Debian has updated apache2 (multiple vulnerabilities), ghostscript (code execution), icedove (multiple vulnerabilities), icu (multiple vulnerabilities), and ruby-rack (denial of service). Fedora has updated bind (F22; F21: denial of service), bind99 (F22: denial of service), libuser (F21: multiple vulnerabilities), and openssh (F21: denial of service). Mageia has updated bind (MG4,5: denial of service), icu (MG4,5: code execution), and remind (MG4,5: buffer overflow). openSUSE has updated bind (13.2, 13.1: denial of service) and libuser (13.2: privilege escalation). Oracle has updated java-1.6.0-openjdk (OL5: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities), kernel 2.6.32 (OL6; OL5: multiple vulnerabilities), kernel 3.8.13 (OL7; OL6: multiple vulnerabilities), and lxc (OL7; OL6: two vulnerabilities). Scientific Linux has updated bind (SL6; SL6,7: denial of service) and libuser (SL6: two vulnerabilities).
The 4.2-rc5 prepatch is out, and Linus is wishing things were going a bit more smoothly. "We're getting up there to the later rc's, but it's looking like 4.2 might be one of the releases needing more than the usual seven rc releases - things aren't calming down like I would wish, and we've still had some fairly annoying issues pop up."
LWN looked at the Linux multipath TCP implementation back in 2013. That code remains out of tree, but it now seems that it is being used in some Samsung phones in Korea. "This service enables smartphone users to reach bandwidth of up to 1 Gbps on existing smartphones. This is probably the fastest commercially deployed mobile network. They achieve this high bandwidth by combining both fast LTE (with carrier aggregation) and fast WiFi networks on Multipath TCP enabled smartphones." (Thanks to Olivier Bonaventure).
At the OpenSSL blog, Rich Salz has announced the project's decision to migrate away from the "rather unique and idiosyncratic" OpenSSL license to the Apache 2.0 license. In order to make the change in an upcoming release, though, the project "will soon require almost every contributor to have a signed Contributor License Agreement (CLA) on file." Individual and corporate versions of the CLA are posted; trivial patches will evidently not trigger the need for the submitter to sign and file an agreement. Salz closes by noting that more details are still to come, since "there is a lot of grunt work needed to clean up the backlog and untangle all the years of work from the time when nobody paid much attention to this sort of detail."
Mozilla has launched a multi-pronged campaign to challenge a recent change in Windows that has the effect of overriding users' choice of Firefox as the default web browser. Mozilla CEO Chris Beard posted a blog entry outlining the problem as well as an open letter to Microsoft CEO Satya Nadella. The change apparently landed with the recent Windows 10 release and, as Beard explains it, "while it is technically possible for people to preserve their previous settings and defaults, the design of the new Windows 10 upgrade experience and user interface does not make this obvious nor easy." Mozilla has also posted tutorials and videos to help users restore Firefox as their default browser.
FFmpeg leader Michael Niedermayer has announced his departure from the project. "I hope my resignation will make it easier for the teams to find back together and avoid a more complete split which would otherwise be the result sooner or later as the trees diverge and merging all improvements becomes too difficult for me to do."
Debconf15, which will be held in Heidelberg, Germany August 15-23, has announced its schedule as well as four featured speakers: Allison Randal, President, Open Source Initiative and Distinguished Technologist, HP; Peter Eckersley, Chief Computer Scientist, Electronic Frontier Foundation; John Sullivan, Executive Director, Free Software Foundation; and Jon 'maddog' Hall, Executive Director, Linux International. "The DebConf content team is pleased to announce the schedule of DebConf15, the forthcoming Debian Developers Conference. From a total of nearly 100 talk submissions, the team selected 75 talks. Due to the high number of submissions, several talks had to be shortened to 20 minute slots, of which a total of 30 talks have made it to the schedule. In addition, around 50 meetings and discussions (BoFs) have been organized so far, as well as several other events like lightning talk sessions, live demos, a movie screening, a poetry night or stand-up comedy."
Oracle has announced the release of Oracle Linux 6.7. As usual this release features both a Red Hat compatible kernel and Oracle's enterprise kernel. Some notable features include Open Security Content Automation Protocol (OpenSCAP), including the oscap utility for enhanced security auditing and compliance, Load Balancing and High Availability with Keepalived and HAProxy, supported under Oracle Linux Premier Support subscriptions, Enhanced SSSD support for Active Directory, and more. See the release notes for details.
Here are a couple of sad notes from the Ada Initiative and the Apache Software Foundation on the abrupt passing of Nóirín Plunkett. "Throughout Nóirín's time at the Foundation she was an Apache httpd contributor, ASF board member, VP and ApacheCon organizer. Nóirín's passionate contributions and warm personality will be sorely missed. Many considered Nóirín a friend and viewed Nóirín's work to improving 'Women in Technology' as a great contribution to this cause."
In November of 2013, I decided to undertake a garage-hacking project and build an in-vehicle infotainment (IVI) Linux box for my own car. Motivated hobbyists have done such things for years, of course. But, after having followed the development of various automotive Linux projects (such as GENIVI and Tizen IVI), I wanted to put them to the test, rather than simply stuff a Raspberry Pi into the glove compartment and run Rhythmbox on a tiny screen on the dashboard. Interesting developments were happening at automakers and software vendors, and they were worth exploring. It turned out to be a rather large project, so to cover it fully will take more than one installment. The first major milestone involves understanding the unique hardware, power, and boot requirements of an IVI unit (as well as finding a distribution that fits the bill).
Arch Linux has updated bind (denial of service), pacman (man-in-the-middle attack), and qemu (multiple vulnerabilities). CentOS has updated bind (C7; C5: denial of service) and bind97 (C5: denial of service). Debian has updated bind9 (denial of service). Debian-LTS has updated apache2 (denial of service) and bind9 (denial of service). Fedora has updated elfutils (F21: unspecified vulnerabilities), haproxy (F22; F21: information leak), hplip (F22: man-in-the-middle attack), libidn (F22; F21: information disclosure), php (F21: multiple vulnerabilities), roundcubemail (F22; F21: multiple vulnerabilities), subversion (F21: multiple vulnerabilities), and wpa_supplicant (F22: denial of service). Mageia has updated ansible (MG4,5: two vulnerabilities), freeradius (MG4,5: insufficient certificate verification), openssh (MG4,5: authentication limits bypass), python-django (MG4,5: multiple vulnerabilities), and springframework (MG5: denial of service). Oracle has updated bind (OL7; OL5: denial of service) and bind97 (OL5: denial of service). Red Hat has updated bind (RHEL6,7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and qemu-kvm-rhev (RHOSP5,6: two vulnerabilities). Scientific Linux has updated bind (SL5: denial of service) and bind97 (SL5: denial of service). Slackware has updated bind (denial of service). SUSE has updated bind (SLE12; SLE11SP3,4: denial of service). Ubuntu has updated bind9 (15.04, 14.04, 12.04: denial of service) and qemu (15.04, 14.04: multiple vulnerabilities).
Matt Thompson talks with Allen Gunn, Executive Director of Aspiration, at Opensource.com. "I think you lead with a very earnest form of humility. The best forms of open are lovingly subversive, in that they draw others to form their own conclusions about the benefit of open rather than beating them over the head with it."
CentOS has updated clutter (C7: screen lock bypass) and qemu-kvm (C7: two vulnerabilities). Debian-LTS has updated icu (code execution). Mageia has updated chromium-browser (MG4,5: multiple vulnerabilities), expat (MG4,5: denial of service), icu (MG5; MG4: denial of service/code execution), stunnel (MG5: authentication bypass), thunderbird (MG4,5: multiple vulnerabilities), wesnoth (MG5; MG4: information leak), and wordpress (MG4: two vulnerabilities). Oracle has updated clutter (OL7: screen lock bypass) and qemu-kvm (OL7: two vulnerabilities). Red Hat has updated clutter (RHEL7: screen lock bypass). Scientific Linux has updated clutter (SL7: screen lock bypass) and qemu-kvm (SL7: two vulnerabilities). SUSE has updated xen (SLE12; SLE11SP4: two vulnerabilities). Ubuntu has updated apache2 (15.04, 14.04, 12.04: two vulnerabilities), kernel (15.04; 14.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-lts-vivid (14.04: multiple vulnerabilities).
Opensource.com follows up with the Dronecode Foundation, which was founded in October 2014. "In the past year, Dronecode's developer community has grown from 1,200 to more than 2000 contributors, with more than 12,000 commits in the codebase. The rate of development is rapid with 1,000 commits being reviewed a month, with well over 2 million lines of code across the various Dronecode projects. Developers from Qualcomm, Intel, Parrot, Yuneec and many others are actively engaged in the development of the Dronecode technology stack. As a result, updates, new releases and project milestones are in motion all the time. For example, in late May, the APM project released version 3.3 of its flight code, and the PX4 project reached a milestone with the first RC candidate for release 1.0."
Here is an article on the "Threatpost" site about a set of remotely exploitable media-library vulnerabilities present on vast numbers of Android devices. "An attacker in possession of their target's phone number could send an MMS or even a Google Hangouts message to an affected device that triggers the vulnerability before the victim has a chance to open the message. In some cases, the attack would delete the MMS in question, leaving behind only a notification that a message was sent."
The fourth 4.2 prepatch is out for testing. Linus says: "I really wish that things were calming down, but it hasn't happened quite yet. It's not like this is particularly big or scary, but it's also not at the stage where it's really starting to get quiet and the bugs are really small and esoteric."
Here is the announcement for Plasma Mobile, a KDE-based platform for smartphones. "The goal for Plasma Mobile is to give the user full use of the device. It is designed as an inclusive system, intended to support all kinds of apps. Native apps are developed using Qt; it will also support apps written in GTK, Android apps, Ubuntu apps, and many others, if the license allows and the app can be made to work at a technical level." There is a prototype build available for Nexus 5 phones.
The etcd 2.1 release is out. "For a quick overview, etcd is an open source, distributed, consistent key value store for shared configuration, service discovery, and scheduler coordination. By using etcd, applications can ensure that even in the face of individual servers failing, the application will continue to work." New features include a new authentication/authorization API, various robustness improvements, better logging, and a new metrics API.
The GNUnet blog has this story about recent resistance from the IETF toward the standardization of "special use" domain names (such as .onion or .gnu) "to reduce the likelihood of ICANN accidentally creating a conflicting gTLD assignment." Despite the provisions made in RFC 6761, the article notes that "there are also a number of DNS-centric people with a total lack of alacrity in the dnsop WG to continue to stall the process by repeating arguments that were exchanged dozens of times in hundreds of e-mails." Among those offering resistance, it reports, is Internet Architecture Board Chair Andrew Sullivan, who "says the IETF should not support special use domain names threatening the DNS business model."
The first development release of the upcoming openSUSE 42.1 distribution is now available. "Milestone is being used to avoid the term Alpha because the milestone is able to be deployed without the additional future items and subsystems that will become available when Leap is officially released." As reported in June, openSUSE 42.1 is a new version of the distribution based on the SUSE Linux Enterprise core.
At his blog, Allan Day announces the first major update to the GNOME Human Interface Guidelines since the first GNOME 3 version (released in 2014). Day notes that the GNOME 3 HIG is structured around design patterns, in the hopes that it can be updated regularly to reflect current practices. "These new guidelines are the direct result of design work that has happened in the past year. They attempt to distill everything we've learned through our own process of trial and error." Furthermore, "the HIG now links to the relevant GTK+ API reference documentation for each design component. This is nice for knowing which widget does what; and makes the design guidelines a more effective accompaniment to the toolkit."
Though it got a bit of a late start due to some registration woes, the first day of EuroPython 2015 began with an engaging and well-received keynote. It recounted the history of a project that got its start just a year ago when the first Django Girls workshop was held at EuroPython 2014 in Berlin. The two women who started the project, Ola Sitarska and Ola Sendecka, spoke about how the workshop to teach women about Python and the Django web framework all came together—and the amazing progress that has been made by the organization in its first year.
Red Hat has announced the general availability of RHEL 6.7. "As the basis for large, complex IT deployments, Red Hat Enterprise Linux 6.7 offers enterprise IT teams new capabilities to bolster system security, proactively identify and resolve business-critical IT issues, and confidently embrace some of the latest open source technologies, such as Linux containers, without sacrificing operational stability." The release notes contain details.
One of the many approaches to improving system security consists of reducing the attack surface of a given program by restricting the range of system calls available to it. If an application has no need for access to the network, say, then removing its ability to use the socket() system call should cause no loss in functionality while reducing the scope of the mischief that can be made should that application be compromised. In the Linux world, this kind of sandboxing can be done using a security module or the seccomp() system call. OpenBSD has lacked this capability so far, but it may soon gain it via a somewhat different approach than has been seen in Linux.
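As an added illustration of the Linux side of that comparison (example code written for this digest, not taken from the article or from OpenBSD's work), the program below installs a seccomp BPF filter that makes socket() fail with EPERM while leaving every other system call untouched, then probes socket() to show the effect. It assumes a Linux kernel with seccomp filter support and an x86_64 or aarch64 build; the filter first checks the architecture field because system call numbers differ between architectures.

```c
/* Added example, not part of the original LWN item: a minimal seccomp-bpf
 * filter that removes socket() from a process's reachable system calls.
 * Assumes Linux with seccomp filter support on x86_64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "this example only handles x86_64 and aarch64"
#endif

/* The filter: kill the process if it somehow runs on a foreign architecture
 * (syscall numbers differ per arch), fail socket() with EPERM, allow the rest. */
static struct sock_filter deny_socket_filter[] = {
    /* A = seccomp_data.arch; must match the arch this filter was built for */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* A = seccomp_data.nr; if it is socket(), return -EPERM instead of running it */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* every other system call passes through unchanged */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Number of BPF instructions in the filter above (7). */
unsigned short deny_socket_filter_len(void)
{
    return (unsigned short)(sizeof(deny_socket_filter) / sizeof(deny_socket_filter[0]));
}

/* Install the filter on the calling process. Returns 0 on success, or the
 * errno reported by prctl() (for instance EINVAL when the kernel lacks
 * seccomp filter support). Once installed, the filter cannot be removed. */
int deny_socket_syscall(void)
{
    struct sock_fprog prog = {
        .len = deny_socket_filter_len(),
        .filter = deny_socket_filter,
    };
    /* Required for an unprivileged process to install a filter, and it keeps
     * the filter from being used to confuse a later setuid executable. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return errno;
    return 0;
}

/* Probe: try to create a TCP socket. Returns 0 if it was created (and then
 * closed), otherwise the errno that socket() reported. */
int probe_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    printf("before filter: socket() -> errno %d\n", probe_socket());
    int rc = deny_socket_syscall();
    if (rc != 0) {
        printf("could not install seccomp filter: errno %d\n", rc);
        return 1;
    }
    /* printf() still works: write() was not in the deny list. */
    printf("after filter:  socket() -> errno %d (EPERM is %d)\n", probe_socket(), EPERM);
    return 0;
}
```

Returning EPERM rather than SECCOMP_RET_KILL for the denied call is a deliberate choice for this demonstration: the process keeps running and the caller sees an ordinary error, which is easier to debug while building a filter; a production sandbox may prefer to kill the process so that an unexpected call is never silently tolerated.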
The Linux Foundation has announced the Cloud Native Computing Foundation. "This new organization aims to advance the state-of-the-art for building cloud native applications and services, allowing developers to take full advantage of existing and to-be-developed open source technologies. Cloud native refers to applications or services that are container-packaged, dynamically scheduled and micro services-oriented. Founding organizations include AT&T, Box, Cisco, Cloud Foundry Foundation, CoreOS, Cycle Computing, Docker, eBay, Goldman Sachs, Google, Huawei, IBM, Intel, Joyent, Kismatic, Mesosphere, Red Hat, Switch SUPERNAP, Twitter, Univa, VMware and Weaveworks. Other organizations are encouraged to participate as founding members in the coming weeks, as the organization establishes its governance model."
Mel Gorman introduces SUSE's kernel performance-testing system. "Marvin is a system that continually runs performance-related tests and is named after another robot doomed with repetitive tasks. When tests are complete it generates a performance comparison report that is publicly available but rarely linked. The primary responsibility of this system is to check SUSE Linux for Enterprise kernels for performance regressions but it is also configured to run tests against mainline releases."
Ian Jackson has announced the availability of dgit 1.0. "dgit allows you to treat the Debian archive as if it were a git repository, and get a git view of any package. If you have the appropriate access rights you can do builds and uploads from git, and other dgit users will see your git history."
The third 4.2 kernel prepatch is out for testing. Linus says: "Normal Sunday release schedule, and a fairly normal rc release. There was some fallout from the x86 FPU cleanups, but that only hit CPU's with the xsaves instruction, and it should be all good now."
At the Mozilla Blog, Julien Vehent announces that Mozilla will be conducting a second round of its "Winter of Security" mentoring program. Aimed at college students, the program allows participants to work on security-related free software for university credit, with guidance provided by Mozilla project members. This year's targeted project list includes some high-profile projects like Let's Encrypt and Mozilla's digital forensics tool MiG. Applications are due August 15.
The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.
CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities), java-1.8.0-openjdk (C7; C6: many vulnerabilities), and kernel (C6: multiple vulnerabilities, one from 2011). Debian-LTS has updated python-django (three vulnerabilities). Fedora has updated cryptopp (F22; F21: information disclosure), drupal7-feeds (F22; F21: three vulnerabilities), rsyslog (F22: denial of service), and springframework (F22; F21: denial of service). openSUSE has updated bind (13.2; 13.1: three vulnerabilities, one from 2014). Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified), java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: denial of service). Scientific Linux has updated java-1.7.0-openjdk (SL5; SL6&7: many vulnerabilities), java-1.8.0-openjdk (SL6&7: many vulnerabilities), and kernel (SL6: multiple vulnerabilities, one from 2011).
Version 0.7.0 of the rkt container runtime system is available. "This release includes new subcommands for a rkt image to manipulate images from the local store, a new build system based on autotools and integration with SELinux. These new capabilities improve the user experience, make it easier to build future features and improve security isolation between containers."
It has been nearly a year and a half since the last major Python release, which was 3.4 in March 2014—that means it is about time for Python 3.5. We looked at some of the new features in 3.4 at the time of its first release candidate, so the announcement of the penultimate beta release for 3.5 seems like a good time to see what will be coming in the new release.
Linux.com has an interview with Bruce Schneier. "Schneier: The most important takeaway is that we are all vulnerable to this sort of attack. Whether it's nation-state hackers (Sony), hacktivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it. Because as more people wake up and realize how devastating an attack it is, the more we're going to see it."
The Free Software Foundation (FSF) and Software Freedom Conservancy (SFC) have both put out statements about a change to the Canonical, Ltd. "intellectual property" policy that was negotiated over the last two years (FSF statement and SFC statement). Effectively, Canonical has added a "trump clause" that clarifies that the licenses of the individual packages override the Canonical policy when there is a conflict. Though, as SFC points out: "While a trump clause is a reasonable way to comply with the GPL in a secondary licensing document, the solution is far from ideal. Redistributors of Ubuntu have little choice but to become expert analysts of Canonical, Ltd.'s policy. They must identify on their own every place where the policy contradicts the GPL. If a dispute arises on a subtle issue, Canonical, Ltd. could take legal action, arguing that the redistributor's interpretation of GPL was incorrect. Even if the redistributor was correct that the GPL trumped some specific clause in Canonical, Ltd.'s policy, it may be costly to adjudicate the issue." While backing the change made, both FSF and SFC recommend further changes to make the situation even more clear.