LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2025-06-18 21:30
Security advisories for Wednesday
CentOS has updated kernel (C6: privilege escalation). Debian has updated asterisk (multiple vulnerabilities) and nginx (privilege escalation). Debian-LTS has updated nspr (information disclosure), nss (information disclosure), potrace (multiple vulnerabilities), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities). Fedora has updated perl-Image-Info (F24; F23: information disclosure). Mageia has updated graphicsmagick (three vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), mpg123 (denial of service), and tor (denial of service). openSUSE has updated GraphicsMagick (Leap42.1; 13.2: multiple vulnerabilities), guile (13.2: two vulnerabilities), guile1 (Leap42.1; 13.2: information disclosure), firefox (Leap42.1, 13.2: two vulnerabilities), qemu (Leap42.1: multiple vulnerabilities), quagga (Leap42.1: stack overrun), and kernel (13.2: multiple vulnerabilities). Oracle has updated kernel (OL6: privilege escalation). Red Hat has updated kernel (RHEL6; RHEL6.7: privilege escalation) and kernel-rt (RHEMRG2.5; RHEL7: two vulnerabilities). Scientific Linux has updated kernel (SL6: privilege escalation). Ubuntu has updated nginx (16.10, 16.04, 14.04: privilege escalation).
Flatpak 0.6.13
Flatpak 0.6.13 has been released. Major changes include new command-line arguments for install/update/uninstall, checking and downloading of application runtime dependencies, support for URIs in remote-add and install --from, the ability of flatpak run to launch a runtime directly, and more.
Tuesday's security updates
Arch Linux has updated linux-grsec (privilege escalation) and ocaml (information leak). CentOS has updated kernel (C7: privilege escalation). Debian has updated php5 (multiple vulnerabilities) and virtualbox (end of support). Debian-LTS has updated ghostscript (multiple vulnerabilities). Fedora has updated bind (F23: denial of service), bind99 (F23: denial of service), and libass (F24: three vulnerabilities). Mageia has updated php (multiple vulnerabilities). openSUSE has updated quagga (13.2: stack overrun) and virtualbox (13.2: multiple unspecified vulnerabilities). Oracle has updated kernel (OL7: privilege escalation). Red Hat has updated bind (RHEL6.2, 6.4, 6.5, 6.6, 6.7: denial of service). Scientific Linux has updated kernel (SL7: privilege escalation). SUSE has updated quagga (SLE12-SP1: stack overrun). Ubuntu has updated linux-raspi2 (16.10: privilege escalation), mysql-5.5, mysql-5.7 (multiple unspecified vulnerabilities), and quagga (stack overrun).
[$] Dealing with automated SSH password-guessing
Just about everyone who runs a Unix server on the internet uses SSH for remote access, and almost everyone who does that will be familiar with the log footprints of automated password-guessing bots. Although decently-secure passwords do much to harden a server against such attacks, the costs of dealing with the continual stream of failed logins can be considerable. There are ways to mitigate these costs.
Valgrind-3.12.0 is available
Valgrind 3.12.0 has been released. "3.12.0 is a feature release with many improvements and the usual collection of bug fixes. This release adds support for POWER ISA 3.0, improves instruction set support on ARM32, ARM64 and MIPS, and provides support for the latest common components (kernel, gcc, glibc). There are many smaller refinements and new features. The release notes below give more details." There will be a Valgrind developer room at FOSDEM in Brussels, Belgium, on February 4, 2017. The call for participation is open until December 1.
Security advisories for Monday
Arch Linux has updated chromium (multiple vulnerabilities), kernel (privilege escalation), linux-lts (privilege escalation), python-django (cross-site request forgery), and python2-django (cross-site request forgery). CentOS has updated bind (C6; C5: denial of service) and bind97 (C5: denial of service). Debian has updated kdepimlibs (HTML injection). Debian-LTS has updated kdepimlibs (HTML injection). Fedora has updated guile (F23: two vulnerabilities), kernel (F24; F23: privilege escalation), php (F24; F23: multiple vulnerabilities), and php-pecl-zip (F24; F23: multiple vulnerabilities). Mageia has updated 389-ds-base (information disclosure), c-ares (code execution), guile (two vulnerabilities), openjpeg (denial of service), and php-ZendFramework (SQL injection). openSUSE has updated Chromium (Leap42.1, 13.2: multiple vulnerabilities), dbus-1 (Leap42.1: code execution), gd (13.2: denial of service), kdump (Leap42.1: denial of service), php5 (13.2: three vulnerabilities), kernel (Leap42.1; 13.1: multiple vulnerabilities), tor (Leap42.1, 13.2: denial of service), and X (Leap42.1: multiple vulnerabilities). Oracle has updated bind (OL6; OL5: denial of service), bind97 (OL5: multiple vulnerabilities), kernel 4.1.12 (OL7; OL6: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), and kernel 2.6.39 (OL6; OL5: privilege escalation). Red Hat has updated kernel (RHEL7: privilege escalation). SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities), qemu (SLE12-SP1: multiple vulnerabilities), and kernel (SLE12-SP1; SLE12; SLE11-SP4; SLE11-SP3; SLE11-SP2: privilege escalation).
The Linux Foundation Technical Advisory Board election
The Linux Foundation's Technical Advisory Board provides the development community (primarily the kernel development community) with a voice in the Foundation's decision-making process. Among other things, the TAB chair holds a seat on the Foundation's board of directors. The next TAB election will be held on November 2 at the Kernel Summit in Santa Fe, NM; five TAB members (½ of the total) will be selected there. The nomination process is open until voting begins; anybody interested in serving on the TAB is encouraged to throw their hat into the ring.
Kernel prepatch 4.9-rc2
The second 4.9 prepatch is out for testing, and Linus is asking for people to test one feature in particular: "My favorite new feature that I called out in the rc1 announcement (the virtually mapped stacks) is possibly implicated in some crashes that Dave Jones has been trying to figure out, so if you want to be helpful and try to see if you can give more data, please make sure to enable CONFIG_VMAP_STACK."
More stable kernel updates
The 4.8.4, 4.7.10, and 4.4.27 stable updates are out. These would appear to contain the usual fixes. Note that 4.7.10 is the end of the line for the 4.7.x series.
[$] Dirty COW and clean commit messages
We live in an era of celebrity vulnerabilities; at the moment, an unpleasant kernel bug called "Dirty COW" (or CVE-2016-5195) is taking its turn on the runway. This one is more disconcerting than many due to its omnipresence and the ease with which it can be exploited. But there is also some unhappiness in the wider community about how this vulnerability has been handled by the kernel development community. It may well be time for the kernel project to rethink its approach to serious security problems.
Friday's security updates
Debian-LTS has updated bind9 (denial of service). Fedora has updated libgit2 (F23: two vulnerabilities). Mageia has updated kernel (three vulnerabilities), libtiff (multiple vulnerabilities, two from 2015), and openslp (code execution). openSUSE has updated dbus-1 (13.2: code execution), ghostscript-library (42.1: three vulnerabilities, one from 2013), roundcubemail (42.1: two vulnerabilities), and squidGuard (42.1: cross-site scripting from 2015). Red Hat has updated bind (RHEL6&5: denial of service) and bind97 (RHEL5: denial of service). Scientific Linux has updated bind (SL6&5: denial of service) and bind97 (SL5: denial of service). Ubuntu has updated bind9 (12.04: denial of service).
Ranking the Web With Radical Transparency (Linux.com)
Linux.com interviews Sylvain Zimmer, founder of the Common Search project, which is an effort to create an open web search engine. "Being transparent means that you can actually understand why our top search result came first, and why the second had a lower ranking. This is why people will be able to trust us and be sure we aren't manipulating results. However for this to work, it needs to apply not only to the results themselves but to the whole organization. This is what we mean by 'radical transparency.' Being a nonprofit doesn't automatically clear us of any ulterior motives, we need to go much further. As a community, we will be able to work on the ranking algorithm collaboratively and in the open, because the code is open source and the data is publicly available. We think that this means the trust in the fairness of the results will actually grow with the size of the community."
More information about Dirty COW (aka CVE-2016-5195)
The security hole fixed in the stable kernels released today has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.
Security advisories for Thursday
CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities). Debian has updated kernel (multiple vulnerabilities, one from 2015). Debian-LTS has updated kernel (multiple vulnerabilities, one from 2015) and libxvmc (code execution). Fedora has updated glibc-arm-linux-gnu (F23: denial of service) and perl-DBD-MySQL (F23: denial of service). Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities). Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), and java-1.8.0-oracle (RHEL7&6: multiple vulnerabilities). Scientific Linux has updated java-1.8.0-openjdk (SL7&6: multiple vulnerabilities). SUSE has updated quagga (SLE11: code execution). Ubuntu has updated kernel (12.04; 14.04; 16.04; 16.10: privilege escalation), linux-lts-trusty (12.04: privilege escalation), linux-lts-xenial (14.04: privilege escalation), linux-raspi2 (16.04: privilege escalation), linux-snapdragon (16.04: privilege escalation), and linux-ti-omap4 (12.04: privilege escalation).
An important set of stable kernel updates
The 4.8.3, 4.7.9, and 4.4.26 stable kernel updates have been released. There's nothing in the announcements to indicate this, but they all contain a fix for CVE-2016-5195, a bug that can allow local attackers to overwrite files they should not have write access to. So the "all users must upgrade" message seems more than usually applicable this time around.
[$] LWN.net Weekly Edition for October 20, 2016
The LWN.net Weekly Edition for October 20, 2016 is available.
Security advisories for Wednesday
Debian has updated quagga (stack overrun) and tor (denial of service). Debian-LTS has updated dwarfutils (multiple vulnerabilities), guile-2.0 (two vulnerabilities), libass (two vulnerabilities), libgd2 (two vulnerabilities), libxv (insufficient validation), and tor (denial of service). Fedora has updated epiphany (F24: unspecified), ghostscript (F24; F23: multiple vulnerabilities), glibc-arm-linux-gnu (F24: denial of service), guile (F24: two vulnerabilities), libgit2 (F24: two vulnerabilities), openssh (F23: null pointer dereference), qemu (F24: multiple vulnerabilities), and webkitgtk4 (F24: unspecified). Mageia has updated asterisk (denial of service), flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mailman (password disclosure). Red Hat has updated java-1.8.0-openjdk (RHEL6, 7: multiple vulnerabilities), kernel (RHEL6.7: use-after-free), and mariadb-galera (RHOSP8: SQL injection/privilege escalation).
Live kernel patches for Ubuntu
Canonical has announced the availability of a live kernel patch service for the 16.04 LTS release. "It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads." Up to three systems can be patched for free; the service requires a fee thereafter. There is a long FAQ about the service in this blog post; it appears to be based on the mainline live-patching functionality with some Canonical add-ons.
Kügler: Plasma’s road ahead
Sebastian Kügler reports on KDE's Plasma team meeting. "We took this opportunity to also look and plan ahead a bit further into the future. In what areas are we lacking, where do we want or need to improve? Where do we want to take Plasma in the next two years?" Specific topics include release schedule changes, UI and theming improvements, feature backlog, Wayland, mobile, and more. (Thanks to Paul Wise)
Tuesday's security updates
Debian-LTS has updated libarchive (three vulnerabilities), libxrandr (insufficient validation), libxrender (insufficient validation), and quagga (stack overrun). openSUSE has updated ffmpeg (Leap42.1; SPH for SLE12: multiple vulnerabilities) and kcoreaddons (Leap42.1, 13.2; SPH for SLE12: HTML injection). Red Hat has updated atomic-openshift (RHOSCP: authentication bypass), kernel (RHEL6.5: privilege escalation), and openssl (RHEL6.7: multiple vulnerabilities).
[$] Graphics world domination may be closer than it appears
The mainline kernel has support for a wide range of hardware. One place where support has traditionally been lacking, though, is graphics adapters. As a result, a great many people are still using proprietary, out-of-tree GPU drivers. Daniel Vetter went before the crowd at Kernel Recipes 2016 to say that the situation is not as bad as some think; indeed, he said, in this area as well as others, world domination is proceeding according to plan.
Secure Your Containers with this One Weird Trick (RHEL Blog)
Over on the Red Hat Enterprise Linux Blog, Dan Walsh writes about using Linux capabilities to help secure Docker containers. "Let’s look at the default list of capabilities available to privileged processes in a docker container: chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap. In the OCI/runc spec they are even more drastic only retaining, audit_write, kill, and net_bind_service and users can use ocitools to add additional capabilities. As you can imagine, I like the approach of adding capabilities you need rather than having to remember to remove capabilities you don’t." He then goes through the capabilities listed describing what they govern and when they might need to be turned on for a container application.
Security advisories for Monday
Arch Linux has updated guile (two vulnerabilities). Debian has updated libgd2 (denial of service). Debian-LTS has updated icedove (multiple vulnerabilities), libarchive (file overwrite), libdbd-mysql-perl (denial of service), and mpg123 (denial of service). Fedora has updated chromium (F24: multiple vulnerabilities). Gentoo has updated oracle-jdk-bin (multiple vulnerabilities). openSUSE has updated thunderbird (13.1: multiple vulnerabilities) and tiff (13.1: denial of service). Oracle has updated openssl (OL5: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
A set of stable kernels
The 4.8.2, 4.7.8, and 4.4.25 stable kernels have been released. Each contains the usual set of important fixes.
The 4.9 merge window closes
Linus has released 4.9-rc1 and closed the merge window for this release one day earlier than some might have expected. "My own favorite 'small detail under the hood' happens to be Andy Lutomirski's new virtually mapped kernel stack allocations. They make it easier to find and recover from stack overflows, but the effort also cleaned up some code, and added a kernel stack mapping cache to avoid any performance downsides." The virtually mapped kernel stack work was covered here in June. There were 14,308 non-merge changesets pulled for this release, meaning that 4.9 will be, by far, the busiest development cycle ever.
Celebrating open standards around the world
Opensource.com celebrates World Standards Day on October 14. "Whether in the world of software, where without standards we would have been unable to connect the world through the Internet and the World Wide Web, or the physical world, where standards make nearly everything you buy easier, more useful, and safer, the world would be a difficult place to navigate without standards. And critical to the usefulness of standards is making them available to all in an accessible, free format, unencumbered by legal or other hurdles."
[$] PostgreSQL 9.6 improves synchronous replication and more
The PostgreSQL project released version 9.6 on September 29th. This new major release has an assortment of new goodies for PostgreSQL fans, including parallel query and phrase search, new options for synchronous replication, remote query execution using foreign data wrappers, "crosstab" data transformations in psql, and more. Together with version 9.6, the community released a completely rewritten version of the pgAdmin database graphical interface. We'll explore multiple synchronous replicas, foreign data wrapper changes, crosstabs and the new pgAdmin here.
Friday's security advisories
Arch Linux has updated gdk-pixbuf2 (denial of service). Debian has updated freeimage (two vulnerabilities). Debian-LTS has updated libxfixes (integer overflow). Fedora has updated dbus (F24: code execution) and xen (F24; F23: three vulnerabilities). openSUSE has updated compat-openssl098 (Leap42.1: multiple vulnerabilities), derby (13.2: information leak), libreoffice (Leap42.1: code execution), php5 (Leap42.1: multiple vulnerabilities), go1.4 (SPH for SLE12: denial of service), systemd (Leap42.1: denial of service), and unzip (13.2: two vulnerabilities). Oracle has updated kernel 4.1.12 (OL7; OL6: stack corruption). Red Hat has updated mariadb-galera (RHOSP9; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: SQL injection/privilege escalation). SUSE has updated xen (SLE12; SLES11-SP2: multiple vulnerabilities). Ubuntu has updated linux-ti-omap4 (12.04: three vulnerabilities).
KDE celebrates 20 years
KDE.news notes the 20th anniversary of the KDE project. "In the 20 years since then so much has happened. We released great software, fought for software freedom and empowered people all over the world to take charge of their digital life. In many ways we have achieved what we set out to do 20 years ago - 'a consistent, nice looking free desktop-environment' and more." For those feeling nostalgic, there is a new version of the KDE 1.1.2 desktop ported to contemporary systems.
Guile security vulnerability w/ listening on localhost + port
Christopher Allan Webber looks at a security vulnerability in Guile. Guile applications are generally not vulnerable, but arbitrary scheme code may be used to attack the systems of Guile developers. "There is also a lesson here that applies beyond Guile: the presumption that "localhost" is only accessible by local users can't be guaranteed by modern operating system environments. If you are looking to provide local-execution-only, we recommend using unix domain sockets or named pipes. Don't rely on localhost plus some port."
Ubuntu 16.10 (Yakkety Yak) released
Ubuntu 16.10 (Yakkety Yak) has been released. "Under the hood, there have been updates to many core packages, including a new 4.8-based kernel, a switch to gcc-6, and much more." The flavors Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu have also been released. Ubuntu 16.10 will be supported for 9 months.
Thursday's security updates
Arch Linux has updated crypto++ (information disclosure). Fedora has updated bash (F23: code execution), chromium (F23: multiple vulnerabilities), freeimage (F24; F23: code execution), mingw-freeimage (F24; F23: code execution), perl-DBD-MySQL (F24: denial of service), and python-pillow (F23: memory disclosure). Mageia has updated libass (three vulnerabilities) and ruby (encrypted ciphertext duplication). openSUSE has updated flash-player (13.2; 13.1: multiple vulnerabilities), irssi (Leap42.1, 13.2: three vulnerabilities), python-suds-jurko (Leap42.1: symbolic link attack from 2013), systemd (13.2: denial of service), tiff (Leap42.1: multiple vulnerabilities), and tiff (13.2: denial of service). Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities). SUSE has updated firefox (SLE11-SP3,4: multiple vulnerabilities) and flash-player, qemu (SLE12-SP1: multiple vulnerabilities). Ubuntu has updated libdbd-mysql-perl (14.04, 12.04: three vulnerabilities) and quagga (16.04, 14.04, 12.04: two vulnerabilities).
Apache OpenOffice 4.1.3 released
The long-awaited OpenOffice 4.1.3 release is out. "Apache OpenOffice 4.1.3 is a maintenance release incorporating important bug fixes, security fixes, updated dictionaries, and build fixes. All users of Apache OpenOffice 4.1.2 or earlier are advised to upgrade."
[$] LWN.net Weekly Edition for October 13, 2016
The LWN.net Weekly Edition for October 13, 2016 is available.
Security advisories for Wednesday
CentOS has updated kernel (C7: stack corruption), tomcat (C7: multiple vulnerabilities), and tomcat6 (C6: multiple vulnerabilities). Debian has updated ghostscript (multiple vulnerabilities). Fedora has updated ca-certificates (F24: certificate update), nsd (F24: denial of service), and openssl (F23: multiple vulnerabilities). Gentoo has updated bind (multiple vulnerabilities). Mageia has updated libgd (denial of service), openssl (multiple vulnerabilities), and python-twisted-web (HTTP proxy redirect). openSUSE has updated kde-cli-tools5 (SPH for SLE12; Leap42.1, 13.2: code execution), nodejs (Leap42.1, 13.2: multiple vulnerabilities), and xen (Leap42.1; 13.2: multiple vulnerabilities). Scientific Linux has updated kernel (SL7: stack corruption), tomcat (SL7: multiple vulnerabilities), and tomcat6 (SL6: multiple vulnerabilities). SUSE has updated ghostscript-library (SLE12-SP1; SLE11-SP2,3,4: multiple vulnerabilities) and xen (SLE11-SP4: multiple vulnerabilities). Ubuntu has updated kdepimlibs (12.04: HTML injection) and tracker (16.04: denial of service).
[$] An update on input
Peter Hutterer gave an update on the input stack at the 2016 X.Org Developers Conference (XDC). A lot has been accomplished, but there is, naturally, more to do—especially as more and more quirky (or buggy) input hardware is released. But, overall, Hutterer painted a picture of a mature subsystem that is largely feature-complete at this point.
Announcing Google Code-in 2016 and Google Summer of Code 2017
The Google Open Source Programs Office has announced Google Code-in 2016 and Google Summer of Code 2017. Google Code-in is for students from 13-17 years of age who would like to explore open source. "Students will find opportunities to learn and get hands on experience with tasks from a range of categories. This structure allows students to stretch themselves as they take on increasingly more challenging tasks." Students will begin on November 28. Student applications for Google Summer of Code (GSoC) open on March 20, 2017. Applications for interested open source organizations open on January 19. GSoC "provides university students from around the world with an opportunity to take their skills and hone them by contributing to open source projects during their summer break from university."
The FSF seeks nominations for the annual Free Software Awards
The Free Software Foundation and the GNU Project are asking for nominations for the 19th annual Free Software Awards. The Award for the Advancement of Free Software will be presented to "an individual who has made a great contribution to the progress and development of free software, through activities that accord with the spirit of free software" and the Award for Projects of Social Benefit will be presented to "the project or team responsible for applying free software, or the ideas of the free software movement, in a project that intentionally and significantly benefits society in other aspects of life." The deadline for nominations is November 6.
Security updates for Tuesday
Debian has updated icedove (multiple vulnerabilities). Debian-LTS has updated graphicsmagick (multiple vulnerabilities), qemu (three vulnerabilities), and qemu-kvm (three vulnerabilities). Fedora has updated c-ares (F23: code execution), irssi (F24; F23: three vulnerabilities), mujs (F24; F23: two vulnerabilities), nodejs (F24: improper validation), python-django (F24; F23: cross-site request forgery), and zathura-pdf-mupdf (F24; F23: two vulnerabilities). Gentoo has updated mysql (multiple unspecified vulnerabilities) and subversion (multiple vulnerabilities). openSUSE has updated thunderbird (Leap42.1, 13.2; SPH for SLE12: multiple vulnerabilities). Oracle has updated kernel (OL7: stack corruption), tomcat (OL7: two vulnerabilities), and tomcat6 (OL6: multiple vulnerabilities). Red Hat has updated kernel (RHEL7: stack corruption), tomcat (RHEL7: multiple vulnerabilities), and tomcat6 (RHEL6: multiple vulnerabilities). Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), and linux-snapdragon (16.04: multiple vulnerabilities).
FreeBSD 11
FreeBSD 11.0 has been released. This version features new architecture support, performance improvements, toolchain enhancements, and support for contemporary wireless chipsets. See the release notes for more information.
Here's Why Software Patents Are in Peril (Fortune)
Fortune covers a ruling [PDF] by the U.S. Court of Appeals for the Federal Circuit that invalidates three patents asserted against anti-virus companies Symantec and Trend Micro. "The most important part of the decision, which has created a stir among the patent bar, is a concurrence by Circuit Judge Haldane Mayer. In striking down a key claim from U.S. Patent 5987610, which claims a monopoly on using anti-virus tools within a phone network, Mayer says it is time to acknowledge that a famous Supreme Court 2014 decision known as “Alice” basically ended software patents altogether."
Security advisories for Monday
Arch Linux has updated imagemagick (two vulnerabilities), kcoreaddons (HTML injection), messagelib (two vulnerabilities), and wpa_supplicant (two vulnerabilities). Debian has updated php5 (multiple vulnerabilities). Debian-LTS has updated mat (information leak). Fedora has updated libdwarf (F24: two vulnerabilities), libXfixes (F24: integer overflow), libXi (F24: insufficient validation), libXrandr (F24: insufficient validation), libXrender (F24: insufficient validation), libXtst (F24: insufficient validation), libXv (F24: insufficient validation), libXvMC (F24: insufficient validation), mingw-c-ares (F24; F23: code execution), mingw-openjpeg2 (F24; F23: denial of service), openjpeg2 (F23: denial of service), php-ZendFramework (F24; F23: SQL injection), and python-pillow (F24: memory disclosure). Gentoo has updated libgcrypt (multiple vulnerabilities) and quagga (code execution). Mageia has updated graphicsmagick (multiple vulnerabilities). Red Hat has updated python-django (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: cross-site request forgery). SUSE has updated php5 (SLE12-SP1: multiple vulnerabilities) and systemd (SLE12-SP1; SLE12: denial of service).
[$] Supporting UEFI secure boot in Debian
The Debian project can be accused of many things, but jumping too quickly on leading-edge technology is not one of them. That can be seen in, among other things, the fact that there is still not a version of the distribution that supports the UEFI secure boot mechanism. But, as Ben Hutchings explained during his 2016 Kernel Recipes talk, such support is in the works, and it will be implemented in a uniquely Debian-like manner.
GDB 7.12 released
Version 7.12 of the GDB debugger is out. The biggest changes this time around appear to be support for the Andes NDS32 architecture and the ability to debug programs written in the Rust language.
FSF: Tim Berners-Lee just gave us an opening to stop DRM in Web standards
The Free Software Foundation's Defective By Design campaign reports that Tim Berners-Lee decided not to exercise his power to extend the development timeline for the Encrypted Media Extensions (EME) Web technology standard. "Berners-Lee made his surprising decision on Tuesday, as explained in an email announcement by W3C representative Philippe Le Hégaret. Instead of granting a time extension — as he has already done once — Berners-Lee delegated the decision to the W3C's general decision-making body, the Advisory Committee. The Advisory Committee includes diverse entities from universities to companies to nonprofits, and it is divided as to whether EME should be part of Web standards. It is entirely possible that the Advisory Committee will reject the time extension and terminate EME development, marking an important victory for the free Web."
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.8.1, 4.7.7, and 4.4.24. All contain important fixes.
Security advisories for Friday
Debian-LTS has updated c-ares (code execution) and python-django (cross-site request forgery). Fedora has updated mongodb (F24: information leak). Gentoo has updated apache (multiple vulnerabilities) and groovy (code execution). Mageia has updated thunderbird (code execution). Oracle has updated kernel 4.1.12 (OL7; OL6: two vulnerabilities), kernel 3.8.13 (OL7; OL6: two vulnerabilities), and kernel 2.6.39 (OL6; OL5: two vulnerabilities). SUSE has updated compat-openssl098 (SLE12-SP1: multiple vulnerabilities), nodejs4 (SLEM12: multiple vulnerabilities), openssl1 (SLES11-SECURITY: multiple vulnerabilities), and xen (SLE12-SP1: multiple vulnerabilities). Ubuntu has updated oxide-qt (16.04, 14.04: multiple vulnerabilities).
[$] OpenSSL after Heartbleed
Rich Salz and Tim Hudson started off their LinuxCon Europe 2016 talk by stating that April 3, 2014 shall forever be known as the "re-key the Internet date." That, of course, was the day that the Heartbleed vulnerability in the OpenSSL library was disclosed. A lot has happened with OpenSSL since that day, to the point that, Salz said, this should be the last talk he gives that ever mentions that particular vulnerability. In the last two years, the project has recovered from Heartbleed and is now more vital than ever before.
Bassi: Who wrote GTK+ 3.22
On the GTK+ Development Blog, Emmanuele Bassi looks at some statistics on the development of GTK+ 3.22 and GLib contributions during the same cycle (that resulted in GLib 2.50.0). He looks at which developers contributed the most change sets and changed lines of code, as well as how many change sets and hackers there are for each component by company affiliation. "During the 3.22 development cycle, GLib saw a total of 14119 lines added, 2031 removed, for a net gain of 12088 lines [...] GTK+, instead, saw a total of 46581 lines added, 19163 removed, for a net gain of 27418 lines". Those numbers do not include the translation work that was done for 3.22.
Thursday's security advisories
Debian has updated nspr (code execution) and nss (multiple vulnerabilities, some from 2015). Debian-LTS has updated bind9 (two denial of service flaws), freeimage (code execution), and zendframework (SQL injection). Fedora has updated c-ares (F24: code execution). openSUSE has updated ffmpeg (42.1: not well specified), postgresql94 (42.1: two vulnerabilities), and python-Jinja2 (13.2: privilege escalation from 2014). Scientific Linux has updated kernel (SL6: two vulnerabilities). SUSE has updated openssl (SLE11: multiple vulnerabilities), php53 (SLE11SP4; SLE11SP2: multiple vulnerabilities), and php7 (SLE12: multiple vulnerabilities). Ubuntu has updated ntp (16.04, 14.04, 12.04: multiple vulnerabilities, many from 2015).