Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-11-23 12:45
Tridgell: ArduPilot and DroneCode
Andrew "Tridge" Tridgell writes about the ArduPilot project's withdrawal from the Dronecode group. "Unfortunately DroneCode has a built-in flaw. The structure and bylaws of DroneCode are built around exceptional power for the Platinum members, giving them extraordinary control over the future of DroneCode. [...] Just how great a flaw that is has been shown by the actions of the Platinum members over the last two months. Due to their overwhelming desire to be able to make a proprietary autopilot stack the Platinum members staged what can only be called a coup. They removed all top level open source projects from DroneCode, leaving only their own nominees in the Technical Steering Committee. They passed a resolution requiring that all projects hand over control of all trademarks, accounts and domains to their control."
Vim 8.0 released
The Vim editor project is celebrating its 8.0 release. "This the first major Vim release in ten years. There are interesting new features, many small improvements and lots of bug fixes." New features include asynchronous I/O, jobs, a package system, GTK+ 3 support, and more.
Stable kernel update - 3.14 eol
Greg KH has released stable kernel 3.14.79. This is the last update in the 3.14.x series. "Please use 4.4 if you want a LTS kernel that will last for another year, or even better yet, just use the normal stable releases as those will always contain the latest fixes and updates."
Security advisories for Monday
Arch Linux has updated file-roller (file deletion), graphicsmagick (denial of service), and tomcat8 (redirect HTTP traffic). Debian has updated openjpeg2 (multiple vulnerabilities) and pdns (multiple denial of service flaws). Debian-LTS has updated libarchive (two vulnerabilities), qemu (directory/path traversal), and qemu-kvm (directory/path traversal). Fedora has updated chromium (F24: multiple vulnerabilities), elog (F24; F23: unauthorized posts), phpMyAdmin (F23: multiple vulnerabilities), python-jwcrypto (F24; F23: information disclosure), and slock (F24; F23: screen locking bypass). openSUSE has updated libtorrent-rasterbar (Leap42.1: denial of service), kernel (Leap42.1: multiple vulnerabilities), and wget (13.2: race condition). Slackware has updated gnutls (denial of service). SUSE has updated java-1_7_0-ibm (SOSC5, SMP2.1, SM2.1, SLES11-SP2,3: three vulnerabilities).
Kernel prepatch 4.8-rc6
Linus has released the 4.8-rc6 kernel prepatch. "I still haven't decided whether we're going to do an rc8, but I guess I don't have to decide yet. Nothing looks particularly bad, and it will depend on how rc7 looks."
Abbott: Success with Interns
Laura Abbott marks the end of the latest round of open-source internships at Outreachy with a blog post reflecting on "what makes an internship successful," especially as seen in the kernel team's internships. Among Abbott's lessons: "Choose your tasks carefully. Tasks with a specific goal but multiple ways to solve are best. Too open ended tasks can be frustrating for all involved but there should be some chance for decision making. Just giving a list of tasks and exactly how they should be completed isn't good for learning. Give your intern a chance to propose a solution and then review it together." Also: "Speaking of review, code review is a skill. Model how to respond to code review comments. Encourage interns to practice reviewing others code and ask questions as well." That is just a sampling; in total, Abbott lists well over a dozen take-aways from the experience, all worth reading.
Friday's security updates
Arch Linux has updated wordpress (multiple vulnerabilities). Debian has updated inspircd (user impersonation) and xen (multiple vulnerabilities). Debian-LTS has updated curl (certificate reuse) and xen (multiple vulnerabilities). openSUSE has updated fontconfig (Leap 42.1: privilege escalation), gdk-pixbuf (13.2, Leap 42.1: denial of service), krb5 (Leap 42.1: denial of service), mariadb (Leap 42.1: multiple vulnerabilities), ocaml (Leap 42.1: information leak), tiff (13.2: multiple vulnerabilities), and wget (Leap 42.1: multiple vulnerabilities). Slackware has updated php (14.0, 14.1, 14.2: multiple vulnerabilities). Ubuntu has updated file-roller (14.04, 16.04: file deletion) and imlib2 (12.04, 14.04, 16.04: multiple vulnerabilities).
[$] LWN.net Weekly Edition for September 9, 2016
The LWN.net Weekly Edition for September 9, 2016 is available.
A bite of Python (Red Hat Security Blog)
On the Red Hat Security Blog, Ilya Etingof describes some traps for the unwary in Python, some that have security implications. "Being easy to pick up and progress quickly towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. Though apparent language clarity and friendliness could lull the vigilance of software engineers and system administrators -- luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked at; experienced developers may well be aware of the peculiarities that follow." (Thanks to Paul Wise.)
Thursday's security advisories
Debian-LTS has updated icu (code execution) and roundcube (three vulnerabilities, one each from 2015 and 2014). openSUSE has updated libsrtp (42.1: denial of service from 2015), libstorage (42.1: password disclosure), and libtcnative-1-0 (42.1: cipher downgrade from 2015). Red Hat has updated Kibana (RHOS3: two vulnerabilities). Scientific Linux has updated thunderbird (multiple vulnerabilities). SUSE has updated java-1_7_1-ibm (SLE11: three unspecified vulnerabilities).
[$] What's next for Apache OpenOffice
Concerns about the viability of the Apache OpenOffice (AOO) project are not new; they had been in the air for a while by the time LWN looked at the project's development activity in early 2015. Since then, though, the worries have grown more pronounced, especially after AOO's recent failure to produce a release with an important security fix nearly one year after being notified of the vulnerability. The result is an internal discussion on whether the project should be "retired," or whether it will find a way to turn its fortunes around.
[$] An asynchronous Internet in GNOME
At GUADEC 2016 in Karlsruhe, Germany, Jonathan Blandford challenged the GNOME project to rethink how its desktop software uses network access. The GNOME desktop assumes Internet connectivity is always available, which has the side effect of making the software stack considerably less useful and, indeed, usable to people who live in those places regarded as the developing world.
Weekly edition one day late this week
Last Monday was the Labor Day holiday in the US, so the LWN crew took the day off to celebrate. As a result, the weekly edition will be published one day late this week. It will be available on Friday, sometime shortly after midnight UTC.
Stable kernel updates
Stable kernels 4.7.3, 4.4.20, and 3.14.78 have been released with the usual set of important fixes. There will be one more 3.14.x kernel release before this kernel series hits its end-of-life.
Wednesday's security advisories
Debian has updated charybdis (incorrect SASL authentication). Debian-LTS has updated libtomcrypt (signature forgery). Fedora has updated 389-ds-base (F23: information disclosure), libgcrypt (F23: flawed random number generation), libksba (F23: denial of service), and mediawiki (F24; F23: multiple vulnerabilities). openSUSE has updated Chromium (Leap42.1: multiple vulnerabilities), thunderbird (SPH for SLE12; Leap42.1, 13.2: multiple vulnerabilities), and tomcat (Leap42.1: two vulnerabilities). Red Hat has updated postgresql92-postgresql (RHSCL: two vulnerabilities) and rh-postgresql95-postgresql (RHSCL: two vulnerabilities). SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).
Git v2.10.0
Git 2.10 has been released, with lots of updates to the user interface and workflows, performance enhancements, and much more. See the announcement for details.
Danko: Next steps for Gmane
LWN previously reported that Gmane creator and maintainer Lars Magne Ingebrigtsen shut down the website and was contemplating shutting down the service entirely. Martin Danko now reports that Gmane has a new maintainer. "I petitioned some of our directors to allow us to offer to take it over and in the end we entered into agreement with Lars to take over Gmane. The assets of Gmane have been placed into a UK company Gmane Ltd. As part of the agreement, we have received the INN spool with all the articles but none of the code that drives the site. We’ve started rebuilding parts of the site just to get it back online, its not perfect and there are pieces missing but we’re working on building all the functionality back into the site." (Thanks to Brian Thomas)
Security advisories for Tuesday
Arch Linux has updated thunderbird (code execution). CentOS has updated ipa (C7; C6: denial of service) and thunderbird (C7; C6; C5: code execution). Debian has updated chromium-browser (multiple vulnerabilities), flex (regression in previous update), and kernel (multiple vulnerabilities). Debian-LTS has updated jsch (path traversal), kernel (multiple vulnerabilities), and tiff3 (multiple vulnerabilities). Fedora has updated ca-certificates (F23: certificate update), ganglia (F24; F23: cross-site scripting), glibc (F23: denial of service), kernel (F24; F23: two vulnerabilities), lcms2 (F23: heap memory leak), and phpMyAdmin (F24: multiple vulnerabilities). openSUSE has updated curl (13.2: three vulnerabilities), dosfstools (Leap42.1: two vulnerabilities), eog (Leap42.1, 13.2: out-of-bounds write), and xerces-c (Leap42.1: two vulnerabilities). Oracle has updated thunderbird (OL7; OL6: code execution). Red Hat has updated kernel (RHEL6.7; RHEL6.5: information leak) and thunderbird (RHEL5,6,7: code execution). Scientific Linux has updated ipa (SL6,7: denial of service). SUSE has updated kernel (SOSC5, SMP2.1, SM2.1, SLE11-SP3: multiple vulnerabilities).
LLVM 3.9 released
Version 3.9 of the LLVM compiler suite is out. "This release is the result of the LLVM community's work over the past six months, including ThinLTO, new libstdc++ ABI compatibility, support for all OpenCL 2.0 and all non-offloading OpenMP 4.5 features, clang-include-fixer, many new clang-tidy checks, significantly improved ELF linking with lld, identical code folding and initial LTO support in lld, as well as improved optimization, many bug fixes and more."
Anticipating KDE's 20th anniversary
The announcement of a project to develop the "Kool Desktop Environment" went out on October 14, 1996. As the 20th anniversary of that announcement approaches, the KDE project is celebrating with a project timeline and a 20 Years of KDE book. "This book presents 37 stories about the technical, social and cultural aspects that shaped the way the KDE community operates today. It has been written as part of the 20th anniversary of KDE. From community founders and veterans to newcomers, with insights from different perspectives and points of view, the book provides you with a thrilling trip through the history of such an amazing geek family."
Kernel prepatch 4.8-rc5
The 4.8-rc5 kernel prepatch is available for testing. "So rc5 is noticeably bigger than rc4 was, and my hope last week that we were starting to calm down and shrink the releases seems to have been premature. [...] Not that any of this looks worrisome per se, but if things don't start calming down from now, this may be one of those releases that will need an rc8. We'll see."
Z-Wave protocol specification now public
The Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.
Friday's security updates
Arch Linux has updated chromium (multiple vulnerabilities) and webkit2gtk (multiple vulnerabilities). Debian has updated libidn (multiple vulnerabilities). Debian-LTS has updated mailman (password disclosure). Fedora has updated canl-c (F24; F23: proxy manipulation), krb5 (F23: denial of service), libksba (F24: denial of service), openvpn (F23: information disclosure), tomcat (F24; F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities). openSUSE has updated karchive (SLE12: command execution). Oracle has updated ipa (O7; O6: denial of service).
Suspect in kernel.org breakin arrested
The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. "[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers."
Contemplating the possible retirement of Apache OpenOffice
Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In responses to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is the PMC been requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.) Also of interest is this note on how the handling of CVE-2016-1513 went.
OpenBSD 6.0
OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. Also in this release, new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.
Thursday's security updates
Debian-LTS has updated cacti (authentication bypass). Mageia has updated eog (M5: out-of-bounds write), python3/python (M5: HTTPoxy attack), redis (M5: information leak), and webkit2 (M5: multiple vulnerabilities). openSUSE has updated cracklib (Leap 42.1: code execution), gd (13.2: out-of-bounds read), and libgcrypt (13.2: flawed random number generation). Red Hat has updated ipa (RHEL 6,7: denial of service). Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).
Building a new Tor that can resist next-generation state surveillance (ars technica)
Here's a lengthy ars technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."
[$] LWN.net Weekly Edition for September 1, 2016
The LWN.net Weekly Edition for September 1, 2016 is available.
[$] The kernel community confronts GPL enforcement
Some of the most important discussions associated with the annual Kernel Summit do not happen at the event itself; instead, they unfold prior to the summit on the planning mailing list. There is value in learning what developers feel needs to be talked about and, often, important issues can be resolved before the summit itself takes place. That list has just hosted (indeed, is still hosting as of this writing) a voluminous discussion on license enforcement that was described by some participants as being "pointless" or worse. But that discussion has served a valuable purpose: it has brought to the light a debate that has long festered under the surface, and it has clarified where some of the real disagreements lie.
Apache OpenOffice CVE-2016-1513 hotfix released
LWN covered a memory corruption vulnerability (CVE-2016-1513) in Apache OpenOffice that was disclosed before a fix was available. Now a hotfix for the problem has been released. "The official Apache OpenOffice security bulletin was announced on July 21, 2016. Affected is Apache OpenOffice 4.1.2 and older on all platforms and all languages. OpenOffice.org versions are also affected. The Apache OpenOffice project recommends to update to the latest version 4.1.2 and then to download and install the Zip file from the table below. Please follow the installation instructions in the respective Readme file." (Thanks to Cesar Eduardo Barros)
Security advisories for Wednesday
Arch Linux has updated mupdf (denial of service). Debian has updated libarchive (multiple vulnerabilities) and tryton-server (two vulnerabilities). Debian-LTS has updated tiff (multiple vulnerabilities). Fedora has updated krb5 (F23: denial of service). Mageia has updated bsdiff (denial of service), ctdb (privilege escalation), curl (three vulnerabilities), fontconfig (privilege escalation), gnupg/libgcrypt (flawed random number generation), kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), mupdf (denial of service), nettle/nettle2.7 (information leak), openssh (three vulnerabilities), php (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), postgresql (two vulnerabilities), and python-django (cross-site scripting). openSUSE has updated libqt4 (Leap42.1: unsafe SSL ciphers). Red Hat has updated rh-postgresql94-postgresql (RHSCL: two vulnerabilities). SUSE has updated firefox (SLE11-SP4: multiple vulnerabilities). Ubuntu has updated linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.04: multiple vulnerabilities), and linux-snapdragon (16.04: multiple vulnerabilities).
August 2016 GNU Toolchain Update
The Red Hat Developer's blog looks at the latest updates to the GNU toolchain. GCC 6.2 and GDB 7.11.1 are mostly bug-fix releases, but GCC contains a few enhancements for SPARC users and there's a look at what's coming in GDB 7.12. Glibc 2.24 contains many new features and enhancements. "A new NSS action is added to facilitate large distributed system administration. The action, MERGE, allows remote user stores like LDAP to be merged into local user stores like /etc/groups in order to provide easy to use, updated, and managed sets of merged credentials."
Haller: MAC Address Spoofing in NetworkManager 1.4.0
We recently pointed to Lubomir Rintel's coverage of NetworkManager 1.4. Thomas Haller follows up with a more detailed look at the MAC spoofing capabilities of NetworkManager. "1.2.0 relies on support from wpa_supplicant to configure a random MAC address. The problem is that it requires API which will only be part of the next major release 2.6 of the supplicant. Such a release does not yet exist to this date and thus virtually nobody is using this feature. With NetworkManager 1.4.0, changing of the MAC address is done by NetworkManager itself, requiring no support from the supplicant. This allows also for more flexibility to generate “stable” addresses and the “generate-mac-address-mask”. Also, the same options are now available not only for Wi-Fi, but also Ethernet devices."
Security updates for Tuesday
Arch Linux has updated mupdf (denial of service). Debian-LTS has updated gnupg (flawed random number generation). Fedora has updated borgbackup (F24; F23: directory traversal), freeipa (F24; F23: denial of service), java-1.8.0-openjdk-aarch32 (F24: multiple vulnerabilities), rubygem-actionpack (F24; F23: unsafe query generation), and rubygem-activerecord (F24; F23: unsafe query generation). openSUSE has updated kernel (13.1: multiple vulnerabilities). Slackware has updated kernel (TCP connection takeover). Ubuntu has updated kernel (16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
Remembering Vernon Adams
Open-source font developer Vernon Adams has passed away in California at the age of 49. In 2014, Adams was injured in an automobile collision, sustaining serious trauma from which he never fully recovered. Perhaps best known within the Linux community as the creator of KDE's user-interface font Oxygen, Adams created a total of 51 font families published through Google Fonts, all under open licenses. He was also active in a number of related free-software projects, including FontForge, Metapolator, and the Open Font Library. In 2012, he co-authored the user's guide for FontForge as part of Google's Summer of Code Documentation Camp, which we reported on at that time. Speaking personally, Vernon was always quick to offer encouragement and assistance to newcomers—regardless of their experience with type design, FontForge, or free software in general. There were also few people who put as much energy into improving the usability of free-software design tools as he did. In addition, he was a constant advocate for free-software principles in the world of fonts—not just on development lists and at libre graphics conferences, but on type forums as well, where "open source" did not automatically garner a warm reception. The tagline on his website was "fonts for everyone," and he meant it. He'll be missed.
Security advisories for Monday
Arch Linux has updated wireshark-cli (multiple vulnerabilities). Debian has updated mupdf (two denial of service flaws). Debian-LTS has updated eog (out-of-bounds write), quagga (two vulnerabilities), ruby-actionpack-3.2 (multiple vulnerabilities), and ruby-activesupport-3.2 (denial of service). Fedora has updated lcms2 (F24: heap memory leak), uClibc (F24: code execution), and webkitgtk4 (F24: multiple vulnerabilities). openSUSE has updated Firefox (13.1: buffer overflow), firefox, nss (Leap42.1, 13.2: buffer overflow), phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities), and typo3-cms-4_5 (Leap42.1, 13.2: three vulnerabilities). Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities) and kernel 4.1.12 (OL7; OL6: multiple vulnerabilities).
Böck: Multiple vulnerabilities in RPM – and a rant
Hanno Böck performed some fuzz testing on the dpkg and RPM package managers and reported the results; it seems that one of the projects has been rather more responsive than the other in fixing these issues. "The development process of RPM seems to be totally chaotic, it's neither clear where one reports bugs nor where one gets the latest code and security bugs don't get fixed within a reasonable time. There's been some recent events that make me feel especially worried about this..." It seems that some of the maintenance issues with RPM may not have improved greatly since they were reported here ten years ago.
Kernel prepatch 4.8-rc4
The 4.8-rc4 kernel prepatch is out. "Everything looks normal, and it's been a bit quieter than rc3 too, so hopefully we're well into the "it's calming down" phase. Although with the usual timing-related fluctuation (different maintainers stagger their pulls differently), it's hard to tell a trend yet."
[$] Trying out openSUSE Tumbleweed
While distribution-hopping is common among newcomers to Linux, longtime users tend to settle into a distribution they like and stay put thereafter. In the end, Linux distributions are more alike than different, and one's time is better spent getting real work done rather than looking for a shinier version of the operating system. Your editor, however, somehow never got that memo; that's what comes from ignoring Twitter, perhaps. So there is a new distribution on the main desktop machine; this time around it's openSUSE Tumbleweed.
Nextcloud 10 released
Nextcloud 10 has been released with new features for system administrators to control and direct the flow of data between users on a Nextcloud server. "Rule based file tagging and responding to these tags as well as other triggers like physical location, user group, file properties and request type enables administrators to specifically deny access to, convert, delete or retain data following business or legal requirements. Monitoring, security, performance and usability improvements complement this release, enabling larger and more efficient Nextcloud installations."
The long-awaited Maru OS source release
The Maru OS handset distribution that includes an Ubuntu desktop (reviewed here in April) is finally available in source form. "If you're interested in contributing in general, please check out the project's GitHub (https://github.com/maruos/maruos), get up and running with the developer guide (https://github.com/maruos/maruos/wiki/Developer-Guide), and join the developer group (https://groups.google.com/forum/#!forum/maru-os-dev)"
Security advisories for Friday
Arch Linux has updated mediawiki (multiple vulnerabilities). CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities). Debian has updated flex (code execution), imagemagick (multiple vulnerabilities), quagga (two vulnerabilities), and rails (cross-site scripting). Fedora has updated gnupg (F24: flawed random number generation), openvpn (F24: information disclosure), and rubygem-actionview (F24; F23: cross-site scripting). Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities). Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities).
OpenSSL 1.1.0 released
Version 1.1.0 of the OpenSSL TLS library is available. A list of changes can be found on this page; they include a new threading API, a number of new algorithms and the removal of a number of older ones, pipelining (parallel processing) support, extended master secret support, and more.
Rintel: NetworkManager 1.4: with better privacy and easier to use
Lubomir Rintel takes a look at new features in NetworkManager 1.4. "It is now possible to randomize the MAC address of Ethernet devices to mitigate possibility of tracking. The users can choose between different policies; use a completely random address, or just use different addresses in different networks. For Wi-Fi devices, the same randomization modes are now supported and does no longer require support from wpa-supplicant." Also a newly added API for using configuration snapshots that automatically roll back after a timeout, IPv6 tokenized interface identifiers can be configured, new features in nmcli, and more are covered. (Thanks to Paul Wise)
Thursday's security updates
Fedora has updated eog (F23: out-of-bounds write). openSUSE has updated ImageMagick (Leap42.1: three vulnerabilities). Red Hat has updated qemu-kvm-rhev (RHOSP9: two vulnerabilities) and Red Hat OpenShift Enterprise 2.2.10 (RHOSE: multiple vulnerabilities). Ubuntu has updated eog (out-of-bounds write), harfbuzz (16.04, 14.04: two vulnerabilities), and libidn (multiple vulnerabilities).
[$] LWN.net Weekly Edition for August 25, 2016
The LWN.net Weekly Edition for August 25, 2016 is available.
[$] 25 Years of Linux — so far
On August 25, 1991, an obscure student in Finland named Linus Benedict Torvalds posted a message to the comp.os.minix Usenet newsgroup saying that he was working on a free operating system as a project to learn about the x86 architecture. He cannot possibly have known that he was launching a project that would change the computing industry in fundamental ways. Twenty-five years later, it is fair to say that none of us foresaw where Linux would go — a lesson that should be taken to heart when trying to imagine where it might go from here.
In Memory of Jonathan “avenj” Portnoy
The Gentoo community is mourning the loss of Jonathan Portnoy. "Jon was an active member of the International Gentoo community, almost since its founding in 1999. He was still active until his last day. His passing has struck us deeply and with disbelief. We all remember him as a vivid and enjoyable person, easy to reach out to and energetic in all his endeavors."
Wednesday's security updates
CentOS has updated kernel (C6: TCP injection). Debian-LTS has updated libgcrypt11 (flawed random number generation). Fedora has updated eog (F24: out-of-bounds write), kernel (F23: use-after-free), mariadb (F23: multiple vulnerabilities), mingw-lcms2 (F24: heap memory leak), postgresql (F23: multiple vulnerabilities), and python (F23: proxy injection). openSUSE has updated libidn (Leap 42.1: multiple vulnerabilities) and kernel (13.2: multiple vulnerabilities). Oracle has updated kernel (O6: TCP injection). Red Hat has updated kernel (RHEL 7.1: multiple vulnerabilities; RHEL6: TCP injection) and qemu-kvm-rhev (RHOSP8: multiple vulnerabilities). Scientific Linux has updated kernel (SL6: TCP injection). Slackware has updated gnupg (flawed random number generation), kernel (14.2: TCP injection), and libgcrypt (flawed random number generation).