LWN.net

Debian 8, codenamed "Jessie", has been released. It comes with a wide array of upgraded packages including GNOME 3.14, KDE Plasma Workspaces and KDE Applications 4.11.13, Python 2.7.9 and 3.4.2, Perl 5.20.2, PHP 5.6.7, PostgreSQL 9.4.1, MariaDB 10.0.16 and MySQL 5.5.42, Linux 3.16.7-ctk9, and lots more. "With this broad selection of packages and its traditional widearchitecture support, Debian once again stays true to its goal of beingthe universal operating system. It is suitable for many different usecases: from desktop systems to netbooks; from development servers tocluster systems; and for database, web, or storage servers. At the sametime, additional quality assurance efforts like automatic installationand upgrade tests for all packages in Debian's archive ensure that"Jessie" fulfills the high expectations that users have of a stableDebian release."

The Rust blog has posted a guideto using Rust's foreign function interface (FFI) with C code.Highlighted in particular are Rust's safe abstractions, which are saidto impose no costs. "Most features in Rust tie into its coreconcept of ownership, and the FFI is no exception. When binding a Clibrary in Rust you not only have the benefit of zero overhead, butyou are also able to make it safer than C can! Bindings can leveragethe ownership and borrowing principles in Rust to codify commentstypically found in a C header about how its API should beused."

Arch Linux has updated powerdns (denial of service) and powerdns-recursor (denial of service).Debian-LTS has updated subversion (multiple vulnerabilities).Fedora has updated lcms(F20: denial of service)and php (F21: multiple vulnerabilities).Mageia has updated chromium-browser-stable (M4: multiple vulnerabilities), chrony (M4: multiple vulnerabilities), lftp (M4: SSL server spoofing), libksba (M4: denial of service), ntop (M4: cross-site scripting), setup (M4: information disclosure), and t1utils (M4: multiple vulnerabilities).openSUSE has updated firefox (13.1; 13.2:code execution)and socat (13.1: denial of service).Oracle has updated kernel (kernel 3.8.18 (O6, O7);kernel 2.6.39 (O5, O6);kernel 2.6.32 (O5, O6): multiple vulnerabilities).Red Hat has updated novnc(RHEL OSP4: VNC session hijacking).Ubuntu has updated firefox(code execution), usb-creator (12.04, 14.04, 14.10; 15.04: privilege escalation), and wpa_supplicant (14.04, 14.10: code execution).

The Ubuntu 15.04 release is out. "Ubuntu Server 15.04 includes the Kilo release of OpenStack, alongsidedeployment and management tools that save devops teams time whendeploying distributed applications - whether on private clouds, publicclouds, x86 or ARM servers, or on developer laptops. Several key servertechnologies, from MAAS to Ceph, have been updated to new upstreamversions with a variety of new features.This release also includes the first release of snappy Ubuntu Core, anew distribution model based on transactional updates." LWN looked at Snappy in January.

Ars Technica reportson a wpa_supplicant bugthat might leave Linux and other systems open to remote code execution."That's because the code fails to check the length of incoming SSIDinformation and writes information beyond the valid 32 octets of data tomemory beyond the range it was allocated. SSID information 'is transmittedin an element that has a 8-bit length field and potential maximum payloadlength of 255 octets,' [wpa_supplicant maintainer Jouni] Malinen wrote,and the code 'was not sufficiently verifying the payload length on one ofthe code paths using the SSID received from a peer device. This can resultin copying arbitrary data from an attacker to a fixed length buffer of 32bytes (i.e., a possible overflow of up to 223 bytes). The overflow canoverride a couple of variables in the struct, including a pointer that getsfreed. In addition, about 150 bytes (the exact length depending onarchitecture) can be written beyond the end of the heapallocation.'"

Arch Linux has updated glibc(code execution).Fedora has updated chrony (F21:three vulnerabilities), gnupg2 (F20: denialof service), java-1.7.0-openjdk (F20:unspecified), java-1.8.0-openjdk (F21:unspecified), kernel (F21; F20: denial of service), ntp (F20: two vulnerabilities), python (F20: denial of service from 2013), spatialite-tools (F21: three vulnerabilities),and sqlite (F21: three vulnerabilities).Oracle has updated kvm (OL5: two vulnerabilities).

The LWN.net Weekly Edition for April 23, 2015 is available.

Few readers will have failed to notice by now that the attempted merging ofthe kdbus interprocess communication system into the 4.1 kernel has failedto go as well as its proponents would have liked. As of this writing, thediscussion continues and nothing has been merged. This article constitutesan attempt to derive a bit of light from the massive amounts of heat thathave been generated so far, with a specific focus on the issue of metadataand capabilities.

Opensource.com introducesSourcegraph. "Sourcegraph is a code search engine and browsing tool that semantically indexes all the open source code available on the web. You can search for code by repository, package, or function and click on fully linked code to read the docs, jump to definitions, and instantly find usage examples. And you can do all of this in your web browser, without having to configure any editor plugin."

Arch Linux has updated firefox (code execution).CentOS has updated kernel (C6:multiple vulnerabilities), kvm (C5: twovulnerabilities), and qemu-kvm (C6: privilege escalation).Debian has updated curl (multiplevulnerabilities) and subversion (two vulnerabilities).Debian-LTS has updated wireshark (multiple vulnerabilities).Fedora has updated ceph-deploy(F21: information leak), firefox (F20:multiple vulnerabilities), libzip (F21; F20: codeexecution), mingw-gnutls (F21: denial ofservice), mingw-libtasn1 (F21; F20: denial of service), openstack-neutron (F20: denial of service),python-virtualenv (F21; F20: insecure software download),qt5-qtwebkit (F21; F20: denial of service), and qtwebkit(F21; F20:denial of service).openSUSE has updated Chromium(13.2, 13.1: multiple vulnerabilities).Oracle has updated glibc (OL6:two vulnerabilities), kernel (OL6: multiplevulnerabilities), and qemu-kvm (OL6: privilege escalation).Red Hat has updated kernel(RHEL5.9: privilege escalation), kvm(RHEL5: two vulnerabilities), and qemu-kvm(RHEL6: privilege escalation).Scientific Linux has updated kernel (SL6: multiple vulnerabilities), kvm (SL5: two vulnerabilities), and qemu-kvm (SL6: privilege escalation).Slackware has updated bind(denial of service), gnupg (multiplevulnerabilities), httpd (multiplevulnerabilities), libssh (twovulnerabilities), firefox (multiplevulnerabilities), thunderbird (multiplevulnerabilities), mutt (denial of service),ntp (two vulnerabilities), openssl (multiple vulnerabilities), php (multiple vulnerabilities), ppp (two vulnerabilities), proftpd (unauthenticated copying of files), qt (multiple vulnerabilities), and seamonkey (multiple vulnerabilities).SUSE has updated mariadb (SLE12: multiple vulnerabilities).

Version 5.1 of the GNU Compiler Collection is out. "GCC 5.1 is amajor release containing substantial new functionality not available in GCC4.9.x or previous GCC releases." Some of that new functionalityincludes full C++14 language support, quite a few optimizationimprovements, partial OpenACC support, OpenMP 4.0 support, anexperimental JIT library, and more; see the changelog for details.

The Daily Dot reportsthat the Tor project is receiving some funding from the US Defense AdvancedResearch Projects Agency (DARPA) to improve Tor's hidden services. "The Dark Net road map moving forward is ambitious. Tor plans to double the encryption strength of hidden service’s identity key and to allow offline storage for that key, a major security upgrade.Next-generation hidden services may be run from multiple hosts to better deal with denial of service attacks and high traffic in general, a potentially big power boost that further closes the gap between the Dark Net and normal websites."

Fedora 22 Beta has been released. It comes in Workstation, Server, andCloud editions, as well as several spins. This version replaces yum withDNF for package management, as discussed in this recent LWN article. The Cloud edition features thelatest versions of rpm-ostree and rpm-ostree-toolbox and introduces theAtomic command line tool. The Server edition features a new database serverrole based on PostgreSQL, an updated Cockpit, and XFS as the defaultfilesystem. The Workstation product has also seen a number of enhancementsand improvements, including a redesigned GNOME Shell notification system,transitional Wayland support, and much more.

Arch Linux has updated jdk8-openjdk (multiple vulnerabilities), jre8-openjdk (multiple vulnerabilities), jre8-openjdk-headless (multiple vulnerabilities), and tcpdump (denial of service).CentOS has updated glibc (C6: twovulnerabilities).Debian-LTS has updated python-django-markupfield (information leak).Red Hat has updated glibc (RHEL6:two vulnerabilities) and kernel (RHEL6: multiple vulnerabilities).Scientific Linux has updated glibc (SL6: two vulnerabilities).SUSE has updated Real Time LinuxKernel (SLERTE11 SP3: multiple vulnerabilities).Ubuntu has updated mysql-5.5(14.10, 14.04, 12.04: multiple vulnerabilities), openjdk-6 (12.04, 10.04: multiplevulnerabilities), openjdk-7 (14.10, 14.04:multiple vulnerabilities), and php5 (14.10,14.04, 12.04, 10.04: multiple vulnerabilities).

O'Reilly has posted anexcerpt from Puppet Best Practices, an upcoming book about thePuppet system configuration tool. It's a good place to look for thosewanting an introduction to how Puppet works. "Puppet can be somewhatalien to technologists who have a background in automation scripting. Wheremost of our scripts scripts are procedural, Puppet is declarative. While adeclarative language has many major advantages for configurationmanagement, it does impose some interesting restrictions on the approacheswe use to solve common problems."

David Tschumperlé has posted anextensive summary of his work on G'MIC, an image-processing tool.One of those projects was comic colorization: "The idea is very simple: Instead of forcing the artist to do all thecolorization job by himself, we just ask him to put some colored key-pointshere and here, inside the different image regions to fill-in. Then, thealgorithm tries to guess a probable colorization of the drawing, byanalyzing the contours in the image and by interpolating the given coloredkey-points with respect to these contours." (LWN looked at G'MIC in August 2014).

NetworkWorld takesa look at two VMWare projects that are aimed at running containersinside the VM. "VMware has created Photon as an OS that can run in vSphere. VMware says it’s a “lightweight” Linux OS that has only the basic elements required to package applications in containers and run them inside virtual machines. Because of its minimalist feature set, Project Photon is meant to boot up quickly, which is a key advantage of using containers.Project Photon supports many container image platforms, including thosefrom Docker (which is both an open source container runtime and the name ofthe company that is commercializing it), as well as container images fromCoreOS (called “rkt”) and Pivotal (named “Garden”)." VMWare alsoannounced a beta version of Project Lightwave, "which is an identity and access management tool meant to provide an extra security layer for containers."

New stable kernel updates have been released for 3.19.5, 3.14.39, and 3.10.75. All of them contain important fixesthroughout the tree.

Arch Linux has updated chromium (multiple vulnerabilities), flashplugin (multiple vulnerabilities), jdk7-openjdk (multiple vulnerabilities), jre7-openjdk (multiple vulnerabilities), and jre7-openjdk-headless (multiple vulnerabilities).Debian has updated django-markupfield (information leak) and mysql-5.5 (multiple vulnerabilities).Debian-LTS has updated file(memory leak), openldap (multiple vulnerabilities), ppp (denial of service), and wesnoth-1.8 (information leak).Fedora has updated gnupg2 (F21:double-free issue), groovy-sandbox (F21:privilege escalation), jenkins (F21:multiple vulnerabilities), jenkins-matrix-project-plugin (F21: privilegeescalation), jenkins-script-security-plugin(F21: privilege escalation), knot (F21; F20:multiple vulnerabilities), libtasn1 (F21; F20:denial of service), mediawiki (F21;F20: multiple vulnerabilities),owncloud (F21; F20: multiple vulnerabilities),perl-DBD-Firebird (F21; F20: buffer overflow),perl-Module-Signature (F21; F20: multiple vulnerabilities),perl-Test-Signature (F21; F20: multiple vulnerabilities),php-symfony (F21; F20: two vulnerabilities), postgis (F21: multiple vulnerabilities), python (F21: denial of service), rest(F21; F20:denial of service), tcpdump (F20: multiple vulnerabilities), and tor (F21; F20: denial of service).Mageia has updated perl-DBD-Firebird (buffer overflow), perl-Module-Signature (multiple vulnerabilities), and potrace (denial of service).openSUSE has updated xen (13.1: multiple vulnerabilities).Red Hat has updated java-1.6.0-sun (RHEL5,6,7: multiplevulnerabilities) and java-1.7.0-oracle(RHEL5,6,7: multiple vulnerabilities).

Version 4.0 of theArdour audio editing system is available. This release features Windowssupport, more flexible audio support (JACK is no longer required), a lot ofuser-interface work, and official OS X and Windows support.

PacketFence is a free network accesscontrol system; the 5.0release is now available. Changes include a new active clusteringmode, better device fingerprinting, better performance monitoring, theelimination of plaintext passwords, and more.

At his blog, Christian Schaller announcesthat Red Hat has joined the KhronosGroup, the consortium behind (among other things) the OpenGLstandard. Schaller notes that "the reason we are joining isbecause of all the important changes that are happening in Graphicsand GPU compute these days and our wish to have more direct input ofthe direction of some of these technologies. Our efforts are likely tofocus on improving the OpenGL specification by proposing some newextensions to OpenGL, and of course providing input and help withmoving the new Vulkan standard forward."

Arch Linux has updated php (multiple vulnerabilities).Debian-LTS has updated tzdata (unspecified vulnerability).Gentoo has updated adobe-flash (multiple vulnerabilities) and xorg-server (multiple vulnerabilities).openSUSE has updated icecast(13.1, 13.2:denial of service) and ntop (13.1, 13.2: cross-site scripting).Red Hat has updated java-1.8.0-oracle (RHEL6,7: multiple vulnerabilities), novnc (RHEL6 OSP; RHEL7 OSP: VNC session hijacking),openstack-foreman-installer (RHEL6OSP: root command execution),openstack-glance (RHEL6 OSP; RHEL7 OSP: denial of service),openstack-nova (RHEL6 OSP; RHEL7 OSP: multiple vulnerabilities), openstack-packstack, openstack-puppet-modules (RHEL6 OSP; RHEL7 OSP: root command execution),openstack-swift (RHEL6 OSP; RHEL7 OSP: metadata constraint bypass),python-django-horizon, python-django-openstack-auth (RHEL6 OSP; RHEL7 OSP: denial of service), andredhat-access-plugin-openstack (RHEL6 OSP; RHEL7 OSP: information disclosure).Ubuntu has updated apport(14.04, 14.10: privilege escalation).

It has been roughly a year and a half since the last release of the GNU Hurd operatingsystem, so it may be of interest to some readers that GNU Hurd 0.6 has beenreleased along withGNU Mach 1.5 (the microkernel that Hurdruns on) and GNU MIG 1.5 (the Mach Interface Generator, whichgenerates code to handle remote procedure calls). New features includeprocfs and random translators; cleanups and stylistic fixes, some of whichcame from static analysis; message dispatching improvements; integerhashing performance improvements; a split of the init server into astartup server and an init program based on System V init; and more. "GNU Hurd runs on 32-bit x86 machines. A version running on 64-bit x86(x86_64) machines is in progress. Volunteers interested in ports toother architectures are sought; please contact us (see below) if you'dlike to help.To compile the Hurd, you need a toolchain configured to target i?86-gnu;you cannot use a toolchain targeting GNU/Linux. Also note that youcannot run the Hurd "in isolation": you'll need to add further componentssuch as the GNU Mach microkernel and the GNU C Library (glibc), to turnit into a runnable system."

On his blog, Josh Boyer looks at the choice of the 4.0 kernel for Fedora 22. While the underpinnings of the live kernel patching feature have been merged, even when it is fully operational it is probably not something that Fedora (and perhaps other distributions) will use often (or at all). "In reality, we might not ever really leverage the live patching functionality in Fedora itself. It is understandable that people want to patch their kernel without rebooting, but the mechanism is mostly targeted at small bugfixes and security patches. You cannot, for example, live patch from version 4.0 to 4.1. Given that the Fedora kernel rebases both from stable kernel (e.g. 3.19.2 to 3.19.3) and major release kernels over the lifetime of a Fedora release, we don't have much opportunity to build the live patches."

Debian has updated gst-plugins-bad0.10 (code execution), inspircd (code execution from 2012), movabletype-opensource (code execution), andppp (denial of service).Debian-LTS has updated ruby1.9.1(three vulnerabilities).Mageia has updated java-1.7.0-openjdk (multiple vulnerabilities),mono (three SSL/TLS vulnerabilities), andpython-dulwich (two code execution flaws).openSUSE has updated flash-player(11.4: 45 vulnerabilities) and rubygem-rest-client (13.2, 13.1: plaintextpassword logging).Oracle has updated java-1.6.0-openjdk (OL5: unspecifiedvulnerabilities) and java-1.7.0-openjdk(OL5: unspecified vulnerabilities).Red Hat has updated chromium-browser (RHEL6: multiplevulnerabilities), java-1.6.0-openjdk(RHEL5,6&7: multiple vulnerabilities), java-1.7.0-openjdk (RHEL5; RHEL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (RHEL6&7: multiple vulnerabilities).Scientific Linux has updated java-1.6.0-openjdk (SL5,6&7: multiplevulnerabilities), java-1.7.0-openjdk (SL5; SL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).SUSE has updated flash-player(SLE11SP3: 22 vulnerabilities).

The LWN.net Weekly Edition for April 16, 2015 is available.

In the first two installments in this series on plotting tools(which covered gnuplot and matplotlib), we introduced tools for creating plots and graphs, and used the termsinterchangeably to refer to the typical scientific plot relating oneset of quantities to another. In this article we use the term "graph"in its mathematical, graph-theory context, meaning a set of nodes connected byedges. There is a strong family resemblance among graph-theory graphs,flowcharts, and network diagrams—so much so that some of the sametools can be coerced into creating all of them. We will now surveyseveral mature free-software systems for building these typesof visualizations. At least one of these tools will likely be useful if youare ever in need of an automated way to diagram source-codeinterdependencies, make an organizational chart, visualize a computernetwork, or organize a sports tournament. We will start with agraphical charting tool and a flexible graphing system that can easily be called by other programs.

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities), java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), and java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).Debian-LTS has updated libvncserver (multiple vulnerabilities) and libx11 (code execution).Mageia has updated arj (multiple vulnerabilities), asterisk (SSL server spoofing), flash-player-plugin (multiple vulnerabilities), glusterfs (denial of service), librsync (file checksum collision), ntp (two vulnerabilities), qemu (denial of service), quassel (denial of service), shibboleth-sp (denial of service), socat (denial of service), tor (denial of service), and wesnoth (information leak).Oracle has updated java-1.6.0-openjdk (OL6: multiplevulnerabilities), java-1.7.0-openjdk (OL6:multiple vulnerabilities), and java-1.8.0-openjdk (OL6: multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5,6 Supplementary: multiple vulnerabilities).SUSE has updated Adobe FlashPlayer (SLEWE12, SLED12: multiple vulnerabilities).

This year's Debian project election leader election has concluded, withNeil McGovern winning by a conclusive margin.

The first half of our report from the Python LanguageSummit is now available. Subscribers can click below to access reports from five sessions held before lunch covering topics like the atomicity of Python operations, making Python 3 more attractive to developers, PyParallel, infrastructure for Python development, and Python 3 adoption. We will be adding more reports to this page as they become available.

Open Invention Network (OIN) has announced that it hasupdated its Linux System patent non-aggression coverage. "For thisupdate, 115 new packages will be added to the Linux System, out of almost 800 proposed by various parties. Key additions are the referenceimplementations of the popular Go and Lua programming languages, Nginx,Openshift, and development tools like CMake and Maven. This update willrepresent an increase of approximately 5% of the total number of packagescovered in the Linux System, a reflection of the incremental and disciplinednature of the update process."

A beta version of Plasma 5.3 has been released.This release features enhanced power management, better Bluetoothcapabilities, improved Plasma widgets, a tech preview of Plasma MediaCenter, big steps towards Wayland support, and lots of bug fixes.

Arch Linux has updated ruby (man-in-the-middle attack).CentOS has updated openssl (C5: multiple vulnerabilities).Debian-LTS has updated ia32-libs (multiple vulnerabilities).Oracle has updated openssl (OL5: multiple vulnerabilities).Red Hat has updated kernel(RHEL6.4: privilege escalation).Scientific Linux has updated xorg-x11-server (SL7, SL6: information leak/denial of service).Ubuntu has updated apport (14.10,14.04: privilege escalation), libx11,libxrender (14.10, 14.04, 12.04: code execution), and ntp (14.10, 14.04, 12.04: multiple vulnerabilities).

The Document Foundation's project Document Liberation looks at its progressduring the past year. "During 2014, members of the project released a new framework library,called librevenge, which contains all the document interfaces and helpertypes, in order to simplify the dependency chain. In addition, they starteda new library for importing Adobe PageMaker documents, libpagemaker,written as part of Google Summer of Code 2014 by Anurag Kanungo.Existing libraries have also been extended with the addition of moreformats, like libwps with the addition of Microsoft Works Spreadsheet andDatabase by Laurent Alonso. He is now working on adding support for Lotus1-2-3, which is one of the most famous legacy applications for personalcomputers. Laurent has also added support for more than twenty legacy Macformats to libmwaw."

Greg KH has released stable kernels 3.19.4,3.14.38, and 3.10.74. All of them contain the usual set ofimportant fixes.

Arch Linux has updated icecast (denial of service).CentOS has updated xorg-x11-server (C6: information leak).Debian has updated chrony (multiple vulnerabilities), das-watchdog (privilege escalation), libdbd-firebird-perl (buffer overflow), libtasn1-3 (denial of service), libx11 (code execution), ntp (two vulnerabilities), and wesnoth-1.10 (information leak).Debian-LTS has updated chrony (multiple vulnerabilities), das-watchdog (privilege escalation), libtasn1-3 (denial of service), and ntp (two vulnerabilities).Fedora has updated arj (F20:multiple vulnerabilities), ca-certificates (F21; F20:certificate update), ImageMagick (F21:multiple vulnerabilities), libxml2 (F20:denial of service), openldap (F21: denialof service), qemu (F21: multiplevulnerabilities), varnish (F21: heap buffer overflow), and xen (F21; F20: multiple vulnerabilities).Gentoo has updated apache (multiple vulnerabilities), mysql (multiple unspecified vulnerabilities), sudo (information disclosure), and xen (multiple vulnerabilities).Mandriva has updated batik(MBS1,2: information leak).openSUSE has updated kernel (13.2; 13.1:multiple vulnerabilities) and tor (13.2,13.1: denial of service).Red Hat has updated openssl(RHEL5: multiple vulnerabilities).Scientific Linux has updated openssl (SL5: multiple vulnerabilities).SUSE has updated firefox (SLES12; SLED12: multiple vulnerabilities).

Jan Hubička has posted a lengthydiscussion of the optimization improvements found in the upcomingGCC 5.0 release. "Identical code folding is a new pass(contributed by Martin Liška, SUSE) looking for functions with the samecode and variables with the same constructors. If some are found, one copyis removed and replaced one by an alias to another where possible. This isespecially important for C++ code bases that tend to contain duplicatedfunctions as a result of template instantiations."

Linus has released the 4.0 kernel right onschedule. "Feature-wise, 4.0 doesn't have all that muchspecial. Much have been made of the new kernel patching infrastructure, butrealistically, that not only wasn't the reason for the version numberchange, we've had much bigger changes in other versions. So this is verymuch a 'solid code progress' release." Beyond the (incomplete)live-patching mechanism, this release includes the removal of theremap_file_pages() system call, improved persistent memory support, the lazytime mount option, and thekernel address sanitizer.

Aaron Turon has posted alengthy introduction to concurrency in the Rust programming language."Every data type knows whether it can safely be sent between oraccessed by multiple threads, and Rust enforces this safe usage; there areno data races, even for lock-free data structures. Thread safety isn't justdocumentation; it's law."

Arch Linux has updated mediawiki (multiple vulnerabilities).CentOS has updated xorg-x11-server (C7: information leak/denial of service).Debian has updated dpkg(integrity-verification bypass).Fedora has updated arj (F21:multiple vulnerabilities),echoping (F20; F21: multiple vulnerabilities), and python-dulwich (F20; F21:code execution).Mageia has updated batik(M4: information leak), chromium-browser-stable (M4: multiple vulnerabilities), jakarta-taglibs-standard (M4: code execution), less (M4: information leak), mediawiki (M4: multiple vulnerabilities), openldap (M4: denial of service), qt-creator (M4: key-verification failure), suricata (M4: denial of service), and xerces-c (M4: denial of service).Mandriva has updated arj(BS1: multiple vulnerabilities), less(BS1,2: information leak), mediawiki (BS1: multiple vulnerabilities), and ntp (BS1,2: multiple vulnerabilities).Oracle has updated xorg-x11-server (O6; O7: information leak/denial of service).Red Hat has updated qemu-kvm-rhev (RHEL OSP: privilege escalation) and xorg-x11-server (RHEL6,7: information leak/denial of service).Scientific Linux has updated krb5 (SL6: multiple vulnerabilities).SUSE has updated libXfont(SLE12: multiple vulnerabilities).Ubuntu has updated dpkg (integrity-verification bypass).

As was discussed in this LWN article, theX.Org Foundation recently held an election to choose four board members anddecide whether to change the organization's by-laws to enable it to becomea member of Software in the Public Interest (SPI). The resultsare now available. The board members elected are Peter Hutterer, MartinPeres, Rob Clark, and Daniel Vetter. The measure to change the by-laws didnot pass, though, despite receiving only two "no" votes, because therequired two-thirds majority was not reached.

The Linux Foundation (LF) has announcedthat it will serve as host of the Let's Encryptproject, as well as the Internet Security Research Group (ISRG).Let's Encrypt is the free, automated SSL/TLS certificate authoritythat was announced in November 2014 by the Electronic Frontier Foundation(EFF) to provide TLS certificates for every domain on the web. ISRG isthe non-profit organization created to spearhead efforts like Let'sEncrypt (which, as of now, is ISRG's only public project). In the LFannouncement, executive director Jim Zemlin notes that "byhosting this important encryption project in a neutral forum we canaccelerate the work towards a free, automated and easy securitycertification process that benefits millions of people around theworld."

Arch Linux has updated chrony (denial of service).CentOS has updated krb5(C6: multiple vulnerabilities).Debian-LTS has updated arj(multiple vulnerabilities), checkpw(denial of service), libgcrypt11 (multiple vulnerabilities), and libgd2 (multiple vulnerabilities).Fedora has updated drupal7-webform (F20; F21:unspecified vulnerability),firefox (F21: multiple vulnerabilities),powerpc-utils-python (F20; F21: code execution), and xterm (F20; F21:denial of service).Mandriva has updated java-1.8.0-openjdk (BS2: multiple vulnerabilities).Oracle has updated kernel (O5: multiple vulnerabilities)and krb5 (O6: denial of service).Red Hat has updated krb5(RHEL6: multiple vulnerabilities).Ubuntu has updated kernel (12.04; 14.04; 14.10: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

The LWN.net Weekly Edition for April 9, 2015 is available.

Arch Linux has updated ntp (two vulnerabilities).CentOS has updated kernel (C5: multiple vulnerabilities).Debian has updated libxml2 (denial of service).Fedora has updated setroubleshoot (F21; F20:privilege escalation) and texlive (F21: arbitrary file removal).openSUSE has updated Chromium(13.2, 13.1: two vulnerabilities), libgit2(13.2, 13.1: code execution), firefox,thunderbird (13.2, 13.1: multiple vulnerabilities), php5 (13.2, 13.1: multiple vulnerabilities),potrace (13.2, 13.1: denial of service), quassel (13.2, 13.1: denial of service), andsubversion (13.2, 13.1: multiple vulnerabilities).Red Hat has updated kernel(RHEL5: multiple vulnerabilities), novnc(RHEL OSP6.0: VNC session hijacking), openstack-nova (RHEL OSP6.0: cross-sitewebsocket hijack attack), openstack-packstack (RHEL OSP6.0: rootcommand execution), and installer(RHEL OSP6.0: root command execution).Scientific Linux has updated kernel (C5: multiple vulnerabilities).SUSE has updated xorg-x11-libs(SLE11 SP3: privilege escalation).Ubuntu has updated libtasn1-3,libtasn1-6 (14.10, 14.04, 12.04, 10.04: denial of service) and mailman (14.10, 14.04, 12.04: path traversal attack).

From the OpenStack community comes the sad announcement of the passing ofChris Yeoh, a longtime free-software developer. "Chris was humble, helpful and honest. The OpenStack and broader Open Sourcecommunities are poorer for his passing." Those with memories ofChris are encouraged to contribute them to a collection being put togetherfor his daughter.

The freedreno project wasstarted by Rob Clark to create a free-software driver for the Adreno familyof GPUs, which are used by the Qualcomm Snapdragon system-on-chip (SoC)family. He presented a status report on the project, along with some history andfuture plans, at the EmbeddedLinux Conference, which was held in San Jose, CA, March 23-25.Click below (subscribers only) for the full report from ELC 2015.

Threat Post takesa look at two TrueCrypt forks, VeraCrypt and CipherShed. AlthoughTrueCrypt development was discontinued last year, the code underwent a twophase audit and passed with a relatively clean bill of health."VeraCrypt and CipherShed have addressed many of the shortcomingsidentified not only by the audit, but by others who have scrutinized theTrueCrypt code in recent years. VeraCrypt’s [Mounir] Idrassi, for example,said he replaced TrueCrypt’s lone support of the RIPEMD-160 algorithm withSHA-256 support for system encryption. He said VeraCrypt has also tried tosimplify the build process, especially for Linux and Mac OS X systems, sothat other less common configurations could be used." The results of the audit of TrueCrypt are available in PDF format; phase1 was completed in February 2014, and phase2 was completed March 2015.

Arch Linux has updated tor (denial of service).Debian has updated arj (multiple vulnerabilities), libgd2 (denial of service), mailman (path traversal attack), and tor (denial of service).Debian-LTS has updated mailman (path traversal attack) and tor (denial of service).Fedora has updated chicken (F21; F20:buffer overflow), kernel (F20: multiplevulnerabilities), libxml2 (F21: denial of service), and seamonkey (F21; F20: multiple vulnerabilities).Gentoo has updated firefox (multiple vulnerabilities).Mandriva has updated cups-filters(MBS2.0: remote command execution), libtasn1 (MBS1.0, MBS2.0: denial of service),and python-django (MBS1.0: cross-site scripting).Red Hat has updated kernel(RHEL6.5: multiple vulnerabilities).Ubuntu has updated firefox(14.10, 14.04, 12.04: certificate verification bypass) and oxide-qt (14.10, 14.04: multiple vulnerabilities).