LWN.net

The Linux Plumbers Android microconference was held in Seattle on August20th. It included discussions of a variety of topics, many of whichneed to be coordinated within the Android ecosystem. The microconferencewas split up into two separate sessions; this summary covers the secondsession, which was held for three hours in the evening. Topics were toyboxin Android, improving AOSP vendor trees, providing per-task quality ofservice, and improving big.LITTLE on Android.

Arch Linux has updated icedtea-web (applet execution), libvdpau lib32-libvdpau (multiple vulnerabilities), and openldap (denial of service).Debian has updated openldap (denial of service), php5 (multiple vulnerabilities), virtualbox (unspecified vulnerability), and vzctl (insecure ploop-based containers).Fedora has updated kernel (F22: privilege escalation), pcre (F22; F21: code execution), and phpMyAdmin (F22; F21: guessable user credentials).Mageia has updated conntrack-tools (MG4,5: denial of service), freetype2 (MG4: denial of service), gnupg (MG4: two vulnerabilities), libgcrypt (MG4: information leak), libvdpau (MG4,5: multiple vulnerabilities), mariadb (MG4,5: unspecified vulnerabilities),php (MG4: multiple vulnerabilities), phpmyadmin (MG4,5: guessable usercredentials), and xfsprogs (MG5: information disclosure).Red Hat has updated qemu-kvm-rhev(RHEL OSP5,6,7: code execution).

The 4.1.7,3.14.52, and3.10.88stable kernel updates have been released. Each contains the usualcollection of important fixes.

The Python 3.5.0 release is out. "Python 3.5.0 is the newest version of the Python language, and it contains many exciting new features and optimizations." See the what's newpage and this LWN article for detailson the new features in this release.

Linus has released 4.3-rc1 and closed the4.3 merge window one day ahead of the usual schedule. "I decidedthat I'm not interested in catering to anything that comes in tomorrow, andI might as well just close the merge window and do the -rc1release." In the end, 10,756 non-merge changesets were pulledduring this merge window.

The Electronic Frontier Foundation (EFF) is running a storyon its DeepLinks blog that the Kilton Public Library in Lebanon, NewHampshire has suspended its Tor node deployment—at leasttemporarily—due to criticism by the local police department (wecovered the launch of the Kiltonlibrary's Tor node in August). The EFF post says that the criticismoriginated when "a regionalDepartment of Homeland Security office contacted the local policeto spread fear, uncertainty, and doubt about Tor. The police got intouch with the library board, who suspended the program until theycould vote on it on September 15." The EFF has set up a pageat which interested parties can sign a petition showing support forthe library, and has written its own letter of support to the Lebanonlibrary board. The Library Freedom Project, which is handling thedetails of running Kilton's Tor node, has also writtenabout the incident and promises further updates after the libraryboard meeting.

Debian-LTS has updated libvdpau (multiple vulnerabilities).Fedora has updated onionshare (F21; F22:denial of service).openSUSE has updated libvdpau (13.1, 13.2: multiplevulnerabilities) and squid (13.1,13.2: certificate validation bypass).Red Hat has updated libunwind (RHEL7 OSP; RHEL6 OSP: buffer overflow)and python-django (RHEL7 OSP; RHEL6 OSP: multiple vulnerabilities).SUSE has updated MozillaFirefox,mozilla-nss (SLE11: multiple vulnerabilities).Ubuntu has updated freetype(12.04, 14.04, 15.04: multiple vulnerabilities).

The OpenWrt 15.05 release is out. This release includes a number of newfeatures, including improved package signing, support for hardened buildsand jails, a lot of new hardware support, and much more. (See also: LWN's review of the 15.05 release from July).

The LWN.net Weekly Edition for September 11, 2015 is available.

On his blog, QEMU developer Amit Shah gathered up information on the recent QEMU 2.4 release from the maintainers. It takes the form of a video made at KVM Forum, as well as some email comments from those who were not present. "Many contributors to the QEMU and KVM projects meet at the annual KVM Forum conference to talk about new features, new developments, what changed since the last conference, etc.The QEMU project released version 2.4 just a week before the 2015 edition of KVM Forum. I thought that was a good opportunity to gather a few developers and maintainers, and get them on video where we can see them speak about the improvements they made in the 2.4 release, and what we can expect in the 2.5 release."

Debian has updated libvdpau(three vulnerabilities).Debian-LTS has updated bind9(denial of service).Fedora has updated bind (F22:denial of service).SUSE has updated qemu (SLE12: twovulnerabilities).

Some languages pride themselves on providing many ways to accomplish anygiven task. Python, instead, tends to focus on providing a single solutionto most problems. There are exceptions, though; the creation of formattedstrings would appear to be one of them. Despite the fact that there are(at least) three mechanisms available now, Python's developers have justadopted a plan to add a fourth. With luck, this new formatting mechanism (slated for Python 3.6) willimprove the traditionally cumbersome string-formatting facilities availablein Python.

Opensource.com takesa look at the AXIOM Beta camera, a new professional digital imagecapturing platform. "The goal of the AXIOM camera, and theglobal-community-driven apertus° project, is to create a variety ofpowerful, affordable, open source licensed and sustainable digital cinematools. The apertus° project was started by filmmakers who felt limited bythe available proprietary tools. AXIOM Beta will provide full and opendocumentation, the ability to add new features and change the behavior ofexisting features, and the option to add custom accessories." AXIOMBeta is intended primarily for software and hardware developers.

CentOS has updated haproxy (C7; C6:information leak) and subversion (C7: multiple vulnerabilities).Debian has updated spice (code execution).Mageia has updated chromium-browser (MG4,5: multiplevulnerabilities), libidn (MG5: informationdisclosure), libxml2 (MG4,5: denial ofservice), ntp (MG4,5: multiplevulnerabilities), pcre (MG4,5: multiplevulnerabilities), php (MG5: multiplevulnerabilities), pure-ftpd (MG4,5: denialof service), ruby-rack (MG4,5: denial ofservice), ruby-RubyGems (MG4,5: DNShijacking), screen (MG4,5: denial ofservice), squid (MG5: security bypass), struts (MG4,5: input validation bypass), util-linux (MG5: file name collision), vorbis-tools (MG4,5: buffer overread), webmin (MG4,5: cross-site scripting), and xmltooling (MG4,5: denial of service).Oracle has updated haproxy (OL7:information leak) and subversion (OL7: multiple vulnerabilities).Scientific Linux has updated haproxy (SL6,7: information leak) and subversion (SL7: multiple vulnerabilities).Ubuntu has updated kernel (15.04:privilege escalation), linux-lts-vivid(14.04: privilege escalation), and oxide-qt(15.04, 14.04: multiple vulnerabilities).

Samba 4.3.0 is out. This release has a lot of new features, including areworked logging system, a new FileChangeNotify subsystem, better trusteddomains support, SMB 3.1.1 support, and more.

Jono Bacon interviewsJohn Sullivan, executive director of the FSF, at Opensource.com."What we have been focusing on now are the challenges I highlighted in the first question. We are in desperate need of hardware in several different areas that fully supports free software. We have been talking a lot at the FSF about what we can do to address this, and I expect us to be making some significant moves to both increase our support for some of the projects already out there—as we having been doing to some extent through our Respects Your Freedom certification program—and possibly to launch some projects of our own. The same goes for the network service problem. I think we need to tackle them together, because having full control over the mobile components has great potential for changing how we relate to services, and decentralizing more and more services will in turn shape the mobile components."

The Linux Plumbers Android microconference was held in Seattle on August20th and looked at a number of topics needingcoordination between various players in the Android ecosystem. It was splitup into two separate sessions; this summary covers thefirst three-hour session.Topics covered the state of the staging tree, USB gadgets and ConfigFS,running mainline on consumer devices, partitions and customization, asingle binary image for multiple devices, Project Ara, and kdbus.<p>Click below (subscribers only) for the full report from LPC 2015.

Arch Linux has updated powerdns (denial of service).Debian has updated openslp-dfsg (denial of service).Debian-LTS has updated php5 (multiple vulnerabilities) and screen (denial of service).Fedora has updated drupal6 (F22; F21:multiple vulnerabilities), drupal6-ctools (F22; F21:multiple vulnerabilities), drupal6-views_bulk_operations (F22; F21:access bypass), drupal7 (F22; F21: multiple vulnerabilities),gdk-pixbuf2 (F22; F21: code execution), mingw-gdk-pixbuf(F22; F21:code execution), and php-twig (F21: code execution).Mageia has updated bind (MG4,5:denial of service), freeimage (MG4,5:integer overflow), hplip (MG4,5:man-in-the-middle attack), iceape (MG4,5:multiple vulnerabilities), jsoup (MG5:cross-site scripting), lighttpd (MG4,5: loginjection), openafs (MG4,5: multiplevulnerabilities), and squashfs-tools(MG4,5: two vulnerabilities).openSUSE has updated gdk-pixbuf(13.2: code execution), gnutls (13.2, 13.1:denial of service), net-snmp (13.2, 13.1:code execution), perl-XML-LibXML (13.2,13.1: information disclosure), libgcrypt(13.2, 13.1: two vulnerabilities), and tor(13.2, 13.1: respect SafeLogging).Red Hat has updated haproxy(RHEL6,7: information leak) and subversion(RHEL7: multiple vulnerabilities).SUSE has updated bind (SLE11SP1:denial of service), firefox (SLE11SP2,SP1:two vulnerabilities), and java-1_6_0-ibm(SLE11SP3,SP2,SP1: multiple vulnerabilities).Ubuntu has updated spice (15.04,14.04: code execution).

It's time to figure out who will be organizing the Linux PlumbersConference in 2016, which is planned to be held in Santa Fe, New Mexico, atthe beginning of November, alongside the Kernel Summit. Interestedorganizers should put together a bid and submit it to the LinuxFoundation's Technical Advisory Board by October 5; see this page for details onhow the process works. "This is your chance to putyour stamp on one of our community's most important gatherings in ayear when we will be celebrating 25 years of the Linux kernel."

The Mozilla blog has disclosedthat the official Mozilla instance of Bugzilla was recentlycompromised by an attacker who stole "security-sensitiveinformation" related to unannounced vulnerabilities inFirefox—in particular, the PDFViewer exploit discovered on August 5. The blog post explains thatMozilla has now taken several steps to reduce the risk of futureattacks using Bugzilla as a stepping stone. "As an immediatefirst step, all users with access to security-sensitive informationhave been required to change their passwords and use two-factorauthentication. We are reducing the number of users with privilegedaccess and limiting what each privileged user can do. In other words,we are making it harder for an attacker to break in, providing feweropportunities to break in, and reducing the amount of information anattacker can get by breaking in."

CentOS has updated spice(C7: code execution) and spice-server(C6: code execution).Debian has updated chromium-browser (multiple vulnerabilities) and screen (denial of service).Fedora has updated mediawiki (F21; F22:multiple vulnerabilities)and struts (F22: input validation bypass).openSUSE has updated firefox(13.1, 13.2: multiple vulnerabilities).Oracle has updated bind (O7; O6; O5: denial of service), bind97 (O5: multiple vulnerabilities), libXfont (O7; O6:multiple vulnerabilities),spice (O7: code execution), and spice-server (O6: code execution).Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), openshift (RHOSE3: denial of service), openstack-nova (RHELOSP7: denial of service), qemu-kvm-rhev (RHELOSP7: information leak), spice (RHEL7: code execution), and spice-server (RHEL6: code execution).Scientific Linux has updated spice-server (SL7; SL6:code execution).Slackware has updated seamonkey (multiple vulnerabilities).SUSE has updated kernel (SLELP12 3.12.43; 3.12.39; 3.12.38; 3.12.36; 3.12.32: multiple vulnerabilities).Ubuntu has updated kernel (12.04: information leak; 14.04: code execution),libvdpau (12.04, 14.04, 15.04:multiple vulnerabilities), linux-lts-trusty (12.04: code execution), linux-ti-omap4 (12.04: information leak), and openslp-dfsg (12.04, 14.04, 15.04: denialof service).

The Linux Test Project (LTP) has made a stable release for September 2015. The previous release was in April. This release has a number of new test cases including ones for user namespaces, virtual network interfaces, umount2(), getrandom(), and more. In addition, the network namespace test cases were rewritten and regression tests have been added for inotify, cpuset, futex_wake(), and recvmsg(). We looked at writing LTP test cases back in January.

Arch Linux has updated bind (twodenial of service flaws).CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), andlibXfont (C7; C6: three privilege escalation flaws).Debian has updated bind9 (denialof service), qemu (multiplevulnerabilities), and qemu-kvm (two vulnerabilities).Debian-LTS has updated openslp-dfsg (three vulnerabilities, one from2010, another from 2012).Red Hat has updated bind (RHEL6,7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and libXfont (RHEL6,7: three privilege escalation flaws).Scientific Linux has updated bind (SL6,7; SL5:denial of service), bind97 (SL5: denial ofservice), and libXfont (SL6,7: threeprivilege escalation flaws).Slackware has updated bind (twodenial of service flaws).SUSE has updated bind (SLE12; SLE11SP2,3,4: denial of service), kernel (SLE11SP2: multiple vulnerabilities,three from 2014), and xen (SLE11SP3;SLED11SP3: multiple vulnerabilities).Ubuntu has updated bind9 (denialof service).

The LWN.net Weekly Edition for September 3, 2015 is available.

Debsources is a project that provides a web-based interface intothe source code of every package in the Debian softwarearchive—not a small task by any means. But, as StefanoZacchiroli and Matthieu Caneill explained in their DebConf 2015session, Debsources is far more than a source-code browsing tool. Itprovides a searchable viewport into 20 years offree-software history, which makes it viable as a platform for manyvarieties of research and experimentation.

Arch Linux has updated chromium (multiple vulnerabilities).CentOS has updated gdk-pixbuf2 (C7; C6: code execution), jakarta-taglibs-standard (C7; C6: code execution), nss-softokn (C7; C6: signature forgery), and pcs (C7; C6: privilege escalation).Debian has updated pdns (denial of service).Scientific Linux has updated nss-softokn (SL6,7: signature forgery) and pcs (SL6,7: privilege escalation).Slackware has updated gdk (code execution).SUSE has updated kvm (SLE11SP3:code execution) and firefox, nss (SLE12: multiple vulnerabilities).

Version 3.7 of the LLVM compiler suite is out. "This release contains the work of the LLVM community over the past sixmonths: full OpenMP 3.1 support (behind a flag), the On RequestCompilation (ORC) JIT API, a new backend for Berkeley Packet Filter(BPF), Control Flow Integrity checking, as well as improvedoptimizations, new Clang warnings, many bug fixes, and more."See the release notes for LLVM andClangfor details.

Ars Technica reportsthat Microsoft, Google, Mozilla, Cisco, Intel, Netflix, and Amazon havelaunched a new consortium, the Alliance for Open Media. "TheAlliance for Open Media would put an end to this problem [of patent licenses and royalties]. The group's first aim is to produce a video codec that's a meaningful improvement on HEVC. Many of the members already have their own work on next-generation codecs; Cisco has Thor, Mozilla has been working on Daala, and Google on VP9 and VP10. Daala and Thor are both also under consideration by the IETF's netvc working group, which is similarly trying to assemble a royalty-free video codec."

Fedora has updated qemu (F21: multiple vulnerabilities).Oracle has updated gdk-pixbuf2 (OL7; OL6: code execution), jakarta-taglibs-standard (OL7; OL6: code execution), and nss-softokn (OL7; OL6: signature forgery).Red Hat has updated nss-softokn(RHEL6,7: signature forgery) and pcs(RHEL6,7: privilege escalation).Ubuntu has updated expat (15.04,14.04, 12.04: denial of service) and gnutls28 (15.04: two vulnerabilities).

The OpenSSL project looksat its security record for the last year. "The acceptabletimeline for disclosure is a hot topic in the community: we meet CERT’s45-day disclosure deadline more often than not, and we’ve never blownProject Zero’s 90-day baseline. Most importantly, we met the goal we setourselves and released fixes for all HIGH severity issues in well under amonth. We also landed mitigation for two high-profile protocol bugs, POODLEand Logjam. Those disclosure deadlines weren’t under our control but ourresponse was prepared by the day the reports went public."

The ownCloud Contributor Conference2015 (August 28-September 3 in Berlin, Germany) started off with some bigannouncements, including the publishing of the User Data Manifesto 2.0, thecreation of the ownCloud Security Bug Bounty Program, and the release ofthe ownCloud Proxy app. "Designed for those of you who want your own private, secure “Dropbox” and don’t want the hassle of configuring routers, firewalls and DNS entries for access from anywhere, at any time, ownCloud Proxy is for you. It comes installed as an ownCloud community app in the new ownCloud community appliance, connects to relay servers in the cloud, and provides anytime, anywhere access to your files, on your PC running in your home network, quickly and easily. And, of course, you can grab it from the ownCloud app store and add it to an existing ownCloud server if you already have one running."

Debian has updated drupal7 (multiple vulnerabilities) and iceweasel (multiple vulnerabilities).Mageia has updated audit (MG4,5:unsafe escape-sequence handling), firefox(MG4,5: multiple vulnerabilities), and glusterfs (MG5; MG4: privilege escalation).openSUSE has updated ansible(13.2: regression in previous update) and thunderbird (13.2; 13.1: multiple vulnerabilities).Red Hat has updated gdk-pixbuf2(RHEL6,7: code execution) and jakarta-taglibs-standard (RHEL6,7: code execution).Scientific Linux has updated firefox (SL5,6,7: two vulnerabilities), gdk-pixbuf2 (SL6,7: code execution), and jakarta-taglibs-standard (SL6,7: code execution).Slackware has updated firefox (multiple vulnerabilities).SUSE has updated kvm (SLE11SP4:code execution).

Linus has announced the final release of the 4.2 kernel."So judging by how little happened this week, it wouldn't have been amistake to release 4.2 last week after all, but hey, there's certainlya few fixes here, and it's not like delaying 4.2 for a week shouldhave caused any problems either."Headline features in this release include thesecurity module stacking patches,the delay-gradient congestion-controlalgorithm,improvements to writeback management in control groups,a lot of important persistent-memory infrastructure, and more.

Version 7.10 of the GDB debugger is out. Improvements this time aroundinclude better support for access to shared libraries on remote targets,reverse debugging on ARM64 systems, support for DTrace static probes, andmore.

Google has announcedthat, beginning September 1, Chrome will no longer auto-playFlash-based ads in the company's popular AdWords program. The postframes this as a move to improve browsing performance for users, andnotes that most Flash ads are automatically converted to HTML5already. Commenting on the news, The Register notesthat the change should also offer some additional protection againstmalware delivered via Flash. Chrome will continue to auto-play Flashcontent in the main body of pages, however. The Register's story saysthe change is, in fact, just a modification of the default setting forplugin behavior, which already supportsan option to disable plugin content not deemed "important." Mozilla,of course, blacklisted the Flashplugin in July, although that action only disabled the then-current,vulnerable release—which was subsequently updated.

Arch Linux has updated firefox (multiple vulnerabilities).CentOS has updated firefox (C5; C6; C7: multiple vulnerabilities) and thunderbird (C5; C6; C7: multiple vulnerabilities).Debian-LTS has updated openjdk-6 (multiple vulnerabilities) and zendframework (XML external entity attack).Fedora has updated maradns (F21; F22:denial of service),openssh (F21: multiple vulnerabilities), php-guzzle-Guzzle(F21; F22: XML external entity attack), php-twig (F22: code execution),php-ZendFramework2 (F21; F22: XML external entity attack), rt (F21; F22:cross-site scripting),and rubygem-rack (F21: denial of service).Mageia has updated drupal(M4,5: multiple vulnerabilities), python-django, python-django14(M4,5: multiple vulnerabilities), subversion (M4,5: multiple vulnerabilities), thunderbird (M4,5: multiple vulnerabilities), and vlc (M4,5: code execution).Oracle has updated firefox (O5; O6; O7: multiple vulnerabilities).Red Hat has updated firefox(RHEL5,6,7: multiple vulnerabilities).SUSE has updated MozillaFirefox,mozilla-nss (SLE11: multiple vulnerabilities).Ubuntu has updated cups-filters (15.04: unintended printer access) and firefox (12.04, 14.04, 15.04: multiple vulnerabilities).

The Electronic Frontier Foundation has announcedthe recipients of its Pioneer Awards for 2015: Caspar Bowden, The CitizenLab, Annriette Esterhuysen and the Association for ProgressiveCommunications, and Kathy Sierra. "This extraordinary group ofwinners have all focused on the users, striving to give everyone theaccess, power, community, and protection they need in order to create andparticipate in our digital world."

KDE.News looks at KDE sprints and their benefits. The organization is doing some fundraising to help support its sprints, so it is trying get the word out about these code-focused events: "To start with, KDE sprints are intensive sessions centered around coding. They take place in person over several days, during which time skillful developers eat, drink and sleep code. There are breaks to refresh and gain perspective, but mostly sprints involve hard, focused work. All of this developer time and effort is unpaid. However travel expenses for some developers are covered by KDE. KDE is a frugal organization with comparatively low administrative costs, and only one paid person who works part time. So the money donated for sprints goes to cover actual expenses. Who gets the money? Almost all of it goes to transportation companies."

Debian has updated php5 (multiple vulnerabilities).Debian-LTS has updated pykerberos(authentication botch) and python-django(two vulnerabilities).Fedora has updated mariadb (F21: unspecified).Mageia has updated cgit (codeexecution from 2014).Ubuntu has updated qemu, qemu-kvm(multiple vulnerabilities, including one from 2014).

The developers of the Grsecurity kernel-hardening patch set have announced that, due toclaimed ongoing GPL and trademark violations, the public distribution of the"stable" series of patches will stop. "We decided that it is unfairto our sponsors that the above mentioned unlawful players can get away withtheir activity. Therefore, two weeks from now, we will cease the publicdissemination of the stable series and will make it available to sponsorsonly. The test series, unfit in our view for production use, will howevercontinue to be available to the public to avoid impact to the GentooHardened and Arch Linux communities."

The LWN.net Weekly Edition for August 27, 2015 is available.

Arch Linux has updated gnutls (denial of service), jasper (denial of service), pcre (code execution), and python-django (denial of service).CentOS has updated httpd (C7: twovulnerabilities) and mariadb (C7: multiple vulnerabilities).Debian has updated twig (code execution).Debian-LTS has updated ruby1.8 (information disclosure) and ruby1.9.1 (information disclosure).Mageia has updated gnutls (MG4,5:two vulnerabilities), vlc (MG5: codeexecution), and wireshark (MG4,5: multiple vulnerabilities).Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).Ubuntu has updated gdk-pixbuf(15.04, 14.04, 12.04: code execution).

At the 2015 edition of TypeCon in Denver, Adobe's Frank Grießhammer presented hiswork reviving the famous Hershey fontsfrom the Mid-Century era of computing. The original fonts weretailor-made for early vector-based output devices but, although theyhave retained a loyal following (often as a historical curiosity), they have neverbefore beenproduced as an installable digital font.

Version 1.5 of the Go language has been released."This release includes significant changes to the implementation. The compiler tool chain was translated from C to Go, removing the last vestiges of C code from the Go code base. The garbage collector was completely redesigned, yielding a dramatic reduction [PDF] in garbage collection pause times. Related improvements to the scheduler allowed us to change the default GOMAXPROCS value (the number of concurrently executing goroutines) from 1 to the number of available CPUs. Changes to the linker enable distributing Go packages as shared libraries to link into Go programs, and building Go packages into archives or shared libraries that may be linked into or loaded by C programs (design doc)."

Opensource.com wishesLinux a happy 24th birthday, with a brief timeline of Linux history. "There's some debate in the Linux community as to whether we should be celebrating Linux's birthday today or on October 5 when the first public release was made, but Linus says he is O.K. with you celebrating either one, or both! So as we say happy birthday, let's take a quick look back at the years that have passed and how far we have come."

KDE has releasedPlasma 5.4 with some new features. "This release of Plasma brings many nice touches for our users such as much improved high DPI support, KRunner auto-completion and many new beautiful Breeze icons. It also lays the ground for the future with a tech preview of Wayland session available. We're shipping a few new components such as an Audio Volume Plasma Widget, monitor calibration tool and the User Manager tool comes out beta."

CentOS has updated httpd (C6:denial of service) and nss (C5: two vulnerabilities).Oracle has updated httpd (OL7; OL6:denial of service), mariadb (OL7: multipleunspecified vulnerabilities), and nss (OL5:two vulnerabilities).Red Hat has updated httpd (RHEL7; RHEL6:HTTP request smuggling), httpd24-httpd(RHSCL2: multiple vulnerabilities), libunwind (RHELOSP6: buffer overflow), mariadb (RHEL7: multiple vulnerabilities), nss (RHEL5: two vulnerabilities), openstack-neutron (RHELOSP6: denial ofservice), openstack-swift (RHELOSP6;RHELOSP5: arbitrary object deletion),python-django (RHELOSP6; RHELOSP5: denial of service), python-django-horizon (RHELOSP6: cross-sitescripting), python-keystoneclient (RHELOSP6; RHELOSP5:two vulnerabilities), qemu-kvm-rhev (RHELOSP6; RHELOSP5:information leak), redis (RHELOSP6: codeexecution), and thunderbird (RHEL5,6,7: multiple vulnerabilities).Scientific Linux has updated httpd (SL7; SL6:denial of service), mariadb (SL7: multiplevulnerabilities), nss (SL5: twovulnerabilities), and thunderbird (SL5,6,7:multiple vulnerabilities).Ubuntu has updated thunderbird(15.04, 14.04, 12.04: multiple vulnerabilities).

Linux.com has aninterview with Dustin Kirkland of Canonical's Ubuntu Product andStrategy team, about Ubuntu on the mainframe and more. "Canonical is doing a lot of different things in the enterprise space, to solve different problems. One of the interesting works going on at Canonical is Fan networking. We all know that the world is running out of IPv4 addresses (or already has). The obvious solution to this problem is IPv6, but it’s not universally available. Kirkland said, "There are still places where IPv6 doesn't exist -- little places like Amazon web services where you end up finding lots of containers." The problem multiplies as many instances in cloud need IP addresses. "Each of those instances can run hundreds of containers, each of those containers then needs to be addressable," said Kirkland."

Debian-LTS has updated extplorer (cross-site scripting), roundup (multiple vulnerabilities), and wesnoth-1.8 (information leak).Mageia has updated libcryptopp(MG4,5: information disclosure), mediawiki(MG4,5: multiple vulnerabilities), openssh(MG4,5: multiple vulnerabilities), php (MG5; MG4:multiple vulnerabilities), and x11-server(MG5: permission bypass).openSUSE has updated wireshark(13.2: multiple vulnerabilities) and xfsprogs (13.2, 13.1: information disclosure).Red Hat has updated rh-ruby22-ruby (RHSCL2: DNS hijacking).Slackware has updated gnutls (denial of service).SUSE has updated glibc(SLE11SP3,4: multiple vulnerabilities) and kvm (SLE11SP2: two vulnerabilities).

In the end, Linus decided to hold off one more week and release 4.2-rc8 instead of the final 4.2 kernel."It's not like there are any real outstanding issues, and I waffledbetween just doing the release and doing another -rc. But we did haveanother low-level x86 issue come up this week, and together with thefact that a number of people are on vacation, I decided that waitingan extra week isn't going to hurt. But it was close. It's a fairlysmall rc8, and I really feel like it could have gone either way."