LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-25 20:30
Ubuntu Community Council election results posted
The 2015 Ubuntu Community Council (CC) elections have been concluded. The results of the vote, as announced on the Ubuntu Fridge blog, are the seven individuals who will serve on the CC for the next two years: Daniel Holbach, Laura Czajkowski, Svetlana Belkin, Michael Hall, Scarlett Clark, C de-Avillez, and Marco Ceppi. A detailed account of the ballot results, complete with links to each candidate's biographical page, is also online.
Friday's security updates
CentOS has updated thunderbird (C5; C6: multiple vulnerabilities). Debian-LTS has updated libcommons-collections3-java (code execution) and smokeping (cross-site scripting). Fedora has updated libxml2 (F23: multiple vulnerabilities) and pcre (F23: denial of service). Mageia has updated libsndfile (M5: buffer overflow), libxml2 (M5: multiple vulnerabilities), python-m2crypto (M5: denial of service), python-pygments (M5: command injection), and tigervnc (M5: multiple vulnerabilities).
Thanksgiving day security updates
Happy Thanksgiving to those who celebrate it, from all of us here at LWN. Happy November 26 to everyone else :) Debian has updated dpkg (code execution), nspr (code execution), python-django (information disclosure), and smokeping (code execution). Debian-LTS has updated eglibc (two vulnerabilities), python-django (information disclosure), and redmine (multiple vulnerabilities). Fedora has updated abrt (F21: information disclosure), jenkins (F22: three vulnerabilities), jenkins-remoting (F22: three vulnerabilities), and libreport (F21: information disclosure). openSUSE has updated libpng12 (13.2, 13.1: two vulnerabilities), libpng16 (13.2, 13.1: denial of service), and strongswan (authentication bypass). Oracle has updated abrt and libreport (OL7: multiple vulnerabilities), glibc (OL7; OL7: multiple vulnerabilities), kernel (OL7: multiple vulnerabilities), NetworkManager (OL7: denial of service), sssd (OL7: unspecified), and tigervnc (OL7: two vulnerabilities). Red Hat has updated git19-git (RHSC2: code execution), java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities), ntp (RHEL6: denial of service), and thunderbird (multiple vulnerabilities). SUSE has updated kernel (SLE11SP3: multiple vulnerabilities). Ubuntu has updated dpkg (code execution) and openjdk-7 (15.10, 15.04, 14.04: unspecified vulnerability).
Software Freedom Conservancy Launches 2015 Fundraiser
Software Freedom Conservancy has announced a major fundraising effort. "Pointing to the difficulty of relying on corporate funding while pursuing important but controversial issues, like GPL compliance, Conservancy has structured its fundraiser to increase individual support. The organization needs at least 750 annual Supporters to continue its basic community services and 2500 to avoid hibernating its enforcement efforts. If Conservancy does not meet its goals, it will be forced to radically restructure and wind down a substantial portion of its operations."
Security advisories for Wednesday
Debian has updated libcommons-collections3-java (unsanitized input data) and symfony (two vulnerabilities). Debian-LTS has updated putty (memory corruption). Fedora has updated grub2 (F23: Secure Boot circumvention), krb5 (F21: multiple vulnerabilities), libpng10 (F23; F22; F21: two vulnerabilities), sblim-sfcb (F23; F22; F21: denial of service), and wpa_supplicant (F22: denial of service). Slackware has updated pcre (code execution). SUSE has updated linux-3.12.32 (SLELP12: two vulnerabilities), linux-3.12.36 (SLELP12: two vulnerabilities), linux-3.12.38 (SLELP12: two vulnerabilities), linux-3.12.39 (SLELP12: two vulnerabilities), linux-3.12.43 (SLELP12: two vulnerabilities), linux-3.12.44 (SLELP12: two vulnerabilities), and linux-3.12.44 (SLELP12: two vulnerabilities). Ubuntu has updated icedtea-web (15.10, 15.04, 14.04: applet execution) and python-django (15.10, 15.04, 14.04, 12.04: information disclosure).
[$] A journal for MD/RAID5
RAID5 support in the MD driver has been part of mainline Linux since 2.4.0 was released in early 2001. During this time it has been used widely by hobbyists and small installations, but there has been little evidence of any impact on the larger or "enterprise" sites. Anecdotal evidence suggests that such sites are usually happier with so-called "hardware RAID" configurations where a purpose-built computer, whether attached by PCI or fibre channel or similar, is dedicated to managing the array. This situation could begin to change with the 4.4 kernel, which brings some enhancements to the MD driver that should make it more competitive with hardware-RAID controllers.
Security updates for Tuesday
Debian-LTS has updated openjdk-6 (multiple vulnerabilities). Fedora has updated libsndfile (F22; F21: buffer overflow), mingw-freeimage (F23; F22: integer overflow), rpm (F23: denial of service), wpa_supplicant (F21: denial of service), and zarafa (F21: two vulnerabilities, one from 2012). Oracle has updated autofs (OL7: privilege escalation), binutils (OL7: multiple vulnerabilities), chrony (OL7: multiple vulnerabilities), cpio (OL7: denial of service), cups-filters (OL7: multiple vulnerabilities), curl (OL7: multiple vulnerabilities), file (OL7: multiple vulnerabilities), grep (OL7: heap buffer overrun), grub2 (OL7: Secure Boot circumvention), krb5 (OL7: two vulnerabilities), libreport (OL6: data leak), libssh2 (OL7: information leak), net-snmp (OL7: denial of service), netcf (OL7: denial of service), ntp (OL7: multiple vulnerabilities), openhpi (OL7: world writable /var/lib/openhpi directory), openldap (OL7: unintended cipher usage), openssh (OL7: two vulnerabilities), python (OL7: multiple vulnerabilities), rest (OL7: denial of service), rubygem-bundler and rubygem-thor (OL7: installs malicious gem files), squid (OL7: certificate validation bypass), unbound (OL7: denial of service), wireshark (OL7: multiple vulnerabilities), and xfsprogs (OL7: information disclosure). Scientific Linux has updated libreport (SL6: data leak). SUSE has updated firefox (SLES10SP4: multiple vulnerabilities).
Red Hat Enterprise Linux 7.2
Red Hat has announced the release of Red Hat Enterprise Linux 7.2. "New features and capabilities focus on security, networking, and system administration, along with a continued emphasis on enterprise-ready tooling for the development and deployment of Linux container-based applications. In addition, Red Hat Enterprise Linux 7.2 includes compatibility with the new Red Hat Insights, an add-on operational analytics offering designed to increase IT efficiency and reduce downtime through the proactive identification of known risks and technical issues."
Security advisories for Monday
Debian has updated openjdk-7 (unspecified vulnerability). Fedora has updated cyrus-imapd (F21: largely unspecified), gdm (F23: denial of service), jenkins (F23: multiple vulnerabilities), jenkins-remoting (F23: multiple vulnerabilities), kernel (F21: multiple vulnerabilities), libpng (F23: denial of service), m2crypto (F21: denial of service), pdns (F21: denial of service), perl-IPTables-Parse (F21: predictable temporary file names), postgresql (F22: two vulnerabilities), python-rauth (F23: unspecified vulnerability), and xen (F23; F22; F21: denial of service). openSUSE has updated Chromium (SUSE Package Hub for SLE12; Leap42.1, 13.2, 13.1: information leak), docker (Leap42.1: two vulnerabilities), and miniupnpc (Leap42.1, 13.2, 13.1: code execution). Red Hat has updated abrt, libreport (RHEL7: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), java-1.8.0-ibm (RHEL7: multiple vulnerabilities), and libreport (RHEL6: data leak).
Gräßlin: Looking at the security of Plasma/Wayland
Martin Gräßlin looks at the security of the Plasma desktop running under Wayland; it's better than X11, but with some ground yet to cover. "Now imagine you want to write a key logger in a Plasma/Wayland world. How would you do it? I asked myself this question recently, thought about it, found a possible solution and had a key logger in less than 10 minutes: ouch."
GIMP is 20 Years Old, What’s Next? (Libre Graphics World)
This Libre Graphics World article looks at the challenges faced by the 20-year-old GIMP project. "If you've been following GIMP's progress over recent years, you couldn't help yourself noticing the decreasing activity in terms of both commits (a rather lousy metric) and amount of participants (a more sensible one). 'GIMP is dying', say some. 'GIMP developers are slacking', say others. 'You've got to go for crowdfunding' is yet another popular notion. And no matter what, there's always a few whitebearded folks who would blame the team for not going with changes from the FilmGIMP branch. So what's actually going on and what's the outlook for the project?"
Kernel prepatch 4.4-rc2
The second 4.4 prepatch is out for testing. Linus says: "Things are looking fairly normal in 4.4-land, with no huge surprises in rc2. There were a couple of late features: parisc hugepage support and some late slub bulk allocator patches were not only merged at the end of the week, but they strictly speaking should have been merge window things."
Poettering: Introducing sd-event
Lennart Poettering introduces the sd-event API for the implementation of event loops. "sd-event.h, of course, is not the first event loop API around, and it doesn't implement any really novel concepts. When we started working on it we tried to do our homework, and checked the various existing event loop APIs, maybe looking for candidates to adopt instead of doing our own, and to learn about the strengths and weaknesses of the various implementations existing. Ultimately, we found no implementation that could deliver what we needed, or where it would be easy to add the missing bits: as usual in the systemd project, we wanted something that allows us access to all the Linux-specific bits, instead of limiting itself to the least common denominator of UNIX."
Friday's security updates
Debian has updated lxc (code execution). Debian-LTS has updated nspr (code execution). Mageia has updated dovecot (M5: denial of service), gcc (M5: predictable random values), kernel (M5: multiple vulnerabilities), latex2rtf (M5: code execution), libpng/libpng12 (M5: denial of service), and uglify-js (M5: malicious code obfuscation). openSUSE has updated krb5 (13.1, 13.2: memory corruption) and libksba (13.1, 13.2: denial of service). Red Hat has updated autofs (RHEL7: privilege escalation), binutils (RHEL7: multiple vulnerabilities), chrony (RHEL7: multiple vulnerabilities), cpio (RHEL7: code execution), cups-filters (RHEL7: multiple vulnerabilities), curl (RHEL7: multiple vulnerabilities), file (RHEL7: multiple vulnerabilities), glibc (RHEL7: multiple vulnerabilities; RHEL7: privilege escalation), grep (RHEL7: heap buffer overrun), grub2 (RHEL7: Secure Boot circumvention), kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libssh2 (RHEL7: denial of service), net-snmp (RHEL7: denial of service), netcf (RHEL7: denial of service), NetworkManager (RHEL7: multiple vulnerabilities), ntp (RHEL7: multiple vulnerabilities), openhpi (RHEL7: world writable /var/lib/openhpi directory), openldap (RHEL7: unintended cipher usage), openssh (RHEL7: multiple vulnerabilities), pacemaker (RHEL7: privilege escalation), pcs (RHEL7: denial of service), python (RHEL7: multiple vulnerabilities), realmd (RHEL7: unsanitized input), rest (RHEL7: denial of service), rubygem-bundler, rubygem-thor (RHEL7: code execution), squid (RHEL7: certificate validation bypass), sssd (RHEL7: memory leak), tigervnc (RHEL7: multiple vulnerabilities), unbound (RHEL7: denial of service), wireshark (RHEL7: multiple vulnerabilities), and xfsprogs (RHEL7: information leak). Ubuntu has updated libpng (multiple vulnerabilities).
Garrett: If it's not practical to redistribute free software, it's not free software in practice
Matthew Garrett continues his campaign against Canonical's "intellectual property rights policy". "The reality is that if Debian had had an identical policy in 2004, Ubuntu wouldn't exist. The effort required to strip all Debian trademarks from the source packages would have been immense, and this would have had to be repeated for every release. While this policy is in place, nobody's going to be able to take Ubuntu and build something better."
Pitivi 0.95 released
The Pitivi 0.95 release is out, bringing a lot of changes to this longstanding video editor project. "This one packs a lot of bugfixes and architectural work to further stabilize the GES backend. In this blog post, I’ll give you an overview of the new and interesting stuff this release brings, coming out from a year of hard work. It’s pretty epic and you’re in for a few surprises, so I suggest listening to this song while you’re reading this blog post."
Detectify: Chrome Extensions – AKA Total Absence of Privacy
The "Detectify Labs" site has put up alengthy analysis of the user tracking taking place in many Chromebrowser extensions. "Google, claiming that Chrome is the safest webbrowser out there, is actually making it very simple for extensions to hidehow aggressively they are tracking their users. We have also discoveredexactly how intrusive this sort of tracking actually is and how thesetracking companies actually do a lot of things trying to hide it. Due tothe fact that the gathering of data is made inside an extension, all otherextensions created to prevent tracking (such as Ghostery) are completelybypassed." At the end they note that the situation with Firefox isnot a whole lot better.
Nmap 7 released
Version 7 of the Nmap security scanner has been released. "It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever."
Langridge: No UI is some UI
At his blog, Stuart Langridge takes issue with a recent Medium post by Tony Aubé titled No UI is the New UI. Aubé's premise is that "invisible" applications—those that use text-messaging or voice-recognition rather than on-screen interfaces—are the future of UI design. Langridge, however, contends that "until very recently, and honestly pretty much still, a computer can’t understand the nuance of language. So 'use language to control computers' meant 'learn the computer’s language', not 'the computer learns yours'." More to the point, "understanding you is laughably incomplete and is obviously the core of the problem, although explaining one’s ideas and being understood by people is also the core problem of civilisation and we haven’t cracked that one yet either." There is less reason to be optimistic about language-based interfaces, he concludes: "I will say that point-and-grunt is not a very sophisticated way of communicating, but it may be all that technology can currently understand."
Thursday's security updates
CentOS has updated java-1.6.0-openjdk (C6; C5; C7: multiple vulnerabilities) and postgresql (C6; C7: multiple vulnerabilities). Debian has updated libpng (multiple vulnerabilities). Debian-LTS has updated strongswan (authentication bypass). Fedora has updated kernel (F23; F22: ), krb5 (F22: multiple vulnerabilities), m2crypto (F23; F22: denial of service), monitorix (F23; F22: multiple vulnerabilities), perl-IPTables-Parse (F23; F22: predictable temporary file names), python-django (F23: multiple vulnerabilities), and rpcbind (F22: denial of service). openSUSE has updated xscreensaver (13.1, 13.2, Leap 42.1: denial of service). Oracle has updated java-1.6.0-openjdk (O7; O6; O5: multiple vulnerabilities) and postgresql (O7; O6: multiple vulnerabilities). Red Hat has updated java-1.6.0-openjdk (RHEL 5,6,7: multiple vulnerabilities), postgresql (RHEL 6; RHEL7: multiple vulnerabilities), postgresql92-postgresql (RHSC 2: multiple vulnerabilities), and rh-postgresql94-postgresql (RHSC 2: multiple vulnerabilities). Scientific Linux has updated java-1.6.0-openjdk (multiple vulnerabilities) and postgresql (SL6; SL7: multiple vulnerabilities). Ubuntu has updated nvidia-graphics-drivers-352, nvidia-graphics-drivers-352-updates (privilege escalation).
[$] LWN.net Weekly Edition for November 19, 2015
The LWN.net Weekly Edition for November 19, 2015 is available.
Hiring Open Source Maintainers is Key to Stable Software Supply Chain (Linux.com)
Brian Warner talks about why Samsung has an open-source group in this Linux.com article. "If you want the full economic and technical benefit of consuming open source, you hire people who are already influential in the projects that matter to you. You then ask them to continue doing exactly what they do: write great code, manage great releases, and contribute to the overall stability of the project. This is the single best way to ensure stability and predictability in your software supply chain."
Security advisories for Wednesday
Arch Linux has updated jenkins (multiple vulnerabilities). Debian-LTS has updated libpng (multiple vulnerabilities) and openafs (multiple vulnerabilities). Fedora has updated cyrus-imapd (F22: information disclosure) and pdns (F22: denial of service). openSUSE has updated dracut (13.2: unspecified vulnerability) and putty (Leap42.1, 13.2, 13.1: memory corruption). Red Hat has updated nss, nss-util, nspr (RHEL6.2, 6.4, 6.5, 6.6: code execution). Ubuntu has updated lxcfs (15.10, 15.04: privilege escalation).
Microsoft's Visual Studio Code open-sourced
Microsoft has announced that its Visual Studio Code tool is now available under the MIT license. "Code combines the streamlined UI of a modern editor with rich code assistance and navigation, and an integrated debugging experience – without the need for a full IDE." The code for Code can be found in its GitHub repository.
[$] Supporting secure DNS in glibc
One of the many weak links in Internet security is the domain name system (DNS); it is subject to attacks that, among other things, can mislead applications regarding the IP address of a system they wish to connect to. That, in turn, can cause connections to go to the wrong place, facilitating man-in-the-middle attacks and more. The DNSSEC protocol extensions are meant to address this threat by setting up a cryptographically secure chain of trust for DNS information. When DNSSEC is set up properly, applications should be able to trust the results of domain lookups. As the discussion over an attempt to better integrate DNSSEC into the GNU C Library shows, though, ensuring that DNS lookups are safe is still not a straightforward problem.
Red Hat delivers Software Collections 2.1
Red Hat has announced the availability of Red Hat Software Collections 2.1. Red Hat Developer Toolset 4 was also released. "Applications built with Red Hat Software Collections can be deployed into production with greater confidence, as most software collections and components are supported for three years. In addition to Red Hat Enterprise Linux 6 and 7, applications built with Red Hat Software Collections can also be deployed to Red Hat Enterprise Linux Atomic Host and OpenShift, Red Hat’s Platform-as-a-Service (PaaS) offering, giving more choice and flexibility for application portfolios."
Security advisories for Tuesday
Arch Linux has updated lib32-libpng (two vulnerabilities) and libpng (two vulnerabilities). CentOS has updated xen (C5: code execution). Fedora has updated cyrus-imapd (F23: information disclosure), pdns (F23: denial of service), python-pygments (F23: shell execution), and webkitgtk4 (F23: two vulnerabilities). Gentoo has updated adobe-flash (multiple vulnerabilities). Mageia has updated chromium-browser-stable (information leak), iceape (multiple vulnerabilities), krb5 (code execution), and mariadb (multiple vulnerabilities). openSUSE has updated xen (13.2: multiple vulnerabilities). Oracle has updated xen (OL5: code execution). Red Hat has updated xen (RHEL5: code execution). Scientific Linux has updated xen (SL5: code execution). SUSE has updated krb5 (SLEDebuginfo11SP3: denial of service). Ubuntu has updated libxml2 (multiple vulnerabilities) and strongswan (15.10, 15.04, 14.04: authentication bypass).
Security advisories for Monday
Debian has updated freexl (regression in previous update) and strongswan (authentication bypass). Fedora has updated dovecot (F23; F22; F21: buffer overflow), drupal7-jquery_update (F23; F22; F21: open redirect attack), libsedml (F23; F22: hardened builds), libsndfile (F23: buffer overflow), MUMPS (F23; F22; F21: hardened builds), openms (F23; F22: hardened builds), owncloud (F23; F22; F21: unspecified vulnerabilities), snappy-player (F23; F22; F21: denial of service), telegram-cli (F23; F22: hardened builds), tubo (F23; F22; F21: hardened builds), and wildmagic5 (F23; F22; F21: hardened builds). openSUSE has updated krb5 (Leap42.1: multiple vulnerabilities), libsndfile (13.2, 13.1: multiple vulnerabilities), and python-tornado (13.1: side-channel attack). Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities). Slackware has updated seamonkey (multiple vulnerabilities).
Kernel prepatch 4.4-rc1
Linus has released the 4.4-rc1 prepatch and closed the merge window for this cycle. "Just looking at the patch itself, things look fairly normal at a high level, possibly a bit more driver-heavy than usual with about 75% of the patch being drivers, and 10% being architecture updates. The remaining 15% is documentation, filesystem, core networking (as opposed to network drivers), tooling and some core infrastructure."
A change of look
The basic form of the LWN site was first laid out in early 1998, with some tweaks when the site code was replaced in 2002; since then, it has been mostly static. Meanwhile, the web has moved on, leaving LWN looking increasingly dated, especially on small-screen devices. We have been working (sporadically) on a new layout for the last year and some, and many readers have helped us out by testing it. Now the time has come to switch to the new mode by default. Hopefully, the result is a cleaner screen and much better usability on mobile devices.
The "Clair" security scanner
CoreOS has announced the release of a container-security tool called Clair. "Clair scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the Common Vulnerabilities and Exposures database (CVE) and similar databases from Red Hat, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs."
Friday's security updates
Arch Linux has updated chromium (information leak) and putty (code execution). Debian has updated krb5 (denial of service). Fedora has updated kernel (F21: privilege escalation), openstack-ironic-discoverd (F23; F22: remote code execution), python-cryptography (F23: denial of service), python-cryptography-vectors (F23: denial of service), sddm (F22: denial of service), and wpa_supplicant (F23: denial of service). openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities). SUSE has updated MozillaFirefox, mozilla-nspr, mozilla-nss (SLE11 SP2; SLE11 SP3, SP4: multiple vulnerabilities). Ubuntu has updated krb5 (multiple vulnerabilities) and lxd (15.10: privilege escalation).
Did the FBI Pay a University to Attack Tor Users? (Tor blog)
The Tor blog is carrying a post from interim executive director Roger Dingledine that accuses Carnegie Mellon University (CMU) of accepting $1 million from the FBI to de-anonymize Tor users. "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once. Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users." Cryptographer Matthew Green has also weighed in (among others, including Forbes and Ars Technica): "If CMU really did conduct Tor de-anonymization research for the benefit of the FBI, the people they identified were allegedly not doing the nicest things. It's hard to feel particularly sympathetic. Except for one small detail: there's no reason to believe that the defendants were the only people affected."
Thursday's security advisories
Arch Linux has updated flashplugin (multiple vulnerabilities) and powerdns (denial of service). Fedora has updated lxc (F22; F21: directory traversal). Mageia has updated flash-player-plugin (multiple vulnerabilities). openSUSE has updated git (13.2, 13.1: code execution), java-1_7_0-openjdk (42.1: multiple vulnerabilities), and xen (13.1; 42.1: multiple vulnerabilities, one from 2014).
Firefox OS 2.5 developer preview
Mozilla has announced the availability of a developer preview for version 2.5 of Firefox OS. New features include an add-on mechanism, tracking protection, and more. There is also a version of the system packaged as an Android app, allowing it to be tried on an Android device without wiping Android itself. "If you’re curious to see what Firefox OS is all about, or just interested in testing out new features, the Firefox OS 2.5 Developer Preview app makes it very simple to get started with very little risk involved. By downloading the app, you can experience Firefox OS and explore many of its capabilities, without flashing hardware. If you decide you’re done trying it out, the app can be removed as simply as any other app."
[$] LWN.net Weekly Edition for November 12, 2015
The LWN.net Weekly Edition for November 12, 2015 is available.
[$] A look at darktable 2.0
The darktable project has unveiled the first release-candidate (RC) packages for its upcoming version 2.0 milestone. Darktable retains its focus as a high-end photo editor in the forthcoming release, with new features that target professional workflows and experienced users. But there are also improvements that will be appreciated by casual shutterbugs.
Security advisories for Wednesday
CentOS has updated sssd (C6: memory leak). Debian has updated wpa (multiple vulnerabilities). Fedora has updated php-udan11-sql-parser (F23; F21: content spoofing) and phpMyAdmin (F23; F21: content spoofing). Mageia has updated kernel-linus (denial of service), libreoffice (multiple vulnerabilities), putty (memory corruption), python-curl (use-after-free), and sudo (privilege escalation). Oracle has updated sssd (OL6: memory leak). Red Hat has updated flash-plugin (RHEL6; RHEL5: multiple vulnerabilities). SUSE has updated xen (SLE11SP2: multiple vulnerabilities). Ubuntu has updated linux-lts-wily (14.04: denial of service) and wpa (15.10, 15.04, 14.04: multiple vulnerabilities).
Linux Ransomware Debut Fails on Predictable Encryption Key (Bitdefender Labs)
Bitdefender Labs takes a look at Linux.Encoder.1 ransomware. "Linux.Encoder.1 is executed on the victim’s Linux box after remote attackers leverage a flaw in the popular Magento content management system app. Once executed, the Trojan looks for the /home, /root and /var/lib/mysql folders and starts encrypting their contents. Just like Windows-based ransomware, it encrypts the contents of these files using AES (a symmetric key encryption algorithm), which provides enough strength and speed while keeping system resources usage to a minimum. The symmetric key is then encrypted with an asymmetric encryption algorithm (RSA) and is prepended to the file, along with the initialization vector used by AES." Once the files are encrypted the hackers demand a fee in exchange for the RSA private key to decrypt the AES symmetric one. However, Bitdefender researchers were able to recover the AES key without having to decrypt it with the RSA private key. One can also thwart this threat with some good backups. (Thanks to Richard Moore)
Tuesday's security advisories
Debian has updated kernel (multiple vulnerabilities) and unzip (regression in previous update). Fedora has updated firefox (F21: multiple vulnerabilities), icecat (F23; F22; F21: hardened build), nspr (F21: multiple vulnerabilities), nss (F21: multiple vulnerabilities), nss-softokn (F21: multiple vulnerabilities), nss-util (F21: multiple vulnerabilities), and xen (F22; F21: multiple vulnerabilities). openSUSE has updated firefox, nspr, nss, xulrunner, seamonkey (Leap42.1, 13.2, 13.1: multiple vulnerabilities). Red Hat has updated sssd (RHEL6: memory leak). Scientific Linux has updated sssd (SL6: memory leak). Ubuntu has updated kernel (15.10; 15.04; 14.04; 12.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), and linux-lts-vivid (14.04: denial of service).
TensorFlow released
Google has released its TensorFlow machine-learning library under the Apache 2.0 license. "TensorFlow is an open source software library for numerical computation using data flow graphs. Nodes in the graph represent mathematical operations, while the graph edges represent the multidimensional data arrays (tensors) communicated between them." For those who are unfamiliar with this type of programming, this basic MNIST tutorial gives a feel for how it works with TensorFlow.
A set of stable kernel updates
The 4.2.6, 4.1.13, 3.14.57, and 3.10.93 stable kernel updates have all been released; each contains another set of important fixes.
TPP has provision banning requirements to transfer or access source code (Knowledge Ecology International)
Knowledge Ecology International looks at Article 14.17 of the Trans-Pacific Partnership (TPP), which has a provision banning requirements to transfer or provide access to software source code. "I'm wondering how the GPL fares here, and how much money Microsoft spent lobbying to get this included in the TPP, or if the NSA has a role in this. One aspect of this provision is that governments cannot insist on source code transparency, for mass market software, even to address concerns over security or interoperability."
Security updates for Monday
Debian has updated krb5 (multiple vulnerabilities). Debian-LTS has updated krb5 (multiple vulnerabilities) and php5 (multiple vulnerabilities). Fedora has updated git (F22: code execution), ipsilon (F23; F22; F21: denial of service), krb5 (F23: unspecified vulnerability), php-ZendFramework (F23; F22; F21: two vulnerabilities), rpcbind (F23: denial of service), sudo (F23; F22: privilege escalation), and xen (F23: multiple vulnerabilities). Mageia has updated kernel (denial of service), krb5 (multiple vulnerabilities), owncloud (unspecified vulnerabilities), and roundcubemail (cross-site scripting). openSUSE has updated krb5 (13.2, 13.1: multiple vulnerabilities), phpMyAdmin (Leap42.1; 13.2, 13.1: content spoofing), and polkit (Leap42.1: multiple vulnerabilities). Slackware has updated firefox (multiple vulnerabilities) and nss (code execution). Ubuntu has updated unzip (regression in previous update).
Videos from systemd.conf 2015
The videos of the talks from the inaugural systemd.conf event have been posted. There are about two-dozen talks on the development of systemd itself and systems that use it.
Trinity 1.6 released
Dave Jones has announced, at long last, a new release of the Trinity kernel fuzz-testing tool. "At last week's kernel summit, a number of people expressed just how useful they find Trinity and how much they were bummed to find out I wasn’t working on it any more. With that feedback, I felt motivated to clean the decks and get 1.6 out."
[$] A new Mindcraft moment?
It is not often that Linux kernel development attracts the attention of a mainstream newspaper like The Washington Post; lengthy features on the kernel community's approach to security are even more uncommon. So when just such a feature hit the net, it attracted a lot of attention. This article has gotten mixed reactions, with many seeing it as a direct attack on Linux. The motivations behind the article are hard to know, but history suggests that we may look back on it as having given us a much-needed push in a direction we should have been going for some time.
Friday's security updates
Arch Linux has updated nspr (code execution) and nss (code execution). Debian has updated libreoffice (multiple vulnerabilities). Fedora has updated drupal7 (F22: open redirect), mediawiki (F21; F22; F23: multiple vulnerabilities), python-pycurl (F23: use-after-free vulnerability), and xscreensaver (F21; F22: denial of service). Mageia has updated libebml (M5: multiple vulnerabilities), libtorrent-rasterbar (M5: code execution), libxml2 (M5: denial of service), libxslt (M5: denial of service), sddm (M5: denial of service), util-linux (M5: denial of service), and xscreensaver (M5: denial of service). SUSE has updated MozillaFirefox, mozilla-nspr, mozilla-nss (SLE12: multiple vulnerabilities). Ubuntu has updated kernel (12.04; 14.04; 15.04: multiple vulnerabilities), libreoffice (12.04, 14.04, 15.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
Kernel Self Protection Project
Kees Cook has announced the Kernel Self Protection Project, which is meant to be "a community of people to work on the various kernel self-protection technologies (most of which are found in PaX and Grsecurity)". This is an outgrowth of his Kernel Summit talk about incorporating hardening and self-protection features into the mainline kernel. "Between the companies that recognize the critical nature of this work, and with Linux Foundation's Core Infrastructure Initiative happy to start funding specific work in this area, I think we can really make a dent." He is looking for others who are also interested in doing some of this work.
The kernel of the argument (Washington Post)
The Washington Post has a lengthy look into an unusual subject for the mainstream press: Linux kernel security. There are quotes from Linus Torvalds and others in the kernel community along with some from various security researchers. The thrust seems to be that the kernel has been slow to adopt defensive mechanisms, which is a topic that also came up at the Kernel Summit. "The rift between Torvalds and security experts is a particular source of worry for those who see Linux becoming the dominant operating system at a time when technology is blurring the borders between the online and offline worlds. Much as Windows long was the standard for personal computers, Linux runs on most of the Internet’s servers. It also operates on medical equipment, sensitive databases and computers on many kinds of vehicles, including tiny drones and warships. 'If you don’t treat security like a religious fanatic, you are going to be hurt like you can't imagine. And Linus never took seriously the religious fanaticism around security,' said Dave Aitel, a former National Security Agency research scientist and founder of Immunity, a Florida-based security company."