LWN.net

The LWN.net Weekly Edition for December 15, 2016 is available.

The Domain Name System (DNS) is an amazing technological achievement,but it suffers from a historical excess of trust, which makes itpossible for people who rely on it to be lied to. The DNS Security Extensions (formally DNSSEC-bis, more usually justDNSSEC) are a mechanism for including robust trust information withinthe DNS. Here we discuss briefly what DNSSEC does, how it does it,and how (and whether) you can use it to secure your domains.

Version 3.1 of theKrita image editor is available. "Krita 3.1 is the result ofhalf a year of intense work and contains many new features, performanceimprovements and bug fixes. It’s now possible to use render animations(using ffmpeg) to gif or various video formats. You can use a curve editorto animate properties. Soft-proofing was added for seeing how your artworkwill look in print. A new color picker that allows selecting wide-gamutcolors. There is also a new brush engine that paints fast on largecanvases, a stop-based gradient editor." See the releasenotes for more information.

Arch Linux has updated firefox (multiple vulnerabilities), linux-zen (denial of service), python-html5lib (cross-site scripting), and python2-html5lib (cross-site scripting).Debian has updated apt (code execution) and firefox-esr (multiple vulnerabilities).Debian-LTS has updated chrony (packet modification).Fedora has updated lxc (F25; F24; F23: directory traversal) and roundcubemail (F24; F23: code execution).openSUSE has updated gc(Leap42.2, 42.1: code execution), gstreamer-0_10-plugins-bad (Leap42.1, 13.2:code execution), kernel (13.1: privilegeescalation), tomcat (Leap42.2; Leap42.1: multiple vulnerabilities), w3m (Leap42.2, 42.1: multiplevulnerabilities), and xen (Leap42.2: multiple vulnerabilities).Red Hat has updated firefox(RHEL5,6,7: multiple vulnerabilities) and flash-plugin (RHEL6: multiple vulnerabilities).Slackware has updated firefox (multiple vulnerabilities).SUSE has updated flash-player(SLE12-SP1: multiple vulnerabilities) and kernel (SLE12-SP2: privilege escalation).Ubuntu has updated apt (16.10,16.04, 14.04: code execution) and firefox (multiple vulnerabilities).

Back in 2007, the announcement that AMDintended to reverse its longstanding position and create an upstream driverfor its graphics processors was joyfully received by Linux usersworldwide. As 2017 approaches, an attempt by AMD to merge a driver for anupcoming graphics chip has been rejected by the kernel's graphics subsystemmaintainer — a decision that engendered rather less joy. A look at thisdiscussion reveals a pattern seen many times before; the positions and decisions taken can seem arbitrary to the wider world but theyare not without their reasons and will, hopefully, lead to a better kernelin the long run.

Nextcloud 11 has beenreleased with many security and scalability improvements. "Nextcloud 11 introduces Apache Solr powered Full Text Search, enabling users to find words or phrases in text, pdf and common office documents on internal, external, shared and encrypted storage. The next generation Federation technology introduces a central lookup server, enabling Nextcloud users to find each other irrespective of the server their account resides on. The experimental Spreed app integrates secure, peer to peer audio and video chat in Nextcloud."

Debian has updated php5 (multiple vulnerabilities).Debian-LTS has updated monit(regression in previous update) and unzip (buffer overflows).Fedora has updated golang (F25; F24:denial of service), kernel (F25; F24; F23:three vulnerabilities), perl-DBD-MySQL(F25: two vulnerabilities), php-simplesamlphp-saml2 (F25; F24; F23: incorrect signature verification),php-simplesamlphp-saml2_1 (F25; F24; F23:incorrect signature verification), and python-tornado (F24: XSRF protection bypass).Gentoo has updated SQUASHFS (twocode execution flaws from 2012), bash (codeexecution), botan (two vulnerabilities), elfutils (code execution from 2014), ghostscript-gpl (buffer overflow from 2015),nodejs (multiple vulnerabilities), pixman (code execution), systemd (multiple vulnerabilities from 2013),tigervnc (two vulnerabilities from 2014),webkit-gtk (many vulnerabilities, some from2014 and 2015), xstream (code executionfrom 2013), and zabbix (two vulnerabilities).openSUSE has updated Chromium(multiple vulnerabilities), ImageMagick (Leap42.2; Leap42.1: two vulnerabilities), java-1_7_0-openjdk (Leap42.2, 42.1: multiplevulnerabilities), libass (Leap42.1, 13.2:two vulnerabilities), libgit2 (Leap42.2:two vulnerabilities), pacemaker (Leap42.1:two vulnerabilities), pcre (Leap42.2, 42.1:multiple vulnerabilities, some from 2014 and 2015), perl-DBD-mysql (13.2: use after free), php5 (Leap42.2, 42.1: two vulnerabilities), php7 (Leap42.2: two vulnerabilities), qemu (Leap42.1: multiple vulnerabilities), andutil-linux (Leap42.2: denial of service).Oracle has updated kernel 3.8.13 (OL7; OL6: twovulnerabilities), and kernel 2.6.39 (OL6; OL5: denial of service).Slackware has updated kernel (privilege escalation), loudmouth (roster push attack), and php (multiple vulnerabilities).SUSE has updated firefox, nss(SLE11-SP2: multiple vulnerabilities).

KDE e.V. has released its community report for thesecond half of 2015. "Over nineteen years producing high quality free software, spreading open culture, and creating a thriving community, KDE has become a huge umbrella organization supporting all sorts of FOSS-related projects. As a consequence, an even more inclusive, diverse, and open community has grown, with opportunities we couldn't have envisioned some years ago."

CentOS Linux has released version 7.3-1611 of its Enterprise Linux clone. "This release supersedes all previously released content for CentOSLinux 7, and therefore we highly encourage all users to upgrade theirmachines. Information on different upgrade strategies and how tohandle stale content is included in the Release Notes."

Arch Linux has updated kernel (denial of service) and linux-grsec (denial of service).Debian has updated chromium-browser (multiple vulnerabilities) and icedove (multiple vulnerabilities).Debian-LTS has updated imagemagick (regression in previous update), jasper (multiple vulnerabilities), and libgsf (denial of service).Fedora has updated cracklib (F25; F24: codeexecution), flex (F23: buffer overflow), gd (F25: three vulnerabilities), gstreamer-plugins-bad-free (F25: threevulnerabilities), gstreamer-plugins-base (F25; F24: codeexecution), gstreamer-plugins-good (F25:multiple vulnerabilities), gstreamer1-plugins-bad-free (F24: threevulnerabilities), gstreamer1-plugins-base(F24: code execution), httpd (F24: denialof service), kernel (F25; F24; F23:three vulnerabilities), libgsf (F25: denialof service), mcabber (F25; F24; F23:roster push attack), mingw-libarchive (F25:three vulnerabilities), openjpeg2 (F25; F24:denial of service), perl-DBD-MySQL (F24:use after free), php-php-gettext (F25; F24: codeexecution), phpMyAdmin (F24: multiplevulnerabilities), and roundcubemail (F25: code execution).Gentoo has updated docker(privilege escalation), exfat-utils (twovulnerabilities from 2015), libmms (codeexecution from 2014), sox (code executionfrom 2014), and virtualbox (multiplevulnerabilities some from 2014 and 2015).Mageia has updated python-tornado (XSRF protection bypass) and tomcat (two vulnerabilities).openSUSE has updated pdns(Leap42.1: denial of service from 2015), subversion (Leap42.2: denial of service), andkernel (Leap42.2; Leap42.1: privilege escalation), kernel (13.1: three vulnerabilities).SUSE has updated java-1_7_0-ibm(SOSC5, SMP2.1, SM2.1, SLE11-SP3,SP2: multiple vulnerabilities), java-1_8_0-ibm (SLE12-SP2,SP1: multiplevulnerabilities), firefox, nss (SOSC5,SMP2.1, SM2.1, SLE11-SP4,SP3: multiple vulnerabilities), kernel (SLE11-SP4: multiple vulnerabilities), tomcat (SLES12-SP2; SLES12-SP1: multiple vulnerabilities), and xen (SLE12-SP2; SLE12-SP1: multiple vulnerabilities).

Linus has released the 4.9 kernel, asexpected. Some of the headline features in 4.9 includeimproved security with virtually mapped kernelstacks,the memory-protection keys system calls,the BBR congestion-control algorithm,support for the Greybus bus architecture,shared extents in the XFS filesystem (which will be used to supportlightweight copy operations among other things),and much more.The code name has also been changed to "Roaring Lionus".In the end, 16,216 non-merge changesets were pulled for the 4.9 release,making this development cycle the busiest ever by far.

The stable kernel machine continues to crank out updates; 4.8.14 and 4.4.38 are now available with another set ofimportant fixes. These include, finally, the fix for CVE-2016-8655, a local-root exploit that hasbeen getting some attention.

Arch Linux has updated jasper(multiple vulnerabilities, two from 2015) and linux-zen (code execution).Debian-LTS has updated roundcube(code execution) and spip (cross-site scripting).Fedora has updated httpd (F25:denial of service).Mageia has updated phpmyadmin (multiple vulnerabilities).openSUSE has updated GraphicsMagick (42.2: multiple vulnerabilities, many from 2014), kernel (13.2: multiple vulnerabilities, two from 2015), and libXfixes (13.2: denial of service).Red Hat has updated python-XStatic-jquery-ui (RHOSP 9.0; RHOSP8.0: cross-site scripting), rh-mariadb100-mariadb (RHSC: multiple vulnerabilities), and rh-mariadb101-mariadb (RHSC: multiple vulnerabilities).SUSE has updated kernel (SLE12:three vulnerabilities).Ubuntu has updated oxide-qt(16.10, 16.04, 14.04: multiple vulnerabilities).

Greg Kroah-Hartman has announced the release of the 4.8.13 and 4.4.37 stable kernels. As usual, there arefixes throughout the tree and users of those kernel series should upgrade.Note that the fixfor the kernel code execution vulnerability usingAF_PACKET sockets (also known as CVE-2016-8655) has not made itinto these stable kernels. Those running systemd may want to check LennartPoettering's blogpost on how to mitigate the problem for services started by systemd.

Over at the Fedora Community Blog, Brian Proffitt writes about Fedora member Matthew Williams who passed away recently from cancer. "Matthew’s passion to constantly improve the software and hardware with which he worked created a tireless advocate for the Fedora Project, and his presence was felt at conferences across the nation: SCaLE, Ohio LinuxFest, and the former Indiana LinuxFest, an Indianapolis-based event that he helped found.Matthew also devoted time to interviewing and archiving notable figures in the free and open source software communities to learn what drove people to work on their projects. He was also very driven to share what he knew, launching the Open FOSS training site in 2015 to help new Linux users with getting involved with any Linux distribution. While he was active in the Fedora community, Matthew was also very involved with Ubuntu as well."

Debian has updated xen (multiple vulnerabilities).Debian-LTS has updated gst-plugins-bad0.10 (code execution) and gst-plugins-base0.10 (code execution).Fedora has updated memcached(F25: three vulnerabilities), ntp (F25; F24; F23: multiple vulnerabilities), php-php-gettext (F23: code execution), and phpMyAdmin (F23: multiple vulnerabilities).Gentoo has updated binutils (multiple vulnerabilitiesfrom 2014), coreutils (code execution from2014), cracklib (code execution), jq (code execution from 2015), openjpeg (multiple vulnerabilities, one from 2015), socat (encryption botch), and sqlite (code execution from 2015).Mageia has updated kernel (multiple vulnerabilities) and ntp (multiple vulnerabilities).openSUSE has updated kernel (42.2; 42.1: multiple vulnerabilities,some from 2015).Oracle has updated kernel 4.1.12 (OL7; OL6: two vulnerabilities).Red Hat has updated atomic-openshift (RHOSCP 3.3, 3.2, 3.1:), chromium-browser (RHEL6: manyvulnerabilities), and openstack-cinder andopenstack-glance (RHOSP 9.0: denial of service from 2015).SUSE has updated firefox (SLE12:code execution), java-1_6_0-ibm (SLE11:multiple vulnerabilities), java-1_7_1-ibm (SLE12; SLE11: multiple vulnerabilities), kernel (SLE12: three vulnerabilities), and xen (SLE11: multiple vulnerabilities).Ubuntu has updated openjdk-6(12.04: multiple vulnerabilities).

The LWN.net Weekly Edition for December 8, 2016 is available.

Recently ChrisEvans, an IT security expert currently working for Tesla, published aseries of blog posts about security vulnerabilities in the GStreamermultimedia framework. A combination of the Chrome browser and GNOME-baseddesktops creates a particularlyscary vulnerability. Evans also made a provocative statement: thatvulnerabilities of this severity currently wouldn't happen inWindows 10. Is the state of security on the Linux desktop really thatbad — and what can be done about it?Subscribers can click below for the full story from this week's edition.

The Xen Project Blog has releasedthe Xen Project Hypervisor 4.8. "As always, we focused on improving code quality, security hardening as well as enabling new features. One area of interest and particular focus is new feature support for ARM servers. Over the last few months, we’ve seen a surge of patches from various ARM vendors that have collaborated on a wide range of updates from new drivers to architecture to security."

Arch Linux has updated kernel (privilege escalation), linux-grsec (privilege escalation), and linux-lts (privilege escalation).CentOS has updated sudo (C6: privilege escalation) and thunderbird (C6; C5: code execution).Debian-LTS has updated mapserver (information leak).Fedora has updated mingw-nsis(F23: DLL hijacking).Gentoo has updated mercurial (multiple vulnerabilities), openssh (multiple vulnerabilities), openssl (multiple vulnerabilities), and pecl-http (code execution).Mageia has updated drupal (two vulnerabilities), kernel-linus-4.4.32 (multiple vulnerabilities), and kernel-tmb-4.4.32 (multiple vulnerabilities).openSUSE has updated libXrender(13.2: insufficient validation), libXtst(13.2: insufficient validation), libXv(13.2: insufficient validation), libXvMC(13.2: insufficient validation), roundcubemail (Leap42.2,42.1: twovulnerabilities), roundcubemail (13.2:cross-site scripting), tiff (13.2: multiplevulnerabilities), and X (Leap42.2, 42.1,13.2: multiple vulnerabilities).Oracle has updated sudo (OL7; OL6: privilege escalation).SUSE has updated kernel(SLE12-SP1: three vulnerabilities).

WordPress 4.7 “Vaughan” has been released. Thisversion includes a new default theme, adds new features to the customizer,comes with REST API endpoints for posts, comments, terms, users, meta, andsettings, and more."To help give you a solid base to build from, individual themes can provide starter content that appears when you go to customize your brand new site. This can range from placing a business information widget in the best location to providing a sample menu with social icon links to a static front page complete with beautiful images. Don’t worry – nothing new will appear on the live site until you’re ready to save and publish your initial theme setup."

The maintainer model is deeply ingrained into the culture of thefree-software community; for any bit of code, there is usually a developer(or a small group of developers) charged with that code's maintenance.Good maintainers can help a project run smoothly, while poor maintainerscan run things into the ground. What is to be done to save a project withthe latter type of maintainer? Forking can be an option in some casesbut, in many others, it's not a practical alternative. The Debian projectis currently discussing its approach to bad maintainers — a discussion which has taken asurprising turn.

Debian-LTS has updated monit(regression in previous update).Fedora has updated dpkg (F25; F24; F23: code execution), gstreamer-plugins-bad-free (F25: codeexecution), gstreamer1-plugins-bad-free(F24: code execution), gstreamer1-plugins-good (F24: multiplevulnerabilities), kernel (F25; F24; F23:denial of service), and thunderbird (F25: code execution).Gentoo has updated arj (multiple vulnerabilities) and util-linux (command injection).Mageia has updated firefox (code execution), thunderbird (multiple vulnerabilities), and virtualbox (multiple vulnerabilities).openSUSE has updated GraphicsMagick (Leap42.1; 13.2: two vulnerabilities), ImageMagick (13.2: two vulnerabilities),mariadb (Leap42.2; Leap42.1: multiple mostly unspecifiedvulnerabilities), firefox, thunderbird, nss(13.1: multiple vulnerabilities), tcpreplay(Leap42.2: denial of service), kernel(13.1: multiple vulnerabilities), and thunderbird (SPH for SLE12: multiple vulnerabilities).Oracle has updated thunderbird (OL7; OL6: code execution).Red Hat has updated bind(RHEL6.2, 6.4, 6.5, 6.6, 6.7: denial of service) and sudo (RHEL6,7: privilege escalation).SUSE has updated java-1_6_0-ibm(SLEMLS12: multiple vulnerabilities) and firefox, nss (SLE12-SP2,SP1: multiple vulnerabilities).Ubuntu has updated kernel (16.10; 16.04;14.04; 12.04: code execution), linux-lts-trusty (12.04: code execution), linux-lts-xenial (14.04: code execution),linux-raspi2 (16.10; 16.04: code execution), linux-snapdragon (16.04: code execution), andlinux-ti-omap4 (12.04: code execution).

James Bottomley has posted atutorial on using the trusted platform module to store cryptographickeys. "The main thing that came out of this discussion was that alot of this stack complexity can be hidden from users and we shouldconcentrate on making the TPM 'just work' for all cryptographic functionswhere we have parallels in the existing security layers (like thekeystore). One of the great advantages of the TPM, instead of messingabout with USB pkcs11 tokens, is that it has a file format for TPM keys(I’ll explain this later) which can be used directly in place of standardprivate key files."

Arch Linux has updated chromium (multiple vulnerabilities) and libdwarf (multiple vulnerabilities).CentOS has updated firefox (C6; C5: code execution).Debian-LTS has updated openafs (information leak).Fedora has updated firefox (F25; F24; F23: code execution), gstreamer1-plugins-bad-free (F25: codeexecution), gstreamer1-plugins-good (F25:code execution), p7zip (F24; F23: denial of service), phpMyAdmin (F25: multiple vulnerabilities), thunderbird (F24: code execution), and xen (F25; F24; F23: multiple vulnerabilities).Gentoo has updated busybox (twovulnerabilities), chromium (multiplevulnerabilities), cifs-utils (codeexecution from 2014), dpkg (codeexecution), gd (multiple vulnerabilities),libsndfile (two vulnerabilities), libvirt (path traversal), nghttp2 (code execution), nghttp2 (denial of service), patch (denial of service), and pygments (shell injection).openSUSE has updated containerd,docker, runc (Leap42.1, 42.2: permission bypass), firefox (two vulnerabilities), java-1_7_0-openjdk (13.1: multiplevulnerabilities), java-1_8_0-openjdk(Leap42.1, 42.2: multiple vulnerabilities), libarchive (Leap42.2; Leap42.1: multiple vulnerabilities), thunderbird (code execution), nodejs4 (Leap42.2: code execution), phpMyAdmin (multiple vulnerabilities),sudo (Leap42.2; Leap42.1: three vulnerabilities), tar (Leap42.1, 42.2: file overwrite), andvim (Leap42.2; Leap42.1, 13.2: code execution).Red Hat has updated thunderbird (code execution).SUSE has updated qemu (SLE12-SP1:multiple vulnerabilities).

The 4.9-rc8 kernel prepatch is out; thefinal 4.9 release will need one more week. "So if anybody has beenfollowing the git tree, it should come as no surprise that I ended up doingan rc8 after all: things haven't been bad, but it also hasn't been thecomplete quiet that would have made me go 'no point in doing anotherweek'."

Over at Opensource.com, Rich Bowen gives an overview of the changes in the OpenStack Newton release that was made in October. In it, he looks at each of sub-projects and highlights some of the changes for them that were in the release, which is also useful as a kind high-level guide to some of the various sub-projects and their roles. "With a product as large as OpenStack, summarizing what's new in a particular release is challenging. (See the full release notes for more details.) Each deployment of OpenStack might use a different combination of services and projects, and so will care about different updates. Added to that, the release notes for the various projects tend to be extremely technical in nature, and often don't do a great job of calling out the changes that will actually be noticed by either operators or users."

Google's Project Zero blog has a detailed look at exploiting a vulnerability in Android's ashmem shared-memory facility. "The mismatch between the mmap-ed and munmap-ed length provides us with a great exploitation primitive! Specifically, we could supply a short length for the mmap operation and a longer length for the munmap operation - thus resulting in deletion of an arbitrarily large range of virtual memory following our bitmap object. Moreover, there’s no need for the deleted range to contain one continuous memory mapping, since the range supplied in munmap simply ignores unmapped pages.Once we delete a range of memory, we can then attempt to “re-capture” that memory region with controlled data, by causing another allocation in the remote process. By doing so, we can forcibly “free” a data structure and replace its contents with our own chosen data -- effectively forcing a use-after-free condition."

The 4.8.12 and 4.4.36 stable kernels have been released.As always, users of those kernel series should upgrade.

Arch Linux has updated firefox(two vulnerabilities) and thunderbird (code execution).CentOS has updated thunderbird (C6; C5: code execution).Debian-LTS has updated firefox-esr (multiple vulnerabilities), imagemagick (multiple vulnerabilities, many from 2014 and 2015), monit (cross-site request forgery), tomcat6 (multiple vulnerabilities), and tomcat7 (multiple vulnerabilities).Fedora has updated calamares (F25; F24:encryption bypass), jenkins (F25: code execution), jenkins-remoting (F25: code execution), moin (F25; F24; F23: cross-site scripting flaws), mujs (F23: multiple vulnerabilities), and zathura-pdf-mupdf (F23: multiple vulnerabilities).Gentoo has updated davfs2(privilege escalation from 2013) and gnupg(flawed random number generation).openSUSE has updated libtcnative-1-0 (42.2, 42.1: SSL improvements)and pacemaker (42.2: two vulnerabilities).Oracle has updated firefox (OL7; OL6; OL5: code execution).Red Hat has updated firefox (codeexecution).SUSE has updated kernel (SLE11: multiple vulnerabilities, some from 2013 and 2015)and ImageMagick(SLE11: multiple vulnerabilities, some from 2014 and 2015).Ubuntu has updated ghostscript(multiple vulnerabilities, one from 2013) and oxide-qt (16.10,16.04, 14.04: multiple vulnerabilities).

The Google security blog announcesthe OSS-Fuzz project, which performs continuous fuzz testing offree-software project repositories. "OSS-Fuzz has already found 150bugs in several widely used open source projects (and churns ~4 trilliontest cases a week). With your help, we can make fuzzing a standard part ofopen source development, and work with the broader community of developersand security testers to ensure that bugs in critical open sourceapplications, libraries, and APIs are discovered and fixed."

Version 5.5 of the Ardouraudio editor has been released. "Among the notable new featuresare support for VST 2.4 plugins on OS X, the ability to have MIDI inputfollow MIDI track selection, support for Steinberg CC121, Avid Artist &Artist Mix Control surfaces, 'fanning out' of instrument outputs to newtracks/busses and the often requested ability to do horizontal zoom viavertical dragging on the rulers."

Debian has updated firefox-esr(code execution).Debian-LTS has updated gst-plugins-good0.10 (three code execution flaws).Gentoo has updated imagemagick(multiple vulnerabilities) and php (multiple vulnerabilities, one from 2015).openSUSE has updated bash (42.1:multiple vulnerabilities, two from 2014) and libcares2 (13.2:code execution).Slackware has updated firefox(code execution) and thunderbird (codeexecution).Ubuntu has updated c-ares (codeexecution), firefox (two vulnerabilities),imagemagick (multiple vulnerabilities), kernel (16.10; 16.04;14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities),linux-lts-xenial (14.04: multiple vulnerabilities), linux-ti-omap4 (12.04: code execution), and thunderbird (multiple vulnerabilities).

Cyanogen Inc. has put out a terse press releaseannouncing the departure of founder (and CyanogenMod creator) SteveKondik. See thisrather less terse Android Police article for Kondik's view of thematter. The future of the CyanogenMod distribution seems unclear at thispoint; if it goes forward, it may have to do so with a different name.

The LWN.net Weekly Edition for December 1, 2016 is available.

Arch Linux has updated neovim (code execution).Debian has updated hdf5 (multiple vulnerabilities).Fedora has updated drupal7 (F25; F24; F23: multiple vulnerabilities), p7zip (F25: denial of service), teeworlds (F25; F24; F23: code execution), and vagrant (F25; F24; F23: nfs export insertion).Mageia has updated jenkins-remoting (code execution) and teeworlds (code execution).Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).SUSE has updated vim (SLE12-SP2; SLE11-SP4: code execution).

As covered here in January, changes to theGNU C Library's memory-allocation routines have broken the "unexec" methodused to build the Emacs editor. Fixing this problem has proved to be morechallenging than originally thought; that issue has now come to a head in adisagreement that could cost the Emacs community one of its maintainers.

The Git project has announcedthe release of Git 2.11.0. This version prints longer abbreviatedSHA-1 names and has better tools for dealing with ambiguous short SHA-1s,it's faster at accessing delta chains, and has other performanceenhancements, and much more. The releasenotes contain more details.

CentOS has updated expat (C6:code execution) and memcached (C6: code execution).openSUSE has updated ffmpeg(Leap42.2: heap corruption) and virtualbox(Leap42.2: multiple unspecified vulnerabilities).Oracle has updated expat (OL7; OL6: code execution).Red Hat has updated expat(RHEL6,7: code execution) and thunderbird(RHEL5,6,7: multiple vulnerabilities).SUSE has updated mariadb (SLE12-SP1,2; SLES12: multiple vulnerabilities) and qemu (SLES12: multiple vulnerabilities).Ubuntu has updated python-cryptography (16.10, 16.04: bad key generation) and vim (code execution).

InfoWorld looksat the underfunded NTP project. "NTP is more than 30 years old—it may be the oldest codebase running on the internet. Despite some hiccups, it continues to work well. But the project’s future is uncertain because the number of volunteer contributors has shrunk, and there’s too much work for one person—principal maintainer Harlan Stenn—to handle. When there is limited support, the project has to pick and choose what tasks it can afford to complete, which slows down maintenance and stifles innovation."

Arch Linux has updated lib32-libtiff (multiple vulnerabilities), libtiff (multiple vulnerabilities), and ntp (multiple vulnerabilities).Debian has updated icu (multiple vulnerabilities) and imagemagick (three vulnerabilities).Debian-LTS has updated irssi (information disclosure), libsoap-lite-perl (XML expansion), and mcabber (roster push attack).Fedora has updated bind (F23:denial of service) and python-tornado (F25:XSRF protection bypass).Mageia has updated bzip2 (denialof service), chromium-browser-stable(multiple vulnerabilities), clamav (threevulnerabilities), giflib (denial ofservice), icu (two vulnerabilities), kernel-4.4.32 (code execution), libtiff (two vulnerabilities), lighttpd (man-in-the-middle attacks), and perl-Email-Address (denial of service).openSUSE has updated wireshark(Leap42.2: multiple vulnerabilities).SUSE has updated kernel(SLE12-SP1: multiple vulnerabilities).Ubuntu has updated gst-plugins-good0.10, gst-plugins-good1.0(incomplete fix in previous update).

Harald Welte looksback at the Openmoko phone with a ten-year perspective (and an almostunreadable low-contrast web page). "So yes, the smartphone world ismuch more restricted, locked-down and proprietary than it was back in theOpenmoko days. If we had been more successful then, that world might bequite different today. It was a lost opportunity to make the world embracemore freedom in terms of software and hardware."

The 4.9-rc7 kernel prepatch is out. Linussays that things are shaping up and it is possible, but perhaps not likely,that the final 4.9 release will happen on December 4. "Ibasically reserve the right to make up my mind next weekend."

Greg Kroah-Hartman has announced the release of the 4.8.11 and 4.4.35 stable kernels. As usual, they containfixes throughout the kernel tree and users of those kernel series shouldupgrade.

Arch Linux has updated tomcat6(two vulnerabilities), wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities).Debian has updated gst-plugins-good0.10 (three vulnerabilities)and gst-plugins-good1.0 (three vulnerabilities).Debian-LTS has updated libgc(code execution) and xen (multiple vulnerabilities).Fedora has updated bind99 (F23:two vulnerabilities), ghostscript (F23: twovulnerabilities), icu (F25; F24: code execution), kernel (F23: multiple vulnerabilities), moodle (F24; F23:three vulnerabilities), mujs (F25;F24: multiple vulnerabilities), perl-DBD-MySQL (F24: out of bounds read), sudo (F23: privilege escalation), and zathura-pdf-mupdf (F25; F24: multiple vulnerabilities).openSUSE has updated java-1_7_0-openjdk (13.2: multiple vulnerabilities).SUSE has updated kvm (SLE11: multiple vulnerabilities).Ubuntu has updated lxc (16.10,16.04, 14.04: directory traversal) and moin(three vulnerabilities).

The Verge looksat legislation in the UK that would allow police and intelligenceagencies to legally spy on its own people. "The legislation in question is called the Investigatory Powers Bill. It’s been cleared by politicians and awaits only the formality of royal assent before it becomes law. The bill will legalize the UK’s global surveillance program, which scoops up communications data from around the world, but it will also introduce new domestic powers, including a government database that stores the web history of every citizen in the country. UK spies will be empowered to hack individuals, internet infrastructure, and even whole towns — if the government deems it necessary."

Debian has updated tomcat7 (multiple vulnerabilities), tomcat8 (multiple vulnerabilities), and vim (code execution).Debian-LTS has updated moin (cross-site scripting), tiff (multiple vulnerabilities), and vim (code execution).Gentoo has updated adobe-flash (multiple vulnerabilities), chromium (multiple vulnerabilities), poppler (code execution), rpcbind (denial of service), tar (file overwrite), and testdisk (code execution).Mageia has updated bash (code execution), flex (buffer overflow), libssh2 (insecure ssh sessions), libxslt (code execution), and tre (code execution).openSUSE has updated dovecot22(information disclosure), gnuchess (codeexecution), monit (two vulnerabilities), sudo (13.2: privilege escalation), and tar (13.2: file overwrite).Oracle has updated ipsilon (OL7:information leak/denial of service) and memcached (OL7; OL6:multiple vulnerabilities).Red Hat has updated memcached (RHEL7; RHEL6: code execution).Scientific Linux has updated 389-ds-base (SL6: multiple vulnerabilities),firefox (SL5,6,7: multiplevulnerabilities), kernel (SL6: twovulnerabilities), memcached (SL6: codeexecution), nss and nss-util (SL5,6,7:multiple vulnerabilities), and policycoreutils (SL6,7: sandbox escape).Slackware has updated ntp (multiple vulnerabilities).SUSE has updated java-1_8_0-openjdk (SLE12-SP1,2: multiplevulnerabilities) and pacemaker (SLE12-SP2:two vulnerabilities).Ubuntu has updated gst-plugins-good0.10, gst-plugins-good1.0(code execution), python2.7, python3.2,python3.4, python3.5 (16.04, 14.04, 12.04: multiple vulnerabilities), and tar (file overwrite).

The Fedora 25 release is now available "The Fedora Project is pleased to announce the immediate availability ofFedora 25, the next big step our journey into the containerized, modularfuture!" See the announcement and therelease notes for details on the many changes in this release.

Clement Lefebvre has announcedthe release of Cinnamon 3.2. This version has QT 5.7+ support, supportfor libinput touchpads as well as synaptics, and many more changes acrossthe stack.

Fedora Magazine has a briefoverview of the changes to be found in the workstation version of theFedora 25 release. "Wayland now replaces the old X11 displayserver by default. Its goal is to provide a smoother, richer experiencewhen navigating Fedora Workstation. Like all software, there may still besome bugs. You can still choose the old X11 server if required."