Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-20 09:30
Tuesday's security updates
Arch Linux has updated jdk8-openjdk (multiple vulnerabilities), jre8-openjdk (multiple vulnerabilities), jre8-openjdk-headless (multiple vulnerabilities), and tcpdump (denial of service).
CentOS has updated glibc (C6: two vulnerabilities).
Debian-LTS has updated python-django-markupfield (information leak).
Red Hat has updated glibc (RHEL6: two vulnerabilities) and kernel (RHEL6: multiple vulnerabilities).
Scientific Linux has updated glibc (SL6: two vulnerabilities).
SUSE has updated Real Time Linux Kernel (SLERTE11 SP3: multiple vulnerabilities).
Ubuntu has updated mysql-5.5 (14.10, 14.04, 12.04: multiple vulnerabilities), openjdk-6 (12.04, 10.04: multiple vulnerabilities), openjdk-7 (14.10, 14.04: multiple vulnerabilities), and php5 (14.10, 14.04, 12.04, 10.04: multiple vulnerabilities).
The Puppet design philosophy (O'Reilly)
O'Reilly has posted an excerpt from Puppet Best Practices, an upcoming book about the Puppet system configuration tool. It's a good place to look for those wanting an introduction to how Puppet works. "Puppet can be somewhat alien to technologists who have a background in automation scripting. Where most of our scripts are procedural, Puppet is declarative. While a declarative language has many major advantages for configuration management, it does impose some interesting restrictions on the approaches we use to solve common problems."
Tschumperlé: My latest ten months working on G’MIC
David Tschumperlé has posted an extensive summary of his work on G'MIC, an image-processing tool. One of those projects was comic colorization: "The idea is very simple: Instead of forcing the artist to do all the colorization job by himself, we just ask him to put some colored key-points here and here, inside the different image regions to fill-in. Then, the algorithm tries to guess a probable colorization of the drawing, by analyzing the contours in the image and by interpolating the given colored key-points with respect to these contours." (LWN looked at G'MIC in August 2014).
VMware just created its first Linux OS, and it’s container-friendly (NetworkWorld)
NetworkWorld takes a look at two VMware projects that are aimed at running containers inside the VM. "VMware has created Photon as an OS that can run in vSphere. VMware says it’s a “lightweight” Linux OS that has only the basic elements required to package applications in containers and run them inside virtual machines. Because of its minimalist feature set, Project Photon is meant to boot up quickly, which is a key advantage of using containers. Project Photon supports many container image platforms, including those from Docker (which is both an open source container runtime and the name of the company that is commercializing it), as well as container images from CoreOS (called “rkt”) and Pivotal (named “Garden”)." VMware also announced a beta version of Project Lightwave, "which is an identity and access management tool meant to provide an extra security layer for containers."
Stable kernel updates
New stable kernel updates have been released for 3.19.5, 3.14.39, and 3.10.75. All of them contain important fixes throughout the tree.
Security advisories for Monday
Arch Linux has updated chromium (multiple vulnerabilities), flashplugin (multiple vulnerabilities), jdk7-openjdk (multiple vulnerabilities), jre7-openjdk (multiple vulnerabilities), and jre7-openjdk-headless (multiple vulnerabilities).
Debian has updated django-markupfield (information leak) and mysql-5.5 (multiple vulnerabilities).
Debian-LTS has updated file (memory leak), openldap (multiple vulnerabilities), ppp (denial of service), and wesnoth-1.8 (information leak).
Fedora has updated gnupg2 (F21: double-free issue), groovy-sandbox (F21: privilege escalation), jenkins (F21: multiple vulnerabilities), jenkins-matrix-project-plugin (F21: privilege escalation), jenkins-script-security-plugin (F21: privilege escalation), knot (F21; F20: multiple vulnerabilities), libtasn1 (F21; F20: denial of service), mediawiki (F21; F20: multiple vulnerabilities), owncloud (F21; F20: multiple vulnerabilities), perl-DBD-Firebird (F21; F20: buffer overflow), perl-Module-Signature (F21; F20: multiple vulnerabilities), perl-Test-Signature (F21; F20: multiple vulnerabilities), php-symfony (F21; F20: two vulnerabilities), postgis (F21: multiple vulnerabilities), python (F21: denial of service), rest (F21; F20: denial of service), tcpdump (F20: multiple vulnerabilities), and tor (F21; F20: denial of service).
Mageia has updated perl-DBD-Firebird (buffer overflow), perl-Module-Signature (multiple vulnerabilities), and potrace (denial of service).
openSUSE has updated xen (13.1: multiple vulnerabilities).
Red Hat has updated java-1.6.0-sun (RHEL5,6,7: multiple vulnerabilities) and java-1.7.0-oracle (RHEL5,6,7: multiple vulnerabilities).
Ardour 4.0 released
Version 4.0 of the Ardour audio editing system is available. This release features official OS X and Windows support, more flexible audio support (JACK is no longer required), and a lot of user-interface work.
PacketFence 5.0 released
PacketFence is a free network access control system; the 5.0 release is now available. Changes include a new active clustering mode, better device fingerprinting, better performance monitoring, the elimination of plaintext passwords, and more.
Schaller: Red Hat joins Khronos
At his blog, Christian Schaller announces that Red Hat has joined the Khronos Group, the consortium behind (among other things) the OpenGL standard. Schaller notes that "the reason we are joining is because of all the important changes that are happening in Graphics and GPU compute these days and our wish to have more direct input of the direction of some of these technologies. Our efforts are likely to focus on improving the OpenGL specification by proposing some new extensions to OpenGL, and of course providing input and help with moving the new Vulkan standard forward."
Friday's security updates
Arch Linux has updated php (multiple vulnerabilities).
Debian-LTS has updated tzdata (unspecified vulnerability).
Gentoo has updated adobe-flash (multiple vulnerabilities) and xorg-server (multiple vulnerabilities).
openSUSE has updated icecast (13.1, 13.2: denial of service) and ntop (13.1, 13.2: cross-site scripting).
Red Hat has updated java-1.8.0-oracle (RHEL6,7: multiple vulnerabilities), novnc (RHEL6 OSP; RHEL7 OSP: VNC session hijacking), openstack-foreman-installer (RHEL6 OSP: root command execution), openstack-glance (RHEL6 OSP; RHEL7 OSP: denial of service), openstack-nova (RHEL6 OSP; RHEL7 OSP: multiple vulnerabilities), openstack-packstack, openstack-puppet-modules (RHEL6 OSP; RHEL7 OSP: root command execution), openstack-swift (RHEL6 OSP; RHEL7 OSP: metadata constraint bypass), python-django-horizon, python-django-openstack-auth (RHEL6 OSP; RHEL7 OSP: denial of service), and redhat-access-plugin-openstack (RHEL6 OSP; RHEL7 OSP: information disclosure).
Ubuntu has updated apport (14.04, 14.10: privilege escalation).
GNU Hurd 0.6 released
It has been roughly a year and a half since the last release of the GNU Hurd operating system, so it may be of interest to some readers that GNU Hurd 0.6 has been released along with GNU Mach 1.5 (the microkernel that Hurd runs on) and GNU MIG 1.5 (the Mach Interface Generator, which generates code to handle remote procedure calls). New features include procfs and random translators; cleanups and stylistic fixes, some of which came from static analysis; message dispatching improvements; integer hashing performance improvements; a split of the init server into a startup server and an init program based on System V init; and more. "GNU Hurd runs on 32-bit x86 machines. A version running on 64-bit x86 (x86_64) machines is in progress. Volunteers interested in ports to other architectures are sought; please contact us (see below) if you'd like to help. To compile the Hurd, you need a toolchain configured to target i?86-gnu; you cannot use a toolchain targeting GNU/Linux. Also note that you cannot run the Hurd "in isolation": you'll need to add further components such as the GNU Mach microkernel and the GNU C Library (glibc), to turn it into a runnable system."
Boyer: Fedora 22 and Kernel 4.0
On his blog, Josh Boyer looks at the choice of the 4.0 kernel for Fedora 22. While the underpinnings of the live kernel patching feature have been merged, even when it is fully operational it is probably not something that Fedora (and perhaps other distributions) will use often (or at all). "In reality, we might not ever really leverage the live patching functionality in Fedora itself. It is understandable that people want to patch their kernel without rebooting, but the mechanism is mostly targeted at small bugfixes and security patches. You cannot, for example, live patch from version 4.0 to 4.1. Given that the Fedora kernel rebases both from stable kernel (e.g. 3.19.2 to 3.19.3) and major release kernels over the lifetime of a Fedora release, we don't have much opportunity to build the live patches."
Security updates for Thursday
Debian has updated gst-plugins-bad0.10 (code execution), inspircd (code execution from 2012), movabletype-opensource (code execution), and ppp (denial of service).
Debian-LTS has updated ruby1.9.1 (three vulnerabilities).
Mageia has updated java-1.7.0-openjdk (multiple vulnerabilities), mono (three SSL/TLS vulnerabilities), and python-dulwich (two code execution flaws).
openSUSE has updated flash-player (11.4: 45 vulnerabilities) and rubygem-rest-client (13.2, 13.1: plaintext password logging).
Oracle has updated java-1.6.0-openjdk (OL5: unspecified vulnerabilities) and java-1.7.0-openjdk (OL5: unspecified vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), java-1.6.0-openjdk (RHEL5,6&7: multiple vulnerabilities), java-1.7.0-openjdk (RHEL5; RHEL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (RHEL6&7: multiple vulnerabilities).
Scientific Linux has updated java-1.6.0-openjdk (SL5,6&7: multiple vulnerabilities), java-1.7.0-openjdk (SL5; SL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).
SUSE has updated flash-player (SLE11SP3: 22 vulnerabilities).
[$] LWN.net Weekly Edition for April 16, 2015
The LWN.net Weekly Edition for April 16, 2015 is available.
[$] Plotting tools for networks, part I
In the first two installments in this series on plotting tools (which covered gnuplot and matplotlib), we introduced tools for creating plots and graphs, and used the terms interchangeably to refer to the typical scientific plot relating one set of quantities to another. In this article we use the term "graph" in its mathematical, graph-theory context, meaning a set of nodes connected by edges. There is a strong family resemblance among graph-theory graphs, flowcharts, and network diagrams—so much so that some of the same tools can be coerced into creating all of them. We will now survey several mature free-software systems for building these types of visualizations. At least one of these tools will likely be useful if you are ever in need of an automated way to diagram source-code interdependencies, make an organizational chart, visualize a computer network, or organize a sports tournament. We will start with a graphical charting tool and a flexible graphing system that can easily be called by other programs.
Security advisories for Wednesday
CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities), java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), and java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).
Debian-LTS has updated libvncserver (multiple vulnerabilities) and libx11 (code execution).
Mageia has updated arj (multiple vulnerabilities), asterisk (SSL server spoofing), flash-player-plugin (multiple vulnerabilities), glusterfs (denial of service), librsync (file checksum collision), ntp (two vulnerabilities), qemu (denial of service), quassel (denial of service), shibboleth-sp (denial of service), socat (denial of service), tor (denial of service), and wesnoth (information leak).
Oracle has updated java-1.6.0-openjdk (OL6: multiple vulnerabilities), java-1.7.0-openjdk (OL6: multiple vulnerabilities), and java-1.8.0-openjdk (OL6: multiple vulnerabilities).
Red Hat has updated flash-plugin (RHEL5,6 Supplementary: multiple vulnerabilities).
SUSE has updated Adobe Flash Player (SLEWE12, SLED12: multiple vulnerabilities).
Debian project leader election results
This year's Debian project leader election has concluded, with Neil McGovern winning by a conclusive margin.
[$] Report from the Python Language Summit
The first half of our report from the Python Language Summit is now available. Subscribers can click below to access reports from five sessions held before lunch covering topics like the atomicity of Python operations, making Python 3 more attractive to developers, PyParallel, infrastructure for Python development, and Python 3 adoption. We will be adding more reports to this page as they become available.
OIN Expands the Linux System Definition
Open Invention Network (OIN) has announced that it has updated its Linux System patent non-aggression coverage. "For this update, 115 new packages will be added to the Linux System, out of almost 800 proposed by various parties. Key additions are the reference implementations of the popular Go and Lua programming languages, Nginx, Openshift, and development tools like CMake and Maven. This update will represent an increase of approximately 5% of the total number of packages covered in the Linux System, a reflection of the incremental and disciplined nature of the update process."
KDE Ships Plasma 5.3 Beta
A beta version of Plasma 5.3 has been released. This release features enhanced power management, better Bluetooth capabilities, improved Plasma widgets, a tech preview of Plasma Media Center, big steps towards Wayland support, and lots of bug fixes.
Tuesday's security updates
Arch Linux has updated ruby (man-in-the-middle attack).
CentOS has updated openssl (C5: multiple vulnerabilities).
Debian-LTS has updated ia32-libs (multiple vulnerabilities).
Oracle has updated openssl (OL5: multiple vulnerabilities).
Red Hat has updated kernel (RHEL6.4: privilege escalation).
Scientific Linux has updated xorg-x11-server (SL7, SL6: information leak/denial of service).
Ubuntu has updated apport (14.10, 14.04: privilege escalation), libx11, libxrender (14.10, 14.04, 12.04: code execution), and ntp (14.10, 14.04, 12.04: multiple vulnerabilities).
The Document Liberation, one year after
The Document Foundation's project Document Liberation looks at its progress during the past year. "During 2014, members of the project released a new framework library, called librevenge, which contains all the document interfaces and helper types, in order to simplify the dependency chain. In addition, they started a new library for importing Adobe PageMaker documents, libpagemaker, written as part of Google Summer of Code 2014 by Anurag Kanungo. Existing libraries have also been extended with the addition of more formats, like libwps with the addition of Microsoft Works Spreadsheet and Database by Laurent Alonso. He is now working on adding support for Lotus 1-2-3, which is one of the most famous legacy applications for personal computers. Laurent has also added support for more than twenty legacy Mac formats to libmwaw."
Stable kernel updates
Greg KH has released stable kernels 3.19.4, 3.14.38, and 3.10.74. All of them contain the usual set of important fixes.
Security advisories for Monday
Arch Linux has updated icecast (denial of service).
CentOS has updated xorg-x11-server (C6: information leak).
Debian has updated chrony (multiple vulnerabilities), das-watchdog (privilege escalation), libdbd-firebird-perl (buffer overflow), libtasn1-3 (denial of service), libx11 (code execution), ntp (two vulnerabilities), and wesnoth-1.10 (information leak).
Debian-LTS has updated chrony (multiple vulnerabilities), das-watchdog (privilege escalation), libtasn1-3 (denial of service), and ntp (two vulnerabilities).
Fedora has updated arj (F20: multiple vulnerabilities), ca-certificates (F21; F20: certificate update), ImageMagick (F21: multiple vulnerabilities), libxml2 (F20: denial of service), openldap (F21: denial of service), qemu (F21: multiple vulnerabilities), varnish (F21: heap buffer overflow), and xen (F21; F20: multiple vulnerabilities).
Gentoo has updated apache (multiple vulnerabilities), mysql (multiple unspecified vulnerabilities), sudo (information disclosure), and xen (multiple vulnerabilities).
Mandriva has updated batik (MBS1,2: information leak).
openSUSE has updated kernel (13.2; 13.1: multiple vulnerabilities) and tor (13.2, 13.1: denial of service).
Red Hat has updated openssl (RHEL5: multiple vulnerabilities).
Scientific Linux has updated openssl (SL5: multiple vulnerabilities).
SUSE has updated firefox (SLES12; SLED12: multiple vulnerabilities).
Hubička: Link time and inter-procedural optimization improvements in GCC 5
Jan Hubička has posted a lengthy discussion of the optimization improvements found in the upcoming GCC 5.0 release. "Identical code folding is a new pass (contributed by Martin Liška, SUSE) looking for functions with the same code and variables with the same constructors. If some are found, one copy is removed and replaced one by an alias to another where possible. This is especially important for C++ code bases that tend to contain duplicated functions as a result of template instantiations."
The 4.0 kernel has been released
Linus has released the 4.0 kernel right on schedule. "Feature-wise, 4.0 doesn't have all that much special. Much has been made of the new kernel patching infrastructure, but realistically, that not only wasn't the reason for the version number change, we've had much bigger changes in other versions. So this is very much a 'solid code progress' release." Beyond the (incomplete) live-patching mechanism, this release includes the removal of the remap_file_pages() system call, improved persistent memory support, the lazytime mount option, and the kernel address sanitizer.
Turon: Fearless Concurrency with Rust
Aaron Turon has posted a lengthy introduction to concurrency in the Rust programming language. "Every data type knows whether it can safely be sent between or accessed by multiple threads, and Rust enforces this safe usage; there are no data races, even for lock-free data structures. Thread safety isn't just documentation; it's law."
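The guarantee in the quoted passage is easiest to see in code. What follows is an added example, not code from Turon's post or from the Rust project: it sums a vector and counts values above a threshold across several worker threads, sharing the input through an `Arc` and the shared result through either a `Mutex` or a lock-free atomic. The function names (`parallel_sum`, `parallel_count_above`, `chunk_bounds`) and the sample input are the example's own.

```rust
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, Mutex};
use std::thread;

/// Half-open index range of the i-th of `nthreads` chunks of a slice of
/// length `len`. Chunks past the end of the data come back empty.
fn chunk_bounds(len: usize, nthreads: usize, i: usize) -> (usize, usize) {
    let chunk = (len + nthreads - 1) / nthreads;
    ((i * chunk).min(len), ((i + 1) * chunk).min(len))
}

/// Sum `data` across `nthreads` worker threads.
///
/// The vector is shared read-only through an `Arc`; the running total lives
/// behind a `Mutex`. Both `Arc<Vec<u64>>` and `Arc<Mutex<u64>>` are `Send`,
/// so the closures handed to `thread::spawn` type-check. Swapping `Arc` for
/// `Rc` (not `Send`) or `Mutex` for `RefCell` (not `Sync`) is rejected by the
/// compiler instead of becoming a data race at runtime.
pub fn parallel_sum(data: Vec<u64>, nthreads: usize) -> u64 {
    let nthreads = nthreads.max(1);
    let data = Arc::new(data);
    let total = Arc::new(Mutex::new(0u64));

    let handles: Vec<_> = (0..nthreads)
        .map(|i| {
            let data = Arc::clone(&data);
            let total = Arc::clone(&total);
            thread::spawn(move || {
                let (start, end) = chunk_bounds(data.len(), nthreads, i);
                let partial: u64 = data[start..end].iter().sum();
                // The guard returned by lock() is the only path to the u64;
                // the lock is released when the guard goes out of scope.
                *total.lock().unwrap() += partial;
            })
        })
        .collect();

    for h in handles {
        h.join().unwrap();
    }
    // Every worker has been joined, so this Arc is the last reference and
    // the value can be moved out without taking the lock again.
    Arc::try_unwrap(total).unwrap().into_inner().unwrap()
}

/// Count values strictly greater than `threshold`, using a lock-free
/// `AtomicU64` rather than a mutex for the shared counter.
pub fn parallel_count_above(data: Vec<u64>, threshold: u64, nthreads: usize) -> u64 {
    let nthreads = nthreads.max(1);
    let data = Arc::new(data);
    let count = Arc::new(AtomicU64::new(0));

    let handles: Vec<_> = (0..nthreads)
        .map(|i| {
            let data = Arc::clone(&data);
            let count = Arc::clone(&count);
            thread::spawn(move || {
                let (start, end) = chunk_bounds(data.len(), nthreads, i);
                let n = data[start..end].iter().filter(|&&v| v > threshold).count() as u64;
                // fetch_add is atomic; Relaxed is sufficient because the
                // join() below provides the ordering the final load needs.
                count.fetch_add(n, Ordering::Relaxed);
            })
        })
        .collect();

    for h in handles {
        h.join().unwrap();
    }
    count.load(Ordering::SeqCst)
}

fn main() {
    // Constructed sample input for the example: the integers 1..=1000.
    let data: Vec<u64> = (1..=1000).collect();
    println!("sum = {}", parallel_sum(data.clone(), 4));
    println!("values above 500 = {}", parallel_count_above(data, 500, 4));
}
```

Replacing `Arc` with `Rc`, or `Mutex<u64>` with `RefCell<u64>`, in `parallel_sum` makes `thread::spawn` refuse the closure at compile time, because `Rc` is not `Send` and `RefCell` is not `Sync`; that compile error is the enforcement the quote describes.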
Friday's security updates
Arch Linux has updated mediawiki (multiple vulnerabilities).
CentOS has updated xorg-x11-server (C7: information leak/denial of service).
Debian has updated dpkg (integrity-verification bypass).
Fedora has updated arj (F21: multiple vulnerabilities), echoping (F20; F21: multiple vulnerabilities), and python-dulwich (F20; F21: code execution).
Mageia has updated batik (M4: information leak), chromium-browser-stable (M4: multiple vulnerabilities), jakarta-taglibs-standard (M4: code execution), less (M4: information leak), mediawiki (M4: multiple vulnerabilities), openldap (M4: denial of service), qt-creator (M4: key-verification failure), suricata (M4: denial of service), and xerces-c (M4: denial of service).
Mandriva has updated arj (BS1: multiple vulnerabilities), less (BS1,2: information leak), mediawiki (BS1: multiple vulnerabilities), and ntp (BS1,2: multiple vulnerabilities).
Oracle has updated xorg-x11-server (O6; O7: information leak/denial of service).
Red Hat has updated qemu-kvm-rhev (RHEL OSP: privilege escalation) and xorg-x11-server (RHEL6,7: information leak/denial of service).
Scientific Linux has updated krb5 (SL6: multiple vulnerabilities).
SUSE has updated libXfont (SLE12: multiple vulnerabilities).
Ubuntu has updated dpkg (integrity-verification bypass).
X.org election results
As was discussed in this LWN article, the X.Org Foundation recently held an election to choose four board members and decide whether to change the organization's by-laws to enable it to become a member of Software in the Public Interest (SPI). The results are now available. The board members elected are Peter Hutterer, Martin Peres, Rob Clark, and Daniel Vetter. The measure to change the by-laws did not pass, though, despite receiving only two "no" votes, because the required two-thirds majority was not reached.
Linux Foundation to host Let's Encrypt
The Linux Foundation (LF) has announced that it will serve as host of the Let's Encrypt project, as well as the Internet Security Research Group (ISRG). Let's Encrypt is the free, automated SSL/TLS certificate authority that was announced in November 2014 by the Electronic Frontier Foundation (EFF) to provide TLS certificates for every domain on the web. ISRG is the non-profit organization created to spearhead efforts like Let's Encrypt (which, as of now, is ISRG's only public project). In the LF announcement, executive director Jim Zemlin notes that "by hosting this important encryption project in a neutral forum we can accelerate the work towards a free, automated and easy security certification process that benefits millions of people around the world."
Thursday's security updates
Arch Linux has updated chrony (denial of service).
CentOS has updated krb5 (C6: multiple vulnerabilities).
Debian-LTS has updated arj (multiple vulnerabilities), checkpw (denial of service), libgcrypt11 (multiple vulnerabilities), and libgd2 (multiple vulnerabilities).
Fedora has updated drupal7-webform (F20; F21: unspecified vulnerability), firefox (F21: multiple vulnerabilities), powerpc-utils-python (F20; F21: code execution), and xterm (F20; F21: denial of service).
Mandriva has updated java-1.8.0-openjdk (BS2: multiple vulnerabilities).
Oracle has updated kernel (O5: multiple vulnerabilities) and krb5 (O6: denial of service).
Red Hat has updated krb5 (RHEL6: multiple vulnerabilities).
Ubuntu has updated kernel (12.04; 14.04; 14.10: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
[$] LWN.net Weekly Edition for April 9, 2015
The LWN.net Weekly Edition for April 9, 2015 is available.
Security advisories for Wednesday
Arch Linux has updated ntp (two vulnerabilities).
CentOS has updated kernel (C5: multiple vulnerabilities).
Debian has updated libxml2 (denial of service).
Fedora has updated setroubleshoot (F21; F20: privilege escalation) and texlive (F21: arbitrary file removal).
openSUSE has updated Chromium (13.2, 13.1: two vulnerabilities), libgit2 (13.2, 13.1: code execution), firefox, thunderbird (13.2, 13.1: multiple vulnerabilities), php5 (13.2, 13.1: multiple vulnerabilities), potrace (13.2, 13.1: denial of service), quassel (13.2, 13.1: denial of service), and subversion (13.2, 13.1: multiple vulnerabilities).
Red Hat has updated kernel (RHEL5: multiple vulnerabilities), novnc (RHEL OSP6.0: VNC session hijacking), openstack-nova (RHEL OSP6.0: cross-site websocket hijack attack), openstack-packstack (RHEL OSP6.0: root command execution), and installer (RHEL OSP6.0: root command execution).
Scientific Linux has updated kernel (C5: multiple vulnerabilities).
SUSE has updated xorg-x11-libs (SLE11 SP3: privilege escalation).
Ubuntu has updated libtasn1-3, libtasn1-6 (14.10, 14.04, 12.04, 10.04: denial of service) and mailman (14.10, 14.04, 12.04: path traversal attack).
Mourning Chris Yeoh
From the OpenStack community comes the sad announcement of the passing of Chris Yeoh, a longtime free-software developer. "Chris was humble, helpful and honest. The OpenStack and broader Open Source communities are poorer for his passing." Those with memories of Chris are encouraged to contribute them to a collection being put together for his daughter.
[$] An update on the freedreno graphics driver
The freedreno project was started by Rob Clark to create a free-software driver for the Adreno family of GPUs, which are used by the Qualcomm Snapdragon system-on-chip (SoC) family. He presented a status report on the project, along with some history and future plans, at the Embedded Linux Conference, which was held in San Jose, CA, March 23-25. Click below (subscribers only) for the full report from ELC 2015.
Post-Cryptanalysis, TrueCrypt Alternatives Step Forward (Threat Post)
Threat Post takes a look at two TrueCrypt forks, VeraCrypt and CipherShed. Although TrueCrypt development was discontinued last year, the code underwent a two-phase audit and passed with a relatively clean bill of health. "VeraCrypt and CipherShed have addressed many of the shortcomings identified not only by the audit, but by others who have scrutinized the TrueCrypt code in recent years. VeraCrypt’s [Mounir] Idrassi, for example, said he replaced TrueCrypt’s lone support of the RIPEMD-160 algorithm with SHA-256 support for system encryption. He said VeraCrypt has also tried to simplify the build process, especially for Linux and Mac OS X systems, so that other less common configurations could be used." The results of the audit of TrueCrypt are available in PDF format; phase 1 was completed in February 2014, and phase 2 was completed in March 2015.
Tuesday's security updates
Arch Linux has updated tor (denial of service).
Debian has updated arj (multiple vulnerabilities), libgd2 (denial of service), mailman (path traversal attack), and tor (denial of service).
Debian-LTS has updated mailman (path traversal attack) and tor (denial of service).
Fedora has updated chicken (F21; F20: buffer overflow), kernel (F20: multiple vulnerabilities), libxml2 (F21: denial of service), and seamonkey (F21; F20: multiple vulnerabilities).
Gentoo has updated firefox (multiple vulnerabilities).
Mandriva has updated cups-filters (MBS2.0: remote command execution), libtasn1 (MBS1.0, MBS2.0: denial of service), and python-django (MBS1.0: cross-site scripting).
Red Hat has updated kernel (RHEL6.5: multiple vulnerabilities).
Ubuntu has updated firefox (14.10, 14.04, 12.04: certificate verification bypass) and oxide-qt (14.10, 14.04: multiple vulnerabilities).
Kernel prepatch 4.0-rc7
Linus has released 4.0-rc7 after a delay of a couple of days for the holiday. "But it's still pretty small, and things are on track for 4.0 next weekend. There's a tiny chance that I'll decide to delay 4.0 by a week just because I'm traveling the week after, and I might want to avoid opening the merge window. We'll see how I feel about it next weekend."
Linux Australia server breach
Linux Australia has reported a breach on the Conference Management (Zookeepr) hosting server. This server hosted the conference systems for linux.conf.au 2013, 2014 and 2015, and for PyCon Australia 2013 and 2014. "The database dumps which occurred during the breach include information provided during conference registration - First and Last Names, physical and email addresses, and any phone contact details provided, as well as a hashed version of the user password. As Zookeepr uses a third party credit card payment gateway for credit card processing, the database dumps do not contain any credit card or banking details."
Security advisories for Monday
Arch Linux has updated firefox (certificate verification bypass), java-batik (information leak), and thunderbird (multiple vulnerabilities).
Fedora has updated firefox (F20: multiple vulnerabilities), freeipa (F21: two vulnerabilities), glpi (F21; F20: privilege escalation), lasso (F21; F20: denial of service), mingw-libzip (F21; F20: code execution), mingw-qt5-qtbase (F21; F20: denial of service), mingw-qt5-qtdeclarative (F21; F20: denial of service), mingw-qt5-qtgraphicaleffects (F21; F20: denial of service), mingw-qt5-qtimageformats (F21; F20: denial of service), mingw-qt5-qtlocation (F21; F20: denial of service), mingw-qt5-qtmultimedia (F21; F20: denial of service), mingw-qt5-qtquick1 (F21; F20: denial of service), mingw-qt5-qtscript (F21; F20: denial of service), mingw-qt5-qtsensors (F21; F20: denial of service), mingw-qt5-qtsvg (F21; F20: denial of service), mingw-qt5-qttools (F21; F20: denial of service), mingw-qt5-qttranslations (F21; F20: denial of service), mingw-qt5-qtwebkit (F21; F20: denial of service), mingw-qt5-qtwinextras (F21; F20: denial of service), moodle (F21; F20: multiple vulnerabilities), osc (F21; F20: command injection), patch (F20: multiple vulnerabilities), PyYAML (F21; F20: denial of service), rt (F21: multiple vulnerabilities), slapi-nis (F21: multiple vulnerabilities), thunderbird (F21: multiple vulnerabilities), and tor (F21; F20: denial of service).
Mageia has updated cups-filters (remote command execution), novnc (VNC session hijacking), and php, libzip (multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: two vulnerabilities).
10 Years of Git: An Interview with Git Creator Linus Torvalds (Linux.com)
Linux.com talks with Linus Torvalds about the development of Git. "Just to pick an example: the concept of 'merging' was generally considered to be something really quite painful and hard in most SCM's. You'd plan your merges, because they were big deals. That's not acceptable to me, since I commonly do tens of merges a day when in the merge window, and even then, the biggest overhead shouldn't be the merge itself, it should be testing the result. The 'git' part of the merge is just a couple of seconds, it should take me much longer just to write the merge explanation message."
Tor Summer of Privacy
The Tor Project and the Electronic Frontier Foundation (EFF) have announced a mentoring program entitled the "Tor Summer of Privacy" (TorSoP). Akin to the Google Summer of Code, TorSoP will provide financial support and mentorship for a group of students to work on privacy-related free software. Three student positions are available this year; applications will be accepted through April 10. More details (including project ideas) are provided on the TorSoP page.
Rust 1.0 beta released
The Rust team at Mozilla Research has announced the first beta release of Rust 1.0. The release notes detail a number of important changes, but the announcement adds some additional noteworthy items. "The Beta release also marks a turning point in our approach to stability. During the alpha cycle, the use of unstable APIs and language features was permitted, but triggered a warning. As of the Beta release, the use of unstable APIs will become an error (unless you are using Nightly builds or building from source)." A new continuous-integration infrastructure has also been deployed. The final release is currently expected around May 15.
Friday's security updates
Arch Linux has updated libtasn1 (denial of service).
Debian has updated icedove (multiple vulnerabilities).
Fedora has updated drupal7-ctools (F20; F21: multiple vulnerabilities), firefox (F21: multiple vulnerabilities), icu (F21: multiple vulnerabilities), and texlive (F20: arbitrary file removal).
Mageia has updated firefox, thunderbird (M4: multiple vulnerabilities), iceape (M4: multiple vulnerabilities), libtasn1 (M4: denial of service), mercurial (M4: command injection), mongodb (M4: denial of service), and python-django (M4: multiple vulnerabilities).
Mandriva has updated icu (BS1: multiple vulnerabilities) and subversion (BS1, BS2: multiple vulnerabilities).
SUSE has updated kernel (SLE12: multiple vulnerabilities).
Ubuntu has updated thunderbird (12.04, 14.04, 14.10: multiple vulnerabilities).
What to Expect When You're Expecting: PHP 7, Part 1 (Engine Yard)
The Engine Yard blog has an introduction to the changes coming in the PHP 7 release. "My personal favorite addition to PHP 7 is the addition of the Combined Comparison Operator, <=>, otherwise known as the spaceship operator. [...] It effectively works like strcmp(), or version_compare(), returning -1 if the left operand is smaller than the right, 0 if they are equal, and 1 if the left is greater than the right. The major difference being that it can be used on any two operands, not just strings, but also integers, floats, arrays, etc."
Android security state of the union
Google has announced the issuing of a lengthy report [PDF] on the state of Android security. "In 2014, the Android platform made numerous significant improvements in platform security technology, including enabling deployment of full disk encryption, expanding the use of hardware-protected cryptography, and improving the Android application sandbox with an SELinux-based Mandatory Access Control system (MAC). Developers were also provided with improved tools to detect and react to security vulnerabilities, including the nogotofail project and the SecurityProvider. We provided device manufacturers with ongoing support for fixing security vulnerabilities in devices, including development of 79 security patches, and improved the ability to respond to potential vulnerabilities in key areas, such as the updateable WebView in Android 5.0."
Open Crypto Audit gives TrueCrypt a passing grade
At his blog, cryptographer Matt Green announced that the Open Crypto Audit project's review of the now-abandoned TrueCrypt encryption tool is complete, and that "based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances." TrueCrypt was abruptly abandoned by its anonymous developers in 2014, leading some to suspect that a serious vulnerability had been discovered. The final Open Crypto Audit report [PDF] suggests otherwise, which is good news for users as well as for the multiple open-source projects that have subsequently developed TrueCrypt-compatibility support.
Thursday's security updates
Arch Linux has updated chromium (multiple vulnerabilities).
CentOS has updated thunderbird (C5: multiple vulnerabilities).
Debian has updated iceweasel (multiple vulnerabilities).
Mandriva has updated flac (BS2: multiple vulnerabilities), graphviz (BS2: format-string vulnerability), owncloud (BS1; BS2: multiple vulnerabilities), and tor (BS1: denial of service).
openSUSE has updated php5 (13.1, 13.2: multiple vulnerabilities) and python-Django (13.2: multiple vulnerabilities).
Oracle has updated firefox (O5: multiple vulnerabilities) and thunderbird (O6; O7: multiple vulnerabilities).
Scientific Linux has updated thunderbird (multiple vulnerabilities).
SUSE has updated kernel (SLES11: multiple vulnerabilities).
Ubuntu has updated tiff (regression fix for previous update).
Django 1.8 released
Version 1.8 of the Django web platform is out. "This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years." New features include support for multiple template engines, complex SQL expressions, some PostgreSQL-specific add-ons, and more; see the release notes for details.
[$] LWN.net Weekly Edition for April 2, 2015
The LWN.net Weekly Edition for April 2, 2015 is available.