LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2024-11-25 20:30
The kernel of the argument (Washington Post)
Here's a lengthy Washington Post feature on the security (or lack thereof) of the Linux kernel; it features a number of familiar names. "Even many Linux enthusiasts see a problem with this from a security perspective: There is no systemic mechanism for identifying and remedying problems before hackers discover them, or for incorporating the latest advances in defensive technologies. And there is no chief security officer for the Linux kernel."
Security advisories for Thursday
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), nspr (C7; C6; C5: code execution), nss (C7; C6; C5: code execution), and nss-util (C7; C6: code execution).
Debian has updated iceweasel (multiple vulnerabilities).
Fedora has updated firefox (F23; F22: multiple vulnerabilities), nspr (F23; F22: code execution), nss (F23; F22: code execution), nss-softokn (F23; F22: code execution), nss-util (F23; F22: code execution), ntp (F21: multiple vulnerabilities), php-horde-horde (F22; F21: cross-site request forgeries), php-horde-imp (F22; F21: cross-site request forgeries), php-horde-ingo (F22; F21: cross-site request forgeries), and php-horde-passwd (F22; F21: cross-site request forgeries).
Mageia has updated drupal (open redirect), firefox, nspr, and nss (multiple vulnerabilities), and springframework (open file redirect).
openSUSE has updated postgresql92 (13.1: information disclosure) and wpa_supplicant (13.1: denial of service).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities), kernel 2.6.32 (OL6; OL5: privilege escalation), kernel 3.8.13 (OL7; OL6: privilege escalation), kernel 2.6.39 (OL6: privilege escalation), nss and nspr (OL5: code execution), and nss, nss-util, and nspr (OL7; OL6: code execution).
Scientific Linux has updated firefox (multiple vulnerabilities), kernel (SL7: two vulnerabilities, one from 2014), libreswan (SL7: denial of service), nss and nspr (SL5: code execution), and nss, nss-util, and nspr (SL6&7: code execution).
Ubuntu has updated firefox (multiple vulnerabilities), nspr (code execution), and nss (code execution).
[$] LWN.net Weekly Edition for November 5, 2015
The LWN.net Weekly Edition for November 5, 2015 is available.
Security advisories for Wednesday
Arch Linux has updated firefox (multiple vulnerabilities).
CentOS has updated kernel (C7: two vulnerabilities) and libreswan (C7: denial of service).
Debian has updated freeimage (integer overflow) and php-horde (cross-site request forgery).
openSUSE has updated audiofile (Leap42.1, 13.2, 13.1: buffer overflow), bouncycastle (Leap42.1, 13.2, 13.1: invalid curve attack), java-1_7_0-openjdk (13.2; 13.1: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), postgresql93 (13.2: two vulnerabilities), potrace (Leap42.1, 13.2, 13.1: denial of service), roundcubemail (13.2, 13.1: two vulnerabilities), sudo (13.2, 13.1: information disclosure), util-linux (Leap42.1, 13.2, 13.1: denial of service), and wpa_supplicant (13.2: denial of service).
Oracle has updated kernel (OL7: two vulnerabilities) and libreswan (OL7: denial of service).
Red Hat has updated nss, nspr (RHEL5: code execution), firefox (RHEL5,6,7: multiple vulnerabilities), kernel (RHEL7: two vulnerabilities), kernel-rt (RHEL7; RHEMRG2.5: two vulnerabilities), libreswan (RHEL7: denial of service), and nss, nss-util, nspr (RHEL6,7: code execution).
SUSE has updated krb5 (SLE12; SLE11SP3,4: multiple vulnerabilities) and xen (SLE12: multiple vulnerabilities).
Ubuntu has updated xscreensaver (12.04: denial of service).
OpenSUSE Leap 42.1 released
The openSUSE Leap 42.1 release is now available. "Version 42.1 is the first version of openSUSE Leap that uses source from SUSE Linux Enterprise (SLE) providing a level of stability that will prove to be unmatched by other Linux distributions. Bonding community development and enterprise reliability provides more cohesion for the project and its contributor’s maintenance updates. openSUSE Leap will benefit from the enterprise maintenance effort and will have some of the same packages and updates as SLE, which is different from previous openSUSE versions that created separate maintenance streams." See this June LWN article for some background on this new approach to the openSUSE distribution.
Gardiner: Remembering Telsa Gwynne
Mary Gardiner has posted a memorial to Telsa Gwynne. "Telsa was also a critical inspiration to me as an activist: in the early 2000s (and still) it was hugely controversial to either believe that open source communities could still work if they were more civil (the entire LinuxChix project was partly an experiment with that), and even more so to insist that they should be. Telsa is the earliest person I can think of who stood up in an open source development community and asked it to change its norms in the direction of civility." Telsa withdrew from our community some years ago, but she will be much missed just the same.
Kernel Summit tech day coverage complete
LWN's 2015 Kernel Summit page now has coverage from the open day of the event, which focused primarily on technical topics. Subscribers are invited to have a look. Coverage from the final day is in the works and will be posted within the next day or so.
Firefox 42 is available
Firefox 42 has been released. This version features private browsing with tracking protection, site security and privacy controls in the Control Center, WebRTC improvements, and more. See the release notes for more information.
Tuesday's security updates
Arch Linux has updated unzip (two vulnerabilities).
Debian has updated libvdpau (regression in previous update) and xen (privilege escalation).
Debian-LTS has updated libhtml-scrubber-perl (cross-site scripting).
Fedora has updated drupal7 (F21: unspecified vulnerability).
Gentoo has updated mksh (improper sanitation).
Mageia has updated exfat-utils (two vulnerabilities), libxml2 (buffer overflow), mediawiki (multiple vulnerabilities), openafs (plaintext leak), and postgresql (two vulnerabilities).
SUSE has updated java-1_7_0-openjdk (SLE12; SLE11SP3,4: multiple vulnerabilities) and xen (SLE11SP4: multiple vulnerabilities).
[$] Security in an error-prone world
The 1957 Chevrolet Bel Air was a beautiful car, kernel.org administrator Konstantin Ryabitsev said at the beginning of his Korea Linux Forum talk. It had roomy seats, lots of features, and a smooth ride; it was all about power and comfort. But if you got into an accident with this car, it would kill you; it was not designed around the idea that things might go wrong. Our computer systems in 2015 mirror the Bel Air of 1957; they are not designed around humans and the mistakes they make. Konstantin had a simple message for the audience: take a cue from the automotive industry and design and build systems that do not fail catastrophically when errors are made.
Fedora 23 released
The Fedora 23 release is now available. "We're pleased to bring you the latest incarnations of the three main Fedora editions — Fedora Workstation, Fedora Cloud, and Fedora Server, each built with love by the Fedora community to custom-fit your needs in different areas. Fedora 23 is also available in alternate desktop Spins, curated software Labs, and special images for the ARM processor architecture." See the release notes for details; LWN looked forward to this release in August.
GNU Hurd 0.7, GNU Mach 1.6, GNU MIG 1.6 released
The GNU project has released GNU Hurd 0.7, GNU Mach 1.6, and GNU MIG 1.6. The Mach 3.0 Interface Generator (MIG) translates Remote Procedure Call (RPC) definition files to C code, and is required to compile any packages that are receiving or invoking RPCs, such as GNU Mach, GNU Hurd, and the GNU C Library (glibc) when compiled for the Hurd. GNU Mach is a microkernel, upon which a GNU Hurd system is based. The GNU Hurd is the GNU project's replacement for the Unix kernel. These releases contain improvements and bug fixes.
Security advisories for Monday
Arch Linux has updated mysql (multiple vulnerabilities).
Debian has updated mariadb-10.0 (multiple vulnerabilities), ntp (multiple vulnerabilities), openafs (plaintext leak), openjdk-7 (problem with previous update), and unzip (two vulnerabilities).
Debian-LTS has updated busybox (denial of service) and xscreensaver (denial of service).
Fedora has updated community-mysql (F22; F21: multiple vulnerabilities), kernel (F21: multiple vulnerabilities), libvdpau (F21: multiple vulnerabilities), mingw-spice-gtk (F22: multiple vulnerabilities), mingw-spice-protocol (F22: multiple vulnerabilities), mod_nss (F22: incorrect multi-keyword mode cipherstring parsing), pacemaker (F21: privilege escalation), php-udan11-sql-parser (F22: content spoofing), phpMyAdmin (F22: content spoofing), spice (F22: multiple vulnerabilities), spice-gtk (F22: multiple vulnerabilities), spice-protocol (F22: multiple vulnerabilities), and springframework (F22; F21: Reflected File Download (RFD) attack).
Gentoo has updated cups (two vulnerabilities), cups-filters (code execution), django (multiple vulnerabilities), mediawiki (multiple vulnerabilities), qemu (multiple vulnerabilities), tcpdump (multiple vulnerabilities), and wireshark (multiple vulnerabilities).
Mageia has updated libpng12 (information leak), miniupnpc (code execution), ntp (multiple vulnerabilities), and phpmyadmin (content spoofing).
openSUSE has updated chromium (SPH for SLE12: multiple vulnerabilities), chromium (SPH for SLE12: multiple vulnerabilities), chromium (SPH for SLE12: multiple vulnerabilities), chromium (SPH for SLE12: multiple vulnerabilities), chromium (SPH for SLE12: information disclosure), chromium (SPH for SLE12: multiple vulnerabilities), znc (SPH for SLE12: denial of service from 2012), and VirtualBox (13.2: two vulnerabilities).
SUSE has updated java-1_7_0-openjdk (SLE12; SLE11SP4,3: multiple vulnerabilities) and xen (SLE11SP3: multiple vulnerabilities).
The 4.3 kernel has been released
Linus has released the 4.3 kernel right on the 63-day schedule. "So on the whole, this remains a rather calm release cycle until the very end. And with the release of 4.3, obviously the merge window for 4.4 is open, and let's keep our fingers crossed that that will be an equally calm release." 4.3 includes the ability to add BPF programs to user-space probes, the "PIDs controller" (an anti-fork-bomb measure), the removal of the ext3 filesystem, support for identifier locator addressing, the ability to handle page faults in user space, and more.
Denemo version 2.0 released
A major new release of Denemo, the GNU music-notation program, has been made available. Version 2.0 incorporates a significant refactoring of the user interface; the application now includes a general-purpose Object Inspector and Editor as well as separate tools for editing scores, movements, staffs, and voices. There is also a search-and-replace feature capable of searching for rhythmic patterns and a layout editor for arranging scores.
Friday's security updates
Arch Linux has updated lldpd (denial of service), phpmyadmin (content spoofing), and wordpress (multiple vulnerabilities).
Debian has updated virtualbox (multiple vulnerabilities) and wordpress (multiple vulnerabilities; separate cross-site scripting regression fix).
openSUSE has updated kernel (13.2: multiple vulnerabilities), libressl (multiple vulnerabilities), nodejs (Leap 42.1: denial of service), squid (nonce replay), sudo (Leap 42.1: information disclosure), and wireshark (multiple vulnerabilities).
Scientific Linux has updated openafs (SL5, 6, 7: plaintext leak).
Slackware has updated curl (multiple vulnerabilities), jasper (multiple vulnerabilities), and ntp (multiple vulnerabilities).
SUSE has updated openstack-swift (SUSE OSC5: multiple vulnerabilities).
Ubuntu has updated unzip (multiple vulnerabilities).
Tor Messenger chat client beta available
The Tor Project has announced the beta release of a new, off-the-record (OTR) chat client called Tor Messenger. As expected, chat session traffic is sent entirely over Tor. In addition, the application requires the use of OTR encryption—rather than merely providing it as an option. The beta is available for Linux, Windows, and Mac OS X systems. A blog post provides specifics about the implementation details.
Thursday's security updates
Debian has updated phpmyadmin (multiple vulnerabilities).
Debian-LTS has updated ntp (multiple vulnerabilities) and phpmyadmin (multiple vulnerabilities).
Fedora has updated abrt (F22: data leak), bugzilla (F21; F22: privilege escalation), java-1.8.0-openjdk (F21; F22: certificate verification botch), and libreport (F22: data leak).
Ubuntu has updated audiofile (code execution).
[$] LWN.net Weekly Edition for October 29, 2015
The LWN.net Weekly Edition for October 29, 2015 is available.
An update on the VMware suit
The Software Freedom Conservancy has posted an update on the GPL-infringement suit against VMware filed by Christoph Hellwig. "The lawsuit continues to progress. VMware has filed a statement of defense, in which they assert arguments for the dismissal of the action. Christoph, with the assistance of his lawyer Till Jaeger, has filed his response to these arguments. Unfortunately, VMware has explicitly asked for the filings not to be published and, accordingly, Conservancy has not been able to review either document. With the guidance of counsel, Christoph was able to provide Conservancy with a high-level summary of the filings from which we are able to provide this update. VMware's statement of defense primarily focuses on two issues. First, VMware questions Christoph's copyright interest in the Linux kernel and his right to bring this action. Second, VMware claims vmklinux is an 'interoperability module' which communicates through a stable interface called VMK API."
Tor: a landmark for hidden services
The Tor Project's .onion (hidden services) addresses have been formally approved as a Special Use Domain Name by the Internet Engineering Task Force (IETF). "[Jacob] Appelbaum, a security researcher and advocate at the Tor Project and Alec Muffett, a software engineer at Facebook, co-authored the Request for Comments (RFC 7686) to the IETF. Hidden services are used by human rights defenders, political organizers, journalists, diplomats, and ordinary people around the world who want to chat, email, blog or do other everyday work privately and without the use of a centralized, hackable server."
Security advisories for Wednesday
CentOS has updated qemu-kvm (C7: denial of service).
Debian has updated openjdk-7 (multiple vulnerabilities) and php5 (two vulnerabilities).
openSUSE has updated squid (13.2, 13.1: nonce replay vulnerability) and wireshark (13.2, 13.1: multiple vulnerabilities).
Red Hat has updated kubernetes (RHOSE3: directory path traversal).
Ubuntu has updated ntp (multiple vulnerabilities), openjdk-7 (15.10, 15.04, 14.04: multiple vulnerabilities), and php5 (denial of service).
[$] Running a mainline kernel on a cellphone
One of the biggest freedoms associated with free software is the ability to replace a program with an updated or modified version. Even so, of the many millions of people using Linux-powered phones, few are able to run a mainline kernel on those phones, even if they have the technical skills to do the replacement. The sad fact is that no mainstream phone available runs mainline kernels. A session at the 2015 Kernel Summit, led by Rob Herring, explored this problem and what might be done to address it.
[$] The Dirk and Linus show comes to Seoul
One of the recurring features of Linux Foundation events is an on-stage discussion between Dirk Hohndel and Linus Torvalds on a variety of kernel-related topics. The Korea Linux Forum in Seoul, South Korea did not diverge from this pattern. The pair talked about a wide range of topics; there were few surprises and little that will be controversial, but the discussion did include some insights into how the community is doing and where the kernel is going.
The EFF wins a DMCA exemption for cars
The Electronic Frontier Foundation has announced that its petition for an exemption to the US Digital Millennium Copyright Act for automotive software has been accepted. "Because Section 1201 prohibits unlocking 'access controls' on the software, car companies have been able to threaten legal action against anyone who needs to get around those restrictions, no matter how legitimate the reason. While the copyright office removed this legal cloud from much car software research, it also delayed implementation of the exemption for one year."
EFF Wins Petition to Inspect and Modify Car Software
The Electronic Frontier Foundation reports that the Librarian of Congress has granted security researchers and others the right to inspect and modify the software in their cars and other vehicles. "EFF also won an [DMCA] exemption for users who want to play video games after the publisher cuts off support. For example, some players may need to modify an old video game so it doesn’t perform a check with an authentication server that has since been shut down. The Librarian also granted EFF’s petition to renew a previous exemption to jailbreak smartphones, and extended that to other mobile devices, including tablets and smartwatches. This clarifies the law around jailbreaking, making clear that users are allowed to run operating systems and applications from any source, not just those approved by the manufacturer. EFF also won the renewal and partial expansion of the exemptions for remix videos that use excerpts from DVDs, Blu-Ray discs, or downloading services."
Tuesday's security updates
Arch Linux has updated vorbis-tools (denial of service).
CentOS has updated ntp (C7; C6: two vulnerabilities).
Debian-LTS has updated libxml2 (regression in previous update).
Mageia has updated iceape/sqlite3 (multiple vulnerabilities) and virtualbox (two vulnerabilities).
openSUSE has updated nodejs (13.2, 13.1: denial of service), haproxy (13.2: information leak), and libressl (13.2: two vulnerabilities).
Oracle has updated ntp (OL7; OL6: two vulnerabilities) and qemu-kvm (OL7: denial of service).
Red Hat has updated ntp (RHEL6,7: two vulnerabilities) and qemu-kvm (RHEL7: denial of service).
Scientific Linux has updated ntp (SL6,7: two vulnerabilities) and qemu-kvm (SL7: denial of service).
Ubuntu has updated apport (privilege escalation).
Four more stable kernel updates
The 4.2.5, 4.1.12, 3.14.56, and 3.10.92 stable kernels are available; each contains another set of important fixes.
KDevelop 5.0.0 beta available
The first beta release of KDevelop 5.0.0 is available. The code base has been ported to Qt 5 and KDE frameworks 5, the legacy C++ parser and semantic analysis plugin has been replaced with a much more powerful one that is based on Clang, the hand-written CMake interpreter has been removed in favor of upstream CMake, plus more features, code cleanup and bug fixes.
Security advisories for Monday
Arch Linux has updated drupal (open redirect vulnerability).
Debian has updated gdk-pixbuf (two vulnerabilities), miniupnpc (code execution), and mysql-5.5 (multiple vulnerabilities).
Debian-LTS has updated libxml2 (buffer overflow).
Fedora has updated drupal7-active_tags (F22; F21: cross-site scripting), drupal7-jquery_update (F22; F21: open redirect attack), ganglia (F22; F21: authentication bypass), mbedtls (F22; F21: code execution), pacemaker (F22: privilege escalation), pixman (F21: buffer overflow), qemu (F22: denial of service), seamonkey (F22; F21: multiple vulnerabilities), and xen (F22; F21: denial of service).
Mageia has updated audiofile (buffer overflow), chromium-browser-stable (multiple vulnerabilities), dbus (security hardening), fuseiso (two vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), lxdm (access bypass), ntp (multiple vulnerabilities), nvidia-driver (privilege escalation), and rsync (denial of service).
openSUSE has updated Chromium (13.2, 13.1: multiple vulnerabilities) and firefox (13.2, 13.1: information disclosure).
SUSE has updated php53 (SLE11SP3,4: multiple vulnerabilities).
Ubuntu has updated mysql-5.5, mysql-5.6 (15.10, 15.04, 14.04, 12.04: multiple vulnerabilities).
Kernel prepatch 4.3-rc7
The 4.3-rc7 kernel prepatch is out. "So it may still be Saturday at home, but with the Kernel Summit in Korea coming up, I'm ahead of the curve in a +0900 timezone, and it's Sunday here. So it's release day." This looks to be the final prepatch, with 4.3 likely to come out on November 1.
Coghlan: 27 languages to improve your Python
Python language developer Nick Coghlan has posted a survey of 27 languages that, he thinks, have lessons for Python. "One of the things we do as part of the Python core development process is to look at features we appreciate having available in other languages we have experience with, and see whether or not there is a way to adapt them to be useful in making Python code easier to both read and write. This means that learning another programming language that focuses more specifically on a given style of software development can help improve anyone's understanding of that style of programming in the context of Python."
Mozilla Launches Open Source Support Program
Mozilla CEO Mitchell Baker has announced the launch of "an award program specifically focused on supporting open source and free software." The main focus of the program will be to provide financial support of other projects, "to recognize and celebrate communities who are leading the way with open source projects that contribute to our work and the health of the Web. It encompasses both: a) a “give back” element for open source and free software projects that Mozilla relies on; and b) a “give forward” component for supporting other projects where financial resources from Mozilla can make our entire community more successful." The initial funding allocation for the program is $1,000,000, and Mozilla is seeking applications for ten recipient projects. The announcement also notes that one planned component of the program will be to fund security-related work. (Thanks to Martin Michlmayr)
Friday's security updates
Arch Linux has updated jdk7-openjdk (multiple vulnerabilities), jdk8-openjdk (multiple vulnerabilities), jre7-openjdk (multiple vulnerabilities), jre7-openjdk-headless (multiple vulnerabilities), jre8-openjdk (multiple vulnerabilities), and jre8-openjdk-headless (multiple vulnerabilities).
CentOS has updated kvm (C5: code execution) and qemu-kvm (C6: code execution).
Debian-LTS has updated cakephp (denial of service), optipng (use after free), and polarssl (code execution).
openSUSE has updated python-Django (13.2: multiple vulnerabilities).
Oracle has updated kvm (O5: code execution) and qemu-kvm (O6: code execution).
Red Hat has updated java-1.6.0-sun (RHEL 5, 6, 7: multiple vulnerabilities), java-1.7.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities), java-1.8.0-oracle (RHEL 6, 7: multiple vulnerabilities), kvm (RHEL 5: code execution), openstack-ironic-discoverd (RHEL OSP 7: command execution), and qemu-kvm (RHEL 6: code execution).
Scientific Linux has updated kvm (SL5: code execution) and qemu-kvm (SL6: code execution).
Ubuntu has updated miniupnpc (15.10: code execution) and oxide-qt (15.10: multiple vulnerabilities).
Swarm v. Fleet v. Kubernetes v. Mesos (O'Reilly)
Here's a survey of orchestration systems on the O'Reilly site. "Various software tools and solutions exist to help with these challenges. Let’s focus on orchestration tools, which help make all the pieces work together, working with the cluster to start containers on appropriate hosts and connect them together. Along the way, we’ll consider scaling and automatic failover, which are important features."
A set of stable kernel updates
The 4.2.4, 4.1.11, 3.14.55, and 3.10.91 stable kernel updates are available. These are relatively large updates with a lot of important fixes.
Ubuntu 15.10 (Wily Werewolf) released
Ubuntu 15.10 (codenamed "Wily Werewolf") has been released. "Under the hood, there have been updates to many core packages, including a new 4.2-based kernel, a switch to gcc-5, and much more. Ubuntu Desktop has seen incremental improvements, with newer versions of GTK and Qt, updates to major packages like Firefox and LibreOffice, and stability improvements to Unity. Ubuntu Server 15.10 includes the Liberty release of OpenStack, alongside deployment and management tools that save devops teams time when deploying distributed applications - whether on private clouds, public clouds, x86, ARM, or POWER servers, or on developer laptops. Several key server technologies, from MAAS to juju, have been updated to new upstream versions with a variety of new features." More information can be found in the release notes.
Security updates for Thursday
Arch Linux has updated ntp (multiple vulnerabilities).
CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities) and java-1.8.0-openjdk (C7; C6: many vulnerabilities).
Debian-LTS has updated unzip (two vulnerabilities).
openSUSE has updated python-django (13.1: two vulnerabilities).
Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: many vulnerabilities) and java-1.8.0-openjdk (OL7; OL6: many vulnerabilities).
Red Hat has updated java-1.7.0-openjdk (RHEL6&7; RHEL5: many vulnerabilities) and java-1.8.0-openjdk (RHEL6&7: many vulnerabilities).
Scientific Linux has updated java-1.7.0-openjdk (SL6&7; SL5: many vulnerabilities) and java-1.8.0-openjdk (SL6&7: many vulnerabilities).
[$] LWN.net Weekly Edition for October 22, 2015
The LWN.net Weekly Edition for October 22, 2015 is available.
Shuttleworth: X marks the spot
Mark Shuttleworth introduces the next Ubuntu release, 16.04 LTS. "All of these are coming together beautifully, making Ubuntu the fastest path to magic of all sorts. And that magic will go by the codename… xenial xerus! What fortunate timing that our next LTS should be X, because “xenial” means “friendly relations between hosts and guests”, and given all the amazing work going into LXD and KVM for Ubuntu OpenStack, and beyond that the interoperability of Ubuntu OpenStack with hypervisors of all sorts, it seems like a perfect fit. And Xerus, the African ground squirrels, are among the most social animals in my home country. They thrive in the desert, they live in small, agile, social groups that get along unusually well with their neighbours (for most mammals, neighbours are a source of bloody competition, for Xerus, hey, collaboration is cool). They are fast, feisty, friendly and known for their enormous… courage. That sounds just about right. With great… courage… comes great opportunity!"
Security advisories for Wednesday
CentOS has updated libwmf (C7; C6: multiple vulnerabilities).
Debian has updated chromium-browser (multiple vulnerabilities).
Oracle has updated libwmf (OL7; OL6: multiple vulnerabilities).
Red Hat has updated libwmf (RHEL6,7: multiple vulnerabilities).
Scientific Linux has updated libwmf (SL6,7: multiple vulnerabilities).
Ubuntu has updated kernel (15.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), miniupnpc (15.04, 14.04, 12.04: code execution), and oxide-qt (15.04, 14.04: multiple vulnerabilities).
[$] Rich access control lists
Access control lists (ACLs) can implement finer-grained access permissions for files than the traditional Unix mode bits. Linux has ACL support, but the POSIX ACLs supported by Linux now have been showing their age for a while. POSIX ACLs may soon be superseded by a more capable mechanism known as RichACLs. Click below (subscribers only) for a look at RichACLs and what they bring to Linux.
ownCloud Server 8.2 released
OwnCloud Server 8.2 is available. This release features a revamped user interface and many improvements for ownCloud administrators. "ownCloud Server 8.2 makes it possible for ownCloud Administrators to send their users notifications, useful to let users know about a maintenance window for example. Admins can now also set limits on trash and version retention, ensuring that trashed files and versions get deleted after a set number of days or are not purged for a certain period. The occ command line tool has gained significant new maintenance and control features. It enables encrypting, decrypting and re-encrypting existing user data and can now set and get system and app configuration values. It can also be used to rescan the file system and update mime types after custom types have been defined."
Tuesday's security updates
Debian has updated postgresql-9.4 (two vulnerabilities) and wordpress (multiple vulnerabilities).
Fedora has updated opensmtpd (F22: multiple vulnerabilities) and sssd (F22; F21: memory leak).
openSUSE has updated flash-player (11.4: multiple vulnerabilities).
SUSE has updated librsvg (SLE11SP3,4: denial of service) and qemu (SLE12: multiple vulnerabilities).
Ubuntu has updated kernel (14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
Sonic Pi uses code to compose a dance party (Opensource.com)
Opensource.com has an interview with Sam Aaron, creator of Sonic Pi. "Sonic Pi is a musical instrument that happens to use code as its interface. It's also a programming environment that happens to be very capable of making sophisticated sounds. It's actually many things—a tool for learning how to program, for exploring new notations for music, for improvising electronic music, for collaborating on musical ideas via text, for researching new programming techniques related to time and liveness. Most of all, it's a lot of fun."
Security updates for Monday
Arch Linux has updated flashplugin (multiple vulnerabilities), miniupnpc (code execution), and spice (multiple vulnerabilities).
Debian has updated owncloud (multiple vulnerabilities).
Debian-LTS has updated freeimage (integer overflow) and postgresql-8.4 (denial of service).
Fedora has updated firefox (F22: multiple vulnerabilities) and lxdm (F22; F21: two vulnerabilities).
Gentoo has updated bind (denial of service).
Mageia has updated flash-player-plugin (multiple vulnerabilities).
openSUSE has updated docker (13.2: two vulnerabilities).
Red Hat has updated flash-plugin (RHEL6: multiple vulnerabilities).
Kernel prepatch 4.3-rc6
Linus has released 4.3-rc6 for testing. "Things continue to be calm, and in fact have gotten progressively calmer. All of which makes me really happy, although my suspicious nature looks for things to blame. Are people just on their best behavior because the Kernel Summit is imminent, and everybody is putting their best foot forward?"
de Raadt: It was twenty years ago you see...
Theo de Raadt is celebrating the twentieth anniversary of the creation of the OpenBSD source tree. "Chuck [Cranor] and I also worked on setting up the first 'anoncvs' to make sure no one was ever cut out from 'the language of diffs' again. I guess that was the precursor for the github concept these days :-)"
How a few legitimate app developers threaten the entire Android userbase (Ars Technica)
Ars Technica reports that a handful of app distributors are putting many Android users at risk by bundling root exploits with their wares. "It took just one month of part-time work for the computer scientists to reverse engineer 167 exploits from a single provider so they could be reused by any app of their choosing. Ultimately, the researchers concluded that the providers, by providing a wide array of highly customized exploits that are easy to reverse engineer and hard to detect, are putting the entire Android user base at increased risk."
Appeals Court Gives Google A Clear And Total Fair Use Win On Book Scanning (Techdirt)
Here's a lengthy Techdirt article looking through the US Appeals Court ruling that Google's scanning of books constitutes fair use under copyright law. "Thus, while authors are undoubtedly important intended beneficiaries of copyright, the ultimate, primary intended beneficiary is the public, whose access to knowledge copyright seeks to advance by providing rewards for authorship."