LWN.net feed (https://lwn.net/; RSS: http://lwn.net/headlines/rss), updated 2025-06-18 23:00
[$] LWN.net Weekly Edition for October 6, 2016
The LWN.net Weekly Edition for October 6, 2016 is available.
FontForge release
There's a new release of FontForge available. "This release introduces a new icon set, new functionality for custom icon selection graphics, support for GlyphOrderAndAliasDB files, and support for Unicode 9.0."
Security advisories for Wednesday
CentOS has updated kernel (C6: two vulnerabilities). Debian has updated icedove (multiple vulnerabilities) and libav (multiple vulnerabilities). Debian-LTS has updated libav (multiple vulnerabilities). Fedora has updated gd (F23: denial of service) and links (F24; F23: anonymity leak). openSUSE has updated flex, at, libbonobo, netpbm, openslp, sgmltool, virtuoso (Leap42.1: buffer overflow), mariadb (Leap42.1: SQL injection/privilege escalation), and php5 (Leap42.1: multiple vulnerabilities). Oracle has updated kernel (OL6: three vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL6: two vulnerabilities). Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities). Ubuntu has updated php5, php7.0 (multiple vulnerabilities).
MOSS supports four more open source projects
The Mozilla Open Source Support (MOSS) program has awarded $300,000 to four projects this quarter. "On the Foundational Technology track, we awarded $100,000 to Redash, a tool for building visualizations of data for better decision-making within organizations, and $50,000 to Review Board, software for doing web-based source code review. Both of these pieces of software are in heavy use at Mozilla. We also awarded $100,000 to Kea, the successor to the venerable ISC DHCP codebase, which deals with allocation of IP addresses on a network. Mozilla uses ISC DHCP, which makes funding its replacement a natural move even though we haven’t deployed it yet. On the Mission Partners track, we awarded $56,000 to Speech Rule Engine, a code library which converts mathematical markup into vocalised form (speech) for the sight-impaired, allowing them to fully appreciate mathematical and scientific content on the web." (Thanks to Paul Wise.)
Plasma 5.8 LTS is out
KDE has released Plasma 5.8. "This marks the point where the developers and designers are happy to recommend Plasma for the widest possible audience be they enterprise or non-techy home users. If you tried a KDE desktop previously and have moved away, now is the time to re-assess, Plasma is simple by default, powerful when needed." Plasma 5.8 is KDE's first Long Term Support release. The changelog has the details.
Mageia thanks long time contributor and friend
The Mageia project remembers Thomas Spuhler who died in September. "Thomas had been contributing to Mageia, and Mandriva before that, since 2009 as a packager, and much earlier already partaking in email discussions and bug reports. His packaging interests were mostly web and server-related components, for which his contributions were invaluable. He had to step back from his Mageia responsibilities in early August due to his health condition."
Tuesday's security advisories
Arch Linux has updated hostapd (two vulnerabilities) and systemd (denial of service). CentOS has updated thunderbird (C7; C6; C5: code execution). Debian has updated libdbd-mysql-perl (denial of service). Fedora has updated bind99 (F24: denial of service), mariadb (F23: SQL injection/privilege escalation), and mongodb (F23: information disclosure). Mageia has updated bind (denial of service), chromium-browser-stable (multiple vulnerabilities), freerdp (denial of service), libcryptopp (information disclosure), and python-django (cross-site request forgery). openSUSE has updated chromium (Leap42.1, 13.2; SPH for SLE12: multiple vulnerabilities), glibc (13.2: denial of service), and php5 (13.2: multiple vulnerabilities). Oracle has updated thunderbird (OL7; OL6: code execution). Red Hat has updated thunderbird (RHEL5,6,7: code execution). SUSE has updated firefox (SLE12-SP1; SLE11-SP2: multiple vulnerabilities).
Two Arduinos become one (Arduino Blog)
The schism between two Arduino companies (that we covered in March 2015) has apparently been settled. The poster child for the open hardware movement is now under one company "Arduino Holding" and a new not-for-profit Arduino Foundation has been started. "Massimo Banzi, Co-Founder of Arduino LLC, commented, 'Today is one of the best days in Arduino history. This allows us to start a new course for Arduino made of constructive dialogue and disruptive innovation in the education, Makers and IoT fields. The Arduino Foundation will allow us to champion the core values of the Arduino Community within the open-source ecosystem and to make our commitment to open-source stronger than ever. This is really a new beginning for Arduino!'" (Thanks to Paul Wise.)
Security updates for Monday
Debian has updated c-ares (code execution), chromium-browser (MV), and wordpress (regression in previous security update). Debian-LTS has updated ruby-activerecord-3.2 (access restriction bypass). Fedora has updated bash (F24: code execution), bind (F24: denial of service), community-mysql (F23: unspecified), nodejs-tough-cookie (F23: denial of service), openjpeg2 (F24: denial of service), openssh (F24: null pointer dereference), pdns (F23: denial of service), and systemd (F24: denial of service). Scientific Linux has updated python-twisted-web (SL7&6: HTTP proxy redirect). Slackware has updated thunderbird (unspecified). Ubuntu has updated pillow (14.04: regression in previous security update).
The 4.8 kernel has been released
Linus Torvalds has announced the availability of the 4.8 kernel: "So the last week was really quiet, which maybe means that I could probably just have skipped rc8 after all. Oh well, no real harm done." Some of the headline changes in this release include support for transparent huge pages in the tmpfs filesystem, a new formatted documentation subsystem and a number of documentation changes to match, a new timeout subsystem that should address the latency problems experienced by its predecessor, continued work on the express data path for high-performance network routing, build-system improvements allowing the use of GCC plugins, the hardened usercopy security work, and much more. The KernelNewbies 4.8 page is still under construction as of this writing, but should contain lots of details in the near future.
[$] Why kernel development still uses email
In a world full of fancy development tools and sites, the kernel project's dependence on email and mailing lists can seem quaintly dated, if not positively prehistoric. But, as Greg Kroah-Hartman pointed out in a Kernel Recipes talk titled "Patches carved into stone tablets", there are some good reasons for the kernel community's choices. Rather than being a holdover from an older era, email remains the best way to manage a project as large as the kernel.
Varda: The Mysterious Fiber Bomb Problem: A Debugging Story
Over at the Sandstorm Blog, project founder Kenton Varda relates a debugging war story. Sandstorm web servers would mysteriously peg the CPU around once a week, slowing request processing to a crawl, seemingly at random. "Obviously, we needed to take a CPU profile while the bug was in progress. Of course, the bug only reproduced in production, therefore we’d have to take our profile in production. This ruled out any profiling technology that would harm performance at other times – so, no instrumented binaries. We’d need a sampling profiler that could run on an existing process on-demand. And it would have to understand both C++ and V8 Javascript. (This last requirement ruled out my personal favorite profiler, pprof from google-perftools.) Luckily, it turns out there is a correct modern answer: Linux’s “perf” tool. This is a sampling profiler that relies on Linux kernel APIs, thus not requiring loading any code into the target binary at all, at least for C/C++. And for Javascript, it turns out V8 has built-in support for generating a “perf map”, which tells the tool how to map JITed code locations back to Javascript source: just pass the --perf_basic_prof_only_functions flag on the Node command-line. This flag is safe in production – it writes some data to disk over time, but we rebuild all our VMs weekly, so the files never get large enough to be a problem."
Friday's security advisories
Arch Linux has updated c-ares (code execution) and wordpress (multiple vulnerabilities). CentOS has updated python-twisted-web (C7; C6: HTTP proxy redirect). Debian has updated wordpress (multiple vulnerabilities). Debian-LTS has updated chicken (two vulnerabilities), firefox-esr (regression in previous security update), icedove (multiple vulnerabilities), and ruby-activesupport-3.2 (access restriction bypass). Fedora has updated curl (F23: code execution) and php-adodb (F24; F23: SQL injection). openSUSE has updated libgcrypt (42.1: flawed random number generation), openjpeg (42.1: denial of service), and postgresql93 (13.2: two vulnerabilities). Oracle has updated python-twisted-web (OL7; OL6: HTTP proxy redirect). Red Hat has updated python-twisted-web (RHEL7&6: HTTP proxy redirect). SUSE has updated pidgin (SLE11: multiple vulnerabilities) and postgresql94 (SLE11: two vulnerabilities).
Stable kernels 4.7.6 and 4.4.23
Greg Kroah-Hartman has released the 4.7.6 and 4.4.23 stable kernels with the usual set of important fixes.
Security updates for Thursday
CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), kvm (C5: two vulnerabilities), and openssl (C7; C6: multiple vulnerabilities). Fedora has updated vfrnav (F24: unspecified). Oracle has updated bind (OL7; OL6; OL5: denial of service) and bind97 (OL5: denial of service). Scientific Linux has updated bind (denial of service), bind97 (SL5: denial of service), kvm (SL5: two vulnerabilities), and openssl (SL7&6: multiple vulnerabilities). SUSE has updated postgresql93 (SLE12: two vulnerabilities) and postgresql94 (SLE12: two vulnerabilities). Ubuntu has updated clamav (16.04, 14.04, 12.04: three code execution flaws), samba (16.04, 14.04: crypto downgrade), and systemd (16.04: denial of service).
Qubes OS 3.2 released
Version 3.2 of the Qubes OS distribution is available. "This is an incremental improvement over the 3.1 version that we released earlier this year. A lot of work went into making this release more polished, more stable and easier to use than our previous releases." Changes include a new management infrastructure, the ability to assign individual USB devices to virtual machines and a switch to the Xfce4 desktop. See the release notes for details.
PostgreSQL 9.6 released
The PostgreSQL 9.6 release is available. "This release will allow users to both scale up and scale out high performance database workloads. New features include parallel query, synchronous replication improvements, phrase search, and improvements to performance and usability, as well as many more features." See the announcement text and the release notes for more information.
[$] LWN.net Weekly Edition for September 29, 2016
The LWN.net Weekly Edition for September 29, 2016 is available.
Debian Project mourns the loss of Kristoffer H. Rose
Ana Guerrero Lopez sadly reports that Kristoffer H. Rose died on September 17. "Kristoffer was a Debian contributor from the very early days of the project, and the upstream author of several packages that are still in the Debian archive nowadays, such as the LaTeX package Xy-pic and FlexML. On his return to the project after several years' absence, many of us had the pleasure of meeting Kristoffer during DebConf15 in Heidelberg. The Debian Project honours his good work and strong dedication to Debian and Free Software. Kristoffer's broad technical knowledge and his ability to share that knowledge with others will be missed. The contributions of Kristoffer will not be forgotten, and the high standards of his work will continue to serve as an inspiration to others."
Security advisories for Wednesday
Arch Linux has updated bind (denial of service), lib32-openssl (denial of service), and openssl (denial of service). Debian has updated bind9 (two denial of service flaws). Fedora has updated jansson (F24; F23: denial of service) and openssl (F24: multiple vulnerabilities). Mageia has updated autotrace (code execution), firefox/rootcerts/nss (multiple vulnerabilities), gnutls (certificate verification bypass), graphicsmagick (multiple vulnerabilities), pdns (three denial of service flaws), thunderbird (multiple vulnerabilities), wget (two vulnerabilities), and zookeeper (buffer overflow). openSUSE has updated bind (Leap42.1, 13.2: denial of service), freerdp (Leap42.1; 13.2: two vulnerabilities), and openssl (Leap42.1: multiple vulnerabilities). Oracle has updated kvm (OL5: two vulnerabilities) and openssl (OL7; OL6: multiple vulnerabilities). Red Hat has updated bind (RHEL5,6,7: denial of service), bind97 (RHEL5: denial of service), kernel (RHEL6.6: information leak), and kvm (RHEL5: two vulnerabilities). Slackware has updated bind (denial of service). SUSE has updated bind (SLE12-SP1; SLES12; SOSC5, SMP2.1, SM2.1, SLE11-SP4: denial of service), mariadb (SLE12-SP1; SLES12: SQL injection/privilege escalation), openssl (SLE12-SP1: multiple vulnerabilities), and php5 (SLESDK12-SP1, SLEM12: multiple vulnerabilities). Ubuntu has updated bind9 (denial of service) and Pillow (14.04: multiple vulnerabilities).
Firefox OS, B2G OS, and Gecko
Ari Jaaksi and David Bryant posted a note to the B2G (Boot to Gecko) OS community looking at the end of Firefox OS development and at what happens to the code base going forward. "In the spring and summer of 2016 the Connected Devices team dug deeper into opportunities for Firefox OS. They concluded that Firefox OS TV was a project to be run by our commercial partner and not a project to be led by Mozilla. Further, Firefox OS was determined to not be sufficiently useful for ongoing Connected Devices work to justify the effort to maintain it. This meant that development of the Firefox OS stack was no longer a part of Connected Devices, or Mozilla at all. Firefox OS 2.6 would be the last release from Mozilla. Today we are announcing the next phase in that evolution. While work at Mozilla on Firefox OS has ceased, we very much need to continue to evolve the underlying code that comprises Gecko, our web platform engine, as part of the ongoing development of Firefox. In order to evolve quickly and enable substantial new architectural changes in Gecko, Mozilla’s Platform Engineering organization needs to remove all B2G-related code from mozilla-central. This certainly has consequences for B2G OS. For the community to continue working on B2G OS they will have to maintain a code base that includes a full version of Gecko, so will need to fork Gecko and proceed with development on their own, separate branch." (Thanks to Paul Wise.)
Tuesday's security updates
Arch Linux has updated gnutls (certificate verification bypass), lib32-gnutls (certificate verification bypass), lib32-openssl (multiple vulnerabilities), openssl (multiple vulnerabilities), and wireshark-cli (multiple vulnerabilities). Debian has updated jackrabbit (cross-site request forgery) and python-django (cross-site request forgery). Debian-LTS has updated firefox-esr (multiple vulnerabilities). Fedora has updated community-mysql (F24: SQL injection/privilege escalation). openSUSE has updated firefox, nss (13.1: multiple vulnerabilities) and openssl (13.2: multiple vulnerabilities). Red Hat has updated openssl (RHEL6,7: multiple vulnerabilities). Slackware has updated openssl (denial of service). SUSE has updated openssl (SLES12: multiple vulnerabilities). Ubuntu has updated python-django (cross-site request forgery).
[$] Systemd programming, 30 months later
Some time ago, we published a pair of articles about systemd programming that extolled the value of providing high-quality unit files in upstream packages. The hope was that all distributions would use them and that problems could be fixed centrally rather than each distribution fixing its own problems independently. Now, 30 months later, it seems like a good time to see how well that worked out for nfs-utils, the focus of much of that discussion. Did distributors benefit from upstream unit files, and what sort of problems were encountered?
Announcing the KDE Advisory Board
KDE e.V. introduces the KDE Advisory Board. "One of the core goals of the Advisory Board is to provide KDE with insights into the needs of the various organizations that surround us. We are very aware that we need the ability to combine our efforts for greater impact and the only way we can do that is by adopting a more diverse view from outside of our organization on topics that are relevant to us. This will allow all of us to benefit from one another's experience."
Security advisories for Monday
Debian has updated imagemagick (code execution), libarchive (three vulnerabilities), openssl (regression in previous update), and unadf (two vulnerabilities). Debian-LTS has updated dropbear (two vulnerabilities), dwarfutils (two vulnerabilities), mactelnet (code execution), openssl (multiple vulnerabilities), and policycoreutils (sandbox escape). Fedora has updated bash (F24; F23: code execution) and firefox (F24; F23: multiple vulnerabilities). Gentoo has updated bundler (installs malicious gem files) and qemu (multiple vulnerabilities). Mageia has updated gdk-pixbuf2.0 (denial of service), golang (denial of service), libarchive (file overwrite), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), and wireshark (multiple vulnerabilities). openSUSE has updated curl (Leap42.1: multiple vulnerabilities), flash-player (13.1: multiple vulnerabilities), gd (Leap42.1: multiple vulnerabilities), gtk2 (Leap42.1; 13.2: code execution), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), samba (Leap42.1: crypto downgrade), thunderbird (13.1: multiple vulnerabilities), tiff (13.1: multiple vulnerabilities), and wpa_supplicant (Leap42.1: multiple vulnerabilities). Slackware has updated php (multiple vulnerabilities). Ubuntu has updated openssl (regression in previous update).
OpenSSL security advisory for September 26
This OpenSSL security advisory is notable in that it's the second one in four days; sites that updated after the first one may need to do so again. "This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification."
Kernel prepatch 4.8-rc8
The 4.8-rc8 kernel prepatch is out. "Things actually did start to calm down this week, but I didn't get the feeling that there was no point in doing one final rc, so here we are. I expect the final 4.8 release next weekend, unless something really unexpected comes up."
Prodromou: Adopt a pump.io server
Evan Prodromou, creator of identi.ca and pump.io, has put a call out for interested parties to adopt the administration of public pump.io microblogging servers, which he is currently funding out of his own pocket. "Almost all of them are on $5/month Digital Ocean droplets, which makes them relatively cheap for a single person to support. If you decide you want to adopt a server, E14N will sell you the domain and all the software and data for $1. But you'll be obligated to keep the server running pump.io for at least a year, and if you decide you don't want to run it, you have to sell it back to me." There are currently around 25 servers in the federated network initially started by Prodromou, which does not count other pump.io instances. He notes that one important exception is the identi.ca site, which is significantly larger than the rest, and which he would like to find a trusted non-profit organization to maintain.
Stable kernel updates 4.7.5 and 4.4.22
The 4.7.5 and 4.4.22 stable kernel updates are available. These are relatively large updates containing the usual important fixes.
Mitchell: The MIT License, Line by Line
At his blog, Kyle E. Mitchell ("who is not your attorney") takes a close, line-by-line reading of the popular MIT software license. The details he points out begin on line one with the license's title: "'The MIT License' is not a single license, but a family of license forms derived from language prepared for releases from the Massachusetts Institute of Technology. It has seen a lot of changes over the years, both for the original projects that used it, and also as a model for other projects. The Fedora Project maintains a kind of cabinet of MIT license curiosities, with insipid variations preserved in plain text like anatomical specimens in formaldehyde, tracing a wayward kind of evolution." Despite the license being only 171 words, Mitchell finds quite a bit to expand on, such as the ambiguities of the phrase "to deal in the Software without restriction": "As a result of this mishmash of legal, industry, general-intellectual-property, and general-use terms, it isn’t clear whether The MIT License includes a patent license. The general language 'deal in' and some of the example verbs, especially 'use', point toward a patent license, albeit a very unclear one. The fact that the license comes from the copyright holder, who may or may not have patent rights in inventions in the software, as well as most of the example verbs and the definition of 'the Software' itself, all point strongly toward a copyright license." Nevertheless, Mitchell notes, "despite some crusty verbiage and lawyerly affectation, one hundred and seventy one little words can get a hell of a lot of legal work done."
Friday's security updates
Debian has updated firefox-esr (multiple vulnerabilities). Debian-LTS has updated wordpress (multiple vulnerabilities). Fedora has updated distribution-gpg-keys (F23: privilege escalation), mock (F23: privilege escalation), openvas-libraries (F24; F23: multiple vulnerabilities), openvas-scanner (F24; F23: denial of service), and shiro (F24: access control bypass). openSUSE has updated pdns (13.2, Leap 42.1: multiple vulnerabilities). Oracle has updated kernel (4.1.12 O6; O7: multiple vulnerabilities; 3.8.13 O7; O6: multiple vulnerabilities; 2.6.39 O6; O5: multiple vulnerabilities). Slackware has updated openssl (14.0, 14.1, 14.2, -current: multiple vulnerabilities) and pidgin (13.0, 13.1, 13.137, 14.0, 14.1: mysterious vulnerabilities). Ubuntu has updated openssl (12.04, 14.04, 16.04: multiple vulnerabilities).
Garrett: Microsoft aren't forcing Lenovo to block free operating systems
Matthew Garrett looks at the real problem behind the inability of some Lenovo laptops to run Linux. "The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred."
A pile of security updates for Thursday
Arch Linux has updated firefox (multiple vulnerabilities), irssi (code execution), and tomcat7 (proxy injection). CentOS has updated firefox (C5, C6, C7: multiple vulnerabilities). Debian has updated wireshark (LTS: dissector vulnerabilities), irssi (denial of service), and openssl (multiple vulnerabilities). Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities). Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection). openSUSE has updated opera (multiple vulnerabilities). Oracle has updated firefox (OL5, OL6, OL7: multiple vulnerabilities). Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities). Slackware has updated irssi (denial of service), pidgin (17 CVE numbers), and firefox (multiple vulnerabilities). SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability). Ubuntu has updated firefox (multiple vulnerabilities), gdk-pixbuf (code execution), irssi (denial of service), and thunderbird (code execution). Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.
[$] LWN.net Weekly Edition for September 22, 2016
The LWN.net Weekly Edition for September 22, 2016 is available.
GNOME 3.22 released
The GNOME Project has announced the release of GNOME 3.22, "Karlsruhe". "This release brings comprehensive Flatpak support. GNOME Software can install and update Flatpaks, GNOME Builder can create them, and the desktop provides portal implementations to enable sandboxed applications. Improvements to core GNOME applications include support for batch renaming in Files, sharing support in GNOME Photos, an updated look for GNOME Software, a redesigned keyboard settings panel, and many more."
[$] BBR congestion control
Congestion-control algorithms are unglamorous bits of code that allow network protocols (usually TCP) to maximize the throughput of any given connection while simultaneously sharing the available bandwidth equitably with other users. New algorithms tend not to generate a great deal of excitement; the addition of TCP New Vegas during the 4.8 merge window drew little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT) algorithm just released by Google, though, is attracting rather more attention; it moves away from the mechanisms traditionally used by these algorithms in an attempt to get better results in a network characterized by wireless links, meddling middleboxes, and bufferbloat.
Security advisories for Wednesday
Arch Linux has updated curl (code execution), lib32-curl (code execution), and lib32-jansson (denial of service). Debian has updated wireshark (multiple vulnerabilities). Debian-LTS has updated unadf (two vulnerabilities). Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities). SUSE has updated mysql (SLE11-SP3,4: multiple unspecified vulnerabilities).
CouchDB 2.0 released
The Apache CouchDB database project has announced its 2.0 release. New features include clustering support, a new query language, a new administrative interface, and more. "CouchDB 2.0 is 99% API compatible with the 1.x series and most applications should continue to just work."
The curious case of the switch statement (fuzzy notepad)
The fuzzy notepad blog is carrying a post about the switch statement with just about everything one might want to know about its past, present, and possible future. "As we’ve seen, the switch statement has had basically the same form for 49 years. The special case labels are based on syntax derived directly from fixed-layout FORTRAN on punchcards in 1957, several months before my father was born. I hate it."
Catanzaro: GNOME 3.22 core apps
Michael Catanzaro lays down the rules for which GNOME applications distributions should package if they want to claim to provide a "pure GNOME experience." "Selecting the right set of default applications is critical to achieving a quality user experience. Installing redundant or overly technical applications by default can leave users confused and frustrated with the distribution. Historically, distributions have selected wildly different sets of default applications. There’s nothing inherently wrong with this, but it’s clear that some distributions have done a much better job of this than others."
[$] The NTP pool system
NTP, the Network Time Protocol, quietly and without much fuss performs the critical internet function of knowing the correct time. Using it, a computer with imperfect communications links may join a distributed community of servers, each of which is either directly attached to a reliable clock, or is trying to best synchronize its clock to one or more better-synchronized members of the community. The NTP pool system has arisen as a method of providing such a community to the internet; it works well, but is not without its challenges.
Campos: WebKitGTK+ 2.14
Carlos Garcia Campos takes a look at the latest stable release of WebKitGTK+. "[The threaded compositor] is the most important change introduced in WebKitGTK+ 2.14 and what kept us busy for most of this release cycle. The idea is simple, we still render everything in the web process, but the accelerated compositing (all the OpenGL calls) has been moved to a secondary thread, leaving the main thread free to run all other heavy tasks like layout, JavaScript, etc. The result is a smoother experience in general, since the main thread is no longer busy rendering frames, it can process the JavaScript faster improving the responsiveness significantly." This release is also considered feature complete in Wayland.
Security updates for Tuesday
CentOS has updated kernel (C7: three vulnerabilities). openSUSE has updated file-roller (Leap42.1, 13.2: file deletion), openssh (Leap42.1: two vulnerabilities), and php5 (13.2: multiple vulnerabilities). Ubuntu has updated kernel (16.04: three vulnerabilities), kernel (14.04: two vulnerabilities), kernel (12.04: code execution), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-xenial (14.04: three vulnerabilities), linux-raspi2 (16.04: three vulnerabilities), linux-snapdragon (16.04: three vulnerabilities), linux-ti-omap4 (12.04: code execution), and tomcat6, tomcat7, tomcat8 (privilege escalation).
LLVM contemplates relicensing
The LLVM project is currently distributed under the BSD-like NCSA license, but the project is considering a change in the interest of better patent protection. "After extensive discussion involving many lawyers with different affiliations, we recommend taking the approach of using the Apache 2.0 license, with the binary attribution exception (discussed before), and add an additional exception to handle the situation of GPL2 compatibility if it ever arises."
Security advisories for Monday
Arch Linux has updated chromium (multiple vulnerabilities), jansson (denial of service), lib32-libgcrypt (flawed random number generation), and php (multiple vulnerabilities). Debian-LTS has updated curl (code execution), jackrabbit (cross-site request forgery), pdns (multiple denial of service flaws), php5 (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), and zookeeper (buffer overflow). Fedora has updated chromium (F24: multiple vulnerabilities), distribution-gpg-keys (F24: privilege escalation), GraphicsMagick (F23: multiple vulnerabilities), jasper (F24: denial of service), mingw-openjpeg2 (F24; F23: out-of-bounds write), mock (F24: privilege escalation), moin (F24: unspecified vulnerability from 2014), openjpeg2 (F23: out-of-bounds write), and php-adodb (F24; F23: cross-site scripting). SUSE has updated php53 (SLES11-SP2: multiple vulnerabilities).
Emacs 25.1 released
Version 25.1 of the Emacs editor is available. New features include a dynamic module loader, experimental Cairo drawing, better TLS certificate validation, better Unicode input, a mechanism for embedding widgets within buffers, and more.
Kernel prepatch 4.8-rc7
The 4.8-rc7 kernel prepatch is out. "Normally rc7 is the last in the series before the final release, but by now I'm pretty sure that this is going to be one of those releases that come with an rc8. Things didn't calm down as much as I would have liked, there are still a few discussions going on, and it's just unlikely that I will feel like it's all good and ready for a final 4.8 next Sunday."
Coghlan: The Python packaging ecosystem
Here's a lengthy piece from Nick Coghlan on how Python software gets to users. "There have been a few recent articles reflecting on the current status of the Python packaging ecosystem from an end user perspective, so it seems worthwhile for me to write-up my perspective as one of the lead architects for that ecosystem on how I characterise the overall problem space of software publication and distribution, where I think we are at the moment, and where I'd like to see us go in the future."
Bash 4.4 and Readline 7.0 released
The GNU Bourne Again SHell (Bash) project has released version 4.4 of the tool. It comes with a large number of bug fixes as well as new features: "The most notable new features are mapfile's ability to use an arbitrary record delimiter; a --help option available for nearly all builtins; a new family of ${parameter@spec} expansions that transform the value of `parameter'; the `local' builtin's ability to save and restore the state of the single-letter shell option flags around function calls; a new EXECIGNORE variable, which adds the ability to specify names that should be ignored when searching for commands; and the beginning of an SDK for loadable builtins, which consists of a set of headers and a Makefile fragment that can be included in projects wishing to build their own loadable builtins, augmented by support for a BASH_LOADABLES_PATH variable that defines a search path for builtins loaded with `enable -f'. The existing loadable builtin examples are now installed by default with `make install'." In addition, the related Readline command-line editing library project has released Readline 7.0.
Friday's security advisories
CentOS has updated libarchive (C7; C6: multiple vulnerabilities, some from 2015). Debian has updated tomcat7 (privilege escalation) and tomcat8 (privilege escalation). Debian-LTS has updated mysql-5.5 (privilege escalation). Fedora has updated curl (F24: code execution). Mageia has updated cracklib (code execution), dropbear (three code execution flaws), jasper (two vulnerabilities from 2015), krb5 (denial of service), lcms2 (information leak), mediawiki (multiple vulnerabilities), openvpn (information leak), perl-DBD-mysql (two code execution flaws from 2014 and 2015), and perl-XSLoader (code execution). openSUSE has updated opera (42.1: multiple vulnerabilities) and tiff (42.1: multiple vulnerabilities, three from 2015). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities). Scientific Linux has updated kernel (SL7: three vulnerabilities). Slackware has updated curl (code execution).