July 14, 2015
The Linux Foundation's Core Infrastructure Initiative has completed its first-pass survey
of the Linux toolset, and is underscoring which OS tools are initially most at risk.
While there's still lots of attention on higher-profile packages like crypto tools, web
servers and mail transfer agents, there are also quite a few packages that everyone uses and
that nobody cares about, such as compression and image libraries, appearing high on the list
of packages most exposed to security vulnerabilities.
The foundation's Census Project has released the final version of a survey by David Wheeler
and Samir Khakimov, titled Open Source Software Projects Needing Security Investments.
While Wheeler and Khakimov write that their work was somewhat constrained by time, and to
date has concentrated mainly on tools associated with Debian, the result is still worrying.
The list of most exposed packages is drawn from a range of metrics: how much maintenance a package
actually receives, how popular it is, and how important it is (that is, can you live without it?).
After their automated assessment of more than 350 projects, the pair then ran human eyeballs over
the results to identify what they believe to be the most exposed to security vulnerabilities in the Linux
While the list includes more than twenty utilities, some of which are highly exposed to internet
risks (mail transfer agents, DHCP, BIND tools, SMTP and so on), the survey is measuring not the “level
of bugginess” per se, but rather how much damage a bug could possibly do, and therefore how much TLC
a particular tool or project needs to run smoothly.
So while OpenSSL and OpenSSH are rated as critically important, those two projects are already
operating under the CII's wing.
But of course, that's not true of tools like the widespread Bzip2 compression tool, which hasn't
changed at all in the past five years and doesn't operate a source code repository.
Likewise, reports that BIND 9 has a huge backlog of security issues are equally worrying. Additionally, 'wget'
has a fair number of hacks.
And while the vital gzip tool has many contributors, the last formal release was in 2013.
For its part, libexpat1 is also singled out: maintenance was effectively halted in 2012, and its bug
reports link produces an error page. And keyutils (used to manage security keys) has no bug tracker at all
and no mailing list.
We will keep you posted on these and other Linux and open source news developments.
In other Linux community news
The United States National Security Agency's XKEYSCORE software, revealed by Edward Snowden as
capable of sniffing and analysing just about any data from anywhere, runs on Red Hat Enterprise Linux.
This is according to NSA's Glenn Greenwald, who last week wrote that XKEYSCORE “is a piece of Linux
software that is typically deployed on Red Hat servers.”
“It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster
are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by
the cron scheduling service.”
The NSA is a known contributor to some specific open source projects, although there aren't
that many considering the secret nature of the federal agency.
To be sure, the Xen Project admitted as much when it launched Xen 4.5 in 2014. There's no
reason the NSA shouldn't also be a user, as it operates under the same constraints as plenty of other organizations
who feel that open source solutions best meet their specific needs.
However, news that the NSA uses open source software could dismay those who feel that such
efforts promote greater openness, as the NSA promotes rather different values.
On the upside, XKEYSCORE appears to operate at enormous scale, so Linux system admins have
proof of concept of open source software's impressive scalability.
Greenwald doesn't say if the NSA uses the free version of MySQL or Oracle's fee-for-licence
version, however. We'll keep you posted on these and other developments.
In other Linux and open source news
The new Linux 4.2-rc1 kernel features an incredible one million lines of extra code, and
Linus Torvalds rates it the biggest release candidate ever in terms of the volume of new code.
Torvalds, the original Linux creator back in 1991, writes that “if you count the size in pure
number of lines changed, this really seems to be the biggest release candidate we've ever had,
with over a million lines added, and about a quarter million lines removed.”
Most of those new lines of code come from the new AMD GPU register description header: new code
that Torvalds says comprises “41 percent of the entire patch” and has created a “somewhat odd
situation where a single driver is about half of the whole rc1 in number of lines.”
Torvalds added that the new 4.2-rc1 kernel knocks off the previous champion, 3.11-rc1, which grew
because it added the 'Lustre' filesystem.
Also new to version 4.2 are the Renesas H8/300 architecture, “in a newly cleaned-up form” and
“quite a bit of low-level x86 changes-- both source code re-organization for x86 entry code and lots
of FPU handling cleanups.”
Torvalds rates the x86 changes as fairly unusual, because low-level x86 code is fairly stable
and seldom sees those kinds of big changes.
“Outside of the drivers and architectures, there's a fair amount of filesystem elements, including
some fundamental changes and cleanups to symlink handling,” Torvalds concludes.
“And all the usual updates to various filesystems, networking, cryptography, tools, testing, you
name it,” he added.
In other Linux and open source news
It was long in the tooth, but Linux kernel 3.14.40 LTS has finally arrived, as announced by
Greg Kroah-Hartman on the kernel mailing list. The new kernel brings with it a number of important improvements to the ARM and PowerPC
architectures, as well as several updated drivers.
According to the attached shortlog, Linux kernel 3.14.40, which is an LTS (Long Term Support)
release, brings improvements to many hardware architectures, including ARM, Alpha, AVR32, FRV,
CRIS, IA64, M32R, m68k, MicroBlaze, MIPS, mn10300, OpenRISC, PA-RISC, PowerPC, s390, SPARC, Xtensa,
and of course, last but not least, the x86 platform.
"I'm announcing the release of the 3.14.40 LTS (long term support) kernel. All users of the 3.14
kernel series must upgrade," says Greg Kroah-Hartman.
The updated 3.14.y git tree can be browsed at the normal kernel.org site.
The new Linux kernel 3.14.40 LTS also updates various Ethernet drivers, for Broadcom, Intel,
Mellanox, Freescale, Emulex and Realtek hardware manufacturers.
Some Acer Bluetooth drivers have been updated as well, along with some networking fixes for
both the IPv4 and IPv6 network protocols.
Several file systems received important updates in Linux kernel 3.14.40 LTS. Among these, we
can mention Amiga Fast File System (AFFS), autofs4, Ceph, CIFS, Coda (Constant Data Availability),
Debugfs, Exportfs, ncpfs, OCFS2, and NFS.
Naturally, many other internal components of the Linux kernel have been improved in this release.
Users who run the Linux 3.14 series are urged to upgrade as soon as the new 3.14.40 LTS
packages arrive in the official software repositories of their GNU/Linux operating systems.
You can also download Linux kernel 3.14.40 LTS from the kernel.org website and compile it yourself,
if you prefer.
The Debian project is touting new ports for ARM and POWER architectures, a new list of software
updates, an upgraded Gnome desktop and improved security in its just-released newest version, Jessie.
But we expect that the switch to systemd as the default init system will divert at least
some attention from the new release. Time will tell anyway.
Promising that systemd provides “advanced monitoring, logging, and service management capabilities”,
Jessie, the upgrade to Wheezy, still lets the old timers' favourite, sysvinit, co-exist with
the new init system.
After a brief trial with Xfce, Jessie sees Debian return to the Gnome fold, using version 3.14
of the venerable desktop as its default.
The MATE and Cinnamon desktops are also available, or users can opt for Xfce (version 4.10)
if they prefer.
As well as abandoning SSLv3 in Jessie, Debian's system admins have put hardened compiler
flags in more packages, and switched the stack protector flag to stack-protector-strong.
There is also a new package, needrestart, to help security along. “If any services
running on the system require a restart to take advantage of some changes in the upgraded packages,
then it offers to perform these restarts”, the release notes say.
Overall, the Gnome desktop has been made workmate-friendly: if someone leaves music playing when
they leave the machine, workmates can press pause without knowing the password.
The new release announcement simply points to upgraded versions of everything from Apache
and Asterisk to Tomcat and Xen, adding that a full install includes “43,000 other ready-to-use
software packages built from nearly 20,100 source packages.”
As could be expected, all package versions shipping with Jessie are of the latest release.
Additional supporting services include a browsable view of all source code, and a new code
search to make browsing less daunting, Debian Code Search (since there's 130 GB of source code,
it's no surprise that it uses up 616 pages of results).
Linux OS creator Linus Torvalds has decided it's time for version 4.0 of the Linux kernel. The news didn't
come as a surprise to most in the IT community, however.
To be sure, Torvalds has been wondering about Linux kernel release numbering for a while, notably
in a Google+ post last week.
He now seems to have taken the plunge in that direction, by declaring that the version of the
kernel he's working on is “Linux 4.0-rc1”. In a recent poll, about 56 percent of Linux users said they felt the time was right to go for version 4.0 of the kernel.
Torvalds writes “People preferred 4.0, and 4.0 it shall be. Unless somebody can come up with a
good argument against it, that's what it will be.”
Over on Git, Torvalds is even more blasé about the numbering change, offering the following:
“After extensive statistical analysis of my G+ polling, I've come to the inescapable
conclusion that internet polls are bad.”
He goes on to deride responses to the poll before saying “But hey, I asked, so I'll honor the votes.”
Torvalds says the new release is small, but the full list of additions to version 4.0 looks
pretty substantial: on top of non-disruptive patching, the new version will support IBM's new z13
mainframe and Intel's Quark system-on-a-chip, add support for the OASIS VirtIO 1.0 specification,
and bring lots of graphics enhancements over and above what would reasonably be expected.
In other Linux and open source news
For the past two to three years, Ubuntu on mobile phones has been an ongoing project for the
Ubuntu team and quite an ambitious one at that.
Much like Microsoft and its new One Windows ideology, Team Canonical hatched the scheme for
a unified cross-device application ecosystem long ago, but progress has been rather slow in and of
To be sure, Meizu has been a critical part of the new OS development program at Canonical,
with various demo builds and a rumor of an Ubuntu-powered Meizu handset arriving soon, ever
since the MX 3 was the company's flagship offering.
Today, Meizu posted a rather interesting teaser on Facebook. The image of the new smartphone
seems to suggest a new OS, which will join the ranks of Flyme and YunOS and probably be unveiled at
this year's MWC.
We can instinctively point a finger towards Ubuntu Touch, which we will hopefully see in mass-production
This tidbit is further backed up by some rumors of an Ubuntu MX4 hitting the market, possibly in March or April.
The current flagship device has been a long-standing candidate for the Ubuntu experience, but we
can definitely expect some surprises here and there.
Last week, Canonical threw a curve ball by announcing that the BQ Aquaris E4.5 will be the
pioneer of Ubuntu on a Smartphone.
Keeping that in mind, it's not certain whether the MX-4 or MX-4 Pro will offer
higher-end hardware for the new OS, or whether Meizu will bring an entirely new phone to the scene. Time
At any rate, and no matter how you look at this, the news is exciting. The Ubuntu Touch platform
itself is an interesting concept from Canonical.
The main idea behind it is a uniform Linux kernel and a set of base technologies that form
a cross-device application platform.
What this implies is an improved level of uniformity and compatibility, allowing users to share pretty
much the same set of applications, both on mobile and desktop devices.
To further add to the excitement, Ubuntu Touch also promises a full desktop experience and perhaps
even in the near future, a full desktop Ubuntu session running straight from the phone or tablet once
hooked up to a larger screen.
The latter, also known as "Full Desktop Convergence" is kind of experimental at this time, so it
might be a little while until we are actually able to dock our phones and use them as an everyday work
PC replacement for example.
There are also some hardware requirements for the feature to work correctly, but they are definitely
not out of reach for current generation mobile devices so let's hope we finally see a full-featured
Ubuntu experience on a Meizu device soon.
It's now confirmed that version 3.19 of the Linux kernel was released today by Linux inventor
Linus Torvalds. News of the release emerged in a typically economical Sunday evening post to the Linux Kernel Mailing List,
in which Torvalds noted that there are still a couple of bugs in the release, but they are pretty obscure, so “while I
was tempted a couple of times to do an rc8, there really wasn't any reason for it,” he was quoted
New in this release is improved support for Intel and AMD graphics, plus support for LZ4
compression in SquashFS, which should make for better Linux performance on Live CDs. (Do people still
run Linux off of live CDs?)
Owners of Lenovo, Dell, Acer and Toshiba hardware will now find Linux plays better with some of
their unique hardware features, especially keyboard backlights. And there have been a few more changes.
For example, the KVM Hypervisor has dropped support for the IA-64 chip, a milestone in that architecture's
To be sure, Torvalds' post says that the next version of the Linux kernel will be known as 3.20.
That's not something he was keen on saying in late 2013, when he said “I would actually prefer to not
go into the twenties, so I can see it happening in a year or so, and we'll have 4.0 follow 3.19 or something
Torvalds' musings at the time imagined release 4.0 might be dedicated to “just stability and bug-fixes”.
Little or nothing's been heard of that idea in the months since, so release 3.20 looks like more of the same.
Source: The Linux Foundation