LWN.net headlines feed

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-25 22:15
[$] LWN.net Weekly Edition for August 13, 2015
The LWN.net Weekly Edition for August 13, 2015 is available.
[$] Working with xdg-app application bundles
One of the oft-recurring topics at GUADEC 2015 was the xdg-app application-packaging system currently being developed. Xdg-app's lead developer Alexander Larsson gave a presentation on its current status on the first day, and it featured prominently in Christian Hergert's keynote about reaching new developers as well as in Bastien Nocera's talk about hardware enablement. Perhaps the most practical discussion of the subject, however, came in Stephan Bergmann's talk about his recent attempts to bundle LibreOffice into an xdg-app package.
Security advisories for Wednesday
Arch Linux has updated firefox (multiple vulnerabilities). CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities). Debian has updated gnutls28 (denial of service), iceweasel (multiple vulnerabilities), and wordpress (multiple vulnerabilities). Fedora has updated devscripts (F22; F21: two vulnerabilities), kernel (F22; F21: information leak), pure-ftpd (F22: denial of service), xen (F22; F21: code execution), and xfsprogs (F22: information disclosure from 2012). Mageia has updated firefox (MG4,5: multiple vulnerabilities), flash-player-plugin (MG4,5: multiple vulnerabilities), and qemu (MG4,5: multiple vulnerabilities). openSUSE has updated gnutls (13.2, 13.1: denial of service). Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities). Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.5: use-after-free flaw). Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities). SUSE has updated flash-player (SLE12; SLED11SP4,SP3: multiple vulnerabilities). Ubuntu has updated firefox (15.04, 14.04, 12.04: multiple vulnerabilities) and ubufox (15.04, 14.04, 12.04: multiple vulnerabilities).
Docker 1.8 released
The 1.8 release of the Docker container system is out, with a number of new features. "Docker Content Trust is a new feature in Docker Engine 1.8 that makes it possible to verify the publisher of Docker images. When a publisher pushes an image to a remote registry, Docker signs the image with a private key. When you later pull this image, Docker uses the publisher’s public key to verify that the image you are about to run is exactly what the publisher created, has not been tampered with, and is up to date."
Thor: another free video codec
Cisco, it seems, is unhappy with the patent mess around video codecs, so it has launched a project called "Thor" to make one that can be freely distributed. "The effort is being staffed by some of the world’s most foremost codec experts, including the legendary Gisle Bjøntegaard and Arild Fuldseth, both of whom have been heavy contributors to prior video codecs. We also hired patent lawyers and consultants familiar with this technology area. We created a new codec development process which would allow us to work through the long list of patents in this space, and continually evolve our codec to work around or avoid those patents."
Firefox 40 is available
Mozilla has released Firefox 40. There are several new features listed in the release notes, such as: improved scrolling, graphics, and video playback performance with off-main-thread compositing, added protection against unwanted software downloads, a new style for the add-on manager based on the in-content preferences style, and an improved graphic blocklist mechanism.
Kali Linux 2.0 released
Kali Linux is a Debian-based distribution oriented toward penetration testing and related tasks; the 2.0 release is now available. "There’s a new 4.0 kernel, now based on Debian Jessie, improved hardware and wireless driver coverage, support for a variety of Desktop Environments (gnome, kde, xfce, mate, e17, lxde, i3wm), updated desktop environment and tools – and the list goes on. But these bulletpoint items are essentially a side effect of the real changes that have taken place in our development backend. Ready to hear the real news? Take a deep breath, it’s a long list." At the top of that list is that Kali is now a rolling distribution.
Security updates for Tuesday
Arch Linux has updated ppp (denial of service). Debian has updated subversion (two vulnerabilities). Debian-LTS has updated opensaml2 (denial of service). Fedora has updated elasticsearch (F22: multiple vulnerabilities), lxc (F22; F21: two vulnerabilities), and rubygems (F22: DNS hijacking).
OpenSSH 7.0
The OpenSSH 7.0 release is out. It fixes a number of problems and adds a few new configuration features, but the main focus of 7.0 is taking things out: "The focus of this release is primarily to deprecate weak, legacy and/or unsafe cryptography." More old crypto is slated for removal in 7.1; see the announcement for the list.
Ubuntu One file-synchronization code released
Ubuntu has announced the release of the file-synchronization code behind its "Ubuntu One" service. The release is about as "over-the-wall" as it gets, though: "Will you take patches? In general, no. We won’t have anybody assigned to reviewing and accepting code. We’d encourage interested maintainers to fork the code and build out a community around it."
Stable kernel updates
Stable kernels 4.1.5, 3.14.50, and 3.10.86 have been released. All of them contain important fixes throughout the tree.
Security advisories for Monday
CentOS has updated firefox (C7; C6; C5: information leak). Debian has updated activemq (denial of service) and opensaml2 (problem with previous update). Debian-LTS has updated xmltooling (denial of service). Fedora has updated community-mysql (F22; F21: unspecified vulnerabilities) and firefox (F22; F21: information leak). Mageia has updated cacti (MG4,5: multiple vulnerabilities), firefox (MG4,5: information leak), ghostscript (MG4,5: buffer overflow), libunwind (MG4,5: buffer overflow), lxc (MG5: two vulnerabilities), and wordpress (MG4: multiple vulnerabilities). Oracle has updated firefox (OL7; OL6; OL5: information leak). Red Hat has updated firefox (RHEL5,6,7: information leak). Scientific Linux has updated firefox (SL5,6,7: information leak). Slackware has updated firefox (information leak) and nss (information leak).
Kernel prepatch 4.2-rc6
The 4.2-rc6 kernel prepatch is out. Linus says: "So last week I wasn't very happy about the state of the release candidates, but things are looking up. Not only is rc6 finally shrinking noticeably, the issues I was worried about had fixes come in early in the week, and so I don't have anything big pending. Assuming nothing new comes up, I suspect we will end up with the regular release schedule after all (ie in two weeks). Knock wood."
Ubuntu 14.04.3 LTS released
The third update to the 14.04 Long Term Support release is available for Desktop, Server, Cloud, and Core products, as well as other flavors of Ubuntu with long-term support. "We have expanded our hardware enablement offering since 12.04, and with 14.04.3, this point release contains an updated kernel and X stack for new installations to support new hardware across all our supported architectures, not just x86."
Firefox 39.0.3 is out
Firefox 39.0.3 has been released. According to the release notes there are various security fixes. This does include a fix for the recently reported active exploit.
CentOS Linux 6.7 released
CentOS Linux 6.7 has been released for x86 and x86_64. "There are many fundamental changes in this release, compared with the past CentOS Linux 6 releases, and we highly recommend everyone study the upstream Release Notes as well as the upstream Technical Notes about the changes and how they might impact your installation. (See the 'Further Reading' section of the CentOS release notes.)"
Security updates for Friday
Arch Linux has updated firefox (information leak) and wordpress (multiple vulnerabilities). Debian has updated kernel (multiple vulnerabilities). Debian-LTS has updated openssh (two vulnerabilities) and remind (buffer overflow). Fedora has updated drupal6-cck (F22; F21: unspecified vulnerability), lighttpd (F22; F21: log injection), mantis (F22; F21: information disclosure), opensaml-java (F22; F21: missing host name verification), opensaml-java-openws (F22; F21: missing host name verification), and openstack-swift (F22: arbitrary object deletion). Oracle has updated kernel 3.8.13 (OL7; OL6: information leak), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: two vulnerabilities). Ubuntu has updated firefox (15.04, 14.04, 12.04: information leak) and openjdk-6 (12.04: multiple vulnerabilities).
Privacy Badger 1.0
The Electronic Frontier Foundation has announced the 1.0 release of the Privacy Badger browser extension. "As you browse the Web, Privacy Badger looks at any third party domains that are loaded on a given site and determines whether or not they appear to be tracking you (e.g. by setting cookies that could be used for tracking, or fingerprinting your browser). If the same third party domain appears to be tracking you on three or more different websites, Privacy Badger will conclude that the third party domain is a tracker and block future connections to it." The extension is distributed under GPLv3; see this page for more information.
An active Firefox exploit
Mozilla has posted a warning about a Firefox vulnerability that is currently being actively exploited on the net. "The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the 'same origin policy') and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files." There is a security update for the problem.
Grasch: A Frank Look at Simon: Where To Go From Here
On his blog, Peter Grasch considers the future for the Simon speech-recognition system for KDE. He is passing the torch and will no longer be actively participating in the project, but he spent some time passing on his knowledge and some thoughts on where things might go from here. In addition, he built a working prototype of a speech-based command and control system for the Plasma desktop called Lera. "If anything, Lera is a starting point. The next steps would be to move Simon’s “event simulation” library into a separate framework, to be shared between Lera and Simon. Lera could then use this to type out the recognition results (see Simon’s Dictation plugin). Then, I would suggest porting a simplified notion of “Scenarios” to Lera, which should only really contain a set of commands, and maybe context information (vocabulary and “grammar” can be synthesized automatically from the command triggers). The implementation of training (acoustic model adaption) would then complete a very sensible, very usable version 1.0."
Federated Cloud Sharing in ownCloud 8.1 (ownCloud blog)
The ownCloud blog has a post about federated file sharing between ownCloud instances in ownCloud 8.1, but it also looks at the wider view of federation between various kinds of cloud servers. ownCloud founder Frank Karlitschek has a series of posts (It is Time to Federate Our Clouds, The Next Generation File Sync and Share Technology, and The Federated Architecture of Next Generation File Sync and Share) on federation technology and has also proposed a cross-cloud-platform federation API: "In addition, today Frank proposed a draft of a Federated Cloud Sharing API to the Open Cloud Mesh working group with the goal of jump-starting a discussion about what is needed to enable federation between different file sharing implementations. Sharing among ownClouds is great, but the true power of a federated file cloud is available when you can share among different implementations seamlessly, because you all speak the same common language. This is the goal of the Open Cloud Mesh working group (of which ownCloud is a member as well), and outside of that, drafts have been shared with a number of well known standards organizations around web technologies and fellow open source file share and sync projects to get the work started."
Security updates for Thursday
CentOS has updated kernel (C7: multiple vulnerabilities, one from 2014). Fedora has updated kernel (F22: three vulnerabilities). openSUSE has updated ghostscript (13.2, 13.1: code execution) and php5 (13.2, 13.1: two vulnerabilities). Red Hat has updated kernel (RHEL7: multiple vulnerabilities, one from 2014) and kernel-rt (RHEL7; RHEL6: multiple vulnerabilities, one from 2014). Scientific Linux has updated kernel (SL7: multiple vulnerabilities, one from 2014). SUSE has updated oracle-update (Manager 2.1: multiple vulnerabilities). Ubuntu has updated cinder (15.04: arbitrary file reads), python-keystoneclient, python-keystonemiddleware (15.04, 14.04: two vulnerabilities, one from 2014), and swift (15.04, 14.04, 12.04: two vulnerabilities, one from 2014).
[$] LWN.net Weekly Edition for August 6, 2015
The LWN.net Weekly Edition for August 6, 2015 is available.
[$] "Big data" features coming in PostgreSQL 9.5
PostgreSQL 9.5 Alpha 2 is due to be released on August 6. Not only does the new version support UPSERT, more JSON functionality, and other new features we looked at back in July, it also has some major enhancements for "big data" workloads. Among these are faster sorts, TABLESAMPLE, GROUPING SETS and CUBE, BRIN indexes, and Foreign Data Wrapper improvements. Taken together, these features strengthen arguments for using PostgreSQL for data warehouses, and enable users to continue using it with bigger databases.
Security updates for Wednesday
Debian has updated wordpress (regression in previous update). Debian-LTS has updated ia32-libs (multiple vulnerabilities). Red Hat has updated java-1.5.0-ibm (RHEL5,6: multiple vulnerabilities) and node.js (RHOSE2.1; RHOSE2.0: man-in-the-middle attack). SUSE has updated java-1_6_0-ibm (SLEM12: multiple vulnerabilities). Ubuntu has updated oxide-qt (15.04, 14.04: multiple vulnerabilities).
[$] Fuzzing perf_events
You might be surprised to learn that starting with Linux 2.6.31 (in 2009) it has been rather easy to crash the Linux kernel. This date marks the introduction of the perf_event subsystem. It is likely that perf_event is not any more prone to errors than any other large kernel subsystem, but it has the distinction of being subjected to intense testing from the perf_fuzzer tool, which methodically probes the interface for bugs. Click below (subscribers only) for the full article from perf_fuzzer author Vince Weaver.
LibreOffice 5.0 released
The LibreOffice 5.0 release is out. "LibreOffice 5.0 sports a significantly improved user interface, with a better management of the screen space and a cleaner look. In addition, it offers better interoperability with office suites such as Microsoft Office and Apple iWork, thanks to new and improved filters to handle non-standard formats." See this post from Michael Meeks for a detailed description of the work that went into this release.
Coalition Announces New ‘Do Not Track’ Standard for Web Browsing
The Electronic Frontier Foundation (EFF), privacy company Disconnect and a coalition of Internet companies have announced a stronger “Do Not Track” (DNT) setting for Web browsing: "a new policy standard that, coupled with privacy software, will better protect users from sites that try to secretly follow and record their Internet activity, and incentivize advertisers and data collection companies to respect a user’s choice not to be tracked online."
Tuesday's security advisories
Debian has updated squid3 (security bypass) and wordpress (multiple vulnerabilities). Fedora has updated quassel (F21: denial of service). Mageia has updated ipython (MG4,5: two vulnerabilities), moodle (MG5: vulnerabilities), pdns (MG4,5: denial of service), and php (MG5: multiple vulnerabilities). openSUSE has updated gpsm (13.1: code execution from 2013). Scientific Linux has updated autofs (SL6: privilege escalation), curl (SL6: multiple vulnerabilities), freeradius (SL6: denial of service), gnutls (SL6: multiple vulnerabilities), grep (SL6: two vulnerabilities), hivex (SL6: privilege escalation), httpd (SL6: access restriction bypass), ipa (SL6: cross-site scripting), java-1.6.0-openjdk (SL6: multiple vulnerabilities), kernel (SL6: multiple vulnerabilities), libreoffice (SL6: code execution), libxml2 (SL6: denial of service), mailman (SL6: two vulnerabilities), net-snmp (SL6: denial of service), ntp (SL6: multiple vulnerabilities), pacemaker (SL6: privilege escalation), pki-core (SL6: cross-site scripting), python (SL6: multiple vulnerabilities), sudo (SL6: information disclosure), wireshark (SL6: multiple vulnerabilities), and wpa_supplicant (SL6: denial of service).
Announcing the shutdown of the Ada Initiative
The Ada Initiative has announced that it is shutting down in mid-October. In the four years since it was founded, the organization has accomplished a lot to help create a less hostile environment for women in open technology and open culture. "We are proud of what we accomplished with the support of many thousands of volunteers, sponsors, and donors, and we expect all of our programs to continue on in some form without the Ada Initiative." Essentially, the organization found it hard to find others with the same "experiences, skills, strengths and passions" as co-founders Valerie Aurora and Mary Gardiner when they wanted to change roles within the initiative. "The Ada Initiative will shut down in approximately mid-October after using our remaining funds to complete our current obligations and do the tasks necessary to shut down the organization properly. We have several Ally Skills Workshops booked or in the process of being booked during our remaining months of operation. (We will not be booking additional Ally Skills Workshops through the Ada Initiative, but we will refer clients to other people who are teaching the Ally Skills Workshop.) We will teach Impostor Syndrome training classes in Sydney and Oakland in August, and release the materials under the Creative Commons Attribution Sharealike license. We will do the work to keep the Ada Initiative's web content online and available after the Ada Initiative shuts down."
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.1.4, 3.14.49, and 3.10.85. All of them contain important fixes.
Security advisories for Monday
Debian has updated apache2 (multiple vulnerabilities), ghostscript (code execution), icedove (multiple vulnerabilities), icu (multiple vulnerabilities), and ruby-rack (denial of service). Fedora has updated bind (F22; F21: denial of service), bind99 (F22: denial of service), libuser (F21: multiple vulnerabilities), and openssh (F21: denial of service). Mageia has updated bind (MG4,5: denial of service), icu (MG4,5: code execution), and remind (MG4,5: buffer overflow). openSUSE has updated bind (13.2, 13.1: denial of service) and libuser (13.2: privilege escalation). Oracle has updated java-1.6.0-openjdk (OL5: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities), kernel 2.6.32 (OL6; OL5: multiple vulnerabilities), kernel 3.8.13 (OL7; OL6: multiple vulnerabilities), and lxc (OL7; OL6: two vulnerabilities). Scientific Linux has updated bind (SL6; SL6,7: denial of service) and libuser (SL6: two vulnerabilities).
Kernel prepatch 4.2-rc5
The 4.2-rc5 prepatch is out, and Linus is wishing things were going a bit more smoothly. "We're getting up there to the later rc's, but it's looking like 4.2 might be one of the releases needing more than the usual seven rc releases - things aren't calming down like I would wish, and we've still had some fairly annoying issues pop up."
Real-world use of Linux multipath TCP
LWN looked at the Linux multipath TCP implementation back in 2013. That code remains out of tree, but it now seems that it is being used in some Samsung phones in Korea. "This service enables smartphone users to reach bandwidth of up to 1 Gbps on existing smartphones. This is probably the fastest commercially deployed mobile network. They achieve this high bandwidth by combining both fast LTE (with carrier aggregation) and fast WiFi networks on Multipath TCP enabled smartphones." (Thanks to Oliver Bonaventure.)
OpenSSL: License Agreements and Changes Are Coming
At the OpenSSL blog, Rich Salz has announced the project's decision to migrate away from the "rather unique and idiosyncratic" OpenSSL license to the Apache 2.0 license. In order to make the change in an upcoming release, though, the project "will soon require almost every contributor to have a signed Contributor License Agreement (CLA) on file." Individual and corporate versions of the CLA are posted; trivial patches will evidently not trigger the need for the submitter to sign and file an agreement. Salz closes by noting that more details are still to come, since "there is a lot of grunt work needed to clean up the backlog and untangle all the years of work from the time when nobody paid much attention to this sort of detail."
Mozilla criticizes browser-selection change in Windows
Mozilla has launched a multi-pronged campaign to challenge a recent change in Windows that has the effect of overriding users' choice of Firefox as the default web browser. Mozilla CEO Chris Beard posted a blog entry outlining the problem as well as an open letter to Microsoft CEO Satya Nadella. The change apparently landed with the recent Windows 10 release and, as Beard explains it, "while it is technically possible for people to preserve their previous settings and defaults, the design of the new Windows 10 upgrade experience and user interface does not make this obvious nor easy." Mozilla has also posted tutorials and videos to help users restore Firefox as their default browser.
A leadership change at FFmpeg
FFmpeg leader Michael Niedermayer has announced his departure from the project. "I hope my resignation will make it easier for the teams to find back together and avoid a more complete split which would otherwise be the result sooner or later as the trees diverge and merging all improvements becomes too difficult for me to do."
Friday's security updates
CentOS has updated java-1.6.0-openjdk (C5; C7: multiple vulnerabilities). Debian has updated openafs (multiple vulnerabilities) and xmltooling (denial of service). Fedora has updated libuser (F22: multiple vulnerabilities), openssh (F22: authentication limits bypass; F22: improper output filtering), and xrdp (F22: denial of service). Mageia has updated groovy (M4, M5: code execution). openSUSE has updated bind (11.4: multiple vulnerabilities) and openldap2 (13.1, 13.2: multiple vulnerabilities). Oracle has updated java-1.6.0-openjdk (O6; O7: ). Red Hat has updated java-1.6.0-openjdk (multiple vulnerabilities). Scientific Linux has updated openafs (multiple vulnerabilities). SUSE has updated bind (SLES 10: denial of service), java-1_7_0-openjdk (SLE 11; SLE 12: multiple vulnerabilities), java-1_7_1-ibm (SLE 11; SLE 12: multiple vulnerabilities), and kernel (SLE 12: multiple vulnerabilities). Ubuntu has updated hplip (12.04, 14.04, 15.04: man-in-the-middle attack), kernel (14.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and sqlite3 (12.04, 14.04, 15.04: multiple vulnerabilities).
DebConf15 schedule and featured speakers announced
Debconf15, which will be held in Heidelberg, Germany August 15-23, has announced its schedule as well as four featured speakers: Allison Randal, President, Open Source Initiative and Distinguished Technologist, HP; Peter Eckersley, Chief Computer Scientist, Electronic Frontier Foundation; John Sullivan, Executive Director, Free Software Foundation; and Jon 'maddog' Hall, Executive Director, Linux International. "The DebConf content team is pleased to announce the schedule of DebConf15, the forthcoming Debian Developers Conference. From a total of nearly 100 talk submissions, the team selected 75 talks. Due to the high number of submissions, several talks had to be shortened to 20 minute slots, of which a total of 30 talks have made it to the schedule. In addition, around 50 meetings and discussions (BoFs) have been organized so far, as well as several other events like lightning talk sessions, live demos, a movie screening, a poetry night or stand-up comedy."
Oracle Linux 6.7 released
Oracle has announced the release of Oracle Linux 6.7. As usual this release features both a Red Hat compatible kernel and Oracle's enterprise kernel. Some notable features include Open Security Content Automation Protocol (OpenSCAP), including the oscap utility for enhanced security auditing and compliance, Load Balancing and High Availability with Keepalived and HAProxy, supported under Oracle Linux Premier Support subscriptions, Enhanced SSSD support for Active Directory, and more. See the release notes for details.
Security updates for Thursday
Debian-LTS has updated squid3 (security bypass). Fedora has updated drupal7-path_breadcrumbs (F22; F21: cross-site scripting), ecryptfs-utils (F22; F21: password disclosure from 2014), hplip (F21: key verification botch), httpd (F21: multiple vulnerabilities), ipython (F22; F21: cross-site request forgery), libunwind (F21: code execution), libwmf (F21: two denial of service flaws), nx-libs (F22: unspecified vulnerabilities), wpa_supplicant (F21: code execution), and xrdp (F21: denial of service). openSUSE has updated lxc (13.2; 13.1: two vulnerabilities). Oracle has updated autofs (OL6: privilege escalation from 2014), bind (OL6; OL6: denial of service), curl (OL6: multiple vulnerabilities, some from 2014), freeradius (OL6: code execution from 2014), gnutls (OL6: two vulnerabilities), grep (OL6: code execution), hivex (OL6: code execution from 2014), ipa (OL6: cross-site scripting from 2010 and 2012), kernel (OL6: multiple vulnerabilities, some from 2014), kernel 3.8.13 (OL7; OL6: three vulnerabilities, one from 2014), libreoffice (OL6: code execution), libuser (OL6: privilege escalation), libxml2 (OL6: two vulnerabilities, one from 2014), mailman (OL6: two vulnerabilities, one from 2002), net-snmp (OL6: denial of service from 2014), ntp (OL6: three vulnerabilities), pki-core (OL6: cross-site scripting), python (OL6: two vulnerabilities from 2013 and 2014), sudo (OL6: information disclosure from 2014), wireshark (OL6: multiple vulnerabilities, some from 2014), and wpa_supplicant (OL6: denial of service). SUSE has updated bind (SLE11SP1: denial of service). Ubuntu has updated ghostscript (15.04, 14.04, 12.04: code execution), openjdk-7 (15.04, 14.04: multiple vulnerabilities), pcre3 (15.04, 14.04, 12.04: multiple vulnerabilities, one from 2014), and tidy (15.04, 14.04, 12.04: two vulnerabilities).
Mourning Nóirín Plunkett
Here are a couple of sad notes from the Ada Initiative and the Apache Software Foundation on the abrupt passing of Nóirín Plunkett. "Throughout Nóirín's time at the Foundation she was an Apache httpd contributor, ASF board member, VP and ApacheCon organizer. Nóirín's passionate contributions and warm personality will be sorely missed. Many considered Nóirín a friend and viewed Nóirín's work to improving 'Women in Technology' as a great contribution to this cause."
[$] LWN.net Weekly Edition for July 30, 2015
The LWN.net Weekly Edition for July 30, 2015 is available.
[$] Building a Tizen IVI test experience
In November of 2013, I decided to undertake a garage-hacking project and build an in-vehicle infotainment (IVI) Linux box for my own car. Motivated hobbyists have done such things for years, of course. But, after having followed the development of various automotive Linux projects (such as GENIVI and Tizen IVI), I wanted to put them to the test, rather than simply stuff a Raspberry Pi into the glove compartment and run Rhythmbox on a tiny screen on the dashboard. Interesting developments were happening at automakers and software vendors, and they were worth exploring. It turned out to be a rather large project, so to cover it fully will take more than one installment. The first major milestone involves understanding the unique hardware, power, and boot requirements of an IVI unit (as well as finding a distribution that fits the bill).
Security updates for Wednesday
Arch Linux has updated bind (denial of service), pacman (man-in-the-middle attack), and qemu (multiple vulnerabilities). CentOS has updated bind (C7; C5: denial of service) and bind97 (C5: denial of service). Debian has updated bind9 (denial of service). Debian-LTS has updated apache2 (denial of service) and bind9 (denial of service). Fedora has updated elfutils (F21: unspecified vulnerabilities), haproxy (F22; F21: information leak), hplip (F22: man-in-the-middle attack), libidn (F22; F21: information disclosure), php (F21: multiple vulnerabilities), roundcubemail (F22; F21: multiple vulnerabilities), subversion (F21: multiple vulnerabilities), and wpa_supplicant (F22: denial of service). Mageia has updated ansible (MG4,5: two vulnerabilities), freeradius (MG4,5: insufficient certificate verification), openssh (MG4,5: authentication limits bypass), python-django (MG4,5: multiple vulnerabilities), and springframework (MG5: denial of service). Oracle has updated bind (OL7; OL5: denial of service) and bind97 (OL5: denial of service). Red Hat has updated bind (RHEL6,7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and qemu-kvm-rhev (RHOSP5,6: two vulnerabilities). Scientific Linux has updated bind (SL5: denial of service) and bind97 (SL5: denial of service). Slackware has updated bind (denial of service). SUSE has updated bind (SLE12; SLE11SP3,4: denial of service). Ubuntu has updated bind9 (15.04, 14.04, 12.04: denial of service) and qemu (15.04, 14.04: multiple vulnerabilities).
Roadies vs. rock stars: The art of open leadership (Opensource.com)
Matt Thompson talks with Allen Gunn, Executive Director of Aspiration, at Opensource.com. "I think you lead with a very earnest form of humility. The best forms of open are lovingly subversive, in that they draw others to form their own conclusions about the benefit of open rather than beating them over the head with it."
Tuesday's security updates
CentOS has updated clutter (C7: screen lock bypass) and qemu-kvm (C7: two vulnerabilities). Debian-LTS has updated icu (code execution). Mageia has updated chromium-browser (MG4,5: multiple vulnerabilities), expat (MG4,5: denial of service), icu (MG5; MG4: denial of service/code execution), stunnel (MG5: authentication bypass), thunderbird (MG4,5: multiple vulnerabilities), wesnoth (MG5; MG4: information leak), and wordpress (MG4: two vulnerabilities). Oracle has updated clutter (OL7: screen lock bypass) and qemu-kvm (OL7: two vulnerabilities). Red Hat has updated clutter (RHEL7: screen lock bypass). Scientific Linux has updated clutter (SL7: screen lock bypass) and qemu-kvm (SL7: two vulnerabilities). SUSE has updated xen (SLE12; SLE11SP4: two vulnerabilities). Ubuntu has updated apache2 (15.04, 14.04, 12.04: two vulnerabilities), kernel (15.04; 14.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-lts-vivid (14.04: multiple vulnerabilities).
The Dronecode Foundation aims to keep UAVs open (Opensource.com)
Opensource.com follows up with the Dronecode Foundation, which was founded in October 2014. "In the past year, Dronecode's developer community has grown from 1,200 to more than 2000 contributors, with more than 12,000 commits in the codebase. The rate of development is rapid with 1,000 commits being reviewed a month, with well over 2 million lines of code across the various Dronecode projects. Developers from Qualcomm, Intel, Parrot, Yuneec and many others are actively engaged in the development of the Dronecode technology stack. As a result, updates, new releases and project milestones are in motion all the time. For example, in late May, the APM project released version 3.3 of its flight code, and the PX4 project reached a milestone with the first RC candidate for release 1.0."
The Android "Stagefright" vulnerability
Here is an article on the "Threatpost" site about a set of remotely exploitable media-library vulnerabilities present on vast numbers of Android devices. "An attacker in possession of their target’s phone number could send an MMS or even a Google Hangouts message to an affected device that triggers the vulnerability before the victim has a chance to open the message. In some cases, the attack would delete the MMS in question, leaving behind only a notification that a message was sent."
Security advisories for Monday
Debian has updated expat (code execution), lxc (two vulnerabilities), and openjdk-7 (multiple vulnerabilities). Debian-LTS has updated expat (code execution), ghostscript (buffer overflow), and lighttpd (man-in-the-middle attack). Mageia has updated apache (MG4,5: two vulnerabilities), java-1.8.0-openjdk (MG5: multiple vulnerabilities), libuser (MG4,5: two vulnerabilities), and mariadb (MG4,5: multiple vulnerabilities). openSUSE has updated cacti (13.2, 13.1: SQL injection), Chromium (13.2, 13.1: multiple vulnerabilities), java-1_7_0-openjdk (13.2, 13.1: multiple vulnerabilities), and java-1_8_0-openjdk (13.2: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and qemu-kvm (RHEL7: two vulnerabilities).