LWN.net's Journal
 

Tuesday, August 18th, 2015

    12:22a
    Schaller: An Open Letter to Apache Foundation and Apache OpenOffice team
    Christian Schaller has posted an open letter to the Apache Software Foundation with a non-trivial request: "So dear Apache developers, for the sake of open source and free software, please recommend people to go and download LibreOffice, the free office suite that is being actively maintained and developed and which has the best chance of giving them a great experience using free software. OpenOffice is an important part of open source history, but that is also what it is at this point in time."

    In this context, it's interesting to note that OpenOffice project chair Jan Iversen recently stepped down, listing resistance to an effort to cooperate with LibreOffice as one of the main reasons. The project currently looks set to name Dennis Hamilton (who is running unopposed) as its new chair.

    2:12p
    [$] Development statistics for the 4.2 kernel
    As of this writing, the 4.2-rc7 prepatch is out and the final 4.2 kernel looks to be (probably) on track to be released on August 23. Tradition says that it's time for a look at the development statistics for this cycle. 4.2, in a couple of ways, looks a bit different from recent cycles, with some older patterns reasserting themselves.

    Click below (subscribers only) for the full article.
    6:08p
    Security advisories for Tuesday

    CentOS has updated glibc (C5: code execution from 2013), mysql55-mysql (C5: multiple unspecified vulnerabilities, one from 2014), net-snmp (C7; C6: code execution), sqlite (C6: code execution), sqlite (C7: three vulnerabilities), and subversion (C6: three vulnerabilities).

    Debian has updated apache2 (two vulnerabilities), gdk-pixbuf (code execution), and nss (two vulnerabilities).

    Debian-LTS has updated libstruts1.2-java (unclear vulnerability from 2014).

    Fedora has updated erlang (F22; F21: man-in-the-middle vulnerability), firefox (F22: many vulnerabilities), flac (F21: two vulnerabilities from 2014), gnutls (F21: code execution), golang (F22; F21: HTTP request smuggling), nagios-plugins (F22; F21: three vulnerabilities), qemu (F22: two vulnerabilities), uwsgi (F22; F21: denial of service), and webkitgtk4 (F22: three unspecified vulnerabilities).

    Mageia has updated kdepim (M4: no attachment encryption from 2014).

    openSUSE has updated subversion (two vulnerabilities) and virtualbox (two vulnerabilities).

    Oracle has updated glibc (OL5: code execution from 2013), mysql55-mysql (OL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (OL7; OL6: code execution), sqlite (OL7: three vulnerabilities), sqlite (OL6: code execution), and subversion (OL6: three vulnerabilities).

    Red Hat has updated net-snmp (RHEL6&7: code execution).

    Scientific Linux has updated glibc (SL5: code execution from 2013), mysql55-mysql (SL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (SL6&7: code execution), sqlite (SL6: code execution), and subversion (SL6: three vulnerabilities).

    Ubuntu has updated kernel (12.04: three vulnerabilities), kernel (15.04; 14.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-ti-omap4 (12.04: three vulnerabilities), and net-snmp (two vulnerabilities, one from 2014).

    11:48p
    Ruoho: Multiple Vulnerabilities in Pocket
    On his blog, Clint Ruoho reports on multiple vulnerabilities he found in the Pocket service that saves articles and other web content for reading later on a variety of devices. Pocket integration has been controversially added to Firefox recently, which is what drew his attention to the service. "The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache’s mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket’s app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs.

    These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket’s backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers."

    He was able to get more information, such as the contents of /etc/passwd on Pocket's Amazon EC2 servers.
    (Thanks to Scott Bronson and Pete Flugstad.)
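    The exposure Ruoho describes comes from two independent Apache settings: whether the mod_status handler is reachable from outside, and whether ExtendedStatus adds per-request detail (client IP, the URL being requested) to its output. The configuration below is an added illustration written for this entry, not from Pocket's servers or Ruoho's post; the hostnames and paths are placeholders, and the directive names and syntax are Apache httpd 2.4's.

```apache
# --- Weak configuration (constructed to match the failure mode described above) ---
# Loading mod_status and leaving ExtendedStatus on means every /server-status
# response lists, per worker, the client address and the request line in flight.
# With no access control on the Location, anyone who can reach the host sees it.
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
</Location>

# --- Hardened configuration ---
# 1. ExtendedStatus Off drops the per-request columns (client, request URL,
#    query string), so even an authorised viewer only sees worker/traffic totals.
ExtendedStatus Off

# 2. Restrict the handler to the monitoring host(s); 'Require local' allows only
#    loopback, 'Require ip' a monitoring subnet (placeholder range below).
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 10.0.0.0/24
</Location>

# 3. Where no one consumes the status page at all, do not load the module:
#    comment out the LoadModule line and the handler disappears entirely.
# LoadModule status_module modules/mod_status.so
```

    A quick audit for the weak state on a fleet is to look for `ExtendedStatus On` (or an absent directive, since some distribution packages default it on) together with a `server-status` Location that has no `Require` line; the quoted report notes that Pocket's exposure survived on a subset of hosts precisely because the setting was not uniform across the fleet.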
