Microsoft and Adobe’s October Patch Tuesday – Security Snippets


  • Microsoft’s Monthly: It’s remote code execution holes all the way down in this month’s Patch Tuesday. From a bundle of Internet Explorer fixes in MS13-080 to a crunchy critical remote code execution hole and extra ‘important’ privilege escalation holes in Windows kernel-mode drivers in MS13-081, which affects everything from XP SP3 all the way up to Windows 8. But wait, there’s more according to the cumulative advisory, MS13-Oct: critical remote code execution holes in the .NET Framework (MS13-082) and the Windows Common Control Library (MS13-083), and “Important” remote code execution holes in SharePoint Server (MS13-084), Excel (MS13-085) and Word (MS13-086) are also reported. There’s also an information disclosure hole in Silverlight (MS13-087). Fixes are available from your friendly Microsoft Update service.
  • Adobe patches help up: Adobe’s fixes for this month have also been released. As well as the usual Reader and Acrobat fixes, developers who use Adobe’s RoboHelp will want to check out APSB13-24, as it’s a critical hole which could enable code execution. Adobe give it a priority rating of 3, as RoboHelp has “not historically been a target for attackers”, but there’s always a first time.

PC-BSD 9.2, Percona Server 5.6 and Perl 11? – Snippets


  • PC-BSD 9.2 arrives: Like your BSD with the sharp bits filed off for ease of use? PC-BSD is a user-friendly version of FreeBSD built for the desktop, but, as the newly released PC-BSD 9.2 shows, that doesn’t mean you get to miss out on features. For example, the FreeBSD 9.2-based PC-BSD 9.2 comes with bootable ZFS environments, so you can create a boot environment and select it from GRUB2. There’s also a Boot Manager GUI so you don’t need to fiddle with the command line for boot changes, an installer which can restore from a ZFS replicated backup and an updated Life-Preserver utility for creating ZFS snapshots. The developers have also migrated all their source to GitHub, updated Warden (their utility for managing BSD jails) and switched to a new CDN for ISO images and packages. The bad news? That CDN seems to be rather slow, to say the least, when it comes to downloading the ISO image, so practice patience.
  • Percona percolate fresh MySQL server: Percona, the other other company that builds a MySQL-based server, has announced Percona Server 5.6.13-61.0, the first GA release of a MySQL 5.6-based Percona Server. It has all the improvements of 5.6’s community edition, but with the slots for plugins filled: that means there’s a thread pool for performance, clustering for HA and a PAM plugin for authentication, all on top of the XtraDB storage engine – the kind of things Oracle would ask you to buy as part of their MySQL Enterprise offering. You can download the newly released edition from Percona.
  • Perl 11?: A curio on the radar is the appearance of a site called perl11.org. There’s little detail on who is behind it, but it says it is a project to modernise Perl 5 at the runtime level by giving it a pluggable virtual machine, AST and compiler. Will it happen? Who knows, but there are some interesting links in there, especially to the amusing if slightly sweary Stevan’s Little Announcement for moe.

Rubinius 2.0 has eyes on Ruby 2.1

Although Ruby 2.1 hasn’t been released yet, the just-released version 2.0 of the Rubinius Ruby runtime is aiming to be Ruby 2.1 compatible. Rubinius, for those who don’t know of it, is an implementation of Ruby which uses an LLVM-based JIT compiler, a generational garbage collector and native threads to give a Ruby runtime that can run efficiently on all the CPU cores of a modern platform. The developers are also the maintainers of RubySpec, a library of 20,000-plus specifications which document the behaviour of MRI (Matz’s Ruby Implementation), created to help maintain compatibility with the ‘reference’ Ruby implementation; RubySpec is now used by many other Ruby implementations to ensure compatibility.

As the developers explain, while the Ruby 2.1 MRI runtime hasn’t been released yet, they are aiming to improve compatibility with the leading edge of Ruby. This comes with a sacrifice though: historically the Rubinius developers have tried to support multiple Ruby versions and all the oddness that happens in any system where the specification is the implementation. The developers hope that this change, along with a focus on creating concurrent, distributed applications, will make “Ruby competitive with Go, Erlang, Clojure, Scala and Node” in that domain. This means, they say, that performance and stability for that kind of application will be prioritised over supporting some legacy Ruby code or “quirky Ruby feature”. In preparation for a more componentised Ruby, Rubinius 2.0 has isolated the standard library into a Ruby gem. There’s also a new release system for the Rubinius platform, with a new versioning scheme being introduced in the transition between 2.0 and 3.0.

The developers also outline their future thoughts and plans for Rubinius, including better (and less) concurrency coordination, less finely grained locks replacing the Ruby GIL, a more concurrent and parallel garbage collector and a JIT more informed by Ruby semantics. The plans set out are focussed on making sure Ruby isn’t left behind by the new slew of languages and, as the Rubinius team say, “developers who are happy writing Ruby shouldn’t be forced to leave it because of technical limitations” – limitations they are setting out to remove.

Apache Lucene and Solr go 4.5

The text-search library Lucene and Solr, the search platform built on top of it, have both been updated to version 4.5. Version 4.4 came out in July, so what’s changed in this version bump?

Well, first of all, for Lucene, the DocValues mechanism, which allows typed per-document storage to be associated with documents, has been updated to allow for missing values, and there are new in-memory DocIdSet implementations which are more efficient for carrying around smaller sets of documents. Other changes can be found in the Lucene 4.5 release notes.

Solr 4.5, as usual, benefits from and supports these changes as it is built on Lucene, but the search platform has also had its own set of improvements. For example, when running a sharded cluster, it’s now possible to set up custom routing to the various shards, including routing based on field values. Faceted searches are now multi-threaded, the solr.xml configuration file can now be stored in ZooKeeper and the CloudSolrServer has the ability to send updates directly to shard leaders. Again, more details are available in the Solr 4.5 release notes, and the PDF of the updated Solr reference guide is available through the Apache mirrors. Both Lucene and Solr also have various bugfixes and performance improvements.

NetBSD 6.1.2, Lua JVM, MeeGo/Symbian’s long walk and MariaDB/Debian – Snippets


  • NetBSD 6.1.2 released: The second security/bug-fix release for NetBSD 6.1 is now available, with one security fix and fixes for KVM shutdown, USB device enumeration, networking with npf, UDF file systems and pthreads. There’s also updated timezone data, a corrected regression for some X apps and a fix for some Emacs 24 crashes.
  • A Lua JVM?: An intriguing experiment has appeared in the form of luje, a “toy” Java virtual machine written in Lua. It compiles Java bytecode into Lua source on the fly and then runs it with LuaJIT. “Right now it excels at anything which involves tight loops and floats or doubles in local variables”, says the developer, David Given, noting that it can beat HotSpot’s JIT in those cases, but that it does badly with longs and many other things. The code is a 0.1 release, is fragile and incompletely implemented, but if interesting JIT tricks are your thing, this is one to look at.
  • Crunch time for MeeGo/Symbian: It looks like the end of Nokia’s support for MeeGo and Symbian devices through the company’s store is coming, with the blocking of new app publication from 1 January 2014.
  • MariaDB’s heading to Debian: Colin Charles passes on the news that Debian’s MySQL package team have a plan for MariaDB 5.5: it has been uploaded to Debian unstable and should appear there in due course.

LibreOffice updated, IPython sponsored, Warden contained – Snippets


  • LibreOffice gets a maintenance bump: There’s an update for LibreOffice 4.1, the just-announced 4.1.2, but the Document Foundation are still not recommending it for enterprise adoption and say the 4.0.5 (and soon 4.0.6) version of the office suite is still recommended for that. As usual they’ve scattered the changelogs over three different documents (at some point they might think about consolidating minor point update changelogs into, oooh, a single release note), but in summary, things have been fixed, most of which are listed in the RC1 changelog.
  • IPython gets Microsoft mad money: The IPython project, which creates a Python-based architecture for interactive notebooks, visualisation, interpreters and parallel computing work, has just announced $100,000 of sponsorship from Microsoft. Apparently they did one heck of a demo for the Microsoft Research folks. The sponsorship went through NumFOCUS, who are sponsored by J.P. Morgan and Microsoft, among others, to promote open source scientific software.
  • More containers: Everyone’s got a plan for managing containers these days. This time it’s Cloud Foundry’s Warden, an Apache-licensed “simple API for managing isolated environments”. The server README provides more details: apparently initially developed with LXC, Warden no longer depends on LXC. It uses aufs or overlayfs depending on the Ubuntu release, and talks JSON over sockets between its server and clients.

Arduino’s x86 and TI/ARM treats

Arduino Tre – Bristling with connections

Arduino has been working with both Intel and TI to create two new boards, both of which are quite interesting departures from their previous designs. Both run Linux, in different ways: one replaces the AVR microcontroller of the classic Arduino, while the other hugs a classic Arduino deep into its design.

The first board announced was the Arduino Galileo, which is powered by Intel’s Quark SoC X1000 running at 400MHz; it is due to be available in November and, according to some reports, will be “less than $80”. The processor is a 32-bit “Pentium-class” chip and the datasheet (PDF) details how the board has a set of 3.3V (or jumper-settable 5V) connectors which are Arduino Uno R3 pin compatible. There’s also 10/100 Ethernet, a PCI Express mini card slot, a micro-SD slot and USB client and USB host connectors on the board. This is very much an Intel rendering of what an Arduino would be with Intel’s Quark at its core; note, for example, that for a board of its spec there’s no video out of any form, despite it being priced close to, and above, the Raspberry Pi and BeagleBone Black. It’s an interesting iteration which gets Intel into the emerging market of small embeddable devices, but will it play with the makers? It doesn’t look easy to go from a Galileo to a production device.

The other board may be more exciting for makers, even if it is not available till next spring and is being shown now only as a sneak peek. Designed as part of a collaboration between Arduino and the BeagleBoard.org foundation, the Arduino Tre is a double-processor sandwich: a 1GHz TI Sitara AM335x processor running Linux wrapped around an ATmega32u4-based Arduino. Yes, the BeagleBone Black and the Arduino have had a love-child and the Tre is the result: an ARM-based processor running Linux to do the heavy compute lifting and networking, and a classic Arduino to do the interfacing. The Tre is covered in connectors to wire up to, with the Arduino shield pins in the centre and the BeagleBone-style cape connectors still on the board, but now separated by a whole Arduino.

How this’ll work in practice, who knows, but it opens up a range of opportunities, especially as the Tre, unlike the Galileo, has HDMI video out too. Again there’s no official pricing, and it is down for a spring landing, so a bit of a wait. Till then, if you haven’t got one, get yourself a BeagleBone Black and interface it to your Arduino to simulate at least some of the experience.

Which reminds me… (he said getting his BeagleBone Black out)…