Security

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com) 1

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

SuSE

Windows 10 Gets A New Linux: openSUSE (fossbytes.com) 189

An anonymous reader writes: "Running Linux binaries natively on Windows... that sounds awesome indeed," writes Hannes Kuhnemund, the senior product manager for SUSE Linux Enterprise. He's written a blog post describing how to run openSUSE Leap 42.2 and SUSE Linux Enterprise Server 12 SP2 on Windows 10, according to Fossbytes, which reports that currently users have two options -- openSUSE Leap 42.2 and SUSE Linux Enterprise Server 12 SP2. Currently it's Ubuntu that's enabled by default in the Windows Subsystem for Linux, although there's already a project on GitHub that also lets you install Arch Linux. "It's quite unfortunate that Microsoft enabled the wrong Linux (that's my personal opinion) by default within the Windows Subsystem for Linux (WSL)," writes Kuhnemund, "and it is time to change it to the real stuff."
Ubuntu

Windows 10 Upgrade Bug Disabled Ctrl-C In Bash (infoworld.com) 277

An anonymous reader quotes InfoWorld: A massive set of changes to the Windows Subsystem for Linux (WSL) was rolled into Windows Insider build 15002... If this is any hint, Microsoft's goal is nothing short of making it a credible alternative to other Linux distributions... Some of the fixes also implement functionality that wasn't available before to Linux apps in WSL, such as support for kernel memory overcommit and previously omitted network stack options. Other changes enhance integration between WSL and the rest of Windows...

[O]ne major issue in build 15002 is that Ctrl-C in a Bash session no longer works. Microsoft provided an uncommon level of detail for how this bug crept in, saying it had to do with synchronization between the Windows and Bash development teams. The next Insider build should have a fix. But for people doing serious work with Linux command-line apps, not having Ctrl-C is a little like driving a car when only the front brakes work.

Debian

Linux.com Announces The Best Linux Distros for 2017 (linux.com) 224

Friday Linux.com published their list of "what might well be the best Linux distributions to be found from the ever-expanding crop of possibilities... according to task." Here are their winners (as chosen by Jack Wallen), along with a short excerpt of his analysis.
  • Best distro for sysadmins: Parrot Linux. "Based on Debian and offers nearly every penetration testing tool you could possibly want. You will also find tools for cryptography, cloud, anonymity, digital forensics, programming, and even productivity."
  • Best lightweight distribution: LXLE. "Manages to combine a perfect blend of small footprint with large productivity."
  • Best desktop distribution: Elementary OS. "I'm certain Elementary OS Loki will do the impossible and usurp Linux Mint from the coveted 'best desktop distribution' for 2017."
  • Best Linux for IoT: Snappy Ubuntu Core. "Can already be found in the likes of various hacker boards (such as the Raspberry Pi) as well as Erle-Copter drones, Dell Edge Gateways, Nextcloud Box, and LimeSDR."
  • Best non-enterprise server distribution: CentOS. "Since 2004, CentOS has enjoyed a massive community-driven support system."
  • Best enterprise server distribution: SUSE. "Don't be surprised if, by the end of 2017, SUSE further chips away at the current Red Hat market share."

Wallen also chose Gentoo for "Best distribution for those with something to prove," saying "This is for those who know Linux better than most and want a distribution built specifically to their needs... a source-based Linux distribution that starts out as a live instance and requires you to then build everything you need from source." And surprisingly, he didn't mention his own favorite Linux distro, Bodhi Linux, which he describes elsewhere as "a melding of Ubuntu and Enlightenment".


Google

Android Was 2016's Most Vulnerable Product, Oracle the (bleepingcomputer.com) 147

An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016 security researchers discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up of Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).

When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).

Networking

Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices (ubuntu.com) 181

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.

They'll be publishing their complete findings in a new paper in January.
Operating Systems

Linux Mint 18.1 'Serena' Is Here For Christmas (betanews.com) 62

Long-time reader BrianFagioli writes: If you love Linux Mint and use it regularly, I have very good news -- version 18.1 'Serena' is finally here. There are two desktop environments from which to choose -- Cinnamon and Mate. Regardless of which version you choose, please know that it is based on Ubuntu 16.04, which offers long-term support (LTS). In other words, Linux Mint 18.1 will be supported until 2021. Linux Mint 18.1 comes with the updated Cinnamon 3.2, which looks to be wonderful. The Mint team touts a new screensaver/login screen in the desktop environment, and yeah, it looks good.
Security

Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com) 164

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of Linux zero-day exploits, the most recent of which employs specially crafted audio files to compromise Linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them."
Bug

5-Year-Old Critical Linux Vulnerability Patched (threatpost.com) 68

msm1267 quotes Kaspersky Lab's ThreatPost: A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years. Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011.

A patch was pushed to the mainline Linux kernel December 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes. The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.

"Basically it's a bait-and-switch," the researcher told Threatpost. "The bug allows you to trick the kernel into thinking it is working with one kind of object, while you actually switched it to another kind of object before it could react."
Open Source

Linux Mint 18.1 'Serena' BETA Ubuntu-based Operating System Now Available For Download (betanews.com) 137

BrianFagioli shares his story on Beta News: Feeling fatigued by Windows 10 and its constant updates and privacy concerns? Can't afford one of those beautiful new MacBook Pro laptops? Don't forget, Linux-based desktop operating systems are just a free download away, folks!

If you do decide to jump on the open source bandwagon, a good place to start is Linux Mint. Both the Mate and Cinnamon desktop environments should prove familiar to Windows converts, and since it is based on Ubuntu, there is a ton of compatible packages. Today, the first beta of Linux Mint 18.1 'Serena' becomes available for download.

Here are the release notes for both Cinnamon and MATE.
Cloud

Canonical Sues Cloud Provider Over 'Unofficial' Ubuntu Images (ostatic.com) 47

An anonymous reader quotes OStatic's update on Canonical's lawsuit against a cloud provider: Canonical posted Thursday that they've been in a dispute with "a European cloud provider" over the use of their own homespun version of Ubuntu on their cloud servers. Their implementation disables even the most basic of security features and Canonical is worried something bad could happen and it'd reflect badly back on them... They said they've spent months trying to get the unnamed provider to use the standard Ubuntu as delivered to other commercial operations to no avail. Canonical feels they have no choice but to "take legal steps to remove these images." They're sure Red Hat and Microsoft wouldn't be treated like this.
Mark Shuttleworth, the founder of Ubuntu, wrote in his blog post that Ubuntu is "the leading cloud OS, running most workloads in public clouds today," whereas these homegrown images "are likely to behave unpredictably on update in weirdly creative and mysterious ways... We hear about these issues all the time, because users assume there is a problem with Ubuntu on that cloud; users expect that 'all things that claim to be Ubuntu are genuine', and they have a right to expect that...

"To count some of the ways we have seen home-grown images create operational and security nightmares for users: clouds have baked private keys into their public images, so that any user could SSH into any machine; clouds have made changes that then blocked security updates for over a week... When things like this happen, users are left feeling let down. As the company behind Ubuntu, it falls to Canonical to take action."
Operating Systems

Taking a Stand Against Unofficial Ubuntu Images (ubuntu.com) 103

Canonical isn't pleased with cloud providers who are publishing broken, insecure images of Ubuntu despite being notified several times. In a blog post, Mark Shuttleworth, the founder of Ubuntu, and the Executive Chairman and VP, Product Strategy at Canonical, made the situation public for all to see. An excerpt from the blog post: We are currently in dispute with a European cloud provider which has breached its contract and is publishing insecure, broken images of Ubuntu despite many months of coaxing to do it properly. The home-grown images on the cloud, VPS and bare metal services of this provider disable fundamental security mechanisms and modify the system in ways that are unsupportable. They are likely to behave unpredictably on update in weirdly creative and mysterious ways (the internet is full of fun examples). We hear about these issues all the time, because users assume there is a problem with Ubuntu on that cloud; users expect that 'all things that claim to be Ubuntu are genuine', and they have a right to expect that. We have spent many months of back and forth in which we unsuccessfully tried to establish the same operational framework on this cloud that already exists on tens of clouds around the world. We have on multiple occasions been promised it will be rectified to no avail. We are now ready to take legal steps to remove these images. We will seek to avoid affecting existing running users, but we must act to prevent future users from being misled. We do not make this move lightly, but have come to the view that the value of Ubuntu to its users rests on these commitments to security, quality and updates.
Open Source

A Windows 10 Alternative: Ubuntu-Based Zorin OS Linux Distro (betanews.com) 191

"With a click of a button, you can change the desktop layout to match that of Windows versions and Gnome 3. The Ultimate edition...also features Ubuntu, Gnome 2 and macOS-like layouts." BrianFagioli shares an article about a Linux-based operating system "designed for Windows-switchers." While the company does charge for an "Ultimate" version, the "Core" edition of Zorin OS 12 is entirely free... "As Zorin OS 12 is based on Ubuntu 16.04 LTS, it will be supported with security updates until April 2021. This makes Zorin OS 12 the ideal choice for large deployments in businesses, governments, schools and organisations," says the Zorin OS Team... Zorin OS features some really great features, such as Google Drive integration with the file browser.
Although unlike Windows 10, its default browser is Chromium.
Desktops (Apple)

Microsoft Announces Visual Studio For Mac (venturebeat.com) 83

On the sidelines of major announcements such as Microsoft joining the Linux Foundation, and Google joining the .NET Foundation, at its Connect(); 2016 developer conference, Microsoft also announced that it is bringing Visual Studio to the rival Mac platform. The company also announced a preview of the next version of SQL Server, and a preview of Azure App Service support for containers. From a VentureBeat report: "We want to help developers achieve more and capitalize on the industry's shift toward cloud-first and mobile-first experiences using the tools and platforms of their choice," Microsoft Cloud and Enterprise executive vice president Scott Guthrie said in a statement. "By collaborating with the community to provide open, flexible, and intelligent tools and cloud services, we're helping every developer deliver unprecedented levels of innovation." The fact that Microsoft is bringing its IDE to macOS would have arguably been the biggest news of the day, had the company not leaked the information itself earlier this week. Still, a preview of Visual Studio for Mac is now available, letting developers write cloud, mobile, and macOS apps on Apple's desktop operating system using .NET and C#. It's a big deal, given that Microsoft once made a point of locking in developers by only offering its tools on Windows. This has changed over time, with a big highlight in April 2015 when Microsoft launched Visual Studio Code, its cross-platform code editor, for Windows, Mac, and Linux. More info on Microsoft releasing SQL Server Preview for Ubuntu and Red Hat Enterprise Linux.
Microsoft

Microsoft Joins the Linux Foundation (techcrunch.com) 202

Microsoft today said it is joining the Linux Foundation as a high-paying Platinum member. Linux Foundation executive director Jim Zemlin said, "This may come as a surprise to you, but they were not big fans," describing the two organizations' previous relationship. From a report on TechCrunch: The new Microsoft under CEO Satya Nadella, however, is singing a very different tune. Today's Microsoft is one of the biggest open source contributors around. Over the course of just the last few years, it has essentially built Canonical's Ubuntu distribution into Windows 10, brought SQL Server to Linux, open-sourced core parts of its .NET platform and partnered with Red Hat, SUSE and others. As Zemlin noted, Microsoft has also contributed to a number of Linux Foundation-managed projects like Node.js, OpenDaylight, the Open Container Initiative, the R Consortium and the Open API Initiative. ArsTechnica has more details.
Security

Cryptsetup Vulnerability Grants Root Shell Access On Some Linux Systems (threatpost.com) 89

msm1267 quotes a report from Threatpost: A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data. Cryptsetup, a utility used to set up disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they're likely vulnerable. Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria. According to a post published to the Full Disclosure mailing list, the vulnerability (CVE-2016-4484) affects packages 2.1 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs -- a simple RAM file system directory -- are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable; they just haven't tested them yet. The report adds: "The problem stems from the incorrect handling of a password check when a partition is ciphered with LUKS, or Linux Unified Key Setup, a disk encryption specification that's standard for Linux. Assuming an attacker has access to the computer's console, when presented with the LUKS password prompt, they could exploit the vulnerability simply by pressing 'Enter' over and over again until a shell appears. The researchers say the exploit could take as few as 70 seconds. After a user exceeds the maximum number of three password tries, the boot sequence continues normally. Another script in the utility doesn't realize this, and drops a BusyBox shell. After carrying out the exploit, the attacker could obtain a root initramfs, or rescue shell. Since the shell can be executed in the initrd, or initial ram disk, environment, it can lead to a handful of scary outcomes, including elevation of privilege, information disclosure, or denial of service."
Windows

Open Source Pioneer Munich Debates Report That Suggests Abandoning Linux for Windows 10 (techrepublic.com) 176

As an open-source software pioneer, Munich spent years moving away from Windows, but now politicians are debating a report that suggests the city could eventually abandon Linux. A report on TechRepublic adds: If the authority ruling Germany's third largest city backs proposals to make Windows 10 and Microsoft Office available across the council, it would be a significant step away from open-source software for an organization once seen as its champion. Over a nine-year period starting in 2004, the council moved about 15,000 staff from using Windows and Office to LiMux -- a custom version of the Ubuntu desktop OS -- and other open source software. At the time, Munich was one of the largest organizations to reject Windows, and Microsoft took the city's leaving so seriously that then CEO Steve Ballmer flew to Munich to meet the mayor. Now a report commissioned by current mayor Dieter Reiter to help determine the future of IT at the council has outlined a project to make Windows 10 and Microsoft Office available to all departments, and give staff the choice about whether to use Windows or LiMux.
Ubuntu

Ubuntu Budgie Is Now An Official Ubuntu Flavor (softpedia.com) 49

prisoninmate writes from a report via Softpedia: After two successful major releases, budgie-remix has finally been accepted as an official Ubuntu flavor, earlier today during a meeting where four Canonical technicians voted positive. As such, we're extremely happy to inform our readers that the new Ubuntu flavor is called Ubuntu Budgie. In April this year, when budgie-remix hit the road towards its first major release, versioned 16.04, we reported that David Mohammed was kind enough to inform Softpedia about the fact that he got in touch with Ubuntu MATE leader Martin Wimpress, who urged the developer to target Ubuntu 16.10 for an official status. budgie-remix 16.10 arrived as well this fall shortly after the release of Ubuntu 16.10 (Yakkety Yak), and the dream of becoming an official Ubuntu flavor is now a reality. Re-branding of the official website and the entire distribution is ongoing. "We now move full steam ahead and look forward to working with the Ubuntu Developer Membership Board to examine and work through the technical aspects [...] 17.04 will be our first official release under the new name," said David Mohammed in the announcement.
Operating Systems

Mythbuntu Linux Has Been Discontinued (softpedia.com) 49

"Mythbuntu as a separate distribution will cease to exist. We will take the necessary steps to pull Mythbuntu specific packages from the repositories unless someone steps up to take these packages over," read Friday's announcement. prisoninmate writes: Mythbuntu was an operating system based on the widely-used Ubuntu Linux distro and built around the MythTV free and open source digital video recorder (DVR) project... The Mythbuntu team recommends users who want to use Mythbuntu to install the latest release of the Xubuntu Linux operating system and then add the Mythbuntu PPA (Personal Package Archive), which will continue to provide the latest MythTV releases and other related packages...

The first release of the OS was back when Ubuntu 7.10 (Gutsy Gibbon) was announced, and the last one was Mythbuntu 16.04.1 LTS (Xenial Xerus). From this point...there will be no new ISO images anymore. Also, the mythbuntu-desktop and Mythbuntu-Control-Centre packages are now discontinued and won't be available from the Ubuntu repositories anymore. However, users will still be able to install the MythTV software and configure it as they see fit.

Cloud

AWS Releases Amazon Linux Container Image For Use in On-Premises Data Centers (venturebeat.com) 33

Amazon Web Services, a division of Amazon that offers cloud computing and storage services, has released a container image of its Amazon Linux operating system -- which has, until now, only been accessible on AWS virtual machine instances -- that customers can now deploy on their own servers. From a report on VentureBeat: Of course, other Linux distributions are available for use in companies' on-premises data centers -- CentOS, CoreOS, Red Hat Enterprise Linux, Canonical's Ubuntu, and so on. Now companies that are used to Amazon Linux in the cloud can work with it on-premises, too. It's available from AWS' EC2 Container Registry. Amazon Linux is not currently available for instant deployment on other public clouds, whether Oracle's, Google's, Microsoft's, or IBM's. "It is built from the same source code and packages as the AMI and will give you a smooth path to container adoption," AWS chief evangelist Jeff Barr wrote in a blog post. "You can use it as-is or as the basis for your own images."
