Arch Linux has updated lib32-nettle (improper cryptographic calculations) and nettle (improper cryptographic calculations). Debian has updated openjdk-6 (multiple vulnerabilities). Fedora has updated openstack-heat (F23: denial of service) and openstack-swift (F23: denial of service). openSUSE has updated kernel (13.2: multiple vulnerabilities). Red Hat has updated kernel (RHEL7.1: multiple vulnerabilities). Ubuntu has updated qemu, qemu-kvm (15.10, 14.04, 12.04: multiple vulnerabilities).
Michael Catanzaro describes the sad state of WebKit security on Linux distributions and the challenges of security support for such a complex package in general. "We regularly receive bug reports from users with very old versions of WebKit, who trust their distributors to handle security for them and might not even realize they are running ancient, unsafe versions of WebKit. I strongly recommend using a distribution that releases WebKitGTK+ updates shortly after they’re released upstream. That is currently only Arch and Fedora. (You can also safely use WebKitGTK+ in Debian testing — except during its long freeze periods — and Debian unstable, and maybe also in openSUSE Tumbleweed. Just be aware that the stable releases of these distributions are currently not receiving our security updates.)" Lots of information here, worth a read for anybody interested in the topic.
The Black Forest fire destroyed over 500 Colorado houses in June 2013; one of those belonged to longtime Debian developer Bdale Garbee. As he reported during his talk at the 2016 linux.conf.au Multimedia and Music miniconf, the house has been redesigned and rebuilt and life is generally better now. Part of the rebuilding process included the incorporation of a whole-house audio system; naturally, Bdale took a unique approach to that task. His talk showed what can be done when one starts from scratch — and doesn't mind designing a circuit board along the way.
This Red Hat blog post celebrates the fifteenth anniversary of the first SELinux release. "With the question of open source security long behind us, we are now focused on providing an even more flexible security model through SELinux. With the rise of composite, distributed applications that can span hundreds of physical and virtual machines as well as disparate cloud instances and Linux container deployments, one-off usage of SELinux is not enough. Instead, we are focused on providing “defense in depth” for modern computing scenarios, effectively building and deploying SELinux policies at each level of the datacenter."
The 4.5-rc2 kernel prepatch is out. Linus says things aren't going so slowly anymore: "As late as Friday, I was planning on talking about how nice it is to see this new trend of tiny rc2 releases, because there really hadn't been very many pull requests at all. But it turns out the pull requests were just heavily skewed to the end of the week, and 4.5-rc2 isn't particularly small after all. It pretty much doubled over the weekend." Still, he seems to think that things are working well enough.
The 4.4.1, 4.3.5, and 4.1.17 stable kernel updates are out. These contain a relatively large number of changes as Greg Kroah-Hartman continues to work through the patch backlog.
The KDE neon project — which arguably could be seen as a replacement for the Kubuntu distribution — has been announced at FOSDEM. "More than ever people expect a stable desktop with cutting-edge features, all in a package which is easy to use and ready to make their own. KDE Neon is the intersection of these needs using a stable Ubuntu long-term release as its core, packaging the hottest software fresh from the KDE Community ovens. Compute knowing you have a solid foundation and enjoy the features you experience in the world's most customisable desktop."
Wired reports on a talk at the USENIX Enigma conference by Rob Joyce of the US National Security Agency (NSA). Joyce is the head of the NSA's Tailored Access Operations, which is tasked with breaking into the systems of adversaries and sometimes allies. He spoke about ways to thwart the NSA and other nation-state-level attackers. "'We put the time in … to know [that network] better than the people who designed it and the people who are securing it,' he said. 'You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You'd be surprised about the things that are running on a network vs. the things that you think are supposed to be there.'"
Arch Linux has updated nginx (three denial of service flaws). Debian has updated iceweasel (three vulnerabilities) and openjdk-7 (multiple vulnerabilities). openSUSE has updated chromium (13.1: multiple vulnerabilities), java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1; 13.2: multiple vulnerabilities), java7 (13.1: multiple vulnerabilities), and openldap2 (42.1: two vulnerabilities). Oracle has updated bind (OL7; OL6; OL5: denial of service), bind97 (OL5: denial of service), and firefox (OL7; OL6; OL5: two code execution flaws). Red Hat has updated bind (RHEL6.4, 6.5: four denial of service flaws, including one from 2014) and bind (RHEL6.6: three denial of service flaws). Scientific Linux has updated bind (denial of service), bind97 (SL5: denial of service), and firefox (two code execution flaws). SUSE has updated java-1_7_0-openjdk (SLE12; SLE11: multiple vulnerabilities) and openldap2 (Studio Onsite 1.3: two vulnerabilities). Ubuntu has updated curl (authentication bypass) and oxide-qt (15.10, 15.04, 14.04: multiple vulnerabilities).
The Linux Foundation's board of directors is not usually a hotbed of controversy; for the most part it does its work in the background, quietly going about the business of directing the non-profit organization. In mid-January that all changed. The bylaws that governed how some at-large board seats were allocated were changed, which caused quite an uproar within the Linux world. While there is speculation about the motive for the change—as well as an official statement of sorts—it certainly seems like the whole thing could have been handled a lot better. Subscribers can click below for the full story from this week's edition.
Firefox 44.0 has been released. With this version Firefox can get push notifications from your favorite sites. This release also features improved warning pages for certificate errors and untrusted connections; H.264 is enabled if the system decoder is available, with WebM/VP9 video support enabled where MP4/H.264 are not supported; the brotli compression format is supported via HTTPS content-encoding; and more. See the release notes for details.
The Linux Test Project test suite stable release for January 2016 is available. There were 191 patches by 29 authors merged since the previous release. Some notable changes include rewritten and new cgroup tests for cpuacct and pids controllers, rewritten basic cgroup functional and stress tests, new userns07 test for user namespaces, new syscall tests, and more.
AMD has launched "gpuopen.com" to support open graphics development (on AMD GPUs, naturally). "The second is a commitment to open source software. The game and graphics development community is an active hub of enthusiastic individuals who believe in the value of sharing knowledge. Full and flexible access to the source of tools, libraries and effects is a key pillar of the GPUOpen philosophy. Only through open source access are developers able to modify, optimize, fix, port and learn from software. The goal? Encouraging innovation and the development of amazing graphics techniques and optimizations in PC games."
As expected, Linus released the 4.5-rc1 development kernel and closed the merge window for this cycle on January 24. Fewer than 2,000 changes were pulled since last week's summary, but there were some significant changes to be found among them. Click below (subscribers only) for the final part of LWN's 4.5 merge window coverage.
Arch Linux has updated ecryptfs-utils (privilege escalation), linux-lts (privilege escalation), privoxy (two denial of service flaws), python-rsa (signature forgery), and python2-rsa (signature forgery). CentOS has updated ntp (C7; C6: missing check for zero originate timestamp). Debian has updated claws-mail (code execution). Debian-LTS has updated foomatic-filters (buffer overflows), imlib2 (denial of service), pound (multiple vulnerabilities, one from 2009), and privoxy (two denial of service flaws). Fedora has updated bind (F23: two denial of service flaws), bind99 (F23: denial of service), chrony (F23: packet modification), dhcp (F22: denial of service), java-1.8.0-openjdk (F23: unspecified), mod_nss (F22: enables insecure ciphersuites), owncloud (F23; F22: multiple vulnerabilities), python-rsa (F22: signature forgery), and qemu (F23: multiple vulnerabilities). Mageia has updated virtualbox (unspecified vulnerabilities). openSUSE has updated bind (13.1: denial of service), cgit (13.1: three vulnerabilities), giflib (13.1: heap-based buffer overflow), jasper (13.2; 13.1: denial of service), libvirt (Leap 42.1, 13.2; 13.1: path traversal), openldap2 (13.2: two vulnerabilities), roundcubemail (Leap 42.1; 13.2; 13.1: code execution), and tiff (13.2; 13.1: denial of service). Oracle has updated ntp (OL7: missing check for zero originate timestamp). Red Hat has updated ntp (RHEL6,7: missing check for zero originate timestamp). Scientific Linux has updated ntp (SL6,7: missing check for zero originate timestamp). SUSE has updated bind (SLES10-SP4: four denial of service vulnerabilities), openldap2 (SLE12-SP1: two vulnerabilities), and kernel (SLE12: privilege escalation).
Matt Mackall, the creator of the Mercurial source-code management system, has announced that he is ready to move on to a new project. "So over the course of this year, I'm going to gradually remove myself from daily involvement in the project. As lots of people and companies have a lot invested in Mercurial, I'm doing this over a long period of time to make sure it goes smoothly."
Linus has released the 4.5-rc1 prepatch and closed the merge window for this development cycle. "It's a fairly normal release - neither unusually big nor unusually small. The statistics look fairly normal too, with drivers being a bit over 70% of the bulk (the big driver areas being gpu, networking, sound, staging, fbdev, but it's all over)."
The 4.3.4, 4.1.16, 3.14.59, and 3.10.95 stable kernel updates have been released. They are the first in just over one month, and they contain a fair number of important fixes.
On his blog, Peter Hutterer answers the perennial "is Wayland ready yet?" question by pointing out that it really is not the right question. "The protocol is stable and has been for a while. But not every compositor and/or toolkit/application speak Wayland yet, so it may not be sufficient for your use-case. So rather than asking 'Is Wayland ready yet', you should be asking: 'Can I run GNOME/KDE/Enlightenment/etc. under Wayland?' That is the right question to ask, and the answer is generally 'It depends what you expect to work flawlessly.' This also means 'people working on Wayland' is often better stated as 'people working on Wayland support in ....'."
Just a quick note to point out that the very first LWN Weekly Edition came out on January 22, 1998. So we have now been at it for eighteen years. To say we would have been surprised by that idea in 1998 is a serious understatement. Many thanks to LWN's reader community for keeping us going for all this time!
Linux Foundation leader Jim Zemlin explains the recent changes in the organization's by-laws. "First, The Linux Foundation Board structure has not changed. The same individuals remain as directors, and the same ratio of corporate to community directors continues as well. What we did do was to act on a long-discussed perception that the value we provide to individual supporters could be improved, for the first time in a decade. And that the process for recruiting community directors should be changed to be in line with other leading organizations in our community and industry." He also speaks out against the personal attacks that have appeared in conversations about this change.
Version 1.6 of the Rust programming language has been released. "The largest new feature in 1.6 is that libcore is now stable! Rust’s standard library is two-tiered: there’s a small core library, libcore, and the full standard library, libstd, that builds on top of it. libcore is completely platform agnostic, and requires only a handful of external symbols to be defined. Rust’s libstd builds on top of libcore, adding support for memory allocation, I/O, and concurrency. Applications using Rust in the embedded space, as well as those writing operating systems, often eschew libstd, using only libcore. libcore being stabilized is a major step towards being able to write the lowest levels of software using stable Rust."
On his blog, Matthew Garrett has noted that the Linux Foundation (LF) has dropped the community representatives to its board that were elected by the individual LF members. "The by-laws were amended to drop the clause that permitted individual members to elect any directors. Section 3.3(a) now says that no affiliate members may be involved in the election of directors, and section 5.3(d) still permits at-large directors but does not require them[2]. The old version of the bylaws are here - the only non-whitespace differences are in sections 3.3(a) and 5.3(d). These changes all happened shortly after Karen Sandler [executive director of the Software Freedom Conservancy] announced that she planned to stand for the Linux Foundation board during a presentation last September [YouTube link]. A short time later, the "Individual membership" program was quietly renamed to the "Individual supporter" program and the promised benefit of being allowed to stand for and participate in board elections was dropped (compare the old page to the new one)." Garrett speculates that the GPL enforcement suit that the Software Freedom Conservancy is funding against VMware, which is an LF member, is ultimately behind the move. He also notes (the [2] above) that there is still a community representative from the Technical Advisory Board (TAB) that sits on the LF board.
OSNews reports that the Dutch consumer protection advocacy agency Consumentenbond has sued Samsung, demanding updates for its Android phones. "The Consumentenbond had been in talks with Samsung about this issue for a while now, but no positive outcome was reached, and as such, they saw no other option but to file suit. The Consumentenbond is demanding that Samsung provides two years of updates for all its Android devices, with the two-year period starting not at the date of market introduction of the device, but at the date of sale. This means that devices introduced one or even more years ago that are still being sold should still get two years' worth of updates starting today." (Thanks to Paolo Bonzini)
Unused code is untested code, which probably means that it harbors bugs—sometimes significant security bugs. That lesson has been reinforced by the recent OpenSSH "roaming" vulnerability. Leaving a half-finished feature only in the client side of the equation might seem harmless at a cursory glance but, of course, is not. Those who mean harm can run servers that "implement" the feature to tickle the unused code. Given that the OpenSSH project has a strong security focus (and track record), it is truly surprising that a blunder like this could slip through—and keep slipping through for roughly six years. Subscribers can click below to read the full story from the week's edition.
Arch Linux has updated kernel (privilege escalation). CentOS has updated kernel (C5: two remote denial of service vulnerabilities). Debian has updated bind9 (denial of service) and ecryptfs-utils (privilege escalation). Debian-LTS has updated bind9 (denial of service), ecryptfs-utils (privilege escalation), and librsvg (out-of-bounds heap read). Fedora has updated libxmp (F23; F22: multiple vulnerabilities), mbedtls (F23; F22: memory leak), qemu (F22: multiple vulnerabilities), and radicale (F23; F22: multiple vulnerabilities). openSUSE has updated cups-filters (Leap 42.1: code execution). Oracle has updated kernel (OL5: two remote denial of service vulnerabilities). Scientific Linux has updated kernel (SL5: two remote denial of service vulnerabilities). SUSE has updated bind (SLE12-SP1: denial of service). Ubuntu has updated bind9 (denial of service), ecryptfs-utils (privilege escalation), kernel (15.10; 15.04; 14.04: privilege escalation), libxml2 (two vulnerabilities), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), linux-lts-vivid (14.04: privilege escalation), linux-lts-wily (14.04: privilege escalation), and linux-raspi2 (15.10: privilege escalation).
This article from CysecLabs starts a series explaining how return-oriented programming (ROP) can be used to exploit vulnerabilities in the kernel. "ROP techniques take advantage of code misalignment to identify new gadgets. This is possible due to x86 language density, i.e., the x86 instruction set is large enough (and instructions have different lengths), that almost any sequence of bytes can be interpreted as a valid instruction."
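As an added illustration (not code from the CysecLabs article), here is a minimal x86-64 gadget scanner that makes the misalignment point concrete. It walks a byte buffer looking for the one-byte RET opcode (0xC3) and reports any single-byte POP r64 (0x58..0x5F) immediately before it; because the walk is byte-granular rather than instruction-granular, it finds gadgets at offsets that were never instruction boundaries. The sample bytes are constructed for this example; REX-prefixed pops (r8..r15) and longer gadget bodies are deliberately out of scope.

```c
/*
 * Added example: a toy "pop REG; ret" gadget finder for x86-64.
 * Not from the article; it only decodes the two opcodes it needs.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One gadget found by the scan. */
struct gadget {
    size_t offset;   /* byte offset of the POP instruction in the buffer */
    int reg;         /* 0..7 -> rax, rcx, rdx, rbx, rsp, rbp, rsi, rdi */
};

static const char *reg_names[8] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"
};

/*
 * Scan `code` for "pop r64; ret" pairs at every byte offset. The scan
 * does not care where the compiler's instructions start: a 0x58..0x5F
 * byte followed by 0xC3 is a usable gadget wherever it appears, which
 * is exactly the "code misalignment" the article refers to.
 * Returns the number of gadgets written to `out` (at most `max`).
 */
size_t find_pop_ret_gadgets(const uint8_t *code, size_t len,
                            struct gadget *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 1; i < len && n < max; i++) {
        if (code[i] != 0xC3)                 /* RET */
            continue;
        uint8_t prev = code[i - 1];
        if (prev >= 0x58 && prev <= 0x5F) {  /* POP rax..rdi */
            out[n].offset = i - 1;
            out[n].reg = prev - 0x58;
            n++;
        }
    }
    return n;
}

/*
 * Constructed sample (not taken from any real binary): the encoding of
 *     mov eax, 0x0000c35d     ; b8 5d c3 00 00
 *     ret                     ; c3
 * At the intended boundaries this is one MOV and one RET. Starting one
 * byte in, "5d c3" decodes as "pop rbp; ret": a gadget that exists only
 * inside the immediate operand of the MOV.
 */
static const uint8_t sample_code[] = { 0xB8, 0x5D, 0xC3, 0x00, 0x00, 0xC3 };

/* Scan the constructed sample; returns the gadget count. */
size_t scan_sample(struct gadget *out, size_t max)
{
    return find_pop_ret_gadgets(sample_code, sizeof sample_code, out, max);
}

int main(void)
{
    struct gadget g[8];
    size_t n = scan_sample(g, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: pop %s; ret\n", g[i].offset, reg_names[g[i].reg]);
    return 0;
}
```

Running it reports one gadget at offset 1 (pop rbp; ret), the two bytes buried in the MOV's immediate. A real gadget finder does the same thing over a whole kernel image with a full decoder, which is why a binary yields far more gadgets than its intended instruction stream would suggest.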
Back in 2014, LWN looked at the Meteor web application framework. Now, Meteor's developers are contemplating why it failed to take over the world. "New developers love how easy it is to get started with it, but can get discouraged when they start struggling with more complex apps. And purely from a financial standpoint, it’s hard to build a sustainable business on the back of new developers hacking on smaller apps. On the other hand, many of the more experienced developers who’d be able to handle (and help solve) Meteor’s trickier challenges are turned off by its all-in-one approach, and never even give it a chance in the first place." They promise the imminent unveiling of a new approach that is going to address these problems.
The CyanogenMod developers have announced that they will be shutting down the WhisperPush secure messaging system (covered here in 2013). "We’ve ultimately made the decision that we will no longer be supporting WhisperPush functionality directly within CyanogenMod. Further, WhisperPush services will be end-of-lifed beginning Feb 1st 2016. As this is a server side implementation, all branches of CM from CM10.2 and forward will be affected."
Two of the earliest figures in the Linux community were Lars Wirzenius and Joey Hess. So when the former offered us an interview with the latter, we were quick to accept. Click below (subscribers only) for Joey's views on his departure from Debian, Haskell development, off-the-grid living, and more.
Debian has updated kernel (multiple vulnerabilities, including one from 2013). Debian-LTS has updated isc-dhcp (denial of service), passenger (environment variable injection), and srtp (denial of service). openSUSE has updated mbedtls (42.1: signature forgery), perl-Module-Signature (13.2, 13.1: multiple vulnerabilities), and polarssl (13.2: signature forgery). Red Hat has updated kernel (RHEL5: two remote denial of service vulnerabilities) and kernel (RHEL6.2: two denial of service vulnerabilities). SUSE has updated samba (SLE11SP4, SLE11SP3: multiple vulnerabilities) and kernel (SLE12: multiple vulnerabilities).
Perception Point discloses a use-after-free vulnerability in the kernel's keyring subsystem; it is exploitable for local privilege escalation. "If a process causes the kernel to leak 0x100000000 references to the same object, it can later cause the kernel to think the object is no longer referenced and consequently free the object. If the same process holds another legitimate reference and uses it after the kernel freed the object, it will cause the kernel to reference deallocated, or a reallocated memory. This way, we can achieve a use-after-free, by using the exact same bug from before. A lot has been written on use-after-free vulnerability exploitation in the kernel, so the following steps wouldn’t surprise an experienced vulnerability researcher." This bug, introduced in 3.8, looks like a good one to patch quickly; of course, for vast numbers of users of mobile and embedded systems, that may not be an option.
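To make the mechanism in that quote concrete, here is an added example (neither Perception Point's code nor the kernel's) of a reference counter that wraps next to one that saturates. The counter is deliberately 16 bits wide so the wrap needs 65,535 leaked references rather than the 0x100000000 a 32-bit counter needs; everything else has the same shape as the keyring bug: a legitimate holder, a leak path that takes references it never drops, and a put that frees at zero.

```c
/*
 * Added example: reference-count wrap turning a leak into a
 * use-after-free, and the saturating counter that prevents it.
 * Toy code, not the kernel's keyring implementation.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 16-bit counter so the wrap happens after 65536 increments (assumption
 * made for speed; the real bug needed 2^32 on a 32-bit counter). */
typedef uint16_t refcnt_t;
#define REFCNT_MAX ((refcnt_t)~(refcnt_t)0)

struct object {
    refcnt_t refs;
    bool freed;      /* stand-in for the allocator: set when "freed" */
};

/* Plain counter: increments wrap silently, and zero means "free it". */
static void get_plain(struct object *o) { o->refs++; }
static void put_plain(struct object *o)
{
    if (--o->refs == 0)
        o->freed = true;
}

/* Saturating counter: once pinned at the maximum it never moves again,
 * so an overflow becomes a memory leak instead of a dangling pointer. */
static void get_saturating(struct object *o)
{
    if (o->refs != REFCNT_MAX)
        o->refs++;
}
static void put_saturating(struct object *o)
{
    if (o->refs == REFCNT_MAX)
        return;                 /* pinned: leak, never free */
    if (--o->refs == 0)
        o->freed = true;
}

/*
 * Replay the bug. Two legitimate holders exist (the attacking process
 * and some other kernel path); the attacker then drives a leak path
 * enough times to wrap the counter back to 1. When the other holder
 * drops its reference the counter hits zero and the object is freed
 * while the attacker still holds a pointer to it.
 * Returns true if the object was freed out from under a live holder.
 */
bool simulate(bool saturating)
{
    struct object o = { .refs = 0, .freed = false };
    void (*get)(struct object *) = saturating ? get_saturating : get_plain;
    void (*put)(struct object *) = saturating ? put_saturating : put_plain;

    get(&o);                /* reference held by the attacking process */
    get(&o);                /* reference held elsewhere in the kernel */

    /* Leaked references: with the plain counter 2 + 65535 wraps to 1. */
    for (uint32_t i = 0; i < (uint32_t)REFCNT_MAX; i++)
        get(&o);

    put(&o);                /* the other holder releases its reference */

    /* The attacker's reference is still live; if freed, any use is a UAF. */
    return o.freed;
}

int main(void)
{
    printf("plain counter:      freed while referenced = %s\n",
           simulate(false) ? "yes (use-after-free)" : "no");
    printf("saturating counter: freed while referenced = %s\n",
           simulate(true) ? "yes (use-after-free)" : "no");
    return 0;
}
```

simulate(false) reports the object freed while a reference is still held, which is the use-after-free the write-up describes; simulate(true) does not, because the pinned counter can never reach zero again. Trading a bounded leak for a dangling pointer is the same choice the kernel later made with refcount_t.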
Here is a long and detailed post from Andy Wingo on how he improved numerical performance in the Guile language by carefully removing runtime type information ("unboxing"). "If Guile did native compilation, it would always be a win to unbox any integer operation, if only because you would avoid polymorphism or any other potential side exit. For bignums that are within the unboxable range, the considerations are similar to the floating-point case: allocation costs dominate, so unboxing is almost always a win, provided that you avoid double-boxing. Eliminating one allocation can pay off a lot of instruction dispatch."
Swapnil Bhartiya takes a look at Mycroft AI and talks with CTO Ryan Sipes, on Linux.com. "Earlier this month, the developers released the Adapt intent parser as open source. When many people look at Mycroft, they think voice recognition is the important piece, but the brain of Mycroft is the Adapt intent. It takes natural language, analyzes the ultimate sentence, and then decides what action needs to be taken. That means when someone says “turn the lights off in the conference room,” Adapt grabs the intent “turn off” and identifies the entity as “conference room.” So, it makes a decision and then reaches out to whatever device is controlling the lights in the conference rooms and tells it to turn them off. That’s complex work. And, the Mycroft developers just open sourced the biggest and most powerful piece of their software."
Version 1.2 of the MyPaint natural-media-painting application has been released. Changes include new tools for smooth-stroke inking and flood filling, automatic file backup and recovery, the ability to group layers, and GTK+3 support. Ubuntu packages are already available through the project's official testing PPA; builds will follow shortly for other distributions and platforms. In the meantime, source bundles are provided at the project's GitHub page.
Core Bitcoin developer Mike Hearn writes that the Bitcoin experiment has failed. "In a company, someone who did not share the goals of the organisation would be dealt with in a simple way: by firing him. But Bitcoin Core is an open source project, not a company. Once the 5 developers with commit access to the code had been chosen and Gavin [Andresen] had decided he did not want to be the leader, there was no procedure in place to ever remove one. And there was no interview or screening process to ensure they actually agreed with the project’s goals." If Bitcoin is indeed failing as the article says, it's failing due to project governance issues rather than technical or regulatory problems.
Over at Opensource.com, VM (Vicky) Brasseur and Josh Berkus give advice to conference organizers on how they can improve their conferences for attendees. There are ten different areas they address, including "Clear communications", "Have a Code of Conduct (and train staff on what that means)", "Fix your darn badges", and "Working Wi-Fi (here be dragons)". "When asked, attendees have a lot of strong opinions on the subject of conference badges, and the majority of those opinions are not positive. Badges serve multiple purposes, but the single most important one is allowing attendees to identify each other. Yet, despite that, few conference badges do a good job of performing this one deceptively simple duty."