OpenVZ 7.0 has been released. The new release focuses on merging the OpenVZ and Virtuozzo source codebases and replacing its hypervisor with KVM. There are many other improvements and new features in container management and more.
InfoWorld takes a look at the upcoming OpenBSD 6.0 release. "Most significant among the latest security-related changes for OpenBSD is the removal of Linux emulation support. Prior versions of OpenBSD made it possible to run Linux applications by way of a compatibility layer, but the release notes for OpenBSD 6.0 indicate the Linux subsystem was removed as a 'security improvement.'"
Arch Linux has updated chromium (multiple vulnerabilities), python-django (cross-site scripting), and python2-django (cross-site scripting). Debian has updated openssh (user enumeration via timing side-channel), perl (two vulnerabilities), and phpmyadmin (multiple vulnerabilities). Debian-LTS has updated squid3 (denial of service). Fedora has updated ca-certificates (F24: certificate update), gd (F24: multiple vulnerabilities), httpd (F24: HTTP redirect), kf5-karchive (F24; F23: command execution; over a hundred related KDE Frameworks packages were included in this update), libgcrypt (F24: key leak), libidn (F24: multiple vulnerabilities), libvirt (F24: authentication bypass), and mingw-gnutls (F24: certificate verification vulnerability). openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities) and gnugk (Leap42.1, 13.2: denial of service). Red Hat has updated mariadb55-mariadb (RHSCL: many vulnerabilities) and mysql55-mysql (RHSCL: many vulnerabilities). Slackware has updated bind (denial of service).
Linus has returned from his travels and released the 4.7 kernel. The most significant changes in this release include the tracing histograms feature, in-kernel tracing analysis via the ability to attach BPF programs to tracepoints, the LoadPin security module, better out-of-memory detection, faster filesystem operations with parallel pathname lookups, the schedutil CPU frequency governor, and more. See the KernelNewbies 4.7 page for lots of details.
At his blog, Matthias Clasen explores the recent enhancements to the classic GNU gettext utility. Thanks in large part to new maintainer Daiki Ueno, gettext now understands many more file formats, thus enabling developers to easily extract strings from a wide variety of source files for translation. In addition to programming languages, Clasen notes, gettext understands .desktop files, GSettings schemas, GtkBuilder ui files, and Appdata files. "If you don’t want to wait for your favorite format to come with built-in its support, you can also include its files with your application; gettext will look for such files in $XDG_DATA_DIRS/gettext/its/."
The Electronic Frontier Foundation (EFF) has announced that it is suing the US government over provisions in the Digital Millennium Copyright Act (DMCA). The suit has been filed on behalf of Andrew "bunnie" Huang, who has a blog post describing the reasons behind the suit. The EFF also explained why these DMCA provisions should be ruled unconstitutional: "These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing. Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people’s ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials."
Arch Linux has updated bind (denial of service). CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities). Debian-LTS has updated libarchive (multiple vulnerabilities, most from 2015). Fedora has updated openssh (F24: user enumeration via timing side-channel) and p7zip (F24: two code execution flaws). openSUSE has updated dhcp (42.1: denial of service). Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities). Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), and openstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015). Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities). SUSE has updated obs-service-source_validator (SLE12: code execution).
Congratulations are due to Alan Cox, who was awarded an honorary degree by Swansea University for his work with Linux. "Alan started working on Version 0. There were bugs and problems he could correct. He put Linux on a machine in the Swansea University computer network, which revealed many problems in networking which he sorted out; later he rewrote the networking software. Alan brought to Linux software engineering discipline: Linux software releases that were tested, corrected and above all stable. On graduating, Alan worked at Swansea University, set up the UK Linux server and distributed thousands of systems."
Benjamin Smedberg writes that the Firefox browser will soon start taking a more active approach to the elimination of Flash content. "Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness."
Debian has updated apache2 (HTTP redirect). Debian-LTS has updated apache2 (HTTP redirect). Fedora has updated ecryptfs-utils (F24: two vulnerabilities), kernel (F24; F23: multiple vulnerabilities), php-doctrine-orm (F24; F23: privilege escalation), and spice (F24: two vulnerabilities). Gentoo has updated ansible (code execution), arpwatch (privilege escalation from 2012), bugzilla (multiple vulnerabilities from 2014), commons-beanutils (code execution from 2014), dropbear (information disclosure), exim (code execution from 2014), libbsd (denial of service), ntp (many vulnerabilities), and varnish (access control bypass). openSUSE has updated ImageMagick (Leap42.1: many vulnerabilities), nodejs (Leap42.1, 13.2: buffer overflow), and samba (13.2: crypto downgrade). Red Hat has updated java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities). SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities). Ubuntu has updated python-django (16.04: cross-site scripting).
The Register reports that longtime Tor contributor Lucky Green is quitting and closing down the node and bridge authority he operates. "Practically, it's a big deal. Bridge Authorities are part of the infrastructure that lets users get around some ISP-level blocks on the network (not, however, defeating deep packet inspection). They're also incorporated in the Tor code, meaning that to remove a Bridge Authority is going to need an update." The shutdown is scheduled for August 31. (Thanks to Nomen Nescio)
The Software Freedom Conservancy is one of the few organizations involved in GPL enforcement, and it has published principles regarding enforcement practices that seek compliance and not financial penalties. Bradley Kuhn and Karen Sandler urge others doing GPL enforcement to follow principles set forth by the SFC. "One impetus in drafting the Principles was our discovery of ongoing enforcement efforts that did not fit with the GPL enforcement community traditions and norms established for the last two decades. Publishing the previously unwritten guidelines has quickly separated the wheat from the chaff. Specifically, we remain aware of multiple non-community-oriented GPL enforcement efforts, where none of those engaged in these efforts have endorsed our principles nor pledged to abide by them. These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years." The actions of one individual prompted the netfilter project to make a statement endorsing the principles, which we covered earlier this month.
Version 1.0 of the Qt WebBrowser has been released. Qt WebBrowser is a browser for embedded devices developed using the capabilities of Qt and Qt WebEngine. "The browser is optimized for embedded touch displays (running Linux), but you can play with it on the desktop platforms, too! Just make sure that you have Qt WebEngine, Qt Quick, and Qt VirtualKeyboard installed (version 5.7 or newer). For optimal performance on embedded devices you should plan for hardware-accelerated OpenGL, and around 1 GiByte of memory for the whole system. Anyhow, depending on your system configuration and the pages to be supported there is room for optimization."
ComputerWorld talks with Jim Hall, a contributor to FreeDOS. "FreeDOS (it was originally dubbed ‘PD-DOS’ for ‘Public Domain DOS’, but the name was changed to reflect that it’s actually released under the GNU General Public License) dates back to June 1994, meaning it is just over 22 years old — a formidable lifespan compared to many open source projects. “And if you consider the DOS platform, MS-DOS 1.0 dates back to 1981, ‘DOS’ as an operating system has been around for 35 years! That’s not too shabby,” Hall said. (Version 1.0 of MS-DOS — then marketed by IBM as PC DOS — was released in August 1981.)" (Thanks to Paul Wise)
Canonical has disclosed that the Ubuntu forum system has been compromised. "The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table. They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed."
The lowRISC project, which is an effort to develop a fully open-source, Linux-powered system-on-chip based on the RISC-V architecture, has published notes from the fourth RISC-V workshop. Notably, the post explains, the members of the RISC-V foundation voted to keep the RISC-V instruction-set architecture (ISA) and related standards open and license-free to all parties. The post also includes accounts of the work on RISC-V interrupts, heterogeneous multicore RISC-V processors, support for non-volatile memory, and Debian's RISC-V port.
Over at Linux.com, Eric Brown writes about the release of Automotive Grade Linux (AGL) Unified Code Base (UCB) 2.0 for in-vehicle infotainment (IVI) systems. "The latest version adds features like audio routing, rear seat display support, the beginnings of an app platform, and new development boards including the DragonBoard, Wandboard, and Raspberry Pi. AGL’s Yocto Project derived UCB distro, which is also based in part on the GENIVI and Tizen automotive specs, was first released in January. UCB 1.0 followed an experimental AGL stack in 2014 and an AGL Requirements Specification in June 2015. UCB is scheduled for a 3.0 release in early 2017, at which point some automotive manufacturers will finally use it in production cars. Most of the IVI software will be based on UCB, but carmakers can also differentiate with their own features." We looked at AGL UCB 1.0 back in January.
Fedora has updated gnutls (F23: certificate verification botch). Gentoo has updated flash (many vulnerabilities). openSUSE has updated flash-player (13.2: many vulnerabilities) and kernel (42.1: multiple vulnerabilities). Red Hat has updated flash-plugin (RHEL 5&6: many vulnerabilities) and rh-nginx18-nginx (RHSC: multiple vulnerabilities). SUSE has updated MozillaFirefox, MozillaFirefox-branding-SLE, and mozilla-nss (SLE11: multiple vulnerabilities).
The Tor Project has announced a new board of directors. "As Tor's board of directors, we consider it our duty to ensure that the Tor Project has the best possible leadership. The importance of Tor's mission requires it; the public standing of the organization makes it possible; and we are committed to achieve it. We had that duty in mind when we conducted an Executive Director search last year, and appreciate the leadership Shari Steele has brought. To support her, we further believe that it is time that we pass the baton of board oversight as the Tor Project moves into its second decade of operations."
CentOS has updated kernel (C6: privilege escalation). Fedora has updated python (F24: heap corruption), python3 (F24: heap corruption), and squid (F24; F23: multiple vulnerabilities). Mageia has updated flash-player-plugin (multiple vulnerabilities). Oracle has updated kernel (OL6: privilege escalation). Red Hat has updated kernel (RHEL7: denial of service) and kernel (RHEL6: privilege escalation). Scientific Linux has updated thunderbird (SL5,6,7: code execution). Ubuntu has updated pidgin (15.10, 14.04, 12.04: multiple vulnerabilities).
Software in the Public Interest has announced its 2015 Annual Report (PDF), covering the 2015 calendar year. The annual report covers SPI's finances, elections, board members, committees, associated projects, and other significant changes throughout the year.
Dave Herman reports that with Firefox 48, Mozilla will ship its first Rust component to all desktop platforms. "One of the first groups at Mozilla to make use of Rust was the Media Playback team. Now, it’s certainly easy to see that media is at the heart of the modern Web experience. What may be less obvious to the non-paranoid is that every time a browser plays a seemingly innocuous video (say, a chameleon popping bubbles), it’s reading data delivered in a complex format and created by someone you don’t know and don’t trust. And as it turns out, media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in Web browsers’ implementation code. This makes a memory-safe programming language like Rust a compelling addition to Mozilla’s tool-chest for protecting against potentially malicious media content on the Web."
On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. "Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put its panels, but does not have any meaning for normal windows. Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screen”. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it. Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry."
Linus has released the 4.7-rc7 kernel prepatch. "Anyway, there's a couple of regressions still being looked at, but unless anything odd happens, this is going to be the last rc. However, due to my travel schedule, I won't be doing the final 4.7 next weekend, and people will have two weeks to report (and fix) any remaining bugs. Yeah, that's the ticket. My travel schedule isn't screwing anything up, instead think of it as you guys getting a BONUS WEEK! Yay!" See the current list of reported regressions for the known issues remaining in the 4.7 kernel.
Python applications, like those written in other languages, often need to obtain random data for purposes ranging from cryptographic key generation to initialization of scientific models. For years, the standard way of getting that data has been a call to os.urandom(), which is documented to "return a string of n random bytes suitable for cryptographic use." An enhancement in Python 3.5 caused a subtle change in how os.urandom() behaves on Linux systems, leading to some long, heated discussions about how randomness should be obtained in Python programs. When the dust settles, Python benevolent dictator for life (BDFL) Guido van Rossum will have the unenviable task of choosing between two competing proposals.
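As an added illustration (not code from the article or from CPython), the following probes the condition behind the Linux behavior change the article alludes to: Python 3.5's os.urandom() started using the getrandom() system call, which blocks until the kernel's random pool is initialized, something that matters early in boot. It assumes os.getrandom() and os.GRND_NONBLOCK, which exist in Python 3.6 and later on Linux, and degrades to "unknown" elsewhere.

```python
import os

# Constructed example: detect whether os.urandom() would block right now.
# Background not stated on the page: Python 3.5's os.urandom() on Linux
# switched to getrandom(2), which blocks until the kernel's random pool
# has been initialized (typically only a concern early in boot).
#
# os.getrandom() / os.GRND_NONBLOCK are Python 3.6+ and Linux-only, so the
# probe returns None rather than guessing on other platforms.


def urandom_pool_ready():
    """Return True if os.urandom() would not block, False if the kernel pool
    is still initializing, or None when this cannot be determined here."""
    getrandom = getattr(os, "getrandom", None)
    nonblock = getattr(os, "GRND_NONBLOCK", None)
    if getrandom is None or nonblock is None:
        return None
    try:
        getrandom(1, nonblock)
    except BlockingIOError:
        # getrandom(2) fails with EAGAIN under GRND_NONBLOCK while the pool is
        # initializing; this is exactly the window in which urandom() blocks.
        return False
    except OSError:
        # e.g. ENOSYS on kernels that predate the getrandom syscall
        return None
    return True


def generate_key(nbytes=32):
    """Return nbytes of key material from os.urandom(), the interface the
    article describes as the standard source of cryptographic randomness.
    The random module is deliberately not used as a fallback: it is not
    suitable for keys."""
    if nbytes <= 0:
        raise ValueError("key length must be positive")
    key = os.urandom(nbytes)
    if len(key) != nbytes:
        raise OSError("short read from os.urandom()")
    return key


if __name__ == "__main__":
    print("random pool ready:", urandom_pool_ready())
    print("32-byte key:", generate_key().hex())
```

On a long-running system the probe returns True; a False result during early boot is the situation the two competing proposals are arguing over.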
On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox. "Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system. Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t. Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access. Regardless which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system. The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox."
Debian-LTS has updated clamav (update to 0.99.2), icu (three vulnerabilities, two from 2015), and tcpreplay (denial of service). openSUSE has updated php5 (13.2: multiple vulnerabilities, one from 2015). Slackware has updated samba (crypto downgrade).
Ars Technica reports on the "HummingBad" malware that has infected millions of Android devices: "Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android." The article is based on a report [PDF] from Check Point, though the article notes that "researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices".
Debian has updated horizon (two vulnerabilities, one from 2015). openSUSE has updated ImageMagick (13.2: many vulnerabilities, lots from 2014 and 2015) and qemu (42.1: many vulnerabilities, lots from 2015). Scientific Linux has updated ocaml (SL7: information leak from 2015). Ubuntu has updated tomcat8 (16.04: denial of service). In addition, Ubuntu has announced the end of life for 15.10 on July 28 and the end of life for 14.04.x hardware-enablement (HWE) stacks on August 4.
The Debian Edu team has announced Debian Edu 8+edu0 "Jessie", the latest Debian Edu / Skolelinux release. Debian Edu, also known as Skolelinux, provides a complete solution for schools. Debian Edu 8 is based on Debian 8 "Jessie", update 8.5. "Do you have to administrate a computer lab or a whole school network? Would you like to install servers, workstations and laptops which will then work together? Do you want the stability of Debian with network services already preconfigured? Do you wish to have a web-based tool to manage systems and several hundred or even more user accounts? Have you asked yourself if and how older computers could be used? Then Debian Edu is for you. The teachers themselves or their technical support can roll out a complete multi-user multi-machine study environment within a few days. Debian Edu comes with hundreds of applications pre-installed, but you can always add more packages from Debian."
The digiKam team has announced the release of digiKam Software Collection 5.0.0. "This release marks an almost complete port of the application to Qt5. All Qt4/KDE4 code has been removed and many parts have been re-written, reviewed, and tested. Porting to Qt5 required a lot of work, as many important APIs had to be changed or replaced by new ones. In addition to code porting, we introduced several changes and optimizations, especially regarding dependencies on the KDE project. Although digiKam is still a KDE desktop application, it now uses many Qt dependencies instead of KDE dependencies. This simplifies the porting job on other operating systems, code maintenance, while reducing the sensitivity of API changes from KDE project."
Those who are anxiously awaiting this week's edition later today (or tomorrow, depending on time zone) will have to wait another day. The US Independence Day holiday fell on Monday, so LWN staff took that day off for barbecues, fireworks, and other festivities. That means the edition will go out sometime in the early morning hours UTC on Friday, July 8. For those who celebrated the holiday, we hope you had a great one; for those who didn't, we certainly hope you had a great day too! We will be back on our normal schedule next week.
The last time LWN looked at formatted kernel documentation in January, it seemed like the merging of AsciiDoc support for the kernel's structured source-code documentation ("kernel-doc") comments was imminent. As Jonathan Corbet, in the capacity of the kernel documentation maintainer, wrote: "A good-enough solution that exists now should not be held up overly long in the hopes that vague ideas for something else might turn into real, working code." Sometimes, however, the threat that something not quite perfect might be merged is enough to motivate people to turn those vague ideas into something real. Subscribers can click below to see the full story by guest author (and the developer behind most of the Sphinx work) Jani Nikula.
KDE Plasma 5.7 has been released. This release features the return of the agenda view in the calendar, improvements to the Volume Control applet that allow volume control on a per-application basis, improved Wayland support, and more. "This release brings Plasma closer to the new windowing system Wayland. Wayland is the successor of the decades-old X11 windowing system and brings many improvements, especially when it comes to tear-free and flicker-free rendering as well as security. The development of Plasma 5.7 for Wayland focused on quality in the Wayland compositor KWin. Over 5,000 lines of auto tests were added to KWin and another 5,000 lines were added to KWayland which is now released as part of KDE Frameworks 5."
The 4.7-rc6 kernel prepatch is out, right on schedule. "I'd love to tell you that things are calming down, and we're shrinking, but that would be a lie. It's not like this is a huge rc, but it's definitely bigger than the previous rc's were. I don't think that's necessarily a big problem, it seems to be mostly timing."
The Slackware Linux Project has announced the release of Slackware version 14.2. "Slackware 14.2 brings many updates and enhancements, among which you'll find two of the most advanced desktop environments available today: Xfce 4.12.1, a fast and lightweight but visually appealing and easy to use desktop environment, and KDE 4.14.21 (KDE 4.14.3 with kdelibs-4.14.21) a stable release of the 4.14.x series of the award-winning KDE desktop environment. These desktops utilize eudev, udisks, and udisks2, and many of the specifications from freedesktop.org which allow the system administrator to grant use of various hardware devices according to users' group membership so that they will be able to use items such as USB flash sticks, USB cameras that appear like USB storage, portable hard drives, CD and DVD media, MP3 players, and more, all without requiring sudo, the mount or umount command. Just plug and play. Slackware's desktop should be suitable for any level of Linux experience." See the release notes for more details.
Rails 5.0 has been released. The announcement highlights two new features, the ActionCable framework for handling WebSockets and an "API mode" for interfacing with client-side JavaScript. Development of the latter feature is ongoing; progress can be tracked in the JSONAPI::Resources repository. There are quite a few other new features to be found in the update as well; the release announcement provides links to detailed ChangeLogs for various subprojects.