lwn.net 피드 구독하기
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
업데이트: 31분 20초 지남

Subversion SHA1 collision problem statement

35분 54초 지남
Users of the Subversion source-code management system may want to take a look at this post from Mark Phippard. He explains how hash collisions can corrupt a repository and a couple of short-term workarounds. "The quick summary if you do not want to read this entire post is that the problem is really not that bad. If you run into it there are solutions to resolve it and you are not going to run into it in normal usage. There will also likely be some future updates to Subversion that avoid it entirely so if you regularly update your server and client when new releases come out you are probably safe not doing anything and just waiting for an update to happen."


[$] Moving Git past SHA-1

화, 2017/02/28 - 3:56오전
The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.

Security updates for Monday

화, 2017/02/28 - 1:42오전
Security updates have been issued by Debian (apache2, radare2, and shadow), Mageia (firebird, libevent, and php-tcpdf), and openSUSE (chromium).

Stable kernels 4.9.13 and 4.4.52 (and 4.10.1)

월, 2017/02/27 - 12:24오전
The 4.9.13 and 4.4.52 stable kernels are out; these relatively small updates contain the usual set of important fixes.

Update: the 4.10.1 update is out as well (thanks to Thorsten Leemhuis).


Some weekend security updates

월, 2017/02/27 - 12:24오전
Security updates have been issued by CentOS (kernel and qemu-kvm), Debian (bind9, cakephp, munin, and shadow), Fedora (python-cjson, python-PyMySQL, quagga, util-linux, and xen), Mageia (kernel kmod and kernel-tmb), Oracle (kernel), Red Hat (kernel), and Scientific Linux (kernel).

Linus on Git and SHA-1

일, 2017/02/26 - 4:49오전
Linus Torvalds has posted a lengthy explanation of why the recently created SHA-1 collision is not an emergency for Git users. "In the pdf examples, the pdf format acted as the 'black box', and what you see is the printout which has only a very indirect relationship to the pdf encoding. But if you use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice." That said, he notes that there is work in progress to move away from SHA-1.

[It seems that subversion users have an additional set of concerns; see this bug report conversation for the scary story.]


Cloudflare Reverse Proxies are Dumping Uninitialized Memory

토, 2017/02/25 - 3:47오전
Thanks to Josh Triplett for sending us this chromium bug report about a dump of unitialized memory caused by Cloudflare's reverse proxies. "A while later, we figured out how to reproduce the problem. It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers. We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security. "

Security updates for Friday

토, 2017/02/25 - 1:08오전
Security updates have been issued by Debian (libreoffice and phpmyadmin), Fedora (kopete and xrdp), Oracle (kernel and qemu-kvm), Red Hat (kernel and qemu-kvm), Scientific Linux (kernel and qemu-kvm), and Ubuntu (LibreOffice and php7.0).

Memory Error Detection Using GCC (Red Hat Developers blog)

금, 2017/02/24 - 4:47오전
Over at the Red Hat Developers blog, Martin Sebor looks at some new (or enhanced) warnings available in GCC 7 that will help catch various types of memory errors. For example: "The -Wformat-overflow=level option detects certain and likely buffer overflow in calls to the sprintf family of formatted output functions. The option starts by determining the size of the destination buffer, which can be allocated either statically or dynamically. It then iterates over directives in the format string, calculating the number of bytes each result in output. For integer directives like %i and %x it tries to determine either the exact value of the argument or its range of values and uses the result to calculate the exact or minimum and maximum number of bytes the directive can produce. Similarly for floating point directives such as %a and %f, and string directives such as %s. When it determines that the likely number of bytes a directive results in will not fit in the space remaining in the destination buffer it issues a warning."

Ancient local privilege escalation vulnerability in the kernel announced

금, 2017/02/24 - 3:22오전
Andrey Konovalov has announced the discovery and fix of a local privilege escalation in the Linux kernel. Using the syzkaller fuzzer (which LWN looked at around one year ago), he found a double-free in the Datagram Congestion Control Protocol (DCCP) implementation that goes back to at least September 2006 (2.6.18), but probably all the way back to the introduction of DCCP in October 2005 (2.6.14). "[At] this point we have a use-after-free on some_object. An attacker can control what object that would be and overwrite it's content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel. I'll publish an exploit in a few days, giving people time to update."

Stable kernels 4.9.12 and 4.4.51

금, 2017/02/24 - 3:00오전
Greg Kroah-Hartman has announced the release of the 4.9.12 and 4.4.51 stable kernels. As usual, there are important fixes in the updates and users of those kernels should upgrade.

Security updates for Thursday

금, 2017/02/24 - 1:20오전
Security updates have been issued by Arch Linux (bzip2, kernel, and linux-zen), CentOS (kernel), Debian (bitlbee, kernel, and tomcat7), Fedora (diffoscope, mujs, pcre, plasma-desktop, and tomcat), Mageia (libpcap/tcpdump and spice), Oracle (kernel), Red Hat (kernel, kernel-rt, and python-oslo-middleware), SUSE (php5 and util-linux), Ubuntu (imagemagick), and openSUSE (gd, kernel, libXpm, and libquicktime).

LEDE v17.01.0 final

금, 2017/02/24 - 12:47오전
The final version of the LEDE router distribution's 17.01.0 release is now available. "LEDE 17.01.0 "Reboot" incorporates thousands of commits over the last nine months of effort. With this release, the LEDE development team closes out an intense effort to modernize many parts of OpenWrt and incorporate many new modules, packages, and technologies." LWN recently reviewed a release-candidate version of LEDE 17.01.

Announcing the first SHA1 collision

목, 2017/02/23 - 11:36오후
The Google security blog carries the news of the first deliberately constructed SHA-1 hash collision. "We started by creating a PDF prefix specifically crafted to allow us to generate two documents with arbitrary distinct visual contents, but that would hash to the same SHA-1 digest. In building this theoretical attack in practice we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed." The SHA-1 era is truly coming to an end, even if most attackers lack access to the computing resources needed for this particular exploit.


[$] LWN.net Weekly Edition for February 23, 2017

목, 2017/02/23 - 10:02오전
The LWN.net Weekly Edition for February 23, 2017 is available.

Turunen: Qt Roadmap for 2017

목, 2017/02/23 - 4:20오전
Tuukka Turunen presents a roadmap for Qt. "Qt 3D was first released with Qt 5.7 and in Qt 5.8 the focus was mostly on stability and performance. With Qt 5.9 we are providing many new features which significantly improve the functionality of Qt 3D. Notable new features include support for mesh morphing and keyframe animations, using Qt Quick items as a texture for 3D elements, as well as support for physically based rendering and particles. There are also multiple smaller features and improvements throughout the Qt 3D module."

Wednesday's security advisories

목, 2017/02/23 - 2:10오전

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities).

Debian has updated tomcat7 (regression in previous update) and tomcat8 (regression in previous update).

Gentoo has updated archive-tar-minitar (file overwrites) and ghostscript-gpl (multiple vulnerabilities).

openSUSE has updated profanity (42.2, 42.1: user impersonation).

SUSE has updated php7 (SLE12: multiple vulnerabilities).

Ubuntu has updated kernel (14.04: three vulnerabilities), linux, linux-raspi2 (16.10: three vulnerabilities), linux, linux-snapdragon (16.04: multiple vulnerabilities), linux, linux-ti-omap4 (12.04: three vulnerabilities), linux-lts-trusty (12.04: three vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), and tcpdump (multiple vulnerabilities).


[$] Principled free-software license enforcement

목, 2017/02/23 - 1:47오전
Issues of when and how to enforce free-software licenses, and who should do it, have been on some people's minds recently, and Richard Fontana from Red Hat decided to continue the discussion at FOSDEM. This was a fairly lawyerly talk; phrases like "alleged violation" and "I think that..." were scattered throughout it to a degree not normally found in talks by developers. This is because Fontana is a lawyer at Red Hat, and he was talking about ideas which, while they are not official Red Hat positions, were developed following discussions between him and other members of the legal team at Red Hat.

Subscribers can click below for the full report of the talk by guest author Tom Yates.


A draft GLIBC year-2038 design document

목, 2017/02/23 - 12:56오전
The year-2038 apocalypse is now just under 21 years away. For those who are curious about how the GNU C Library plans to deal with this problem, there is a draft design document out for review. "In order to avoid duplicating APIs for 32-bit and 64-bit time, glibc will provide either one but not both for a given application; the application code will have to choose between 32-bit or 64-bit time support, and the same set of symbols (e.g. time_t or clock_gettime) will be provided in both cases."

Linux Plumbers Conference call for microconferences

수, 2017/02/22 - 11:32오후
The 2017 Linux Plumbers Conference is set for September 13 to 15 in Los Angeles, California. The core of this event is the microconferences, focused gatherings that address a specific range of problems. The call for microconferences for the 2017 event is now out. "Good microconferences result in solutions to these problems and concerns, while the best microconferences result in patches that implement those solutions."