Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-19 09:15
Friday's security updates
Arch Linux has updated chromium (multiple vulnerabilities), flashplugin (multiple vulnerabilities), lib32-flashplugin (multiple vulnerabilities), and libksba (denial of service).
CentOS has updated thunderbird (C7: multiple vulnerabilities).
Debian has updated libxstream-java (XML external-entity attack).
Debian-LTS has updated libgwenhywfar (outdated CA certificates) and libuser (multiple vulnerabilities).
Fedora has updated glibc (F23: denial of service).
Mageia has updated flash-player-plugin (M5: multiple vulnerabilities) and mercurial (M5: code execution).
openSUSE has updated libxml2 (Leap 42.1: denial of service) and ntp (Leap 42.1: multiple vulnerabilities).
Oracle has updated kernel (O7: privilege escalation) and thunderbird (O7; O6: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), docker (RHEL7: privilege escalation), flash-plugin (RHEL 5,6: multiple vulnerabilities), and openshift (RHOSE 3.2: multiple vulnerabilities).
SUSE has updated java-1_7_1-ibm (SLE12; SLE11: multiple vulnerabilities), ntp (SLE12: multiple vulnerabilities), and openssl (SLE11, SSO1.3, SOSC5, SMP2.1, SM2.1: multiple vulnerabilities).
Announcing Certbot: EFF's Client for Let's Encrypt
The Electronic Frontier Foundation (EFF) has announced a new name and web site for the Let's Encrypt client. The Let's Encrypt project is a free certificate authority for TLS certificates that enable HTTPS for the web. The client, now called "Certbot", uses the Automatic Certificate Management Environment (ACME) protocol to talk to the Let's Encrypt CA, though it will no longer be the "official" client; there are other ACME clients that can be used. "Along with the rename, we've also launched a brand new website for Certbot, found at https://certbot.eff.org. The site includes frequently asked questions as well as links to how you can learn more and help support the project, but by far the biggest feature of the website is an interactive instruction tool. To get the specific commands you need to get Certbot up and running, just input your operating system and webserver. No more searching through pages and pages of documentation or Google search results! While a new name has the potential for creating technical issues, the Certbot team has worked hard to make this transition as seamless as possible. Packages installed from PyPI, letsencrypt-auto, and third party plugins should all continue to work and receive updates without modification. We expect OS packages to begin using the Certbot name in the next few weeks as well. On many systems, the current client packages will automatically transition to Certbot while continuing to support the letsencrypt command so you won't have to edit any scripts you're currently using."
Thursday's security advisories
Debian-LTS has updated ocaml (code execution) and xerces-c (code execution).
Fedora has updated kernel (F23: information leak), ntp (F22: multiple vulnerabilities), php (F22: multiple vulnerabilities), subversion (F23: two vulnerabilities), and xen (F23: two vulnerabilities).
Mageia has updated libtasn1 (denial of service) and squid (two vulnerabilities).
Oracle has updated pcre (OL7: multiple vulnerabilities).
Red Hat has updated kernel (RHEL7: privilege escalation), kernel-rt (RHEL7; RHEL6: privilege escalation), and thunderbird (two vulnerabilities).
Slackware has updated thunderbird (multiple vulnerabilities).
SUSE has updated mysql (SLE11: multiple vulnerabilities), ntp (SLE11: multiple vulnerabilities), and php5 (SLE12: multiple vulnerabilities).
Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).
[$] LWN.net Weekly Edition for May 12, 2016
The LWN.net Weekly Edition for May 12, 2016 is available.
[$] LEDE and OpenWrt
The OpenWrt project is perhaps the most widely known Linux-based distribution for home WiFi routers and access points; it was spawned from the source code of the now-famous Linksys WRT54G router more than 12 years ago. In early May, the OpenWrt user community was thrown into a fair amount of confusion when a group of core OpenWrt developers announced that they were starting a spin-off (or, perhaps, a fork) of OpenWrt to be named the Linux Embedded Development Environment (LEDE). It was not entirely clear to the public why the split was taking place—and the fact that the LEDE announcement surprised a few other OpenWrt developers suggested trouble within the team.
Mozilla Open Source Support: Now Open To All Projects
The Mozilla Open Source Support (MOSS), an award program focused on supporting open source and free software, was launched last year. The first track provided support for software projects that Mozilla uses or relies on. This year MOSS is open "to any open source project in the world which is undertaking an activity that meaningfully furthers Mozilla’s mission." In other words, projects that help to ensure the Internet is a global public resource, open and accessible to all. "So if you think your project qualifies, we encourage you to apply. Applications for the Mission Partners track are open as of today. (Applications for Foundational Technology also remain open.) You can read more about our selection criteria and committee on the wiki. The budget for this track for 2016 is approximately US$1.25 million."
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.5.4, 4.4.10, and 3.14.69. All of them contain important fixes.
Security advisories for Wednesday
Arch Linux has updated cacti (SQL injection) and squid (multiple vulnerabilities).
Debian has updated libarchive (code execution) and monotone, ovito, pdns, qtcreator, softhsm (regression in previous update).
Debian-LTS has updated botan1.10 (regression in previous update). Not all Debian packages are fully supported in Wheezy LTS. See the debian-security-support advisory for details.
Fedora has updated glibc (F23: multiple vulnerabilities), graphite2 (F22: multiple vulnerabilities), ntp (F23: multiple vulnerabilities), openssl (F22: multiple vulnerabilities), pgpdump (F23; F22: denial of service), and thunderbird (F22: multiple vulnerabilities).
openSUSE has updated compat-openssl098 (Leap42.1: multiple vulnerabilities) and php5 (13.2: multiple vulnerabilities).
Red Hat has updated file (RHEL6: multiple vulnerabilities), icedtea-web (RHEL6: applet execution), java-1.8.0-ibm (RHEL6: multiple vulnerabilities), kernel (RHEL6: multiple vulnerabilities), ntp (RHEL6: multiple vulnerabilities), openshift (RHOSE3.1: information disclosure), openssh (RHEL6: multiple vulnerabilities), pcre (RHEL7: multiple vulnerabilities), and qemu-kvm-rhev (RHELOSP5 for RHEL6: code execution).
Scientific Linux has updated pcre (SL7: multiple vulnerabilities).
Slackware has updated imagemagick (multiple vulnerabilities).
SUSE has updated ImageMagick (SOSC5, SMP2.1, SM2.1, SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated openjdk-6 (12.04: multiple vulnerabilities).
[$] Two approaches to x86 memory encryption
Techniques for hardening the security of running systems often focus on access to memory. An attacker who can write (or even read) arbitrary memory regions will be able to take over the system in short order; even the ability to access small regions of memory can often be exploited. One possible defensive technique would be to encrypt the contents of memory so that an attacker can do nothing useful with it, even if access is somehow gained; this type of encryption clearly requires hardware support. Both Intel and AMD are introducing such support in their processors, and patches to enable that support have been posted for consideration; the two manufacturers have taken somewhat different approaches to the problem, though.
BitKeeper's open source release
BitKeeper, the inspiration behind Git and Mercurial, has been released under the Apache 2.0 License. Larry McVoy is answering questions on Hacker News, posting as 'luckydude'. In one comment he says: "Git/Github has all the market share. Trying to compete with that just proved to be too hard. So rather than wait until we were about to turn out the lights, we decided to open source it while we still had money in the bank and see what happens. We've got about 2 years of money and we're trying to build up some additional stuff that we can charge for. We're also open to doing work for pay to add whatever it is that some company wants to BK, that's more or less what we've been doing for the last 18 years. Will it work? No idea. We have a couple of years to find out. If nothing pans out, open sourcing it seemed like a better answer than selling it off." (Thanks to Josh Triplett)
65% of companies are contributing to open source projects (Opensource.com)
The Future of Open Source Survey aims to examine trends in open source. It's hosted by Black Duck and North Bridge. Opensource.com looks at the results. "The 2016 Future of Open Source Survey analyzed responses from nearly 3,400 professionals. Developers made their voices heard in the survey this year, comprising roughly 70% of the participants. The group that showed exponential growth were security professionals, whose participation increased by over 450%. Their participation shows the increasing interest in ensuring that the open source community pays attention to security issues in open source software and securing new technologies as they emerge."
Ubuntu 16.04 proves even an LTS release can live at Linux’s bleeding edge (Ars Technica)
Ars Technica likes Ubuntu's latest release, and thinks it may be the best release Canonical has presented to date. Snap packaging is part of that appeal, but Snaps have competition. "While something like Snap packages have the potential to completely change the way distros work, it remains to be seen if Snap specifically will be what ends up reaching critical mass. It's certainly possible that Snap may prove popular enough to warrant other distros incorporating it, but it's also possible that there may end up being more than one way to handle self-contained packages. Looking at Canonical's track record does not inspire confidence. Upstart gave way to systemd, the software center gave way to GNOME Software, and even simple things like scrollbars get abandoned for upstream solutions. How Snap packages end up over the long term will be fascinating for Ubuntu users to watch, but even in the worst-case scenario, fans shouldn't have anything to worry about. If one day Ubuntu does abandon Snap in favor of another system, all the changes will likely be behind the scenes. In the shorter term, Snap packages should be a boon to Ubuntu, allowing users to stick with a stable base system while still leaving them free to try just-released software packages without fear of wrecking the system."
Security updates for Tuesday
CentOS has updated ImageMagick (C7; C6: multiple vulnerabilities), java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities), and qemu-kvm (C7: code execution).
Debian has updated qemu (two vulnerabilities) and websvn (cross-site scripting).
Debian-LTS has updated ikiwiki (cross-site scripting), libav (code execution), and websvn (cross-site scripting).
Oracle has updated ImageMagick (OL7; OL6: multiple vulnerabilities), java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities), and qemu-kvm (OL7: code execution).
Red Hat has updated ImageMagick (RHEL6,7: multiple vulnerabilities), openssl (RHEL6: multiple vulnerabilities), qemu-kvm (RHEL7; RHEL6: code execution), and qemu-kvm-rhev (RHOSP8; RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: code execution).
Scientific Linux has updated ImageMagick (SL6,7: multiple vulnerabilities) and qemu-kvm (SL7: code execution).
Ubuntu has updated kernel (15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), and openssh (15.10, 14.04, 12.04: multiple vulnerabilities).
Announcing The Journal of Open Source Software
The Journal of Open Source Software (JOSS) has been announced. JOSS is an open source, developer-friendly journal for research software packages. "As academics, it's important for us to be able to measure the impact of our work, but available tools & metrics are woefully lacking when it comes to tracking research output that doesn't look like a paper. A 2009 survey of more than 2000 researchers found that > 90% of them consider software important or very important to their work — but even if you've followed this GitHub guide for archiving a GitHub repository with Zenodo (and acquired a DOI in the process), citations to your work probably aren't being counted by the people that matter." (Thanks to Paul Wise)
Security advisories for Monday
Arch Linux has updated gd (code execution), latex2rtf (code execution), mencoder (denial of service), mercurial (two vulnerabilities), and mplayer (denial of service).
CentOS has updated openssl (C7: multiple vulnerabilities).
Debian has updated ikiwiki (cross-site scripting).
Debian-LTS has updated file (buffer over-write), mercurial (code execution), and nagios3 (denial of service, from 2014).
Fedora has updated firefox (F22: multiple vulnerabilities), kernel (F22: multiple vulnerabilities), libecap (F22: multiple vulnerabilities), openvas-cli (F22: cross-site scripting), openvas-gsa (F22: cross-site scripting), openvas-libraries (F22: cross-site scripting), openvas-manager (F22: cross-site scripting), openvas-scanner (F22: cross-site scripting), perl (F22: denial of service), quassel (F23; F22: denial of service), and squid (F22: multiple vulnerabilities).
Mageia has updated openssl (multiple vulnerabilities) and vlc (multiple vulnerabilities).
openSUSE has updated ImageMagick (Leap42.1; 13.2: multiple vulnerabilities), java-1_7_0-openjdk (Leap42.1: multiple vulnerabilities), java-1_8_0-openjdk (Leap42.1: multiple vulnerabilities), and subversion (Leap42.1; 13.2: two vulnerabilities).
Oracle has updated openssl (OL7: multiple vulnerabilities).
Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and openssl (RHEL7: multiple vulnerabilities).
Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities) and openssl (SL7: multiple vulnerabilities).
SUSE has updated compat-openssl098 (SLE12-SP1: multiple vulnerabilities), firefox (SLE12-SP1: multiple vulnerabilities), and ImageMagick (SLE12-SP1: multiple vulnerabilities).
Ubuntu has updated kernel (16.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), and linux-snapdragon (16.04: multiple vulnerabilities).
Second Oracle v. Google trial could lead to huge headaches for developers (ars technica)
Ars Technica reports on the restart of Oracle v. Google, the fight over Google's use of the Java APIs in Android. "So now, it's back to a jury. Oracle has won its bid to be able to use copyright as a powerful legal sword. But Google can still dodge that sword by convincing a jury that Android's use of APIs constitutes fair use—in other words, relatively small and justified."
Kernel prepatch 4.6-rc7
Linus has released the 4.6-rc7 kernel prepatch. "Nothing particularly scary, and the more people who test this out, the more confident we can be that the final 4.6 is all good. So please take a moment to try it out."
Klumpp: Adventures in D programming
At his blog, Matthias Klumpp reflects on his experience writing the asgen tool for AppStream metadata generation using, of all things, the D programming language. "I started to implement the same examples in D just for fun, as I didn’t plan to use D (I was aiming at Go back then), but the language looked interesting. The D language had the huge advantage of being very familiar to me as a C/C++ programmer, while also having a rich standard library, which included great stuff like std.concurrency.Generator, std.parallelism, etc." What follows is a "huge braindump of things" Klumpp found enjoyable, including built-in unit-test support, safe functions, scope blocks, and documentation generation. After that, however, comes Klumpp's list of complaints—starting with the proprietary reference compiler and the not-quite-complete free-software compilers.
Friday's security updates
Arch Linux has updated chromium (multiple vulnerabilities), imagemagick (code execution), and quassel-core (denial of service).
Debian has updated mercurial (code execution) and openafs (multiple vulnerabilities).
Debian-LTS has updated mplayer2 (code execution).
Fedora has updated firefox (F23: ) and libreoffice (F23: information leak).
Mageia has updated ansible (M5: code execution), jenkins-remoting (M5: code execution), owncloud (M5: undisclosed vulnerabilities), quagga (M5: denial of service), quassel (M5: denial of service), and xstream (M5: enabled processing of external entities).
openSUSE has updated firefox (13.1: multiple vulnerabilities), libopenssl0_9_8 (13.2, Leap 42.1: multiple vulnerabilities), and openssl (Leap 42.1: multiple vulnerabilities).
Oracle has updated kernel 3.8.13 (O7; O6: denial of service), kernel 2.6.39 (O5; O6: denial of service), kernel 2.6.32 (O6; O5: denial of service), and kernel 4.1.12 (O7; O6: denial of service).
SUSE has updated java-1_7_0-openjdk (SLE12: multiple vulnerabilities), java-1_8_0-openjdk (SLE12: multiple vulnerabilities), and ntp (SLE12: multiple vulnerabilities).
Hutterer: The difference between uinput and evdev
On his blog, Peter Hutterer answers an oft-asked question: "A recurring question I encounter is the question whether uinput or evdev should be the approach [to] implement some feature the user cares about. This question is unfortunately wrongly framed as uinput and evdev have no real overlap and work independent of each other. This post outlines what the differences are. Note that "evdev" here refers to the kernel API, not to the X.Org evdev driver. First, the easy flowchart: do you have to create a new virtual device that has a set of specific capabilities? Use uinput. Do you have to read and handle events from an existing device? Use evdev. Do you have to create a device and read events from that device? You (probably) need two processes, one doing the uinput bit, one doing the evdev bit."
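The two halves of that flowchart in code, as an added example that is not from Hutterer's post or from any kernel or libevdev source: the "uinput bit" creates a virtual keyboard whose capability set is declared before the device exists, and the "evdev bit" reads the fixed-size struct input_event records that any existing /dev/input/event* node produces. The device name, the use of BUS_VIRTUAL and the KEY_A-only capability set are assumptions for illustration; running main() needs Linux and permission to open /dev/uinput, while selftest() works on constructed events without any device.

```c
/* Added example (not Hutterer's code): uinput side and evdev side of the
 * flowchart. Assumptions: device name, BUS_VIRTUAL, a KEY_A-only keyboard. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/input.h>
#include <linux/uinput.h>

/* uinput: create a virtual keyboard that can emit only KEY_A. Capabilities
 * must be declared before UI_DEV_CREATE; they are fixed afterwards. Returns
 * the uinput fd (closing it destroys the device) or -1. */
int uinput_create_keyboard(const char *name)
{
    struct uinput_user_dev dev;
    int fd = open("/dev/uinput", O_WRONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (ioctl(fd, UI_SET_EVBIT, EV_KEY) < 0 || ioctl(fd, UI_SET_KEYBIT, KEY_A) < 0)
        goto fail;
    memset(&dev, 0, sizeof dev);
    snprintf(dev.name, UINPUT_MAX_NAME_SIZE, "%s", name);
    dev.id.bustype = BUS_VIRTUAL;          /* assumed: no real vendor/product ids */
    if (write(fd, &dev, sizeof dev) != (ssize_t)sizeof dev || ioctl(fd, UI_DEV_CREATE) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Inject one event into the virtual device; the kernel adds the timestamp. */
static int uinput_emit(int fd, unsigned type, unsigned code, int value)
{
    struct input_event ev;
    memset(&ev, 0, sizeof ev);
    ev.type = type;
    ev.code = code;
    ev.value = value;
    return write(fd, &ev, sizeof ev) == (ssize_t)sizeof ev ? 0 : -1;
}

/* Press and release a key. Each state change ends with SYN_REPORT so evdev
 * readers see a complete frame. Returns 0 on success. */
int uinput_press_key(int fd, unsigned key)
{
    return uinput_emit(fd, EV_KEY, key, 1) || uinput_emit(fd, EV_SYN, SYN_REPORT, 0) ||
           uinput_emit(fd, EV_KEY, key, 0) || uinput_emit(fd, EV_SYN, SYN_REPORT, 0);
}

/* evdev: read one struct input_event from an existing device node opened
 * with O_NONBLOCK. Returns 1 for an event, 0 if nothing is pending, -1 on
 * error or a short read. */
int evdev_read_one(int fd, struct input_event *ev)
{
    ssize_t n = read(fd, ev, sizeof *ev);
    if (n == (ssize_t)sizeof *ev)
        return 1;
    if (n < 0 && errno == EAGAIN)
        return 0;
    return -1;
}

/* Pure helper for the evdev side: render a key event for logging.
 * Returns the formatted length, or -1 for non-key events. */
int describe_key_event(const struct input_event *ev, char *out, size_t outlen)
{
    const char *state;
    if (ev->type != EV_KEY)
        return -1;
    state = ev->value == 0 ? "release" : ev->value == 1 ? "press" : "repeat";
    return snprintf(out, outlen, "key %u %s", (unsigned)ev->code, state);
}

/* Offline check on constructed events (KEY_A is code 30). Returns 1 on success. */
int selftest(void)
{
    struct input_event ev;
    char buf[32];
    memset(&ev, 0, sizeof ev);
    ev.type = EV_KEY; ev.code = KEY_A; ev.value = 1;
    if (describe_key_event(&ev, buf, sizeof buf) != 12 || strcmp(buf, "key 30 press") != 0)
        return 0;
    ev.type = EV_SYN; ev.code = SYN_REPORT; ev.value = 0;
    return describe_key_event(&ev, buf, sizeof buf) == -1;
}

int main(void)
{
    int fd = uinput_create_keyboard("lwn-example-keyboard");  /* assumed name */
    if (fd < 0) {
        perror("uinput");
        return 1;
    }
    sleep(1);                              /* give udev and readers time to see the new node */
    uinput_press_key(fd, KEY_A);
    ioctl(fd, UI_DEV_DESTROY);
    close(fd);
    return 0;
}
```

The two sides never touch the same file descriptor: the uinput fd is write-only and owns the device's lifetime, while a reader opens whichever /dev/input/eventN the kernel assigned and consumes frames delimited by SYN_REPORT. That is why a "create and read back" feature ends up as two processes, as the post says.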
Pennington: Professional corner-cutting
In a blog post that likens software development to cabinetmaking, Havoc Pennington makes the case for cutting corners—but only the right corners: "Software remains a craft rather than a science, relying on the experience of the craftsperson. Like cabinetmakers, we proceed one step at a time, making judgments about what’s important and what isn’t at each step. A professional developer does thorough work when it matters, and cuts irrelevant corners that aren’t worth wasting time on. Extremely productive developers don’t have supernatural coding skills; their secret is to write only the code that matters. How can we do a better job cutting corners? I think we can learn a lot from people building tables and dressers."
Boehm: How to campaign for the cause of software freedom
On his blog, Mirko Boehm reports on a multi-day workshop where the Free Software Foundation Europe (FSFE) and the Peng! Collective teamed up to look at new and innovative ways to get out the message about free software. "These campaigns translate abstract, distant risks or worries into concrete, tangible calls to action. By being provocative, they break the mold and reach a wide audience online and through traditional media. They are “cat content for social change”, as our tutors put it. Campaigners are being urged to stop preaching or complaining, and to start using positive communication combined with subversive PR work instead. Such messaging needs punchlines, which requires some kind of hyperbole – dadaism, hijacking attention, or provocation." (Thanks to Paul Wise.)
Security updates for Thursday
Debian has updated libpam-sshauth (privilege escalation) and libtasn1-6 (denial of service).
Debian-LTS has updated mplayer (code execution).
Fedora has updated dhcp (F23: denial of service), obs-signd (F23: improper user ID matching), and openssl (F23: multiple vulnerabilities).
Mageia has updated subversion (two vulnerabilities).
openSUSE has updated java-1_7_0-openjdk (13.1: multiple vulnerabilities), libopenssl0_9_8 (13.1; 11.4: multiple vulnerabilities), and openssl (13.2; 13.1; 11.4: multiple vulnerabilities).
SUSE has updated compat-openssl097g (SLE11: multiple vulnerabilities) and openssl (SLE12: multiple vulnerabilities).
Ubuntu has updated lcms2 (14.04: denial of service from 2013), openjdk-7 (15.10, 14.04: multiple vulnerabilities), openjdk-8 (16.04: multiple vulnerabilities), and samba (regression in previous security fix).
[$] LWN.net Weekly Edition for May 5, 2016
The LWN.net Weekly Edition for May 5, 2016 is available.
New stable kernels
Greg Kroah-Hartman has released stable kernels 4.5.3, 4.4.9, and 3.14.68. All contain important fixes throughout the tree.
[$] Caravel data visualization
One aspect of the heavily hyped Internet of Things (IoT) that can easily get overlooked is that each of the Things one hooks up to the Internet invariably spews out a near non-stop stream of data. While commercial IoT users—such as utility companies—generally have a well-established grasp of what data interests them and how to process it, the DIY crowd is better served by flexible tools that make exploring and transforming data easy. Airbnb maintains an open-source Python utility called Caravel that provides such tools. There are many alternatives, of course, but Caravel does a good job at ingesting data and smoothly molding it into nice-looking interactive graphs—with a few exceptions.
Security advisories for Wednesday
Arch Linux has updated imlib2 (multiple vulnerabilities), jasper (multiple vulnerabilities), lib32-openssl (multiple vulnerabilities), and openssl (multiple vulnerabilities).
CentOS has updated kernel (C6: two vulnerabilities).
Debian has updated openssl (multiple vulnerabilities).
Debian-LTS has updated asterisk (multiple vulnerabilities), extplorer (cross-site scripting), minissdpd (denial of service), and openssl (multiple vulnerabilities).
Fedora has updated cacti (F23; F22: three vulnerabilities).
openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities), giflib (Leap42.1: denial of service), java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), jq (Leap42.1; 13.2: heap buffer overflow), libgcrypt (Leap42.1: key leak), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), wireshark (Leap42.1, 13.2: multiple vulnerabilities), xerces-j2 (13.2: denial of service), and yast2-users (Leap42.1: empty password fields in /etc/shadow).
Oracle has updated kernel (OL6: two vulnerabilities).
Red Hat has updated java-1.8.0-ibm (RHEL7: multiple vulnerabilities), jenkins (RHOSE3.1: multiple vulnerabilities), and kernel (RHEL6: two vulnerabilities).
Scientific Linux has updated kernel (SL6: two vulnerabilities).
Slackware has updated openssl (multiple vulnerabilities).
SUSE has updated openssl (SLE12: multiple vulnerabilities), openssl1 (SLES11: multiple vulnerabilities), and kernel (SLE11-SP3, SOSC5, SMP2.1: multiple vulnerabilities).
[$] task_diag and statx()
The interfaces supported by Linux to provide access to information about processes and files have literally been around for decades. One might think that, by this time, they would have reached a state of relative perfection. But things are not so perfect that developers are deterred from working on alternatives; the motivating factor in the two cases studied here is the same: reducing the cost of getting information out of the kernel while increasing the range of information that is available.
De Maré: Mercurial 3.7 and 3.8
Mercurial revision-control system developer Mathias De Maré summarizes the changes in the 3.7 and 3.8 releases. "Mercurial 3.7 had a major focus on performance. This is — to a large degree — due to large users like Facebook and Mozilla working on both performance and scalability."
The Linux Embedded Development Environment launches
The Linux Embedded Development Environment (or LEDE) project, a fork (or "spinoff") of OpenWrt, has announced its existence. "We are building an embedded Linux distribution that makes it easy for developers, system administrators or other Linux enthusiasts to build and customize software for embedded devices, especially wireless routers. [...] Members of the project already include a significant share of the most active members of the OpenWrt community. We intend to bring new life to Embedded Linux development by creating a community with a strong focus on transparency, collaboration and decentralisation." The new project lives at lede-project.org. (Thanks to Mattias Mattsson.)
Linux Kernel BPF JIT Spraying (grsecurity forums)
Over at the grsecurity forums, Brad Spengler writes about a recently released proof-of-concept attack on the kernel using JIT spraying. "What happened next was the hardening of the BPF interpreter in grsecurity to prevent such future abuse: the previously-abused arbitrary read/write from the interpreter was now restricted only to the interpreter buffer itself, and the previous warn on invalid BPF instructions was turned into a BUG() to terminate execution of the exploit. I also then developed GRKERNSEC_KSTACKOVERFLOW which killed off the stack overflow class of vulns on x64. A short time later, there was work being done upstream to extend the use of BPF in the kernel. This new version was called eBPF and it came with a vastly expanded JIT. I immediately saw problems with this new version and noticed that it would be much more difficult to protect -- verification was being done against a writable buffer and then translated into another writable buffer in the extended BPF language. This new language allowed not just arbitrary read and write, but arbitrary function calling." The protections in the grsecurity kernel will thus prevent this attack. In addition, the newly released RAP feature for grsecurity, which aims to eliminate return-oriented programming (ROP) attacks against the kernel, will also ensure that "the fear of JIT spraying goes away completely", he said.
Security advisories for Tuesday
Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and smarty3 (code execution).
Fedora has updated php (F23: multiple vulnerabilities).
Gentoo has updated git (multiple vulnerabilities).
Oracle has updated mercurial (OL7: two vulnerabilities).
Scientific Linux has updated mercurial (SL7: two vulnerabilities).
Slackware has updated mercurial (code execution).
Ubuntu has updated libtasn1-3, libtasn1-6 (15.10, 14.04, 12.04: denial of service), libtasn1-6 (16.04: denial of service), openssl (multiple vulnerabilities), poppler (15.10, 14.04, 12.04: multiple vulnerabilities), and firefox (12.04: denial of service).
May Android security bulletin
The Android security bulletin for May is available. It lists 40 different CVE numbers addressed by the May over-the-air update; the bulk of those are at a severity level of "high" or above. "Partners were notified about the issues described in the bulletin on April 04, 2016 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. We will revise this bulletin with the AOSP links when they are available. The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."
Intl. Day Against DRM is Tuesday
The International Day Against DRM is May 3. "Participate in person at one of the planned events, or join us Tuesday on dayagainstdrm.org for ways to take action against DRM. There will also be a list of discounted ebook offerings from stores participating in the Day."
Security updates for Monday
Arch Linux has updated firefox (multiple vulnerabilities).
CentOS has updated mercurial (C7: two vulnerabilities).
Debian has updated botan1.10 (multiple vulnerabilities), chromium-browser (multiple vulnerabilities), poppler (code execution), and tardiff (two vulnerabilities).
Debian-LTS has updated botan1.10 (multiple vulnerabilities), gdk-pixbuf (two vulnerabilities), mysql-5.5 (multiple vulnerabilities), poppler (code execution), and subversion (two vulnerabilities).
Fedora has updated ansible (F23; F22: code execution), firefox (F23: multiple vulnerabilities), gd (F23: code execution), openvas-cli (F23: cross-site scripting), openvas-gsa (F23: cross-site scripting), openvas-libraries (F23: cross-site scripting), openvas-manager (F23: cross-site scripting), openvas-scanner (F23: cross-site scripting), roundcubemail (F23; F22: multiple vulnerabilities), and xen (F23; F22: multiple vulnerabilities).
Mageia has updated chromium-browser-stable (multiple vulnerabilities), firefox (multiple vulnerabilities), pgpdump (denial of service), php (multiple vulnerabilities), php-ZendFramework (multiple vulnerabilities), and roundcubemail (three vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL7: multiple vulnerabilities), mercurial (RHEL7: two vulnerabilities), and rh-mysql56-mysql (RHSCL: multiple vulnerabilities).
Slackware has updated ntp (multiple vulnerabilities), php (multiple vulnerabilities), and subversion (two vulnerabilities).
Ubuntu has updated ubuntu-core-launcher (16.04: code execution).
A guide to inline assembly code in GCC
The "linux-insides" series of articles has gained an overview of inline assembly in GCC. "I've decided to write this to consolidate my knowledge related to inline assembly here. As inline assembly statements are quite common in the Linux kernel and we may see them in linux-insides parts sometimes, I thought that it would be useful if we would have a special part which contains descriptions of the more important aspects of inline assembly. Of course you may find comprehensive information about inline assembly in the official documentation, but I like the rules all in one place."
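Two of the inline-assembly idioms that overview covers, written out as an added example that is not from the linux-insides text: asm_add() shows GCC's extended asm syntax with operands, constraints ("+r" for a read-write operand, "r" for an input) and the "cc" clobber that an ADD needs because it rewrites the flags; secure_zero() shows the other use a security engineer reaches for, an empty volatile asm with a "memory" clobber that keeps the compiler from discarding a memset of secret data as a dead store. The aarch64 variant and the plain-C fallback for other targets are assumptions so that the file builds anywhere; the rest is standard GCC syntax.

```c
/* Added example (not from the linux-insides article). Assumptions: the
 * aarch64 variant and the plain-C fallback for targets without an asm form. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* a + b with the addition done in assembly. On x86-64, %0 is the read-write
 * operand a ("+r"), %1 is the input b ("r"); AT&T order is "addq src, dst".
 * ADD writes the flags, so "cc" is listed as clobbered. */
uint64_t asm_add(uint64_t a, uint64_t b)
{
#if defined(__x86_64__)
    __asm__ ("addq %1, %0" : "+r"(a) : "r"(b) : "cc");
    return a;
#elif defined(__aarch64__)
    uint64_t out;
    __asm__ ("add %0, %1, %2" : "=r"(out) : "r"(a), "r"(b));
    return out;
#else
    return a + b;                        /* assumption: plain C elsewhere */
#endif
}

/* Zero a buffer and keep the zeroing alive through optimization. Without the
 * barrier, GCC may drop the memset when the buffer is never read again,
 * leaving a key or password in memory. The empty asm is volatile, takes the
 * pointer as an input and declares memory clobbered, so the compiler must
 * assume the zeroed bytes are observed by something it cannot see. */
void secure_zero(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* Self-check: fill a local "key" with 0xAA, wipe it, and confirm every byte
 * is zero. (Reading the bytes back here would keep a plain memset alive too;
 * the barrier matters for the real case where nothing reads the buffer
 * afterwards.) Returns 1 on success. */
int secure_zero_selftest(void)
{
    unsigned char key[32];
    size_t i;
    memset(key, 0xAA, sizeof key);
    secure_zero(key, sizeof key);
    for (i = 0; i < sizeof key; i++)
        if (key[i] != 0)
            return 0;
    return 1;
}
```

The rule of thumb the two functions illustrate: declare every register the instruction reads or writes through the operand lists, declare every side effect the compiler cannot see through the clobber list, and add `volatile` only when the asm must run even if its outputs look unused.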
Kernel prepatch 4.6-rc6
The 4.6-rc6 kernel prepatch is out. Linus says: "Things continue to be fairly calm, although I'm pretty sure I'll still do an rc7 in this series." As of this prepatch the codename has been changed to "Charred Weasel."
Devuan Jessie beta released
The Devuan community has finally gotten a beta release out for testing. "Debian GNU+Linux [sic] is a fork of Debian without systemd, on its way to become much more than that. This Beta release marks an important milestone towards the sustainability and the continuation of Devuan as a universal base distribution."
WebExtensions in Firefox 48
At the Mozilla blog, Andy McKay announces that the browser maker has officially declared WebExtensions ready to use for add-on development. "With the release of Firefox 48, we feel WebExtensions are in a stable state. We recommend developers start to use the WebExtensions API for their add-on development." The WebExtensions support released for Firefox 48 includes improvements to the alarms, bookmarks, downloads, notifications, webNavigation, webRequest, windows and tabs APIs, support for a new Content Security Policy that limits where resources can be loaded from, and support in Firefox for Android. LWN looked at the WebExtensions API in December.
Friday's security updates
Debian has updated subversion (multiple vulnerabilities).
Fedora has updated i7z (F23: denial of service).
openSUSE has updated php5 (Leap 42.1: multiple vulnerabilities).
SUSE has updated ntp (SLE11; SLE12: multiple vulnerabilities).
The ACM 2015 technical awards
The Association for Computing Machinery has announced the recipients of its 2015 technical awards. They are Brent Waters, Michael Luby, Eric Horvitz, and: "Richard Stallman, recipient of the ACM Software System Award for the development and leadership of GCC (GNU Compiler Collection), which has enabled extensive software and hardware innovation, and has been a lynchpin of the free software movement."
X.Org votes to join SPI
The results of the X.Org election are in. There were two things up for a vote: four seats on the board of directors and amending the bylaws to join Software in the Public Interest (SPI). Unlike last year's election, this year's vote met the required 2/3 approval to join SPI (61 voters out of 65 members, with 54 voting "Yes", 4 "No", and 3 "Abstain"). In addition, Egbert Eich, Alex Deucher, Keith Packard, and Bryce Harrington were elected to the board.
Security updates for Thursday
CentOS has updated firefox (C6; C5: multiple vulnerabilities). Debian has updated iceweasel (multiple vulnerabilities) and php5 (multiple vulnerabilities). Fedora has updated kernel (F23: two vulnerabilities) and libtasn1 (F22: denial of service). openSUSE has updated php5 (13.2: multiple vulnerabilities, including one from 2014). SUSE has updated php5 (SLE12: multiple vulnerabilities, including one from 2014). Ubuntu has updated libsoup2.4 (16.04, 15.10, 14.04: regression in previous update), oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities), php5 (15.10: regression in previous update), and thunderbird (multiple vulnerabilities).
[$] LWN.net Weekly Edition for April 28, 2016
The LWN.net Weekly Edition for April 28, 2016 is available.
Firefox 46.0
Firefox 46.0 has been released, featuring improved security of the JavaScript Just In Time (JIT) Compiler and GTK3 integration. See the release notes for more details.
Security advisories for Wednesday
CentOS has updated firefox (C7: multiple vulnerabilities). Debian has updated mysql-5.5 (multiple vulnerabilities) and openjdk-7 (multiple vulnerabilities). Fedora has updated rpm (F23: two vulnerabilities) and xstream (F23; F22: enabled processing of external entities). Gentoo has updated libksba (three vulnerabilities) and wireshark (multiple vulnerabilities). Mageia has updated libgd (code execution), samba (multiple vulnerabilities), w3m (denial of service), and wireshark (multiple vulnerabilities). Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities). Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities). Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities). Slackware has updated firefox (multiple vulnerabilities). Ubuntu has updated firefox (multiple vulnerabilities).
GCC 6.1 Released
Version 6.1 of the GCC compiler suite is out. Changes in this release include defaulting to the C++14 standard, improved diagnostic output, full support for OpenMP 4.5, better optimization, and more; see the changelog for a full list.
New functional programming language can generate C, Python code for apps (InfoWorld)
InfoWorld introduces Futhark, an open source functional programming language designed for creating code that runs on GPUs. It can automatically generate both C and Python code to be integrated with existing apps. "Most GPU programming involves using frameworks like OpenCL or CUDA, both of which use variations of C or C++ to generate code that runs on the GPU. Futhark can generate C code, but is its own language, more similar to Haskell or Standard ML than C. (Futhark is itself written in Haskell.) Futhark's creators claim that the expressiveness of the language makes it easier to describe complex operations that use parallelism. This includes the ability to support nested parallelizations (parallel operations inside other parallel operations). Futhark can do this "despite the complexities of efficiently mapping to the flat parallelism supported by hardware, as a great many programs depend on this feature," say the language's creators."
Tuesday's security updates
CentOS has updated nspr (C5: two vulnerabilities), nss (C5: two vulnerabilities), nspr (C7: two vulnerabilities), nss (C7: two vulnerabilities), nss-softokn (C7: two vulnerabilities), and nss-util (C7: two vulnerabilities). Fedora has updated ansible1.9 (F23; F22: code execution), golang (F23; F22: denial of service), gsi-openssh (F23; F22: command injection), mingw-poppler (F23; F22: code execution), mod_nss (F23; F22: invalid handling of +CIPHER operator), and webkitgtk4 (F22: multiple vulnerabilities). openSUSE has updated flash-player (11.4: code execution). Oracle has updated nss and nspr (OL5: two vulnerabilities) and nss, nspr, nss-softokn, and nss-util (OL7: three vulnerabilities). Scientific Linux has updated nss, nspr, nss-softokn, nss-util (SL7: two vulnerabilities). SUSE has updated php53 (SLE11-SP4: multiple vulnerabilities), portus (SLEM12: multiple vulnerabilities), and xen (SLES11-SP2: multiple vulnerabilities).
Finding a new home for Thunderbird
The Mozilla Foundation has (in the guise of Gervase Markham) posted an update on the process of spinning off the Thunderbird mail client as a separate project. As part of that, they engaged Simon Phipps to write up a survey of possible new homes [PDF] for the project. "Having reviewed the destinations listed below together with several others which were less promising, I believe there are three viable choices for a future home for the Thunderbird Project; Software Freedom Conservancy, The Document Foundation and a new deal at the Mozilla Foundation. None of these three is inherently the best, and it is possible that over time the project might seek to migrate to a 'Thunderbird Foundation' as a permanent home (although I would not recommend that as the next step)."