Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 08:45
Contemplating the possible retirement of Apache OpenOffice
Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In responses to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is the PMC been requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.) Also of interest is this note on how the handling of CVE-2016-1513 went.
OpenBSD 6.0
OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. Also in this release, new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.
Thursday's security updates
Debian-LTS has updated cacti (authentication bypass). Mageia has updated eog (M5: out-of-bounds write), python3/python (M5: HTTPoxy attack), redis (M5: information leak), and webkit2 (M5: multiple vulnerabilities). openSUSE has updated cracklib (Leap 42.1: code execution), gd (13.2: out-of-bounds read), and libgcrypt (13.2: flawed random number generation). Red Hat has updated ipa (RHEL 6,7: denial of service). Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).
Building a new Tor that can resist next-generation state surveillance (ars technica)
Here's a lengthy ars technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."
[$] LWN.net Weekly Edition for September 1, 2016
The LWN.net Weekly Edition for September 1, 2016 is available.
[$] The kernel community confronts GPL enforcement
Some of the most important discussions associated with the annual Kernel Summit do not happen at the event itself; instead, they unfold prior to the summit on the planning mailing list. There is value in learning what developers feel needs to be talked about and, often, important issues can be resolved before the summit itself takes place. That list has just hosted (indeed, is still hosting as of this writing) a voluminous discussion on license enforcement that was described by some participants as being "pointless" or worse. But that discussion has served a valuable purpose: it has brought to the light a debate that has long festered under the surface, and it has clarified where some of the real disagreements lie.
Apache OpenOffice CVE-2016-1513 hotfix released
LWN covered a memory corruption vulnerability (CVE-2016-1513) in Apache OpenOffice that was disclosed before a fix was available. Now a hotfix for the problem has been released. "The official Apache OpenOffice security bulletin was announced on July 21, 2016. Affected is Apache OpenOffice 4.1.2 and older on all platforms and all languages. OpenOffice.org versions are also affected. The Apache OpenOffice project recommends to update to the latest version 4.1.2 and then to download and install the Zip file from the table below. Please follow the installation instructions in the respective Readme file." (Thanks to Cesar Eduardo Barros)
Security advisories for Wednesday
Arch Linux has updated mupdf (denial of service). Debian has updated libarchive (multiple vulnerabilities) and tryton-server (two vulnerabilities). Debian-LTS has updated tiff (multiple vulnerabilities). Fedora has updated krb5 (F23: denial of service). Mageia has updated bsdiff (denial of service), ctdb (privilege escalation), curl (three vulnerabilities), fontconfig (privilege escalation), gnupg/libgcrypt (flawed random number generation), kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), mupdf (denial of service), nettle/nettle2.7 (information leak), openssh (three vulnerabilities), php (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), postgresql (two vulnerabilities), and python-django (cross-site scripting). openSUSE has updated libqt4 (Leap42.1: unsafe SSL ciphers). Red Hat has updated rh-postgresql94-postgresql (RHSCL: two vulnerabilities). SUSE has updated firefox (SLE11-SP4: multiple vulnerabilities). Ubuntu has updated linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), and linux-snapdragon (16.04: multiple vulnerabilities).
August 2016 GNU Toolchain Update
The Red Hat Developer's blog looks at the latest updates to the GNU toolchain. GCC 6.2 and GDB 7.11.1 are mostly bug-fix releases, but GCC contains a few enhancements for SPARC users and there's a look at what's coming in GDB 7.12. Glibc 2.24 contains many new features and enhancements. "A new NSS action is added to facilitate large distributed system administration. The action, MERGE, allows remote user stores like LDAP to be merged into local user stores like /etc/groups in order to provide easy to use, updated, and managed sets of merged credentials."
Haller: MAC Address Spoofing in NetworkManager 1.4.0
We recently pointed to Lubomir Rintel's coverage of NetworkManager 1.4. Thomas Haller follows up with a more detailed look at the MAC spoofing capabilities of NetworkManager. "1.2.0 relies on support from wpa_supplicant to configure a random MAC address. The problem is that it requires API which will only be part of the next major release 2.6 of the supplicant. Such a release does not yet exist to this date and thus virtually nobody is using this feature. With NetworkManager 1.4.0, changing of the MAC address is done by NetworkManager itself, requiring no support from the supplicant. This allows also for more flexibility to generate “stable” addresses and the “generate-mac-address-mask”. Also, the same options are now available not only for Wi-Fi, but also Ethernet devices."
Security updates for Tuesday
Arch Linux has updated mupdf (denial of service). Debian-LTS has updated gnupg (flawed random number generation). Fedora has updated borgbackup (F24; F23: directory traversal), freeipa (F24; F23: denial of service), java-1.8.0-openjdk-aarch32 (F24: multiple vulnerabilities), rubygem-actionpack (F24; F23: unsafe query generation), and rubygem-activerecord (F24; F23: unsafe query generation). openSUSE has updated kernel (13.1: multiple vulnerabilities). Slackware has updated kernel (TCP connection takeover). Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
Remembering Vernon Adams
Open-source font developer Vernon Adams has passed away in California at the age of 49. In 2014, Adams was injured in an automobile collision, sustaining serious trauma from which he never fully recovered. Perhaps best known within the Linux community as the creator of KDE's user-interface font Oxygen, Adams created a total of 51 font families published through Google Fonts, all under open licenses. He was also active in a number of related free-software projects, including FontForge, Metapolator, and the Open Font Library. In 2012, he co-authored the user's guide for FontForge as part of Google's Summer of Code Documentation Camp, which we reported on at that time. Speaking personally, Vernon was always quick to offer encouragement and assistance to newcomers—regardless of their experience with type design, FontForge, or free software in general. There were also few people who put as much energy into improving the usability of free-software design tools as he did. In addition, he was a constant advocate for free-software principles in the world of fonts—not just on development lists and at libre graphics conferences, but on type forums as well, where "open source" did not automatically garner a warm reception. The tagline on his website was "fonts for everyone," and he meant it. He'll be missed.
Security advisories for Monday
Arch Linux has updated wireshark-cli (multiple vulnerabilities). Debian has updated mupdf (two denial of service flaws). Debian-LTS has updated eog (out-of-bounds write), quagga (two vulnerabilities), ruby-actionpack-3.2 (multiple vulnerabilities), and ruby-activesupport-3.2 (denial of service). Fedora has updated lcms2 (F24: heap memory leak), uClibc (F24: code execution), and webkitgtk4 (F24: multiple vulnerabilities). openSUSE has updated Firefox (13.1: buffer overflow), firefox, nss (Leap42.1, 13.2: buffer overflow), phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities), and typo3-cms-4_5 (Leap42.1, 13.2: three vulnerabilities). Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities) and kernel 4.1.12 (OL7; OL6: multiple vulnerabilities).
Böck: Multiple vulnerabilities in RPM – and a rant
Hanno Böck performed some fuzz testing on the dpkg and RPM package managers and reported the results; it seems that one of the projects has been rather more responsive than the other in fixing these issues. "The development process of RPM seems to be totally chaotic, it's neither clear where one reports bugs nor where one gets the latest code and security bugs don't get fixed within a reasonable time. There's been some recent events that make me feel especially worried about this..." It seems that some of the maintenance issues with RPM may not have improved greatly since they were reported here ten years ago.
Kernel prepatch 4.8-rc4
The 4.8-rc4 kernel prepatch is out. "Everything looks normal, and it's been a bit quieter than rc3 too, so hopefully we're well into the "it's calming down" phase. Although with the usual timing-related fluctuation (different maintainers stagger their pulls differently), it's hard to tell a trend yet."
[$] Trying out openSUSE Tumbleweed
While distribution-hopping is common among newcomers to Linux, longtime users tend to settle into a distribution they like and stay put thereafter. In the end, Linux distributions are more alike than different, and one's time is better spent getting real work done rather than looking for a shinier version of the operating system. Your editor, however, somehow never got that memo; that's what comes from ignoring Twitter, perhaps. So there is a new distribution on the main desktop machine; this time around it's openSUSE Tumbleweed.
Nextcloud 10 released
Nextcloud 10 has been released with new features for system administrators to control and direct the flow of data between users on a Nextcloud server. "Rule based file tagging and responding to these tags as well as other triggers like physical location, user group, file properties and request type enables administrators to specifically deny access to, convert, delete or retain data following business or legal requirements. Monitoring, security, performance and usability improvements complement this release, enabling larger and more efficient Nextcloud installations."
The long-awaited Maru OS source release
The Maru OS handset distribution that includes an Ubuntu desktop (reviewed here in April) is finally available in source form. "If you're interested in contributing in general, please check out the project's GitHub (https://github.com/maruos/maruos), get up and running with the developer guide (https://github.com/maruos/maruos/wiki/Developer-Guide), and join the developer group (https://groups.google.com/forum/#!forum/maru-os-dev)"
Security advisories for Friday
Arch Linux has updated mediawiki (multiple vulnerabilities). CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities). Debian has updated flex (code execution), imagemagick (multiple vulnerabilities), quagga (two vulnerabilities), and rails (cross-site scripting). Fedora has updated gnupg (F24: flawed random number generation), openvpn (F24: information disclosure), and rubygem-actionview (F24; F23: cross-site scripting). Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities). Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities).
OpenSSL 1.1.0 released
Version 1.1.0 of the OpenSSL TLS library is available. A list of changes can be found on this page; they include a new threading API, a number of new algorithms and the removal of a number of older ones, pipelining (parallel processing) support, extended master secret support, and more.
Rintel: NetworkManager 1.4: with better privacy and easier to use
Lubomir Rintel takes a look at new features in NetworkManager 1.4. "It is now possible to randomize the MAC address of Ethernet devices to mitigate possibility of tracking. The users can choose between different policies; use a completely random address, or just use different addresses in different networks. For Wi-Fi devices, the same randomization modes are now supported and does no longer require support from wpa-supplicant." Also a newly added API for using configuration snapshots that automatically roll back after a timeout, IPv6 tokenized interface identifiers can be configured, new features in nmcli, and more are covered. (Thanks to Paul Wise)
Thursday's security updates
Fedora has updated eog (F23: out-of-bounds write). openSUSE has updated ImageMagick (Leap42.1: three vulnerabilities). Red Hat has updated qemu-kvm-rhev (RHOSP9: two vulnerabilities) and Red Hat OpenShift Enterprise 2.2.10 (RHOSE: multiple vulnerabilities). Ubuntu has updated eog (out-of-bounds write), harfbuzz (16.04, 14.04: two vulnerabilities), and libidn (multiple vulnerabilities).
[$] LWN.net Weekly Edition for August 25, 2016
The LWN.net Weekly Edition for August 25, 2016 is available.
[$] 25 Years of Linux — so far
On August 25, 1991, an obscure student in Finland named Linus Benedict Torvalds posted a message to the comp.os.minix Usenet newsgroup saying that he was working on a free operating system as a project to learn about the x86 architecture. He cannot possibly have known that he was launching a project that would change the computing industry in fundamental ways. Twenty-five years later, it is fair to say that none of us foresaw where Linux would go — a lesson that should be taken to heart when trying to imagine where it might go from here.
In Memory of Jonathan “avenj” Portnoy
The Gentoo community is mourning the loss of Jonathan Portnoy. "Jon was an active member of the International Gentoo community, almost since its founding in 1999. He was still active until his last day. His passing has struck us deeply and with disbelief. We all remember him as a vivid and enjoyable person, easy to reach out to and energetic in all his endeavors."
Wednesday's security updates
CentOS has updated kernel (C6: TCP injection). Debian-LTS has updated libgcrypt11 (flawed random number generation). Fedora has updated eog (F24: out-of-bounds write), kernel (F23: use-after-free), mariadb (F23: multiple vulnerabilities), mingw-lcms2 (F24: heap memory leak), postgresql (F23: multiple vulnerabilities), and python (F23: proxy injection). openSUSE has updated libidn (Leap 42.1: multiple vulnerabilities) and kernel (13.2: multiple vulnerabilities). Oracle has updated kernel (O6: TCP injection). Red Hat has updated kernel (RHEL 7.1: multiple vulnerabilities; RHEL6: TCP injection) and qemu-kvm-rhev (RHOSP8: multiple vulnerabilities). Scientific Linux has updated kernel (SL6: TCP injection). Slackware has updated gnupg (flawed random number generation), kernel (14.2: TCP injection), and libgcrypt (flawed random number generation).
KDevelop 5.0 released
Version 5.0.0 of the KDevelop integrated development environment (IDE) has been released, marking the end of a two-year development cycle. The highlight is a move to Clang for C and C++ support: "The most prominent change certainly is the move away from our own, custom C++ analysis engine. Instead, C and C++ code analysis is now performed by clang." The announcement goes on to describe other benefits of using Clang, such as more accurate diagnostics and suggested fixes for many syntax errors. KDevelop has also been ported to KDE Frameworks 5 and Qt 5, which opens up the possibility of Windows releases down the line.
Tuesday's security updates
Arch Linux has updated libgcrypt (information disclosure). Fedora has updated kernel (F24: use-after-free vulnerability), pagure (F24: cross-site scripting), and postgresql (F24: multiple vulnerabilities). Red Hat has updated qemu-kvm-rhev (RHEL7 OSP5; RHEL7 OSP7; RHEL6 OSP5; RHEL7 OSP6: multiple vulnerabilities). SUSE has updated MozillaFirefox (SLE12: multiple vulnerabilities).
Android 7.0 "Nougat" released
Google has announced that the Android 7.0 release has started rolling out to recent-model Nexus devices. "It introduces a brand new JIT/AOT compiler to improve software performance, make app installs faster, and take up less storage. It also adds platform support for Vulkan, a low-overhead, cross-platform API for high-performance, 3D graphics. Multi-Window support lets users run two apps at the same time, and Direct Reply so users can reply directly to notifications without having to open the app. As always, Android is built with powerful layers of security and encryption to keep your private data private, so Nougat brings new features like File-based encryption, seamless updates, and Direct Boot." See this page for a video-heavy description of new features.
Stable kernels 4.7.2, 4.4.19, and 3.14.77
Greg Kroah-Hartman has announced the release of the 4.7.2, 4.4.19, and 3.14.77 stable kernels. As usual, they contain fixes throughout the tree and users of those series should upgrade.
Monday's security advisories
Arch Linux has updated linux-lts (connection hijacking). CentOS has updated kernel (C7: connection hijacking). Debian-LTS has updated cracklib2 (code execution) and suckless-tools (screenlock bypass). Fedora has updated firewalld (F24: authentication bypass), glibc (F24: denial of service on armhfp), knot (F24; F23: denial of service), libgcrypt (F24: bad random number generation), and perl (F23: privilege escalation). openSUSE has updated apache2-mod_fcgid (42.1, 13.2: proxy injection), gd (13.2: multiple vulnerabilities), iperf (SPHfSLE12; 42.1, 13.2: denial of service), pdns (42.1, 13.2: denial of service), python3 (42.1, 13.2: multiple vulnerabilities), roundcubemail (42.1; 13.2; 13.1: multiple vulnerabilities, two from 2015), and typo3-cms-4_7 (42.1, 13.2: three vulnerabilities from 2013 and 2014). Scientific Linux has updated kernel (SL7: connection hijacking) and python (SL6&7: three vulnerabilities).
Kernel prepatch 4.8-rc3
The 4.8-rc3 kernel prepatch is out. "It all looks pretty sane, I'm not seeing anything hugely scary here."
Fedora 25 to run Wayland by default
The Fedora engineering steering committee has agreed that the upcoming Fedora 25 release should use the Wayland display manager by default. "There are still some bugs that are important to solve. However, there is still time to work on them. And the legacy Xorg session option will not be removed, and will be clearly documented how to fallback in cases where users need it." If this plan holds, it may be an important step in the long-awaited move away from the X Window system.
kdenlive 16.08.0 released
The kdenlive video editor project has announced the 16.08.0 release. "Kdenlive 16.08.0 marks a milestone in the project’s history bringing it a step closer to becoming a full-fledged professional tool." Highlights include three-point editing, pre-rendering of timeline effects, Krita image support, and more.
Friday's security updates
CentOS has updated python (C7; C6: multiple vulnerabilities). Fedora has updated ca-certificates (F24: update to CA certificates) and spice (F23: multiple vulnerabilities). Oracle has updated kernel (O7: TCP injection) and python (O7; O6: multiple vulnerabilities). Red Hat has updated kernel (RHEL7; RHEL6: TCP injection), kernel-rt (RHEL7: TCP injection), python (RHEL 6,7: multiple vulnerabilities), python27-python (RHSC: multiple vulnerabilities), python33-python (RHSC: multiple vulnerabilities), realtime-kernel (RHEM2.5: TCP injection), rh-mariadb101-mariadb (RHSC: multiple vulnerabilities), rh-python34-python (RHSC: multiple vulnerabilities), and rh-python35-python (RHSC: multiple vulnerabilities). SUSE has updated the Linux Kernel (SLE12: multiple vulnerabilities) and xen (SLE11: multiple vulnerabilities). Ubuntu has updated gnupg (12.04, 14.04, 16.04: flawed random-number generation), libgcrypt11, libgcrypt20 (12.04, 14.04, 16.06: flawed random-number generation), and postgresql-9.1, postgresql-9.3, postgresql-9.5 (12.04, 14.04, 16.04: multiple vulnerabilities).
Microsoft announces PowerShell for Linux and Open Source
Microsoft has announced the release of its PowerShell automation and scripting platform under the MIT license, complete with a GitHub repository. "Last year we started down this path by contributing to a number of open source projects (e.g. OpenSSH) and open sourcing a number of our own components including DSC resources. We learned that working closely with the community, in the code and with our backlog and issues list, allowed us prioritize and drive the development much more responsively. We’ve always worked with the community but shifting to a fine-grain, tight, feedback loop with the code, energized the team and allowed us to focus on the things that had the most impact for our customers and partners. Now we are going big by making PowerShell itself an open source project and making it available on Mac OS X, Ubuntu, CentOS/RedHat and others in the future."
Xenomai project mourns Gilles Chanteperdrix
The Xenomai project is mourning Gilles Chanteperdrix, a longtime maintainer of the realtime framework, who recently passed away. In the announcement, Philippe Gerum writes: "Gilles will forever be remembered as a true-hearted man, a brilliant mind always scratching beneath the surface, looking for elegance in the driest topics, never jaded from such accomplishment. According to Paul Valéry, “death is a trick played by the inconceivable on the conceivable”. Gilles’s absence is inconceivable to me, I can only assume that for once, he just got rest from tirelessly helping all of us."
Security against Election Hacking (Freedom to Tinker)
Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed. "With optical-scan voting, the voter fills in the bubbles next to the names of her selected candidates on paper ballot; then she feeds the op-scan ballot into the optical-scan computer. The computer counts the vote, and the paper ballot is kept in a sealed ballot box. The computer could be hacked, in which case (when the polls close) the voting-machine lies about how many votes were cast for each candidate. But we can recount the physical pieces of paper marked by the voter’s own hands; that recount doesn’t rely on any computer. Instead of doing a full recount of every precinct in the state, we can spot-check just a few ballot boxes to make sure they 100% agree with the op-scan computers’ totals. Problem: What if it’s not an optical-scan computer, what if it’s a paperless touchscreen (“DRE, Direct-Recording Electronic) voting computer? Then whatever numbers the voting computer says, at the close of the polls, are completely under the control of the computer program in there. If the computer is hacked, then the hacker gets to decide what numbers are reported. There are no paper ballots to audit or recount. All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem."
Thursday's security advisories
Arch Linux has updated chromium (multiple vulnerabilities) and linux-zen (connection hijacking). Debian has updated gnupg (flawed random number generation) and libgcrypt20 (flawed random number generation). Debian-LTS has updated libupnp (arbitrary file overwrite). Fedora has updated bind (F23: denial of service), fontconfig (F23: privilege escalation), and python3 (F23: proxy injection). SUSE has updated xen (SLE12: multiple vulnerabilities, one from 2014) and yast2-ntp-client (SLE10: multiple vulnerabilities, most from 2015). Ubuntu has updated fontconfig (16.04, 14.04, 12.04: privilege escalation).
[$] LWN.net Weekly Edition for August 18, 2016
The LWN.net Weekly Edition for August 18, 2016 is available.
[$] Bus1: a new Linux interprocess communication proposal
Anyone who has been paying attention to Linux kernel development in recent years would be aware that IPC — interprocess communication — is not a solved problem. There are certainly many partial solutions, from pipes and signals, through sockets and shared memory, to more special-purpose solutions like Cross Memory Attach and Android's binder. But it seems there are still some use cases that aren't fully addressed by current solutions, leading to new solutions being occasionally proposed to try to meet those needs. The latest proposal is called "bus1".
Security updates for Wednesday
Fedora has updated curl (F23: three vulnerabilities), drupal7-theme-zen (F24; F23: cross-site scripting), mingw-libarchive (F24: code execution), mingw-xz (F24: code execution), pulp (F24: two vulnerabilities), pulp-docker (F24: two vulnerabilities), pulp-ostree (F24: two vulnerabilities), pulp-puppet (F24: two vulnerabilities), pulp-python (F24: two vulnerabilities), and pulp-rpm (F24: two vulnerabilities). Red Hat has updated kernel (RHEL6.2: privilege escalation). Scientific Linux has updated mariadb (SL7: multiple unspecified vulnerabilities), php (SL7: proxy injection), and qemu-kvm (SL7: two vulnerabilities). SUSE has updated squid3 (SLE11-SP4: multiple vulnerabilities). Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities).
Stable kernel updates
Stable kernels 4.7.1, 4.6.7, 4.4.18, and 3.14.76 have been released. All contain important fixes. This is the last 4.6.y kernel; users should upgrade to 4.7.1 now.
Go 1.7 released
Version 1.7 of the Go language has been released. "There is one tiny language change in this release. The section on terminating statements clarifies that to determine whether a statement list ends in a terminating statement, the 'final non-empty statement' is considered the end, matching the existing behavior of the gc and gccgo compiler toolchains." On the other hand, there appear to be significant optimization improvements; see the release notes for details.
Security advisories for Tuesday
Debian-LTS has updated extplorer (archive traversal). Fedora has updated jasper (F24: multiple vulnerabilities) and kernel (F24; F23: denial of service). openSUSE has updated harfbuzz (Leap42.1, 13.2: multiple vulnerabilities) and squid (Leap42.1: multiple vulnerabilities). Oracle has updated kernel 4.1.12 (OL7; OL6: information disclosure) and kernel 3.8.13 (OL7; OL6: information disclosure). SUSE has updated php5 (SLE11-SP2: multiple vulnerabilities). Ubuntu has updated openssh (two vulnerabilities).
Google is developing an OS called “Fuchsia,” runs on All the Things (Android Police)
Android Police takes a look at a new OS from Google. "Enter “Fuchsia.” Google’s own description for it on the project’s GitHub page is simply, “Pink + Purple == Fuchsia (a new Operating System)”. Not very revealing, is it? When you begin to dig deeper into Fuchsia’s documentation, everything starts to make a little more sense. First, there’s the Magenta kernel based on the ‘LittleKernel’ project. Just like with Linux and Android, the Magenta kernel powers the larger Fuchsia operating system. Magenta is being designed as a competitor to commercial embedded OSes, such as FreeRTOS or ThreadX." Fuchsia also uses the Flutter user interface, the Dart programming language, and Escher, "a renderer that supports light diffusion, soft shadows, and other visual effects, with OpenGL or Vulkan under the hood".
Monday's security advisories
Arch Linux has updated kernel (information disclosure), linux-grsec (information disclosure), and postgresql (two vulnerabilities). Debian has updated wireshark (multiple vulnerabilities). Debian-LTS has updated openssh (denial of service) and wireshark (multiple vulnerabilities). Fedora has updated chromium (F24: multiple vulnerabilities) and drupal7-entity_translation (F24; F23: cross-site scripting). openSUSE has updated GraphicsMagick (Leap42.1: multiple vulnerabilities), ImageMagick (13.2: three vulnerabilities), and php5 (13.2: multiple vulnerabilities). Scientific Linux has updated php (SL6: proxy injection). SUSE has updated firefox, nspr, nss (SLE11-SP2: multiple vulnerabilities) and kernel (SLE11-SP2: multiple vulnerabilities). Ubuntu has updated qemu, qemu-kvm (regression in previous update).
Kernel prepatch 4.8-rc2
The second 4.8 prepatch has been released. Linus says: "Nothing really strange seems to be going on, so please just go out and test it and report any problems you encounter. It's obviously fairly early in the rc series, but I don't think there was anything particularly worrisome this merge window, so don't be shy."
OpenMandriva Lx 3.0 released
The OpenMandriva Lx 3.0 release is available. "OpenMandriva Lx is a cutting edge distribution compiled with LLVM/clang. Combined with the high level of optimisation used for both code and linking (by enabling LTO) used in its building, this gives the OpenMandriva desktop an unbelievably crisp response to operations on the KDE Plasma 5 desktop which makes it a pleasure to use."
Ardour 5.0 released
The Ardour audio workstation has released its 5.0 version. There are many new features in the release, including a tabbed user interface, Lua scripting, built-in plugins, and new themes. "Ardour 5.0 is now available for Linux, OS X and Windows. This is a major release focused on substantial changes to the GUI and major new features related to mixing, plugin use, tempo maps, scripting and more. As usual, there are also hundreds of bug fixes. Ardour 5.0 can be parallel-installed with older versions of the program, and does not use the same preference files. It will load sessions from Ardour 2, 3 and 4, though with some potential minor changes."