LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2024-11-25 22:15
Kernel prepatch 4.1-rc8
As promised, the 4.1-rc8 kernel prepatch is out. "So I'm on vacation, but time doesn't stop for that, and it's Sunday, so time for a hopefully final rc."
TeX Live 2015 is available
The 2015 edition of the TeX Live software distribution, the "easy way to get up and running with the TeX document production system," has been released. DVDs are in production for members of the TeX Users Group (TUG), though many will probably prefer the downloadable release. The changes included in this edition include the merging of several LaTeX fixes from external packages into LaTeX itself, JPEG Exif support in pdfTeX, and image-handling fixes in XeTeX.
MATE 1.10 released
Version 1.10 of the MATE Desktop has been released. Perhaps the most notable new feature is that all MATE components can now be built with GTK+2 or GTK+3, although GTK+3 support is still labeled "experimental." Also new in this update are ePub support in the Atril document viewer and a new audio-mixing library named libmatemixer.
Friday's security updates
Arch Linux has updated openssl (multiple vulnerabilities). Debian-LTS has updated imagemagick (multiple vulnerabilities) and strongswan (information disclosure). Fedora has updated qemu (F22: denial of service). openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities), python-setuptools (13.1: non-secure SSL hostname matching), and tidy (13.1, 13.2: buffer overflow). Oracle has updated wpa_supplicant (O7: multiple vulnerabilities). Red Hat has updated wpa_supplicant (RHEL7: multiple vulnerabilities). Scientific Linux has updated wpa_supplicant (SL7: multiple vulnerabilities). Slackware has updated openssl (multiple vulnerabilities) and php (S14: multiple vulnerabilities). SUSE has updated cups (SLE12: multiple vulnerabilities), cups154 (SLE12: multiple vulnerabilities), flash-player (SLE12: multiple vulnerabilities), and xen (SLE11 SP3; SLE12: multiple vulnerabilities). Ubuntu has updated openssl (multiple vulnerabilities).
The hidden costs of embargoes (Red Hat Security Blog)
Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping the information about security vulnerabilities quiet until distributions can coordinate their releases of a fix for it seems like it makes a lot of sense, but there are hidden costs to that. "Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for 'because of an incomplete fix for'."
Security advisories for Thursday
CentOS has updated kernel (C6: multiple vulnerabilities) and qemu-kvm (C6: code execution). Debian-LTS has updated wireshark (WCP dissector crash). Fedora has updated cabal-install (F22: force digest authentication), freecad (F22: code execution), fusionforge (F22; F21: code execution), haskell-platform (F22: force digest authentication), less (F21: information leak), libreswan (F22; F21: denial of service), python-tornado (F21: TLS side-channel attack), and thermostat (F21: code execution). openSUSE has updated proftpd (13.2, 13.1: two vulnerabilities, one from 2013), wpa_supplicant (13.2, 13.1: three vulnerabilities), and zeromq (13.2, 13.1: protocol downgrade). Oracle has updated qemu-kvm (OL6: code execution) and kernel (OL6; OL5: three vulnerabilities). Red Hat has updated qemu-kvm (RHEL6: code execution) and qemu-kvm-rhev (RHEL6OSP: code execution). Scientific Linux has updated abrt (SL7: multiple vulnerabilities) and qemu-kvm (SL6: code execution). Ubuntu has updated kernel (15.04; 14.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: two vulnerabilities), linux-lts-vivid (14.04: three vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
LinkedIn open-sources Pinot
LinkedIn has announced the release of its "Pinot" analytics system under the Apache license. "We’ve been using it at LinkedIn for more than two years, and in that time, it has established itself as the de facto online analytics platform to provide valuable insights to our members and customers. At LinkedIn, we have a large deployment of Pinot storing 100’s of billions of records and ingesting over a billion records every day."
[$] LWN.net Weekly Edition for June 11, 2015
The LWN.net Weekly Edition for June 11, 2015 is available.
[$] Resurrecting the SuperH architecture
Processor architectures are far from trivial; untold millions of dollars and many thousands of hours have likely gone into the creation and refinement of the x86 and ARM architectures that dominate the CPUs in Linux boxes today. But that does not mean that x86 and ARM are the only architectures of value, as Jeff Dionne, Rob Landley, and Shumpei Kawasaki illustrated in their LinuxCon Japan session "Turtles all the way down: running Linux on open hardware." The team has been working on breathing new life into a somewhat older architecture that offers comparable performance to many common system-on-chip (SoC) designs—and which can be produced as open hardware. Click below (subscribers only) for the full report from LinuxCon Japan.
Huston: Multipath TCP
Geoff Huston has written a lengthy column on multipath TCP. "For many scenarios there is little value in being able to use multiple addresses. The conventional behavior is where each new session is directed to a particular interface, and the session is given an outbound address as determined by local policies. However, when we start to consider applications where the binding of location and identity is more fluid, and where network connections are transient, and the cost and capacity of connections differ, as is often the case in today's mobile cellular radio services and in WiFi roaming services, then having a session that has a certain amount of agility to switch across networks can be a significant factor." (See also: LWN's look at the Linux multipath TCP implementation from 2013).
Inside NGINX: How We Designed for Performance & Scale
The folks behind the NGINX web server have put up a highly self-congratulatory article on how the system was designed. "NGINX scales very well to support hundreds of thousands of connections per worker process. Each new connection creates another file descriptor and consumes a small amount of additional memory in the worker process. There is very little additional overhead per connection. NGINX processes can remain pinned to CPUs. Context switches are relatively infrequent and occur when there is no work to be done."
Security updates for Wednesday
Arch Linux has updated cups (two vulnerabilities). Debian has updated cups (two vulnerabilities). Debian-LTS has updated libapache-mod-jk (information disclosure) and libraw (denial of service). Oracle has updated abrt (OL7: multiple vulnerabilities) and kernel (OL6: multiple vulnerabilities). Red Hat has updated abrt (RHEL7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiple vulnerabilities), and kernel (RHEL6; RHEL6.2: multiple vulnerabilities). Scientific Linux has updated kernel (SL6: multiple vulnerabilities). Ubuntu has updated cups (15.04, 14.10, 14.04, 12.04: two vulnerabilities) and qemu, qemu-kvm (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
[$] Obstacles to contribution in embedded Linux
Tim Bird has worked with embedded Linux for many years; during this time he has noticed an unhappy pattern: many of the companies that use and modify open-source software are not involved with the communities that develop that software. That is, he said, "a shame." In an attempt to determine what is keeping companies from contributing to the kernel in particular, the Consumer Electronics Linux Forum (a Linux Foundation workgroup) has run a survey of embedded kernel developers. The resulting picture highlights some of the forces keeping these developers from engaging with the development community and offers some ideas for improving the situation.
Tuesday's security advisories
Debian-LTS has updated cups (two vulnerabilities). Fedora has updated fuse (F21: privilege escalation), mbedtls (F22: code execution), python-tornado (F22: side-channel attack), and thermostat (F22: code execution). Mageia has updated ipsec-tools (denial of service), jackrabbit (information leak), php-ZendFramework (CRLF injection), and rabbitmq-server (multiple vulnerabilities). Ubuntu has updated strongswan (15.04, 14.10, 14.04: information disclosure).
As open source code, Apple's Swift language could take flight (ITWorld)
ITWorld reports that Apple will release its Swift programming language under an open source license. "When Swift becomes open source later this year, programmers will be able to compile Swift programs to run on Linux as well as on OS X and iOS, said Craig Federighi, Apple’s head of software engineering, during the opening keynote of Apple’s Worldwide Developers Conference Monday in San Francisco. The source code will include the Swift compiler and standard library, and community contributions will be “accepted—and encouraged,” Apple said."
Security advisories for Monday
Debian has updated php5 (multiple vulnerabilities), redis (code execution), and strongswan (information disclosure). Debian-LTS has updated fuse (privilege escalation). Fedora has updated dcraw (F22; F21; F20: denial of service), fuse (F22: privilege escalation), ipsec-tools (F21; F20: denial of service), less (F22: information leak), ntfs-3g (F21: privilege escalation), php-symfony (F22; F21; F20: restriction bypass), ufraw (F22; F21; F20: denial of service), and zarafa (F21; F20: file overwrites). Scientific Linux has updated openssl (SL6,7: cipher-downgrade attacks). SUSE has updated cups (SLE11SP3: privilege escalation).
Some stable kernel updates
The 4.0.5, 3.14.44, and 3.10.80 stable kernels have been released. These contain a number of important bug fixes, including the fixes for the ext4 and RAID 0 data corruption issues discussed in this article. At LinuxCon Japan last week it was announced that the next long-term stable release, to be maintained for two years, will be 4.1.
Kernel prepatch 4.1-rc7
The 4.1-rc7 prepatch is out. "Normally rc7 tends to be the last rc release, and there's not a lot going on to really merit anything else this time around. However, we do still have some pending regressions, and as mentioned last week I also have my yearly family vacation coming up, so we'll have an rc8 and an extra week before 4.1 actually gets released."
Let's Encrypt Root and Intermediate Certificates
The Let's Encrypt project has announced that it has created the root and intermediate keys and certificates it will use to sign certificates. Let's Encrypt is the no-cost certificate authority announced by the Electronic Frontier Foundation (EFF) back in November. In April, the Linux Foundation announced that it would be hosting the project. "The keys and certificates that will underlie Let’s Encrypt have been generated. This was done during a key ceremony at a secure facility today." The intermediate certificates will be cross-signed by IdenTrust so that they will be accepted by browsers before the Let's Encrypt root certificate has been propagated. A bit more news from the blog post: "In the next few weeks, we’ll be saying some more about our plans for going live."
Security updates for Friday
Arch Linux has updated pcre (code execution). CentOS has updated openssl (C7; C6: cipher downgrade). Fedora has updated batik (F22; F21; F20: information leak), netty (F21: httpOnly cookie bypass), and pcs (F22; F21; F20: two vulnerabilities). openSUSE has updated e2fsprogs (13.2; 13.1: two vulnerabilities) and fuse (13.1: privilege escalation). Oracle has updated openssl (OL7; OL6: cipher downgrade). Red Hat has updated openssl (RHEL6&7: cipher downgrade).
GNU Octave 4.0.0 Released
GNU Octave, which is a high-level programming language for numerical computations that is largely compatible with MATLAB, has made its 4.0 release. There are lots of new features in this major release, which are described in the release notes. Some of those features include defaulting to the graphical user interface instead of the command-line interface, OpenGL graphics and Qt widgets by default, a new syntax for object-oriented programming using classdef, audio functions, better MATLAB compatibility, and more.
Thursday's security alerts
Debian has updated libapache-mod-jk (information disclosure). Debian-LTS has updated mercurial (two code execution flaws). Oracle has updated kernel (OL5: unspecified vulnerabilities). Red Hat has updated php54 (RHSC6&7: multiple vulnerabilities), php55 (RHSC6&7: multiple vulnerabilities), python27 (RHSC6&7: multiple vulnerabilities, two from 2013), and thermostat1 (RHSC6&7: code execution). Ubuntu has updated t1utils (14.10, 14.04: code execution).
[$] LWN.net Weekly Edition for June 4, 2015
The LWN.net Weekly Edition for June 4, 2015 is available.
Emergency security band-aids with Systemtap
Here's an article on the Red Hat security blog on the use of Systemtap to apply emergency security fixes. "With the vulnerability-band-aid approach chosen, we need to express our intent in the systemtap scripting language. The model is simple: for each place where the state change is to be done we place a probe. In each probe handler, we detect whether the context indicates an exploit is in progress and, if so, make changes to the context. We might also need additional probes to detect and capture state from before the vulnerable section of code, for diagnostic purposes."
[$] Automotive Grade Linux and a distribution for cars
At the 2015 Automotive Linux Summit in Tokyo, Dan Cauchy from the Linux Foundation (LF) kicked off the first day's program with an announcement: that the LF's Automotive Grade Linux (AGL) workgroup has decided to build its own Linux distribution, which it plans to run as an ongoing, long-term project. While the desire for a workgroup to create a distribution tailored to its needs is nothing new, the announcement had several in the crowd wondering what this decision meant for Tizen IVI—which, up until now, has served as the reference distribution for AGL. Tizen, of course, is also an LF-hosted project, and it has made in-vehicle infotainment (IVI) one of its high-priority use cases.
Security advisories for Wednesday
CentOS has updated kernel (C5: privilege escalation). Debian has updated jqueryui (regression in previous update) and wireshark (multiple vulnerabilities). Fedora has updated httpd (F21: mis-handling of Require directives), libtiff (F22: two vulnerabilities), nss (F22: cipher-downgrade attacks), nss-softokn (F22: cipher-downgrade attacks), and nss-util (F22: cipher-downgrade attacks). openSUSE has updated fuse (13.2: privilege escalation), nbd (13.2, 13.1: denial of service), and php5 (13.2, 13.1: multiple vulnerabilities). Oracle has updated kernel (OL5: privilege escalation). Red Hat has updated kernel (RHEL5: privilege escalation) and virtio-win (RHEL7; RHEL6: denial of service). Scientific Linux has updated kernel (SL5: privilege escalation). Ubuntu has updated qt4-x11, qtbase-opensource-src (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Virtuozzo source code available
The OpenVZ team has announced the open source code release of several Virtuozzo userspace utilities. The utilities include prlctl, a unified command line tool to manage virtual machines and containers; libprlsdk, Virtuozzo API C++ and python libraries, used for local and remote communications with a dispatcher management service; prl-disp-service, a primary Containers and Virtual machines management service; libvzctl, a low-level library for Containers management; libvzevent, a low-level library for Containers life-cycle notifications from the kernel; vzctl, a utility to control Containers; and vztt, a utility for Containers templates management.
First Open Automotive Grade Linux Spec Released (Linux.com)
Linux.com talks with Dan Cauchy, general manager of automotive at the Linux Foundation, about the release of the AGL Requirements Specification. "In July 2014, AGL released its first AGL reference platform built on the Tizen IVI platform running HTML5 apps. The new release instead details precise specifications and requirements for any AGL-compliant IVI stack. For the first time, automakers, automotive suppliers, and open source developers can collaborate on refining the spec -- the first draft of a common, Linux-based software stack for the connected car."
Firefox 38.0.5
Firefox 38.0.5 has been released. This version introduces Pocket, which helps you keep track of articles and videos. Clean formatting for articles and blog posts with Reader View is also a new feature. See the release notes for more information.
Tuesday's security updates
Fedora has updated kernel (F22; F21: denial of service), libinfinity (F22; F21; F20: incorrect validation of certificates), nss (F21: cipher-downgrade attacks), nss-softokn (F21: cipher-downgrade attacks), nss-util (F21: cipher-downgrade attacks), ntfs-3g (F22: privilege escalation), and php-ZendFramework (F21; F20: CRLF injection). openSUSE has updated xen (13.1: two vulnerabilities). Ubuntu has updated apache2 (12.04: multiple vulnerabilities), ipsec-tools (12.04: denial of service), and openssl (15.04, 14.10, 14.04, 12.04: cipher-downgrade attacks).
Conservancy Seeks Your Questions on GPL Enforcement
Software Freedom Conservancy has announced a long-term campaign to increase education and understanding about community-driven GPL enforcement processes. "Conservancy invites developers and other Open Source and Free Software contributors to email their questions on GPL enforcement to <enforcement-questions@sfconservancy.org>. Conservancy cannot promise to answer every question; Conservancy will use the collected questions over the coming months to provide more educational and informational materials about GPL enforcement, and in particular about Conservancy's GPL Compliance Project for Linux Developers."
Security advisories for Monday
Debian has updated fusionforge (code execution), postgresql-9.1 (regression in previous update), and symfony (restriction bypass). Debian-LTS has updated ipsec-tools (denial of service), ruby1.9.1 (multiple vulnerabilities), and wordpress (multiple vulnerabilities). Fedora has updated gcab (F21: directory traversal), libtiff (F21: two vulnerabilities), netty (F22: HttpOnly cookie bypass), php-ZendFramework (F22: CRLF injection), python-django (F22: incorrect session flushing), suricata (F21: denial of service), torque (F22; F21; F20: denial of service), and zeromq (F22: security bypass). Gentoo has updated adobe-flash (multiple vulnerabilities) and phpmyadmin (multiple vulnerabilities). openSUSE has updated Chromium (13.2, 13.1: multiple vulnerabilities), parallel (13.2, 13.1: file overwrite), and mysql-connector-java (13.2, 13.1: information disclosure). SUSE has updated firefox (SLE11SP3: multiple vulnerabilities).
Kernel prepatch 4.1-rc6
The 4.1-rc6 kernel prepatch is out. Linus says that "things look normal."
Linux support for digital video broadcasting
Mauro Carvalho Chehab, the maintainer of the kernel's media subsystem, has posted the first two in a series of articles on digital video broadcasting support in Linux. Part 1 gives an overview of how the devices and protocols work, while part 2 looks at digital TV network interface use. "Supporting embedded Digital TV hardware is complex, considering that such hardware generally has multiple components that can be rewired in runtime to dynamically change the stream pipelines and provide flexibility for things like recording a video stream, then tuning into another channel to see a different program. This article describes how the DVB pipelines are setup and the needs that should be addressed by the Linux Kernel."
Announcing GitTorrent: A Decentralized GitHub
At his blog, Chris Ball announces "GitTorrent," his new project designed to let developers host Git repositories on BitTorrent. The system takes advantage of Git's ability to run over arbitrary network protocols. "We ask for the commit we want and connect to a node with BitTorrent, but once connected we conduct this Smart Protocol negotiation in an overlay connection on top of the BitTorrent wire protocol, in what’s called a BitTorrent Extension. Then the remote node makes us a packfile and tells us the hash of that packfile, and then we start downloading that packfile from it and any other nodes who are seeding it using Standard BitTorrent. We can authenticate the packfile we receive, because after we uncompress it we know which Git commit our graph is supposed to end up at; if we don’t end up there, the other node lied to us, and we should try talking to someone else instead." The project is, obviously, a new one that still has important ground to cover—such as dealing with comments or pull requests—but there are interesting ideas to consider already.
Friday's security updates
Debian has updated virtualbox (privilege escalation). Debian-LTS has updated clamav (multiple vulnerabilities), postgresql-8.4 (multiple vulnerabilities), and tomcat6 (multiple vulnerabilities).
[$] LWN.net Weekly Edition for May 29, 2015
The LWN.net Weekly Edition for May 29, 2015 is available.
LibreOffice Viewer for Android released
The Document Foundation has announced the availability of the LibreOffice viewer for Android systems. And it's not just for viewing: "LibreOffice Viewer also offers basic editing capabilities, like modifying words in existing paragraphs and changing font styles such as bold and italics. Editing is still an experimental feature which has to be enabled separately in the settings, and is not stable enough for mission critical tasks."
A security study of Docker images
The folks at Banyan have looked into the security state of the images stored on Docker Hub and published their results. "More than a third of all images have high priority vulnerabilities and close to two-thirds have high or medium priority vulnerabilities. These statistics are especially troublesome because these images are also some of the most downloaded images (several of them have hundreds of thousands of downloads)."
Security updates for Thursday
Arch Linux has updated curl (information leak). Debian-LTS has updated dulwich (code execution), eglibc (code execution), exactimage (denial of service), and libnokogiri-ruby (information disclosure from 2012). Fedora has updated ca-certificates (F20: CA update), hostapd (F21; F20: denial of service), java-1.8.0-openjdk (F20: insecure tmp file use), LibRaw (F21: denial of service), mingw-LibRaw (F21: denial of service), openslp (F20: two denial of service flaws, one from 2010, one from 2012), php (F21; F20: multiple vulnerabilities), postgresql (F22: three vulnerabilities), and rawtherapee (F22: denial of service). Mageia has updated fuse (privilege escalation), kernel-linus (denial of service), and kernel-tmb (denial of service). openSUSE has updated glibc, glibc-testsuite, glibc-utils, glibc.i686 (13.2, 13.1: two vulnerabilities). SUSE has updated firefox (SLE12: multiple vulnerabilities).
[$] SourceForge replacing GIMP Windows downloads
In 2013, we reported that SourceForge.net had started to redirect the download links clicked on by some users, providing those users with an installer program that bundled in not just the software the user had requested, but a set of side-loaded "utilities" as well. The practice raised the ire of many in the community, even though it was an optional service that SourceForge offered to project owners. Matters may have changed recently, however, as the GIMP project discovered that "GIMP for Windows" downloads had suddenly become side-loading installers—and that the project could no longer access the SourceForge account that was used to distribute them.
This week's edition will be one day late
LWN staff celebrated the US Memorial Day holiday on Monday this week, so the Weekly Edition will come out on the holiday schedule — one day later than usual. We will return to our normal schedule next week. Thank you all, as always, for supporting LWN.
White House sides with Oracle, tells Supreme Court APIs are copyrightable (ArsTechnica)
Ars Technica reports that the US Justice Department has sided with Oracle in its dispute with Google. "The dispute centers on Google copying names, declarations, and header lines of the Java APIs in Android. Oracle filed suit, and in 2012, a San Francisco federal judge sided with Google. The judge ruled that the code in question could not be copyrighted. Oracle prevailed on appeal, however. A federal appeals court ruled that the "declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection." Google maintained that the code at issue is not entitled to copyright protection because it constitutes a "method of operation" or "system" that allows programs to communicate with one another." (Thanks to Martin Michlmayr)
Wednesday's security updates
Debian has updated ntfs-3g (incomplete fix in previous update). Debian-LTS has updated ntfs-3g (incomplete fix in previous update). Red Hat has updated kernel (RHEL6.4: privilege escalation) and qemu-kvm (RHEL6.5: code execution). Ubuntu has updated ntfs-3g (15.04: incomplete fix in previous update) and openldap (15.04, 14.10, 14.04, 12.04: denial of service).
Mourning Marco Pesenti Gritti
The GNOME community is mourning the loss of developer Marco Pesenti Gritti, who passed away on May 23. "He was the most passionate and dedicated hacker I knew, and I know he was extremely respected in the GNOME community, for his work on Epiphany, Evince and Sugar among many others, just like he was at litl. Those who knew him personally know he was also an awesome human being."
Jonathan Riddell forced out of Kubuntu
Scott Kitterman has posted a series of emails around the Ubuntu Community Council's decision to remove Jonathan Riddell as the leader of the Kubuntu project. He has also stated his intent to leave the Ubuntu community. "I also wish to extend my personal apology to the Kubuntu community for keeping this private for as long as we did. Generally, I don’t believe such an approach is consistent with our values, but I supported keeping it private in the hope that it would be easier to achieve a mutually beneficial resolution of the situation privately. Now that it’s clear that is not going to happen, I (and others in the KC) could not in good faith keep this private."
Trouble with the May 22 PostgreSQL update
If you run PostgreSQL and have applied one of the updates that were released on May 22, it would be a good idea to read this page about an unfortunate bug in those releases. In some cases, the problem can cause the server to fail to restart after a crash. There is a new release in the works; meanwhile, a workaround is available.
The Moose is loose: Linux-based worm turns routers into social network bots (Ars Technica)
Ars Technica takes a look at the latest malware threat. "A worm that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fraudulent Instagram, Twitter, and Vine accounts as well as fake accounts on other social networks. The new worm can also hijack routers' DNS service to route requests to a malicious server, steal unencrypted social media cookies such as those used by Instagram, and then use those cookies to add "follows" to fraudulent accounts. This allows the worm to spread itself to embedded systems on the local network that use Linux-based operating systems. The malware, dubbed "Linux/Moose" by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device."
Security advisories for Tuesday
Arch Linux has updated nbd (denial of service), pgbouncer (denial of service), postgresql (multiple vulnerabilities), webkitgtk (information disclosure), and webkitgtk2 (information disclosure). Debian has updated ipsec-tools (denial of service), nbd (denial of service), postgresql-9.1 (multiple vulnerabilities), postgresql-9.4 (multiple vulnerabilities), tiff (multiple vulnerabilities), and zendframework (multiple vulnerabilities). Debian-LTS has updated ntfs-3g (privilege escalation). Fedora has updated firefox (F22: multiple vulnerabilities), hostapd (F22: denial of service), java-1.8.0-openjdk (F22: file overwrites), kernel (F20: two vulnerabilities), libarchive (F21: denial of service), LibRaw (F22; F20: denial of service), mingw-LibRaw (F22; F22; F20: denial of service), openstack-glance (F22: access restriction bypass), php (F22: multiple vulnerabilities), php-ZendFramework2 (F22: CRLF injection), phpMyAdmin (F22: two vulnerabilities), qemu (F22; F20: code execution), quassel (F22: denial of service), suricata (F22: denial of service), thunderbird (F22: multiple vulnerabilities), wordpress (F22: cross-site scripting), and xen (F22; F21; F20: privilege escalation). Mageia has updated chromium-browser-stable (multiple vulnerabilities) and kernel (memory corruption). openSUSE has updated coreutils (13.2: multiple vulnerabilities), firefox (13.2, 13.1: multiple vulnerabilities), libraw (13.2, 13.1: denial of service), LibVNCServer (13.2: code execution), quassel (13.2, 13.1: SQL injection), thunderbird (13.2, 13.1: multiple vulnerabilities), and wireshark (13.2; 13.1: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities). SUSE has updated KVM (SLES11SP2: code execution), MySQL (SLE11SP3: multiple vulnerabilities), and Xen (SLES11SP2; SLES11SP1; SLES10SP4: two vulnerabilities). Ubuntu has updated kernel (14.04: denial of service), linux-lts-trusty (12.04: denial of service), and postgresql-9.1, postgresql-9.3, postgresql-9.4 (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Fedora 22 released
The Fedora 22 release is out. "If this release had a human analogue, it'd be Fedora 21 after it'd been to college, landed a good job, and kept its New Year's Resolution to go to the gym on a regular basis. What we're saying is that Fedora 22 has built on the foundation we laid with Fedora 21 and the work to create distinct editions of Fedora focused on the desktop, server, and cloud (respectively). It's not radically different, but there are a fair amount of new features coupled with features we've already introduced but have improved for Fedora 22." LWN's preview of Fedora 22 was published in the May 21 Weekly Edition.