that's why Microsoft had to open source .NET and why they're embracing more open source in general. Because open source is where innovation is coming from and is what developers are consuming, it forces vendors to participate."

Looking towards the future, Whitehurst says "A rough line would be almost to say most infrastructure is going to be open source and most business functionality above it is going to be proprietary." And he also warns open source companies, "if you don't have the unique business model that allows you to add value on top of the free functionality, in the end you're going to fail... a lot of open source companies have come and gone because they've been more focused on the functionality versus how they add value around the functionality."

Music

Red Hat Announces Fedora Will Support MP3 Playback (fedoraproject.org) 140

Long-time Slashdot reader jrincayc shares news from Red Hat's Fedora Engineering Manager, Tom Callaway. On the Fedora-legal mailing list, Callaway announced: Red Hat has determined that it is now acceptable for Fedora to include MP3 decoding functionality (not specific to any implementation, or binding by any unseen agreement). Encoding functionality is not permitted at this time.
And the same day Christian Schaller announced on the Gnome blog that mp3 playback would be supported in Fedora Workstation 25. You should be able to download the mp3 plugin on Day 1 through GNOME Software or through the missing codec installer in various GStreamer applications. For Fedora Workstation 26 I would not be surprised if we decide to ship it on the install media.
He added, "I know this has been a big wishlist item for a long time for a lot of people..."
Red Hat Software

Red Hat CEO: Linux Is Now The 'Default Choice' For The Cloud (bizjournals.com) 89

Speaking at the "All Things Open" conference, Red Hat CEO Jim Whitehurst remembered when Linux "was just a 'bunch of geeks' getting together figuring it all out on an 8286 chip" 25 years ago. An anonymous reader quotes BizJournals: "It went from being kind of a hacker movement to truly what I'll say [is] a viable alternative to traditional software," Whitehurst says, adding that Red Hat was a part of that push. Over the years, it came out from under the radar, being what Whitehurst calls "the default choice for a next-generation of infrastructure," particularly when it comes to cloud architectures... He points to Google, Microsoft and Facebook, all having open sourced their machine learning systems. "They recognize the company that builds the community around that piece of technology, that technology is going to win."
Mozilla

Rust Implements An IDE Protocol From Red Hat's Collaboration With Microsoft and Codenvy (infoworld.com) 49

An anonymous reader quotes InfoWorld: Developers of Mozilla's Rust language, devised for fast and safe system-level programming, have unveiled the first release of the Rust Language Service, a project that provides IDEs and editors with live, contextual information about Rust code. RLS is one of the first implementations of the Language Server Protocol, co-developed by Microsoft, Codenvy, and Red Hat to standardize communications between IDEs and language runtimes.

It's another sign of Rust's effort to be an A-list language across the board -- not only by providing better solutions to common programming problems, but also cultivating first-class, cutting-edge tooling support from beyond its ecosystem...

The Rust Language Service is "pre-alpha", and the whole Language Server Protocol is currently supported by only two IDEs -- Eclipse and Microsoft's Visual Studio Code. Earlier InfoWorld described it as "a JSON-based data exchange protocol for providing language services consistently across different code editors and IDEs," and one of the Rust developers has already developed a sample RLS client for Visual Studio Code.
Security

'Most Serious' Linux Privilege-Escalation Bug Ever Is Under Active Exploit (arstechnica.com) 109

Reader operator_error shares an ArsTechnica report: A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

Debian

Systemd Rolls Out Its Own Mount Tool (phoronix.com) 541

An anonymous Slashdot reader writes: I'm surprised this hasn't surfaced on Slashdot already, but yesterday Phoronix reported that systemd will soon be handling file system mounts, along with all the other stuff that systemd has encompassed. The report generated the usual systemd arguments over on Reddit.com/r/linux with Lennart Poettering, systemd developer and architect, chiming in with a few clarifications.
Lennart argued it will greatly improve the handling of removable media like USB sticks.
Open Source

Microsoft PowerShell Goes Open Source and Lands On Linux and Mac (pcworld.com) 400

Microsoft announced on Thursday that it is open sourcing PowerShell, its system administration, scripting, and configuration management tool that has been a default part of Windows for several years. The company says it will soon release PowerShell on Mac and Linux platforms. PCWorld reports: The company is also releasing alpha versions of PowerShell for Linux (specifically Ubuntu, CentOS and Red Hat) and Mac OS X. A new PowerShell GitHub page gives people the ability to download binaries of the software, as well as access to the app's source code. PowerShell on Linux and Mac will let people who have already built proficiency with Microsoft's scripting language take those skills and bring them to new platforms. Meanwhile, people who are used to working on those platforms will have access to a new and very powerful tool for getting work done. It's part of Microsoft's ongoing moves to open up products that the company has previously kept locked to platforms that it owned. The company's open sourcing of its .NET programming frameworks in 2014 paved the way for this launch, by making the building blocks of PowerShell available on Linux and OS X. By making PowerShell available on Linux, Microsoft has taken the skills of Windows administrators who are already used to the software, and made them more marketable. It has also made it possible for hardcore Linux users to get access to an additional set of tools that they can use to manage a variety of systems.
Red Hat Software

Red Hat Exec Marries A Couple At Red Hat Summit (cio.com) 62

On the second day of the Red Hat Summit this week, attendees found themselves invited to a wedding during one of the general sessions. The groom was Matt Hargrave, a Red Hat client from Texas, and, it probably goes without saying, a huge fan of the company. The bride was Shannon Montague, a sign language interpreter, and "maybe the most understanding bride ever," jokes Slashdot reader itwbennett: "Pushing a commit to github isn't the same as committing to a life partner. There is no forking this project," Red Hat EVP Paul Cormier told a Texas couple, as he united them in holy matrimony... Red Hat CEO Jim Whitehurst was ring bearer. You can watch the ceremony on YouTube.
"After today your relationship will have newly architected infrastructure. And, of course, collaboration is...critical." I'm wondering if Slashdot readers can suggest more geeky marriage vows -- or have any other geeky wedding stories to share.
IOS

.NET Core 1.0 Released, Now Officially Supported By Red Hat (arstechnica.com) 123

Microsoft on Monday announced the release of .NET Core, the open source .NET runtime platform. Finally! (It was first announced in 2014.) The company also released ASP.NET Core 1.0, the open-source version of Microsoft's Web development stack. ArsTechnica reports: Microsoft picked an unusual venue to announce the release: the Red Hat Summit. One of the purposes of .NET Core was to make Linux and OS X into first-class supported platforms, with .NET developers able to reach Windows, OS X, Linux, and (with Xamarin) iOS and Android, too. At the summit today, Red Hat announced that this release would be actively supported by the company on Red Hat Enterprise Linux.
KDE

KDE Bug Fixed After 13 Years (kate-editor.org) 118

About 50 KDE developers met this week in the Swiss Alps for the annual Randa Meetings, "seven days of intense in-person work, pushing KDE technologies forward and discussing how to address the next-generation demands for software systems." Christoph Cullmann, who maintains the Kate editor, blogs that during this year's sprint, they finally fixed a 13-year-old bug. He'd filed the bug report himself -- back in 2003 -- and writes that over the next 13 years, no one ever found the time to fix it. (Even though the bug received 333 "importance" votes...) After finally being marked Resolved, the bug's tracking page at KDE.org began receiving additional comments marveling at how much time had passed. Just think, when this bug was first reported:
-- The current Linux Kernel was 2.6.31...
-- Windows XP was the most current desktop version. Vista was still 3 years away.
-- Top 2 Linux versions? Mandrake and Red Hat (Fedora wouldn't be released for another 2 months, Ubuntu's first was more than a year away.)

Cloud

Ubuntu Linux Continues To Dominate OpenStack and Other Clouds (zdnet.com) 23

An anonymous reader quotes a report from ZDNet: One reason Ubuntu is increasing its lead is that Juju, Canonical's application modeling and deployment DevOps tool, has been gaining in popularity. In the latest OpenStack user survey, we see that OpenStack is finally gaining real momentum in private clouds. We also see that Ubuntu Linux is continuing to dominate OpenStack. As Canonical cloud marketing manager Bill Bauman said, "Ubuntu OpenStack continues to dominate the majority of deployments with 55 percent of production OpenStack clouds. The previous survey showed Ubuntu OpenStack at 33 percent of production clouds. Ubuntu has seen almost 67 percent growth in an area where Ubuntu was already the market leader. These numbers are a huge testament to the community support Ubuntu OpenStack receives every day." The Cloud Market's latest analysis of operating systems on the Amazon Elastic Compute Cloud (EC2) shows Ubuntu with just over 215,000 instances. Ubuntu is followed by Amazon's own Amazon Linux Amazon Machine Image (AMI), with 86,000 instances. Further back, you'll find Windows with 26,000 instances. In fourth and fifth place, respectively, you'll find Red Hat Enterprise Linux (RHEL) with 16,500 instances and then CentOS with 12,500 instances.
Red Hat Software

Red Hat Expands Red Hat Developer Program With No-Cost Red Hat Enterprise Linux (betanews.com) 50

An anonymous reader shares a report on BetaNews: Red Hat -- fresh from celebrating a historic $2 billion in annual revenue -- releases a developer-focused gift to the world. The Red Hat Enterprise Linux Developer Suite is totally free, including an RHEL license and valuable developer tools, like the JBoss Middleware portfolio. This is through the Red Hat Developer Program. If you want to take advantage of this amazing offer, you can sign up through the company's website. Red Hat seems a bit late to the party. Many argue that the company should've made its update-only subscription for individuals free from the beginning -- especially considering it isn't a major source of revenue for the company. Exciting time for developers, nonetheless.
Open Source

Red Hat Becomes First $2 Billion Open-Source Company (zdnet.com) 116

An anonymous reader quotes a report from ZDNet: Red Hat just became the first open-source company to make a cool 2 billion bucks. Not bad considering Red Hat became the first billion dollar Linux company only four years ago. Red Hat did it the old-fashioned way: They earned the money instead of playing upon the gullibility of venture capitalists. Red Hat's total revenue for its fourth quarter was $544 million. That's up 17 percent in U.S. dollars year-over-year, or 21 percent measured constant currency. Subscription revenue for the quarter was $480 million, up 18 percent in U.S. dollars year-over-year, or 22 percent measured in constant currency. Subscription revenue in the quarter was 88 percent of total revenue. Analysts estimated Red Hat would make $534 million. Looking ahead for its 2016 FY Red Hat expects to see between $2.380 billion to $2.420 billion. At this rate, Red Hat should easily become the first $3 billion open-source company.
While Red Hat's president and CEO Jim Whitehurst credits the "hybrid cloud infrastructures," Red Hat's subscription revenue can largely be ascribed to Red Hat's flagship product: Red Hat Enterprise Linux. Still, RHEL, which is now available on Microsoft Azure, is becoming a prominent cloud operating system.
Security

One Solution to MITRE's Overworked CVE System: Build a New One (helpnetsecurity.com) 47

An anonymous reader writes: For the last 17 years, the American not-for-profit MITRE Corporation has been editing and maintaining the list of Common Vulnerabilities and Exposures (CVEs). According to a number of researchers, MITRE has lately been doing a lousy job when it comes to assigning these numbers, forcing researchers to do without them or to delay public disclosure of vulnerabilities indefinitely. The problem is getting worse by the day, and the situation has spurred Kurt Seifried, a "Red Hat Product Security Cloud guy" and a CVE Editorial Board member, to create a complementary system for numbering vulnerabilities.