Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 08:45
Security updates for Monday
Arch Linux has updated firefox (multiple vulnerabilities).
CentOS has updated mercurial (C7: two vulnerabilities).
Debian has updated botan1.10 (multiple vulnerabilities), chromium-browser (multiple vulnerabilities), poppler (code execution), and tardiff (two vulnerabilities).
Debian-LTS has updated botan1.10 (multiple vulnerabilities), gdk-pixbuf (two vulnerabilities), mysql-5.5 (multiple vulnerabilities), poppler (code execution), and subversion (two vulnerabilities).
Fedora has updated ansible (F23; F22: code execution), firefox (F23: multiple vulnerabilities), gd (F23: code execution), openvas-cli (F23: cross-site scripting), openvas-gsa (F23: cross-site scripting), openvas-libraries (F23: cross-site scripting), openvas-manager (F23: cross-site scripting), openvas-scanner (F23: cross-site scripting), roundcubemail (F23; F22: multiple vulnerabilities), and xen (F23; F22: multiple vulnerabilities).
Mageia has updated chromium-browser-stable (multiple vulnerabilities), firefox (multiple vulnerabilities), pgpdump (denial of service), php (multiple vulnerabilities), php-ZendFramework (multiple vulnerabilities), and roundcubemail (three vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL7: multiple vulnerabilities), mercurial (RHEL7: two vulnerabilities), and rh-mysql56-mysql (RHSCL: multiple vulnerabilities).
Slackware has updated ntp (multiple vulnerabilities), php (multiple vulnerabilities), and subversion (two vulnerabilities).
Ubuntu has updated ubuntu-core-launcher (16.04: code execution).
A guide to inline assembly code in GCC
The "linux-insides" series of articles has gained an overview of inline assembly in GCC. "I've decided to write this to consolidate my knowledge related to inline assembly here. As inline assembly statements are quite common in the Linux kernel and we may see them in linux-insides parts sometimes, I thought that it would be useful if we would have a special part which contains descriptions of the more important aspects of inline assembly. Of course you may find comprehensive information about inline assembly in the official documentation, but I like the rules all in one place."
Kernel prepatch 4.6-rc6
The 4.6-rc6 kernel prepatch is out. Linus says: "Things continue to be fairly calm, although I'm pretty sure I'll still do an rc7 in this series." As of this prepatch the codename has been changed to "Charred Weasel."
Devuan Jessie beta released
The Devuan community has finally gotten a beta release out for testing. "Debian GNU+Linux [sic] is a fork of Debian without systemd, on its way to become much more than that. This Beta release marks an important milestone towards the sustainability and the continuation of Devuan as a universal base distribution."
WebExtensions in Firefox 48
At the Mozilla blog, Andy McKay announces that the browser maker has officially declared WebExtensions ready to use for add-on development. "With the release of Firefox 48, we feel WebExtensions are in a stable state. We recommend developers start to use the WebExtensions API for their add-on development." The WebExtensions support released for Firefox 48 includes improvements to the "alarms, bookmarks, downloads, notifications, webNavigation, webRequest, windows and tabs" APIs, support for a new Content Security Policy that limits where resources can be loaded from, and support in Firefox for Android. LWN looked at the WebExtensions API in December.
Friday's security updates
Debian has updated subversion (multiple vulnerabilities).
Fedora has updated i7z (F23: denial of service).
openSUSE has updated php5 (Leap 42.1: multiple vulnerabilities).
SUSE has updated ntp (SLE11; SLE12: multiple vulnerabilities).
The ACM 2015 technical awards
The Association for Computing Machinery has announced the recipients of its 2015 technical awards. They are Brent Waters, Michael Luby, Eric Horvitz, and: "Richard Stallman, recipient of the ACM Software System Award for the development and leadership of GCC (GNU Compiler Collection), which has enabled extensive software and hardware innovation, and has been a lynchpin of the free software movement."
X.Org votes to join SPI
The results of the X.Org election are in. There were two things up for a vote: four seats on the board of directors and amending the bylaws to join Software in the Public Interest (SPI). Unlike last year's election, this year's vote met the required 2/3 approval to join SPI (61 voters out of 65 members, with 54 voting "Yes", 4 "No", and 3 "Abstain"). In addition, Egbert Eich, Alex Deucher, Keith Packard, and Bryce Harrington were elected to the board.
Security updates for Thursday
CentOS has updated firefox (C6; C5: multiple vulnerabilities).
Debian has updated iceweasel (multiple vulnerabilities) and php5 (multiple vulnerabilities).
Fedora has updated kernel (F23: two vulnerabilities) and libtasn1 (F22: denial of service).
openSUSE has updated php5 (13.2: multiple vulnerabilities, including one from 2014).
SUSE has updated php5 (SLE12: multiple vulnerabilities, including one from 2014).
Ubuntu has updated libsoup2.4 (16.04, 15.10, 14.04: regression in previous update), oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities), php5 (15.10: regression in previous update), and thunderbird (multiple vulnerabilities).
[$] LWN.net Weekly Edition for April 28, 2016
The LWN.net Weekly Edition for April 28, 2016 is available.
Firefox 46.0
Firefox 46.0 has been released, featuring improved security of the JavaScript Just In Time (JIT) Compiler and GTK3 integration. See the release notes for more details.
Security advisories for Wednesday
CentOS has updated firefox (C7: multiple vulnerabilities).
Debian has updated mysql-5.5 (multiple vulnerabilities) and openjdk-7 (multiple vulnerabilities).
Fedora has updated rpm (F23: two vulnerabilities) and xstream (F23; F22: enabled processing of external entities).
Gentoo has updated libksba (three vulnerabilities) and wireshark (multiple vulnerabilities).
Mageia has updated libgd (code execution), samba (multiple vulnerabilities), w3m (denial of service), and wireshark (multiple vulnerabilities).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).
Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities).
Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities).
Slackware has updated firefox (multiple vulnerabilities).
Ubuntu has updated firefox (multiple vulnerabilities).
GCC 6.1 Released
Version 6.1 of the GCC compiler suite is out. Changes in this release include defaulting to the C++14 standard, improved diagnostic output, full support for OpenMP 4.5, better optimization, and more; see the changelog for a full list.
New functional programming language can generate C, Python code for apps (InfoWorld)
InfoWorld introduces Futhark, an open source functional programming language designed for creating code that runs on GPUs. It can automatically generate both C and Python code to be integrated with existing apps. "Most GPU programming involves using frameworks like OpenCL or CUDA, both of which use variations of C or C++ to generate code that runs on the GPU. Futhark can generate C code, but is its own language, more similar to Haskell or Standard ML than C. (Futhark is itself written in Haskell.) Futhark's creators claim that the expressiveness of the language makes it easier to describe complex operations that use parallelism. This includes the ability to support nested parallelizations (parallel operations inside other parallel operations). Futhark can do this "despite the complexities of efficiently mapping to the flat parallelism supported by hardware, as a great many programs depend on this feature," say the language's creators."
Tuesday's security updates
CentOS has updated nspr (C5: two vulnerabilities), nss (C5: two vulnerabilities), nspr (C7: two vulnerabilities), nss (C7: two vulnerabilities), nss-softokn (C7: two vulnerabilities), and nss-util (C7: two vulnerabilities).
Fedora has updated ansible1.9 (F23; F22: code execution), golang (F23; F22: denial of service), gsi-openssh (F23; F22: command injection), mingw-poppler (F23; F22: code execution), mod_nss (F23; F22: invalid handling of +CIPHER operator), and webkitgtk4 (F22: multiple vulnerabilities).
openSUSE has updated flash-player (11.4: code execution).
Oracle has updated nss and nspr (OL5: two vulnerabilities) and nss, nspr, nss-softokn, and nss-util (OL7: three vulnerabilities).
Scientific Linux has updated nss, nspr, nss-softokn, nss-util (SL7: two vulnerabilities).
SUSE has updated php53 (SLE11-SP4: multiple vulnerabilities), portus (SLEM12: multiple vulnerabilities), and xen (SLES11-SP2: multiple vulnerabilities).
Finding a new home for Thunderbird
The Mozilla Foundation has (in the guise of Gervase Markham) posted an update on the process of spinning off the Thunderbird mail client as a separate project. As part of that, they engaged Simon Phipps to write up a survey of possible new homes [PDF] for the project. "Having reviewed the destinations listed below together with several others which were less promising, I believe there are three viable choices for a future home for the Thunderbird Project; Software Freedom Conservancy, The Document Foundation and a new deal at the Mozilla Foundation. None of these three is inherently the best, and it is possible that over time the project might seek to migrate to a 'Thunderbird Foundation' as a permanent home (although I would not recommend that as the next step)."
Intel releases the Arduino 101 firmware source code
Arduino has announced the release of the source code for the real-time operating system (RTOS) powering the Arduino 101 and Genuino 101. "The package contains the complete BSP (Board Support Package) for the Curie processor on the 101. It allows you to compile and modify the core OS and the firmware to manage updates and the bootloader. (Be careful with this one since flashing the wrong bootloader could brick your board and require a JTAG programmer to unbrick it)." (Thanks to Paul Wise)
Security advisories for Monday
Arch Linux has updated pgpdump (denial of service), samba (multiple vulnerabilities), squid (multiple vulnerabilities), and thunderbird (two vulnerabilities).
Debian has updated imlib2 (multiple vulnerabilities) and libgd2 (code execution).
Fedora has updated java-1.8.0-openjdk (F23: multiple vulnerabilities), openssh (F23: privilege escalation), parallel (F23; F22: file overwrites), python-tgcaptcha2 (F23; F22: reusable captchas), thunderbird (F23: multiple vulnerabilities), w3m (F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities).
Mageia has updated java-1.8.0-openjdk (multiple vulnerabilities), libcryptopp (information disclosure), squid (denial of service), varnish (access control bypass), and vtun (denial of service).
openSUSE has updated Chromium (13.2; 13.1: multiple vulnerabilities) and clamav (Leap42.1: database refresh).
Red Hat has updated nss, nspr (RHEL5: two vulnerabilities) and nss, nspr, nss-softokn, nss-util (RHEL7: two vulnerabilities).
Scientific Linux has updated nss, nspr (SL5: two vulnerabilities).
SUSE has updated yast2-users (SLE12-SP1: empty password fields in /etc/shadow).
Ubuntu has updated mysql-5.7 (16.04: multiple vulnerabilities).
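The SUSE yast2-users entry above is the kind of defect a periodic audit of /etc/shadow catches. What follows is an added example (editor's code, not from LWN, SUSE or yast2-users) that parses records in the shadow(5) layout and reports accounts whose password field is empty or uses an obsolete hash scheme; the sample records are constructed and contain no real hashes.

```python
"""Flag /etc/shadow records that allow login without a password or use a
weak hash.  Added example (editor's code, not LWN's, SUSE's or yast2-users').

shadow(5) layout, nine colon-separated fields:
  name:password:lastchange:min:max:warn:inactive:expire:reserved
The password field is what matters here:
  ""          -> no password at all (the yast2-users failure above)
  "!" / "*"   -> locked or disabled account
  "$id$..."   -> modular-crypt hash; id "1" is MD5, "5"/"6" SHA-2,
                 "2b"/"y" bcrypt/yescrypt; no "$" at all is DES crypt
"""
import re
import sys

# Constructed sample records; no real hashes or hosts.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$Qm9ndXNIYXNoVmFsdWVGb3JJbGx1c3RyYXRpb25Pbmx5:16800:0:99999:7:::
daemon:*:16800:0:99999:7:::
sshd:!:16800:0:99999:7:::
alice::16800:0:99999:7:::
bob:$1$saltsalt$Qm9ndXNNRDVIYXNo:16800:0:99999:7:::
carol:!$6$abc$locked:16800:0:99999:7:::
"""

LOCKED_PREFIXES = ("!", "*")
WEAK_HASH_IDS = {"1"}            # MD5-crypt; DES (no $ prefix) is also weak
MODULAR_CRYPT = re.compile(r"^\$([^$]+)\$")


def classify_password_field(field):
    """Return 'empty', 'locked', 'weak' or 'ok' for one shadow password field."""
    if field == "":
        return "empty"
    if field.startswith(LOCKED_PREFIXES):
        return "locked"
    m = MODULAR_CRYPT.match(field)
    if m is None or m.group(1) in WEAK_HASH_IDS:
        return "weak"
    return "ok"


def audit_shadow(text):
    """Parse shadow-format text and return [(user, verdict), ...] for every
    record that is empty, weak, or not parseable.  Locked and 'ok' records
    are not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append((f"line {lineno}", "malformed"))
            continue
        user, password = fields[0], fields[1]
        verdict = classify_password_field(password)
        if verdict in ("empty", "weak"):
            findings.append((user, verdict))
    return findings


if __name__ == "__main__":
    # Run against a real file with: python3 shadow_audit.py /etc/shadow (needs root)
    source = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(source).read() if source else SAMPLE_SHADOW
    for user, verdict in audit_shadow(data):
        print(f"{user}: {verdict}")
```

On the constructed sample this reports alice (empty) and bob (MD5-crypt). Whether an empty field actually grants a passwordless login depends on the PAM configuration (the nullok option) and, for SSH, on PermitEmptyPasswords, so a hit is something to fix rather than proof of exposure; locked accounts ("!" or "*") are deliberately not reported.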
Kernel prepatch 4.6-rc5
Linus has released the 4.6-rc5 kernel prepatch. "Things continue to be fairly calm: rc5 is bigger than rc4 was, but rc4 really was tiny. And while we're back to fairly normal commit counts for this time in the release window, the kinds of bugs people are finding remain very low grade: there's absolutely nothing scary in here. If things continue this way, this might be one of those rare releases that don't even get to rc7."
Rintel: Network Manager 1.2 is here
At his blog, Lubomir Rintel highlights some of the changes found in the new 1.2 release of Network Manager, the network-configuration utility suite shipped by many Linux distributions. High on the list are privacy improvements; the post notes that "the identity of a mobile host can also leak via Wi-Fi hardware addresses. A common way to solve this is to use random addresses when scanning for available access points, which is what NetworkManager now does (with a recent enough version of wpa_supplicant). The actual hardware address is used only after the device is associated to an access point." Network Manager can also now be used to manage tun, tap, macvlan, vxlan and IP tunnel software devices, and can run multiple VPN modules simultaneously. In addition, support for several hardware device classes was split into loadable modules, which will reduce memory overhead.
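How such a scanning address is formed is not spelled out in the post. The following added example (editor's code, not NetworkManager's or wpa_supplicant's) builds one from the IEEE 802 address rules, which are an assumption taken from the standard rather than from the post: in the first octet, bit 0x01 set means multicast and bit 0x02 set means locally administered, so a usable scan address clears the first, sets the second, and randomizes everything else.

```python
"""Build and check random, locally administered unicast MAC addresses of the
kind used for Wi-Fi scan randomization.  Added example; not NetworkManager
or wpa_supplicant code.

IEEE 802 first-octet bits (assumed here, from the standard, not from the post):
  0x01  I/G bit: 1 = group (multicast), 0 = individual (unicast)
  0x02  U/L bit: 1 = locally administered, 0 = globally unique (vendor OUI)
A scan address must be unicast and, to stay out of vendor OUI space and
never collide with the real burned-in address, locally administered.
"""
import secrets


def random_scan_mac(rng=secrets.token_bytes):
    """Return a random MAC with the U/L bit set and the I/G bit clear.
    rng(n) must return n bytes; it is injectable so the result can be tested."""
    octets = bytearray(rng(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def parse_mac(text):
    """Parse aa:bb:cc:dd:ee:ff into 6 bytes; raises ValueError on bad input."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 6-octet MAC: {text!r}")
    return bytes(int(p, 16) for p in parts)


def is_unicast(text):
    return (parse_mac(text)[0] & 0x01) == 0


def is_locally_administered(text):
    return (parse_mac(text)[0] & 0x02) != 0


def is_valid_scan_mac(text, hardware_mac=None):
    """True if text is a unicast, locally administered address that also
    differs from the permanent hardware address (when one is given)."""
    if not (is_unicast(text) and is_locally_administered(text)):
        return False
    return hardware_mac is None or parse_mac(text) != parse_mac(hardware_mac)


if __name__ == "__main__":
    mac = random_scan_mac()
    # "00:11:22:33:44:55" is a made-up hardware address for the demo
    print(mac, is_valid_scan_mac(mac, hardware_mac="00:11:22:33:44:55"))
```

The randomized address only hides the device while scanning; once associated, the post notes, the real hardware address is used, so this does not make a connected client anonymous to the access point.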
Friday's security updates
CentOS has updated java-1.7.0-openjdk (C6; C5; C7: multiple vulnerabilities) and java-1.8.0-openjdk (C6; C7: multiple vulnerabilities).
Debian has updated varnish (access control bypass) and xen (multiple vulnerabilities).
Fedora has updated drupal7-block_class (F23; F22: cross-site scripting), glpi (F23; F22: SQL injection), libtasn1 (F23: denial of service), and springframework-amqp (F22: code execution).
Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), imlib2 (M5: code execution), lha (M5: buffer overflow), and poppler (M5: denial of service).
Oracle has updated java-1.7.0-openjdk (O7; O6; O5: multiple vulnerabilities).
Red Hat has updated java-1.6.0-sun (RHEL 5,6,7: multiple vulnerabilities), java-1.7.0-openjdk (RHEL 5,7; RHEL6: multiple vulnerabilities), java-1.7.0-oracle (RHEL 5,6,7: multiple vulnerabilities), and java-1.8.0-oracle (RHEL 6,7: multiple vulnerabilities).
Scientific Linux has updated java-1.7.0-openjdk (SL 5,7; SL6: multiple vulnerabilities).
Ubuntu has updated mysql-5.5, mysql-5.6 (12.04, 14.04, 15.10: multiple vulnerabilities) and php5 (12.04, 14.04, 15.10: multiple vulnerabilities).
Ubuntu 16.04 LTS (Xenial Xerus) released
The Ubuntu team has announced the release of Ubuntu 16.04 LTS for Desktop, Server, Cloud, and Core. "Ubuntu 16.04 LTS is the first long-term support release available for the new "s390x" architecture for IBM LinuxONE and z Systems, as well as introducing the new Ubuntu MATE community flavour." Joining Ubuntu in this release are the flavors Kubuntu, Lubuntu, Mythbuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu. Maintenance updates will be provided for 5 years for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, Ubuntu Core, and Ubuntu Kylin. All the remaining flavors will be supported for 3 years.
Three new stable kernel releases
Greg Kroah-Hartman has released the latest batch of stable kernels: 4.5.2, 4.4.8, and 3.14.67. Each contains updates and fixes throughout the tree.
Thursday's security updates
Fedora has updated springframework-amqp (F23: code execution).
openSUSE has updated giflib (13.2; 13.1: denial of service) and xerces-c (Leap 42.1: code execution).
Oracle has updated java-1.8.0-openjdk (O7; O6: multiple vulnerabilities).
Red Hat has updated java-1.8.0-openjdk (RHEL6; RHEL7: multiple vulnerabilities).
Scientific Linux has updated java-1.8.0-openjdk (SL6; SL7: multiple vulnerabilities).
[$] LWN.net Weekly Edition for April 21, 2016
The LWN.net Weekly Edition for April 21, 2016 is available.
Introducing open source DC/OS
Mesosphere has announced the release of DC/OS under the Apache License 2.0. "DC/OS derives from Mesosphere’s Datacenter Operating System, a commercial product built around Apache Mesos. Open sourcing DCOS has always been part of our strategic roadmap and we’re proud to have collaborated with our launch partners for today’s unveiling. DC/OS is a software platform that’s 100 percent open source, comprised of more than 30 component technologies, including Apache Mesos and Marathon. Some of the technologies were always open source, including Mesos, while others were previously proprietary code developed by Mesosphere, such as the GUI and our Minuteman load balancer." Over 60 partner companies participated in the open source release.
Security advisories for Wednesday
Fedora has updated kernel (F23: three vulnerabilities).
openSUSE has updated apparmor (13.1: profile updates), samba (13.1; 11.4: multiple vulnerabilities), and tiff (13.1: denial of service).
SUSE has updated samba (SLES10-SP4: three vulnerabilities) and kernel (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated firefox (regressions in previous update).
[$] Persistent-memory error handling
One of the key advantages of persistent memory is that it is, for lack of a better word, persistent; data stored there will be available for recall in the future, regardless of whether the system has remained up in the meantime. But, like memory in general, persistent memory can fail for a number of reasons and, given the quantities in which it is expected to be deployed, failures are a certainty. How should the operating system and applications deal with errors in persistent memory? One of the first plenary sessions at the 2016 Linux Storage, Filesystem, and Memory-Management Summit, led by Jeff Moyer, took on this question.
Tuesday's security updates
Fedora has updated libreswan (F22: denial of service).
openSUSE has updated systemd (13.2: two vulnerabilities).
The Android Security 2015 Annual Report
Google has announced the availability of the Android security 2015 year in review [PDF]. "Android’s open source model has also allowed device manufacturers to introduce new security capabilities. Samsung KNOX, for example, has taken advantage of unique hardware capabilities to strengthen the root of trust on Samsung devices. Samsung has also introduced new kernel monitoring capabilities on their Android devices. Samsung is not unique in their contributions to the Android ecosystem. Blackberry has worked to enhance the security of their devices by enabling kernel hardening and other features in the Blackberry PRIV. CopperheadOS has both introduced security improvements to their own version of Android and made significant contributions to the Android Open Source Project. These are just some of the various contributions made possible through open sourcing that improved the Android ecosystem in 2015."
Schaller: Fedora Workstation Phase 1 – Homestretch
Christian Schaller celebrates the completion of the (informal) first phase of the Fedora Workstation project. "Another major piece of engineering that is coming to a close is moving major applications such as Firefox, LibreOffice and Eclipse to GTK3. This was needed both to get these applications able to run natively on Wayland, but it also enabled us to make them work nicely for HiDPI. This has also played out into how GTK3 has positioned itself, which is to be a toolkit dedicated to pushing the Linux desktop forward and helping that quickly adapt and adopt to changes in the technology landscape."
Garrett: Remembering David MacKay
Matthew Garrett remembers David MacKay, shortly after his passing. "I was already aware of the importance of free software in terms of developers, but working with David made it clear to me how important it was to users as well. A community formed around Dasher, helping us improve it and allowing us to develop support for new use cases that made the difference between someone being able to type at two words per minute and being able to manage twenty. David saw that this collaborative development would be vital to creating something bigger than his original ideas, and it succeeded in ways he couldn't have hoped for." (Thanks to Paul Wise)
Security updates for Monday
Arch Linux has updated chromium (multiple vulnerabilities) and libtasn1 (denial of service).
Debian has updated fuseiso (two vulnerabilities), openssh (privilege escalation), and tomcat7 (multiple vulnerabilities).
Fedora has updated firefox (F23: multiple vulnerabilities) and xerces-c (F22: code execution).
openSUSE has updated Chromium (Leap42.1; 13.1: multiple vulnerabilities), gcc5 (Leap42.1: predictable random values), krb5 (Leap42.1: null pointer dereference), mercurial (Leap42.1: three vulnerabilities), optipng (Leap42.1; 13.2: three vulnerabilities), perl-YAML-LibYAML (Leap42.1: three vulnerabilities, one from 2013), samba (13.2: multiple vulnerabilities), and tiff (13.2: denial of service).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Slackware has updated thunderbird (multiple vulnerabilities) and samba (multiple vulnerabilities).
SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities) and openssl (SOSC5&SM2.1: multiple vulnerabilities).
Ubuntu has updated optipng (multiple vulnerabilities) and samba (multiple vulnerabilities).
How Badlock was discovered and fixed
This post on the Red Hat Enterprise Linux blog describes the discovery and repair of the "Badlock" vulnerability. One begins to understand a little better why it took as long as it did. "The code was rewritten; in March 2016 the changes needed to fix all eight CVEs amounted to about 200 individual patches against a development version of Samba, with about half of those responsible for fixing CVE-2015-5370. When backported to previous stable Samba versions, they needed an additional hundred patches. For the oldest supported Samba version — about four hundred patches. What started as an individual snowflake became an avalanche but it wasn’t finished yet."
[$] Maru: a pocket desktop
It appears to be widely accepted that the Linux desktop has achieved limited success at best, while the Linux palmtop — in the form of Android — has been wildly successful. The two classes of systems are generally thought of as being quite different, but it is worth remembering that the handsets we carry now have more computing power than the desktop systems we were using in the recent past. Given the right peripherals, an Android handset should be more than capable of providing a reasonable desktop experience. The Maru distribution is an experiment intended to prove that point by turning a smartphone device into a portable Debian desktop.
Kernel prepatch 4.6-rc4
The 4.6-rc4 kernel prepatch is out for testing. "So there really isn't anything particularly interesting here. Just like I like it in the rc series. Let's hope it stays that way."
Brauch: Processing scientific data in Python and numpy, but doing it fast
On his blog, Sven Brauch has some suggestions on how to use NumPy to process scientific data and how to avoid some pitfalls that will ruin its performance. "In general, copying data is cheap. But if your program simulates 25 million particles, each having a float64 location in 3d, you already have 8*3*25e6 = 600 MB of data. Thus, if you write r = r + v*dt, you will copy 1.2 GB of data around in memory: once 600 MB to calculate v*dt, and again to calculate r+(v*dt), and only then the result is written back to r. This can really become a major bottleneck if you aren’t careful. Fortunately, it is usually easy to circumvent; instead of writing r = r+dv, write r += dv. Instead of a = 3*a + b, write a *= 3; a += b. This avoids the copying completely. For calculating v*dt and adding it to r, the situation is a bit more tricky; one good idea is to just have the unit of v be such that you don’t need to multiply by dt. If that is not possible, it might even be worth it to keep a copy of v which is multiplied by dt already, and update that whenever you update v. This is advantageous if only few v values change per step of your simulation. I would not recommend writing it like this everywhere though, it’s often not worth the loss in readability; just for really large arrays and when the code is executed frequently."
Costa: Designing a Userspace Disk I/O Scheduler for Modern Datastores: the Scylla example (Part 1)
Over at the Scylla blog, Glauber Costa looks at why a high-performance datastore application might want to do its own I/O scheduling. "If one is using a threaded approach for managing I/O, a thread can be assigned to a different priority group by tools such as ionice. However, ionice only allows us to choose between general concepts like real-time, best-effort and idle. And while Linux will try to preserve fairness among the different actors, that doesn’t allow any fine tuning to take place. Dividing bandwidth among users is a common task in network processing, but it is usually not possible with disk I/O without resorting to infrastructure like cgroups. More importantly, modern designs like the Seastar framework used by Scylla to build its infrastructure may stay away from threads in favor of a thread-per-core design in the search for better scalability. In the light of these considerations, can a userspace application like Scylla somehow guarantee that all actors are served according to the priorities we would want them to obey?"
Friday's security advisories
Arch Linux has updated lhasa (code execution).
Debian has updated chromium-browser (multiple vulnerabilities).
Fedora has updated cryptopp (F24: information disclosure), libtasn1 (F24: denial of service), poppler (F23: code execution), qpid-proton (F23: TLS to plaintext downgrade), and samba (F24: multiple vulnerabilities).
openSUSE has updated java-1_7_0-openjdk (13.1: sandbox bypass).
Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)
Over at the Freedom to Tinker blog, guest poster Vitaly Shmatikov, who is a professor at Cornell Tech, writes about his study [PDF] of what URL shortening means for the security and privacy of cloud services. "TL;DR: short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices. We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments."
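The post's argument is arithmetic: a six-character token space is small enough to walk. The following added example (editor's code, not from the post or the study) makes that concrete and shows what a non-enumerable token looks like; the 62-character alphabet and the scan rates are illustrative assumptions, not figures from the paper.

```python
"""Quantify how brute-forceable a short-URL token space is, and what a
non-enumerable token looks like.  Added example (editor's code, not from the
Freedom to Tinker post or the study); the request rates are illustrative
assumptions, and the token alphabet is assumed to be [A-Za-z0-9] (62 symbols).
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random token of this length, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_enumerate(length, requests_per_second, alphabet_size=len(ALPHABET)):
    """Worst-case time for a scanner at the given rate to try every token.
    A scanner does not need the whole space: live links turn up in
    proportion to the fraction of the space that is in use."""
    return keyspace(length, alphabet_size) / requests_per_second


def token_length_for(bits, alphabet_size=len(ALPHABET)):
    """Smallest token length with at least the requested entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def unguessable_token(bits=128):
    """A random token from the OS CSPRNG with at least the requested entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(token_length_for(bits)))


def scan_table(lengths, requests_per_second):
    """{length: (entropy_bits, days_to_enumerate)} for a given scan rate."""
    return {
        n: (round(entropy_bits(n), 1),
            round(seconds_to_enumerate(n, requests_per_second) / 86400, 1))
        for n in lengths
    }


if __name__ == "__main__":
    rate = 1000  # assumed: requests per second from one modest scanner
    for n, (bits, days) in scan_table((5, 6, 7, 8), rate).items():
        print(f"{n} chars: {bits:5.1f} bits, {days:>12,.1f} days at {rate}/s")
    print("128-bit token:", unguessable_token())
```

A six-character token carries about 36 bits; at an assumed 1000 requests per second the entire space takes under two years and a useful fraction of it days, and a scanner can spread that load across many source addresses, so rate limiting alone does not change the arithmetic. A token that is actually unguessable is 22 characters from this alphabet for 128 bits, which is the length the generator above produces.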
Security updates for Thursday
Debian has updated samba (multiple vulnerabilities) and samba (regression in previous update).
Fedora has updated samba (F23; F22: multiple vulnerabilities).
Mageia has updated apache-commons-collections (code execution), imlib2 (three vulnerabilities), mercurial (three vulnerabilities), optipng (two vulnerabilities), postgresql (two vulnerabilities), python-pillow (code execution), and thunderbird (unspecified).
openSUSE has updated lhasa (42.1; 13.2: code execution) and quagga (password disclosure).
SUSE has updated samba (SLE11SP2: multiple vulnerabilities).
[$] LWN.net Weekly Edition for April 14, 2016
The LWN.net Weekly Edition for April 14, 2016 is available.
Security advisories for Wednesday
CentOS has updated samba (C6; C5: multiple vulnerabilities), ipa (C7; C6: multiple vulnerabilities), libldb (C7; C6: multiple vulnerabilities), libtalloc (C7; C6: multiple vulnerabilities), libtdb (C7; C6: multiple vulnerabilities), libtevent (C7; C6: multiple vulnerabilities), openchange (C7; C6: multiple vulnerabilities), samba (C7: multiple vulnerabilities), samba4 (C6: multiple vulnerabilities), and samba3x (C5: multiple vulnerabilities).
Fedora has updated imlib2 (F23: two vulnerabilities), libreswan (F23: denial of service), and xerces-c (F23: code execution).
openSUSE has updated mercurial (13.2: three vulnerabilities) and samba (Leap42.1: multiple vulnerabilities).
Oracle has updated samba (OL6; OL5: multiple vulnerabilities), samba and samba4 (OL7; OL6: multiple vulnerabilities), and samba3x (OL5: multiple vulnerabilities).
Red Hat has updated samba (RHEL7.1; RHEL6; RHEL6.2,6.4,6.5,6.6; RHEL5; RHEL5.6,5.9; RHEL4: multiple vulnerabilities), samba, samba4 (RHEL6,7: multiple vulnerabilities), samba3x (RHEL5; RHEL5.6,5.9: multiple vulnerabilities), and samba4 (RHEL6.2,6.5,6.6: multiple vulnerabilities).
Scientific Linux has updated samba (SL6; SL5: multiple vulnerabilities), samba, samba4 (SL6,7: multiple vulnerabilities), and samba3x (SL5: multiple vulnerabilities).
SUSE has updated samba (SLE12-SP1; SLE12; SLE11-SP4,SP3: multiple vulnerabilities) and kernel (SLE12-SP1: multiple vulnerabilities).
CoreOS "Ignition" released
CoreOS has announced the release of its "Ignition" provisioning tool. "At the most basic level, Ignition is a tool for manipulating disks during early boot. This includes partitioning disks, formatting partitions, writing files, and configuring users." It runs as the first process — before systemd — to get the system into the proper shape before the ordinary boot process takes over.
[$] OpenBMC, a distribution for baseboard management controllers
The Intelligent Platform Management Interface (IPMI) is a set of system-management-and-monitoring APIs typically implemented on server motherboards via an embedded system-on-chip (SoC) that functions completely outside of the host system's BIOS and operating system. While it is intended as a convenience for those who must manage dozens or hundreds of servers in a remote facility, IPMI has been called out for its potential as a serious hole in server security. At the 2016 Embedded Linux Conference in San Diego, Tian Fang presented Facebook's recent work on OpenBMC, a Linux distribution designed to replace proprietary IPMI implementations with an open-source alternative built around standard facilities like SSH.
Stable kernel updates
Stable kernels 4.5.1, 4.4.7, and 3.14.66 have been released. All of them contain important fixes throughout the tree.
The "Badlock" vulnerability
The details for the "Badlock" vulnerability in the SMB/DCE-RPC protocol have finally been disclosed, along with the obligatory logo and domain name; there is no word on the availability of hats and T-shirts yet. It is a man-in-the-middle attack that can allow an attacker to access files in an SMB share, or gain access to Active Directory administrative tools, with the permissions of the intercepted user. "Please update your systems. We are pretty sure that there will be exploits soon. Engineers at Microsoft and the Samba Team worked together during the past months to get this problem fixed."
Let's Encrypt is no longer "beta"
The Let's Encrypt project, which is working to enable encrypted communications across the web, has announced that it has gained more sponsors and no longer considers itself to be in a "beta" state. "Since our beta began in September 2015 we’ve issued more than 1.7 million certificates for more than 3.8 million websites. We’ve gained tremendous operational experience and confidence in our systems. The beta label is simply not necessary any more."
Tuesday's security updates
Debian has updated didiwiki (regression in previous update) and imagemagick (multiple vulnerabilities).
openSUSE has updated cairo (13.2: denial of service), clamav-database (Leap42.1: database refresh), java-1_7_0-openjdk (Leap42.1: sandbox bypass), java-1_8_0-openjdk (Leap42.1: sandbox bypass), and kernel (Leap42.1: multiple vulnerabilities).
Red Hat has updated kernel (RHEL6.6: memory leak) and openvswitch (RHOSE3.1: code execution).
SUSE has updated mercurial (SLESDK12-SP1; SLESDK11-SP4: three vulnerabilities).
Ubuntu has updated linux-lts-utopic (14.04: regression in previous update).
FSF: Interpreting, enforcing and changing the GNU GPL, as applied to combining Linux and ZFS
Richard Stallman looks at the GPL and how it is incompatible with the CDDL (Common Development and Distribution License), which is the license used by ZFS. "Likewise, the copyright holders of ZFS (the version that is actually used) can give permission to use it under the GNU GPL, version 2 or later, in addition to any other license. This would make it possible to combine that version with Linux without violating the license of Linux. This would be the ideal resolution and we urge the copyright holders of ZFS to do so. Some copyright holders choose not to enforce their licenses in specific situations. That enables users to operate as if permission were granted. However, this does not alter the meaning of the GNU GPL, and does not cause uses that the GPL disallows to either suddenly or slowly become permitted by the GPL. Such acquiescence is not the case in regard to linking Linux and ZFS; indeed, some Linux copyright holders have said they consider this copyright infringement. We have explained above the reasons why that is so."