Debian 9 Stretches Its Wings

The latest release of Debian, code-named Stretch, has been released after 26 months of development. Debian 9 will be supported for the next five years, making it one of the longest supported community-based distributions. Ubuntu LTS is supported for three years on desktops and five years on servers; CentOS is supported for 10 years.

Debian has done some reshuffling with default software: MariaDB has replaced MySQL as the default database, and since the Mozilla and Debian communities have sorted out their trademark dispute, you can now use vanilla Firefox and Thunderbird instead of rebranded Iceweasel and Icedove.

Debian is primarily a leading server operating system, but it is also well regarded among desktop users who need reliable and stable systems. Debian is a Gnome distribution, and Stretch comes with a generation-older Gnome Shell 3.22. That's the only downside of using Debian on the desktop; you are often stuck with very old packages.

Given the continuous disclosure of security bugs in Linux, Debian is maintaining a very tight grip on security.

"Thanks to the Reproducible Builds project, over 90% of the source packages included in Debian 9 will build bit-for-bit identical binary packages. This is an important verification feature which protects users from malicious attempts to tamper with compilers and build networks. Future Debian releases will include tools and metadata so that end-users can validate the provenance of packages within the archive," said the release announcement.

The X display server no longer needs to run with "root" privileges, a requirement that has been a major criticism and security risk.

This is also the first release of Debian that features the modern branch of GnuPG in the gnupg package. "This brings with it elliptic curve cryptography, better defaults, a more modular architecture, and improved smart card support. We will continue to supply the classic branch of GnuPG as gnupg1 for people who need it, but it is now deprecated," said the release announcement. This release has also improved UEFI support, which now also supports installing on 32-bit UEFI firmware with a 64-bit kernel. The Debian Live images now include support for UEFI booting as a new feature, too.

Debian is known for its wide architecture support. This release supports 10 architectures, including 64-bit PC/Intel EM64T/x86-64 (amd64), 32-bit PC/Intel IA-32 (i386), 64-bit little-endian Motorola/IBM PowerPC (ppc64el), and 64-bit IBM S/390 (s390x); for ARM, armel and armhf for older and more recent 32-bit hardware, plus arm64 for the 64-bit AArch64 architecture; and, for MIPS, in addition to the two 32-bit mips (big endian) and mipsel (little endian), a new mips64el architecture for 64-bit little-endian hardware.

Debian 9 is available for free download.

Serious Stack Clash Bug Affects Linux Systems

Security researchers at Qualys have discovered an old vulnerability in Linux systems that can be exploited to execute arbitrary code on the system.

The flaw is related to the way the computer uses the stack (a special memory region). As programs need more memory, this region grows and can come close to another stack. This proximity may cause the program to confuse its stack with other memory regions.

"An attacker could use this flaw to jump over the stack guard page, causing controlled memory corruption on the process stack or the adjacent memory region, thus increasing their privileges on the system," Red Hat explained in a security advisory.

The vulnerability has been christened Stack Clash and assigned CVE-2017-1000364 for the Linux kernel and CVE-2017-1000366 for glibc.

Ironically, this jump is not a new problem; it has been around for more than a decade now and was exploited earlier in 2005 and 2010. Linux fixed the issue by adding a protection called stack guard page after the 2010 exploit.

"Access to the stack guard page triggers a trap, so it serves as a divider between a stack memory region and other memory regions in the process address space so that sequential stack access cannot be fluently transformed into access to another memory region adjacent to the stack (and vice versa)," wrote Red Hat.

However, Qualys discovered that despite stack guard page protection, stack clashes are still exploitable.
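To make the "divider" idea concrete, the following added example (not code from the article, Qualys, or Red Hat) parses a constructed `/proc/<pid>/maps` listing and reports how much unmapped address space separates the main-thread `[stack]` mapping from the mapping directly below it. The sample lines, the function names, the 4 KiB page size, and the `min_gap_pages` threshold are all assumptions chosen for the illustration.

```python
import re

# Constructed sample in /proc/<pid>/maps format (not captured from a real host).
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131 /usr/bin/example
01c3e000-01c5f000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a101c0000 r-xp 00000000 08:01 262 /lib/x86_64-linux-gnu/libc-2.24.so
7ffd5f3fe000-7ffd5f400000 rw-p 00000000 00:00 0
7ffd5f401000-7ffd5f422000 rw-p 00000000 00:00 0 [stack]
"""

# Fields: start-end perms offset dev inode [name]
LINE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Return (start, end, perms, name) tuples sorted by start address."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            start, end, perms, name = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, name))
    return sorted(regions)


def audit_stack_gap(text, page_size=4096, min_gap_pages=256):
    """Measure the unmapped gap directly below the main-thread [stack] mapping.

    page_size and min_gap_pages are assumptions chosen for this example.
    Returns None when there is no [stack] entry or nothing is mapped below it.
    """
    regions = parse_maps(text)
    for i, (start, _end, _perms, name) in enumerate(regions):
        if name == "[stack]" and i > 0:
            _b_start, b_end, b_perms, b_name = regions[i - 1]
            gap_pages = (start - b_end) // page_size
            return {
                "gap_pages": gap_pages,
                "below": b_name or "(anonymous)",
                "below_writable": "w" in b_perms,
                # Flag a writable neighbour closer than the chosen threshold.
                "flag": "w" in b_perms and gap_pages < min_gap_pages,
            }
    return None


if __name__ == "__main__":
    print(audit_stack_gap(SAMPLE_MAPS))
```

In the constructed sample, a writable anonymous mapping ends exactly one page below the stack, so the check flags it; only the `[stack]` entry is examined, not per-thread stacks.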

Qualys worked closely with Linux vendors to develop patches. The company also managed to develop seven exploits and seven proofs of concept for this weakness to help write patches.
