Security

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks 303

Bismillah (993337) writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012." Quoting the security advisory: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon, Fedora is having some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application.
Debian

Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros 144

According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article: "The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.
Virtualization

oVirt 3.4 Means Management, VMs Can Live On the Same Machine 51

darthcamaro (735685) writes "Red Hat's open source oVirt project hit a major milestone this week with the release of version 3.4. It's got improved storage handling so users can mix and match different resource types, though the big new feature is one that seems painfully obvious. For the first time oVirt users can have the oVirt Manager and oVirt VMs on the same physical machine. 'So, typically, customers deployed the oVirt engine on a physical machine or on a virtual machine that wasn't managed or monitored,' Scott Herold, principal product manager for Red Hat Enterprise Virtualization said. 'The oVirt 3.4 release adds the ability for oVirt to self-host its engine, including monitoring and recovery of the virtual machine.'" (Wikipedia describes oVirt as "a free platform virtualization management web application community project.")
Linux

Ask Slashdot: Linux For Grandma? 287

First time accepted submitter BlazeMiskulin writes "With XP approaching end-of-life, I find myself in a situation that I'm guessing is common: What to do with Mom's machine (or 'grandma's machine' for the younger of you). Since a change has to be made, this seems like a good time to move to a Linux distro. My mother (82) uses her computer for e-mail and web-browsing only. I know that any distro will be able to handle her needs. I've been using Linux (Ubuntu, CentOS, and Redhat--usually with KDE interface) for about 10 years now, but I know that my preferences are quite different from hers.

I have my own ideas, but I'm curious what others think: What combination of distro and UI would you recommend for an old, basic-level user who is accustomed to the XP interface and averse to change?"
My Grandmother seems happy running KDE on Debian.
Red Hat Software

Fedora To Have a "Don't Ask, Don't Tell" For Contributors 212

An anonymous reader writes "The Fedora Project is now going to enforce a "Don't Ask, Don't Tell" policy for contributors. What the project's engineering committee is asking their members to conceal is a contributor's nationality, country of origin, or area of residence. There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?"
Cloud

OpenShift Now Supports Windows; GoDaddy Joins OpenStack 19

sfcrazy writes "It's not The Onion: Red Hat has partnered with Uhuru Software to bring Microsoft .NET Apps and SQL server capabilities to Red Hat's Platform-as-a-Service solution OpenShift." This brings OpenShift to Windows, and not .NET applications to GNU/Linux OpenShift installations. RedHat customers have apparently been asking for this for a while. The source is available: "The consistent model for managing both Linux and Windows systems that OpenShift provides allow organizations to achieve greater efficiency and agility. Windows is now a full-fledged member of the Open Source world of OpenShift. In keeping with the spirit of Open Source, Uhuru has made all of its OpenShift integration software for Windows available to the community and is working to have it officially integrated into OpenShift Origin."

In related news (OpenShift is usually used on top of OpenStack), darthcamaro writes "The OpenStack cloud platform keeps on gaining new converts. The latest is GoDaddy which today announced it is now officially supporting the OpenStack Foundation. How GoDaddy came to officially join the OpenStack Foundation is interesting, apparently the OpenStack Foundation found out that GoDaddy was using OpenStack through job postings."
Red Hat Software

Red Hat Hires CentOS Developers 91

rjmarvin writes "Karanbir Singh and a handful of other CentOS developers are now full-time Red Hat employees, working in-house on the CentOS distribution with more transparent processes and methods. None of the CentOS developers will be working on Red Hat Enterprise Linux. The CentOS project would become another distribution and community cared for by Red Hat, like Fedora, and Red Hat CTO Brian Stevens says the company is planning its future around OpenStack, not just Linux."
Oracle

Oracle Broadens Legal Fight Against Third-party Solaris Support Providers 142

angry tapir writes "Oracle is continuing its legal battle against third-party software support providers it alleges are performing such services in a manner that violates its intellectual property. Last week, Oracle sued StratisCom, a Georgia company that offers customers support for Oracle's Solaris OS, claiming it had 'misappropriated and distributed copyright, proprietary software code, along with the login credentials necessary to download this code from Oracle's password-protected websites.'"
The Internet

Nagios-Plugins Web Site Taken Over By Nagios 119

New submitter hymie! writes "Nagios is a commonly used IT tool that monitors computers, networks, and websites. It supports the use of plug-ins, many of which were developed independently by the community. Holger Weiß, formerly of nagios-plugins.org, announced that 'Yesterday, the DNS records [of nagios-plugins.org] were modified to point to web space controlled by Nagios Enterprises instead. This change was done without prior notice. To make things worse, large parts of our web site were copied and are now served (with slight modifications) by Nagios. Again, this was done without contacting us, and without our permission. This means we cannot use the name 'Nagios Plugins' any longer.' Further discussion is available in a Bugzilla thread."
Linux Business

Fedora 21 Linux Will Be Nameless 128

darthcamaro writes "What follows in the footsteps of Heisenbug, Spherical Cow and Beefy Miracle? Apparently the answer is 'null' as in nothing. Fedora Linux 21 could well have no funky new name as its past predecessors have all had, thanks to a recent vote by the Fedora board to move away from the existing naming practices. Fedora 21 itself will not be out in the first half of 2014 either, instead the plan is now for a release sometime around August. A delayed release however doesn't mean something is wrong as Red Hat's community Linux distro aims to re-invent itself."
Red Hat Software

Red Hat To Help Develop CentOS 186

An anonymous reader writes with news that Red Hat and the CentOS project are "joining forces" to develop the next version of CentOS. For years, CentOS has been a popular choice for users who want to use Red Hat Enterprise Linux without having to pay for it. Some of the CentOS developers are moving to Red Hat, but they won't be working on RHEL — they say the "firewall" between the two distros will remain in place. CentOS Project Chair Karanbir Singh said, 'The changes we make are going to be community inclusive, and promoted, proposed, formalised, and actioned in an open community centric manner on the centos-devel mailing list. And I highly encourage everyone to come along and participate.'
Operating Systems

Kernel DBus Now Boots With Systemd On Fedora 341

An anonymous reader writes "Red Hat developers doing some holiday hacking have managed to get a bootable system with systemd + KDBUS on Fedora 20. KDBUS is a new DBus implementation for the Linux kernel that provides greater security and better performance than the DBus daemon in user-space. Systemd in turn interfaces with KDBUS for user-space interaction. Testing was done on Fedora 20 but the systemd + KDBUS configuration should work on any modern distribution when using the newest code."
Programming

Red Hat Releases Ceylon Language 1.0.0 159

First time accepted submitter Gavin King writes with news that the Ceylon language hit 1.0: "Ceylon 1.0 is a modern, modular, statically typed programming language for the Java and JavaScript virtual machines. The language features an emphasis upon readability and a strong bias toward omission or elimination of potentially-harmful constructs; an extremely powerful type system combining subtype and parametric polymorphism with declaration-site variance, including first-class union and intersection types, and using principal types for local type inference and flow-dependent typing; a unique treatment of function and tuple types, enabling powerful abstractions; first-class constructs for defining modules and dependencies between modules; a very flexible syntax including comprehensions and support for expressing tree-like structures; and fully-reified generic types, on both the JVM and JavaScript virtual machines, and a unique typesafe metamodel. More information may be found in the feature list and quick introduction." If you think Ceylon is cool, you might find Ur/Web interesting too.
Red Hat Software

Red Hat Wants to be a Dominant Force in the Cloud (Video) 40

Red Hat has two primary Cloud Evangelists: Gordon Haff and Richard Morrell. Richard says this about himself: "I'm Red Hat's Cloud Security Blogger and Cloud Evangelist based in Europe. Passionate about good code and Open Hybrid Cloud. Founder of SmoothWall protecting millions of networks for 13 years globally. My blogging and my podcasting is my own editorial and does not represent the views of Red Hat..." We have known Richard since the 20th Century, so this interview has been a long time coming. In it, he talks about how Red Hat is working to become as strong in the Open Source cloud world as it already is in GNU/Linux. This interview may not "represent the views of Red Hat," but it obviously represents the views of a loyal Red Hat employee who is also a long-time Linux enthusiast.
United States

Tech Titans Oracle, Red Hat and Google To Help Fix Healthcare.gov 404

wjcofkc writes "The United States Government has officially called in the cavalry over the problems with Healthcare.gov. Tech titans Oracle, Red Hat and Google have been tapped to join the effort to fix the website that went live a month ago, only to quickly roll over and die. While a tech surge of engineers to fix such a complex problem is arguably not the greatest idea, if you're going to do so, you might as well bring in the big guns. The question is: can they make the end of November deadline?"
Red Hat Software

Fedora Project Turns 10 83

darthcamaro writes "It was ten years ago this past Sunday September 22nd, that the Red Hat sponsored Fedora project was born. The first Fedora release didn't come until six weeks later in November of 2003. Over the last 10 years the project has transformed itself from being entirely controlled by Red Hat to being a true community effort. In a video interview, the current Fedora Project Leader, Robyn Bergeron talks about the past and the future of Fedora. 'We need to think about how we're actually making the sausage,' Bergeron said. 'I think we can try and abstract and automate the things we have to do a lot, so our really awesome people's brains can be applied to solving problems that aren't yet automate-able.'"
GNOME

Intel, Red Hat Working On Enabling Wayland Support In GNOME 168

sfcrazy writes "After shooting down Canonical's Mir, Intel and Red Hat teams have increased collaboration on the development of Wayland. Developers at Intel and Red Hat are working together to 'merge and stabilize the patches to enable Wayland support in GNOME,' as Christian Schaller writes on his blog. The teams are also looking into improving the stack further. Weston won't be used anymore, so GNOME Shell will become the Wayland compositor. It must be noted that Canonical earlier committed to supporting and embracing Wayland. Despite that promise, the company silently stopped contribution, and it was later learned that they were secretly working on their own display server, Mir. Intel's management recently rejected patches for Mir, leaving its maintenance to Canonical. Before Intel's rejection, GNOME and KDE also refused to adopt Mir. Intel's message is clear to Canonical: if you promise to contribute, then do so."
Cloud

Linux Vendors Push For Open-Source In Hybrid Datacenter Clouds 30

Nerval's Lobster writes "Linux vendors Red Hat and SUSE are pushing to make sure Linux-based virtual machines are an important part of datacenter-based hybrid clouds. The two are taking significantly different tacks toward the same destination, however. SUSE is using the visibility and cloud hype of VMware by extending its partnership with the virtualization provider to promote its SUSE Linux Enterprise Server for VMware as an alternative operating system for virtual machines running on VMware's vCloud Hybrid Service. Red Hat is happy to include VMware in its plans, but isn't limiting itself either to VMware-based clouds or, in fact, the idea that a Linux vendor has to tag along with a cloud- or virtualization developer to find its place in mixed infrastructures. 'We do not buy into the premise that a private or a hybrid platform based on one vendor's technologies and products is the answer,' wrote Bryan Che, general manager of Red Hat's Cloud Business Unit. More than 25 percent of customers want clouds or datacenter infrastructures using virtualization products from more than one vendor, according to a buyers' guide published in August by market researcher IDC."
Linux Business

Red Hat CEO: Bring On the Clones 182

An anonymous reader writes "Best Buy and Barnes and Noble have a problem with showrooming — shoppers checking out the merchandise in their stores and then proceeding to order the goods at discounted prices online. And Red Hat might have a similar problem with people (not just college kids and software professionals boning up on their skills at home, either) using the free-as-in-beer CentOS rather than licensing Red Hat Enterprise Linux and paying support fees. But according to CEO Jim Whitehurst, Red Hat's competitive position may actually be helped by CentOS in the same way that counterfeit Windows products sold on the streets in the Far East may have helped Microsoft — by cementing their position as the technology standard, in a marketplace that also includes entrants from SuSE, Debian, Oracle, and Ubuntu, just among Linux-based entrants. Who does Whitehurst consider to be Red Hat's most direct threat? VMWare."
Red Hat Software

Can Red Hat Do For OpenStack What It Did For Linux? 118

Brandon Butler writes "Red Hat made its first $1 billion commercializing Linux. Now, it hopes to make even more doing the same for OpenStack. Red Hat executives say OpenStack – the open source cloud computing platform – is just like Linux. The code just needs to be massaged into a commercially-hardened package before enterprises will really use it. But just because Red Hat successfully commercialized Linux does not guarantee its OpenStack effort will go as well. Proponents say businesses will trust Red Hat as an OpenStack distribution company because of its work in the Linux world. But others say building a private cloud takes a lot more than just throwing some code on top of a RHEL OS."
