LWN.net

An anonymous reader has pointed out that Mandriva iscurrently being liquidated (page in French). The company brought in€553,000 in 2013, but that is seemingly not enough to keep it going in2015. It is a sad end for a company that has been pursuing the desktopLinux dream since 1998.

The fifth 4.1 prepatch is out for testing."So we're on schedule for a normal 4.1 release, if it wasn't for thefact that the timing looks like the next merge window would hit our yearlyfamily vacation. So we'll see how that turns out, I might end up delayingthe release just to avoid that (or just delay opening the mergewindow)."

There have been two bugs causing filesystem corruption in the newsrecently. One of them, a bug in ext4, has gotten the bulk of theattention, despite the fact that it is an old bug that is hard to trigger.The other, however, is recent and able to cause data loss onfilesystems installed on a RAID 0 array. Both are interestingexamples of how things can go wrong, and, thus, merit a closer look.

At his blog, Bastien Nocera announcesthe 1.0 release of iio-sensor-proxy,a framework for accessing the various environmental sensors (e.g.,accelerometer, magnetometer, proximity, or ambient-light sensors) builtin to recent laptops. The proxy is a daemon that listens to theIndustrial I/O (IIO) subsystem and provides access to the sensorreadings over D-Bus. As of right now, support for ambient-lightsensors and accelerometers is working; other sensor types are indevelopment. The current API is based on those used by Android andiOS, but may be expanded in the future. "For future versions,we'll want to export the raw accelerometer readings, so thatapplications, including games, can make use of them, which might bringup security issues. SDL, Firefox, WebKit could all do with beingadapted, in the near future."

Arch Linux has updated chromium (multiple vulnerabilities).Debian has updated chromium-browser (multiple vulnerabilities), fuse (privilege escalation), and ntfs-3g (privilege escalation).SUSE has updated KVM (SLES11SP1: multiple vulnerabilities),SUSE Manager Server 1.7 (SLE11 SP2: multiple vulnerabilities), and Xen (SLE11 SP3: multiple vulnerabilities).Ubuntu has updated apport(two privilege escalation vulnerabilities), fuse (privilege escalation), ntfs-3g (privilege escalation), oxide-qt (14.04, 14.10, 15.04: multiple vulnerabilities), and python-dbusmock (14.04, 14.10, 15.04:code execution).

The announcement of Clear Containers (which guest author Arjan van de Ven described in an LWN article from this week) seems to have sparked some interesting work on QEMU that resulted in qboot: "a minimal x86 firmware that runs on QEMU and, together witha slimmed-down QEMU configuration, boots a virtual machine in 40milliseconds on an Ivy Bridge Core i7 processor." Paolo Bonzini announced the project (code is available at git://github.com/bonzini/qboot.git), which is quite new: "The first commit to qboot is more or less 24 hours old, so there isdefinitely more work to do, in particular to extract ACPI tables fromQEMU and present them to the guest. This is probably another day ofwork or so, and it will enable multiprocessor guests with little or noimpact on the boot times. SMBIOS information is also available from QEMU."

Debian has updated libmodule-signature-perl (multiple vulnerabilities).Debian-LTS has updated dnsmasq(information disclosure).Fedora has updated wordpress (F21; F20:three vulnerabilities).Oracle has updated docker (OL7; OL6: multiple vulnerabilities).Red Hat has updated java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities, one from 2005)and java-1.7.1-ibm (RHEL6&7: multiple vulnerabilities, onefrom 2005).SUSE has updated gstreamer-0_10-plugins-bad (SLE11SP3: codeexecution) and xen (SLE12: multiple vulnerabilities).

The LWN.net Weekly Edition for May 21, 2015 is available.

Debian has updated icedove(multiple vulnerabilities), proftpd-dfsg(unauthenticated copying of files), and zendframework (multiple vulnerabilities).Fedora has updated dovecot (F21; F20:denial of service), firefox (F20: multiplevulnerabilities), libtasn1 (F21: denial ofservice), php-ZendFramework2 (F21;F20: CRLF injection), and thunderbird (F20: multiple vulnerabilities).Ubuntu has updated kernel (14.10; 14.04;12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiplevulnerabilities), linux-lts-utopic (14.04:multiple vulnerabilities), and linux-ti-omap4 (12.04: two vulnerabilities).

The PostgreSQL development community is working toward the 9.5 release,currently planned for the third quarter of this year. Development activityis at peak levels as the planned feature freeze for this release approaches.While this activity is resulting in the merging of some interestingfunctionality, including the long-awaited "upsert" feature,it is also revealing some fault lines within the community. The fact that PostgreSQLlacks the review resources needed to keep up with its natural rate ofchange has been understood for years; many other projects suffer from thesame problem. But the pressures on PostgreSQL seem to be becoming moreacute, leading to concerns about fairness in the community and thedurability of the project's cherished reputation for high-quality software.

Lars Knoll marks the20th anniversary of the Qt toolkit on the Qt blog. "From thebeginning, Qt has been released with both open source and commerciallicensing options. Over the years, we have worked on expanding this model,and nowadays, Qt is actually developed as an open source project. In thissense Qt is actually in a rather unique position, having a strong ecosystemwith passionate people, as well as a commercial entity behind it, whichbacks up and funds most of the development."

Over at Linux.com, John Mark Walker examineswhy companies aren't making money on pure open source ventures. "It is not that there is no money in selling open source software, but rather that the business models have shifted. Whereas, under the old proprietary world, a larger percentage of money went to pure software vendors, now that money has spread among a larger spectrum of companies and industries; lots of people get paid to work on or with open source software, but an increasing number of them don’t work for software vendors, per se. In addition to looking in all the wrong places, the current investment model is suspicious of an open source approach. The vast majority of venture capitalists, especially in Silicon Valley, are very risk averse and shy away from open source products that, in their view, will not give as large a return on their investment. In order to secure the funding required to scale a company, investors will frequently require that the startup company include proprietary bits as tools to increase revenue and margins. These two factors - diffusion of revenue and risk-averse investors - combine to both give a false impression and, in part due to the false impression, prevent pure open source software vendors from getting funding."

CentOS has updated thunderbird (C6; C5: multiple vulnerabilities).Debian has updated kfreebsd-9 (denial of service) and xen (code execution).Debian-LTS has updated commons-httpclient (multiple vulnerabilities) and ruby1.8 (man-in-the-middle attack).Mageia has updated avidemux (multiple vulnerabilities), firefox, thunderbird, sqlite3 (multiple vulnerabilities), moodle (multiple vulnerabilities), php (multiple vulnerabilities), phpmyadmin (two vulnerabilities), and xbmc (denial of service).openSUSE has updated clamav(13.2, 13.1: multiple vulnerabilities), docker (13.2: multiple vulnerabilities), andflash-player (13.2, 13.1: multiple vulnerabilities).Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).Ubuntu has updated thunderbird(15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

Linux Journal takes alook at the C.H.I.P. mini-computer, an open software and hardwaredevice that comes with a Debian-based OS. "The official public release is scheduled for next year, but crowdfunding backers will be able to land a "Kernel Hacker" package this September. This package is aimed at Linux developers who want to help to contribute to kernel modifications for the C.H.I.P. before its final release."

Linus has released the 4.1-rc4 kernelprepatch, saying: "So here it is, last-minute fix and all. The -rc4patch is a bit bigger than the previous ones, but that seems to be mainlydue to normal random timing - just the fluctuation of when submaintainertrees get pushed."

New stable kernels 4.0.4, 3.14.43, and 3.10.79 have been released. All of themcontain important fixes throughout the tree.

Arch Linux has updated thunderbird (multiple vulnerabilities).CentOS has updated thunderbird(C7: multiple vulnerabilities).Debian has updated libmodule-signature-perl (multiple vulnerabilities).Debian-LTS has updated dpkg (integrity-verification bypass), nbd (denial of service), and tiff (multiple vulnerabilities).Fedora has updated java-1.8.0-openjdk (F21: unspecifiedvulnerability), NetworkManager (F21: denialof service), phpMyAdmin (F21; F20: two vulnerabilities), qemu (F21: code execution), and t1utils (F21; F20: multiple vulnerabilities).Mageia has updated ruby-rest-client (two vulnerabilities) and virtualbox (code execution).openSUSE has updated flash-player(11.4: multiple vulnerabilities), qemu (13.2; 13.1:code execution), and firefox (11.4: multiple vulnerabilities).Red Hat has updated thunderbird(RHEL5,6,7: multiple vulnerabilities).Slackware has updated thunderbird (multiple vulnerabilities).SUSE has updated KVM (SLE11SP3:code execution), qemu (SLE12: two vulnerabilities), and spice (SLE12; SLESDK12: denial of service).

Guest author Arjan van de Ven writes: "Containers are hot. Everyoneloves them. Developers love the ease of creating a "bundle" of somethingthat users can consume; DevOps and information-technology departments lovethe ease of management and deployment." A group at Intel is workingon a new approach to containers called "ClearContainers"; click below (subscribers only) for an introduction to howthese containers work.

The Xen Project looks at a mechanism to mitigate vulnerabilities like VENOM that attack emulation layers in QEMU. "The good news is it’s easy to mitigate all present and future QEMU bugs, which the recent Xen Security Advisory emphasized as well. Stubdomains can nip the whole class of vulnerabilities exposed by QEMU in the bud by moving QEMU into a de-privileged domain of its own. Instead of having QEMU run as root in dom0, a stubdomain has access only to the VM it is providing emulation for. Thus, an escape through QEMU will only land an attacker in a stubdomain, without access to critical resources. Furthermore, QEMU in a stubdomain runs on MiniOS, so an attacker would only have a very limited environment to run code in (as in return-to-libc/ROP-style), having exactly the same level of privilege as in the domain where the attack started. Nothing is to be gained for a lot of work, effectively making the system as secure as it would be if only PV drivers were used." The Red Hat Security Blog also noted this kind of mitigation for VENOM-style attacks.

Version1.0 of the Rust language has been released. "The 1.0 release marks the end of that churn. This release is the official beginning of our commitment to stability, and as such it offers a firm foundation for building applications and libraries. From this point forward, breaking changes are largely out of scope (some minor caveats apply, such as compiler bugs).That said, releasing 1.0 doesn’t mean that the Rust language is “done”. We have many improvements in store. In fact, the Nightly builds of Rust already demonstrate improvements to compile times (with more to come) and includes work on new APIs and language features, like std::fs and associated constants."

Arch Linux has updated wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities).SUSE has updated flash-player (SLE12: multiple vulnerabilities).

Over at Opensource.com, Lucidworks co-founder and CTO Grant Ingersoll writes about lessons he has learned from running an open-source company. "You might ask, 'Why not open source it all and just provide support?' It's a fair question and one I think every company that open sources code struggles to answer, unless they are a data company (e.g., LinkedIn, Facebook), a consulting company, or a critical part of everyone's infrastructure (e.g., operating systems) and can live off of support alone. Many companies start by open sourcing to gain adoption and then add commercial features (and get accused of selling out), whereas others start commercial and then open source. Internally, the sales side almost always wants "something extra" that they can hang their quota on, while the engineers often want it all open because they know they can take their work with them."

Arch Linux has updated qemu (codeexecution).CentOS has updated firefox (C5:multiple vulnerabilities), kernel (C7: codeexecution), kvm (C5: code execution),qemu-kvm (C7; C6: code execution), and xen (C5: code execution).Debian has updated iceweasel(multiple vulnerabilities) and qemu(multiple vulnerabilities).Debian-LTS has updated icu (multiple vulnerabilitiessome from 2013).Fedora has updated ca-certificates (F21: certificate changes), firefox (F21: multiple vulnerabilities), gnutls (F21: signature algorithm verificationbotch), libssh (F21: denial of service),and thunderbird (F21: two vulnerabilities).Mageia has updated darktable(denial of service), kernel-linus (threevulnerabilities), kernel-tmb (multiple vulnerabilities), libraw (denial of service), qemu (code execution), rawtherapee (denial of service), ufraw and dcraw (denial of service), and wireshark (three dissector vulnerabilities).Oracle has updated firefox (OL6:multiple vulnerabilities), kvm (OL5: denial of service),qemu-kvm (OL7; OL6: code execution), kernel (OL7; OL6; OL6; OL5: multiple vulnerabilities),and xen (OL5: code execution).Scientific Linux has updated firefox (SL7,SL6,SL5: multiple vulnerabilities), kernel (SL7: code execution), kexec-tools (SL7: arbitrary file overwrite),pcs (SL7; SL6: privilege escalation), qemu-kvm(SL7; SL6:code execution), tomcat (SL7: HTTP requestsmuggling), and tomcat6 (SL6: HTTP request smuggling).SUSE has updated kvm (SLE11SP3:denial of service).Ubuntu has updated firefox (multiple vulnerabilities)and qemu, qemu-kvm (three vulnerabilities).

The LWN.net Weekly Edition for May 14, 2015 is available.

Kamal Mostafa has announced that Canonical's kernel team will pick upstable maintenance of the 3.19 kernel series, until July 2016.

Greg Kroah-Hartman has released stable kernels 4.0.3, 3.14.42, and 3.10.78. All of them contain important fixes.

It's been a Linux container bonanza in San Francisco recently, and thatincludes a series of events and announcements from multiple startups andcloud hosts. It seems like everyone is fighting for a piece of what theyhope will be a new multi-billion-dollar market. This included Container Camp on April 17 and CoreOS Fest on May 5th and 6th, with DockerCon to come near the end ofJune. While there is a lot of hype, the current container gold rush hasyielded more than a few benefits for users — and caused technologicaldevelopment so rapid it is hard to keep up with.Subscribers can click below for a report by guest author Josh Berkus fromthis week's edition.

Arch Linux has updated firefox (multiple vulnerabilities) and tomcat6 (denial of service).CentOS has updated firefox (C7; C6:multiple vulnerabilities), kexec-tools (C7:file overwrites), pcs (C7; C6: privilege escalation), tomcat (C7: HTTP request smuggling), and tomcat6 (C6: HTTP request smuggling).Debian has updated quassel (SQL injection).Fedora has updated clamav (F20:multiple vulnerabilities), dpkg (F21; F20: twovulnerabilities), kernel (F21: twovulnerabilities), texlive (F21: predictablefilenames), and wpa_supplicant (F20: code execution).Gentoo has updated ettercap (multiple vulnerabilities).Mageia has updated dnsmasq(information disclosure), flash-player-plugin (multiple vulnerabilities), hostapd (denial of service), netcf (denial of service), pam (two vulnerabilities), and testdisk (multiple vulnerabilities).Oracle has updated firefox (OL7; OL5:multiple vulnerabilities), kernel (OL7: twovulnerabilities), kexec-tools (OL7: fileoverwrites), tomcat (OL7: HTTP requestsmuggling), and tomcat6 (OL6: HTTP request smuggling).Red Hat has updated firefox(RHEL5,6,7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiplevulnerabilities), java-1.6.0-ibm (RHEL5,6:multiple vulnerabilities), java-1.7.0-ibm(RHEL5: multiple vulnerabilities), kernel(RHEL7: privilege escalation), kernel-rt (RHEL7; RHEMRG2.5:privilege escalation), kexec-tools (RHEL7:file overwrites), kvm (RHEL5: codeexecution), pcs (RHEL7; RHEL6: privilege escalation), qemu-kvm(RHEL7; RHEL6: code execution), qemu-kvm-rhev (RHEL7, RHEL6,RHEL OSP4,5,6: code execution), tomcat(RHEL7: HTTP request smuggling), tomcat6(RHEL6: HTTP request smuggling), and xen(RHEL5: code execution).Scientific Linux has updated kvm(SL5: code execution) and xen (SL5: code execution).Slackware has updated mozilla (multiple vulnerabilities).SUSE has updated php5 (SLE12:multiple vulnerabilities).

The kernel community ordinarily tries to avoid letting users get into aposition where the integrity of their data might be compromised. There areexceptions, though; consider, for example, the ability to explicitly flushimportant data to disk (or more importantly, to avoid flushing at any giventime). Buffering I/O in this manner can significantly improve disk writeI/O throughput, but if application developers are careless, the result canbe data loss should the system go down at an inopportune time. Recentlythere have been a couple of proposed performance-oriented changes that havetested the community's willingness to let users put themselves into danger.<p>Click below (subscribers only) for the full story from this week's KernelPage.

Mozilla has released Firefox 38.0. This version features new tab-basedpreferences and Ruby annotation support. Also, it will be the base for thenext ESR release. The releasenotes contain more information.

Debian has updated mercurial (twovulnerabilities).Mageia has updated async-http-client (two vulnerabilities), glpi (privilege escalation), kernel (multiple vulnerabilities), libarchive (denial of service), libssh (denial of service), mailman (path traversal attack), pnp4nagios (cross-site scripting), postgis (multiple vulnerabilities), ruby-redcarpet (cross-site scripting), and springframework (information disclosure).openSUSE has updated Chromium(13.2, 13.1: two vulnerabilities), curl(13.2, 13.1: information leak), dnsmasq(13.2, 13.1: information disclosure), gnu_parallel (13.2, 13.1: file overwrite), libreoffice (13.2: code execution), libssh (13.2, 13.1: denial of service), libtasn1 (13.2, 13.1: denial of service), pcre (13.2, 13.1: multiple vulnerabilities),and php5 (13.2, 13.1: multiple vulnerabilities).Slackware has updated mariadb (multiple unspecified vulnerabilities), mysql (multiple unspecified vulnerabilities), and wpa_supplicant (code execution).Ubuntu has updated libmodule-signature-perl (15.04, 14.10, 14.04,12.04: multiple vulnerabilities) and openssl (12.04: re-enable TLSv1.2 by default).

The development of the Foresight Linux distribution has come to an end."The Foresight Linux Council has determined that there hasbeen insufficient volunteer activity to sustain meaningful newdevelopment of Foresight Linux. Faced with the need either toupdate the project's physical infrastructure or cease operations,we find no compelling reason to update the infrastructure."

Greg Kroah-Hartman has released stable kernel 3.19.8. This is the last kernel in the 3.19.xseries and users should upgrade to 4.0.x.

Arch Linux has updated docker (multiple vulnerabilities).Debian has updated libtasn1-6 (denial of service), suricata (denial of service), and zeromq3 (security bypass).Fedora has updated firefox (F20:multiple vulnerabilities), libreoffice(F20: code execution), netcf (F21;F20: denial of service),perl-XML-LibXML (F21; F20: information disclosure), proftpd (F21: unauthenticated copying offiles), prosody (F20: denial of service),thunderbird (F20: multiplevulnerabilities), and xulrunner (F20:multiple vulnerabilities).Mageia has updated wordpress (cross-site scripting).Ubuntu has updated icu (15.04,14.10, 14.04: code execution), kernel (14.10, 14.04:regression in previous update), libtasn1-3,libtasn1-6 (15.04, 14.10, 14.04, 12.04: denial of service), linux-lts-utopic (14.04: regression inprevious update), and linux-lts-trusty (12.04:regression in previous update).

The 4.1 development cycle continues with the release of 4.1-rc3. "Go out and test. By -rc3,things really should be pretty non-threatening and this would be a goodtime to just make sure everything is running smoothly if you haven't triedone of the earlier development kernels already."

At the Go Blog, Andrew Gerrand provides a look at the language'sapproach to combining example code and documentation. "Godoc examplesare snippets of Go code that are displayed as package documentationand that are verified by running them as tests. They can also be runby a user visiting the godoc web page for the package and clicking theassociated "Run" button. Having executable documentation for a packageguarantees that the information will not go out of date as the APIchanges." Each package's examples are compiled as part of thepackage test suite; examples can also (optionally) be executed inorder to capture failures with the testing framework.

Arch Linux has updated libtasn1 (code execution), mariadb (multiple vulnerabilites), and mariadb-clients (denial of service).Debian has updated dnsmasq(regression fix for previous advisory) and pound (multiple vulnerabilites).Fedora has updated async-http-client (F20: multiple vulnerabilites), realmd (F21: unsanitized input), springframework (F20: information disclosure), testdisk (F20: multiple vulnerabilities), and v8 (F20; F21:denial of service).Mandriva has updated libtasn1 (BS1,2: code execution).SUSE has updated DirectFB(SLE12: multiple vulnerabilities), java-1_7_0-openjdk (SLED 11.3: multiple vulnerabilities), and kernel (SLE12 Live Patching: denial of service).

Greg Kroah-Hartman has released the latest batch of stable kernels: 3.10.77, 3.14.41, 3.19.7, and 4.0.2. As usual, they contain fixes all overthe tree and users should upgrade.

Over at Opensource.com, one of the translators for OpenStack, Łukasz Jernaś, is interviewed about the process of translating a large project like OpenStack. "How does OpenStack's release cycle play into the translation process? Is it manageable to get translations done on a six-month release cycle?Most of the work gets done after the string freeze period, which happens around a month before the release, with a lot of it being completed after getting the first release candidate out of the window. Documentation is translated during the entire cycle, as many parts are common between releases and can be deployed independently to the releases. So we don't have to focus that much about deadlines, as it's available online all the time and not prepackaged and pushed out to users and distributions. Of course, having a month to do the translations can be cumbersome, depending on the team doing the translation (some do that part time, some people in their spare time), and how many developers push out new strings during the string freeze."

Debian has updated sqlite3 (threevulnerabilities).Mageia has updated dpkg(integrity verification bypass), libtasn1(denial of service), perl-XML-LibXML(information disclosure), qt3, qt4, andqtbase5 (three vulnerabilities), and tcl-tcllib (cross-site scripting).Mandriva has updated perl-XML-LibXML (BS1,2: information disclosure).

The LWN.net Weekly Edition for May 7, 2015 is available.

Two talks at the 2015 Libre Graphics Meeting in Toronto came fromvideo-editing projects. One was an update from Natron, a relatively youngproject that deals with video compositing, while the other was areflection on ten years' worth of development on the general-purposenon-linear editor (NLE) Pitivi. Both are active projects, but they take twomarkedly different approaches: one aims to support an existingindustry standard, while the other must build its core functionalityfrom the ground up.

Debian has updated dnsmasq (information disclosure).Mageia has updated erlang(man-in-the-middle attack), glibc (multiplevulnerabilities), mariadb (multipleunspecified vulnerabilities), qtwebkit(denial of service), and x11-server (two vulnerabilities).Mandriva has updated net-snmp(MBS2.0, MBS1.0: code execution), nodejs(MBS2.0: privilege escalation), and squid(MBS2.0: certificate validation bypass).Red Hat has updated openstack-glance (RHELOSP6.0: denial of service).Ubuntu has updated clamav (15.04,14.10, 14.04, 12.04: multiple vulnerabilities), kernel (15.04; 14.10; 14.04; 12.04:privilege escalation), linux-lts-trusty(12.04: privilege escalation), linux-lts-utopic (14.04: privilegeescalation), oxide-qt (15.04, 14.10, 14.04:multiple vulnerabilities), and ppp (14.10,14.04, 12.04: denial of service).

This year the International Day Against DRM will be held on May 6. TheFree Software Foundation focuses oncommunity with a wide variety of community groups, activistorganizations, and businesses all taking part in the ninth International DayAgainst DRM.The FSF's DefectiveByDesign campaign looks at how DRMaffects people with disabilities. "DRM is especially bad for those of us that face additionalhurdles using computers. It's beastly for blind people, who aredependent on an audiobook market heavily laden with DRM."

Early support for hosting Git repositories directly on Launchpad has beenannounced. "This has been by far the single most commonly requested feature from Launchpad code hosting for a long time; we’ve been working hard on it for several months now, and we’re very happy to be able to release it for general use.This is distinct from the facility to import code from Git (and some other systems) into Bazaar that Launchpad has included for many years."

CoreOS looks atcommunity adoption of the App Container spec (appc). "In order to ensure the specification remains a community-led effort, the appc project has established a governance policy and elected several new community maintainers unaffiliated with CoreOS: initially, Vincent Batts of Red Hat, Tim Hockins of Google and Charles Aylward of Twitter. This new set of maintainers brings each of their own unique points of view and allows appc to be a true collaborative effort. Two of the initial developers of the spec from CoreOS, Brandon Philips and Jonathan Boulle, remain as maintainers, but now are proud to have the collective help of others to make the spec what it is intended to be: open, well-specified and developed by a community."

Debian has updated wordpress (multiple vulnerabilities).Fedora has updated mingw-curl(F21: multiple vulnerabilities), mingw-libgcrypt (F21: multiplevulnerabilities), mingw-openssl (F21:multiple vulnerabilities), and mingw-qt5-qtbase (F21: multiple vulnerabilities).Mageia has updated clamav(multiple vulnerabilities), gstreamer0.10-plugins-bad (code execution), hiawatha (multiple vulnerabilities), net-snmp (code execution), nodejs (privilege escalation), pdns, pdns-recursor (denial of service), and squid (certificate validation bypass).Mandriva has updated cherokee(MBS1.0: authentication bypass), clamav(MBS2.0, MBS1.0: multiple vulnerabilities), directfb (MBS2.0, MBS1.0: twovulnerabilities), fcgi (MBS1.0: denial ofservice), mariadb (MBS2.0, MBS1.0: multipleunspecified vulnerabilities), ppp (MBS2.0,MBS1.0: denial of service), and ruby(MBS2.0, MBS1.0: man-in-the-middle attack).Ubuntu has updated dnsmasq(15.04, 14.10, 14.04, 12.04: information disclosure) and libxml-libxml-perl (15.04, 14.10, 14.04,12.04: information disclosure).

Synfig Studio 1.0 has been released. This version featuresa reworked UI, a full-featured bone system to create cutout animation,advanced image distortion, a new Cutout Tool, sound support, and more.

Arch Linux has updated clamav (multiple vulnerabilities) and squid (certificate validation bypass).Debian has updated jqueryui (cross-site scripting), libphp-snoopy (command execution), libxml-libxml-perl (information disclosure), owncloud (multiple vulnerabilities), ruby1.8 (man-in-the-middle attack), ruby1.9.1 (man-in-the-middle attack), and ruby2.1 (man-in-the-middle attack).Debian-LTS has updated xorg-server (denial of service).Fedora has updated clamav (F21:multiple vulnerabilities), curl (F21:multiple vulnerabilities), ikiwiki (F21; F20:cross-site scripting), mingw-libtiff (F21:two vulnerabilities), proftpd (F20: unauthenticated copying of files), qt3 (F21; F20: code execution), and xen (F21; F20: information leak).Mageia has updated 389-ds-base(access control bypass), cherokee(authentication bypass), chromium-browser-stable (multiplevulnerabilities), curl (multiplevulnerabilities), directfb (twovulnerabilities), fcgi (denial of service),python-pip (two vulnerabilities), ruby (man-in-the-middle attack), and subversion (multiple vulnerabilities).Mandriva has updated curl (MBS2.0; MBS1.0: multiple vulnerabilities).

The second 4.1 prepatch is out for testing."As usual, it's a mixture of driver fixes, arch updates (with s390really standing out due to that one prng commit), and some filesystem andnetworking."