LWN.net

Arch Linux has updated apache (multiple vulnerabilities).Debian has updated freexl (denial of service), mariadb-10.0 (multiple vulnerabilities), mysql-5.5 (multiple vulnerabilities), and tidy (two vulnerabilities).Debian-LTS has updated groovy (code execution), inspircd (denial of service), libidn (information disclosure), ruby1.9.1 (denial of service), and tidy (two vulnerabilities).Fedora has updated bind (F22:denial of service), condor (F21: codeexecution), cups-filters (F21: codeexecution), drupal7-migrate (F22; F21: cross-site scripting),drupal7-views_bulk_operations (F22;F21: permission bypass), openstack-cinder (F21: file disclosure), pcre (F21: two vulnerabilities), python-keystonemiddleware (F22: certificateverification botch), rawstudio (F22;F21: two vulnerabilities), redis (F22; F21: codeexecution), squashfs-tools (F22: twovulnerabilities), thunderbird (F22;F21: multiple vulnerabilities), webkitgtk4 (F22: denial of service), and xen (F22; F21: privilege escalation).Gentoo has updated postgresql (multiple vulnerabilities).openSUSE has updated flash-player(11.4: two vulnerabilities), libcryptopp(13.2, 13.1: information disclosure), libidn (13.2, 13.1: information disclosure),firefox, thunderbird (11.4: multiplevulnerabilities), rubygem-jquery-rails(13.2, 13.1: CSRF vulnerability), rubygem-rack (13.2, 13.1: denial of service),rubygem-rack-1_3 (13.2, 13.1: denial ofservice), and rubygem-rack-1_4 (13.2, 13.1:denial of service).Slackware has updated httpd (multiple vulnerabilities) and php (multiple vulnerabilities).SUSE has updated firefox, nspr, nss (SLE12; SLES11SP4; SLE11SP3: multiple vulnerabilities) and PHP (SLE11SP3: multiple vulnerabilities).

Ian Jackson has announced the availability of dgit 1.0. "dgit allows you to treat the Debian archive as if it were a gitrepository, and get a git view of any package. If you have theappropriate access rights you can do builds and uploads from git, andother dgit users will see your git history."

The third 4.2 kernel prepatch is out fortesting. Linus says: "Normal Sunday release schedule, and a fairlynormal rc release. There was some fallout from the x86 FPU cleanups, butthat only hit CPU's with the xsaves instruction, and it should be all goodnow."

At the Mozilla Blog, Julien Vehent announcesthat Mozilla will be conducting a second round of its "Winter ofSecurity" mentoring program. Aimed at college students, the programallows participants to work on security-related free software foruniversity credit, with guidance provided by Mozilla project members.This year's targetedproject list includes some high-profile projects like Let's Encrypt and Mozilla'sdigital forensics tool MiG.Applications are due August 15.

Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).Mageia has updated flash-player-plugin (M4, M5: multiple vulnerabilities).Oracle has updated java-1.7.0-openjdk (O5: multiple vulnerabilities).Red Hat has updated flash-plugin (RHEL 5, 6: multiplevulnerabilities), java-1.6.0-sun (RHEL5, 6, 7: multiple vulnerabilities), java-1.7.0-oracle (RHEL 5, 6, 7: multiplevulnerabilities), and java-1.8.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities).SUSE has updated flash-player (SLE11; SLE12: multiple vulnerabilities) and php5 (SLE12: multiple vulnerabilities).

The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities),java-1.8.0-openjdk (C7; C6: many vulnerabilities), and kernel (C6: multiple vulnerabilities, one from2011).Debian-LTS has updated python-django (three vulnerabilities).Fedora has updated cryptopp (F22; F21:information disclosure), drupal7-feeds (F22; F21:three vulnerabilities), rsyslog (F22:denial of service), and springframework (F22; F21:denial of service).openSUSE has updated bind (13.2; 13.1:three vulnerabilities, one from 2014).Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified),java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities),kernel 2.6.39 (OL6; OL5: two vulnerabilities),and kernel 2.6.32 (OL6; OL5: denial of service).Scientific Linux has updated java-1.7.0-openjdk (SL5; SL6&7: many vulnerabilities), java-1.8.0-openjdk (SL6&7: manyvulnerabilities), and kernel (SL6: multiplevulnerabilities, one from 2011).

Version0.7.0 of the rkt container runtime system is available. "Thisrelease includes new subcommands for a rkt image to manipulate images fromthe local store, a new build system based on autotools and integration withSELinux. These new capabilities improve the user experience, make it easierto build future features and improve security isolation betweencontainers."

The LWN.net Weekly Edition for July 16, 2015 is available.

It has been nearly a year and a half since the last major Python release,which was 3.4 in March 2014—that means it is about time forPython 3.5. We looked at some of the newfeatures in 3.4 at the time of its first release candidate, so the announcement of the penultimate beta releasefor 3.5 seems like a good time to see what will be coming in the new release.Subscribers can click below to see the full article from this week's edition.

Linux.com has an interviewwith Bruce Schneier. "Schneier: The most important takeaway is that we are all vulnerable to this sort of attack. Whether it's nation-state hackers (Sony), hactivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it. Because as more people wake up and realize how devastating an attack it is, the more we're going to see it."

openSUSE has updated cups-filters(13.2: multiple vulnerabilities) and libunwind (13.2; 13.1: buffer overflow).Oracle has updated kernel (OL6: multiple vulnerabilities).Red Hat has updated java-1.7.0-openjdk (RHEL6,7; RHEL5: multiple vulnerabilities) and java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).Ubuntu has updated firefox(12.04: multiple vulnerabilities).

The Free Software Foundation (FSF) and Software Freedom Conservancy (SFC) have both put out statements about a change to the Canonical, Ltd. "intellectual property" policy that was negotiated over the last two years (FSF statement and SFC statement). Effectively, Canonical has added a "trump clause" that clarifies that the licenses of the individual packages override the Canonical policy when there is a conflict. Though, as SFC points out: "While a trump clause is a reasonable way to comply with the GPL in a secondary licensing document, the solution is far from ideal. Redistributors of Ubuntu have little choice but to become expert analysts of Canonical, Ltd.'s policy. They must identify on their own every place where the policy contradicts the GPL. If a dispute arises on a subtle issue, Canonical, Ltd. could take legal action, arguing that the redistributor's interpretation of GPL was incorrect. Even if the redistributor was correct that the GPL trumped some specific clause in Canonical, Ltd.'s policy, it may be costly to adjudicate the issue." While backing the change made, both FSF and SFC recommend further changes to make the situation even more clear.

LinuxVoice has an interview with Perl creator Larry Wall. "So I was the language designer, but I was almost explicitly told: 'Stay out of the implementation! We saw what you did made out of Perl 5, and we don’t like it!' It was really funny because the innards of the new implementation started looking a whole lot like Perl 5 inside, and maybe that’s why some of the early implementations didn’t work well."

Opensource.com has an interviewwith Bradley Kuhn. "I continued on in my professional career, which included developing and supporting proprietary software, but I found that the lack of source code and/or the ability to rebuild it myself constantly hampered my ability to do my job. Proprietary software companies today are more careful to give "some open source"; thus, many technology professionals don't realize until it's too late how crippling proprietary software can be when you rely on it every day. In the mid 1990s, hardly any business software license gave us software freedom, so denying our rights to practice our profession (i.e, fix software) made many of us hate our jobs. I considered leaving the field of software entirely because I disliked working with proprietary software so much.Those experiences made me a software freedom zealot. I made a vow that I never wanted any developer or sysadmin to feel the constraints of proprietary software licensing, which limits technologists by what legal agreements their company's lawyers can negotiate rather than their technical skill."

ITNews reportsthat the US National Security Agency is in the process of releasing itssystems integrity management platform - SIMP. "SIMP helps to keep networked systems compliant with security standards, the NSA said, and should form part of a layered, "defence-in-depth" approach to information security.NSA said it released the tool to avoid duplication after US governmentdepartments and other groups tried to replicate the product in order tomeet compliance requirements set by US Defence and intelligencebodies." Currently only RHEL and CentOS versions 6.6 and 7.1 are supported.

Fedora has updated cups-filters(F22: code execution), firefox (F22;F21: multiple vulnerabilities), libssh (F22: denial of service),openssl (F22; F21: certificate verification botch), openvas-cli (F22: sql injection), openvas-libraries (F22: sql injection), openvas-manager (F22: sql injection), openvas-scanner (F22: sql injection), pcre (F22: two vulnerabilities), polkit (F22: multiple vulnerabilities), rubygem-moped (F22; F21: denial of service), and wesnoth (F22; F21: information leak).openSUSE has updated roundcubemail (13.1: multiple vulnerabilities).Red Hat has updated kernel(RHEL6: multiple vulnerabilities).

Slightly less than one year ago, the Debian community had an extended discussion on whether the FFmpeg multimedia library should return tothe distribution. Debian had followed the contentious libav fork when it happened in 2011, but somecommunity members were starting to have second thoughts about that move.At the time, the discussion died out without any changes being made, but the seeds hadevidently been planted; on July 8, the project's multimedia developersannounced that not only was FFmpegreturning to Debian, but it would be replacing libav.Click below (subscribers only) for a look at how this decision was made.

Arch Linux has updated krb5 (twovulnerabilities), lib32-krb5 (two vulnerabilities), lib32-openssl (certificate verification botch), and thunderbird (multiple vulnerabilities).Debian-LTS has updated bind9 (denial of service) and libunwind (buffer overflow).Fedora has updated cups-x2go(F21: multiple vulnerabilities), libwmf(F22: multiple vulnerabilities), mariadb(F21: man-in-the-middle attack), openssh (F22; F21: restriction bypass), and s3ql (F22; F21: code execution).Gentoo has updated libcapsinetwork (denial of service).openSUSE has updated Firefox, nss(13.2, 13.1: multiple vulnerabilities).Slackware has updated thunderbird (multiple vulnerabilities).SUSE has updated MySQL(SLES11SP2,SP1: cipher-downgrade attacks) and kernel (SLES11SP3: multiple vulnerabilities).

The second 4.2 prepatch is available fortesting. "This is not a particularly big rc, and things have beenfairly calm. We definitely did have some problems in -rc1 that bit people,but they all seemed to be pretty small, and let's hope that -rc2 ends uphaving fewer annoying issues."

Here's adiscouraging blog post from Dave Jones on why he will no longer bedeveloping the Trinity fuzz tester. "It’s no coincidence that thenumber of bugs reported found with Trinity have dropped off sharply sincethe beginning of the year, and I don’t think it’s because the Linux kernelsuddenly got lots better. Rather, it’s due to the lack of real ongoingdevelopment to 'try something else' when some approaches dry up. Sadly wenow live in a world where it’s easier to get paid to run someone else’sfuzzer these days than it is to develop one."

ZDNet has an interview about "microservices" with Red Hat VP of engineering for middleware, Dr. Mark Little. Microservices are a relatively recent software architecture that relies on small, easily replaced components and is an alternative to the well-established service-oriented architecture (SOA)—but it is not a panacea:"'Just because you adopt microservices doesn't suddenly mean your badly architected ball of mud is suddenly really well architected and no longer a ball of mud. It could just be lots of distributed balls of mud,' Little said.'That worries me a bit. I've been around service-oriented architecture for a long time and know the plus points and the negative points. I like microservices because it allows us to focus on the positive points but it does worry me that people see it as the answer to a lot of problems that it's never going to be the answer for.'"

Greg Kroah-Hartman has announced the release of the 4.1.2, 4.0.8,3.14.48, and 3.10.84 stable kernels. All contain importantfixes and users should upgrade. In addition, this is the second to last4.0.x release (i.e. there will be a 4.0.9, but that's the last), so usersshould be making plans to move to 4.1.x.

Arch Linux has updated openssl(certificate verification botch).CentOS has updated php (C6: manyvulnerabilities, some from 2014).Debian has updated pdns (full fixfor denial of service) and pdns-recursor(full fix for denial of service).Gentoo has updated adobe-flash(multiple vulnerabilities, one from 2014), chromium (multiple vulnerabilities), mysql (multiple vulnerabilities), net-snmp (denial of service from 2014), openssl (certificate verification botch), oracle-jre-bin (multiple vulnerabilities, somefrom 2014), perl (denial of service from2013), portage (certificate verificationbotch from 2013), pypam (code executionfrom 2012), and t1utils (multiple vulnerabilities).Mageia has updated openssl(certificate verification botch).openSUSE has updated MariaDB(13.2, 13.1: many vulnerabilities, some from 2014).Oracle has updated php (OL6: manyvulnerabilities, some from 2014).Red Hat has updated php (RHEL6:many vulnerabilities, some from 2014) and php54-php (RHSC2: multiple vulnerabilities).Scientific Linux has updated php(SL6: many vulnerabilities, some from 2014).Slackware has updated openssl(certificate verification botch).Ubuntu has updated firefox(15.04, 14.10, 14.04: multiple vulnerabilities) and nss (two vulnerabilities).

Debian has updated python-django(two vulnerabilities).Mageia has updated bind (denialof service), cups-filters (two codeexecution vulnerabilities), flash-player-plugin (many vulnerabilities), openssh (access restriction bypass), and virtuoso-opensource (multiple unspecified vulnerabilities).openSUSE has updated flash-player(11.4: unspecified vulnerabilities), libwmf(13.2, 13.1: multiple vulnerabilities), mysql-community-server (13.2, 13.1: cipherdowngrade), tiff (13.2, 13.1: multiplevulnerabilities), and wireshark (13.2: twodenial of service vulnerabilities).Red Hat has updated flash-plugin(RHEL5&6: many vulnerabilities).SUSE has updated flash-player(SLE12: many vulnerabilities).Ubuntu has updated python-django(two vulnerabilities).

The OpenSSL project has disclosed a newcertificate validation vulnerability. "During certificateverification, OpenSSL (starting from version 1.0.1n and 1.0.2b) willattempt to find an alternative certificate chain if the first attempt tobuild such a chain fails. An error in the implementation of this logic canmean that an attacker could cause certain checks on untrusted certificatesto be bypassed, such as the CA flag, enabling them to use a valid leafcertificate to act as a CA and 'issue' an invalid certificate."This is thus a client-side, man-in-the-middle vulnerability.Note that the affected versions of OpenSSL were released in mid-June;anybody with an older release should not be vulnerable.

The Core Infrastructure Initiative (a Linux Foundation effort todirect resources to critical projects in need of help) has announced a censusproject to identify the development projects most in need ofassistance. "Unlike the Fed’s stress tests, which are opaque, all ofthe census data and analysis is open source. We are eager for communityinvolvement. We encourage developers to fork the project and experimentwith different data sources, different parameters, and different algorithmsto test out the concept of an automated risk assessment census. We are alsoeager for input to help sanitize and complete the data that was used inthis first iteration of the census."

The LWN.net Weekly Edition for July 9, 2015 is available.

The PostgreSQL 9.5alpha release is now available for testing. In this feature article,PostgreSQL core team member Josh Berkus discusses the need for an alpharelease and introduces a number of the new features that will show up in9.5. Click below (subscribers only) for the full article.

Arch Linux has updated bind (denial of service) and flashplugin (code execution).Debian has updated bind9 (denial of service).Debian-LTS has updated linux-ftpd-ssl (segmentation fault).openSUSE has updated flash-player(13.2, 13.1: code execution).Oracle has updated abrt (OL6: multiple vulnerabilities).Scientific Linux has updated abrt(SL6: multiple vulnerabilities).Slackware has updated bind(denial of service), cups (code execution), firefox (multiple vulnerabilities), and ntp (denial of service).SUSE has updated bind (SLE11SP3:denial of service) and Xen (SLES10SP4: two vulnerabilities).Ubuntu has updated bind9 (15.04,14.10, 14.04, 12.04: denial of service) and libwmf (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

After nearly a year of consideration, theDebian project has decided to switch back to the ffmpeg multimedia libraryat the expense of its fork libav. See this wikipage for a summary of the current reasoning behind the switch.

In May, we noted the problems thatGIMP and other free-software projects have encountered of late withthe SourceForge project-hosting service. While there are plenty of alternativehosting providers to choose from, some developers will likely alwaysprefer to self-host their projects—precisely because an outsideservice provider can make just such an abrupt or surprising about-face. Gogs is one option for those taking theself-hosting approach: it provides a web-based front-end to a GitHub-like hosting service.Gogs offers quite a few features, but its choice of GitHub-like qualities may not be to everyone's tastes.

The ownCloud8.1 release is out. "This release marks significant under thehood improvements, such as increasing scalability and performance ofsyncing and file operations while making ownCloud a better platform fordevelopers to build upon. Security enhancements, integrated documentationlinks, more control in the admin panel over external storage, LDAP andencryption make ownCloud more secure and easier to use." See therelease notes for details.

Arch Linux has updated ntp (denial of service).CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities).Debian has updated cups-filters (code execution) and libwmf (code execution).Gentoo has updated exiv2 (denial of service), icu (code execution), libvncserver (multiple vulnerabilities), libxml2 (denial of service), sqlite (three vulnerabilities), tor (denial of service), and unrtf (code execution).Red Hat has updated abrt (RHEL6:multiple vulnerabilities) and kernel(RHEL6.4: privilege escalation).Ubuntu has updated haproxy(15.04, 14.10: information leak), kernel (15.04; 14.10;14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiplevulnerabilities), linux-lts-utopic (14.04:multiple vulnerabilities), linux-lts-vivid(14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: privilege escalation).

Greg KH has released two new stable kernels; 3.14.47 and 3.10.83. Both contain important fixes.

Arch Linux has updated haproxy (information leak) and openssh (restriction bypass).Debian has updated haproxy (information leak) and iceweasel (multiple vulnerabilities).Debian-LTS has updated aptdaemon(information leak) and virtualbox-ose(multiple vulnerabilities).Fedora has updated ansible (F22; F21: twovulnerabilities), mariadb (F22:man-in-the-middle attack), pam (F21: denialof service), and trafficserver (F22;F21: several vulnerabilities).Gentoo has updated chrony (multiple vulnerabilities).Mageia has updated chromium-browser (MG4,5: multiplevulnerabilities), coreutils (MG4: memoryhandling error), curl (MG5: informationdisclosure), filezilla (MG4,5:cipher-downgrade attacks), firefox (MG4,5:multiple vulnerabilities), libwmf (MG4,5:multiple vulnerabilities), mysql-connector-java (MG4: informationdisclosure), owncloud-client (MG4,5:man-in-the-middle attack), pam (MG4,5:denial of service), pcre (MG5: informationleak), php (MG4: multiple vulnerabilities),polkit (MG4,5: multiple vulnerabilities),tidy (MG4: buffer overflow), and wireshark (MG5: denial of service).openSUSE has updated php5 (13.2,13.1: multiple vulnerabilities) and phpMyAdmin (13.2, 13.1: three vulnerabilities).Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities).SUSE has updated OpenSSL (SLE11SP3; SLED11SP3, SLES10SP4; SLES11SP2; SLES10SP4: multiple vulnerabilities).Ubuntu has updated cups-filters(15.04, 14.10, 14.04, 12.04: code execution) and php5 (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

The 2015 Kernel Summit will be held October 26-28 in Seoul, South Korea;the call for discussion proposals is out now. Now would be a good time forthose who would like to attend the Summit to come up with a good topic and get the discussion going. Proposals are due by July 31.

Linus has released 4.2-rc1 and closed themerge window for this development cycle. As Linus explains, 4.2 may, inthe end, not end up being the development cycle with the most commits ever,but there is still a lot going on. "However, if you count the sizein pure number of lines changed, this really seems to be the biggest rcwe've ever had, with over a million lines added (and about a quartermillion removed). That beats the previous champion (3.11-rc1) that was hugemainly due to Lustre being added to the staging tree." The sourceof the biggest chunk of those new lines is the new amdgpu graphics driver.

Firefox 39 has been releasedfor both desktop and mobile systems. The new features include a socialsharing tool for the FirefoxHello video chat subsystem. It is designed to make it easier toshare Firefox Hello chat invitations over third-party socialnetworks. In addition, Firefox's existing phishing-and-malwaredetection tool has been extended to cover downloads, support has beenadded for Unicode 8.0's multi-ethnic emoji characters, and there isimproved support for the Accessible Rich Internet Applications (ARIA) standard.

Arch Linux has updated firefox (multiple vulnerabilities) and wesnoth (information leak).Debian has updated stunnel4(authentication bypass).Debian-LTS has updated libxml2 (multiple vulnerabilities) and pykerberos (insecure authentication).Fedora has updated drupal6 (F21; F22:account hijacking)and drupal7 (F21; F22: multiple vulnerabilities).openSUSE has updated flash-player (11.4).Oracle has updated firefox (O5; O6; O7: multiple vulnerabilities).Red Hat has updated firefox(RHEL: multiple vulnerabilities) and openstack-cinder (RHEL OSP: file disclosure).SUSE has updated MySQL (SLE11 SP3: cipher downgrade attack),ntp (SLE11 SP3: multiple vulnerabilities), and OpenSSL (SLE 10 Client Tools; SUSE Manager 11 SP2, Studio Onsite; SLE 11 SAP; SLE 11 SP1; SLE SM 11 SP3: multiple vulnerabilities).

CentOS has updated openssl (C5:three vulnerabilities).Debian-LTS has updated unattended-upgrades (improper package authentication).

The LWN.net Weekly Edition for July 2, 2015 is available.

Ars Technica reportsthat the US Supreme Court rejected Google's appeal of the Google-Oracle APIcopyright dispute. "Despite the high court's inaction on the case, the Google-Oracle legal flap is far from resolved. That's because the appeals court sent the case back to the lower courts to determine whether Google's use of the code in Android—which it no longer uses—constitutes a "fair use." Oracle is seeking $1 billion in damages."This is not the end of the road for this case—the Federal Circuit decisionexplicitly left open the possibility that the kinds of uses Google madewere permissible under copyright's fair use doctrine," said Charles Duan,the director of Public Knowledge's patent reform project." (Thanksto Martin Michlmayr)

DockerCon on June 22 and 23 wasa much bigger affair than CoreOSFest or ContainerCamp. DockerCon rented outthe San Francisco Marriott for the event; the keynote ballroom seats 2000.That's a pretty dramatic change from the firstDockerCon last year, with roughly 500 attendees; it shows the hugegrowth of interest in Linux containers. Or maybe, given that it's SiliconValley, what you're seeing is the magnetic power of $95 million in round-Cfunding.Subscribers can click below for a report from DockerCon by guest authorJosh Berkus.

Debian has updated jackrabbit (information leak).Debian-LTS has updated libcrypto++ (information disclosure), libmodule-signature-perl (multiple vulnerabilities), and ruby1.9.1 (denial of service).Fedora has updated abrt (F21:multiple vulnerabilities), cups-x2go (F22:multiple vulnerabilities), elfutils (F22:hardening fixes), gnome-abrt (F21: multiplevulnerabilities), kernel (F21: denial ofservice), libreport (F21: multiplevulnerabilities), pam (F22: denial ofservice), and rubygem-activesupport (F22; F21: two vulnerabilities).Mageia has updated apache-mod_jk(MG4: information disclosure), drupal(MG4,5: multiple vulnerabilities), libvpx(MG4,5: denial of service), p7zip (MG4,5:directory traversal), postgresql (MG4:multiple vulnerabilities), and python-tornado (MG4: side-channel attack).openSUSE has updated p7zip (13.2,13.1: directory traversal).Oracle has updated openssl (OL5: multiple vulnerabilities).Scientific Linux has updated openssl (SL5: multiple vulnerabilities).

The Linux Foundation has announcedthe R Consortium. "The R language is used by statisticians, analysts and data scientists to unlock value from data. It is a free and open source programming language for statistical computing and provides an interactive environment for data analysis, modeling and visualization. The R Consortium will complement the work of the R Foundation, a nonprofit organization based in Austria that maintains the language. The R Consortium will focus on user outreach and other projects designed to assist the R user and developer communities.Founding companies and organizations of the R Consortium include The R Foundation, Platinum members Microsoft and RStudio; Gold member TIBCO Software Inc.; and Silver members Alteryx, Google, HP, Mango Solutions, Ketchum Trading and Oracle."

CentOS has updated postgresql (C7; C6:multiple vulnerabilities) and xerces-c (C7:denial of service).Debian has updated unattended-upgrades (authentication bypass).Debian-LTS has updated aptdaemon (information leak), hostapd (denial of service), jqueryui (cross-site scripting), and shibboleth-sp2 (denial of service).Fedora has updated chicken (F22; F21:out-of-bounds read), openvas-cli (F21: sqlinjection), openvas-libraries (F21: sqlinjection), openvas-manager (F21: sqlinjection), openvas-scanner (F21: sqlinjection), php-htmLawed (F22; F21: multiple vulnerabilities), postgresql (F21: multiple vulnerabilities),python-jwt (F22; F21: token verification bypass),rubygem-jquery-rails (F22; F21: CSRF vulnerability), and rubygem-web-console (F22: code execution).Oracle has updated postgresql (OL7; OL6:multiple vulnerabilities) and xerces-c(OL7: denial of service).Red Hat has updated kernel(RHEL6.5: two vulnerabilities), openssl(RHEL5: multiple vulnerabilities), postgresql (RHEL6,7: multiplevulnerabilities), postgresql92-postgresql(RHSCL2: multiple vulnerabilities), rh-postgresql94-postgresql (RHSCL2: multiplevulnerabilities), and xerces-c (RHEL7: denial of service).Scientific Linux has updated nss(SL6,7: cipher-downgrade attacks), postgresql (SL6,7: multiple vulnerabilities),and xerces-c (SL7: denial of service).SUSE has updated java-1_6_0-ibm(SLEM12: multiple vulnerabilities).Ubuntu has updated oxide-qt(15.04, 14.10, 14.04: multiple vulnerabilities) and unattended-upgrades (15.04, 14.10, 14.04,12.04: authentication bypass).

Amazon has announcedthe release of a new TLS library called "s2n" under the Apache license."s2n is a library that has been designed to be small, fast, withsimplicity as a priority. s2n avoids implementing rarely used options andextensions, and today is just more than 6,000 lines of code. As a result ofthis, we’ve found that it is easier to review s2n; we have alreadycompleted three external security evaluations and penetration tests on s2n,a practice we will be continuing."

Four new stable kernels are available; 4.1.1, 4.0.7,3.14.46, and 3.10.82. All contain important fixes.

Debian has updated libcrypto++ (information disclosure).Debian-LTS has updated cacti(multiple vulnerabilities), libwmf (denialof service), and t1utils (code execution).Fedora has updated kernel (F22: denial of service).openSUSE has updated roundcubemail (13.2: two vulnerabilities).Scientific Linux has updated kvm(SL5: code execution).SUSE has updated java-1_7_0-ibm(SLE11SP3: multiple vulnerabilities) and Xen (SLES11SP2; SLES11SP1: multiple vulnerabilities).