LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2025-09-14 07:00
Lefkowitz: The One Python Library Everyone Needs
Twisted developer Glyph Lefkowitz writes about the attrs library for Python, which he calls "my favorite mandatory Python library". Instead of a lot of boilerplate to handle attributes in classes, attrs makes it far easier. "It lets you say what you mean directly with a declaration rather than expressing it in a roundabout imperative recipe. Instead of “I have a type, it’s called MyType, it has a constructor, in the constructor I assign the property ‘A’ to the parameter ‘A’ (and so on)”, you say “I have a type, it’s called MyType, it has an attribute called a”, and behavior is derived from that fact, rather than having to later guess about the fact by reverse engineering it from behavior (for example, running dir on an instance, or looking at self.__class__.__dict__)."
Security updates for Friday
CentOS has updated mariadb (C7: multiple unspecified vulnerabilities), php (C7; C6: proxy injection), and qemu-kvm (C7: two vulnerabilities).
Debian has updated icedove (multiple vulnerabilities) and postgresql-9.4 (two vulnerabilities).
Debian-LTS has updated nettle (?:).
Fedora has updated perl-DBD-MySQL (F23: code execution from 2015), python (F24: proxy injection), and python3 (F24: proxy injection).
openSUSE has updated go (42.1, 13.2; SPH: denial of service), hawk2 (42.1: clickjacking prevention), java-1_7_0-openjdk (42.1; 13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1: multiple vulnerabilities), libarchive (42.1: multiple vulnerabilities, many from 2015), OpenJDK7 (13.1: multiple vulnerabilities), pcre2 (42.1: code execution), sqlite3 (42.1: information leak), and wget (13.2: code execution).
Oracle has updated mariadb (OL7: multiple unspecified vulnerabilities), php (OL7; OL6: proxy injection), and qemu-kvm (OL7: two vulnerabilities).
Red Hat has updated mariadb (RHEL7: multiple unspecified vulnerabilities), mariadb55-mariadb (RHSC: multiple unspecified vulnerabilities), php (RHEL7; RHEL6: proxy injection), php54-php (RHSC: proxy injection), php55-php (RHSC: proxy injection), qemu-kvm (RHEL7: two vulnerabilities), Red Hat OpenShift Enterprise (two vulnerabilities), rh-mariadb100-mariadb (RHSC: multiple unspecified vulnerabilities), rh-mysql56-mysql (RHSC: multiple unspecified vulnerabilities), and rh-php56-php (RHSC: proxy injection).
Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open (Ars Technica)
Ars Technica is reporting on a mistake by Microsoft that resulted in providing a "golden key" to circumvent Secure Boot. The "key" is not really a key at all, but a debugging tool that was inadvertently left in some versions of Windows devices and was found by two security researchers; the details were released on a "rather funky website" (viewing the source of that page is a good way to avoid the visual and audio funkiness). "The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled. And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse." As the researchers note, this is a perfect example of why backdoors (legally mandated or not) in cryptographic systems are a bad idea. Update: For some more detail, see Matthew Garrett's blog post.
Security advisories for Thursday
Arch Linux has updated jq (code execution from 2015) and websvn (cross-site scripting).
Debian-LTS has updated postgresql-9.1 (two vulnerabilities).
Gentoo has updated optipng (three vulnerabilities).
openSUSE has updated typo3 (13.1: three vulnerabilities from 2013 and 2014) and firefox, mozilla-nss (13.1: many vulnerabilities).
Red Hat has updated java-1.7.0-ibm (RHEL5: two vulnerabilities), java-1.7.1-ibm (RHEL6&7: two vulnerabilities), java-1.8.0-ibm (RHEL6&7: two vulnerabilities), and python-django (RHOSP8; RHOSP7; RHEL7: cross-site scripting).
Scientific Linux has updated qemu-kvm (SL6: denial of service).
Ubuntu has updated libgd2 (16.04, 14.04: three vulnerabilities) and xmlrpc-epi (16.04: code execution).
[$] LWN.net Weekly Edition for August 11, 2016
The LWN.net Weekly Edition for August 11, 2016 is available.
[$] The TCP "challenge ACK" side channel
Side-channel attacks against various kinds of protocols (typically networking or cryptographic) are both dangerous and often hard for developers and reviewers to spot. They are generally passive attacks, which makes them hard to detect as well. A recent paper [PDF] describes in detail one such attack against the kernel's TCP networking stack; the bug (CVE-2016-5696) has existed since Linux 3.6, which was released in 2012. Ironically, the bug was introduced because Linux has implemented a countermeasure against another type of attack.
Stable kernel updates
The 4.6.6, 4.4.17, and 3.14.75 stable kernel updates have been released. Each contains the usual set of fixes and updates.
The first public Kirigami release
The KDE project has announced the first public release of the Kirigami interface framework. "Now, with KDE’s focus expanding beyond desktop and laptop computers into the mobile and embedded sector, our QWidgets-based components alone are not sufficient anymore. In order to allow developers to easily create Qt-based applications that run on any major mobile or desktop operating system (including our very own existing Plasma Desktop and upcoming Plasma Mobile, of course), we have created a framework that extends Qt Quick Controls: Welcome Kirigami!"
Security advisories for Wednesday
CentOS has updated qemu-kvm (C6: denial of service).
Debian-LTS has updated fontconfig (privilege escalation) and mongodb (problem in previous update).
Fedora has updated lighttpd (F24; F23: man-in-the-middle attacks) and openssh (F24: denial of service).
Oracle has updated qemu-kvm (OL6: multiple vulnerabilities).
Red Hat has updated qemu-kvm (RHEL6: denial of service).
SUSE has updated java-1_7_0-openjdk (SLE12-SP1: multiple vulnerabilities), java-1_8_0-openjdk (SLE12-SP1: multiple vulnerabilities), php53 (SLE11-SP4: multiple vulnerabilities), squid3 (SLE11-SP4: multiple vulnerabilities), and kernel (SLE11-SP4: three vulnerabilities).
Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), linux-snapdragon (16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
EFF Announces 2016 Pioneer Award Winners
The Electronic Frontier Foundation (EFF) has announced the winners of the 2016 Pioneer Awards: "Malkia Cyril of the Center for Media Justice, data protection activist Max Schrems, the authors of the “Keys Under Doormats” report that counters calls to break encryption, and the lawmakers behind CalECPA—a groundbreaking computer privacy law for Californians."
Study Highlights Serious Security Threat to Many Internet Users (UCR Today)
UCR Today reports that researchers at the University of California, Riverside have identified a weakness in the Transmission Control Protocol (TCP) in Linux that enables attackers to hijack users’ internet communications remotely. "The UCR researchers didn’t rely on chance, though. Instead, they identified a subtle flaw (in the form of ‘side channels’) in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties. This means that given any two arbitrary machines on the internet, a remote blind attacker, without being able to eavesdrop on the communication, can track users’ online activity, terminate connections with others and inject false material into their communications."
The People’s Code (White House blog)
US Chief Information Officer Tony Scott introduces the Federal Source Code Policy on the White House blog. "By making source code available for sharing and re-use across Federal agencies, we can avoid duplicative custom software purchases and promote innovation and collaboration across Federal agencies. By opening more of our code to the brightest minds inside and outside of government, we can enable them to work together to ensure that the code is reliable and effective in furthering our national objectives. And we can do all of this while remaining consistent with the Federal Government’s long-standing policy of technology neutrality, through which we seek to ensure that Federal investments in IT are merit-based, improve the performance of our government, and create value for the American people." (Thanks to David A. Wheeler)
Security advisories for Tuesday
Arch Linux has updated curl (three vulnerabilities).
Debian has updated chromium-browser (multiple vulnerabilities) and fontconfig (privilege escalation).
Debian-LTS has updated libreoffice (code execution) and python-django (rebase to 1.4.x).
Fedora has updated bind99 (F23: denial of service), ca-certificates (F23: certificate update), dhcp (F23: denial of service), dnsmasq (F23: denial of service), flex (F24: buffer overflow), fontconfig (F24: privilege escalation), kernel (F24; F23: two vulnerabilities), libidn (F23: multiple vulnerabilities), libreswan (F23: unspecified), nodejs-tough-cookie (F24: denial of service), pdns (F24: denial of service), perl-CGI-Emulate-PSGI (F24; F23: HTTP redirect), perl-Module-Load-Conditional (F24; F23: privilege escalation), v8 (F24; F23: denial of service), and xen (F23: multiple vulnerabilities).
Mageia has updated chromium-browser-stable (multiple vulnerabilities), firefox (multiple vulnerabilities), and openntpd/busybox (denial of service).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), kernel (RHEL6.4: privilege escalation), nodejs010-nodejs-minimatch (RHSCL: denial of service), and rh-nodejs4-nodejs-minimatch (RHSCL: denial of service).
SUSE has updated kernel (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated curl (three vulnerabilities).
Christoph Hellwig's case against VMware dismissed
The GPL-infringement case brought against VMware by Christoph Hellwig in Germany has been dismissed by the court; the ruling is available in German and English. The decision seems to be based entirely on uncertainty over where his copyrights actually lie and not on the infringement claims. "Nonetheless, these questions (on which the legal interest of the parties and their counsel presumably focus) can and must remain unanswered. This is because the very first requirement for conducting an examination, namely that code possibly protected for the Plaintiff as a holder of adapter’s copyright has been used in the Defendant’s product, cannot be established." The ruling will be appealed.
Vice-President’s Report — The State of the GNOME Foundation
Jeff Fortin Tam reports on the state of the GNOME Foundation. "Generally speaking, this year was a bit less intense than the one before it (we didn’t have to worry about a legal battle with a giant corporation this time around!) although we did end up touching a fair amount of legal matters, such as trademark agreements. One big item we got cleared was the Ubuntu GNOME trademark agreement. We also welcomed businesses that wanted to sell GNOME-related merchandise, you can find them listed here—supporting them by purchasing GNOME-related items also supports the Foundation with a small percentage shared as royalties." (Thanks to Paul Wise)
Lumina Desktop 1.0.0 released
Version 1.0.0 of the Lumina Desktop Environment has been released. "After roughly four years of development, I am pleased to announce the first official release of the Lumina desktop environment! This release is an incredible realization of the initial idea of Lumina – a simple and unobtrusive desktop environment meant for users to configure to match their individual needs." Lumina is a from-scratch, BSD-licensed desktop system.
Security updates for Monday
Arch Linux has updated glibc (two denial of service vulnerabilities), lib32-glibc (two denial of service vulnerabilities), and libupnp (unauthenticated access).
Debian has updated kde4libs (command execution) and lighttpd (man-in-the-middle attacks).
Debian-LTS has updated mongodb (two vulnerabilities), mupdf (denial of service), and openjdk-7 (multiple vulnerabilities).
Fedora has updated curl (F24: three vulnerabilities), firefox (F23: multiple vulnerabilities), libgcrypt (F23: key leak), and xen (F24: multiple vulnerabilities).
Mageia has updated ruby-eventmachine (denial of service).
openSUSE has updated bsdiff (Leap42.1, 13.2: denial of service), Chromium (Leap42.1, 13.2; SPH for SLE12: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), libvirt (Leap42.1: authentication bypass), redis (Leap42.1, 13.2; SPH for SLE12: information leak), and wireshark (Leap42.1, 13.2: multiple vulnerabilities).
Slackware has updated curl (three vulnerabilities), firefox (multiple vulnerabilities), openssh (two vulnerabilities), and stunnel (two vulnerabilities).
Check Point's "QuadRooter" vulnerabilities
Check Point has discovered four local-root vulnerabilities in Qualcomm-based Android devices and is hyping the result as "QuadRooter". "QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device." Actually getting the report requires registration. All four vulnerabilities are in Android-specific code; three of them are in out-of-tree modules (kgsl and ipc_router); the fourth is in the "ashmem" code in the staging tree.
Kernel prepatch 4.8-rc1
Linus has released the 4.8-rc1 prepatch and closed the merge window for this development cycle — sort of. "I actually still have a few pull requests pending in my inbox that I just wanted to take another look at before merging, but the large bulk of the merge window material has been merged, and I wanted to make sure there aren't any new ones coming in." A total of 11,618 non-merge changesets were pulled during the merge window.
Let's Encrypt will be trusted by Firefox 50
The Let's Encrypt project, which provides a free SSL/TLS certificate authority (CA), has announced that Mozilla has accepted the project's root key into the Mozilla root program and that it will be trusted by default as of Firefox 50. This is a step forward from Let's Encrypt's earlier status. "In order to start issuing widely trusted certificates as soon as possible, we partnered with another CA, IdenTrust, which has a number of existing trusted roots. As part of that partnership, an IdenTrust root 'vouches for' the certificates that we issue, thus making our certificates trusted. We’re incredibly grateful to IdenTrust for helping us to start carrying out our mission as soon as possible. However, our plan has always been to operate as an independently trusted CA. Having our root trusted directly by the Mozilla root program represents significant progress towards that independence." The project has also applied for inclusion in the CA trust roots maintained by Apple, Microsoft, Google, Oracle, and Blackberry. News on those programs is still pending.
Friday's security updates
Arch Linux has updated firefox (multiple vulnerabilities), jdk7-openjdk (multiple vulnerabilities), jre7-openjdk (multiple vulnerabilities), and jre7-openjdk-headless (multiple vulnerabilities).
Debian has updated openjdk-7 (multiple vulnerabilities).
Debian-LTS has updated curl (multiple vulnerabilities) and mysql-5.5 (multiple vulnerabilities).
Fedora has updated collectd (F23; F24: code execution), dietlibc (F23; F24: insecure default PATH), perl (F24: privilege escalation), perl-DBD-MySQL (F24: code execution), and python-autobahn (F24: insecure origin validation).
openSUSE has updated MozillaFirefox, mozilla-nss (13.2, Leap42.1: multiple vulnerabilities).
Oracle has updated kernel (O7; O6: multiple vulnerabilities; O7; O6; O6; O5: privilege escalation) and squid (O6: code execution).
Scientific Linux has updated squid (SL6: code execution).
SUSE has updated kernel (SLE12-LP: multiple vulnerabilities).
Ubuntu has updated firefox (12.04, 14.04, 16.04: multiple vulnerabilities), libreoffice (12.04: code execution), oxide-qt (14.04, 16.04: multiple vulnerabilities), and qemu, qemu-kvm (12.04, 14.04, 16.04: multiple vulnerabilities).
The GNU C Library version 2.24 is now available
The 2.24 version of the GNU C Library (glibc) has been released. It comes with lots of bug fixes, including five for security vulnerabilities (four stack overflows and a memory leak). Some deprecated features have been removed, and the readdir_r() and readdir64_r() functions have been deprecated in favor of readdir() and readdir64(). There are also additions to the math library (nextup*() and nextdown*()) to return the next representable value toward either positive or negative infinity.
Breaking through censorship barriers, even when Tor is blocked (Tor Blog)
The Tor Blog looks at using Pluggable Transports to avoid country-level Tor blocking. There are some new easy-to-follow graphical directions for using the transports. "Many repressive governments and authorities benefit from blocking their users from having free and open access to the internet. They can simply get the list of Tor relays and block them. This bars millions of people from access to free information, often including those who need it most. We at Tor care about freedom of access to information and strongly oppose censorship. This is why we've developed methods to connect to the network and bypass censorship. These methods are called Pluggable Transports (PTs). Pluggable Transports are a type of bridge to the Tor network. They take advantage of various transports and make encrypted traffic to Tor look like not-interesting or garbage traffic. Unlike normal relays, bridge information is kept secret and distributed between users via BridgeDB."
Security updates for Thursday
CentOS has updated firefox (C5: multiple vulnerabilities) and squid (C6: code execution).
Debian has updated firefox-esr (multiple vulnerabilities) and wordpress (multiple vulnerabilities).
Debian-LTS has updated collectd (regression in previous security update), firefox-esr (multiple vulnerabilities), and libsys-syslog-perl (privilege escalation).
Fedora has updated firefox (F24: multiple vulnerabilities) and pbuilder (F24; F23: file overwrite).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).
Red Hat has updated squid (RHEL6: code execution).
Scientific Linux has updated firefox (multiple vulnerabilities), golang (SL7: denial of service), kernel (SL7: three vulnerabilities, one from 2015), and libtiff (SL7: multiple vulnerabilities, including some from 2014 and 2015).
SUSE has updated hawk2 (SLE12: clickjacking prevention).
[$] LWN.net Weekly Edition for August 4, 2016
The LWN.net Weekly Edition for August 4, 2016 is available.
Some news from LWN
It has been some time since our last update on the state of LWN itself. That's somewhat by design, as we'd rather be writing about the community and the code than ourselves. Occasionally, though, we do like to update our readers and subscribers on the state of the operation, especially when there is some news to report, as is the case now.
Security advisories for Wednesday
CentOS has updated firefox (C7; C6: multiple vulnerabilities), golang (C7: denial of service), kernel (C7: three vulnerabilities), and libtiff (C7; C6: multiple vulnerabilities).
Debian has updated curl (three vulnerabilities).
Debian-LTS has updated libidn (three vulnerabilities), libreoffice (code execution), and lighttpd (man-in-the-middle attacks).
Fedora has updated libreswan (F24: unspecified) and python-django (F24; F23: cross-site scripting).
Mageia has updated chromium-browser-stable (multiple vulnerabilities), java-1.8.0-openjdk (multiple vulnerabilities), php-ZendFramework (SQL injection), and wireshark (multiple vulnerabilities).
Oracle has updated golang (OL7: denial of service), kernel (OL7: three vulnerabilities), and libtiff (OL7; OL6: multiple vulnerabilities).
Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), golang (RHEL7: denial of service), kernel (RHEL7: three vulnerabilities), kernel-rt (RHEMRG2.5; RHEL7: two vulnerabilities), libtiff (RHEL7; RHEL6: multiple vulnerabilities), and ntp (RHEL6.7: multiple vulnerabilities).
Scientific Linux has updated libtiff (SL6: multiple vulnerabilities).
Ubuntu has updated php5, php7.0 (multiple vulnerabilities).
LibreOffice 5.2 released
The LibreOffice 5.2 release is out. "LibreOffice 5.2 provides document classification according to the TSCP standard, and a set of improved forecasting functions in Calc. In addition, multiple signature descriptions are now supported, along with import and export of signatures from OOXML files. Interoperability features have also been improved, with better Writer import filters for DOCX and RTF files, and the added support for Word for DOS legacy documents." There's a lot more; see the release notes [PDF] for an illustrated list. See also: this post from Michael Meeks on the last year of LibreOffice development.
[$] Statistics from the 4.7 development cycle
The 4.7 kernel was released on July 24, so longtime readers might be wondering where the usual development statistics are. We're running a little late this time around, but for good reason — Greg Kroah-Hartman obtained information from a large number of developers on who they work for, and we're now able to use that information to produce better numbers. Of course, the overall story hasn't changed a whole lot — kernel development is relatively boring and predictable these days — but each cycle still has a few noteworthy points. Click below (subscribers only) for the full article from this week's Kernel Page.
Firefox 48 released
Firefox 48 is out, featuring process separation (e10s) for some users, mandatory add-ons signatures, stable WebExtensions, enhanced download protection, and more. See the release notes for details.
Tuesday's security updates
Arch Linux has updated openssh (user enumeration via timing side-channel).
Fedora has updated dropbear (F23: multiple vulnerabilities), krb5 (F24: denial of service), p7zip (F23: two code execution flaws), php-doctrine-common (F24; F23: privilege escalation), and wireshark (F24: multiple vulnerabilities).
Oracle has updated kernel 2.6.39 (OL6; OL5: information disclosure).
SUSE has updated bsdtar (SLE11-SP4: multiple vulnerabilities) and kernel (SLERTE12-SP1: multiple vulnerabilities).
GNOME Maps has tiles again
GNOME Maps recently ran into a tile problem (LWN article) when a service it relied on shut down. Jonas Danielsson reports that Maps will be getting tiles from Mapbox. "We access Mapbox through a GNOME based redirect, so that we could redirect to something else if a similar situation would arise again."
Klitzke: Why Uber Engineering Switched from Postgres to MySQL
Evan Klitzke explains why Uber Engineering moved away from PostgreSQL. "The early architecture of Uber consisted of a monolithic backend application written in Python that used Postgres for data persistence. Since that time, the architecture of Uber has changed significantly, to a model of microservices and new data platforms. Specifically, in many of the cases where we previously used Postgres, we now use Schemaless, a novel database sharding layer built on top of MySQL. In this article, we’ll explore some of the drawbacks we found with Postgres and explain the decision to build Schemaless and other backend services on top of MySQL." (Thanks to Dimitri John Ledkov)
TP-Link agrees to allow third-party firmware in FCC settlement
The US Federal Communications Commission (FCC) has announced a settlement with network-hardware manufacturer TP-Link, covering both the company's non-compliance with FCC transmission-power regulations and the company's plan to lock out third-party firmware—including open-source firmware projects like OpenWrt. "While manufacturers of Wi-Fi routers must ensure reasonable safeguards to protect radio parameters, users are otherwise free to customize their routers and we support TP-Link’s commitment to work with the open-source community and Wi-Fi chipset manufacturers to enable third-party firmware on TP-Link routers." Under the settlement agreement, TP-Link will pay a $200,000 fine for shipping WiFi routers that could be configured to run above the permitted power limits, but it will also have to cooperate with open-source firmware projects to make sure they remain installable. TP-Link had moved to block user-installed firmware in March as its first attempt to satisfy the FCC's complaint about non-compliant power settings.
Security updates for Monday
Arch Linux has updated imagemagick (information leak) and libidn (multiple vulnerabilities).
Debian has updated chromium-browser (multiple vulnerabilities), collectd (code execution), libdbd-mysql-perl (code execution), and redis (information leak).
Debian-LTS has updated collectd (code execution), icedove (code execution), kde4libs (command execution), libdbd-mysql-perl (code execution), openssh (user enumeration via timing side-channel), qemu (multiple vulnerabilities), qemu-kvm (multiple vulnerabilities), redis (information leak), wordpress (multiple vulnerabilities), xen (multiple vulnerabilities), and xmlrpc-epi (denial of service).
Fedora has updated bind (F24: denial of service), bind99 (F24: denial of service), and php-pecl-zip (F24; F23: buffer overflow).
Gentoo has updated bsh (code execution).
Mageia has updated glibc, libtirpc (denial of service) and kernel (multiple vulnerabilities).
openSUSE has updated Chromium (13.1: multiple vulnerabilities), dropbear (13.1: multiple vulnerabilities), libidn (13.2: multiple vulnerabilities), mupdf (Leap42.1, 13.2: denial of service), php5 (Leap42.1: multiple vulnerabilities), polarssl (13.2: code execution), and sqlite3 (13.2: information leak).
Oracle has updated kernel 3.8.13 (OL7; OL6: information disclosure) and kernel-uek (OL7; OL6: multiple vulnerabilities).
SUSE has updated ntp (SLES10-SP4: many vulnerabilities).
Last chance to submit linux.conf.au talks
The CFP deadline for the 2017 linux.conf.au (January 16-20, Hobart) is August 5; the organizers are warning that, contrary to the usual LCA tradition, that deadline will not be extended this year. So anybody who thinks they may want to speak at LCA should get going on a proposal; see the CFP page for instructions.
OpenSSH 7.3 released
OpenSSH 7.3 is out. This release fixes a number of security issues (mostly related to timing attacks) and adds a handful of new minor features. The developers also warn that RSA keys less than 1024 bits will be refused in a near-future release.
The July 2016 Android security bulletin
The Android security bulletin for July covers the issues that have recently been fixed for supported Android devices. "The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files." There are several dozen CVE numbers listed overall, including 31 Qualcomm-specific vulnerabilities dating as far back as 2013.
Pagès: GIMP 2.9.4 and our vision for GIMP future
Jehan Pagès writes about the current GIMP development release and the plan from here. "I want to imagine a future where most big graphics program integrates GEGL, where Blender for instance would have GEGL as the new implementation of nodes, with image processing graphs which can be exchanged between programs, where darktable would share buffers with GIMP so that images can be edited in one program and updated in real time in the other, and so on. Well of course the short/mid-term improvements will be non-destructive editing with live preview on high bit depth images, and that’s already awesomely cool right?" See also the announcement for more information on the GIMP 2.9.4 release.
SPI board election results are available
Software in the Public Interest (SPI) has completed its 2016 board elections. There were two open seats on the board in addition to four board members whose terms were expiring. The six newly elected members of the board are Luca Filipozzi, Joerg Jaspert, Jimmy Kaplowitz, Andrew Tridgell, Valerie Young, and Martin Zobel-Helas. The full results, including voter statistics, are also available.
Friday's security updates
Debian-LTS has updated cakephp (denial of service) and perl (multiple vulnerabilities).
Fedora has updated drupal7-views (F24; F23: access bypass), golang (F24; F23: denial of service), java-1.8.0-openjdk (F24; F23: multiple vulnerabilities), php-guzzlehttp-guzzle (F24; F23: proxy injection), and php-guzzlehttp-guzzle6 (F24; F23: proxy injection).
Slackware has updated libidn (3.0, 13.1, 13.37, 14.0, 14.1, 14.2: multiple vulnerabilities).
SUSE has updated libarchive (SLE 12: multiple vulnerabilities).
Ingebrigtsen: The End of Gmane?
On his blog, Gmane creator and maintainer Lars Magne Ingebrigtsen warns that the email-to-news (and web) gateway may be disappearing soon. The site, which is hosted by his employer, has been under a distributed denial of service (DDoS) attack for the last few weeks, but there are other problems as well. "And now the DDoS stuff, which I have no idea why is happening, but I can only assume that somebody is angry about something. Probably me being a wise ass. So… it’s been 14 years… I’m old now. I almost threw up earlier tonight because I’m so stressed about the situation. I should retire and read comic books and watch films. Oh, and the day job. Work, work, work. Oh, and Gnus. I’m thinking about ending Gmane, at least as a web site. Perhaps continue running the SMTP-to-NNTP bridge? Perhaps not? I don’t want to make 20-30K mailing lists start having bouncing addresses, but I could just funnel all incoming mail to /dev/null, I guess…" The site, which has been relied on by many (including LWN) since it started in 2002, is down now and it appears to be unclear when (or if) it will be back.
Security advisories for Thursday
Debian has updated xen (multiple vulnerabilities, one from 2015).
Debian-LTS has updated tardiff (two vulnerabilities from 2015).
Fedora has updated httpd (F23: HTTP redirect), libarchive (F24: code execution), and libvirt (F23: authentication bypass).
openSUSE has updated dropbear (42.1, 13.2: multiple vulnerabilities), go (13.2: HTTP request smuggling flaws from 2015), karchive (42.1, 13.2: code execution), mbedtls (42.1: three vulnerabilities), python (42.1, 13.2: three vulnerabilities), and tiff (13.2: multiple vulnerabilities).
Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).
Scientific Linux has updated java-1.7.0-openjdk (multiple vulnerabilities).
[$] LWN.net Weekly Edition for July 28, 2016
The LWN.net Weekly Edition for July 28, 2016 is available.
[$] One-time passwords and GnuPG with Nitrokey
A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.6.5, 4.4.16, and 3.14.74. All of them contain important fixes.
A statement from the Tor project
Shari Steele has posted a statement from the Tor project on the results of an investigation into the allegations of harassment (and worse) within Tor and how the project will respond. "I am pleased, therefore, to announce that both the Tor Project and the Tor community are taking active steps to strengthen our ability to handle problems of unprofessional behavior. Specifically, the Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints, and an internal complaint review process. They were recently approved by Tor’s board of directors, and they will be rolled out internally this week."
Security advisories for Wednesday
CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), samba (C7: crypto downgrade), and samba4 (C6: crypto downgrade).
Debian has updated libgd2 (denial of service), mariadb-10.0 (multiple vulnerabilities), and php5 (multiple vulnerabilities).
Debian-LTS has updated libgd2 (denial of service).
Mageia has updated apache (HTTP redirect), harfbuzz (multiple vulnerabilities), libgd (three vulnerabilities), libidn (multiple vulnerabilities), libupnp (unauthenticated access), libxml2 (multiple vulnerabilities), mariadb (multiple vulnerabilities), mupdf (denial of service), php/xmlrpc-epi/timezone (multiple vulnerabilities), sudo (race condition), tomcat/apache-commons-fileupload (denial of service), and virtualbox (allows local users to affect availability).
Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.7: privilege escalation).
Scientific Linux has updated samba (SL7: crypto downgrade) and samba4 (SL6: crypto downgrade).
Ubuntu has updated kde4libs (15.10, 14.04, 16.04: command execution) and openjdk-8 (16.04: multiple vulnerabilities).
Sitter: Snappy sprint reporty musing
Harald Sitter reports on a discussion at a recent sprint focused on making Snap packaging useful for KDE. "Shipping things users can use on Linux has been a pain in the rear since forever and these bundles are meant to change that. As such we as KDE should have a strong interest and presence in this field in the hopes of shaping a future that is useful to us. After all, we are one of the biggest source distributors, and the primary reason we don't also offer generic binary packages of our applications is because this never scaled and was altogether terrible to pull off from a KDE point of view." He and Scarlett Clark are working on some high level mass automation of snap building on top of KDE Neon's existing deb binaries. (Thanks to Jos van den Oever)
Tuesday's security updates
Debian has updated ntp (multiple vulnerabilities).
Debian-LTS has updated cacti (three vulnerabilities), dietlibc (insecure default PATH), gosa (code injection), ntp (multiple vulnerabilities), squid (cache poisoning), and uclibc (three vulnerabilities).
Oracle has updated samba (OL7: crypto downgrade) and samba4 (OL6: crypto downgrade).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), samba (RHEL7: crypto downgrade), and samba4 (RHEL6: crypto downgrade).