LWN.net

The LWN.net Weekly Edition for December 24, 2015 is available.

Dustin Kirkland feelsthat Ubuntu users have been undercounted, and so has put together acensus of his own. "Ever watch a movie on Netflix? You were servedby Ubuntu. Ever hitch a ride with Uber or Lyft? Your mobile app istalking to Ubuntu servers on the backend. Did you enjoy watching TheHobbit? Hunger Games? Avengers? Avatar? All rendered on Ubuntu at WETADigital." In the end, he says, there are over one billion Ubuntuusers.

Arch Linux has updated claws-mail (code execution).CentOS has updated qemu-kvm (C6: two vulnerabilities).Debian has updated libxml2 (multiple vulnerabilities).Fedora has updated kernel (F23:three vulnerabilities), subversion (F23:code execution), and xen (F23: three vulnerabilities).openSUSE has updated Chromium (Leap42.1, 13.2, 13.1; SPH for SLE12: code execution), compat-openssl098 (Leap42.1: memory leak), andquassel (Leap42.1, 13.2, 13.1: denial of service).Oracle has updated qemu-kvm (OL6:two vulnerabilities).Red Hat has updated qemu-kvm(RHEL6: two vulnerabilities) and qemu-kvm-rhev (RHELOSP5: two vulnerabilities).Scientific Linux has updated qemu-kvm (SL6: two vulnerabilities).Slackware has updated blueman (privilege escalation).

The Mozilla Add-ons blog takesa look at the work going on around the WebExtensions API. "WebExtensions is currently in an alpha state, so while this is a great time to get involved, please keep in mind that things might change if you decide to use it in its current state. Since August, we’ve closed 77 bugs and ramped up the WebExtensions team at Mozilla. With the release of Firefox 45 in March 2016, we’ll have full support for the following APIs: alarms, contextMenus, pageAction and browserAction. Plus a bunch of partially supported APIs: bookmarks, cookies, extension, i18n, notifications, runtime, storage, tabs, webNavigation, webRequest, windows."

Debian has updated foomatic-filters (command execution).Fedora has updated bind (F22: twovulnerabilities), bind-dyndb-ldap (F22: twovulnerabilities), dnsperf (F22: twovulnerabilities), firefox (F22: multiplevulnerabilities), jenkins (F22: multiplevulnerabilities), and kernel (F22: multiplevulnerabilities).Oracle has updated jakarta-commons-collections (OL5: code execution).Red Hat has updated openstack-ironic-discoverd (RHELOSP6: commandexecution), openstack-nova (RHELOSP7; RHELOSP5: insecure VM instances), and RHELOSP7 director (RHEL7: two vulnerabilities).Scientific Linux has updated abrt andlibreport (SL7: multiple vulnerabilities), autofs (SL7: privilege escalation), binutils (SL7: multiple vulnerabilities), chrony (SL7: multiple vulnerabilities), cpio (SL7: denial of service), cups-filters (SL7: code execution), curl (SL7: multiple vulnerabilities), file (SL7: multiple vulnerabilities), git (SL7: code execution), glibc (SL7: privilege escalation), glibc (SL7: multiple vulnerabilities), grep (SL7: heap buffer overrun), grub2 (SL7: Secure Boot circumvention), grub2 (SL7: code execution), jakarta-commons-collections (SL5: codeexecution), kernel (SL7: multiplevulnerabilities), kernel (SL7: twovulnerabilities), krb5 (SL7: twovulnerabilities), libpng (SL7: twovulnerabilities), libpng12 (SL7: multiplevulnerabilities), libssh2 (SL7: informationleak), libxml2 (SL7: multiplevulnerabilities), net-snmp (SL7: denial ofservice), netcf (SL7: denial of service),NetworkManager (SL7: two vulnerabilities),ntp (SL7: multiple vulnerabilities), openhpi (SL7: world writable /var/lib/openhpidirectory), openldap (SL7: unintendedcipher usage), openssh (SL7: multiplevulnerabilities), pacemaker (SL7: privilegeescalation), pcs (SL7: denial of service),python (SL7: multiple vulnerabilities), realmd (SL7: unsanitized input), rest (SL7: denial of service), rubygem-bundler, rubygem-thor (SL7: installsmalicious gem files), squid (SL7:certificate validation bypass), sssd (SL7:memory leak), tigervnc (SL7: twovulnerabilities), unbound (SL7: denial ofservice), wireshark (SL7: multiplevulnerabilities), and xfsprogs (SL7: information disclosure).SUSE has updated bind (SLE12; SLE11SP2,3,4: denial of service),firefox (SLE12SP1; SLE11SP3,4; SLE11SP2: multiple vulnerabilities), rubygem-passenger (SLE12: environment variableinjection), strongswan (SLE12SP1:authentication bypass), and kernel(SLE11SP4: multiple vulnerabilities).

Here's aninteresting article from cryptographer Matthew Green on how the Juniperbackdoor is the least interesting part of this whole episode. "ThusDual EC is safe only if you assume no tiny bug in the code couldaccidentally leak out 30 bytes or so of raw Dual EC output. If it did, thiswould make all subsequent seeding calls predictable, and thus render allnumbers generated by the system predictable. In general, this would spelldoom for the confidentiality of VPN connections. And unbelievably,amazingly, who coulda thunk it, it appears that such a bug does exist inmany versions of ScreenOS, dating to both before and after the'unauthorized code' noted by Juniper."

Ars Technica reportsthat Google has plans to bring Android to desktops and laptops. "We've Frankensteined together a little Android desktop setup using a Nexus 9 and a USB keyboard and mouse to see just how easy—or complicated—it was to use what is still formally a "mobile" operating system in a desktop context today, right now, without complicated changes or reconfigurations. It worked, but Android still has a ways to go before it can be called a real desktop operating system—quite a ways, in some cases.The biggest affordance Android makes for a desktop OS is that it supports a keyboard and mouse. Any Android device can pair with a Bluetooth mouse and keyboard, and if you want to go the wired route, just about any phone can plug in a mouse and keyboard via a USB OTG cable and a USB hub. Some OEMs even build Android devices with a keyboard and mouse, like the Asus Transformer series, which is a convertible laptop that runs Android."

CentOS has updated jakarta-commons-collections (C5: code execution).Debian has updated blueman (privilege escalation) and tomcat8 (Security Manager bypass).Fedora has updated bind (F23: twovulnerabilities), bind-dyndb-ldap (F23: twovulnerabilities), bind99 (F23: denial ofservice), cups-filters (F23: commandexecution), dhcp (F23: denial of service),dnsperf (F23: two vulnerabilities), libsndfile (F23: two vulnerabilities), p7zip (F22: directory traversal), xen (F22: multiple vulnerabilities), and xsupplicant (F23; F22: insecure temporary files).Gentoo has updated gdk-pixbuf (multiple vulnerabilities), grub (code execution), and openssh (multiple vulnerabilities).Mageia has updated bind (denial of service) and grub2 (code execution).openSUSE has updated libressl(Leap42.1, 13.2: two vulnerabilities) and libXfont (Leap42.1, 13.2, 13.1: regression inprevious update).Red Hat has updated jakarta-commons-collections (RHEL5: code execution).SUSE has updated ldb, samba, talloc, tdb, tevent (SLE12; SLE12SP1: multiple vulnerabilities).Ubuntu has updated kernel (15.10; 15.04;14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiplevulnerabilities), linux-lts-utopic (14.04:multiple vulnerabilities), linux-lts-vivid(14.04: multiple vulnerabilities), linux-lts-wily (14.04: ), and linux-raspi2 (15.10: privilege escalation).

Anybody who has been paying attention to the net over the last week or so willcertainly have noticed an abundance of articles with titles like "Howto hack any Linux machine just using backspace". All this press doesindeed highlight an important vulnerability, but it may not be the one thatthey think they are talking about.Click below (no subscription required) for the full text.

The 4.4-rc6 kernel prepatch is out."Things remain fairly normal. Last week rc5 was very small indeed,this week we have a slightly bigger rc6. The main difference is that rc6had a network pull in it."

Over at KDE.News, Jonathan Riddell has announced the availability of the first live image [1.2GB ISO] of the KDE Plasma desktop running atop Wayland."The central component in this is our window manager, KWin, which has moved from drawing borders on the edges of windows to running the full compositor and talking the Wayland protocols which allow applications to draw on screen and be interacted with. Users of the image will notice some obvious glitches, it is certainly not ready for everyday use yet, but the advantages of more secure workspaces, easier feature extendibility and graphics free of tearing and gitches will be appreciated by everybody. Work on this has been ongoing since 2011 and is expected to take years rather than months before a completely transparent switch away from X will be possible. Find more about the project on the KWin Wayland wiki pages."

The Jolla company blog announces that thecompany has closed a new round of funding and will not be shutting downafter all. "This investment enables the continuation of Sailfish OSdevelopment, the community activities and other company operations. It’sclear that this recent struggle hit us hard and left some battle wounds butmost importantly this means that the development and life of Sailfish OSwill continue strong. This alone is worth a celebration!"

Arch Linux has updated python2-pyamf (denial of service).Debian has updated kernel (multiple vulnerabilities,including one from 2013).Debian-LTS has updated foomatic-filters (?:) and virtualbox-ose (no longer supported in Debian 6).Fedora has updated firefox (F23:multiple vulnerabilities), libldb (F23; F22: remote memory disclosure),libpng10 (F23; F22: code execution), libtalloc (F23; F22: remote memory disclosure),libtdb (F23; F22: remote memory disclosure), libtevent (F23; F22: remotememory disclosure), and samba (F23: multiple vulnerabilities).Gentoo has updated dnsmasq(information disclosure) and ipython (?:).Mageia has updated chromium-browser-stable (code execution) andpython-pygments (code execution).Red Hat has updated chromium-browser (RHEL6: code execution) and openshift (RHOSE2.2: information leak).Scientific Linux has updated bind(SL6: denial of service) and firefox(SL5&6: multiple vulnerabilities).Slackware has updated grub(password bypass) and libpng (read underflow).SUSE has updated kernel(SLE12SP1: multiple vulnerabilities).Ubuntu has updated linux-lts-wily(14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: denial of service), andsosreport (15.10, 15.04, 14.04: twovulnerabilities, including one from 2014).

The Linux Foundation has announced a new collaborative project to "develop an enterprise grade, open source distributed ledger framework" to allow developers to build "robust, industry-specific applications, platforms and hardware systems to support business transactions". Twenty companies have joined the effort: Accenture, ANZ Bank, Cisco, CLS, Credits, Deutsche Börse, Digital Asset Holdings, DTCC, Fujitsu Limited, IC3, IBM, Intel, J.P. Morgan, London Stock Exchange Group, Mitsubishi UFJ Financial Group (MUFG), R3, State Street, SWIFT, VMware, and Wells Fargo. "Many of the founding members are already investing considerable research and development efforts exploring blockchain applications for industry. IBM intends to contribute tens of thousands of lines of its existing codebase and its corresponding intellectual property to this open source community. Digital Asset is contributing the Hyperledger mark, which will be used as the project name, as well as enterprise grade code and developer resources. R3 is contributing a new financial transaction architectural framework designed to specifically meet the requirements of its global bank members and other financial institutions. These technical contributions, among others from a variety of companies, will be reviewed in detail in the weeks ahead by the formation and Technical Steering Committees."

Arch Linux has updated ruby (codeexecution).CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), and firefox (C7; C6; C5: multiple vulnerabilities).Debian has updated cacti (SQLinjection), gdk-pixbuf (incomplete fix forearlier code execution flaw), grub2 (codeexecution), iceweasel (multiple vulnerabilities), subversion (code execution), and tryton-server (access check bypass).Debian-LTS has updated bind9 (denial of service).Fedora has updated grub2 (F22:code execution), qemu (F23: three vulnerabilities), andxen (F23: multiple vulnerabilities).Mageia has updated cups-filters(code execution), firefox (multiple vulnerabilities), libpng (two vulnerabilities), potrace (code execution), quassel (denial of service), and redis (denial of service).openSUSE has updated chromium (42.1, 13.2, 13.1; SPHSLE12: multiple vulnerabilities) andopenssl (42.1; 13.2,13.1: three vulnerabilities).Oracle has updated bind (OL7; OL6; OL5: denial of service), bind97 (OL5: denial of service), and firefox (OL7; OL6; OL5: multiple vulnerabilities).Red Hat has updated bind (RHEL6&7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and firefox (multiple vulnerabilities).Scientific Linux has updated bind(SL5: denial of service) and bind97 (SL5: denial of service).Ubuntu has updated cups-filters(15.10, 15.04, 14.04: code execution), foomatic-filters (12.04: code execution),kernel (12.04; 14.04; 15.04;15.10: multiple vulnerabilities), linux-lts-trusty (12.04: threevulnerabilities), linux-lts-utopic (14.04:three vulnerabilities), and linux-lts-vivid(14.04: multiple vulnerabilities).

Brett Cannon reminds theworld why the Python developers decided to create Python 3 — andacknowledges that the transition could have been done better. "Thispoint of avoiding bugs is a big deal that people forget. The simplificationof the language and the removal of the implicitness of what a str objectmight represent makes code less bug-prone. The Zen of Python points outthat 'explicit is better than implicit' for a reason: ambiguity andimplicit knowledge that is not easily communicated code is easy to getwrong and leads to bugs. By forcing developers to explicitly separate outtheir binary data and textual data it leads to better code that has less ofa chance to have a certain class of bug."

The LWN.net Weekly Edition for December 17, 2015 is available.

The GRUB bootloader (versions 1.98 to 2.02) has aninteger underflow issue which can enable a local attacker to bypassauthentication on a locked-down system. "Grub2 is the bootloaderused by most Linux systems including some embedded systems. This results inan incalculable number of affected devices."

Back in early 2013, your editor dedicated asacrificial handset to the testing of the then-new Ubuntu Touchdistribution. At that time, things were so unbaked that the distributioncame with mocked-up data for unready apps; it even came with a set of faketweets. Nearly three years later, it seemed time to give Ubuntu Touchanother try on another sacrificial device. This distribution has certainlymade some progress in those years, but, sadly, it still seems far from beinga competitive offering in this space.

Arch Linux has updated bind (denial of service) and firefox (multiple vulnerabilities).CentOS has updated grub2 (C7: code execution).Debian has updated bind9 (denial of service) and cups-filters (command execution).Debian-LTS has updated pygments (shell injection).Fedora has updated kernel (F23; F22: multiple vulnerabilities) and seamonkey (F23; F22: multiple vulnerabilities).Oracle has updated grub2 (OL7:code execution) and kernel (OL6: multiple vulnerabilities).Scientific Linux has updated kernel (SL6: multiple vulnerabilities), libreoffice (SL6: multiple vulnerabilities), and openssl (SL6; SL5: multiple vulnerabilities).Slackware has updated bind(multiple vulnerabilities), libpng (two vulnerabilities), firefox (multiple vulnerabilities), and openssl (multiple vulnerabilities).Ubuntu has updated bind9 (denialof service), firefox (multiplevulnerabilities), git (code execution), and grub2 (code execution).

The PhotoFlow imageeditor is a relative newcomer to the field of free-softwarephotography tools. The project was started in 2014, and some peoplemight consider it an odd choice of undertaking—given that thereare, these days, quite a few capable raw-photo editors to choosefrom. But PhotoFlow does bring something new to the table.Click below (subscribers only) for the full review.

Mozilla has released Firefox 43. This version features improvements toPrivate Browsing and Tracking Protection, search suggestions, improved APIsupport for m4v video playback, and more. The releasenotes contain more information.

AnandTech reportson AMD's plans for Linux graphics driver support. In short: more opencode, but some proprietary components will remain. "The significantchange here is that by having the RTG closed source driver based around theopen source driver, the company is now only maintaining a single code base,is pushing as much as possible into open source, and that the open sourcedriver is receiving these features far sooner than it was previously. Thisgreatly improves the quality of life for open source driver users, but it’salso reciprocal for RTG: it’s a lot easier to keep up to date with Linuxkernel changes with an open source kernel mode driver than a closed sourcedriver, and quickly integrate improvements submitted by otherdevelopers."

Greg KH has released stable kernels 4.3.3,4.2.8, and 4.1.15. All of them contain important fixes.This will be the last 4.2.y kernel. Users of the 4.2 kernel should upgradeto the 4.3.y kernel series.Update: Canonical's kernel team will pick upstable maintenance of 4.2 where Greg left off.

CentOS has updated libreoffice (C7; C6: multiple vulnerabilities) and openssl (C7; C6; C5: multiple vulnerabilities).Debian has updated chromium-browser (multiple vulnerabilities).Oracle has updated libreoffice (OL7; OL6:multiple vulnerabilities) and openssl (OL5:multiple vulnerabilities).Red Hat has updated grub2 (RHEL7:code execution) and kernel (RHEL6; RHEL6.5: multiple vulnerabilities).

Collabora and ownCloud have announced a partnership, and, as an openingmove, have released the "Collabora Online Development Edition." This is acombined distribution consisting of LibreOffice Online and ownCloudServer. "The purpose of CODE is to giveinterested developers from any field an easy way to get early accessto the very latest untested feature additions and updates toLibreOffice Online, in order to enable them to develop, test, andcontribute." See this page for moreinformation and screenshots.

The CentOS project has announced the release of CentOS Linux 7 (1511),derived from Red Hat Enterprise Linux 7.2. "This release supersedes all previously released content for CentOSLinux 7, and therefore we highly encourage all users to upgrade theirmachines. Information on different upgrade strategies and how tohandle stale content is included in the Release Notes."

Here is a lengthy postingfrom Dan Luu on why it is so hard to safely write files on Unix-likesystems. It comes down to a combination of POSIX semantics and filesystembugs. "Something to note here is that while btrfs’s semantics aren’tinherently less reliable than ext3/ext4, many more applications corruptdata on top of btrfs because developers aren’t used to coding againstfilesystems that allow directory operations to be reordered (ext2 was theonly other filesystem that allowed that reordering). We’ll probably see asimilar level of bug exposure when people start using NVRAM drives thatonly have byte-level atomicity. People almost always just run some tests tosee if things work, rather than making sure they’re coding against what’slegal in a POSIX filesystem."

Debian has updated bouncycastle (invalid curve attack) and libphp-phpmailer (header injection).Debian-LTS has updated grub2 (code execution).Fedora has updated grub2 (F23:code execution), LibRaw (F22: twovulnerabilities), moodle (F23; F22: multiple vulnerabilities), openssl (F22: multiple vulnerabilities), pax-utils (F22: multiple vulnerabilities), pcre (F22: denial of service), proftpd(F23; F22:denial of service), qemu (F23: denial ofservice), and wget (F22: information leak).openSUSE has updated libpng12(13.2, 13.1: denial of service), libpng16(13.2, 13.1: denial of service), libraw(13.2, 13.1: unspecified), and mbedtls(Leap42.1: code execution).Oracle has updated openssl (OL7; OL6: multiple vulnerabilities).Red Hat has updated chromium-browser (RHEL6: multiplevulnerabilities), glibc (RHEL7.1: multiplevulnerabilities), libpng (RHEL6: multiplevulnerabilities), libreoffice (RHEL6,7:multiple vulnerabilities), openshift(RHOSE3: information leak), and openssl (RHEL6,7; RHEL5: multiple vulnerabilities).SUSE has updated java-1_7_1-ibm(SLE12: many vulnerabilities) and java-1_8_0-ibm (SLE12: many vulnerabilities).Ubuntu has updated libxml2 (multiple vulnerabilities).

Ars technica reportsthat the Purism Librem 13 laptop will be available with thevirtualization-based Qubes distribution. "Qubes wants to lower thebarrier of entry for new users, including security-conscious enterpriseusers who might want to buy a number of laptops for their staff. Inaddition to the Librem 13, Qubes plans to certify the larger Librem 15,plus other laptops that are 'as diverse as possible in terms of geography,cost, and availability.'" LWN looked atQubes 3.0 back in May.

Linus has released the 4.4-rc5 prepatch."If you have all your Christmas shopping done, I wouldheartily recommend giving rc5 a whirl in between the eggnogs and thedecorations. And if you're not celebrating the holidays, you have noexcuse for not testing it all out."

Mozilla has announced the first round of projects to receive support from the organization's new “Foundational Technology” grant program. The program offers funding to open-source projects outside of Mozilla that are regarded as important building blocks for work done within Mozilla. The recipients announced are Buildbot, CodeMirror, Discourse, Read The Docs, Mercurial, Django, and Bro. The post contains further details on the specific development goals associated with each grant. More selections are yet to come, and applications are open.

Arch Linux has updated keepassx (information disclosure).Fedora has updated knot (F23; F22:out-of-bound read).Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), imagemagick (M5: multiple vulnerabilities), and libraw (M5: multiple vulnerabilities).openSUSE has updated xen (Leap 21.1; 13.2: multiple vulnerabilities).Oracle has updated kernel (O7; O6: multiple vulnerabilities).Ubuntu has updated oxide-qt(14.04, 15.04, 15.10: multiple vulnerabilities).

Over at Opensource.com, Seth Kenlon looks at realtime video editing with Open Broadcast Studio (OBS). The article describes OBS sources and scenes, compositing, filters, output options, and more. "It may be a relatively niche market, but not all video editing is done in post production. There are use cases for live, on-the-fly video editing and basic compositing. You've seen it done yourself, whether you realize it or not—news broadcasts, live webcasts, and live TV events usually use multiple-camera setups controlled by one central software suite.Open Broadcast Studio (formerly Open Broadcaster Software) is an open source central control room for live, realtime video editing. It features instant encoding using x264 (an open source h.264 encoder) and AAC and streams to services like YouTube, DailyMotion, Twitch, your own streaming server, or just to a file."

Greg Kroah-Hartman has released the 4.3.2stable kernel. It fixes a problem with time validation in X.509certificate handling that has been present since 4.3.0 (CVE-2015-5327). Ifyou are not using those certificates, though, you don't need to upgradefrom 4.3.1; others should upgrade.

Arch Linux has updated flashplugin (many vulnerabilities) and libxml2 (multiple vulnerabilities).Debian has updated chromium-browser (many vulnerabilities) and xen (multiple vulnerabilities).Debian-LTS has updated arts(privilege escalation) and kdelibs(privilege escalation).Fedora has updated pax-utils(F23: multiple vulnerabilities).openSUSE has updated flash-player(13.2, 13.1: many vulnerabilities), gpg2(42.1: two vulnerabilities), mariadb (13.2; 13.1:multiple vulnerabilities), mysql (many vulnerabilities), and thunderbird (13.2, 13.1: multiple vulnerabilities).Oracle has updated libpng (OL7; OL6: twovulnerabilities) and libpng12 (OL7: two vulnerabilities).Scientific Linux has updated libpng (SL6: three vulnerabilities).SUSE has updated flash-player (SLE11SP4, SLE11SP3; SLE12SP1, SLE12: many vulnerabilities).

The LWN.net Weekly Edition for December 10, 2015 is available.

There have been no kernel updates from Greg Kroah-Hartman since earlyNovember, but that has ended with a bang:4.3.1,4.2.7,4.1.14,3.14.58, and3.10.94 are all available with the usualset of important fixes.

Arch Linux has updated chromium (multiple vulnerabilities).CentOS has updated libpng (C6:code execution).Debian-LTS has updated dhcpcd (multiple vulnerabilities), foomatic-filters (code execution), gnutls26 (padding oracle attack), and libphp-phpmailer (header injection).Fedora has updated ImageMagick(F23: multiple vulnerabilities) and potrace (F23; F22: denial of service).Mageia has updated chromium-browser-stable (multiple vulnerabilities) and flash-player-plugin (multiple vulnerabilities).openSUSE has updated kernel(Leap42.1: multiple vulnerabilities).Oracle has updated git (OL7: codeexecution) and kernel (OL7: multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5,6: multiple vulnerabilities), kernel(RHEL7.1: multiple vulnerabilities), libpng(RHEL7: code execution), and libpng12(RHEL7: multiple vulnerabilities).

Version 4.4 of the WordPress blogging platform (and, these days, general content-managementsystem) has been released.Highlights in this update include responsive image displays,integration of a REST API into Wordpress core, improved caching forcomment queries, and provider support for the oEmbedcontent-embedding format. Provider support means that "now youcan embed your posts on other WordPress sites. Simply drop a post URLinto the editor and see an instant embed preview, complete with thetitle, excerpt, and featured image if you’ve set one. We’ll eveninclude your site icon and links for comments and sharing." Accompanying the release is a new default theme named "Twenty Sixteen"that was "built to look great on any device. A fluid griddesign, flexible header, fun color schemes, and more, will all makeyour content shine."

TechCrunch reportsthat the Firefox OS phone experiment has come to an end. "Firefox OSproved the flexibility of the Web, scaling from low-end smartphones all theway up to HD TVs. However, we weren’t able to offer the best userexperience possible and so we will stop offering Firefox OS smartphonesthrough carrier channels."

Opensource.com takesa look at a court case in Germany addressing the GPLv3 terminationprovisions. "In the Halle court case, the defendant, a higher education institution in Germany, offered certain software for download to its employees and students. The plaintiff provided a written warning of copyright infringement based on a GPL violation to the defendant, including a cease-and-desist declaration with a penalty clause. The defendant refused to sign the declaration but removed the software from its website. The plaintiff filed for a preliminary injunction.The court ruled that the plaintiff was entitled to a preliminary injunction. The defendant had made the plaintiff's copyrighted software publicly available and was in violation of both GPLv2 and GPLv3 as the defendant had not accompanied the software with the license text and the complete corresponding source code."

Given the processing requirements for high-speed networking, it is notsurprising that there is interest in offloading some of that work todedicated hardware. Linux has always carefully limited the supportprovided for such offloading, though; it has been just over ten years sincesupport for TCP offload engines wasdefinitively blocked from entering theLinux network stack. That rejection was driven by a number of concerns,with a reluctance to entrust network-protocol processing to closed-source,unextendable, unfixable software being near the top of the list. Nearly ten years later,offload engines are again the topic of fierce discussion. The hardware haschanged, but the concerns have not; indeed, some of the problems beingworked around now show why those concerns were valid in the first place.

CentOS has updated libxml2 (C6: multiple vulnerabilities).Debian-LTS has updated bouncycastle (invalid curve attack) and linux-2.6 (multiple vulnerabilities).Fedora has updated audiofile(F22: buffer overflow), LibRaw (F23: twovulnerabilities), and python-django (F23: information disclosure).openSUSE has updated thunderbird(Leap42.1: multiple vulnerabilities).Oracle has updated libxml2 (OL7; OL6: multiple vulnerabilities).Red Hat has updated git (RHEL7:code execution) and kernel (RHEL7: denial of service).SUSE has updated java-1_7_0-ibm(SLE11SP3: many vulnerabilities).Ubuntu has updated libsndfile (multiple vulnerabilities).

Version 3.6.0 of theNetHack dungeon adventure game has been released. This is the firstofficial release in over ten years. "Unlike previous releases,which focused on the general game fixes, this release consists of a seriesof foundational changes in the team, underlying infrastructure and changesto the approach to game development. Those of you expecting a huge raft ofnew features will probably be disappointed. Although we have included anumber of new features, the focus of this release was to get the foundationestablished so that we can build on it going forward." There hasbeen enough change, though, that old save files will not work with thisversion.

For a far-outside view, it's hard to beat thisVentureBeat article, wherein a venture capitalist talks about how"open-source companies" are taking over. "The OSS companies thatwill be pillars of IT in the future are the companies that leverage asuccessful OSS project for sales, marketing, and engineering prioritizationbut have a product and business strategy that includes some proprietaryenhancements. They’ve figured out that customers are more than happy to payfor an enterprise-grade version of the complete product, which may havesecurity, management, or integration enhancements and come withsupport. And they also understand that keeping this type of functionalityproprietary won’t alienate the community supporting the project the waysomething such as a performance enhancement would."

Apple has released its Swift programming language under the Apache 2.0 license, and it's available for Linux. The code can be found on GitHub. "Swift makes it easy to write software that is incredibly fast and safe by design. Now that Swift is open source, you can help make the best general purpose programming language available everywhere."

Version 17.3 of theUbuntu-based Linux Mint Cinnamon distribution has been released. This is along-term support release, with support planned until 2019. There is along listof new features for this release, many of which come with theCinnamon 2.8 desktop environment.

Fedora has updated lxdm (F23: two vulnerabilities), openssl (F23: multiple vulnerabilities), p7zip (F23: directory traversal), php-symfony (F23; F22: two vulnerabilities), php-twig (F23; F22: two vulnerabilities), and rubygem-flexmock (F23: unspecified vulnerability).Red Hat has updated libxml2 (RHEL7; RHEL6: multiple vulnerabilities).Scientific Linux has updated libxml2 (SL6: multiple vulnerabilities).Ubuntu has updated cups-filters (15.10, 15.04, 14.04: code execution), foomatic-filters (12.04: code execution), and openssl (multiple vulnerabilities).

Day7 in the ongoing Perl 6 advent calendar is concerned with how thelanguage handles Unicode. "However, Perl 6 does this work for you,keeping track of these collections of codepoints internally, so that youjust have to think in terms of what you would see the characters as. Ifyou’ve ever had to dance around with substring operations to make sure youdidn’t split between a letter and a diacritic, this will be your happiestday in programming."