Bug

Magnitude of glibc Vulnerability Coming To Light (threatpost.com) 139

msm1267 writes: The glibc vulnerability disclosed this week has some experts on edge because of how DNS can be leveraged in exploits. Dan Kaminsky said that while man-in-the-middle attacks are one vector, it would appear that it's also possible to exploit the bug and attack most Linux servers via DNS caching-only servers. 'This would be substantially worse if it went through the caching ecosystem; 99 percent of attack vectors go through that system,' Kaminsky said. Glibc, or the GNU C library, is used by most flavors of Linux and also a number of popular web services and frameworks, giving attacks potentially massive horizontal scale. The major Linux distros have patched and pushed updates to servers; source code is also available for homegrown Linux builds.
Data Storage

Ubuntu 16.04 LTS To Have Official Support For ZFS File System (dustinkirkland.com) 191

LichtSpektren writes: Ubuntu developer Dustin Kirkland has posted on his blog that Canonical plans to officially support the ZFS file system for the next Ubuntu LTS release, 16.04 "Xenial Xerus." The file system, which originates in Solaris UNIX, is renowned for its feature set (Kirkland touts "snapshots, copy-on-write cloning, continuous integrity checking against data corruption, automatic repair, efficient data compression") and its stability. "You'll find zfs.ko automatically built and installed on your Ubuntu systems. No more DKMS-built modules!" N.B. ext4 will still be the default file system due to the unresolved licensing conflict between Linux's GPLv2 and ZFS's CDDL.
Bug

Red Hat, Google Disclose Severe Glibc DNS Vulnerability; Patched But Widespread 121

An anonymous reader writes: Today Google's online security team publicly disclosed a severe vulnerability in the Gnu C Library's DNS client. Due to the ubiquity of Glibc, this affects an astounding number of machines and software running on the internet, and raises questions about whether Glibc ought to still be the preferred C library when alternatives like musl are gaining maturity. As one example of the range of software affected, nearly every Bitcoin implementation is affected. Reader msm1267 adds some information about the vulnerability, discovered independently by security researchers at Red Hat as well as at Google, which has since been patched: The flaw, CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. The flaw is triggered when the getaddrinfo() library function is used, Google said today in its advisory. "A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches," Red Hat said in an advisory. It's likely that all Linux servers and web frameworks such as Rails, PHP and Python are affected, as well as Android apps running glibc.
Security

Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox (softpedia.com) 95

An anonymous reader writes: If an application can embed fonts with special characters, then it's probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page's CSS. The malformed font loads in Firefox, triggers the RCE exploit, and voila, your PC has a hole inside through which malware can creep in.
Graphics

NVIDIA Begins Providing Open-Source 3D Driver Support For GeForce GTX 900 Series (phoronix.com) 63

An anonymous reader writes: In late 2014 NVIDIA announced their GPUs would begin requiring signed firmware images before the open-source driver could enable hardware acceleration. That led the Nouveau developers to call the latest GPUs "very open-source unfriendly", but that criticism can now be laid to rest as NVIDIA has finally released the signed firmware and basic open-source driver code. The open-source driver can now move on with its open-source 3D enablement for Maxwell GPUs and the NVIDIA developer is hoping it will be ready for the next kernel cycle (Linux 4.6).
Open Source

The Linux Foundation Forms Open Source Effort To Advance IO Services (linuxfoundation.org) 46

The Linux Foundation is announcing FD.io ("Fido"), a Linux Foundation Project. FD.io is an open source project to provide an IO services framework for the next wave of network and storage software. Early support for FD.io comes from founding members 6WIND, Brocade, Cavium, Cisco, Comcast, Ericsson, Huawei, Inocybe Technologies, Intel Corporation, Mesosphere, Metaswitch Networks (Project Calico), PLUMgrid and Red Hat.

Architected as a collection of sub-projects, FD.io provides a modular, extensible user space IO services framework that supports rapid development of high-throughput, low-latency and resource-efficient IO services. The design of FD.io is hardware, kernel, and deployment (bare metal, VM, container) agnostic.
GUI

Fresh Wayland Experiences With Weston, GNOME, KDE and Enlightenment 133

jones_supa writes: Software developer Pavlo Rudyi has written a blog post about his experiences with the various desktop environments currently supporting Wayland. The results are not a big surprise, but nevertheless it is great to see the continued interest in Wayland and the ongoing work by many different parties in ensuring that Wayland will eventually be able to dominate the Linux desktop. To summarize, Pavlo found Weston to be "good," GNOME is "perfect," KDE is "bad," and Enlightenment is "good." He also created a video from his testing. Have you done any testing? What's your experience?
Desktops (Apple)

Htop 2.0 Released, Runs Natively On BSDs and Mac OSX 37

An anonymous reader writes: The popular Linux process viewer htop got a new major revision, and now runs natively on FreeBSD, OpenBSD and Mac OS X. The author discussed the process of making the tool cross-platform earlier this year at FOSDEM. Htop also got some new features, including mouse wheel support via ncurses 6 and listing process environment variables.
The Courts

SCO vs. IBM Battle Over Linux May Finally Be Over (networkworld.com) 231

JG0LD writes with this news from Network World: A breach-of-contract and copyright lawsuit filed nearly 13 years ago by a successor company to business Linux vendor Caldera International against IBM may be drawing to a close at last, after a U.S. District Court judge issued an order in favor of the latter company earlier this week.
Here's the decision itself (PDF). Also at The Register.
Debian

Raspberry Pi's Raspbian OS Finally Ships With Open-Source OpenGL Support (phoronix.com) 59

An anonymous reader writes: With this month's Raspbian OS update, the Debian-based operating system for the Raspberry Pi ships experimental OpenGL driver support. This driver has been developed over the past two years by a former Intel developer with the aim of having a completely open and mainline DRM kernel driver and Mesa Gallium driver to open up the Pi as a replacement for the proprietary GPU driver.
AMD

Linux Kernel Patch Hints At 32-Core Support For AMD Zen Chips 136

New submitter Iamthecheese points to an article which says that a patch published on the Linux Kernel Mailing List indicates that AMD's forthcoming Zen processors will have as many as 32 cores per socket, but notes that while the article's headline says "Confirms," "the article text doesn't bear that out." Still, he writes, There are hints of such from last year. A leaked patch for the 14 nanometer AMD Zeppelin (Family 17h, Model 00h) reveals support for up to 32 cores. Another blog says pretty much the same thing. We recently discussed an announced 4+8 core AMD chip, but nothing like this.
Cloud

Docker Images To Be Based On Alpine Linux (brianchristner.io) 86

New submitter Tenebrousedge writes: Docker container sizes continue a race to the bottom with a couple of environments weighing in at less than 10MB. Following on the heels of this week's story regarding small images based on Alpine Linux, it appears that the official Docker images will be moving from Debian/Ubuntu to Alpine Linux in the near future. How low will they go?
Stats

The Performance of Ubuntu Linux Over the Past 10 Years (phoronix.com) 110

An anonymous reader writes: Tests were carried out at Phoronix of all Ubuntu Long-Term Support releases from the 6.06 "Dapper Drake" release to 16.04 "Xenial Xerus," looking at the long-term performance of (Ubuntu) Linux using a dual-socket AMD Opteron server. Their benchmarks of Ubuntu's LTS releases over 10 years found that the Radeon graphics performance improved substantially, the disk performance was similar while taking into account the switch from EXT3 to EXT4, and that the CPU performance had overall improved for many workloads thanks to the continued evolution of the GCC compiler.
Open Source

CFQ In Linux Gets BFQ Characteristics 65

jones_supa writes: Paolo Valente from the University of Modena has submitted a Linux kernel patchset which replaces the CFQ (Completely Fair Queueing) I/O scheduler with the last version of BFQ (Budget Fair Queuing, a proportional-share scheduler). This patchset first brings CFQ back to its state at the time when BFQ was forked from CFQ. Paolo explains: "Basically, this reduces CFQ to its engine, by removing every heuristic and improvement that has nothing to do with any heuristic or improvement in BFQ, and every heuristic and improvement whose goal is achieved in a different way in BFQ. Then, the second part of the patchset starts by replacing CFQ's engine with BFQ's engine, and goes on by adding current BFQ improvements and extra heuristics." He provides a link to the thread in which this idea was agreed on, and a direct link to the e-mail describing the steps.
Cloud

CoreOS Launches Rkt 1.0 (eweek.com) 50

darthcamaro writes: Docker is about to get some real competition in the container runtime space, thanks to the official launch of rkt 1.0. CoreOS started building rkt in 2014 and after more than a year of security, performance and feature improvements are now ready to declare it 'production-ready.' While rkt is a docker runtime rival, docker apps will run in rkt, giving users a new runtime choice: "rkt will remain compatible with the Docker-specific image format, as well as its own native App Container Image (ACI). That means developers can build containers with Docker and run those containers with rkt. In addition, CoreOS will support the growing ecosystem of tools based around the ACI format."
Books

Interviews: Ask 'Ubuntu Unleashed' Author Matthew Helmke 59

Matthew Helmke (personal blog) is the author of the newly published 11th edition of Ubuntu Unleashed (published by Pearson); this updated edition of the book will cover the OS through Ubuntu's 15.10 and (forthcoming) 16.04 releases. Helmke is also a former Ubuntu Forum administrator, a musician, an entrepreneur, and a long-time Slashdot reader who now leads a "nice quiet life in Iowa." Ask Matthew about what it's like to be a Linux book author and community leader, and his thoughts on Canonical, the goods and bads of modern Linux distributions, and the future of Ubuntu -- especially relevant with the upcoming release of the first Ubuntu-based tablet. (Remember, Matthew isn't responsible for gripes you may have with either Ubuntu or Canonical, but he might have some good solutions to particular problems.) Ask as many questions as you'd like; we just ask that you keep them on-topic, and please stick to one question per post.
Ubuntu

Canonical Reveals the BQ Aquaris M10 Ubuntu Tablet (omgubuntu.co.uk) 118

LichtSpektren writes: Several tech sites have now broken the news that Canonical has revealed their BQ Aquaris M10 Ubuntu Tablet. Joey-Elijah Sneddon builds the hype: "A stunning 10.1-inch IPS touch display powered a full HD 1920×1200 pixel resolution at 240 ppi. Inside is a 64-bit MediaTek MT8163A 1.5GHz quad-core processor, 2GB of RAM, and 16GB of internal memory. A micro SD memory card is included, adding storage expansion of up to 64GB. Furthermore, the converged slate includes an 8-megapixel rear camera with autofocus and dual LED flash (and capable of recording in full 1080p), plus a front facing 3-megapixel camera for video chats, vlogs and selfies. Front facing Dolby Atmos speakers will provide a superior sound experience during movie playback. The M10 measure 246mm x 171mm x 8.2mm, weighs just 470 grams — lighter than the Apple iPad Air — and has a 7280 mAh battery to give up to 10 hours of use. ... Tablet mode offers a side stage for running two apps side-by-side, plus a full range of legacy desktop applications, mobile apps and scopes. LibreOffice, Mozilla Firefox, The GIMP and Gedit are among a 'curated collection of legacy apps' to ship pre-installed on the tablet. It will also be possible for developers and enthusiasts to install virtually any ARM compatible app available on Ubuntu using the familiar 'apt-get' command." A photo gallery can also be seen on his website here. The price is not yet announced, but the Android version of the same tablet is currently on sale for €229.
Bug

Running "rm -rf /" Is Now Bricking Linux Systems (phoronix.com) 699

An anonymous reader writes: For newer systems utilizing UEFI, running rm -rf / is enough to permanently brick your system. While it's a trivial command to run on Linux systems, Windows and other operating systems are also prone to this issue when using UEFI. The problem comes down to UEFI variables being mounted with read/write permissions and when recursively deleting everything, the UEFI variables get wiped too. Systemd developers have rejected mounting the EFI variables as read-only, since there are valid use-cases for writing to them. Mounting them read-only can also break other applications, so for now there is no good solution to avoid potentially bricking your system, but kernel developers are investigating the issue.
Open Source

Linux Kernel 2.6.32 LTS Reaches End of Life In February 2016 (softpedia.com) 116

An anonymous reader writes: The oldest long-term supported Linux kernel branch finally reaches end of life next month, but before going into the deepest darkest corners of the Internet, it just dropped one more maintenance release, Linux kernel 2.6.32.70 LTS. Willy Tarreau dropped the news about the release of Linux kernel 2.6.32.70 LTS on January 29, 2016, informing us all that this will most likely be the last maintenance release in the series, as starting with February 2016 it will no longer be supported with security patches and bugfixes. Linux 2.6 first came out in December, 2003, and 2.6.16 (the first long-term release) in March 2006.
