By jake As several LWN readers have pointed out, John-Mark Gurney posted a message to the freebsd-current mailing list on February 17 noting that the random number generator (RNG) in the FreeBSD “current” kernel has been broken for the last four months. “If you are running a current kernel r273872 or later, please upgrade
your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling
randomdev_init_reader, which means that read_random(9) was not returning
good random data. read_random(9) is used by arc4random(9) which is
the primary method that arc4random(3) is seeded from.
This means most/all keys generated may be predictable and must be
regenerated. This includes, but not limited to, ssh keys and keys
generated by openssl. This is purely a kernel issue, and a simple
kernel upgrade w/ the patch is sufficient to fix the issue.”
By ris Opensource.com has an interview
with John Sullivan, Executive Director of FSF. “I stay involved because I think it’s one of the most important social movements in existence, and it needs help—a lot of help. As more and more of the world’s social, cultural, economic, and political interactions are mediated by technology, control over the technology becomes incredibly important for the exercise of any basic individual freedoms. I love the people I meet in this work, and the enormity of the challenge.”
Fedora has updated libvirt (F20:
two vulnerabilities) and qemu (F20: privilege escalation).
openSUSE has updated dbus-1,
(13.2, 13.1: denial of service).
Slackware has updated patch (symlink attack), seamonkey (multiple vulnerabilities), and sudo (information disclosure).
SUSE has updated bind
(SLES11 SP2: denial of service), clamav (SLES11 SP1,2,3, SLES10 SP4:
multiple vulnerabilities), java-1_6_0-ibm
(SLEM LS12: two unspecified vulnerabilities), java-1_7_1-ibm (SLE12: two unspecified
vulnerabilities), and ntp (SLES11 SP1:
Ubuntu has updated xorg-server,
xorg-server-lts-trusty, xorg-server-lts-utopic (14.10, 14.04, 12.04:
By ris Bryce Harrington has announced
the release of Wayland 1.7.0. “The Wayland protocol may be
considered “done” but that doesn’t mean
there’s not work to be done. This release focused on major improvements
to Wayland’s documentation, minor improvements to the testsuite, and
some scattered bugfixes to the code itself.”
Debian-LTS has updated e2fsprogs
(code execution) and nss (two vulnerabilities).
Fedora has updated android-tools
(F21: code execution), bugzilla (F21; F20:
command injection), community-mysql (F20:
multiple unspecified vulnerabilities), dbus
(F21: denial of service), libvirt (F21:
multiple vulnerabilities), moodle (F21:
multiple vulnerabilities), mutt (F21; F20:
denial of service), ntp (F21; F20: two vulnerabilities), perl-Gtk2
code execution), pigz (F21; F20: directory traversal), postgresql (F20: multiple vulnerabilities),
puppetlabs-stdlib (F21; F20: privilege escalation),
roundcubemail (F21; F20: cross-site scripting), rubygem-actionpack (F21: two information
leaks), rubygem-sprockets (F21; F20: directory traversal), unzip (F21: multiple vulnerabilities), and virt-who (F21: information leak).
Gentoo has updated cpio (two vulnerabilities), libpng (memory overwrite), and oracle-jre-bin (multiple vulnerabilities).
Mageia has updated cups (buffer overflow), krb5 (multiple vulnerabilities), and rsync (denial of service).
SUSE has updated krb5 (SLE12; SLE12:
multiple vulnerabilities) and ntp
(SLES11 SP2: multiple vulnerabilities).
By corbet The Haskell.org site is currently reporting that its Debian package
repository, deb.haskell.org, has been compromised.
“`deb.haskell.org` was already offline and suspended shortly after
these traffic changes were detected by the host monitoring system, meaning
the window for package compromise was very very small. We’re continuing to
investigate the breach and the extent to which it might have
By corbet When one thinks about the PHP language, terms like “strong typing” and
“strict checking” do not normally come to mind. But, as the project works
toward its next major release (to be called PHP 7), it has become
embroiled in a fierce debate over the proposed addition of some simple
typing features to the language. To some, PHP is growing up into a safer,
better-defined language, while others see the changes as possibly
destroying the character of a historically freewheeling language.
Click below (subscribers only) for the full article.
By corbet Do you have an opinion on whether the next kernel release should be called
3.20 or 4.0? Linus is currently running a
poll on Google+ to get a sense for what people would prefer. “So
– continue with v3.20, because bigger numbers are sexy, or just move to
v4.0 and reset the numbers to something smaller?”
As of this writing, the 4.0 option appears to be winning.
openSUSE has updated clamav
(13.1, 13.2: multiple vulnerabilities), roundcubemail (13.1, 13.2: cross-site scripting), and tcpdump (13.1, 13.2: multiple vulnerabilities).
SUSE has updated ntp
(SLES/SLED12: multiple vulnerabilities).
Ubuntu has updated clamav
(10.04: code execution).
By jake Over at Linux Journal, Joey Bernard looks at Distro Astro, which is a Linux distribution for astronomy. It collects programs of interest to those running telescopes and planetariums, including various image collection and processing applications.
“After aiming your telescope, you need to collect some images or do some astrophotography. While you can do some of this with software like KStars, you have software specifically designed to do image capture. Some, like wxAstroCapture, are specifically written for use in astronomy. With it, you can set up automatic guiding and batch image collection. You then can go have a nice hot cup of coffee while your telescope collects your data. To help you keep track of all of these observations, you can use the Observation Manager, a logging program to maintain your records.”