LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-20 06:00
Tuesday's security updates
Debian has updated mercurial (two vulnerabilities). Mageia has updated async-http-client (two vulnerabilities), glpi (privilege escalation), kernel (multiple vulnerabilities), libarchive (denial of service), libssh (denial of service), mailman (path traversal attack), pnp4nagios (cross-site scripting), postgis (multiple vulnerabilities), ruby-redcarpet (cross-site scripting), and springframework (information disclosure). openSUSE has updated Chromium (13.2, 13.1: two vulnerabilities), curl (13.2, 13.1: information leak), dnsmasq (13.2, 13.1: information disclosure), gnu_parallel (13.2, 13.1: file overwrite), libreoffice (13.2: code execution), libssh (13.2, 13.1: denial of service), libtasn1 (13.2, 13.1: denial of service), pcre (13.2, 13.1: multiple vulnerabilities), and php5 (13.2, 13.1: multiple vulnerabilities). Slackware has updated mariadb (multiple unspecified vulnerabilities), mysql (multiple unspecified vulnerabilities), and wpa_supplicant (code execution). Ubuntu has updated libmodule-signature-perl (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities) and openssl (12.04: re-enable TLSv1.2 by default).
The Foresight Linux Project shuts down
The development of the Foresight Linux distribution has come to an end. "The Foresight Linux Council has determined that there has been insufficient volunteer activity to sustain meaningful new development of Foresight Linux. Faced with the need either to update the project's physical infrastructure or cease operations, we find no compelling reason to update the infrastructure."
The last stable 3.19.x kernel
Greg Kroah-Hartman has released stable kernel 3.19.8. This is the last kernel in the 3.19.x series and users should upgrade to 4.0.x.
Security advisories for Monday
Arch Linux has updated docker (multiple vulnerabilities). Debian has updated libtasn1-6 (denial of service), suricata (denial of service), and zeromq3 (security bypass). Fedora has updated firefox (F20: multiple vulnerabilities), libreoffice (F20: code execution), netcf (F21; F20: denial of service), perl-XML-LibXML (F21; F20: information disclosure), proftpd (F21: unauthenticated copying of files), prosody (F20: denial of service), thunderbird (F20: multiple vulnerabilities), and xulrunner (F20: multiple vulnerabilities). Mageia has updated wordpress (cross-site scripting). Ubuntu has updated icu (15.04, 14.10, 14.04: code execution), kernel (14.10, 14.04: regression in previous update), libtasn1-3, libtasn1-6 (15.04, 14.10, 14.04, 12.04: denial of service), linux-lts-utopic (14.04: regression in previous update), and linux-lts-trusty (12.04: regression in previous update).
Kernel prepatch 4.1-rc3
The 4.1 development cycle continues with the release of 4.1-rc3. "Go out and test. By -rc3, things really should be pretty non-threatening and this would be a good time to just make sure everything is running smoothly if you haven't tried one of the earlier development kernels already."
Testable Examples in Go
At the Go Blog, Andrew Gerrand provides a look at the language's approach to combining example code and documentation. "Godoc examples are snippets of Go code that are displayed as package documentation and that are verified by running them as tests. They can also be run by a user visiting the godoc web page for the package and clicking the associated "Run" button. Having executable documentation for a package guarantees that the information will not go out of date as the API changes." Each package's examples are compiled as part of the package test suite; examples can also (optionally) be executed in order to capture failures with the testing framework.
Friday's security updates
Arch Linux has updated libtasn1 (code execution), mariadb (multiple vulnerabilities), and mariadb-clients (denial of service). Debian has updated dnsmasq (regression fix for previous advisory) and pound (multiple vulnerabilities). Fedora has updated async-http-client (F20: multiple vulnerabilities), realmd (F21: unsanitized input), springframework (F20: information disclosure), testdisk (F20: multiple vulnerabilities), and v8 (F20; F21: denial of service). Mandriva has updated libtasn1 (BS1,2: code execution). SUSE has updated DirectFB (SLE12: multiple vulnerabilities), java-1_7_0-openjdk (SLED 11.3: multiple vulnerabilities), and kernel (SLE12 Live Patching: denial of service).
Stable kernels 3.10.77, 3.14.41, 3.19.7, and 4.0.2
Greg Kroah-Hartman has released the latest batch of stable kernels: 3.10.77, 3.14.41, 3.19.7, and 4.0.2. As usual, they contain fixes all over the tree and users should upgrade.
How OpenStack gets translated (Opensource.com)
Over at Opensource.com, one of the translators for OpenStack, Łukasz Jernaś, is interviewed about the process of translating a large project like OpenStack. "How does OpenStack's release cycle play into the translation process? Is it manageable to get translations done on a six-month release cycle? Most of the work gets done after the string freeze period, which happens around a month before the release, with a lot of it being completed after getting the first release candidate out of the window. Documentation is translated during the entire cycle, as many parts are common between releases and can be deployed independently to the releases. So we don't have to focus that much about deadlines, as it's available online all the time and not prepackaged and pushed out to users and distributions. Of course, having a month to do the translations can be cumbersome, depending on the team doing the translation (some do that part time, some people in their spare time), and how many developers push out new strings during the string freeze."
Security advisories for Thursday
Debian has updated sqlite3 (three vulnerabilities). Mageia has updated dpkg (integrity verification bypass), libtasn1 (denial of service), perl-XML-LibXML (information disclosure), qt3, qt4, and qtbase5 (three vulnerabilities), and tcl-tcllib (cross-site scripting). Mandriva has updated perl-XML-LibXML (BS1,2: information disclosure).
[$] LWN.net Weekly Edition for May 7, 2015
The LWN.net Weekly Edition for May 7, 2015 is available.
[$] Video editing and free software
Two talks at the 2015 Libre Graphics Meeting in Toronto came from video-editing projects. One was an update from Natron, a relatively young project that deals with video compositing, while the other was a reflection on ten years' worth of development on the general-purpose non-linear editor (NLE) Pitivi. Both are active projects, but they take two markedly different approaches: one aims to support an existing industry standard, while the other must build its core functionality from the ground up.
Security advisories for Wednesday
Debian has updated dnsmasq (information disclosure). Mageia has updated erlang (man-in-the-middle attack), glibc (multiple vulnerabilities), mariadb (multiple unspecified vulnerabilities), qtwebkit (denial of service), and x11-server (two vulnerabilities). Mandriva has updated net-snmp (MBS2.0, MBS1.0: code execution), nodejs (MBS2.0: privilege escalation), and squid (MBS2.0: certificate validation bypass). Red Hat has updated openstack-glance (RHELOSP6.0: denial of service). Ubuntu has updated clamav (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities), kernel (15.04; 14.10; 14.04; 12.04: privilege escalation), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), oxide-qt (15.04, 14.10, 14.04: multiple vulnerabilities), and ppp (14.10, 14.04, 12.04: denial of service).
International Day Against DRM
This year the International Day Against DRM will be held on May 6. The Free Software Foundation focuses on community with a wide variety of community groups, activist organizations, and businesses all taking part in the ninth International Day Against DRM. The FSF's DefectiveByDesign campaign looks at how DRM affects people with disabilities. "DRM is especially bad for those of us that face additional hurdles using computers. It's beastly for blind people, who are dependent on an audiobook market heavily laden with DRM."
Git code hosting beta (launchpadblog)
Early support for hosting Git repositories directly on Launchpad has been announced. "This has been by far the single most commonly requested feature from Launchpad code hosting for a long time; we’ve been working hard on it for several months now, and we’re very happy to be able to release it for general use. This is distinct from the facility to import code from Git (and some other systems) into Bazaar that Launchpad has included for many years."
App Container spec gains new support as a community-led effort
CoreOS looks at community adoption of the App Container spec (appc). "In order to ensure the specification remains a community-led effort, the appc project has established a governance policy and elected several new community maintainers unaffiliated with CoreOS: initially, Vincent Batts of Red Hat, Tim Hockins of Google and Charles Aylward of Twitter. This new set of maintainers brings each of their own unique points of view and allows appc to be a true collaborative effort. Two of the initial developers of the spec from CoreOS, Brandon Philips and Jonathan Boulle, remain as maintainers, but now are proud to have the collective help of others to make the spec what it is intended to be: open, well-specified and developed by a community."
Tuesday's security updates
Debian has updated wordpress (multiple vulnerabilities). Fedora has updated mingw-curl (F21: multiple vulnerabilities), mingw-libgcrypt (F21: multiple vulnerabilities), mingw-openssl (F21: multiple vulnerabilities), and mingw-qt5-qtbase (F21: multiple vulnerabilities). Mageia has updated clamav (multiple vulnerabilities), gstreamer0.10-plugins-bad (code execution), hiawatha (multiple vulnerabilities), net-snmp (code execution), nodejs (privilege escalation), pdns, pdns-recursor (denial of service), and squid (certificate validation bypass). Mandriva has updated cherokee (MBS1.0: authentication bypass), clamav (MBS2.0, MBS1.0: multiple vulnerabilities), directfb (MBS2.0, MBS1.0: two vulnerabilities), fcgi (MBS1.0: denial of service), mariadb (MBS2.0, MBS1.0: multiple unspecified vulnerabilities), ppp (MBS2.0, MBS1.0: denial of service), and ruby (MBS2.0, MBS1.0: man-in-the-middle attack). Ubuntu has updated dnsmasq (15.04, 14.10, 14.04, 12.04: information disclosure) and libxml-libxml-perl (15.04, 14.10, 14.04, 12.04: information disclosure).
Synfig Studio 1.0
Synfig Studio 1.0 has been released. This version features a reworked UI, a full-featured bone system to create cutout animation, advanced image distortion, a new Cutout Tool, sound support, and more.
Security advisories for Monday
Arch Linux has updated clamav (multiple vulnerabilities) and squid (certificate validation bypass). Debian has updated jqueryui (cross-site scripting), libphp-snoopy (command execution), libxml-libxml-perl (information disclosure), owncloud (multiple vulnerabilities), ruby1.8 (man-in-the-middle attack), ruby1.9.1 (man-in-the-middle attack), and ruby2.1 (man-in-the-middle attack). Debian-LTS has updated xorg-server (denial of service). Fedora has updated clamav (F21: multiple vulnerabilities), curl (F21: multiple vulnerabilities), ikiwiki (F21; F20: cross-site scripting), mingw-libtiff (F21: two vulnerabilities), proftpd (F20: unauthenticated copying of files), qt3 (F21; F20: code execution), and xen (F21; F20: information leak). Mageia has updated 389-ds-base (access control bypass), cherokee (authentication bypass), chromium-browser-stable (multiple vulnerabilities), curl (multiple vulnerabilities), directfb (two vulnerabilities), fcgi (denial of service), python-pip (two vulnerabilities), ruby (man-in-the-middle attack), and subversion (multiple vulnerabilities). Mandriva has updated curl (MBS2.0; MBS1.0: multiple vulnerabilities).
Kernel prepatch 4.1-rc2
The second 4.1 prepatch is out for testing. "As usual, it's a mixture of driver fixes, arch updates (with s390 really standing out due to that one prng commit), and some filesystem and networking."
OpenBSD 5.7
OpenBSD 5.7 has been released. This version includes improved hardware support, network stack improvements, installer improvements, security and bug fixes, and more. OpenSSH 6.8, LibreSSL, and other packages have also seen improvements and bug fixes.
Security advisories for Friday
Arch Linux has updated perl-xml-libxml (information disclosure). Debian has updated chromium-browser (multiple vulnerabilities). Debian-LTS has updated libjson-ruby (denial of service), libxml-libxml-perl (information disclosure), squid (denial of service), xdg-utils (command execution), and xorg-server (information leak/denial of service). Mageia has updated kernel (multiple vulnerabilities), kernel-linus (multiple vulnerabilities), libreoffice (code execution), ppp (denial of service), and quassel (SQL injection). openSUSE has updated wpa_supplicant (13.2, 13.1: code execution). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL5.6: privilege escalation). Scientific Linux has updated 389-ds-base (SL7: access control bypass). SUSE has updated kernel (SLES10 SP4: multiple vulnerabilities).
Mozilla: Deprecating Non-Secure HTTP
The Mozilla community has declared its intent to phase out "non-secure" (not encrypted with TLS) web access. "Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon."
Apache SpamAssassin 3.4.1 released
The Apache SpamAssassin 3.4.1 release is out. "Highlights include: Improved automation to help combat spammers that are abusing new top level domains; Tweaks to the SPF support to block more spoofed emails; Increased character set normalization to make rules easier to develop, block more international spam and stop spammers from using alternate character sets to bypass tests; Continued refinement to the native IPv6 support; and Improved Bayesian classification with better debugging and attachment hashing."
Unboxing Linux/Mumblehard: Muttering spam from your servers (WeLiveSecurity)
WeLiveSecurity reports that ESET researchers have revealed a family of Linux malware that stayed under the radar for more than 5 years. They are calling it Linux/Mumblehard. "There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average. Monitoring of the botnet suggests that the main purpose of Mumblehard seems to be to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines."
Debian GNU/Hurd 2015 released
Debian GNU/Hurd 2015 has been released. "This is a snapshot of Debian "sid" at the time of the stable Debian "jessie" release (April 2015), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release."
Thursday's security updates
Debian has updated curl (information leak), elasticsearch (directory traversal), and icecast2 (denial of service). Debian-LTS has updated curl (two vulnerabilities), openjdk-6 (multiple vulnerabilities), php5 (multiple vulnerabilities), and qt4-x11 (multiple vulnerabilities). Fedora has updated ax25-tools (F21; F20: denial of service), fcgi (F21; F20: denial of service), FlightGear (F21: unspecified vulnerability), FlightGear-data (F21: unspecified vulnerability), mailman (F21: path traversal attack), mksh (F21; F20: multiple issues), pdns (F21; F20: denial of service), pdns-recursor (F21; F20: denial of service), and qt (F21: multiple vulnerabilities). Mandriva has updated glibc (MBS2.0, MBS1.0: two vulnerabilities) and sqlite3 (MBS2.0, MBS1.0: three vulnerabilities). openSUSE has updated DirectFB (13.2, 13.1: two vulnerabilities). Ubuntu has updated curl (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities), EC2 kernel (10.04: privilege escalation), kernel (14.10; 14.04; 12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: denial of service).
[$] LWN.net Weekly Edition for April 30, 2015
The LWN.net Weekly Edition for April 30, 2015 is available.
New stable kernels
Greg KH has released stable kernels 4.0.1, 3.19.6, 3.14.40, and 3.10.76. All of them contain important fixes.
Security advisories for Wednesday
Arch Linux has updated chromium (multiple vulnerabilities) and dovecot (denial of service). CentOS has updated 389-ds-base (C7: access control bypass). Debian-LTS has updated jruby (denial of service). Fedora has updated libreoffice (F21: code execution) and yourls (F21; F20: cross-site scripting). Mandriva has updated lftp (MBS1.0: man-in-the-middle attack), libksba (MBS1.0, MBS2.0: denial of service), ntop (MBS1.0: cross-site-scripting), and t1utils (MBS1.0: multiple vulnerabilities). openSUSE has updated curl (13.2, 13.1: multiple vulnerabilities) and python-Pillow (13.2: denial of service). Oracle has updated 389-ds-base (OL7: access control bypass).
GNU Mailman 3.0 released
GNU Mailman 3.0 has been released. "Over seven years in development, Mailman 3 represents a major new version, redesigned as a suite of cooperating components which can be used to mix and match however you want. The core engine is now backed by a relational database and exposes its functionality to other components via an administrative REST+JSON API. Our new web user interface, Postorius is Django-based, as is our new archiver HyperKitty. The core requires Python 3.4 while Postorius and HyperKitty require Python 2.7." LWN looked at Mailman 3.0 in March, and at HyperKitty in April 2014.
[$] The programming talent myth
Jacob Kaplan-Moss is known for his work on Django but, as he would describe in his PyCon 2015 keynote, many think he had more to do with its creation than he actually did. While his talk ranged quite a bit, the theme covered something that software development organizations—and open source projects—may be grappling with: a myth about developer performance and how it impacts the industry. It was a thought-provoking talk that was frequently punctuated by applause; these are the kinds of issues that the Python community tries to confront head on, so the talk was aimed well.
KDE Ships Plasma 5.3
KDE has announced the release of Plasma 5.3. This release features improved power management, better Bluetooth capabilities, improved Plasma widgets, a tech preview of the Plasma Media Center, big steps towards Wayland support, and more.
Tuesday's security updates
Fedora has updated curl (F20: multiple vulnerabilities), firefox (F21: code execution), icu (F21; F20: multiple vulnerabilities), java-1.8.0-openjdk (F20: multiple vulnerabilities), ntp (F21: multiple vulnerabilities), ruby (F21: man-in-the-middle attack), and xulrunner (F21: code execution). Mandriva has updated java-1.7.0-openjdk (MBS1.0: multiple vulnerabilities). Red Hat has updated qemu-kvm-rhev (RHELOSP: privilege escalation). Ubuntu has updated network-manager (15.04, 14.10, 14.04: information disclosure) and oxide-qt (15.04, 14.10, 14.04: multiple vulnerabilities).
Garrett: Reducing power consumption on Haswell and Broadwell systems
Matthew Garrett looked into why Linux systems consume too much power on recent Intel chipsets and wrote up his results —a reduction of idle power use on his laptop from 8.5W to 5W. "This trend is likely to continue. As systems become more integrated we're going to have to pay more attention to the interdependencies in order to obtain the best possible power consumption, and that means that distribution vendors are going to have to spend some time figuring out what these dependencies are and what the appropriate default policy is for their users."
Security advisories for Monday
Arch Linux has updated curl (multiple vulnerabilities) and wpa_supplicant (code execution). Debian has updated chromium-browser (multiple vulnerabilities), kernel (multiple vulnerabilities), libreoffice (code execution), openjdk-6 (multiple vulnerabilities), openjdk-7 (multiple vulnerabilities), and wpa (code execution). Fedora has updated cherokee (F21; F20: authentication bypass), chrony (F20: multiple vulnerabilities), php (F20: multiple vulnerabilities), qt5-qtbase (F21; F20: multiple vulnerabilities), resteasy (F20: XML eXternal Entity (XXE) attacks), spatialite-tools (F20: multiple vulnerabilities), sqlite (F20: multiple vulnerabilities), wesnoth (F21; F20: information leak), wpa_supplicant (F21: code execution), and zarafa (F21; F20: denial of service). Mageia has updated php (three vulnerabilities) and wordpress (multiple vulnerabilities). Mandriva has updated asterisk (MBS1.0: SSL server spoofing), glusterfs (MBS2.0: denial of service), librsync (MBS1.0: file checksum collision), perl-Module-Signature (MBS1.0: multiple vulnerabilities), php (MBS1.0, MBS2.0: multiple vulnerabilities), qemu (MBS1.0, MBS2.0: denial of service), setup (MBS2.0: information disclosure), and tor (MBS1.0: denial of service). openSUSE has updated java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), and ntp (13.2, 13.1: two vulnerabilities). Ubuntu has updated autofs (14.10: privilege escalation), libreoffice (14.10, 14.04, 12.04: two vulnerabilities), and tcpdump (14.10, 14.04, 12.04: multiple vulnerabilities).
Kernel prepatch 4.1-rc1
The 4.1-rc1 prepatch is out. Linus says: "No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of 'big new feature' may differ from mine, of course. There's a lot of work all over, and some of it might just make a big difference to your use cases." What he doesn't mention is that, in the end, kdbus was not merged for this development cycle.
Debian 8 "Jessie" released
Debian 8, codenamed "Jessie", has been released. It comes with a wide array of upgraded packages including GNOME 3.14, KDE Plasma Workspaces and KDE Applications 4.11.13, Python 2.7.9 and 3.4.2, Perl 5.20.2, PHP 5.6.7, PostgreSQL 9.4.1, MariaDB 10.0.16 and MySQL 5.5.42, Linux 3.16.7-ctk9, and lots more. "With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being the universal operating system. It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, or storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian's archive ensure that "Jessie" fulfills the high expectations that users have of a stable Debian release."
Rust Once, Run Everywhere
The Rust blog has posted a guide to using Rust's foreign function interface (FFI) with C code. Highlighted in particular are Rust's safe abstractions, which are said to impose no costs. "Most features in Rust tie into its core concept of ownership, and the FFI is no exception. When binding a C library in Rust you not only have the benefit of zero overhead, but you are also able to make it safer than C can! Bindings can leverage the ownership and borrowing principles in Rust to codify comments typically found in a C header about how its API should be used."
Friday's security updates
Arch Linux has updated powerdns (denial of service) and powerdns-recursor (denial of service). Debian-LTS has updated subversion (multiple vulnerabilities). Fedora has updated lcms (F20: denial of service) and php (F21: multiple vulnerabilities). Mageia has updated chromium-browser-stable (M4: multiple vulnerabilities), chrony (M4: multiple vulnerabilities), lftp (M4: SSL server spoofing), libksba (M4: denial of service), ntop (M4: cross-site scripting), setup (M4: information disclosure), and t1utils (M4: multiple vulnerabilities). openSUSE has updated firefox (13.1; 13.2: code execution) and socat (13.1: denial of service). Oracle has updated kernel (kernel 3.8.18 (O6, O7); kernel 2.6.39 (O5, O6); kernel 2.6.32 (O5, O6): multiple vulnerabilities). Red Hat has updated novnc (RHEL OSP4: VNC session hijacking). Ubuntu has updated firefox (code execution), usb-creator (12.04, 14.04, 14.10; 15.04: privilege escalation), and wpa_supplicant (14.04, 14.10: code execution).
Ubuntu 15.04 (Vivid Vervet) released
The Ubuntu 15.04 release is out. "Ubuntu Server 15.04 includes the Kilo release of OpenStack, alongside deployment and management tools that save devops teams time when deploying distributed applications - whether on private clouds, public clouds, x86 or ARM servers, or on developer laptops. Several key server technologies, from MAAS to Ceph, have been updated to new upstream versions with a variety of new features. This release also includes the first release of snappy Ubuntu Core, a new distribution model based on transactional updates." LWN looked at Snappy in January.
Wi-Fi software security bug could leave Android, Windows, Linux open to attack (Ars Technica)
Ars Technica reports on a wpa_supplicant bug that might leave Linux and other systems open to remote code execution. "That's because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information 'is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets,' [wpa_supplicant maintainer Jouni] Malinen wrote, and the code 'was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.'"
Security updates for Thursday
Arch Linux has updated glibc (code execution). Fedora has updated chrony (F21: three vulnerabilities), gnupg2 (F20: denial of service), java-1.7.0-openjdk (F20: unspecified), java-1.8.0-openjdk (F21: unspecified), kernel (F21; F20: denial of service), ntp (F20: two vulnerabilities), python (F20: denial of service from 2013), spatialite-tools (F21: three vulnerabilities), and sqlite (F21: three vulnerabilities). Oracle has updated kvm (OL5: two vulnerabilities).
[$] LWN.net Weekly Edition for April 23, 2015
The LWN.net Weekly Edition for April 23, 2015 is available.
[$] The kdbus wreck
Few readers will have failed to notice by now that the attempted merging of the kdbus interprocess communication system into the 4.1 kernel has failed to go as well as its proponents would have liked. As of this writing, the discussion continues and nothing has been merged. This article constitutes an attempt to derive a bit of light from the massive amounts of heat that have been generated so far, with a specific focus on the issue of metadata and capabilities.
Sourcegraph: A free code search tool for open source developers (Opensource.com)
Opensource.com introduces Sourcegraph. "Sourcegraph is a code search engine and browsing tool that semantically indexes all the open source code available on the web. You can search for code by repository, package, or function and click on fully linked code to read the docs, jump to definitions, and instantly find usage examples. And you can do all of this in your web browser, without having to configure any editor plugin."
Security advisories for Wednesday
Arch Linux has updated firefox (code execution). CentOS has updated kernel (C6: multiple vulnerabilities), kvm (C5: two vulnerabilities), and qemu-kvm (C6: privilege escalation). Debian has updated curl (multiple vulnerabilities) and subversion (two vulnerabilities). Debian-LTS has updated wireshark (multiple vulnerabilities). Fedora has updated ceph-deploy (F21: information leak), firefox (F20: multiple vulnerabilities), libzip (F21; F20: code execution), mingw-gnutls (F21: denial of service), mingw-libtasn1 (F21; F20: denial of service), openstack-neutron (F20: denial of service), python-virtualenv (F21; F20: insecure software download), qt5-qtwebkit (F21; F20: denial of service), and qtwebkit (F21; F20: denial of service). openSUSE has updated Chromium (13.2, 13.1: multiple vulnerabilities). Oracle has updated glibc (OL6: two vulnerabilities), kernel (OL6: multiple vulnerabilities), and qemu-kvm (OL6: privilege escalation). Red Hat has updated kernel (RHEL5.9: privilege escalation), kvm (RHEL5: two vulnerabilities), and qemu-kvm (RHEL6: privilege escalation). Scientific Linux has updated kernel (SL6: multiple vulnerabilities), kvm (SL5: two vulnerabilities), and qemu-kvm (SL6: privilege escalation). Slackware has updated bind (denial of service), gnupg (multiple vulnerabilities), httpd (multiple vulnerabilities), libssh (two vulnerabilities), firefox (multiple vulnerabilities), thunderbird (multiple vulnerabilities), mutt (denial of service), ntp (two vulnerabilities), openssl (multiple vulnerabilities), php (multiple vulnerabilities), ppp (two vulnerabilities), proftpd (unauthenticated copying of files), qt (multiple vulnerabilities), and seamonkey (multiple vulnerabilities). SUSE has updated mariadb (SLE12: multiple vulnerabilities).
GCC 5.1 released
Version 5.1 of the GNU Compiler Collection is out. "GCC 5.1 is a major release containing substantial new functionality not available in GCC 4.9.x or previous GCC releases." Some of that new functionality includes full C++14 language support, quite a few optimization improvements, partial OpenACC support, OpenMP 4.0 support, an experimental JIT library, and more; see the changelog for details.
How Tor is building a new Dark Net with help from the U.S. military (The Daily Dot)
The Daily Dot reports that the Tor project is receiving some funding from the US Defense Advanced Research Projects Agency (DARPA) to improve Tor's hidden services. "The Dark Net road map moving forward is ambitious. Tor plans to double the encryption strength of hidden service’s identity key and to allow offline storage for that key, a major security upgrade. Next-generation hidden services may be run from multiple hosts to better deal with denial of service attacks and high traffic in general, a potentially big power boost that further closes the gap between the Dark Net and normal websites."
Announcing the release of Fedora 22 Beta
Fedora 22 Beta has been released. It comes in Workstation, Server, and Cloud editions, as well as several spins. This version replaces yum with DNF for package management, as discussed in this recent LWN article. The Cloud edition features the latest versions of rpm-ostree and rpm-ostree-toolbox and introduces the Atomic command line tool. The Server edition features a new database server role based on PostgreSQL, an updated Cockpit, and XFS as the default filesystem. The Workstation product has also seen a number of enhancements and improvements, including a redesigned GNOME Shell notification system, transitional Wayland support, and much more.