LWN.net

The Software Freedom Conservancy (SFC) has put out an analysis of the recently announced plans of Canonical to provide and support ZFS as part of Ubuntu 16.04. There are some license-compatibility questions within the community, but Canonical believes that it is within its rights to distribute the CDDLv1-licensed zfs.ko kernel module with the GPLv2-licensed kernel. SFC, however, disagrees: "We are sympathetic to Canonical's frustration in this desire to easily support more features for their users. However, as set out below, we have concluded that their distribution of zfs.ko violates the GPL. We have written this statement to answer, from the point of view of many key Linux copyright holders, the community questions that we've seen on this matter.Specifically, we provide our detailed analysis of the incompatibility between CDDLv1 and GPLv2 — and its potential impact on the trajectory of free software development — below. However, our conclusion is simple: Conservancy and the Linux copyright holders in the GPL Compliance Project for Linux Developers believe that distribution of ZFS binaries is a GPL violation and infringes Linux's copyright. We are also concerned that it may infringe Oracle's copyrights in ZFS. As such, we again ask Oracle to respect community norms against license proliferation and simply relicense its copyrights in ZFS under a GPLv2-compatible license."

Arch Linux has updated libgcrypt(key leak) and libssh2 (insecure sessions).Debian has updated icedove (multiple vulnerabilities).Debian-LTS has updated libfcgi(denial of service), libfcgi-perl (denial of service), pixman (code execution from 2014), and postgresql-8.4 (denial of service).Fedora has updated hamster-time-tracker (F22: denial of service), postgresql (denial of service), and qemu (three vulnerabilities).Mageia has updated libssh(insecure sessions).openSUSE has updated gummi (42.1,13.2: insecure tmp files), libgcrypt (13.2:key leak),and postgresql94 (42.1: three vulnerabilities, one from 2007).Oracle has updated openssh (OL5:denial of service from 2010).SUSE has updated firefox(SLE11SP4: denial of service).Ubuntu has updated ca-certificates (15.10, 14.04, 12.04: 1024-bitRSA key removal), glib-networking (15.10,14.04, 12.04: update for certificate changes), gnutls (14.04, 12.04: update for certificate changes), and openssl (14.04, 12.04: update for certificate changes).

The LWN.net Weekly Edition for February 25, 2016 is available.

One of the more entertaining presentations at this year's DevConf.cz was by Dan Walsh, Red Hat's headof container engineering. He presented on one of the core conflicts in the Linuxcontainer world: systemd versus the Docker daemon. This is far from a newissue; it has been brewing since Ubuntu adopted systemd, and CoreOSintroduced Rocket, a container system builtaround systemd.Subscribers can click below for a look at the talk by guest author JoshBerkus.

Arch Linux has updated libssh (insecure ssh sessions).Debian has updated libssh(multiple vulnerabilities), lighttpd (padding-oracle attack), and websvn (cross-site scripting).Debian-LTS has updated nss(cryptographic weakness) and websvn (cross-site scripting).Fedora has updated botan (F23:three vulnerabilities), code-editor (F23:three vulnerabilities), gdl (F22:out-of-bounds read flaw), GraphicsMagick(F22: out-of-bounds read flaw), monotone(F23: three vulnerabilities), octave (F22:out-of-bounds read flaw), postgresql (F23:denial of service), qca (F23: threevulnerabilities), qt-creator (F23: threevulnerabilities), vdr-skinenigmang (F22:out-of-bounds read flaw), vdr-skinnopacity(F22: out-of-bounds read flaw), and vdr-tvguide (F22: out-of-bounds read flaw).openSUSE has updated firefox(13.1: same-origin restriction bypass).Red Hat has updated rh-ror41(RHSCL: multiple vulnerabilities).Slackware has updated bind(denial of service), glibc (codeexecution), libgcrypt (two vulnerabilities), and ntp (multiple vulnerabilities).SUSE has updated firefox(SLE12-SP1: denial of service) and postgresql94 (SLE12-SP1: threevulnerabilities, one from 2007).

The Red Hat developer blog looksat what's coming in version 6 of the GNU Compiler Collection."The x86/x86_64 is a segmented memory architecture, yet GCC haslargely ignored this aspect of the Intel architecture and relied onimplicit segment registers. Low level code such as the Linux kernel &glibc often have to be aware of the segmented architecture and havetraditionally resorted to asm statements to use explicit segment registersfor memory accesses. Starting with GCC 6, variables may be declared asbeing relative to a particular segment. Explicit segment registers willthen be used to access those variables in memory." The GCC 6release can be expected sometime around April.

Debian has updated libssh2 (insecure ssh sessions).Debian-LTS has updated didiwiki (unintended access), krb5 (two vulnerabilities), libssh (insecure ssh sessions), and libssh2 (insecure ssh sessions).Fedora has updated nghttp2 (F22:denial of service) and nodejs (F22: two vulnerabilities).Mageia has updated 389-ds-base (denial of service).Red Hat has updated chromium-browser (RHEL6: code execution).Ubuntu has updated cpio (twovulnerabilities), kernel (15.10; 14.04; 12.04:multiple vulnerabilities), libssh (twovulnerabilities), linux-lts-trusty (12.04:multiple vulnerabilities), linux-lts-utopic(14.04: three vulnerabilities), linux-lts-vivid (14.04: multiplevulnerabilities), linux-lts-wily (14.04:multiple vulnerabilities), linux-raspi2(15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: denial of service), oxide-qt (15.10, 14.04: code execution), andnss (12.04: regression in previous update).

Dan Kaminsky looksat the Glibc DNS bug (CVE-2015-7547). "We’ve investigated the DNS lookup path, which requires the glibc exploit to survive traversing one of the millions of DNS caches dotted across the Internet. We’ve found that it is neither trivial to squeeze the glibc flaw through common name servers, nor is it trivial to prove such a feat is impossible. The vast majority of potentially affected systems require this attack path to function, and we just don’t know yet if it can. Our belief is that we’re likely to end up with attacks that work sometimes, and we’re probably going to end up hardening DNS caches against them with intent rather than accident. We’re likely not going to apply network level DNS length limits because that breaks things in catastrophic and hard to predict ways."

Arch Linux has updated chromium (code execution) and thunderbird (multiple vulnerabilities).Debian has updated chromium-browser (multiple vulnerabilities), didiwiki (unintended access), and xdelta3 (code execution).Debian-LTS has updated openssl (man-in-the-middle attacks) and python-imaging (denial of service).Fedora has updated graphite2(F23: multiple vulnerabilities), kscreenlocker (F23; F22:restriction bypass), mariadb (F23: multiplevulnerabilities), nettle (F22: impropercryptographic calculations), ntp (F22:multiple vulnerabilities), php-horde-horde (F23; F22:cross-site scripting), poco (F23; F22: SSL server spoofing), python-pillow (F22: denial of service), qemu (F23: multiple vulnerabilities), and thunderbird (F23: multiple vulnerabilities).openSUSE has updated chromium(13.1: multiple vulnerabilities), chromium(13.1: code execution), erlang (13.2:man-in-the-middle attack), ffmpeg(Leap42.1: denial of service), obs-service-download_files, (Leap42.1, 13.2:code injection), postgresql93 (Leap42.1,13.2: multiple vulnerabilities, one from 2007), qemu (Leap42.1: two vulnerabilities),chromium (SPH for SLE12;Leap42.1, 13.2: code execution), kernel (13.2: two vulnerabilities), and xdelta3 (13.2; 13.1: code execution).SUSE has updated postgresql93(SLE12: multiple vulnerabilities, one from 2007).

Version 2.23 of the GNU C Library (glibc) has been released. The headlinefeature this time around seems to be Unicode 8.0.0 support; there are anumber of API changes, performance improvements and security fixes aswell.

The Linux Mint blog announces that the project'sweb site was compromised and made to point to a backdoored version of thedistribution. "As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th."Update: it appearsthat the Linux Mint forums were compromised too; users should assume thattheir passwords have been exposed.

The 4.5-rc5 kernel prepatch is out, one dayahead of the usual schedule. "Things continue to look normal, andthings have been fairly calm. Yes, the VM THP cleanup seems to still beproblematic on s390, but other than that I don't see anything particularlyworrisome."

Greg Kroah-Hartman has announced the release of stable kernels 4.3.6 and 3.10.97. Both contain important updatesthroughout the tree. In addition, 4.3.6 is the last release for thenow end-of-life 4.3 kernel branch; users will need to migrate to the4.4 series.

Version 4.7 of the Ardourdigital-audio workstation has been released. Theupdate includes two key new features: a dialog that displays detailedspectral and waveform analysis for exported files, and substantiallyimproved support for Mackie Control brand hardware control consoles.Many other improvements are listed in the announcement, includingpreliminary support for importing work from ProTools 10 and 11.

CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities).Debian has updated cpio(denial of service).Debian-LTS has updated libmatroska (code execution).Mageia has updated glibc (M5: multiple vulnerabilities) and nodejs (M5: multiple vulnerabilities).openSUSE has updated glibc (13.2: multiple vulnerabilities; 11.4, 13.1: code execution).Oracle has updated kernel (O7; O6:privilege escalation)and thunderbird (O7; O6: multiple vulnerabilities).Red Hat has updated openstack-heat (RHEL7: denial of service) and thunderbird (RHEL 5,6,7: multiple vulnerabilities).Scientific Linux has updated thunderbird (SL 5,6,7: multiple vulnerabilities).Ubuntu has updated oxide-qt(14.04, 15.10: multiple vulnerabilities).

Dustin Kirkland justifiesUbuntu's plans to ship the ZFS filesystem kernel module. "Andzfs.ko, as a self-contained file system module, is clearly not a derivativework of the Linux kernel but rather quite obviously a derivative work ofOpenZFS and OpenSolaris. Equivalent exceptions have existed for manyyears, for various other stand alone, self-contained, non-GPL and evenproprietary (hi, nvidia.ko) kernel modules."

The Linux Foundation has announcedthe Zephyr Project, which is aimed at building a real-time operatingsystem (RTOS) for the Internet of Things (IoT). "Modularity andsecurity are key considerations when building systems for embedded IoTdevices. The Zephyr Project prioritizes these features by providing thefreedom to use the RTOS as is or to tailor a solution. The project’s focuson security includes plans for a dedicated security working group and adelegated security maintainer. Broad communications and networking supportis also addressed and will initially include Bluetooth, Bluetooth LowEnergy and IEEE 802.15.4, with plans to expand communications andnetworking support over time." The ZephyrKernel v1.0.0 Release Notes provide more details.

Arch Linux has updated lib32-glibc (multiple vulnerabilities).Debian has updated libreoffice(two code execution flaws).Fedora has updated hamster-time-tracker (F23: two denial ofservice flaws).Mageia has updated cacti(authentication bypass), claws-mail (twovulnerabilities), cpio (code execution), eog (code execution from 2013), eom (code execution from 2013), gambas3 (code execution from 2013), gnome-photos (code execution from 2013), graphite2/firefox (multiple vulnerabilities), gtk+2.0 (code execution from 2013), libgcrypt (key leak), libxmp (multiple vulnerabilities), nginx (three vulnerabilities), pinpoint (code execution from 2013), python-pillow (two code execution flaws), thunar (code execution from 2013), and thunderbird (multiple vulnerabilities).Ubuntu has updated nss (15.10,14.04, 12.04: cryptographic weakness).

The LWN.net Weekly Edition for February 18, 2016 is available.

Greg Kroah-Hartman has released stable kernels 4.4.2 and 3.14.61. Both of them contain important fixes.

Arch Linux has updated glibc (multiple vulnerabilities).CentOS has updated 389-ds-base(C7: denial of service), firefox (C7; C6; C5: three vulnerabilities), glibc (C7: two vulnerabilities), glibc (C6: code execution), kernel (C7: two vulnerabilities), polkit (C7: privilege escalation), and sos (C7: information disclosure).Debian-LTS has updated eglibc(two vulnerabilities), gtk+2.0 (code execution), and wordpress (two vulnerabilities).Fedora has updated asterisk (F23; F22: filedescriptor exhaustion), ecryptfs-utils (F23; F22:privilege escalation), firefox (F22:multiple vulnerabilities), glibc (F23: codeexecution), glibc (F22: multiplevulnerabilities), mingw-curl (F23;F22: authentication bypass),mingw-libpng (F23; F22: denial of service), mingw-libxml2(F23; F22:multiple vulnerabilities), mingw-pcre (F23; F22:multiple vulnerabilities), nghttp2 (F23:denial of service), and springframework-social (F23: cross-site request forgery).Gentoo has updated glibc (multiple vulnerabilities).openSUSE has updated Chromium(SPH for SLE12: multiple vulnerabilities), claws-mail (Leap42.1, 13.2; 13.1: code execution), firefox (Leap42.1, 13.2: same-originrestriction bypass), glibc (Leap42.1:multiple vulnerabilities), libnettle (Leap42.1; 13.2; 13.1:improper cryptographic calculations), socat (Leap42.1, 13.2; 13.1: cipher-downgrade attacks), thunderbird (Leap42.1, 13.2: code execution),thunderbird (13.1: multiplevulnerabilities), and vlc (Leap42.1: code execution).Oracle has updated 389-ds-base(OL7: denial of service), firefox (OL7; OL6; OL5: three vulnerabilities), glibc (OL7: two vulnerabilities), glibc (OL6: code execution), kernel (OL7: multiple vulnerabilities), polkit (OL7: privilege escalation), and sos (OL7: information disclosure).Red Hat has updated chromium-browser (RHEL6: multiplevulnerabilities), glibc (RHEL6.2, 6.4, 6.5,6.6, 7.1: code execution), glibc (RHEL7:two vulnerabilities), glibc (RHEL6: codeexecution), and kernel-rt (RHEMRG2.5: two vulnerabilities).Scientific Linux has updated 389-ds-base (SL7: denial of service), firefox (SL5,6,7: three vulnerabilities), glibc (SL7: two vulnerabilities), glibc (SL6: code execution), kernel (SL7: two vulnerabilities), polkit (SL7: privilege escalation), and sos (SL7: information disclosure).SUSE has updated glibc (SLE12-SP1; SLE12; SLE11-SP3,SP4; SLE11-SP2: multiple vulnerabilities).Ubuntu has updated eglibc, glibc(code execution), graphite2 (15.10, 14.04:multiple vulnerabilities), libreoffice(code execution), and xdelta3 (15.10,14.04: code execution).

Vulkan is a new graphics APIspecification, seemingly meant to supersede OpenGL. Collabora has announcedthe availability of the 1.0 specification — and that the Wayland compositoralready supports it. "To provide the best possible base for fluidmodern user interfaces, Collabora have worked extensively on the Waylandwindow system, the underlying Kernel Mode Setting drivers and atomicmodesetting, and also the EGL specifications and implementations. We areproud to continue this work with Vulkan." Intel has announcedan open-source Vulkan driver for its hardware as well.

Debian has updated eglibc (multiple vulnerabilities), glibc (multiple vulnerabilities), graphite2 (three vulnerabilities), and libgcrypt11 (key leak).Debian-LTS has updated xdelta3 (code execution).Red Hat has updated 389-ds-base(RHEL7: denial of service), firefox(RHEL5,6,7: three vulnerabilities), kernel(RHEL7: two vulnerabilities), kernel-rt(RHEL7: two vulnerabilities), polkit(RHEL7: denial of service), and sos (RHEL7:information disclosure).SUSE has updated qemu (SLE12-SP1:two vulnerabilities).Ubuntu has updated eog (codeexecution), gtk+2.0, gtk+3.0 (codeexecution), libgcrypt11, libgcrypt20 (keyleak), nettle (15.10, 14.04: impropercryptographic calculations), and samba(regression in previous update).

The Google Online Security Blog disclosesa security issue in the GNU C library; a fix, workarounds, and aproof-of-concept exploit are all provided. "The glibc DNS client side resolver is vulnerableto a stack-based buffer overflow when the getaddrinfo() library function isused. Software using this function may be exploited withattacker-controlled domain names, attacker-controlled DNS servers, orthrough a man-in-the-middle attack."See also: the glibcadvisory for this issue.

Opensource.com coversa linux.conf.au talk by Paris Buttfield-Addison and Jon Manning ofSecret Lab. "Secret Lab participates in hackathons to subtly subvert that mission by making interesting games based on data. They don't even care if anyone ever plays the game again. But they've won quite a few national awards along the way.In particular, they've done so through participation in several GovHack events, which are Australia/New Zealand hackathons built around government data sources."

Arch Linux has updated firefox (same-origin restriction bypass) and nghttp2 (denial of service).Debian has updated iceweasel (denial of service), postgresql-9.1 (three vulnerabilities), and postgresql-9.4 (two vulnerabilities).Debian-LTS has updated chrony (packet modification) and cpio (out-of-bounds write).Fedora has updated firefox (F23:denial of service), krb5 (F22: threevulnerabilities), mingw-gnutls (F23:improper cryptographic calculations), mingw-nettle (F23: improper cryptographiccalculations), nodejs (F23: two vulnerabilities), php (F23; F22: multiple vulnerabilities), and wordpress (F23; F22: two vulnerabilities).

Mark Wielaard writesabout some of the many new compiler warnings provided by the GCC6release. "My favorite is still -Wmisleading-indentation. But thereare many more that have found various bugs. Not all of them are enabled bydefault, but it makes sense to enable as many as possible when writing newcode."

"It's Valentine's day, so here I am, making a valentine for everybodyin the form of the usual rc release," says Linus; that release is 4.5-rc4."So in between romancing your significant other, go out andtest."

In a lengthy blog series (part 1, part 2, and part 3), Matthew Chapman described the process of getting a non-Lenovo battery to charge in his Thinkpad laptop. He reverse-engineered the authorization that real batteries do and changed the code in the embedded controller (EC) on the laptop to allow other batteries to charge. "I look in BIOS to see where these messages are coming from. Both this message and the original unauthorised battery message are displayed by LenovoVideoInitDxe.efi: don’t ask me why this code is in this module rather than somewhere more relevant (may I suggest LenovoAnnoyingBatteryMessageDxe.efi?), but it might have been convenient to put it in the video initialisation module as the message is displayed when the screen is cleared post-POST [Power-on self-test]."(Thanks to Neil Brown.)

On the Maru blog, developer Preetam D’Souza has announced that the Maru project is now open source. Maru is a desktop system running on a smartphone, so that adding a display, keyboard, and mouse to a phone allows the user to run their desktop on the phone—and still be able to use the device as a phone. "I’ve gotta say, the open source community never ceases to amaze me. I’ve had emails from people asking if they can help test Maru on other devices on a Sunday. How many normal people do you know that willingly want to give up their Sundays to help test software? I’ve experienced this helpfulness time and time again, whether it was the speakers at open source conferences so willing to share their knowledge, or the folks on forums who were so keen to help out beginners like me. Maru would never have been possible without that spirit of openness."

Bradley Kuhn started off his linux.conf.au 2016 talk by stating a goalthat, he hoped, he shared with the audience: a world where more (or most)software is free software. The community has one key strategy toward that goal:copyleft licensing. He was there to talk about whether that strategy isworking, and what can be done to make it more effective; the picture hepainted was not entirely rosy, but there is hope if software developers arewilling to make some changes.

Chris Hermansen looks at an early open music format—vinyl LP records—over at Opensource.com. He goes into some of the details of the format and how it is read, as well as a bit about ripping records using Linux. "Ok, so we just figured out that our stylus puts 136 times as much pressure on our records as our car puts on the pavement? That's crazy!!! Why doesn't the stylus completely destroy the record? Those alternate-Earth physicists and engineers are rolling on the floor now, clutching their bellies and gasping for breath... but here is the final straw. Despite the seemingly ridiculous or even impossible nature of the whole ensemble of components, a well-recorded vinyl LP played back with a decent turntable, tonearm, and cartridge sounds wonderful."

Debian has updated libgcrypt20(key leak) and nginx (three vulnerabilities).Debian-LTS has updated eglibc(regression in previous security update).Fedora has updated nodejs-is-my-json-valid (F22: denial ofservice) and python-pymongo (F23; F22: two vulnerabilities).openSUSE has updated cacti (42.1; 13.2; 13.1: multiple vulnerabilities), cacti-spine (13.1: unspecified), and openssl (13.1: cipher downgrade).Slackware has updated mozilla(14.1: unspecified).Ubuntu has updated firefox(15.10, 14.04, 12.04: same-origin restriction bypass) and postgresql-9.1, postgresql-9.3, postgresql-9.4(15.10, 14.04, 12.04: two vulnerabilities).

Arch Linux has updated botan(three vulnerabilities).Fedora has updated firebird (F23:denial of service), firefox (F23: denial ofservice), gsi-openssh (F23: privilegeescalation), and php-PHPMailer (F23;F22: header injection).openSUSE has updated flash-player (13.2; 13.1:multiple vulnerabilities), jasper (13.1: denial of service), andtiff (13.1: multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5&6: multiple vulnerabilities).SUSE has updated java-1_6_0-ibm (SLE12; SLE11SP2: multiple vulnerabilities) and java-1_7_0-ibm (SLE11SP2: multiple vulnerabilities).

The LWN.net Weekly Edition for February 11, 2016 is available.

Scratching an itch is a recurring theme in presentations at linux.conf.au. As the open-hardware movement gains strength, more and more of these itches relate to the physical world, not just the digital. David Tulloh used his presentation [WebM] on the “Linux Driven Microwave” to discuss how annoying microwave ovens can be and to describe his project to build something less irritating.Click below (subscribers only) for the full report from Neil Brown.

Arch Linux has updated kscreenlocker (restriction bypass).CentOS has updated sos (C6: information leak).Fedora has updated claws-mail(F22: stack-based buffer overflow), imlib2(F22: denial of service), python-pillow(F23: denial of service), and webkitgtk4(F22: multiple vulnerabilities).Mageia has updated ffmpeg(multiple vulnerabilities), flash-player-plugin (multiple vulnerabilities), jasper (denial of service), and nettle (improper cryptographic calculations).openSUSE has updated jasper(13.2: denial of service), krb5 (13.2:three vulnerabilities), and tiff (13.2: three vulnerabilities).Oracle has updated sos (OL6:information leak).Red Hat has updated openstack-swift (RHELOSP7: denial of service) and python-django (RHELOSP7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: information disclosure).Scientific Linux has updated sos(SL6: information leak).SUSE has updated flash-player (SLE12-SP1; SLE11-SP4: multiple vulnerabilities) and java-1_7_1-ibm (SLE12-SP1; SLE11-SP4: multiple vulnerabilities).Ubuntu has updated nginx (15.10,14.04: denial of service).

The SourceForge hosting site has announcedthat it has a new owner (BIZX, LLC, along with Slashdot) and that it willbe getting rid of the controversial DevShare program, which was covered here in 2013. "As of last week,the DevShare program was completely eliminated. The DevShare programdelivered installer bundles as part of the download for participatingprojects. We want to restore our reputation as a trusted home for opensource software, and this was a clear first step towards that. We’re moreinterested in doing the right thing than making extra short-termprofit."

<img class="photo" src="http://lwn.net/images/2016/lca-oven.jpg" alt="[Prototype]">

The LibreOffice 5.1 release is available. "LibreOffice 5.1's user interface has been completelyreorganized, to provide faster and more convenient access to its most usedfeatures. A new menu has been added to each of the applications: Style(Writer), Sheet (Calc) and Slide (Impress and Draw). In addition, severalicons and menu commands have been repositioned based on userpreferences." See thispage for (a little) more information and some videos.

The Obama administration has put out aplan for how it would like to make the net a safer place. There are alot of topics covered here; toward the end it also mentions that "theGovernment will work with organizations such as the Linux Foundation’s CoreInfrastructure Initiative to fund and secure commonly used internet'utilities' such as open-source software, protocols, and standards. Justas our roads and bridges need regular repair and upkeep, so do thetechnical linkages that allow the information superhighway to flow."

"TPM," said Matthew Garrett in his linux.conf.au 2016 talk, stands for "trusted platform module"; it is a tool that is meant to allow a system'sowner to decide which software to trust. Some years ago, there was a lot offear that the TPM would be used, instead, to take that decision away, to allow othersto decide which software would be trusted to run on our systems; for that reason,some called "trusted computing" by the rather less complimentary name"treacherous computing." That scenario didn't come about, though, for anumber of reasons, both technical and social. But we can still use the TPM forits original purpose; Matthew was there to talk about his work to bringabout computing that we can trust.Click below (subscribers only) for the full report from LCA 2016.

Debian has updated qemu (multiplevulnerabilities), qemu (more vulnerabilities), qemu-kvm (multiple vulnerabilities), and wordpress (two vulnerabilities).Debian-LTS has updated gajim (man-in-the-middle).Mageia has updated mbedtls/hiawatha/belle-sip/linphone/pdns (codeexecution), openssl (man-in-the-middle), php (multiple vulnerabilities), privoxy (denial of service), and radicale (authentication bypass).Red Hat has updated sos (RHEL6:information leak).Slackware has updated curl (authentication bypass) and flac (multiple vulnerabilities).SUSE has updated java-1_8_0-ibm(SLE12-SP1: multiple vulnerabilities) and rubygem-rails-html-sanitizer (SES2.1: multiple vulnerabilities).Ubuntu has updated firefox(regression in previous update).

Wired talkswith John Perry Barlow on the 20th anniversary of his Declaration ofIndependence of Cyberspace. "In the modern era of global NSA surveillance, China’s Great Firewall, and FBI agents trawling the dark Web, it’s easy to write off Barlow’s declaration as early dotcom-era hubris. But on his document’s 20th anniversary, Barlow himself wants to be clear: He stands by his words just as much today as he did when he clicked “send” in 1996."

Arch Linux has updated lib32-libsndfile (multiple vulnerabilities) and libsndfile (multiple vulnerabilities).Debian has updated polarssl (code execution) and tiff (multiple vulnerabilities).Debian-LTS has updated eglibc (multiple vulnerabilities) and linux-2.6 (multiple vulnerabilities).Fedora has updated claws-mail(F23: stack-based buffer overflow), nginx(F22: denial of service), and prosody (F23:insecure handling of dialback keys).Mageia has updated cakephp (denial of service), cgit (three vulnerabilities), curl (authentication bypass), cyrus-imapd (two vulnerabilities), docker/golang (two vulnerabilities), gajim (man-in-the-middle), imlib2 (denial of service), java-1.8.0-openjdk/copy-jdk-configs/lua-lunit/lua-posix (multiple vulnerabilities), krb5 (three vulnerabilities), phpmyadmin/phpseclib (multiple vulnerabilities), and socat (man-in-the-middle).openSUSE has updated curl (Leap42.1; 13.2; 13.1:authentication bypass), mariadb (Leap42.1; 13.2: multiple vulnerabilities), mysql(Leap42.1, 13.2; 13.1: multiple vulnerabilities), nginx (Leap42.1: denial of service), openssl (13.2: man-in-the-middle), php5 (Leap42.1: two vulnerabilities), phpMyAdmin (Leap42.1, 13.2: multiplevulnerabilities), rubygem-actionpack-3_2(13.2: multiple vulnerabilities), rubygem-actionpack-4_2 (Leap42.1: multiplevulnerabilities), rubygem-rails-html-sanitizer (Leap42.1:multiple vulnerabilities), and phpmyadmin(13.1: multiple vulnerabilities).Red Hat has updated openstack-swift (RHELOSP5 for RHEL6; RHELOSP5 for RHEL7; RHELOSP6 for RHEL7: denial ofservice) and python-django(RHELOSP6 for RHEL7: information disclosure).SUSE has updated kernel(SLE11-SP3: multiple vulnerabilities).

The 4.5-rc3 kernel prepatch is out."It's slightly bigger than I'd like, but not excessively so (and notunusually so). Most of the patches are pretty small, although the diff isutterly dominated by the (big) removal a couple of staging rdma driversthat just weren't going anywhere. Those removal patches are 90% of the bulkof the diff."

The CoreOS project has announced version1.0 of its rkt container manager.As part of the release, rkt's command-line interface and on-diskformat have been declared stable. The announcement also highlights anumber of new security features, including "KVM-based containerisolation, SELinux support, TPM integration, image signaturevalidation, and privilege separation" and notes that rkt willrun Docker images.

Arch Linux has updated libbsd (denial of service).Debian has updated krb5(multiple vulnerabilities).Fedora has updated nettle(F23: improper cryptographic calculations), salt (F22: information leak), and webkitgtk4 (F23: multiple vulnerabilities).SUSE has updated MozillaFirefox,MozillaFirefox-branding-SLE, mozilla-nss (SLE12: multiple vulnerabilities) and MozillaFirefox,MozillaFirefox-branding-SLED, mozilla-nss (SLE11: multiple vulnerabilities).

Over at Linux.com, Eric Brown looks at the newly announced Ubuntu Touch tablet. The hardware: "The Aquaris M10 is equipped with a 64-bit, quad-core, Cortex-A53 MediaTek MT8163A system-on-chip clocked to 1.5GHz, along with a high-powered ARM Mali-T720 MP2 GPU. The tablet ships with 2GB of RAM, 16GB flash, and a microSD slot." It is said to have 1920x1200 resolution and an 8 megapixel camera capable of HD recording. The interface will change to take advantage of larger displays and additional input devices (e.g. keyboard, mouse)."It appears that the upcoming Ubuntu 16.04 “Xenial Xerus” LTS release due in April will be the first true convergence release. According to PC World, it will still be optional, however, with a traditional Unity 7 build with X.org available alongside the newly converged Unity 8 with the new Mir display server. The new tablet, and Unity 8, will feature Ubuntu Touch’s Scopes interface, which presents frequently used content and services as an alternative to traditional apps.In addition to automatically changing the interface in response to new screens and input devices, Ubuntu is also providing convergence on the application development level. Developers are already developing single apps that can automatically morph into desktop, phone, and tablet formats."

Debian-LTS has updated openjdk-6 (multiple vulnerabilities).Fedora has updated nodejs-is-my-json-valid (F23: denial ofservice), phpmyadmin (F23: multiple vulnerabilities), and prosody (F22: insecure key handling).Gentoo has updated qemu (multiple vulnerabilities).Slackware has updated mozilla(unspecified), mplayer (file contentsleak), openssl (cipher downgrade), and php (three vulnerabilities).