LWN.net

The LWN.net Weekly Edition for January 19, 2017 is available.

Nobody starts a free-software project hoping that it will fail, so it is arare project indeed that plans for its eventual demise. But not allprojects succeed, and a project that doesn't plan for failure risks is doingits users harm. Dan Callahan joined Mozilla to work on the Personaauthentication project, and he was there for its recent shutdown. At the 2017linux.conf.au in Hobart, Tasmania, he used his keynote slot to talk aboutthe lessons that have been learned about designing a project for failure.

Arch Linux has updated webkit2gtk (multiple vulnerabilities).CentOS has updated qemu-kvm (C7: denial of service).Debian-LTS has updated icoutils (multiple vulnerabilities).Fedora has updated icoutils (F25; F24:three vulnerabilities), mingw-libgsf (F25:denial of service), and php-PHPMailer (F24:three vulnerabilities).openSUSE has updated bind (42.2, 42.1; 13.2: three denial of service flaws), libgit2 (13.2: two vulnerabilities), openjpeg2 (13.2: multiple vulnerabilities), pdns (42.2, 42.1, 13.2: multiplevulnerabilities), qemu (42.2: multiplevulnerabilities), and squid (42.2: threevulnerabilities, one from 2014).Oracle has updated kernel (OL7:three vulnerabilities) and qemu-kvm (OL7: denial of service).Red Hat has updated docker(RHEL7: privilege escalation), docker-latest (RHEL7: privilege escalation),kernel (RHEL7: three vulnerabilities),kernel-rt (RHEL7; RHEMRG2.5: three vulnerabilities), qemu-kvm (RHEL7: denial of service), and runc (RHEL7: privilege escalation).Scientific Linux has updated kernel (SL7: three vulnerabilities) and qemu-kvm (SL7: denial of service).SUSE has updated kernel(SLE12-SP2: multiple vulnerabilities).Ubuntu has updated nvidia-graphics-drivers-304 and nvidia-graphics-drivers-340 (denial of service).

The Free Software Foundation has reworked its high-priorityproject list to reflect its view of computing in 2017. See thechangelog for a list of the changes that were made. Among otherthings, the Gnash flash player has fallen off the list. "Smart phones are the mostwidely used form of personal computer today. Thus, the need for a fullyfree phone operating system is crucial to the proliferation of softwarefreedom."

Arch Linux has updated python-crypto (code execution) and python2-crypto (code execution).CentOS has updated bind (C7; C6; C5: denial of service) and bind97 (C5: denial of service).Debian-LTS has updated pdns-recursor (code execution).Fedora has updated bind (F24:three denial of service flaws), bind99(F24: three denial of service flaws), and SimGear (F25: file overwrites).Gentoo has updated file (multiple vulnerabilities), libxml2 (multiple vulnerabilities), miniupnpc (denial of service), pidgin (multiple vulnerabilities), vlc (code execution), and xdelta (code execution).openSUSE has updated ark (42.2, 42.1; SPH for SLE12: code execution), encfs (42.2, 42.1, 13.2: code execution from2014), gstreamer-0_10-plugins-bad (13.2:code execution), gstreamer-0_10-plugins-base (13.2: codeexecution), gstreamer-0_10-plugins-good(13.2: multiple vulnerabilities), gstreamer-plugins-bad (42.1; 13.2:three vulnerabilities), gstreamer-plugins-base (42.1; 13.2:code execution), gstreamer-plugins-good (42.1; 13.2:multiple vulnerabilities), icinga (14.2,14.1: two vulnerabilities), icoutils (42.2; 42.1; 13.2: multiple vulnerabilities), openjpeg2 (42.2: multiple vulnerabilities), pcsc-lite (42.2, 42.1, 13.2: privilegeescalation), and python-pycrypto (14.2,14.1, 13.2: denial of service).Oracle has updated bind (OL7; OL6; OL5: denial of service), bind97 (OL5: denial of service), and docker-engine docker-engine-selinux (OL7; OL6: two vulnerabilities).Red Hat has updated kernel(RHEL6.5: code execution).Scientific Linux has updated bind (SL7; SL5,6:denial of service) and bind97 (SL5: denial of service).

Keith Packard is the chief architect for The Machine project at HPE; wecovered his talk on this project back in2015. At the 2017 linux.conf.au Kernel Miniconf, Packard focused on onespecific aspect of The Machine's hardware and software configuration: howstorage is managed and presented to applications. Like much that is beingdone with this project, its storage architecture is an interestingcombination of new ideas and long-established techniques.

Alexandre Prokoudine looks atuser-visible changes for the GNU Image Manipulation Program (GIMP) over2016. Changes include better handling of layers, channels, masks, andpaths, remembering defaults across sessions, improved configurability,color management, and more.

Calligra 3.0 has been released.The Calligra Suite includes office, graphics, and project managementapplications. "We havechosen to cut back on the number of applications. Krita has left us to beindependent and although it was emotional it was also done with completesupport from both sides. We are saying goodbye to Author, which neverdifferentiated itself from Words. We also removed Brainstorm the purpose ofwhich will be better fitted by a new application (nothing planned from ourside). Flow and Stage has gone in this release but we intend to bring themback in the future." The 3.x series updates the applications to useKDE Frameworks 5 and Qt5.

The Linux Test Project test suite stable release for January 2017 is out.There are new test cases, a new shell test library and many tests rewrittento make use of it, and much more. LWN looked at LTP last December.

Arch Linux has updated libgit2 (multiple vulnerabilities), nginx (privilege escalation), nginx-mainline (privilege escalation), and wordpress (multiple vulnerabilities).Debian has updated icoutils(three vulnerabilities), pdns (multiplevulnerabilities), pdns-recursor (denial ofservice), python-bottle (regression inprevious update), and tiff (multiple vulnerabilities).Debian-LTS has updated botan1.10(integer overflow), gcc-mozilla (update toGCC 4.8), icedove (multiplevulnerabilities), libx11 (denial ofservice), otrs2 (code execution), python-bottle (regression in previous update),wireless-regdb (radio regulations updates), and xen (two vulnerabilities).Fedora has updated bind (F25:three denial of service flaws), bind99(F25: three denial of service flaws), ca-certificates (F25; F24:certificate update), docker-latest (F25:privilege escalation), gnutls (F24:multiple vulnerabilities), libgit2 (F25: multiple vulnerabilities), and onionshare (F25; F24: file injection).Gentoo has updated apache(multiple vulnerabilities, one from 2014).Mageia has updated golang (denial of service) and irssi (multiple vulnerabilities).Red Hat has updated bind (RHEL7; RHEL5,6: denial of service) and bind97 (RHEL5: denial of service).Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities).SUSE has updated qemu (SLE12-SP2:multiple vulnerabilities).

The 4.10-rc4 kernel prepatch is out fortesting. "Things are still looking fairly normal, and this is theusual weekly Sunday rc release. We're up to rc4, and people are clearlystarting to find the regressions. Good, good."

The 4.9.4 and 4.4.43 stable kernel updates are available;each contains a relatively large set of important fixes.

Google has posted an overview of its infrastructure security. It includes information about low-level details, such as physical security and secure boot, encryption of data at rest as well as communications between services and to users, keeping employee devices and credentials safe, and more. Undoubtedly there are lessons here for many different organizations. "This document gives an overview of how security is designed into Google’s technical infrastructure. This global scale infrastructure is designed to provide security through the entire information processing lifecycle at Google. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.Google uses this infrastructure to build its internet services, including both consumer services such as Search, Gmail, and Photos, and enterprise services such as G Suite and Google Cloud Platform."

Wired covers the release of Qbsolv as open-source software (under the Apache License v2) by D-Wave, which is a company that makes quantum computing hardware. Qbsolv is "designed to help developers program D-Wave machines without needing a background in quantum physics". Further:Qbsolv joins a small but growing pool of tools for would-be quantum computer programmers. Last year Scott Pakin of Los Alamos National Laboratory–and one of Qbsolv’s first users–released another free tool called Qmasm, which also eases the burden of writing code for D-Wave machines by freeing developers from having to worry about addressing the underlying hardware. The goal, Ewald says, is to kickstart a quantum computing software tools ecosystem and foster a community of developers working on quantum computing problems. In recent years, open source software has been the best way to build communities of both independent developers and big corporate contributors.Of course to actually run the software you create with these tools, you’ll need access to one of the very few existing D-Wave machines. In the meantime, you can download a D-Wave simulator that will let you test the software on your own computer. Obviously this won’t be the same as running it on a piece of hardware that uses real quantum particles, but it’s a start.

Arch Linux has updated ark (codeexecution), bind (multiple vulnerabilities), docker (privilege escalation), flashplugin (multiple vulnerabilities), irssi (multiple vulnerabilities), lib32-flashplugin (multiple vulnerabilities), and libvncserver (two vulnerabilities).CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities) and kernel (three vulnerabilities).Debian has updated rabbitmq-server (authentication bypass).Debian-LTS has updated asterisk(two vulnerabilities, one from 2014).Fedora has updated docker (F25:privilege escalation), libgit2 (F24: multiple vulnerabilities),and pcsc-lite (F24: privilege escalation).Gentoo has updated postgresql(multiple vulnerabilities, two from 2015), runc (privilege escalation), and seamonkey (multiple vulnerabilities).Mageia has updated flash-player-plugin (multiple vulnerabilities), php-ZendFramework2 (parameter injection), unzip (two vulnerabilities, one from 2014),and webmin (largely unspecified).Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities) kernel 2.6.39 (OL6; OL5:multiple vulnerabilities), kernel3.8.13 (OL7; OL6: multiple vulnerabilities), and kernel 4.1.12 (OL7; OL6: multiple vulnerabilities).Red Hat has updated java-1.6.0-openjdk (multiple vulnerabilities).Scientific Linux has updated kernel (SL6: three vulnerabilities).

Over at Techdirt, Mike Masnick writes about a libel suit filed against the site: "As you may have heard, last week we were sued for $15 million by Shiva Ayyadurai, who claims to have invented email. We have written, at great length, about his claims and our opinion — backed up by detailed and thorough evidence — that email existed long before Ayyadurai created any software. We believe the legal claims in the lawsuit are meritless, and we intend to fight them and to win.There is a larger point here. Defamation claims like this can force independent media companies to capitulate and shut down due to mounting legal costs. Ayyadurai's attorney, Charles Harder, has already shown that this model can lead to exactly that result. His efforts helped put a much larger and much more well-resourced company than Techdirt completely out of business."

Greg Kroah-Hartman has announced the release of the 4.9.3 and 4.4.42 stable kernels. As usual, there arefixes throughout the tree and users of those kernel series should upgrade.

Debian has updated bind9 (threevulnerabilities), ikiwiki (threevulnerabilities), and python-pysaml2 (XMLexternal entity attack).Debian-LTS has updated libav (twovulnerabilities).Fedora has updated compat-guile18 (F25; F24:insecure directory creation), mingw-flac(F25: three vulnerabilities from 2015), qpid-java (F25: information disclosure), andspringframework-security (F25: securityconstraint bypass).openSUSE has updated flash-player(13.2: multiple vulnerabilities).Red Hat has updated memcached(RHMAP4.2: two vulnerabilities).Slackware has updated bind(denial of service), gnutls (multiplevulnerabilities), and irssi (multiple vulnerabilities).SUSE has updated bind (SLE12-SP2,SP1; SLE12; SLE11-SP4,SP3: three vulnerabilities) and flash-player (SLE12-SP1: multiple vulnerabilities).Ubuntu has updated bind9 (threevulnerabilities) and libvncserver (two vulnerabilities).

The LWN.net Weekly Edition for January 12, 2017 is available.

The Ansible project is currently posting release candidates for the 2.1.4and 2.2.1 releases. They fix an important security bug:"CVE-2016-9587 is rated as HIGH in risk, as a compromised remotesystem being managed via Ansible can lead to commands being run on theAnsible controller (as the user running the ansible or ansible-playbookcommand)." Until this release is made, it would make sense to beespecially careful about running Ansible against systems that might havebeen compromised.Update: see thisadvisory for much more detailed information.

The appearance of a "Python 2.8" got the attention of the Python coredevelopers in early December. It is based on Python 2.7, withfeatures backported from Python 3.x. In general, there was littlesupport for the effort—core developers tend to clearly see Python 3 asthe way forward—but no opposition to it either. The Python license makesit clear that these kinds of efforts are legal and evenencouraged—any real opposition to the project lies in its name.Subscribers can click below for the full article from this week's edition.

Debian has updated icedove (multiple vulnerabilities).Debian-LTS has updated tomcat7 (information disclosure).Gentoo has updated bind (denialof service), botan (two vulnerabilities),c-ares (code execution), dbus (denial of service), expat (multiple vulnerabilities, one from2012), flex (code execution), nginx (privilege escalation), ntfs3g (privilege escalation from 2015), p7zip (two code execution flaws), pgbouncer (two vulnerabilities), phpBB (two vulnerabilities), phpmyadmin (multiple vulnerabilities), vim (code execution), and vzctl (insecure ploop-based containers from 2015).openSUSE has updated jasper(42.2, 42.1: multiple vulnerabilities).Oracle has updated kernel (OL6: three vulnerabilities).Red Hat has updated flash-plugin(RHEL6: multiple vulnerabilities), kernel(RHEL6.7: code execution), and kernel(RHEL6: three vulnerabilities).SUSE has updated freeradius-server (SLE12-SP1,2: insufficientcertificate verification) and LibVNCServer(SLE11-SP4: two vulnerabilities).Ubuntu has updated kernel (16.10; 16.04;14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiplevulnerabilities), linux-lts-xenial (14.04:three vulnerabilities), linux-raspi2 (16.10; 16.04:two vulnerabilities), linux-snapdragon(16.04: two vulnerabilities), linux-ti-omap4 (12.04: two vulnerabilities),and webkit2gtk (16.04: multiple vulnerabilities).

Tim Kadlec looks at theongoing MongoDB compromises and how they came to be."Before version 2.6.0, that wasn’t true. By default, MongoDB was leftopen to remote connections. Authentication is also not required by default,which means that out of the box installs of MongoDB before version 2.6.0happily accept unauthenticated remote connections."

The digiKam team has announcedthe release of version 5.4.0 of the digiKam Software Collection, aphoto editing system."This version introduces several improvements to the similaritysearch engine and a complete re-write of video file support." Underthe hood, digiKam has been fully ported to the QtAV framework to handle video and audio files.

Synfig Studio 1.2.0, a 2D animation system, has been released.This version features a completely rewritten render engine and new lipsyncfeatures, along with many improvements and bugfixes.

Arch Linux has updated icoutils (code execution).CentOS has updated gstreamer-plugins-bad-free (C7: three codeexecution vulnerabilities), gstreamer-plugins-good (C7: multiplevulnerabilities), gstreamer1-plugins-bad-free (C7: multiplevulnerabilities), and gstreamer1-plugins-good (C7: multiple vulnerabilities).Debian-LTS has updated python-crypto (denial of service).Gentoo has updated adobe-flash (multiple vulnerabilities), python (two vulnerabilities), and tiff (multiple vulnerabilities).Mageia has updated nvidia304,nvidia340 (three vulnerabilities) and xen (multiple vulnerabilities).openSUSE has updated irssi (42.2, 42.1, 13.2; SPH for SLE12: multiple vulnerabilities).Scientific Linux has updated subscription-manager (SL7: information disclosure).

The GNU C library (glibc) 2.25 release isexpected to be available at the beginning of February; among the new featuresin this release will be a wrapper for the Linux getrandom() system call. One mightwell wonder why getrandom() is only appearing in this release,given that kernel support arrived with the 3.17 release in 2014 and thatthe glibc projectis supposed to be more receptive tonew features these days. A look at the history of this particular change highlights some of the reasons why getting newfeatures into glibc is still hard.

The Inkscape project has announced the release of version 0.92. "Newfeatures include mesh gradients, improved SVG2 and CSS3 support, new path effects, interactive smoothing for the penciltool, a new Object dialog for directly managing all drawing elements,and much more. Infrastructural changes are also under way, including aswitch to CMake from the venerable Autotools build system."

Greg Kroah-Hartman has released stable kernels 4.9.2, 4.8.17,and 4.4.41. All contain important fixesand users should upgrade. This is the last 4.8-stable kernel to bereleased and users of that kernel series should upgrade to 4.9.x.

Debian has updated icoutils (code execution), tomcat7 (information disclosure), and tomcat8 (information disclosure).Fedora has updated FlightGear (F25; F24: fileoverwrites), libpng10 (F25; F24: NULL dereference bug),mingw-libpng (F25; F24: NULL dereference bug), openssh (F25: multiple vulnerabilities),php-swiftmailer (F25; F24: code execution), samba (F24: two vulnerabilities), sway(F25; F24:unspecified), and thunderbird (F24: multiple vulnerabilities).Mageia has updated flightgear (file overwrites), libcryptopp (denial of service), and subversion (denial of service).openSUSE has updated gstreamer-0_10-plugins-bad (42.2: three codeexecution vulnerabilities), gstreamer-plugins-bad (42.2: multiplevulnerabilities), gstreamer-plugins-good(42.2: multiple vulnerabilities), libcares2(42.2, 42.1: code execution), php5 (42.2,42.1: multiple vulnerabilities), php7(42.2: multiple vulnerabilities), syncthing, syncthing-gtk (42.2; 42.1:two vulnerabilities), tiff (42.2, 42.1: multiple vulnerabilities), and zlib (42.2; 42.1: multiple vulnerabilities).SUSE has updated jasper(SLE12-SP1,SP2: multiple vulnerabilities).

The 4.10-rc3 kernel prepatch is availablefor testing. Linus says: "It still feels a bit smaller than a usualrc3, but for the first real rc after the merge window (ie I'd compareit to a regular rc2), it's fairly normal."

The Vault Storage and Filesystems conference will be held March 22 and 23in Cambridge, MA, USA, immediately after the Linux Storage, Filesystem, andMemory-Management Summit. The call forpresentations expires on January 14, and the conference organizerswould really like to get a few more proposals in before then. Developersinterested in speaking at a technical Linux event are encourage to sign up.(Also, don't forget the LWN CFP deadlinescalendar, which is a good way to stay on top of conference proposaldeadlines.)

The LearntEmail blog has a look at running AsteroidOS on the LG Watch Urbane smartwatch."It looks like a watch, it smells like a watch, but it runs like a normal computer. Wayland, systemd, polkit, dbus and friends look very friendly to hacking. Even Qt is better than android, but that's debatable.My next project - run Gtk+ on the watch :)" (Thanks to Paul Wise.)

Debian-LTS has updated pcsc-lite(privilege escalation).Fedora has updated flac (F25:three vulnerabilities from 2015), pcsc-lite(F25: privilege escalation), php-PHPMailer(F25: code execution), subversion (F25:denial of service), thunderbird (F25: multiple vulnerabilities),and tinymce (F25: cross-site scripting).Mageia has updated bash (codeexecution), thunderbird (multiple vulnerabilities), tor (denial of service), and unrtf (code execution).openSUSE has updated kopete (SPH for SLE12; 42.2, 42.1, 13.2: encryption botch).Red Hat has updated puppet-tripleo (OSP10.0: access restriction bypass).Ubuntu has updated exim4(information leak).

The4.9.1,4.8.16, and4.4.40stable kernel updates have been released; each contains the usualcollection of important fixes.

Debian has updated libvncserver(two vulnerabilities) and pcsc-lite(privilege escalation).Debian-LTS has updated python-crypto (DLA-773-3; DLA-773-2: regression(s?) in previous securityupdate for CVE-2013-7459).Fedora has updated bzip2 (F24:denial of service), libpng (F24: denial ofservice), and seamonkey (F24: multiple vulnerabilities).openSUSE has updated ImageMagick(42.2, 42.1: multiple vulnerabilities), libgme (42.2, 42.1: multiple vulnerabilities),and thunderbird (13.1: multiple vulnerabilities).Oracle has updated ghostscript (OL7; OL6: multiple vulnerabilities, onefrom 2013), gstreamer-plugins-bad-free(OL7: three vulnerabilities), gstreamer-plugins-good (OL7: multiple vulnerabilities), gstreamer1-plugins-bad-free (OL7: multiple vulnerabilities), and gstreamer1-plugins-good (OL7: multiple vulnerabilities).Red Hat has updated gstreamer-plugins-bad-free (RHEL7: threevulnerabilities), gstreamer-plugins-good(RHEL7: multiple vulnerabilities), gstreamer1-plugins-bad-free(RHEL7: multiple vulnerabilities), and gstreamer1-plugins-good(RHEL7: multiple vulnerabilities).Scientific Linux has updated gstreamer-plugins-bad-free (SL7: threevulnerabilities), gstreamer-plugins-good(SL7: multiple vulnerabilities), gstreamer1-plugins-bad-free(SL7: multiple vulnerabilities), and gstreamer1-plugins-good(SL7: multiple vulnerabilities).Ubuntu has updated nss (three vulnerabilities).

The LWN.net Weekly Edition for January 5, 2017 is available.

Old habits die hard, even when support for the tools required by thosehabits ended over a decade ago. It is not surprising for users to cling tothe tools they learned early in their careers, even when they are told thatit is time to move on. A recent discussion on the Debian development list showed thesort of stress that this kind of inertia can put on a distribution andexplored the options that distributors have to try to nudge their userstoward more supportable solutions.

The Google Open Source Blog introducesthe Grumpy project. "Grumpy is an experimental Python runtimefor Go. It translates Python code into Go programs, and those transpiledprograms run seamlessly within the Go runtime. We needed to support a largeexisting Python codebase, so it was important to have a high degree ofcompatibility with CPython (quirks and all). The goal is for Grumpy to be adrop-in replacement runtime for any pure-Python project."

Arch Linux has updated lib32-curl(two vulnerabilities), lib32-libcurl-compat (two vulnerabilities), lib32-libcurl-gnutls (two vulnerabilities), libcurl-compat (two vulnerabilities), libcurl-gnutls (two vulnerabilities), and pcsclite (privilege escalation).CentOS has updated ghostscript (C7; C6: multiple vulnerabilities).Debian has updated libphp-phpmailer (regression in previous update).Debian-LTS has updated libphp-phpmailer (code execution) and libvncserver (two vulnerabilities).Fedora has updated borgbackup (F25; F24: twovulnerabilities) and freeipa (F24: two vulnerabilities).Gentoo has updated firefox (multiple vulnerabilities).Mageia has updated kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), libupnp (code execution), and python-html5lib (cross-site scripting).openSUSE has updated dnsmasq(42.2, 42.1: denial of service), samba (42.2; 42.1:three vulnerabilities), and wget (42.2,42.1: race condition).Red Hat has updated ghostscript (RHEL7; RHEL6:multiple vulnerabilities), kernel (RHEL7.1:denial of service), and systemd (RHEL7.1: denial of service).Scientific Linux has updated ghostscript (SL7; SL6:multiple vulnerabilities) and ipa (SL7: two vulnerabilities).

Version0.92 of the Inkscape vector drawing editor is available. "Newfeatures include mesh gradients, improved SVG2 and CSS3 support, new patheffects, interactive smoothing for the pencil tool, a new Object dialog fordirectly managing all drawing elements, and much more. Infrastructuralchanges are also under way, including a switch to CMake from the venerableAutotools build system." See therelease notes for details.

In what is becoming its annual tradition, the darktable project releaseda new stable version of its image-editing system at the end of December.The new 2.2 release incorporates several new photo-correction features ofnote.Click below (subscribers only) for the full article from Nathan Willis.

James Bottomley looks atTrusted Platform Module (TPM) version 2. "Recently Microsoft startedmandatingTPM2 as a hardware requirement for all platforms running recentversions of windows. This means that eventually all shipping systems(starting with laptops first) will have a TPM2 chip. The reason thisimpacts Linux is that TPM2 is radically different from its predecessorTPM1.2; so different, in fact, that none of the existing TPM1.2 software onLinux (trousers, the libtpm.so plug in for openssl, even my gnome keyringenhancements) will work with TPM2. The purpose of this blog is to explorethe differences and how we can make ready for the transition."(Thanks to Paul Wise)

Arch Linux has updated gst-plugins-bad (two vulnerabilities), lib32-libpng (denial of service), lib32-libpng12 (denial of service), libpng (denial of service), and libpng12 (denial of service).CentOS has updated ipa (C7: two vulnerabilities).Debian-LTS has updated samba(privilege escalation).Fedora has updated bzip2 (F25:denial of service), dovecot (F25: denial ofservice), and seamonkey (F25: multiple vulnerabilities).Gentoo has updated firefox(multiple vulnerabilities, some from 2014).Oracle has updated ipa (OL7: two vulnerabilities).

HackerBoards.com takesa look at hacker-friendly single board computers. "Community backed, open spec single board computers running Linux and Android sit at the intersection between the commercial embedded market and the open source maker community. Hacker boards also play a key role in developing the Internet of Things devices that will increasingly dominate our technology economy in the coming years, from home automation devices to industrial equipment to drones.This year, we identified 90 boards that fit our relatively loose requirements for community-backed, open spec SBCs running Linux and/or Android."

Pieter Hintjens passedaway last October. "Pieter was known mostly for founding the ZeroMQ project but he was also an ambitiousfighter for the open source philosophy, an active opponent to softwarepatents and an inspiring and keen thinker on open systems of allkind." (Thanks to Viktor Horvath)

Arch Linux has updated curl (two vulnerabilities) and libwmf (multiple vulnerabilities).Debian has updated libgd2 (denialof service) and libphp-phpmailer (code execution).Debian-LTS has updated hdf5(multiple vulnerabilities), hplip(man-in-the-middle attack from 2015), kernel (multiple vulnerabilities), libphp-phpmailer (code execution), pgpdump (denial of service), postgresql-common (file overwrites), python-crypto (denial of service), and shutter (code execution from 2015).Fedora has updated curl (F24:buffer overflow), cxf (F25: twovulnerabilities), game-music-emu (F24:multiple vulnerabilities), libbsd (F25; F24:denial of service), libpng (F25: NULLdereference bug), mingw-openjpeg2 (F25; F24:multiple vulnerabilities), openjpeg2 (F24:two vulnerabilities), php-zendframework-zend-mail (F25; F24:parameter injection), springframework (F25:directory traversal), tor (F25; F24: denial of service), xen (F24: three vulnerabilities), andzookeeper (F25; F24: buffer overflow).Gentoo has updated bash (codeexecution), busybox (denial of service), chicken (multiple vulnerabilities going backto 2013), cyassl (multiple vulnerabilitiesfrom 2014), e2fsprogs (code execution from2015), hdf5 (multiple vulnerabilities), icinga (privilege escalation), libarchive (multiple vulnerabilities, somefrom 2015), libjpeg-turbo (code execution),libotr (code execution), lzo (code execution from 2014), mariadb (multiple unspecifiedvulnerabilities), memcached (codeexecution), musl (code execution), mutt (denial of service from 2014), openfire (multiple vulnerabilities from 2015),openvswitch (code execution), pillow (multiple vulnerabilities, two from2014), w3m (multiple vulnerabilities), xdg-utils (command execution from 2014), andxen (multiple vulnerabilities).Mageia has updated mcabber (roster push attack) and tracker (denial of service).openSUSE has updated firefox(13.1: multiple vulnerabilities), gd (42.2,42.1: stack overflow), GNU Health (42.2:two vulnerabilities), roundcubemail (13.1:cross-site scripting), kernel (42.1:information leak), thunderbird (42.2,42.1, 13.2; SPH for SLE12:multiple vulnerabilities), and xen (42.2; 42.1; 13.2: multiple vulnerabilities).Red Hat has updated ipa (RHEL7:two vulnerabilities) and rh-nodejs4-nodejs andrh-nodejs4-http-parser (RHSCL: multiple vulnerabilities).Slackware has updated libpng (NULL dereference bug), thunderbird (code execution), and seamonkey (multiple vulnerabilities).SUSE has updated gstreamer-plugins-good (SLE12-SP2: multiplevulnerabilities) and kernel (SLERTE12-SP1: multiple vulnerabilities).

Richard Fontana reviewslegal development in 2016 on opensource.com."The Federal Source Code Policy is notable for placing emphasis onadhering to proper standards for open development as well as open sourcelicensing. Agencies releasing open source code are directed to do so in amanner that encourages engagement with existing communities, fosters growthof new communities, and facilitates contribution both by the community tothe federal code and by federal employees and contractors to upstreamprojects."

The second 4.10 kernel prepatch is out fortesting. "Hey, it's been a really slow week between Christmas Day and New YearsDay, and I am not complaining at all.It does mean that rc2 is ridiculously and unrealistically small. Ialmost decided to skip rc2 entirely, but a small little meaninglessrelease every once in a while never hurt anybody. So here it is."

The Python 3.6 release occurred onDecember 23, only one week later than plannedall the wayback in October 2015. Python 3.6 adds a number of newfeatures, including more support for asynchronous operations (generatorsand comprehensions), a filesystem path protocol, a new literal stringformatting option, two random-number-related features, a frame evaluation APIfor debuggers and just-in-time (JIT) compilation, and more. Some of thesefeatures have been described in LWN articles along the way, but many haven't, so anoverview of the highlights of the new release is in order.Subscribers can click below to see the article that will appear in nextweek's edition.