Guest author Arjan van de Ven writes: "Containers are hot. Everyone loves them. Developers love the ease of creating a "bundle" of something that users can consume; DevOps and information-technology departments love the ease of management and deployment." A group at Intel is working on a new approach to containers called "Clear Containers"; click below (subscribers only) for an introduction to how these containers work.
The Xen Project looks at a mechanism to mitigate vulnerabilities like VENOM that attack emulation layers in QEMU. "The good news is it’s easy to mitigate all present and future QEMU bugs, which the recent Xen Security Advisory emphasized as well. Stubdomains can nip the whole class of vulnerabilities exposed by QEMU in the bud by moving QEMU into a de-privileged domain of its own. Instead of having QEMU run as root in dom0, a stubdomain has access only to the VM it is providing emulation for. Thus, an escape through QEMU will only land an attacker in a stubdomain, without access to critical resources. Furthermore, QEMU in a stubdomain runs on MiniOS, so an attacker would only have a very limited environment to run code in (as in return-to-libc/ROP-style), having exactly the same level of privilege as in the domain where the attack started. Nothing is to be gained for a lot of work, effectively making the system as secure as it would be if only PV drivers were used." The Red Hat Security Blog also noted this kind of mitigation for VENOM-style attacks.
Version 1.0 of the Rust language has been released. "The 1.0 release marks the end of that churn. This release is the official beginning of our commitment to stability, and as such it offers a firm foundation for building applications and libraries. From this point forward, breaking changes are largely out of scope (some minor caveats apply, such as compiler bugs). That said, releasing 1.0 doesn't mean that the Rust language is "done". We have many improvements in store. In fact, the Nightly builds of Rust already demonstrate improvements to compile times (with more to come) and include work on new APIs and language features, like std::fs and associated constants."
Arch Linux has updated wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities). SUSE has updated flash-player (SLE12: multiple vulnerabilities).
Over at Opensource.com, Lucidworks co-founder and CTO Grant Ingersoll writes about lessons he has learned from running an open-source company. "You might ask, 'Why not open source it all and just provide support?' It's a fair question and one I think every company that open sources code struggles to answer, unless they are a data company (e.g., LinkedIn, Facebook), a consulting company, or a critical part of everyone's infrastructure (e.g., operating systems) and can live off of support alone. Many companies start by open sourcing to gain adoption and then add commercial features (and get accused of selling out), whereas others start commercial and then open source. Internally, the sales side almost always wants "something extra" that they can hang their quota on, while the engineers often want it all open because they know they can take their work with them."
It's been a Linux container bonanza in San Francisco recently, and that includes a series of events and announcements from multiple startups and cloud hosts. It seems like everyone is fighting for a piece of what they hope will be a new multi-billion-dollar market. This included Container Camp on April 17 and CoreOS Fest on May 5th and 6th, with DockerCon to come near the end of June. While there is a lot of hype, the current container gold rush has yielded more than a few benefits for users — and caused technological development so rapid it is hard to keep up with. Subscribers can click below for a report by guest author Josh Berkus from this week's edition.
The kernel community ordinarily tries to avoid letting users get into a position where the integrity of their data might be compromised. There are exceptions, though; consider, for example, the ability to explicitly flush important data to disk (or more importantly, to avoid flushing at any given time). Buffering I/O in this manner can significantly improve disk write I/O throughput, but if application developers are careless, the result can be data loss should the system go down at an inopportune time. Recently there have been a couple of proposed performance-oriented changes that have tested the community's willingness to let users put themselves into danger. Click below (subscribers only) for the full story from this week's Kernel Page.
Mozilla has released Firefox 38.0. This version features new tab-based preferences and Ruby annotation support. Also, it will be the base for the next ESR release. The release notes contain more information.
The development of the Foresight Linux distribution has come to an end. "The Foresight Linux Council has determined that there has been insufficient volunteer activity to sustain meaningful new development of Foresight Linux. Faced with the need either to update the project's physical infrastructure or cease operations, we find no compelling reason to update the infrastructure."
The 4.1 development cycle continues with the release of 4.1-rc3. "Go out and test. By -rc3, things really should be pretty non-threatening and this would be a good time to just make sure everything is running smoothly if you haven't tried one of the earlier development kernels already."
At the Go Blog, Andrew Gerrand provides a look at the language's approach to combining example code and documentation. "Godoc examples are snippets of Go code that are displayed as package documentation and that are verified by running them as tests. They can also be run by a user visiting the godoc web page for the package and clicking the associated "Run" button. Having executable documentation for a package guarantees that the information will not go out of date as the API changes." Each package's examples are compiled as part of the package test suite; examples can also (optionally) be executed in order to capture failures with the testing framework.
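As an added illustration of the mechanism described above (this is not code from the Go Blog post or from the Go project), the following shows what a godoc example looks like and re-implements, in simplified form, the check that go test performs on it: the example's printed output is captured and compared with the text of its trailing "// Output:" comment. Reverse is a hypothetical function standing in for the API being documented, exampleSource is a constructed copy of the example's text, and ExpectedOutput, captureStdout and VerifyExample are this example's own helpers, not the testing package's.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"strings"
)

// Reverse is a hypothetical package function standing in for the API
// being documented (constructed for this example).
func Reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// ExampleReverse is written the way a godoc example appears in an
// example_test.go file: the trailing "// Output:" comment states what the
// example must print for the generated test to pass.
func ExampleReverse() {
	fmt.Println(Reverse("hello"))
	fmt.Println(Reverse("Gopher"))
	// Output:
	// olleh
	// rehpoG
}

// exampleSource is a constructed copy of ExampleReverse's source text, so the
// expectation can be recovered from the comment as the test tooling does.
const exampleSource = `func ExampleReverse() {
	fmt.Println(Reverse("hello"))
	fmt.Println(Reverse("Gopher"))
	// Output:
	// olleh
	// rehpoG
}`

// ExpectedOutput returns the text of the "// Output:" comment block in src,
// one comment line per expected line with "//" and surrounding space removed.
// The bool is false when there is no Output comment: such an example is
// compiled but not run.
func ExpectedOutput(src string) (string, bool) {
	lines := strings.Split(src, "\n")
	var out []string
	for i, l := range lines {
		t := strings.TrimSpace(l)
		if !strings.HasPrefix(t, "// Output:") {
			continue
		}
		if rest := strings.TrimSpace(strings.TrimPrefix(t, "// Output:")); rest != "" {
			out = append(out, rest) // output may start on the marker line itself
		}
		for _, l := range lines[i+1:] {
			t := strings.TrimSpace(l)
			if !strings.HasPrefix(t, "//") {
				break
			}
			out = append(out, strings.TrimSpace(strings.TrimPrefix(t, "//")))
		}
		return strings.Join(out, "\n"), true
	}
	return "", false
}

// captureStdout runs fn with os.Stdout redirected to a pipe and returns what
// it printed; the drain goroutine keeps a large output from blocking fn.
func captureStdout(fn func()) string {
	orig := os.Stdout
	r, w, err := os.Pipe()
	if err != nil {
		panic(err)
	}
	os.Stdout = w
	done := make(chan string)
	go func() {
		var buf bytes.Buffer
		io.Copy(&buf, r)
		done <- buf.String()
	}()
	fn()
	w.Close()
	os.Stdout = orig
	return <-done
}

// normalize trims each line and the whole text, as the comparison in go test does.
func normalize(s string) string {
	lines := strings.Split(strings.TrimSpace(s), "\n")
	for i := range lines {
		lines[i] = strings.TrimSpace(lines[i])
	}
	return strings.Join(lines, "\n")
}

// VerifyExample reports whether fn prints what the Output comment in src
// promises; an example without an Output comment passes without running.
func VerifyExample(fn func(), src string) (got, want string, ok bool) {
	want, has := ExpectedOutput(src)
	if !has {
		return "", "", true
	}
	got = normalize(captureStdout(fn))
	return got, want, got == normalize(want)
}

func main() {
	if got, want, ok := VerifyExample(ExampleReverse, exampleSource); ok {
		fmt.Println("ExampleReverse: PASS")
	} else {
		fmt.Printf("ExampleReverse: FAIL\ngot:\n%s\nwant:\n%s\n", got, want)
	}
}
```

In a real package the example function lives in a _test.go file and go test generates the comparison itself; keeping the expectation next to the code in a comment is what makes the documentation fail loudly when the API's behaviour changes.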
Arch Linux has updated libtasn1 (code execution), mariadb (multiple vulnerabilities), and mariadb-clients (denial of service). Debian has updated dnsmasq (regression fix for previous advisory) and pound (multiple vulnerabilities). Fedora has updated async-http-client (F20: multiple vulnerabilities), realmd (F21: unsanitized input), springframework (F20: information disclosure), testdisk (F20: multiple vulnerabilities), and v8 (F20; F21: denial of service). Mandriva has updated libtasn1 (BS1,2: code execution). SUSE has updated DirectFB (SLE12: multiple vulnerabilities), java-1_7_0-openjdk (SLED 11.3: multiple vulnerabilities), and kernel (SLE12 Live Patching: denial of service).
Greg Kroah-Hartman has released the latest batch of stable kernels: 3.10.77, 3.14.41, 3.19.7, and 4.0.2. As usual, they contain fixes all over the tree and users should upgrade.
Over at Opensource.com, one of the translators for OpenStack, Łukasz Jernaś, is interviewed about the process of translating a large project like OpenStack. "How does OpenStack's release cycle play into the translation process? Is it manageable to get translations done on a six-month release cycle? Most of the work gets done after the string freeze period, which happens around a month before the release, with a lot of it being completed after getting the first release candidate out of the window. Documentation is translated during the entire cycle, as many parts are common between releases and can be deployed independently to the releases. So we don't have to focus that much about deadlines, as it's available online all the time and not prepackaged and pushed out to users and distributions. Of course, having a month to do the translations can be cumbersome, depending on the team doing the translation (some do that part time, some people in their spare time), and how many developers push out new strings during the string freeze."
Debian has updated sqlite3 (three vulnerabilities). Mageia has updated dpkg (integrity verification bypass), libtasn1 (denial of service), perl-XML-LibXML (information disclosure), qt3, qt4, and qtbase5 (three vulnerabilities), and tcl-tcllib (cross-site scripting). Mandriva has updated perl-XML-LibXML (BS1,2: information disclosure).
Two talks at the 2015 Libre Graphics Meeting in Toronto came from video-editing projects. One was an update from Natron, a relatively young project that deals with video compositing, while the other was a reflection on ten years' worth of development on the general-purpose non-linear editor (NLE) Pitivi. Both are active projects, but they take two markedly different approaches: one aims to support an existing industry standard, while the other must build its core functionality from the ground up.
This year the International Day Against DRM will be held on May 6. The Free Software Foundation focuses on community with a wide variety of community groups, activist organizations, and businesses all taking part in the ninth International Day Against DRM. The FSF's DefectiveByDesign campaign looks at how DRM affects people with disabilities. "DRM is especially bad for those of us that face additional hurdles using computers. It's beastly for blind people, who are dependent on an audiobook market heavily laden with DRM."
Early support for hosting Git repositories directly on Launchpad has been announced. "This has been by far the single most commonly requested feature from Launchpad code hosting for a long time; we've been working hard on it for several months now, and we're very happy to be able to release it for general use. This is distinct from the facility to import code from Git (and some other systems) into Bazaar that Launchpad has included for many years."
CoreOS looks at community adoption of the App Container spec (appc). "In order to ensure the specification remains a community-led effort, the appc project has established a governance policy and elected several new community maintainers unaffiliated with CoreOS: initially, Vincent Batts of Red Hat, Tim Hockins of Google and Charles Aylward of Twitter. This new set of maintainers brings each of their own unique points of view and allows appc to be a true collaborative effort. Two of the initial developers of the spec from CoreOS, Brandon Philips and Jonathan Boulle, remain as maintainers, but now are proud to have the collective help of others to make the spec what it is intended to be: open, well-specified and developed by a community."
Synfig Studio 1.0 has been released. This version features a reworked UI, a full-featured bone system to create cutout animation, advanced image distortion, a new Cutout Tool, sound support, and more.
The second 4.1 prepatch is out for testing. "As usual, it's a mixture of driver fixes, arch updates (with s390 really standing out due to that one prng commit), and some filesystem and networking."
OpenBSD 5.7 has been released. This version includes improved hardware support, network stack improvements, installer improvements, security and bug fixes, and more. OpenSSH 6.8, LibreSSL, and other packages have also seen improvements and bug fixes.
Arch Linux has updated perl-xml-libxml (information disclosure). Debian has updated chromium-browser (multiple vulnerabilities). Debian-LTS has updated libjson-ruby (denial of service), libxml-libxml-perl (information disclosure), squid (denial of service), xdg-utils (command execution), and xorg-server (information leak/denial of service). Mageia has updated kernel (multiple vulnerabilities), kernel-linus (multiple vulnerabilities), libreoffice (code execution), ppp (denial of service), and quassel (SQL injection). openSUSE has updated wpa_supplicant (13.2, 13.1: code execution). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL5.6: privilege escalation). Scientific Linux has updated 389-ds-base (SL7: access control bypass). SUSE has updated kernel (SLES10 SP4: multiple vulnerabilities).
The Mozilla community has declared its intent to phase out "non-secure" (not encrypted with TLS) web access. "Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon."
The Apache SpamAssassin 3.4.1 release is out. "Highlights include: Improved automation to help combat spammers that are abusing new top level domains; Tweaks to the SPF support to block more spoofed emails; Increased character set normalization to make rules easier to develop, block more international spam and stop spammers from using alternate character sets to bypass tests; Continued refinement to the native IPv6 support; and Improved Bayesian classification with better debugging and attachment hashing."
WeLiveSecurity reports that ESET researchers have revealed a family of Linux malware that stayed under the radar for more than 5 years. They are calling it Linux/Mumblehard. "There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average. Monitoring of the botnet suggests that the main purpose of Mumblehard seems to be to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines."
Debian GNU/Hurd 2015 has been released. "This is a snapshot of Debian "sid" at the time of the stable Debian "jessie" release (April 2015), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release."
Arch Linux has updated chromium (multiple vulnerabilities) and dovecot (denial of service). CentOS has updated 389-ds-base (C7: access control bypass). Debian-LTS has updated jruby (denial of service). Fedora has updated libreoffice (F21: code execution) and yourls (F21; F20: cross-site scripting). Mandriva has updated lftp (MBS1.0: man-in-the-middle attack), libksba (MBS1.0, MBS2.0: denial of service), ntop (MBS1.0: cross-site scripting), and t1utils (MBS1.0: multiple vulnerabilities). openSUSE has updated curl (13.2, 13.1: multiple vulnerabilities) and python-Pillow (13.2: denial of service). Oracle has updated 389-ds-base (OL7: access control bypass).
GNU Mailman 3.0 has been released. "Over seven years in development, Mailman 3 represents a major new version, redesigned as a suite of cooperating components which can be used to mix and match however you want. The core engine is now backed by a relational database and exposes its functionality to other components via an administrative REST+JSON API. Our new web user interface, Postorius is Django-based, as is our new archiver HyperKitty. The core requires Python 3.4 while Postorius and HyperKitty require Python 2.7." LWN looked at Mailman 3.0 in March, and at HyperKitty in April 2014.
Jacob Kaplan-Moss is known for his work on Django but, as he would describe in his PyCon 2015 keynote, many think he had more to do with its creation than he actually did. While his talk ranged quite a bit, the theme covered something that software development organizations—and open source projects—may be grappling with: a myth about developer performance and how it impacts the industry. It was a thought-provoking talk that was frequently punctuated by applause; these are the kinds of issues that the Python community tries to confront head on, so the talk was aimed well.
KDE has announced the release of Plasma 5.3. This release features improved power management, better Bluetooth capabilities, improved Plasma widgets, a tech preview of the Plasma Media Center, big steps towards Wayland support, and more.
Matthew Garrett looked into why Linux systems consume too much power on recent Intel chipsets and wrote up his results — a reduction of idle power use on his laptop from 8.5W to 5W. "This trend is likely to continue. As systems become more integrated we're going to have to pay more attention to the interdependencies in order to obtain the best possible power consumption, and that means that distribution vendors are going to have to spend some time figuring out what these dependencies are and what the appropriate default policy is for their users."
The 4.1-rc1 prepatch is out. Linus says: "No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of 'big new feature' may differ from mine, of course. There's a lot of work all over, and some of it might just make a big difference to your use cases." What he doesn't mention is that, in the end, kdbus was not merged for this development cycle.