Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-20 06:00
The long ARM of Linux: Red Hat Enterprise Linux Server for ARM Development Preview (Red Hat Blog)
In a post on the Red Hat Blog, the company has announced a version of Red Hat Enterprise Linux (RHEL) for ARM development. "Today, we are making the Red Hat Enterprise Linux Server for ARM Development Preview 7.1 available to all current and future members of the Red Hat ARM Partner Early Access Program as well as their end users as an unsupported development platform, providing a common standards-based operating system for existing 64-bit ARM hardware. Beyond this release, we plan to continue collaborating with our partner ISVs and OEMs, end users, and the broader open source community to enhance and refine the platform to ultimately work with the next generation of ARM-based designs." Jon Masters, who is the technical lead for the project, has a lengthy Google+ post about the project and its history over the last 4+ years.
Three projects funded by CII
The Linux Foundation's Critical Infrastructure Initiative has announced the funding of three projects to the tune of "nearly $500,000." "CII's funds will support a new open source automated testing project, the Reproducible Builds initiative from Debian, and IT security researcher Hanno Boeck's Fuzzing Project. Additionally, The Linux Foundation is announcing Emily Ratliff is joining The Linux Foundation as senior director of infrastructure security for CII. Ratliff is a Linux, system and cloud security expert with more than 20 years' experience. Most recently she worked as a security engineer for AMD and logged nearly 15 years at IBM."
Shuttleworth: Introducing the Fan
Mark Shuttleworth announces "the Fan", a new mechanism for directing communications between containers. "We recognised that container networking is unusual, and quite unlike true software-defined networking, in that the number of containers you want on each host is probably roughly the same. You want to run a couple hundred containers on each VM. You also don’t (in the docker case) want to live migrate them around, you just kill them and start them again elsewhere. Essentially, what you need is an address multiplier – anywhere you have one interface, it would be handy to have 250 of them instead." See this page for details on how it works.
Mageia 5 released
The Mageia 5 release is now available. The headline feature in this long-awaited distribution release appears to be UEFI BIOS support, but there's more; see the release notes for details.
The 4.1 kernel is out
Linus has released the 4.1 kernel. "It's not like the 4.1 release cycle was particularly painful, and let's hope that the extra week of letting it sit makes for a great release. Which wouldn't be a bad thing, considering that 4.1 will also be a LTS release." Headline features in this release include support for encrypted ext4 filesystems, the persistent memory block driver, ACPI support for the ARM64 architecture, and more.
[$] Rebasing openSUSE
The openSUSE project has often struggled with questions of identity: what is the distribution trying to be, and for who? From the 2010 strategy search through to the 2013 development-model discussions and the 2014 release-management questions, openSUSE's developers have tried to find a development approach that is both sustainable and appealing to a wider audience. In 2015, it appears that a partial success has been achieved, but that success is driving a new and controversial change.
Poettering: The new sd-bus API of systemd
Lennart Poettering writes about the sd-bus library with substantial digressions into how D-Bus works in general. "We believe the result of our work delivers our goals quite nicely: the library is fun to use, supports kdbus and sockets as back-end, is relatively minimal, and the performance is substantially better than both libdbus and GDBus."
Announcing the Code Climate platform
Code Climate has announced the open-source release of its static-analysis platform. "We’re releasing the static analysis engines that power the new Code Climate Platform, and going forward, all of our static analysis code will be published under Open Source licenses. Code Climate has always provided free analysis to Open Source projects, and this continues to deepen our commitment to, and participation in, the OSS community."
Bacon: Rebasing Ubuntu on Android?
At his blog, former Ubuntu Community Manager Jono Bacon speculates on whether or not the Ubuntu Phone project should rebase its software stack on Android. Bacon prefaces the post with a note that it is "designed purely for some intellectual fun and discussion. I am not proposing we actually do this, nor advocating for this." The central argument is that new mobile platforms invariably expend hundreds of thousands of dollars attracting well-known app vendors to the new stack. Supporting Android apps would let Ubuntu focus efforts on the user interface, scopes, and other components. "I know there has been a reluctance to support Android apps on Ubuntu as it devalues the Ubuntu app ecosystem and people would just use Android apps, but I honestly think some kind of middle-ground is needed to get into the game, otherwise I worry we won’t even make it to the subs bench no matter how awesome our technology is." Note that, whatever one makes of the idea, Bacon is speaking only about the Ubuntu Phone stack; the post does touch on how such a rebase would interfere with Ubuntu's plans for a converged software stack.
Friday's security updates
Debian has updated cinder (file disclosure) and drupal7 (multiple vulnerabilities). Fedora has updated mbedtls (F21: multiple vulnerabilities) and python-django14 (F20: cross-site scripting). Mageia has updated cups (M4: multiple vulnerabilities), ffmpeg (M4: multiple vulnerabilities), openssl (M4: multiple vulnerabilities), and redis (M4: code execution). SUSE has updated IBM Java (SLES10 SP4; SLE11: multiple vulnerabilities).
The launch of WebAssembly
Luke Wagner of Mozilla has announced the existence of the WebAssembly project. The purpose is to define a low-level language to run in web browsers; it will then serve as a compilation target for higher-level languages. Developers from most of the major browser engines are working on the project. "For existing Emscripten/asm.js users, targeting WebAssembly will be as easy as flipping a flag. Thus, it is natural to view WebAssembly as the next evolutionary step of asm.js (a step many have requested and anticipated)."
Security updates for Thursday
CentOS has updated cups (C7; C6: three vulnerabilities). Debian has updated kernel (three vulnerabilities). Debian-LTS has updated linux-2.6 (multiple vulnerabilities going back to 2011) and openssl (multiple vulnerabilities). Fedora has updated mbedtls (F20: code execution), python-requests (F21: cookie stealing), and python-urllib3 (F21: proper openssl support). openSUSE has updated busybox (13.2, 13.1: code execution) and strongswan (13.2, 13.1: information disclosure). Oracle has updated cups (OL7; OL6: three vulnerabilities). Red Hat has updated cups (RHEL6&7: three vulnerabilities). Scientific Linux has updated cups (SL6&7: three vulnerabilities).
[$] LWN.net Weekly Edition for June 18, 2015
The LWN.net Weekly Edition for June 18, 2015 is available.
[$] Micro Python on the pyboard
A 2013 Kickstarter project brought us Micro Python, which is a version of Python 3 for microcontrollers, along with the pyboard to run it on. Micro Python is a complete rewrite of the interpreter that avoids some of the CPython (the canonical Python interpreter written in C) implementation details that don't work well on microcontrollers. I recently got my hands on a pyboard and decided to give it—and Micro Python—a try.
Cool new features coming to Blender 2.75 (Opensource.com)
Opensource.com takes a look at the upcoming release of Blender 2.75. "One of the biggest features merged into Blender this go-round were from the multiview branch. In short, Blender now fully supports the ability to create stereoscopic 3D images. With the increased pervasiveness of 3D films and televisions—not to mention VR headsets in gaming—a lot of people are interested in generating images that play nice in this format. And now Blender can."
Security advisories for Wednesday
Debian-LTS has updated linux-2.6 (multiple vulnerabilities). Red Hat has updated kernel (RHEL5.9: privilege escalation). SUSE has updated java-1_7_0-ibm (SLE12: multiple vulnerabilities). Ubuntu has updated aptdaemon (15.04, 14.10, 14.04, 12.04: information leak), devscripts (14.10, 14.04, 12.04: directory traversal), and wpa, wpasupplicant (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
[$] Leap-second issues, 2015 edition
The leap second is an occasional ritual wherein Coordinated Universal Time (UTC) is held back for one second to account for the slowing of the Earth's rotation. The last leap second happened on June 30, 2012; the next is scheduled for June 30 of this year. Leap seconds are thus infrequent events. One might easily imagine that infrequent events involving time discontinuities would be likely to expose software problems, and, sure enough, the 2012 leap second had its share of issues. The 2015 leap second looks to be a calmer affair, but it appears that it will not be entirely problem-free.
Tuesday's security advisories
CentOS has updated abrt (C7: multiple vulnerabilities), openssl (C7; C6: multiple vulnerabilities), and wpa_supplicant (C7: two vulnerabilities). Debian has updated p7zip (directory traversal). Oracle has updated openssl (OL7; OL6: multiple vulnerabilities). Red Hat has updated openssl (RHEL6,7: multiple vulnerabilities). Scientific Linux has updated openssl (SL6,7: multiple vulnerabilities). SUSE has updated kernel (SLE12: multiple vulnerabilities). Ubuntu has updated kernel (15.04; 14.10; 14.04; 12.04: privilege escalation), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), linux-lts-vivid (14.04: privilege escalation), and linux-ti-omap4 (12.04: privilege escalation).
Best practices to build bridges between tech teams (Opensource.com)
Opensource.com has an interview with Robyn Bergeron about her current position as Operations Advocate at Elastic, and past roles (such as Fedora Project Leader). "The ELK stack (that's Elasticsearch, Logstash, and Kibana), being incredibly flexible and adaptable to many use cases, appeals to both operations folks and developers—but my love for it really has grown from seeing how fantastically it has allowed folks working in ops to not just start more rapidly identifying that "something broke," but also to be able to visually identify the patterns that lead to those broken things. Getting to a point where you're not just on fire all the time fixing technology, and instead fixing the processes that lead to fires, or implementing ways to proactively avoid fires, is not just redeeming, but frees up time to do other things besides firefighting. People love breaking that loop, and it's fabulous being an advocate for something that is literally making people's work-life balance and general happiness levels better. I've been in those fires. It's not fun. It makes me happy to see users feeling awesome."
Security updates for Monday
Debian has updated libav (two vulnerabilities), openssl (multiple vulnerabilities), qemu (multiple vulnerabilities), qemu-kvm (two vulnerabilities), sqlite3 (denial of service), and xen (multiple vulnerabilities). Debian-LTS has updated p7zip (directory traversal). Fedora has updated armacycles-ad (F22; F21; F20: multiple vulnerabilities), filezilla (F22: multiple vulnerabilities), fuse (F20: privilege escalation), libreswan (F20: denial of service), nss (F20: cipher-downgrade attacks), nss-softokn (F20: cipher-downgrade attacks), nss-util (F20: cipher-downgrade attacks), ntfs-3g (F20: privilege escalation), and xen (F22; F21: multiple vulnerabilities). openSUSE has updated flash-player (11.4: multiple vulnerabilities), coreutils (13.2: memory handling error), cups (13.2, 13.1: three vulnerabilities), dpkg (13.2, 13.1: integrity-verification bypass), and php5 (13.2, 13.1: information disclosure).
Kernel prepatch 4.1-rc8
As promised, the 4.1-rc8 kernel prepatch is out. "So I'm on vacation, but time doesn't stop for that, and it's Sunday, so time for a hopefully final rc."
TeX Live 2015 is available
The 2015 edition of the TeX Live software distribution, the "easy way to get up and running with the TeX document production system," has been released. DVDs are in production for members of the TeX Users Group (TUG), though many will probably prefer the downloadable release. The changes included in this edition include the merging of several LaTeX fixes from external packages into LaTeX itself, JPEG Exif support in pdfTeX, and image-handling fixes in XeTeX.
MATE 1.10 released
Version 1.10 of the MATE Desktop has been released. Perhaps the most notable new feature is that all MATE components can now be built with GTK+2 or GTK+3, although GTK+3 support is still labeled "experimental." Also new in this update are ePub support in the Atril document viewer and a new audio-mixing library named libmatemixer.
Friday's security updates
Arch Linux has updated openssl (multiple vulnerabilities). Debian-LTS has updated imagemagick (multiple vulnerabilities) and strongswan (information disclosure). Fedora has updated qemu (F22: denial of service). openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities), python-setuptools (13.1: non-secure SSL hostname matching), and tidy (13.1, 13.2: buffer overflow). Oracle has updated wpa_supplicant (O7: multiple vulnerabilities). Red Hat has updated wpa_supplicant (RHEL7: multiple vulnerabilities). Scientific Linux has updated wpa_supplicant (SL7: multiple vulnerabilities). Slackware has updated openssl (multiple vulnerabilities) and php (S14: multiple vulnerabilities). SUSE has updated cups (SLE12: multiple vulnerabilities), cups154 (SLE12: multiple vulnerabilities), flash-player (SLE12: multiple vulnerabilities), and xen (SLE11 SP3; SLE12: multiple vulnerabilities). Ubuntu has updated openssl (multiple vulnerabilities).
The hidden costs of embargoes (Red Hat Security Blog)
Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping the information about security vulnerabilities quiet until distributions can coordinate their releases of a fix for it seems like it makes a lot of sense, but there are hidden costs to that. "Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for 'because of an incomplete fix for'."
Security advisories for Thursday
CentOS has updated kernel (C6: multiple vulnerabilities) and qemu-kvm (C6: code execution). Debian-LTS has updated wireshark (WCP dissector crash). Fedora has updated cabal-install (F22: force digest authentication), freecad (F22: code execution), fusionforge (F22; F21: code execution), haskell-platform (F22: force digest authentication), less (F21: information leak), libreswan (F22; F21: denial of service), python-tornado (F21: TLS side-channel attack), and thermostat (F21: code execution). openSUSE has updated proftpd (13.2, 13.1: two vulnerabilities, one from 2013), wpa_supplicant (13.2, 13.1: three vulnerabilities), and zeromq (13.2, 13.1: protocol downgrade). Oracle has updated qemu-kvm (OL6: code execution) and kernel (OL6; OL5: three vulnerabilities). Red Hat has updated qemu-kvm (RHEL6: code execution) and qemu-kvm-rhev (RHEL6OSP: code execution). Scientific Linux has updated abrt (SL7: multiple vulnerabilities) and qemu-kvm (SL6: code execution). Ubuntu has updated kernel (15.04; 14.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: two vulnerabilities), linux-lts-vivid (14.04: three vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
LinkedIn open-sources Pinot
LinkedIn has announced the release of its "Pinot" analytics system under the Apache license. "We’ve been using it at LinkedIn for more than two years, and in that time, it has established itself as the de facto online analytics platform to provide valuable insights to our members and customers. At LinkedIn, we have a large deployment of Pinot storing 100’s of billions of records and ingesting over a billion records every day."
[$] LWN.net Weekly Edition for June 11, 2015
The LWN.net Weekly Edition for June 11, 2015 is available.
[$] Resurrecting the SuperH architecture
Processor architectures are far from trivial; untold millions of dollars and many thousands of hours have likely gone into the creation and refinement of the x86 and ARM architectures that dominate the CPUs in Linux boxes today. But that does not mean that x86 and ARM are the only architectures of value, as Jeff Dionne, Rob Landley, and Shumpei Kawasaki illustrated in their LinuxCon Japan session "Turtles all the way down: running Linux on open hardware." The team has been working on breathing new life into a somewhat older architecture that offers comparable performance to many common system-on-chip (SoC) designs—and which can be produced as open hardware. Click below (subscribers only) for the full report from LinuxCon Japan.
Huston: Multipath TCP
Geoff Huston has written a lengthy column on multipath TCP. "For many scenarios there is little value in being able to use multiple addresses. The conventional behavior is where each new session is directed to a particular interface, and the session is given an outbound address as determined by local policies. However, when we start to consider applications where the binding of location and identity is more fluid, and where network connections are transient, and the cost and capacity of connections differ, as is often the case in today's mobile cellular radio services and in WiFi roaming services, then having a session that has a certain amount of agility to switch across networks can be a significant factor." (See also: LWN's look at the Linux multipath TCP implementation from 2013).
Inside NGINX: How We Designed for Performance & Scale
The folks behind the NGINX web server have put up a highly self-congratulatory article on how the system was designed. "NGINX scales very well to support hundreds of thousands of connections per worker process. Each new connection creates another file descriptor and consumes a small amount of additional memory in the worker process. There is very little additional overhead per connection. NGINX processes can remain pinned to CPUs. Context switches are relatively infrequent and occur when there is no work to be done."
Security updates for Wednesday
Arch Linux has updated cups (two vulnerabilities). Debian has updated cups (two vulnerabilities). Debian-LTS has updated libapache-mod-jk (information disclosure) and libraw (denial of service). Oracle has updated abrt (OL7: multiple vulnerabilities) and kernel (OL6: multiple vulnerabilities). Red Hat has updated abrt (RHEL7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiple vulnerabilities), and kernel (RHEL6; RHEL6.2: multiple vulnerabilities). Scientific Linux has updated kernel (SL6: multiple vulnerabilities). Ubuntu has updated cups (15.04, 14.10, 14.04, 12.04: two vulnerabilities) and qemu, qemu-kvm (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
[$] Obstacles to contribution in embedded Linux
Tim Bird has worked with embedded Linux for many years; during this time he has noticed an unhappy pattern: many of the companies that use and modify open-source software are not involved with the communities that develop that software. That is, he said, "a shame." In an attempt to determine what is keeping companies from contributing to the kernel in particular, the Consumer Electronics Linux Forum (a Linux Foundation workgroup) has run a survey of embedded kernel developers. The resulting picture highlights some of the forces keeping these developers from engaging with the development community and offers some ideas for improving the situation.
Tuesday's security advisories
Debian-LTS has updated cups (two vulnerabilities). Fedora has updated fuse (F21: privilege escalation), mbedtls (F22: code execution), python-tornado (F22: side-channel attack), and thermostat (F22: code execution). Mageia has updated ipsec-tools (denial of service), jackrabbit (information leak), php-ZendFramework (CRLF injection), and rabbitmq-server (multiple vulnerabilities). Ubuntu has updated strongswan (15.04, 14.10, 14.04: information disclosure).
As open source code, Apple's Swift language could take flight (ITWorld)
ITWorld reports that Apple will release its Swift programming language under an open source license. "When Swift becomes open source later this year, programmers will be able to compile Swift programs to run on Linux as well as on OS X and iOS, said Craig Federighi, Apple’s head of software engineering, during the opening keynote of Apple’s Worldwide Developers Conference Monday in San Francisco. The source code will include the Swift compiler and standard library, and community contributions will be “accepted—and encouraged,” Apple said."
Security advisories for Monday
Debian has updated php5 (multiple vulnerabilities), redis (code execution), and strongswan (information disclosure). Debian-LTS has updated fuse (privilege escalation). Fedora has updated dcraw (F22; F21; F20: denial of service), fuse (F22: privilege escalation), ipsec-tools (F21; F20: denial of service), less (F22: information leak), ntfs-3g (F21: privilege escalation), php-symfony (F22; F21; F20: restriction bypass), ufraw (F22; F21; F20: denial of service), and zarafa (F21; F20: file overwrites). Scientific Linux has updated openssl (SL6,7: cipher-downgrade attacks). SUSE has updated cups (SLE11SP3: privilege escalation).
Some stable kernel updates
The 4.0.5, 3.14.44, and 3.10.80 stable kernels have been released. These contain a number of important bugfixes, including the fixes for the ext4 and RAID 0 data corruption issues discussed in this article. At LinuxCon Japan last week it was announced that the next long-term stable release, to be maintained for two years, will be 4.1.
Kernel prepatch 4.1-rc7
The 4.1-rc7 prepatch is out. "Normally rc7 tends to be the last rc release, and there's not a lot going on to really merit anything else this time around. However, we do still have some pending regressions, and as mentioned last week I also have my yearly family vacation coming up, so we'll have an rc8 and an extra week before 4.1 actually gets released."
Let's Encrypt Root and Intermediate Certificates
The Let's Encrypt project has announced that it has created the root and intermediate keys and certificates it will use to sign certificates. Let's Encrypt is the no-cost certificate authority announced by the Electronic Frontier Foundation (EFF) back in November. In April, the Linux Foundation announced that it would be hosting the project. "The keys and certificates that will underlie Let’s Encrypt have been generated. This was done during a key ceremony at a secure facility today." The intermediate certificates will be cross-signed by IdenTrust so that they will be accepted by browsers before the Let's Encrypt root certificate has been propagated. A bit more news from the blog post: "In the next few weeks, we’ll be saying some more about our plans for going live."
Security updates for Friday
Arch Linux has updated pcre (code execution). CentOS has updated openssl (C7; C6: cipher downgrade). Fedora has updated batik (F22; F21; F20: information leak), netty (F21: httpOnly cookie bypass), and pcs (F22; F21; F20: two vulnerabilities). openSUSE has updated e2fsprogs (13.2; 13.1: two vulnerabilities) and fuse (13.1: privilege escalation). Oracle has updated openssl (OL7; OL6: cipher downgrade). Red Hat has updated openssl (RHEL6&7: cipher downgrade).
GNU Octave 4.0.0 Released
GNU Octave, which is a high-level programming language for numerical computations that is largely compatible with MATLAB, has made its 4.0 release. There are lots of new features in this major release, which are described in the release notes. Some of those features include defaulting to the graphical user interface instead of the command-line interface, OpenGL graphics and Qt widgets by default, a new syntax for object-oriented programming using classdef, audio functions, better MATLAB compatibility, and more.
Thursday's security alerts
Debian has updated libapache-mod-jk (information disclosure). Debian-LTS has updated mercurial (two code execution flaws). Oracle has updated kernel (OL5: unspecified vulnerabilities). Red Hat has updated php54 (RHSC6&7: multiple vulnerabilities), php55 (RHSC6&7: multiple vulnerabilities), python27 (RHSC6&7: multiple vulnerabilities, two from 2013), and thermostat1 (RHSC6&7: code execution). Ubuntu has updated t1utils (14.10, 14.04: code execution).
[$] LWN.net Weekly Edition for June 4, 2015
The LWN.net Weekly Edition for June 4, 2015 is available.
Emergency security band-aids with Systemtap
Here's an article on the Red Hat security blog on the use of Systemtap to apply emergency security fixes. "With the vulnerability-band-aid approach chosen, we need to express our intent in the systemtap scripting language. The model is simple: for each place where the state change is to be done we place a probe. In each probe handler, we detect whether the context indicates an exploit is in progress and, if so, make changes to the context. We might also need additional probes to detect and capture state from before the vulnerable section of code, for diagnostic purposes."
[$] Automotive Grade Linux and a distribution for cars
At the 2015 Automotive Linux Summit in Tokyo, Dan Cauchy from the Linux Foundation (LF) kicked off the first day's program with an announcement: that the LF's Automotive Grade Linux (AGL) workgroup has decided to build its own Linux distribution, which it plans to run as an ongoing, long-term project. While the desire for a workgroup to create a distribution tailored to its needs is nothing new, the announcement had several in the crowd wondering what this decision meant for Tizen IVI—which, up until now, has served as the reference distribution for AGL. Tizen, of course, is also an LF-hosted project, and it has made in-vehicle infotainment (IVI) one of its high-priority use cases.
Security advisories for Wednesday
CentOS has updated kernel (C5: privilege escalation). Debian has updated jqueryui (regression in previous update) and wireshark (multiple vulnerabilities). Fedora has updated httpd (F21: mis-handling of Require directives), libtiff (F22: two vulnerabilities), nss (F22: cipher-downgrade attacks), nss-softokn (F22: cipher-downgrade attacks), and nss-util (F22: cipher-downgrade attacks). openSUSE has updated fuse (13.2: privilege escalation), nbd (13.2, 13.1: denial of service), and php5 (13.2, 13.1: multiple vulnerabilities). Oracle has updated kernel (OL5: privilege escalation). Red Hat has updated kernel (RHEL5: privilege escalation) and virtio-win (RHEL7; RHEL6: denial of service). Scientific Linux has updated kernel (SL5: privilege escalation). Ubuntu has updated qt4-x11, qtbase-opensource-src (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Virtuozzo source code available
The OpenVZ team has announced the open source code release of several Virtuozzo userspace utilities. The utilities include prlctl, a unified command line tool to manage virtual machines and containers; libprlsdk, Virtuozzo API C++ and python libraries, used for local and remote communications with a dispatcher management service; prl-disp-service, a primary Containers and Virtual machines management service; libvzctl, a low-level library for Containers management; libvzevent, a low-level library for Containers life-cycle notifications from the kernel; vzctl, a utility to control a Containers; and vztt, a utility for Containers templates management.
First Open Automotive Grade Linux Spec Released (Linux.com)
Linux.com talks with Dan Cauchy, general manager of automotive at the Linux Foundation, about the release of the AGL Requirements Specification. "In July 2014, AGL released its first AGL reference platform built on the Tizen IVI platform running HTML5 apps. The new release instead details precise specifications and requirements for any AGL-compliant IVI stack. For the first time, automakers, automotive suppliers, and open source developers can collaborate on refining the spec -- the first draft of a common, Linux-based software stack for the connected car."
Firefox 38.0.5
Firefox 38.0.5 has been released. This version introduces Pocket, which helps you keep track of articles and videos. Clean formatting for articles and blog posts with Reader View is also a new feature. See the release notes for more information.
Tuesday's security updates
Fedora has updated kernel (F22; F21: denial of service), libinfinity (F22; F21; F20: incorrect validation of certificates), nss (F21: cipher-downgrade attacks), nss-softokn (F21: cipher-downgrade attacks), nss-util (F21: cipher-downgrade attacks), ntfs-3g (F22: privilege escalation), and php-ZendFramework (F21; F20: CRLF injection). openSUSE has updated xen (13.1: two vulnerabilities). Ubuntu has updated apache2 (12.04: multiple vulnerabilities), ipsec-tools (12.04: denial of service), and openssl (15.04, 14.10, 14.04, 12.04: cipher-downgrade attacks).