LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2024-11-25 20:30
Friday's security updates
CentOS has updated spice (C7: code execution) and spice-server (C6: code execution).
Debian has updated chromium-browser (multiple vulnerabilities) and screen (denial of service).
Fedora has updated mediawiki (F21; F22: multiple vulnerabilities) and struts (F22: input validation bypass).
openSUSE has updated firefox (13.1, 13.2: multiple vulnerabilities).
Oracle has updated bind (O7; O6; O5: denial of service), bind97 (O5: multiple vulnerabilities), libXfont (O7; O6: multiple vulnerabilities), spice (O7: code execution), and spice-server (O6: code execution).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), openshift (RHOSE3: denial of service), openstack-nova (RHELOSP7: denial of service), qemu-kvm-rhev (RHELOSP7: information leak), spice (RHEL7: code execution), and spice-server (RHEL6: code execution).
Scientific Linux has updated spice-server (SL7; SL6: code execution).
Slackware has updated seamonkey (multiple vulnerabilities).
SUSE has updated kernel (SLELP12 3.12.43; 3.12.39; 3.12.38; 3.12.36; 3.12.32: multiple vulnerabilities).
Ubuntu has updated kernel (12.04: information leak; 14.04: code execution), libvdpau (12.04, 14.04, 15.04: multiple vulnerabilities), linux-lts-trusty (12.04: code execution), linux-ti-omap4 (12.04: information leak), and openslp-dfsg (12.04, 14.04, 15.04: denial of service).
The Linux Test Project has been released for September 2015
The Linux Test Project (LTP) has made a stable release for September 2015. The previous release was in April. This release has a number of new test cases including ones for user namespaces, virtual network interfaces, umount2(), getrandom(), and more. In addition, the network namespace test cases were rewritten and regression tests have been added for inotify, cpuset, futex_wake(), and recvmsg(). We looked at writing LTP test cases back in January.
Thursday's security advisories
Arch Linux has updated bind (two denial of service flaws).
CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), and libXfont (C7; C6: three privilege escalation flaws).
Debian has updated bind9 (denial of service), qemu (multiple vulnerabilities), and qemu-kvm (two vulnerabilities).
Debian-LTS has updated openslp-dfsg (three vulnerabilities, one from 2010, another from 2012).
Red Hat has updated bind (RHEL6,7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and libXfont (RHEL6,7: three privilege escalation flaws).
Scientific Linux has updated bind (SL6,7; SL5: denial of service), bind97 (SL5: denial of service), and libXfont (SL6,7: three privilege escalation flaws).
Slackware has updated bind (two denial of service flaws).
SUSE has updated bind (SLE12; SLE11SP2,3,4: denial of service), kernel (SLE11SP2: multiple vulnerabilities, three from 2014), and xen (SLE11SP3; SLED11SP3: multiple vulnerabilities).
Ubuntu has updated bind9 (denial of service).
[$] LWN.net Weekly Edition for September 3, 2015
The LWN.net Weekly Edition for September 3, 2015 is available.
[$] Debsources as a platform
Debsources is a project that provides a web-based interface into the source code of every package in the Debian software archive—not a small task by any means. But, as Stefano Zacchiroli and Matthieu Caneill explained in their DebConf 2015 session, Debsources is far more than a source-code browsing tool. It provides a searchable viewport into 20 years of free-software history, which makes it viable as a platform for many varieties of research and experimentation.
Security updates for Wednesday
Arch Linux has updated chromium (multiple vulnerabilities).
CentOS has updated gdk-pixbuf2 (C7; C6: code execution), jakarta-taglibs-standard (C7; C6: code execution), nss-softokn (C7; C6: signature forgery), and pcs (C7; C6: privilege escalation).
Debian has updated pdns (denial of service).
Scientific Linux has updated nss-softokn (SL6,7: signature forgery) and pcs (SL6,7: privilege escalation).
Slackware has updated gdk (code execution).
SUSE has updated kvm (SLE11SP3: code execution) and firefox, nss (SLE12: multiple vulnerabilities).
LLVM 3.7 released
Version 3.7 of the LLVM compiler suite is out. "This release contains the work of the LLVM community over the past six months: full OpenMP 3.1 support (behind a flag), the On Request Compilation (ORC) JIT API, a new backend for Berkeley Packet Filter (BPF), Control Flow Integrity checking, as well as improved optimizations, new Clang warnings, many bug fixes, and more." See the release notes for LLVM and Clang for details.
Microsoft, Google, Amazon, others, aim for royalty-free video codecs (Ars Technica)
Ars Technica reports that Microsoft, Google, Mozilla, Cisco, Intel, Netflix, and Amazon have launched a new consortium, the Alliance for Open Media. "The Alliance for Open Media would put an end to this problem [of patent licenses and royalties]. The group's first aim is to produce a video codec that's a meaningful improvement on HEVC. Many of the members already have their own work on next-generation codecs; Cisco has Thor, Mozilla has been working on Daala, and Google on VP9 and VP10. Daala and Thor are both also under consideration by the IETF's netvc working group, which is similarly trying to assemble a royalty-free video codec."
Tuesday's security advisories
Fedora has updated qemu (F21: multiple vulnerabilities).
Oracle has updated gdk-pixbuf2 (OL7; OL6: code execution), jakarta-taglibs-standard (OL7; OL6: code execution), and nss-softokn (OL7; OL6: signature forgery).
Red Hat has updated nss-softokn (RHEL6,7: signature forgery) and pcs (RHEL6,7: privilege escalation).
Ubuntu has updated expat (15.04, 14.04, 12.04: denial of service) and gnutls28 (15.04: two vulnerabilities).
OpenSSL Security: A Year in Review
The OpenSSL project looks at its security record for the last year. "The acceptable timeline for disclosure is a hot topic in the community: we meet CERT’s 45-day disclosure deadline more often than not, and we’ve never blown Project Zero’s 90-day baseline. Most importantly, we met the goal we set ourselves and released fixes for all HIGH severity issues in well under a month. We also landed mitigation for two high-profile protocol bugs, POODLE and Logjam. Those disclosure deadlines weren’t under our control but our response was prepared by the day the reports went public."
ownCloud Contributor Conference Announcements
The ownCloud Contributor Conference 2015 (August 28-September 3 in Berlin, Germany) started off with some big announcements, including the publishing of the User Data Manifesto 2.0, the creation of the ownCloud Security Bug Bounty Program, and the release of the ownCloud Proxy app. "Designed for those of you who want your own private, secure “Dropbox” and don’t want the hassle of configuring routers, firewalls and DNS entries for access from anywhere, at any time, ownCloud Proxy is for you. It comes installed as an ownCloud community app in the new ownCloud community appliance, connects to relay servers in the cloud, and provides anytime, anywhere access to your files, on your PC running in your home network, quickly and easily. And, of course, you can grab it from the ownCloud app store and add it to an existing ownCloud server if you already have one running."
Security updates for Monday
Debian has updated drupal7 (multiple vulnerabilities) and iceweasel (multiple vulnerabilities).
Mageia has updated audit (MG4,5: unsafe escape-sequence handling), firefox (MG4,5: multiple vulnerabilities), and glusterfs (MG5; MG4: privilege escalation).
openSUSE has updated ansible (13.2: regression in previous update) and thunderbird (13.2; 13.1: multiple vulnerabilities).
Red Hat has updated gdk-pixbuf2 (RHEL6,7: code execution) and jakarta-taglibs-standard (RHEL6,7: code execution).
Scientific Linux has updated firefox (SL5,6,7: two vulnerabilities), gdk-pixbuf2 (SL6,7: code execution), and jakarta-taglibs-standard (SL6,7: code execution).
Slackware has updated firefox (multiple vulnerabilities).
SUSE has updated kvm (SLE11SP4: code execution).
The 4.2 kernel has been released
Linus has announced the final release of the 4.2 kernel. "So judging by how little happened this week, it wouldn't have been a mistake to release 4.2 last week after all, but hey, there's certainly a few fixes here, and it's not like delaying 4.2 for a week should have caused any problems either." Headline features in this release include the security module stacking patches, the delay-gradient congestion-control algorithm, improvements to writeback management in control groups, a lot of important persistent-memory infrastructure, and more.
GDB 7.10 released
Version 7.10 of the GDB debugger is out. Improvements this time around include better support for access to shared libraries on remote targets, reverse debugging on ARM64 systems, support for DTrace static probes, and more.
Starting in September, Chrome will stop auto-playing Flash ads
Google has announced that, beginning September 1, Chrome will no longer auto-play Flash-based ads in the company's popular AdWords program. The post frames this as a move to improve browsing performance for users, and notes that most Flash ads are automatically converted to HTML5 already. Commenting on the news, The Register notes that the change should also offer some additional protection against malware delivered via Flash. Chrome will continue to auto-play Flash content in the main body of pages, however. The Register's story says the change is, in fact, just a modification of the default setting for plugin behavior, which already supports an option to disable plugin content not deemed "important." Mozilla, of course, blacklisted the Flash plugin in July, although that action only disabled the then-current, vulnerable release—which was subsequently updated.
Friday's security updates
Arch Linux has updated firefox (multiple vulnerabilities).
CentOS has updated firefox (C5; C6; C7: multiple vulnerabilities) and thunderbird (C5; C6; C7: multiple vulnerabilities).
Debian-LTS has updated openjdk-6 (multiple vulnerabilities) and zendframework (XML external entity attack).
Fedora has updated maradns (F21; F22: denial of service), openssh (F21: multiple vulnerabilities), php-guzzle-Guzzle (F21; F22: XML external entity attack), php-twig (F22: code execution), php-ZendFramework2 (F21; F22: XML external entity attack), rt (F21; F22: cross-site scripting), and rubygem-rack (F21: denial of service).
Mageia has updated drupal (M4,5: multiple vulnerabilities), python-django, python-django14 (M4,5: multiple vulnerabilities), subversion (M4,5: multiple vulnerabilities), thunderbird (M4,5: multiple vulnerabilities), and vlc (M4,5: code execution).
Oracle has updated firefox (O5; O6; O7: multiple vulnerabilities).
Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities).
SUSE has updated MozillaFirefox, mozilla-nss (SLE11: multiple vulnerabilities).
Ubuntu has updated cups-filters (15.04: unintended printer access) and firefox (12.04, 14.04, 15.04: multiple vulnerabilities).
The 2015 EFF Pioneer Awards
The Electronic Frontier Foundation has announced the recipients of its Pioneer Awards for 2015: Caspar Bowden, The Citizen Lab, Anriette Esterhuysen and the Association for Progressive Communications, and Kathy Sierra. "This extraordinary group of winners have all focused on the users, striving to give everyone the access, power, community, and protection they need in order to create and participate in our digital world."
KDE Sprints - who wins? (KDE.News)
KDE.News looks at KDE sprints and their benefits. The organization is doing some fundraising to help support its sprints, so it is trying to get the word out about these code-focused events: "To start with, KDE sprints are intensive sessions centered around coding. They take place in person over several days, during which time skillful developers eat, drink and sleep code. There are breaks to refresh and gain perspective, but mostly sprints involve hard, focused work. All of this developer time and effort is unpaid. However travel expenses for some developers are covered by KDE. KDE is a frugal organization with comparatively low administrative costs, and only one paid person who works part time. So the money donated for sprints goes to cover actual expenses. Who gets the money? Almost all of it goes to transportation companies."
Security updates for Thursday
Debian has updated php5 (multiple vulnerabilities).
Debian-LTS has updated pykerberos (authentication botch) and python-django (two vulnerabilities).
Fedora has updated mariadb (F21: unspecified).
Mageia has updated cgit (code execution from 2014).
Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities, including one from 2014).
Grsecurity stable patches to be limited to sponsors
The developers of the Grsecurity kernel-hardening patch set have announced that, due to claimed ongoing GPL and trademark violations, the public distribution of the "stable" series of patches will stop. "We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity. Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only. The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities."
[$] LWN.net Weekly Edition for August 27, 2015
The LWN.net Weekly Edition for August 27, 2015 is available.
Security updates for Wednesday
Arch Linux has updated gnutls (denial of service), jasper (denial of service), pcre (code execution), and python-django (denial of service).
CentOS has updated httpd (C7: two vulnerabilities) and mariadb (C7: multiple vulnerabilities).
Debian has updated twig (code execution).
Debian-LTS has updated ruby1.8 (information disclosure) and ruby1.9.1 (information disclosure).
Mageia has updated gnutls (MG4,5: two vulnerabilities), vlc (MG5: code execution), and wireshark (MG4,5: multiple vulnerabilities).
Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).
Ubuntu has updated gdk-pixbuf (15.04, 14.04, 12.04: code execution).
[$] Reviving the Hershey fonts
At the 2015 edition of TypeCon in Denver, Adobe's Frank Grießhammer presented his work reviving the famous Hershey fonts from the Mid-Century era of computing. The original fonts were tailor-made for early vector-based output devices but, although they have retained a loyal following (often as a historical curiosity), they have never before been produced as an installable digital font.
Go 1.5 released
Version 1.5 of the Go language has been released. "This release includes significant changes to the implementation. The compiler tool chain was translated from C to Go, removing the last vestiges of C code from the Go code base. The garbage collector was completely redesigned, yielding a dramatic reduction [PDF] in garbage collection pause times. Related improvements to the scheduler allowed us to change the default GOMAXPROCS value (the number of concurrently executing goroutines) from 1 to the number of available CPUs. Changes to the linker enable distributing Go packages as shared libraries to link into Go programs, and building Go packages into archives or shared libraries that may be linked into or loaded by C programs (design doc)."
Happy 24th birthday, Linux kernel (Opensource.com)
Opensource.com wishes Linux a happy 24th birthday, with a brief timeline of Linux history. "There's some debate in the Linux community as to whether we should be celebrating Linux's birthday today or on October 5 when the first public release was made, but Linus says he is O.K. with you celebrating either one, or both! So as we say happy birthday, let's take a quick look back at the years that have passed and how far we have come."
KDE Ships Plasma 5.4.0, Feature Release for August
KDE has released Plasma 5.4 with some new features. "This release of Plasma brings many nice touches for our users such as much improved high DPI support, KRunner auto-completion and many new beautiful Breeze icons. It also lays the ground for the future with a tech preview of Wayland session available. We're shipping a few new components such as an Audio Volume Plasma Widget, monitor calibration tool and the User Manager tool comes out beta."
Tuesday's security updates
CentOS has updated httpd (C6: denial of service) and nss (C5: two vulnerabilities).
Oracle has updated httpd (OL7; OL6: denial of service), mariadb (OL7: multiple unspecified vulnerabilities), and nss (OL5: two vulnerabilities).
Red Hat has updated httpd (RHEL7; RHEL6: HTTP request smuggling), httpd24-httpd (RHSCL2: multiple vulnerabilities), libunwind (RHELOSP6: buffer overflow), mariadb (RHEL7: multiple vulnerabilities), nss (RHEL5: two vulnerabilities), openstack-neutron (RHELOSP6: denial of service), openstack-swift (RHELOSP6; RHELOSP5: arbitrary object deletion), python-django (RHELOSP6; RHELOSP5: denial of service), python-django-horizon (RHELOSP6: cross-site scripting), python-keystoneclient (RHELOSP6; RHELOSP5: two vulnerabilities), qemu-kvm-rhev (RHELOSP6; RHELOSP5: information leak), redis (RHELOSP6: code execution), and thunderbird (RHEL5,6,7: multiple vulnerabilities).
Scientific Linux has updated httpd (SL7; SL6: denial of service), mariadb (SL7: multiple vulnerabilities), nss (SL5: two vulnerabilities), and thunderbird (SL5,6,7: multiple vulnerabilities).
Ubuntu has updated thunderbird (15.04, 14.04, 12.04: multiple vulnerabilities).
Ubuntu on the Mainframe: Interview with Canonical's Dustin Kirkland (Linux.com)
Linux.com has an interview with Dustin Kirkland of Canonical's Ubuntu Product and Strategy team, about Ubuntu on the mainframe and more. "Canonical is doing a lot of different things in the enterprise space, to solve different problems. One of the interesting works going on at Canonical is Fan networking. We all know that the world is running out of IPv4 addresses (or already has). The obvious solution to this problem is IPv6, but it’s not universally available. Kirkland said, "There are still places where IPv6 doesn't exist -- little places like Amazon web services where you end up finding lots of containers." The problem multiplies as many instances in cloud need IP addresses. "Each of those instances can run hundreds of containers, each of those containers then needs to be addressable," said Kirkland."
Security advisories for Monday
Debian-LTS has updated extplorer (cross-site scripting), roundup (multiple vulnerabilities), and wesnoth-1.8 (information leak).
Mageia has updated libcryptopp (MG4,5: information disclosure), mediawiki (MG4,5: multiple vulnerabilities), openssh (MG4,5: multiple vulnerabilities), php (MG5; MG4: multiple vulnerabilities), and x11-server (MG5: permission bypass).
openSUSE has updated wireshark (13.2: multiple vulnerabilities) and xfsprogs (13.2, 13.1: information disclosure).
Red Hat has updated rh-ruby22-ruby (RHSCL2: DNS hijacking).
Slackware has updated gnutls (denial of service).
SUSE has updated glibc (SLE11SP3,4: multiple vulnerabilities) and kvm (SLE11SP2: two vulnerabilities).
Kernel prepatch 4.2-rc8
In the end, Linus decided to hold off one more week and release 4.2-rc8 instead of the final 4.2 kernel. "It's not like there are any real outstanding issues, and I waffled between just doing the release and doing another -rc. But we did have another low-level x86 issue come up this week, and together with the fact that a number of people are on vacation, I decided that waiting an extra week isn't going to hurt. But it was close. It's a fairly small rc8, and I really feel like it could have gone either way."
Mozilla: The Future of Developing Firefox Add-ons
Mozilla has announced a significant set of changes for authors of Firefox add-ons. These include a new API (and the deprecation of XUL and XPCOM), a process-based sandboxing mechanism, mandatory signing of extensions, and more. "For our add-on development community, these changes will bring benefits, like greater cross-browser add-on compatibility, but will also require redevelopment of a number of existing add-ons. We’re making a big investment by expanding the team of engineers, add-on reviewers, and evangelists who work on add-ons and support the community that develops them. They will work with the community to improve and finalize the WebExtensions API, and will help developers of unsupported add-ons make the transition to newer APIs and multi-process support."
The bcachefs filesystem
Kent Overstreet, author of the bcache block caching layer, has announced that bcache has metamorphosed into a fully featured copy-on-write filesystem. "Well, years ago (going back to when I was still at Google), I and the other people working on bcache realized that what we were working on was, almost by accident, a good chunk of the functionality of a full blown filesystem - and there was a really clean and elegant design to be had there if we took it and ran with it. And a fast one - the main goal of bcachefs to match ext4 and xfs on performance and reliability, but with the features of btrfs/zfs."
Security updates for Friday
Fedora has updated pure-ftpd (F21: denial of service).
Red Hat has updated openshift (RHOSE3: privilege escalation).
SUSE has updated xen (SLE11SP1: two vulnerabilities).
Ubuntu has updated subversion (15.04, 14.04, 12.04: multiple vulnerabilities) and firefox (15.04, 14.04, 12.04: regression in previous update).
[$] Glibc wrappers for (nearly all) Linux system calls
The GNU C Library (glibc) is a famously conservative project. In the past, that conservatism created a situation where there is no way to directly call a number of Linux system calls from a glibc-using program. As glibc has relaxed a bit in recent years, its developers have started to reconsider adding wrapper functions for previously inaccessible system calls. But, as the discussion shows, adding these wrappers is still not as straightforward as one might think.
Security advisories for Thursday
Debian has updated conntrack (denial of service), openjdk-6 (multiple vulnerabilities), vlc (code execution), and zendframework (XML External Entity attack).
Debian-LTS has updated conntrack (denial of service).
Fedora has updated mariadb (F22: multiple vulnerabilities).
Red Hat has updated mariadb55-mariadb (RHSCL2: multiple vulnerabilities) and rh-mariadb100-mariadb (RHSCL2: multiple vulnerabilities).
SUSE has updated kvm (SLE11SP1: code execution).
Rkt 0.8 released
Version 0.8 of the rkt container specification has been released. The changelog notes that this version adds support for running under the LKVM hypervisor and adds experimental support for user namespaces. Other features include improved integration with systemd and additional functional tests. An accompanying blog post goes into further detail for many of these new features.
Wednesday's security advisories
CentOS has updated pam (C6; C7: denial of service).
Debian has updated python-django (multiple vulnerabilities).
Debian-LTS has updated wordpress (multiple vulnerabilities).
Fedora has updated audit (F21; F22: unsafe escape-sequence handling), icecast (F21; F22: denial of service), kernel (F21; F22: information leak), openssh (F22: multiple vulnerabilities), rubygem-rack (F22: denial of service), rubygems (F21: DNS hijacking), strongswan (F21; F22: multiple vulnerabilities), and xfsprogs (F21: information leak).
Oracle has updated pam (O6; O7: denial of service).
Red Hat has updated kernel (RHEL6: privilege escalation) and pam (RHEL6, 7: denial of service).
Scientific Linux has updated pam (SL6, 7: denial of service).
Ubuntu has updated python-django (12.04, 14.04, 15.04: multiple vulnerabilities) and openssh (12.04, 14.04, 15.04: upstream regression resulting in denial of service).
Ruoho: Multiple Vulnerabilities in Pocket
On his blog, Clint Ruoho reports on multiple vulnerabilities he found in the Pocket service that saves articles and other web content for reading later on a variety of devices. Pocket integration has been controversially added to Firefox recently, which is what drew his attention to the service. "The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache’s mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket’s app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs. These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket’s backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers." He was able to get more information, such as the contents of /etc/passwd on Pocket's Amazon EC2 servers. (Thanks to Scott Bronson and Pete Flugstad.)
Security advisories for Tuesday
CentOS has updated glibc (C5: code execution from 2013), mysql55-mysql (C5: multiple unspecified vulnerabilities, one from 2014), net-snmp (C7; C6: code execution), sqlite (C6: code execution), sqlite (C7: three vulnerabilities), and subversion (C6: three vulnerabilities).
Debian has updated apache2 (two vulnerabilities), gdk-pixbuf (code execution), and nss (two vulnerabilities).
Debian-LTS has updated libstruts1.2-java (unclear vulnerability from 2014).
Fedora has updated erlang (F22; F21: man-in-the-middle vulnerability), firefox (F22: many vulnerabilities), flac (F21: two vulnerabilities from 2014), gnutls (F21: code execution), golang (F22; F21: HTTP request smuggling), nagios-plugins (F22; F21: three vulnerabilities), qemu (F22: two vulnerabilities), uwsgi (F22; F21: denial of service), and webkitgtk4 (F22: three unspecified vulnerabilities).
Mageia has updated kdepim (M4: no attachment encryption from 2014).
openSUSE has updated subversion (two vulnerabilities) and virtualbox (two vulnerabilities).
Oracle has updated glibc (OL5: code execution from 2013), mysql55-mysql (OL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (OL7; OL6: code execution), sqlite (OL7: three vulnerabilities), sqlite (OL6: code execution), and subversion (OL6: three vulnerabilities).
Red Hat has updated net-snmp (RHEL6&7: code execution).
Scientific Linux has updated glibc (SL5: code execution from 2013), mysql55-mysql (SL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (SL6&7: code execution), sqlite (SL6: code execution), and subversion (SL6: three vulnerabilities).
Ubuntu has updated kernel (12.04: three vulnerabilities), kernel (15.04; 14.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-ti-omap4 (12.04: three vulnerabilities), and net-snmp (two vulnerabilities, one from 2014).
[$] Development statistics for the 4.2 kernel
As of this writing, the 4.2-rc7 prepatch is out and the final 4.2 kernel looks to be (probably) on-track to be released on August 23. Tradition says that it's time for a look at the development statistics for this cycle. 4.2, in a couple of ways, looks a bit different from recent cycles, with some older patterns reasserting themselves. Click below (subscribers only) for the full article.
Schaller: An Open Letter to Apache Foundation and Apache OpenOffice team
Christian Schaller has posted an open letter to the Apache Software Foundation with a non-trivial request: "So dear Apache developers, for the sake of open source and free software, please recommend people to go and download LibreOffice, the free office suite that is being actively maintained and developed and which has the best chance of giving them a great experience using free software. OpenOffice is an important part of open source history, but that is also what it is at this point in time." In this context, it's interesting to note that OpenOffice project chair Jan Iverson recently stepped down, listing resistance to an effort to cooperate with LibreOffice as one of the main reasons. The project currently looks set to name Dennis Hamilton (who is running unopposed) as its new chair.
The Open Mainframe Project
The Linux Foundation has announced the launch of the Open Mainframe Project. "In just the last few years, demand for mainframe capabilities have drastically increased due to Big Data, mobile processing, cloud computing and virtualization. Linux excels in all these areas, often being recognized as the operating system of the cloud and for advancing the most complex technologies across data, mobile and virtualized environments. Linux on the mainframe today has reached a critical mass such that vendors, users and academia need a neutral forum to work together to advance Linux tools and technologies and increase enterprise innovation."
Stable kernels 4.1.6, 3.14.51, and 3.10.87
Greg Kroah-Hartman has announced the release of the 4.1.6, 3.14.51, and 3.10.87 stable kernels. As usual, there are important fixes throughout the tree and users of those kernel series should upgrade.
Security updates for Monday
Arch Linux has updated glibc (denial of service from 2014).
Debian-LTS has updated libidn (information disclosure) and subversion (information disclosure).
Fedora has updated bzr (F22; F21: denial of service from 2013), firefox (F21: multiple vulnerabilities), and flac (F22: two vulnerabilities).
Gentoo has updated adobe-flash (multiple vulnerabilities), icecast (denial of service), and libgadu (three vulnerabilities from 2013 and 2014).
openSUSE has updated firefox (13.2; 13.1: multiple vulnerabilities) and flash-player (13.2; 13.1: many vulnerabilities).
Oracle has updated kernel 3.8.13 (OL7; OL6: two remote denial of service flaws), kernel 2.6.39 (OL6; OL5: two remote denial of service flaws), and kernel 2.6.32 (OL6; OL5: two remote denial of service flaws).
Red Hat has updated glibc (RHEL5: code execution from 2013), mysql55-mysql (RHEL5; RHSC2: multiple unspecified vulnerabilities, one from 2014), rh-mysql56-mysql (RHSC2: multiple unspecified vulnerabilities), sqlite (RHEL6: code execution), sqlite (RHEL7: three vulnerabilities), and subversion (RHEL6: three vulnerabilities).
Scientific Linux has updated sqlite (SL7: three vulnerabilities).
Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).
Ubuntu has updated openssh (15.04, 14.04, 12.04: two vulnerabilities) and pollinate (15.04, 14.04: certificate update).
Kernel prepatch 4.2-rc7
Linus has released the 4.2-rc7 prepatch, but he's still not sure about whether it will be the last for this development cycle. "So this may be the last RC, and it might not be. It will depend on whether anything more comes up next week, and how good I feel about things come next Sunday. A part of me is convinced that all the odd 32-bit compat issues etc fallout is finally fixed, but a part of me is still a bit leery."
Glibc 2.22 released
Version 2.22 of the GNU C Library is out. The biggest user-visible changes are an update to Unicode 7.0.0 and the addition of a vectorized math library for the x86_64 architecture. Beyond that, of course, there is a pile of bug fixes, a few of which address security-related problems.
Stagefright: Mission Accomplished? (Exodus Intelligence)
It would seem that reports of the demise of the Stagefright Android vulnerability may be rather premature. Exodus Intelligence is reporting that at least one of the fixes for integer overflow did not actually fully fix the problem, so MPEG4 files can still crash Android and potentially allow code execution. "Around July 31st, Exodus Intelligence security researcher Jordan Gruskovnjak noticed that there seemed to be a severe problem with the proposed patch. As the code was not yet shipped to Android devices, we had no ability to verify this authoritatively. In the following week, hackers converged in Las Vegas for the annual Black Hat conference during which the Stagefright vulnerability received much attention, both during the talk and at the various parties and events. After the festivities concluded and the supposedly patched firmware was released to the public, Jordan proceeded to investigate whether his assumptions regarding its fallibility were well founded. They were."
Friday's security advisories
Arch Linux has updated freeradius (certificate verification botch) and subversion (two vulnerabilities).
CentOS has updated kernel (C6: two remote denial of service flaws).
Fedora has updated gnutls (F22: denial of service), nbd (F22; F21: denial of service), pcre (F22: code execution), and wordpress (F22; F21: multiple vulnerabilities).
Mageia has updated gdk-pixbuf2.0 (M5: code execution) and owncloud (three vulnerabilities).
openSUSE has updated glibc (13.1: denial of service from 2014) and kernel (13.2: multiple vulnerabilities, some from 2014).
Oracle has updated kernel (OL6: two remote denial of service flaws).
Red Hat has updated kernel (RHEL6: two remote denial of service flaws).
Scientific Linux has updated kernel (SL6: two remote denial of service flaws).
SUSE has updated firefox (SLE11SP4, SP3: information leak).
The State of Fedora: 2015 Edition (Fedora Magazine)
Fedora Magazine reports on Fedora project leader Matthew Miller's keynote at Flock, which is the Fedora contributor conference. He outlined the state of the distribution using some graphs and statistics and said "we’re doing very well as a project and it’s thanks to all of you". The use of Internet Relay Chat (IRC) by the project was another topic: "Fedorans do like to work together. Last year there were 1,066 IRC meetings (official meetings, not just being in IRC talking), and 765 IRC meetings in 2015 alone. 'This shows how vibrant we are, but also is buried in IRC. There’s a lot of Fedora activity you don’t see on the Fedora Web site… I want to look at ways to make that more visible,' says Miller. There are efforts to make the activity more visible, says Miller. 'If I want to interact with the project, is somebody there? Yes, but we have millions of dead pages on the wiki… we need to make this more visible.' IRC is 'definitely a measure of engagement' but it’s also a high barrier of entry, says Miller. 'Wow that’s complicated. Wow, that’s still around?' is a common response from new contributors to IRC. The technology, and 'culture' can be confusing."
Security updates for Thursday
Debian has updated request-tracker4 (cross-site scripting).
Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).
SUSE has updated firefox (SLE12: information leak), java-1_7_0-ibm (SLE11SP3, SP2: many vulnerabilities), and kernel-rt (SLE11SP3: many vulnerabilities, including some from 2014).