Greg Kroah-Hartman has announced the release of the 4.8.11 and 4.4.35 stable kernels. As usual, they contain fixes throughout the kernel tree and users of those kernel series should upgrade.
The Verge looks at legislation in the UK that would allow police and intelligence agencies to legally spy on its own people. "The legislation in question is called the Investigatory Powers Bill. It’s been cleared by politicians and awaits only the formality of royal assent before it becomes law. The bill will legalize the UK’s global surveillance program, which scoops up communications data from around the world, but it will also introduce new domestic powers, including a government database that stores the web history of every citizen in the country. UK spies will be empowered to hack individuals, internet infrastructure, and even whole towns — if the government deems it necessary."
The Fedora 25 release is now available. "The Fedora Project is pleased to announce the immediate availability of Fedora 25, the next big step in our journey into the containerized, modular future!" See the announcement and the release notes for details on the many changes in this release.
Clement Lefebvre has announced the release of Cinnamon 3.2. This version has Qt 5.7+ support, support for libinput touchpads as well as synaptics, and many more changes across the stack.
Fedora Magazine has a brief overview of the changes to be found in the workstation version of the Fedora 25 release. "Wayland now replaces the old X11 display server by default. Its goal is to provide a smoother, richer experience when navigating Fedora Workstation. Like all software, there may still be some bugs. You can still choose the old X11 server if required."
Linus has released the 4.9-rc6 kernel prepatch for testing. "We're getting further in the rc series, and while things have stayed pretty calm, I'm not sure if we're quite there yet. There's a few outstanding issues that just shouldn't be issues at rc6 time, so we'll just have to see. This may be one of those releases that have an rc8, which considering the size of 4.9 is perhaps not that unusual."
The stable kernel machine continues to produce updates; the latest are 4.8.9 and 4.4.33. Each contains the usual set of important fixes. Note that 4.8.10 and 4.4.34 are already in the review process; they can be expected on or after November 21.
The Linux Foundation has announced that it is consolidating three conferences under one name going forward. LinuxCon, CloudOpen, and ContainerCon join together under the "Linux Foundation Open Source Summit" name. For 2017, that encompasses three events: OSS Japan in Tokyo May 31-June 2, OSS North America in Los Angeles September 11-13, and OSS Europe in Prague October 23-25. "The Linux Foundation Open Source Summit in North America and Europe will also contain a brand new event, Community Leadership Conference. Attendees will have access to sessions across all events in a single venue, enabling them to collaborate and share information across a wide range of open source topics and areas of technology. They can take advantage of not only unparalleled educational opportunities, but also an expo hall, networking activities, hackathons, additional co-located events and The Linux Foundation’s diversity initiatives, including free childcare, nursing rooms, non-binary restrooms and a diversity luncheon."
The Tor blog has a post about the refresh of its Tor-enabled Android phone prototype, which is now in a workable state though it still has some rough edges. There is also a worrisome trend that the post highlights: "It is unfortunate that Google seems to see locking down Android as the only solution to the fragmentation and resulting insecurity of the Android platform. We believe that more transparent development and release processes, along with deals for longer device firmware support from SoC vendors, would go a long way to ensuring that it is easier for good OEM players to stay up to date. Simply moving more components to Google Play, even though it will keep those components up to date, does not solve the systemic problem that there are still no OEM incentives to update the base system. Users of old AOSP base systems will always be vulnerable to library, daemon, and operating system issues. Simply giving them slightly more up to date apps is a bandaid that both reduces freedom and does not solve the root security problems. Moreover, as more components and apps are moved to closed source versions, Google is reducing its ability to resist the demand that backdoors be introduced. It is much harder to backdoor an open source component (especially with reproducible builds and binary transparency) than a closed source one."
Arch Linux has updated firefox (multiple vulnerabilities), libgit2 (two vulnerabilities), python-django (two vulnerabilities), and python2-django (two vulnerabilities).
Debian has updated firefox-esr (multiple vulnerabilities).
Fedora has updated bind99 (F24: two vulnerabilities), firefox (F24: multiple vulnerabilities), and kernel (F24: denial of service).
Gentoo has updated libuv (privilege escalation from 2015).
Mageia has updated nss, firefox (multiple vulnerabilities).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities) and nss and nss-util (OL7; OL6; OL5: two vulnerabilities).
Red Hat has updated openssl (RHEL6: denial of service).
The EuroPython Society shares the sad news that Rob Collins has passed away. "Many of you may know Rob from the sponsored massage sessions he regularly ran at EuroPython in recent years and which he continued to develop, taking them from a single man setup (single threaded process) to a group of people setup by giving workshops (multiprocessing) and later on by passing on his skills to more leaders (removing the GIL) to spread wellness and kindness throughout our conference series."
Debian has updated akonadi (denial of service), gst-plugins-bad0.10 (code execution), and moin (cross-site scripting).
Debian-LTS has updated mysql-5.5 (multiple unspecified vulnerabilities) and postgresql-9.1 (PostgreSQL 9.1 is EOL, users are encouraged to upgrade).
Mageia has updated libarchive (unspecified).
openSUSE has updated pcre (13.2: multiple vulnerabilities).
Oracle has updated 389-ds-base (OL6: three vulnerabilities) and kernel (OL6: multiple vulnerabilities).
Red Hat has updated 389-ds-base (RHEL6: three vulnerabilities), atomic-openshift (RHOSCP3.3: redirect network traffic), atomic-openshift-utils (RHOSCP3.2,3.3: code execution), firefox (RHEL5,6,7: multiple vulnerabilities), kernel (RHEL6: two vulnerabilities), and nss and nss-util (RHEL5,6,7: three vulnerabilities).
The Linux Foundation has announced that Microsoft has joined as a platinum member. "From cloud computing and networking to gaming, Microsoft has steadily increased its engagement in open source projects and communities. The company is currently a leading open source contributor on GitHub and earlier this year announced several milestones that indicate the scope of its commitment to open source development."
Mozilla has released Firefox 50.0. This version features improved performance for SDK extensions or extensions using the SDK module loader, added download protection for a large number of executable file types, an added option in Find in page that allows users to limit the search to whole words only, and more. See the release notes for details.
Arch Linux has updated shutter (code execution).
Debian-LTS has updated sudo (privilege escalation).
Fedora has updated libgit2 (F24: unspecified), memcached (F24; F23: code execution), python-django (F24: two vulnerabilities), and tre (F24; F23: code execution).
Gentoo has updated libpng (multiple vulnerabilities), polkit (privilege escalation), tnftp (command execution from 2014), xen (multiple vulnerabilities), and xinetd (privilege escalation from 2013).
openSUSE has updated Chromium (SPH for SLE12; Leap42.2, Leap42.1, 13.2: multiple vulnerabilities).
Oracle has updated policycoreutils (OL7; OL6: sandbox escape).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), qemu-kvm-rhev (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: denial of service), rh-mysql56-mysql (RHSCL: multiple vulnerabilities), and rh-php56 (RHSCL: multiple vulnerabilities).
Hector Marco and Ismael Ripoll report a discouraging vulnerability in many encrypted disk setups: simply running up too many password failures will eventually result in a root shell. "This vulnerability allows one to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard and/or a mouse."
The KDE Project has a little problem to report for users of the KDE neon distribution: "The package archive used by KDE neon was incorrectly configured allowing anyone to upload packages to it. There is no reason to think that anyone actually did so but as a precaution we have emptied the archives and removed ISOs built before this date." Once the process of rebuilding the archive is complete, users are recommended to upgrade to the new versions, or, better, simply reinstall.
The Core Infrastructure Initiative (CII) has announced continued financial support for the Reproducible Builds Project. "The grant extends the contribution to include Debian developers Chris Lamb, Mattia Rizzolo, Ximin Luo and Vagrant Cascadian, as well as extending funding for Holger Levsen. Furthermore, this contribution adds support for Ed Maste, working with FreeBSD." (Thanks to Paul Wise)
Getting live-patching capabilities into the mainline kernel has been a multi-year process. Basic patching support was merged for the 4.0 release, but further work has been stalled over disagreements on how the consistency model — the code ensuring that a patch is safe to apply to a running kernel — should work. The addition of kernel stack validation has addressed the biggest of the objections, so, arguably, it is time to move forward. At the 2016 Linux Plumbers Conference, developers working on live patching got together to discuss current challenges and future directions. Click below (subscribers only) for the full report from LPC 2016.
CentOS has updated java-1.7.0-openjdk (C6: multiple vulnerabilities), libgcrypt (C6: flawed random number generation), and pacemaker (C6: privilege escalation).
Debian has updated mariadb-10.0 (multiple vulnerabilities) and terminology (command execution).
Fedora has updated bind (F24: denial of service), mingw-libwebp (F24: integer overflows), sudo (F24: privilege escalation), and tomcat (F24; F23: multiple vulnerabilities).
Mageia has updated libwmf (denial of service), monit (cross-site request forgery), python-cryptography (returns empty byte-string), and quagga (stack overrun).
openSUSE has updated flash-player (13.1: multiple vulnerabilities), mysql-community-server (Leap42.2: multiple vulnerabilities), and opera (Leap42.2; Leap42.1: multiple vulnerabilities).
Red Hat has updated policycoreutils (RHEL6,7: sandbox escape).
SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities) and mysql (SLE11-SP4: three vulnerabilities).
The 4.9-rc5 kernel prepatch is out. Linus says: "Things have definitely gotten smaller, so a normal release schedule (with rc7 being the last one) is still looking possible despite the large size of 4.9. But let's see how things work out over the next couple of weeks. In the meantime, there's a lot of normal fixes in here, and we just need more testing."
Over at Linux Journal, Susan Sons has a lengthy article on security exercises, which are a way to test the readiness of a project or organization for some kind of security problem. "Scheduling exercises at a predictable time and reminding others when it will happen prevents confusion among staff. It is wise to begin with low-impact exercises (more on this below) that don't leverage production systems, and move on to higher-potential-impact exercises only when the organization's infrastructure and personnel have had most of the bugs shaken out. If something as small as a runaway process on a single server can seriously impact your business, it's better to find out at a planned time with all hands on deck than at 4am on a holiday when no one who knows what to do can be reached. The whole point of security exercises is to increase resilience: raise the threshold of what is normal for your team to deal with, what your systems can shrug off." She followed that article up with some example security exercises.
Christian Schaller writes that, after all these years, a stock Fedora system will be able to play MP3 files. "I know this has been a big wishlist item for a long time for a lot of people so I am really happy that we are finally in a position to fulfill that wish. You should be able to download the mp3 plugin on day 1 through GNOME Software or through the missing codec installer in various GStreamer applications. For Fedora Workstation 26 I would not be surprised if we decide to ship it on the install media."
Fedora has updated chromium (F24: multiple vulnerabilities), chromium-native_client (F24: multiple vulnerabilities), dracut (F24: information disclosure), jasper (F24: multiple vulnerabilities), and xen (F24: multiple vulnerabilities).
Mageia has updated flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mariadb (multiple vulnerabilities).
Red Hat has updated kernel (RHEL7.2: denial of service) and systemd (RHEL7.2: denial of service).
SUSE has updated php5 (SLE12: three vulnerabilities).
Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).
Neil Brown writes: "For a little longer than a year now, I have been using Notmuch as my primary means of reading email. Though the experience has not been without some annoyances, I feel that it has been a net improvement and expect to keep using Notmuch for quite some time." Click below (subscribers only) for his full report.
Debian has updated libxslt (code execution).
Fedora has updated dbus (F23: code execution), firefox (F23: two vulnerabilities), and pacemaker (F23: privilege escalation).
openSUSE has updated mariadb (13.2: multiple vulnerabilities) and nodejs (Leap42.1, 13.2: code execution).
Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).
Scientific Linux has updated libgcrypt (SL6: flawed random number generation) and pacemaker (SL6: privilege escalation).
Dave Täht has been working to save the Internet for the last six years (at least). Recently, his focus has been on improving the performance of networking over WiFi — performance that has been disappointing for as long as anybody can remember. The good news, as related in his 2016 Linux Plumbers Conference talk, is that WiFi can be fixed, and the fixes aren't even all that hard to do. Users with the right hardware and a willingness to run experimental software can have fast WiFi now, and it should be available for the rest of us before too long.
The digiKam Software Collection 5.3.0 has been released. This version is available as an AppImage bundle. "AppImage is an open-source project dedicated to providing a simple way to distribute portable software as a compressed binary file that a standard user can run as well, without installing special dependencies. All is included in the bundle, such as the latest Qt5 and KF5 frameworks. AppImage uses the FUSE filesystem, which is de-compressed into a temporary directory to start the application. You don't need to install digiKam on your system to be able to use it. Better, you can use the official digiKam from your Linux distribution in parallel, and test the new version without any conflict with the one used in production. This permits quickly testing a new release without waiting for an official package dedicated to your Linux box. Another AppImage advantage is being able to quickly provide a pre-release bundle to test the latest patches applied to the source code, outside the release plan."
The second service pack for SUSE Linux Enterprise Server, Desktop and other products, has been released. Highlights include software defined networking and network function virtualization, the new SUSE Package Hub for package updates, the ability to skip service pack releases (e.g. upgrade from SLES 12 to SLES 12-SP2), architecture support for AArch64 and Raspberry Pi, and much more.
Debian has updated mat (information leak) and openjdk-7 (multiple vulnerabilities).
Debian-LTS has updated python-imaging (two vulnerabilities).
Fedora has updated ansible (F24: two vulnerabilities), ghostscript (F24: two vulnerabilities), icu (F24: code execution), java-1.8.0-openjdk-aarch32 (F24: multiple vulnerabilities), and kernel (F24: two vulnerabilities).
openSUSE has updated bind (Leap42.1; 13.2: denial of service).
Oracle has updated java-1.7.0-openjdk (OL6; OL5: multiple vulnerabilities) and libgcrypt (OL6: flawed random number generation).
Red Hat has updated chromium-browser (RHEL6: memory leak), libgcrypt (RHEL6,7: flawed random number generation), pacemaker (RHEL6: privilege escalation), and qemu-kvm-rhev (RHOSP8; RHOSP9: denial of service).
Scientific Linux has updated java-1.7.0-openjdk (SL5,6: multiple vulnerabilities).
HackerBoards takes a look at the 64-bit Orange Pi. "Shenzhen Xunlong is keeping up its prolific pace in spinning off new Allwinner SoCs into open source SBCs, and now it has released its first 64-bit ARM model, and one of the cheapest quad-core Cortex-A53 boards around. The Orange Pi PC 2 runs Linux or Android on a new Allwinner H5 SoC featuring four Cortex-A53 cores and a more powerful Mali-450 GPU."
The 4.9-rc4 kernel prepatch is out for testing. Linus says: "So I'm not going to lie: this is not a small rc, and I'd have been happier if it was. But it's not unreasonably large for this (big) release either, so it's not like I'd start worrying. I'm currently still assuming that we'll end up with the usual seven release candidates, assuming things start calming down. We'll see how that goes as we get closer to a release."
Opensource.com celebrates 25 years of Vim. "Vim is a flexible, extensible text editor with a powerful plugin system, rock-solid integration with many development tools, and support for hundreds of programming languages and file formats. Twenty-five years after its creation, Bram Moolenaar still leads development and maintenance of the project—a feat in itself! Vim had been chugging along in maintenance mode for more than a decade, but in September 2016 version 8.0 was released, adding new features to the editor of use to modern programmers."
ZDNet takes a look at the VoCore2, a coin-sized computer. "VoCore2 is an open source Linux computer and a fully-functional wireless router that is smaller than a coin. It can also act as a VPN gateway for a network, an AirPlay station to play lossless music, a private cloud to store your photos, video, and code, and much more. The Lite version of the VoCore2 features a 580MHz MT7688AN MediaTek system on chip (SoC), 64MB of DDR2 RAM, 8MB of NOR storage, and a single antenna slot for Wi-Fi that supports 150Mbps."
Arch Linux has updated lib32-gdk-pixbuf2 (denial of service).
Debian has updated curl (multiple vulnerabilities) and memcached (code execution).
Fedora has updated kdepimlibs (F24: three vulnerabilities), libwebp (F24: integer overflows), and quagga (F24; F23: three vulnerabilities).
Gentoo has updated libreoffice (multiple vulnerabilities) and oracle-jre-bin (multiple vulnerabilities).
Mageia has updated bind (denial of service), kernel-tmb (multiple vulnerabilities), php-adodb (two vulnerabilities), and rpm (code execution from 2014).
openSUSE has updated jasper (13.2: multiple vulnerabilities, one from 2008).
Oracle has updated kernel 4.1.12 (OL7; OL6: code execution) and kernel 3.8.13 (OL7; OL6: code execution).
Red Hat has updated docker (RHEL7: privilege escalation).
Scientific Linux has updated bind (SL5,6: denial of service) and bind97 (SL5: denial of service).
Slackware has updated bind (denial of service) and curl (multiple vulnerabilities).
SUSE has updated java-1_8_0-ibm (SLE12-SP1: three vulnerabilities) and xen (SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities).
Ubuntu has updated curl (multiple vulnerabilities).
Opensource.com covers the Internet Archive's 20th birthday celebration. "Of all the projects announced during the event though, by far one of the most exciting and impressive is the newly released ability to search the complete contents of all text items on the Internet Archive. Nine million text items, covering hundreds of years of human history, are now searchable in an instant."
Red Hat has announced the release of Red Hat Enterprise Linux 7.3. "This update to Red Hat’s flagship Linux operating system includes new features and enhancements built around performance, security, and reliability. The release also introduces new capabilities around Linux containers and the Internet of Things (IoT), designed to help early enterprise adopters use existing investments as they scale to meet new business demands."
The 2016 Linux Foundation Technical Advisory Board election was held November 2 at the combined Kernel Summit and Linux Plumbers Conference events. Incumbent members Chris Mason and Peter Anvin were re-elected to the board; they will be joined by new members Olof Johansson, Dan Williams, and Rik van Riel. Thanks are due to outgoing members Grant Likely, Kristen Accardi, and John Linville.