LWN.net

The LWN.net Weekly Edition for December 10, 2015 is available.

There have been no kernel updates from Greg Kroah-Hartman since earlyNovember, but that has ended with a bang:4.3.1,4.2.7,4.1.14,3.14.58, and3.10.94 are all available with the usualset of important fixes.

Arch Linux has updated chromium (multiple vulnerabilities).CentOS has updated libpng (C6:code execution).Debian-LTS has updated dhcpcd (multiple vulnerabilities), foomatic-filters (code execution), gnutls26 (padding oracle attack), and libphp-phpmailer (header injection).Fedora has updated ImageMagick(F23: multiple vulnerabilities) and potrace (F23; F22: denial of service).Mageia has updated chromium-browser-stable (multiple vulnerabilities) and flash-player-plugin (multiple vulnerabilities).openSUSE has updated kernel(Leap42.1: multiple vulnerabilities).Oracle has updated git (OL7: codeexecution) and kernel (OL7: multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5,6: multiple vulnerabilities), kernel(RHEL7.1: multiple vulnerabilities), libpng(RHEL7: code execution), and libpng12(RHEL7: multiple vulnerabilities).

Version 4.4 of the WordPress blogging platform (and, these days, general content-managementsystem) has been released.Highlights in this update include responsive image displays,integration of a REST API into Wordpress core, improved caching forcomment queries, and provider support for the oEmbedcontent-embedding format. Provider support means that "now youcan embed your posts on other WordPress sites. Simply drop a post URLinto the editor and see an instant embed preview, complete with thetitle, excerpt, and featured image if you’ve set one. We’ll eveninclude your site icon and links for comments and sharing." Accompanying the release is a new default theme named "Twenty Sixteen"that was "built to look great on any device. A fluid griddesign, flexible header, fun color schemes, and more, will all makeyour content shine."

TechCrunch reportsthat the Firefox OS phone experiment has come to an end. "Firefox OSproved the flexibility of the Web, scaling from low-end smartphones all theway up to HD TVs. However, we weren’t able to offer the best userexperience possible and so we will stop offering Firefox OS smartphonesthrough carrier channels."

Opensource.com takesa look at a court case in Germany addressing the GPLv3 terminationprovisions. "In the Halle court case, the defendant, a higher education institution in Germany, offered certain software for download to its employees and students. The plaintiff provided a written warning of copyright infringement based on a GPL violation to the defendant, including a cease-and-desist declaration with a penalty clause. The defendant refused to sign the declaration but removed the software from its website. The plaintiff filed for a preliminary injunction.The court ruled that the plaintiff was entitled to a preliminary injunction. The defendant had made the plaintiff's copyrighted software publicly available and was in violation of both GPLv2 and GPLv3 as the defendant had not accompanied the software with the license text and the complete corresponding source code."

Given the processing requirements for high-speed networking, it is notsurprising that there is interest in offloading some of that work todedicated hardware. Linux has always carefully limited the supportprovided for such offloading, though; it has been just over ten years sincesupport for TCP offload engines wasdefinitively blocked from entering theLinux network stack. That rejection was driven by a number of concerns,with a reluctance to entrust network-protocol processing to closed-source,unextendable, unfixable software being near the top of the list. Nearly ten years later,offload engines are again the topic of fierce discussion. The hardware haschanged, but the concerns have not; indeed, some of the problems beingworked around now show why those concerns were valid in the first place.

CentOS has updated libxml2 (C6: multiple vulnerabilities).Debian-LTS has updated bouncycastle (invalid curve attack) and linux-2.6 (multiple vulnerabilities).Fedora has updated audiofile(F22: buffer overflow), LibRaw (F23: twovulnerabilities), and python-django (F23: information disclosure).openSUSE has updated thunderbird(Leap42.1: multiple vulnerabilities).Oracle has updated libxml2 (OL7; OL6: multiple vulnerabilities).Red Hat has updated git (RHEL7:code execution) and kernel (RHEL7: denial of service).SUSE has updated java-1_7_0-ibm(SLE11SP3: many vulnerabilities).Ubuntu has updated libsndfile (multiple vulnerabilities).

Version 3.6.0 of theNetHack dungeon adventure game has been released. This is the firstofficial release in over ten years. "Unlike previous releases,which focused on the general game fixes, this release consists of a seriesof foundational changes in the team, underlying infrastructure and changesto the approach to game development. Those of you expecting a huge raft ofnew features will probably be disappointed. Although we have included anumber of new features, the focus of this release was to get the foundationestablished so that we can build on it going forward." There hasbeen enough change, though, that old save files will not work with thisversion.

For a far-outside view, it's hard to beat thisVentureBeat article, wherein a venture capitalist talks about how"open-source companies" are taking over. "The OSS companies thatwill be pillars of IT in the future are the companies that leverage asuccessful OSS project for sales, marketing, and engineering prioritizationbut have a product and business strategy that includes some proprietaryenhancements. They’ve figured out that customers are more than happy to payfor an enterprise-grade version of the complete product, which may havesecurity, management, or integration enhancements and come withsupport. And they also understand that keeping this type of functionalityproprietary won’t alienate the community supporting the project the waysomething such as a performance enhancement would."

Apple has released its Swift programming language under the Apache 2.0 license, and it's available for Linux. The code can be found on GitHub. "Swift makes it easy to write software that is incredibly fast and safe by design. Now that Swift is open source, you can help make the best general purpose programming language available everywhere."

Version 17.3 of theUbuntu-based Linux Mint Cinnamon distribution has been released. This is along-term support release, with support planned until 2019. There is along listof new features for this release, many of which come with theCinnamon 2.8 desktop environment.

Fedora has updated lxdm (F23: two vulnerabilities), openssl (F23: multiple vulnerabilities), p7zip (F23: directory traversal), php-symfony (F23; F22: two vulnerabilities), php-twig (F23; F22: two vulnerabilities), and rubygem-flexmock (F23: unspecified vulnerability).Red Hat has updated libxml2 (RHEL7; RHEL6: multiple vulnerabilities).Scientific Linux has updated libxml2 (SL6: multiple vulnerabilities).Ubuntu has updated cups-filters (15.10, 15.04, 14.04: code execution), foomatic-filters (12.04: code execution), and openssl (multiple vulnerabilities).

Day7 in the ongoing Perl 6 advent calendar is concerned with how thelanguage handles Unicode. "However, Perl 6 does this work for you,keeping track of these collections of codepoints internally, so that youjust have to think in terms of what you would see the characters as. Ifyou’ve ever had to dance around with substring operations to make sure youdidn’t split between a letter and a diacritic, this will be your happiestday in programming."

The 4.4-rc4 prepatch is out."Another week, another rc. We had a few more commits than last week(mostly due to the networking fixes merge), but on the whole it's beenpretty calm."

Arch has updatednodejs (two denial-of-service vulnerabilities),openssl (four CVEs), andpython-django (information disclosure).Mageia has updatedcups-filters (code execution),moodle (nine CVEs),openssl (four CVEs), andpython-django (information disclosure).Ubuntu has updated kernel (twodenial-of-service vulnerabilities) andlinux-lts-vivid (ditto).

The OpenSSL project has released versions 0.9.8zh, 1.0.0t, 1.0.1q, and1.0.2e with fixes for a number of "moderate" security issues. Theannouncement also notes that this will be the last update for the 0.9.8 and1.0.0 branches, so users of those versions are advised to upgrade.

Version 2.1.10 of the GNU Privacy Guard is out. There are a number of new features in this release; they include a trust-on-first-usekey acceptance mechanism and the ability to fetch public keysanonymously via Tor.

Debian has updated openssl(multiple vulnerabilities) and redis(denial of service).Debian-LTS has updated openssl (memory leak).openSUSE has updated cyrus-imapd (13.1: integer overflow), LibVNCServer (Leap 42.1: multiplevulnerabilities), and python-django (13.2, 13.1: information leak).Red Hat has updated chromium-browser (RHEL6: multiplevulnerabilities) and openshift (RHOSE3.0, 3.1: information leak).SUSE has updated java-1_6_0-ibm (SLE12: multiple vulnerabilities), java-1_7_1-ibm (SLE11: multiple vulnerabilities), and kernel (SLE12: multiple vulnerabilities).

This lengthypaper from Phillip Rogaway tries to describe the moral responsibilitiesof the cryptographic community — responsibilities that, he believes, thatcommunity has failed to live up to. Worth a read."We need to erect a much expanded commons on the Internet. We need torealize popular services in a secure, distributed, and decentralized way,powered by free software and free/open hardware. We need to build systemsbeyond the reach of super-sized companies and spy agencies. Such servicesmust be based on strong cryptography. Emphasizing that prerequisite, weneed to expand our cryptographic commons."

On his blog, Lubomir Rintel discusses IPv6 privacy issues and how they are being handled by NetworkManager. "Creation of a privacy stable address relies on a pseudo-random key that’s only known the the host itself and never revealed to other hosts in the network. This key is then hashed using a cryptographically secure algorithm along with values specific for a particular network connection. It includes an identifier of the network interface, the network prefix and possibly other values specific to the network such as the wireless SSID. The use of the secret key makes it impossible to predict the resulting address for the other hosts while the network-specific data causes it to be different when entering a different network.This also solves the duplicate address problem nicely. The random key makes collisions unlikely. If, in spite of this, a collision occurs then the hash can be salted with a DAD failure counter and a different address can be generated instead of failing the network connectivity. Now that’s clever."

PHP 7 has been released. Along with some new language features, the biggest change is said to be much better performance and reduced memory use. "PHP 7.0 brings you unprecedented levels of real-world performance and throughput by utilizing the new and advanced Zend Engine 3.0, designed and refactored for speed and reduced memory consumption. This translates to real-world benefits: greatly decreased response times, superior user experiences, and the ability to serve more users with fewer servers to maximize the power of your PHP 7.0 deployment." We looked at the new features in PHP 7 in an article in this week's edition.

The Electronic Frontier Foundation has announcedthe public beta test of the Let's Encrypt initiative, which aims to makeencrypted web traffic the norm. "There are a number of flaws in theCA system, but when it comes to encrypting the Web, two in particular standout: cost and difficulty. Most CAs today charge for certificates. Whilesome are very cheap, every dollar of expense means a large swath of peoplewho can't afford to host a secure website. The larger barrier, though, isdifficulty. Once someone has purchased a certificate, they need to installit on their website, a time consuming and error-prone process that requiressignificant technical skill, which is a cost in itself. Let's Encrypt isnot only free but also automated, in order to make HTTPS encryption moreaccessible than ever."

CentOS has updated jakarta-commons-collections (C6: codeexecution) and libreport (C6: information leak).Debian has updated cups-filters(code execution).Fedora has updated keepass (F22:password locking options removed) and thunderbird (F23: multiple vulnerabilities).Slackware has updated libpng (twovulnerabilities) and mozilla (multiple vulnerabilities).Ubuntu has updated linux-lts-trusty (12.04: two vulnerabilities), openjdk-6 (12.04: multiple vulnerabilities), and qemu (multiple vulnerabilities).

The LWN.net Weekly Edition for December 3, 2015 is available.

While the event had a certain amount of drama surrounding it, the announcement of the end for the Debian Live project seems likely to haveless of an impact than it first appeared. The loss of the leaddeveloper will certainly be felt—and the treatment he and the projectreceived seems rather baffling—but the project looks like it will continuein some form. So Debian will still have tools to create live CDs and other media goingforward, but what appears to be a long-simmering dispute between projectfounder and leader DanielBaumann and the Debian CD and installer teams has been "resolved", albeitin an unfortunate fashion. Subscribers can click below for the full story from this week's Distributions page.

Arch Linux has updated chromium (multiple vulnerabilities).Debian has updated gnutls26 (padding oracle attack), icedove (multiple vulnerabilities), and putty (memory corruption).Fedora has updated putty (F23; F22: memory corruption).openSUSE has updated dracut(Leap42.1: multiple issues) and znc (SPH for SLE12; Leap42.1: denial of service).SUSE has updated dhcpcd(SLE11SP2,3,4: multiple vulnerabilities), java-1_6_0-ibm (SLE11SP3: multiplevulnerabilities), and java-1_7_1-ibm(SLE12: multiple vulnerabilities).Ubuntu has updated kernel (14.04:denial of service) and linux-lts-utopic(14.04: denial of service).

CryptoPeak Solutions is suing many tech and retail giants, claiming theirHTTPS websites infringe an encryption patent titled "Auto-Escrowable andAuto-Certifiable Cryptosystems". Ars Technica reports:"The latest batch of cases was lodged November 25. The cases name AT&T, Costco, Expedia, GoPro, Groupon, Netflix, Pinterest, Shutterfly, Starwood Hotels, Target, and Yahoo, among others. All the lawsuits include virtually identical language."Defendant has committed direct infringement by its actions that compriseusing one or more websites that utilize Elliptic Curve Cryptography (“ECC”)Cipher Suites for the Transport Layer Security (“TLS”) protocol (the“Accused Instrumentalities”)," according to the lawsuits."

Debian-LTS has updated libphp-snoopy (command execution).Fedora has updated ca-certificates (F22: certificate update), grub2 (F22: Secure Boot circumvention),imapsync (F23; F22; F21:information leak), libxml2 (F22: multiplevulnerabilities), perl-HTML-Scrubber (F23; F22; F21: cross-site scripting), rpm (F22: denial of service), and wget (F23: information leak).Oracle has updated apache-commons-collections (OL7: codeexecution) and jakarta-commons-collections(OL6: code execution).Red Hat has updated apache-commons-collections (RHEL7: codeexecution), jakarta-commons-collections(RHEL6: code execution), and rh-java-common-apache-commons-collections(RHSCL2: code execution).Scientific Linux has updated apache-commons-collections (SL7: codeexecution) and jakarta-commons-collections(SL6: code execution).Ubuntu has updated gnutls26(14.04, 12.04: padding oracle attack) and thunderbird (15.10, 15.04, 14.04, 12.04: multiple vulnerabilities).

Mozilla leader Mitchell Baker has announced that the Thunderbird emailclient projectwill, eventually, be spun out of Mozilla. "Therefore I believe Thunderbird should would thrive best by separating itself from reliance on Mozilla development systems and in some cases, Mozilla technology. The current setting isn’t stable, and we should start actively looking into how we can transition in an orderly way to a future where Thunderbird and Firefox are un-coupled."

Debian-LTS has updated imagemagick (denial of service), libsndfile (multiple vulnerabilities), libxml2 (multiple vulnerabilities), and nss (code execution).Fedora has updated abrt (F23: twovulnerabilities), mingw-libpng (F23;F22; F21:denial of service), python-pycurl (F22:use-after-free vulnerability), and seamonkey (F21: multiple vulnerabilities).Mageia has updated lightdm (denial of service), python-cryptography (denial of service), and thunderbird (multiple vulnerabilities).openSUSE has updated cyrus-imapd(Leap42.1, 13.2: two vulnerabilities), ffmpeg (Leap42.1: multiple vulnerabilities),GnuPG (13.2, 13.1: two vulnerabilities), libksba (Leap42.1: denial of service), libpng12 (Leap42.1: two vulnerabilities), libpng16 (Leap42.1: denial of service), libsndfile (Leap42.1: multiplevulnerabilities), ppp (Leap42.1, 13.2,13.1: denial of service), and virtualbox(13.1: two vulnerabilities).Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and thunderbird (OL7; OL6: multiple vulnerabilities).Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).

Matthew Garrett arguesthat meritocracy does not work as intended in development communities."When people criticise meritocracy, they're not criticising theconcept of treating contributions based on their merit. They're criticisingthe idea that humans are sufficiently self-aware that they will be able toidentify and reject every subconscious prejudice that will affect theirtreatment of others. It's not a criticism of a desirable goal, it's acriticism of a flawed implementation."

The 4.4-rc3 kernel prepatch is out fortesting. "I don't think there's anything particularly exciting,although that obviously depends on whether some particular issue ended upaffecting you or not. Most of it is pretty tiny random fixups."

The 2015 Ubuntu Community Council (CC) elections have been concluded. The results of the vote, as announced on the Ubuntu Fridge blog, are the seven individuals who will serve on the CC for the next two years: Daniel Holbach, Laura Czajkowski, Svetlana Belkin, Michael Hall, Scarlett Clark, C de-Avillez, and Marco Ceppi.A detailed account of the ballot results, complete with links to each candidate's biographical page, is also online.

CentOS has updated thunderbird (C5; C6:multiple vulnerabilities).Debian-LTS has updated libcommons-collections3-java (codeexecution) and smokeping (cross-site scripting).Fedora has updated libxml2(F23: multiple vulnerabilities) and pcre (F23: denial of service).Mageia has updated libsndfile (M5: buffer overflow), libxml2 (M5: multiple vulnerabilities), python-m2crypto (M5: denial of service), python-pygments (M5: command injection), and tigervnc (M5: multiple vulnerabilities).

Happy Thanksgiving to those who celebrate it, from all of us here at LWN.Happy November 26 to everyone else :)Debian has updated dpkg (codeexecution), nspr (code execution), python-django (information disclosure), and smokeping (code execution).Debian-LTS has updated eglibc(two vulnerabilities), python-django(information disclosure), and redmine (multiple vulnerabilities).Fedora has updated abrt (F21:information disclosure), jenkins (F22:three vulnerabilities), jenkins-remoting(F22: three vulnerabilities), and libreport(F21: information disclosure).openSUSE has updated libpng12(13.2, 13.1: two vulnerabilities), libpng16(13.2, 13.1: denial ofservice), and strongswan (authentication bypass).Oracle has updated abrt andlibreport (OL7: multiple vulnerabilities), glibc (OL7;OL7: multiple vulnerabilities), kernel (OL7: multiple vulnerabilities), NetworkManager (OL7: denial of service), sssd (OL7: unspecified), and tigervnc (OL7: two vulnerabilities).Red Hat has updated git19-git(RHSC2: code execution), java-1.5.0-ibm(RHEL5&6: multiple vulnerabilities), ntp (RHEL6: denial of service), and thunderbird (multiple vulnerabilities).SUSE has updated kernel(SLE11SP3: multiple vulnerabilities).Ubuntu has updated dpkg (codeexecution) and openjdk-7 (15.10, 15.04, 14.04: unspecified vulnerability).

Software Freedom Conservancy has announceda major fundraising effort. "Pointing to the difficulty of relying on corporate funding while pursuing important but controversial issues, like GPL compliance, Conservancy has structured its fundraiser to increase individual support. The organization needs at least 750 annual Supporters to continue its basic community services and 2500 to avoid hibernating its enforcement efforts. If Conservancy does not meet its goals, it will be forced to radically restructure and wind down a substantial portion of its operations."

Debian has updated libcommons-collections3-java (unsanitized input data) and symfony (two vulnerabilities).Debian-LTS has updated putty (memory corruption).Fedora has updated grub2 (F23:Secure Boot circumvention), krb5 (F21:multiple vulnerabilities), libpng10 (F23; F22; F21: two vulnerabilities), sblim-sfcb(F23; F22;F21: denial of service), and wpa_supplicant (F22: denial of service).Slackware has updated pcre (code execution).SUSE has updated linux-3.12.32(SLELP12: two vulnerabilities), linux-3.12.36 (SLELP12: two vulnerabilities),linux-3.12.38 (SLELP12: twovulnerabilities), linux-3.12.39 (SLELP12:two vulnerabilities), linux-3.12.43(SLELP12: two vulnerabilities), linux-3.12.44 (SLELP12: two vulnerabilities),and linux-3.12.44 (SLELP12: two vulnerabilities).Ubuntu has updated icedtea-web(15.10, 15.04, 14.04: applet execution) and python-django (15.10, 15.04, 14.04, 12.04: information disclosure).

RAID5 support in the MD driver has been part of mainline Linux since2.4.0 was released in early 2001. During this time it has been usedwidely by hobbyists and small installations, but there hasbeen little evidence of any impact on the larger or "enterprise"sites. Anecdotal evidence suggests that such sites are usually happier with so-called "hardware RAID" configurations where a purpose-builtcomputer, whether attached by PCI or fibre channel or similar,is dedicated to managing the array.This situation could begin to change with the 4.4 kernel, which brings someenhancements to the MD driver that should make itmore competitive with hardware-RAID controllers.

Debian-LTS has updated openjdk-6 (multiple vulnerabilities).Fedora has updated libsndfile (F22; F21:buffer overflow), mingw-freeimage (F23; F22:integer overflow), rpm (F23: denial ofservice), wpa_supplicant (F21: denial ofservice), and zarafa (F21: twovulnerabilities, one from 2012).Oracle has updated autofs (OL7:privilege escalation), binutils (OL7:multiple vulnerabilities), chrony (OL7:multiple vulnerabilities), cpio (OL7:denial of service), cups-filters (OL7:multiple vulnerabilities), curl (OL7:multiple vulnerabilities), file (OL7:multiple vulnerabilities), grep (OL7: heapbuffer overrun), grub2 (OL7: Secure Bootcircumvention), krb5 (OL7: twovulnerabilities), libreport (OL6: dataleak), libssh2 (OL7: information leak), net-snmp (OL7: denial of service), netcf (OL7: denial of service), ntp (OL7: multiple vulnerabilities), openhpi (OL7: world writable /var/lib/openhpidirectory), openldap (OL7: unintendedcipher usage), openssh (OL7: twovulnerabilities), python (OL7: multiplevulnerabilities), rest (OL7: denial ofservice), rubygem-bundler and rubygem-thor(OL7: installs malicious gem files), squid(OL7: certificate validation bypass), unbound (OL7: denial of service), wireshark (OL7: multiple vulnerabilities), andxfsprogs (OL7: information disclosure).Scientific Linux has updated libreport (SL6: data leak).SUSE has updated firefox(SLES10SP4: multiple vulnerabilities).

Red Hat has announcedthe release of Red Hat Enterprise Linux 7.2. "New features and capabilities focus on security, networking, and system administration, along with a continued emphasis on enterprise-ready tooling for the development and deployment of Linux container-based applications. In addition, Red Hat Enterprise Linux 7.2 includes compatibility with the new Red Hat Insights, an add-on operational analytics offering designed to increase IT efficiency and reduce downtime through the proactive identification of known risks and technical issues."

Debian has updated openjdk-7 (unspecified vulnerability).Fedora has updated cyrus-imapd(F21: largely unspecified), gdm (F23:denial of service), jenkins (F23: multiplevulnerabilities), jenkins-remoting (F23:multiple vulnerabilities), kernel (F21:multiple vulnerabilities), libpng (F23:denial of service), m2crypto (F21: denialof service), pdns (F21: denial of service),perl-IPTables-Parse (F21: predictabletemporary file names), postgresql (F22: twovulnerabilities), python-rauth (F23:unspecified vulnerability), and xen (F23; F22; F21: denial of service).openSUSE has updated Chromium (SUSE Package Hub for SLE12; Leap42.1, 13.2, 13.1: information leak), docker (Leap42.1: two vulnerabilities), and miniupnpc (Leap42.1, 13.2, 13.1: code execution).Red Hat has updated abrt,libreport (RHEL7: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiplevulnerabilities), java-1.7.0-ibm (RHEL5:multiple vulnerabilities), java-1.7.1-ibm(RHEL6,7: multiple vulnerabilities), java-1.8.0-ibm (RHEL7: multiplevulnerabilities), and libreport (RHEL6: data leak).

Martin Gräßlin looksat the security of the Plasma desktop running under Wayland; it'sbetter than X11, but with some ground yet to cover."Now imagine you want to write a key logger in a Plasma/Waylandworld. How would you do it? I asked myself this question recently, thoughtabout it, found a possible solution and had a key logger in less than 10minutes: ouch."

ThisLibre Graphics World article looks at the challenges faced by the20-year-old GIMP project. "If you've been following GIMP's progressover recent years, you couldn't help yourself noticing the decreasingactivity in terms of both commits (a rather lousy metric) and amount ofparticipants (a more sensible one).'GIMP is dying', say some. 'GIMP developers are slacking', sayothers. 'You've got to go for crowdfunding' is yet another popularnotion. And no matter what, there's always a few whitebearded folks whowould blame the team for not going with changes from the FilmGIMP branch.So what's actually going on and what's the outlook for the project?"

The second 4.4 prepatch is out for testing.Linus says: "Things are looking fairly normal in 4.4-land, with nohuge surprises in rc2. There were a couple of late features: parischugepage support and some late slub bulk allocator patches were not onlymerged at the end of the week, but they strictly speaking should have beenmerge window things."

Lennart Poettering introduces thesd-event API for the implementation of event loops. "sd-event.h, ofcourse, is not the first event loop API around, and it doesn't implementany really novel concepts. When we started working on it we tried to do ourhomework, and checked the various existing event loop APIs, maybe lookingfor candidates to adopt instead of doing our own, and to learn about thestrengths and weaknesses of the various implementationsexisting. Ultimately, we found no implementation that could deliver what weneeded, or where it would be easy to add the missing bits: as usual in thesystemd project, we wanted something that allows us access to all theLinux-specific bits, instead of limiting itself to the least commondenominator of UNIX."

Debian has updated lxc (codeexecution).Debian-LTS has updated nspr(code execution).Mageia has updated dovecot(M5: denial of service), gcc (M5:predictable random values), kernel (M5: multiple vulnerabilities), latex2rtf (M5: code execution), libpng/libpng12 (M5: denial of service), and uglify-js (M5: malicious code obfuscation).openSUSE has updated krb5(13.1, 13.2: memory corruption) and libksba (13.1, 13.2: denial of service).Red Hat has updated autofs(RHEL7: privilege escalation), binutils (RHEL7: multiple vulnerabilities), chrony (RHEL7: multiple vulnerabilities), cpio (RHEL7: code execution), cups-filters (RHEL7: multiple vulnerabilities), curl (RHEL7: multiple vulnerabilities), file (RHEL7: multiple vulnerabilities), glibc (RHEL7: multiple vulnerabilities; RHEL7:privilege escalation),grep (RHEL7: heap buffer overrun), grub2 (RHEL7: Secure Boot circumvention), kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libssh2 (RHEL7: denial of service), net-snmp (RHEL7: denial of service), netcf (RHEL7: denial of service), NetworkManager (RHEL7: multiple vulnerabilities), ntp (RHEL7: multiple vulnerabilities), openhpi (RHEL7: world writable /var/lib/openhpi directory), openldap (RHEL7: unintended cipher usage), openssh (RHEL7: multiple vulnerabilities), pacemaker (RHEL7: privilege escalation), pcs (RHEL7: denial of service), python (RHEL7: multiple vulnerabilities), realmd (RHEL7: unsanitized input), rest (RHEL7: denial of service), rubygem-bundler, rubygem-thor (RHEL7:code execution), squid (RHEL7: certificate validation bypass), sssd (RHEL7: memory leak), tigervnc (RHEL7: multiple vulnerabilities), unbound (RHEL7: denial of service), wireshark (RHEL7: multiple vulnerabilities), and xfsprogs (RHEL7: information leak).Ubuntu has updated libpng(multiple vulnerabilities).

Matthew Garrett continueshis campaign against Canonical's "intellectualproperty rights policy". "The reality is that if Debian had hadan identical policy in 2004, Ubuntu wouldn't exist. The effort required tostrip all Debian trademarks from the source packages would have beenimmense, and this would have had to be repeated for every release. Whilethis policy is in place, nobody's going to be able to take Ubuntu and buildsomething better."

The Pitivi0.95 release is out, bringing a lot of changes to this longstandingvideo editor project. "This one packs a lot of bugfixes andarchitectural work to further stabilize the GES backend. In this blog post,I’ll give you an overview of the new and interesting stuff this releasebrings, coming out from a year of hard work. It’s pretty epic and you’re infor a few surprises, so I suggest listening to this song while you’rereading this blog post."

The "Detectify Labs" site has put up alengthy analysis of the user tracking taking place in many Chromebrowser extensions. "Google, claiming that Chrome is the safest webbrowser out there, is actually making it very simple for extensions to hidehow aggressively they are tracking their users. We have also discoveredexactly how intrusive this sort of tracking actually is and how thesetracking companies actually do a lot of things trying to hide it. Due tothe fact that the gathering of data is made inside an extension, all otherextensions created to prevent tracking (such as Ghostery) are completelybypassed." At the end they note that the situation with Firefox isnot a whole lot better.