LWN.net

Arch Linux has updated firefox (multiple vulnerabilities) and wesnoth (information leak).Debian has updated stunnel4(authentication bypass).Debian-LTS has updated libxml2 (multiple vulnerabilities) and pykerberos (insecure authentication).Fedora has updated drupal6 (F21; F22:account hijacking)and drupal7 (F21; F22: multiple vulnerabilities).openSUSE has updated flash-player (11.4).Oracle has updated firefox (O5; O6; O7: multiple vulnerabilities).Red Hat has updated firefox(RHEL: multiple vulnerabilities) and openstack-cinder (RHEL OSP: file disclosure).SUSE has updated MySQL (SLE11 SP3: cipher downgrade attack),ntp (SLE11 SP3: multiple vulnerabilities), and OpenSSL (SLE 10 Client Tools; SUSE Manager 11 SP2, Studio Onsite; SLE 11 SAP; SLE 11 SP1; SLE SM 11 SP3: multiple vulnerabilities).

CentOS has updated openssl (C5:three vulnerabilities).Debian-LTS has updated unattended-upgrades (improper package authentication).

The LWN.net Weekly Edition for July 2, 2015 is available.

Ars Technica reportsthat the US Supreme Court rejected Google's appeal of the Google-Oracle APIcopyright dispute. "Despite the high court's inaction on the case, the Google-Oracle legal flap is far from resolved. That's because the appeals court sent the case back to the lower courts to determine whether Google's use of the code in Android—which it no longer uses—constitutes a "fair use." Oracle is seeking $1 billion in damages."This is not the end of the road for this case—the Federal Circuit decisionexplicitly left open the possibility that the kinds of uses Google madewere permissible under copyright's fair use doctrine," said Charles Duan,the director of Public Knowledge's patent reform project." (Thanksto Martin Michlmayr)

DockerCon on June 22 and 23 wasa much bigger affair than CoreOSFest or ContainerCamp. DockerCon rented outthe San Francisco Marriott for the event; the keynote ballroom seats 2000.That's a pretty dramatic change from the firstDockerCon last year, with roughly 500 attendees; it shows the hugegrowth of interest in Linux containers. Or maybe, given that it's SiliconValley, what you're seeing is the magnetic power of $95 million in round-Cfunding.Subscribers can click below for a report from DockerCon by guest authorJosh Berkus.

Debian has updated jackrabbit (information leak).Debian-LTS has updated libcrypto++ (information disclosure), libmodule-signature-perl (multiple vulnerabilities), and ruby1.9.1 (denial of service).Fedora has updated abrt (F21:multiple vulnerabilities), cups-x2go (F22:multiple vulnerabilities), elfutils (F22:hardening fixes), gnome-abrt (F21: multiplevulnerabilities), kernel (F21: denial ofservice), libreport (F21: multiplevulnerabilities), pam (F22: denial ofservice), and rubygem-activesupport (F22; F21: two vulnerabilities).Mageia has updated apache-mod_jk(MG4: information disclosure), drupal(MG4,5: multiple vulnerabilities), libvpx(MG4,5: denial of service), p7zip (MG4,5:directory traversal), postgresql (MG4:multiple vulnerabilities), and python-tornado (MG4: side-channel attack).openSUSE has updated p7zip (13.2,13.1: directory traversal).Oracle has updated openssl (OL5: multiple vulnerabilities).Scientific Linux has updated openssl (SL5: multiple vulnerabilities).

The Linux Foundation has announcedthe R Consortium. "The R language is used by statisticians, analysts and data scientists to unlock value from data. It is a free and open source programming language for statistical computing and provides an interactive environment for data analysis, modeling and visualization. The R Consortium will complement the work of the R Foundation, a nonprofit organization based in Austria that maintains the language. The R Consortium will focus on user outreach and other projects designed to assist the R user and developer communities.Founding companies and organizations of the R Consortium include The R Foundation, Platinum members Microsoft and RStudio; Gold member TIBCO Software Inc.; and Silver members Alteryx, Google, HP, Mango Solutions, Ketchum Trading and Oracle."

CentOS has updated postgresql (C7; C6:multiple vulnerabilities) and xerces-c (C7:denial of service).Debian has updated unattended-upgrades (authentication bypass).Debian-LTS has updated aptdaemon (information leak), hostapd (denial of service), jqueryui (cross-site scripting), and shibboleth-sp2 (denial of service).Fedora has updated chicken (F22; F21:out-of-bounds read), openvas-cli (F21: sqlinjection), openvas-libraries (F21: sqlinjection), openvas-manager (F21: sqlinjection), openvas-scanner (F21: sqlinjection), php-htmLawed (F22; F21: multiple vulnerabilities), postgresql (F21: multiple vulnerabilities),python-jwt (F22; F21: token verification bypass),rubygem-jquery-rails (F22; F21: CSRF vulnerability), and rubygem-web-console (F22: code execution).Oracle has updated postgresql (OL7; OL6:multiple vulnerabilities) and xerces-c(OL7: denial of service).Red Hat has updated kernel(RHEL6.5: two vulnerabilities), openssl(RHEL5: multiple vulnerabilities), postgresql (RHEL6,7: multiplevulnerabilities), postgresql92-postgresql(RHSCL2: multiple vulnerabilities), rh-postgresql94-postgresql (RHSCL2: multiplevulnerabilities), and xerces-c (RHEL7: denial of service).Scientific Linux has updated nss(SL6,7: cipher-downgrade attacks), postgresql (SL6,7: multiple vulnerabilities),and xerces-c (SL7: denial of service).SUSE has updated java-1_6_0-ibm(SLEM12: multiple vulnerabilities).Ubuntu has updated oxide-qt(15.04, 14.10, 14.04: multiple vulnerabilities) and unattended-upgrades (15.04, 14.10, 14.04,12.04: authentication bypass).

Amazon has announcedthe release of a new TLS library called "s2n" under the Apache license."s2n is a library that has been designed to be small, fast, withsimplicity as a priority. s2n avoids implementing rarely used options andextensions, and today is just more than 6,000 lines of code. As a result ofthis, we’ve found that it is easier to review s2n; we have alreadycompleted three external security evaluations and penetration tests on s2n,a practice we will be continuing."

Four new stable kernels are available; 4.1.1, 4.0.7,3.14.46, and 3.10.82. All contain important fixes.

Debian has updated libcrypto++ (information disclosure).Debian-LTS has updated cacti(multiple vulnerabilities), libwmf (denialof service), and t1utils (code execution).Fedora has updated kernel (F22: denial of service).openSUSE has updated roundcubemail (13.2: two vulnerabilities).Scientific Linux has updated kvm(SL5: code execution).SUSE has updated java-1_7_0-ibm(SLE11SP3: multiple vulnerabilities) and Xen (SLES11SP2; SLES11SP1: multiple vulnerabilities).

Valve has announced the first preview release of its forthcomingSteamOS update. The new release is based on Debian 8.1 with long-termsupport kernel 3.18; there aredownloadable builds linked to in the announcement for both UEFI andlegacy BIOS systems. There appear to be few user-visible differencesbetween the new release and the current SteamOS so far,though; the announcement notes: "Although there are a lot ofchanges under the covers, the overall functionality and experience ofbrewmaster is the same as alchemist."

CentOS has updated kvm (C5:code execution).Debian-LTS has updated librack-ruby (denial of service) and libwmf (multiple vulnerabilities).openSUSE has updated flash-player (13.1, 13.2: codeexecution), chromium (13.1, 13.2:multiple vulnerabilities), and openssl(13.1, 13.2: multiple vulnerabilities).Oracle has updated kvm (O5:code execution) and nss (O6; O7: cipher-downgrade attacks).Red Hat has updated kernel(RHEL5: privilege escalation) and kvm(RHEL5: code execution).Scientific Linux has updated kernel (SL7: multiple vulnerabilities)and mailman (SL7: code execution).SUSE has updated compat-openssl098 (SLE12: multiplevulnerabilities), KVM (SLE11 SP3:multiple vulnerabilities), and openssl(SLE12: multiple vulnerabilities).

Version 4.1 of the Ardour digital audio workstation software has been released. There are some new features in the release including input gain control, support for capture-only and playback-only devices, a real "Save As" option (with the old option being renamed to "Snapshot (& switch to new version)"), and allowing plugins to be reordered and meter positions to change without adding a click into the audio. There are also lots of user interface changes, including better High-DPI support. "This release contains several new features, both internally and in the user interface, and a slew of bug fixes worthy of your attention. Encouragingly, we also have one of our longest ever contributor lists for this release.We had hoped to be on a roughly monthly release cycle after the release of 4.0, but collaborations with other organizations delayed 4.1 by nearly a month."

The Ubuntu Community Council (UCC) and Kubuntu Council (KC) have issueda joint statement regarding the conflict between Jonathan Riddell andthe UCC. "We have mutually agreed that KDE is important to Ubuntu, and the Kubuntu Council believes that Ubuntu is important to the KDE community as well. Therefore we have a basis to work together on putting out a lovely Wily release. We recognize that there are honest and strong feelings about both the things that led up to the current controversy and the way that resolution of it was handled. Despite that, we would all like to move forward as best we can for the betterment of the Ubuntu project, including Kubuntu." LWN covered thecontroversy in late May.

CentOS has updated nss (C7;C6: cipher downgrade) and nss-util (C7; C6: cipher downgrade).Debian has updated cacti (three vulnerabilities).Fedora has updated xen (F20: multiple vulnerabilities).Oracle has updated kernel 2.6.39 (OL6; OL5: twovulnerabilities), kernel 3.8.13 (OL7; OL6: twovulnerabilities), and kernel 2.6.32 (OL6; OL5: twovulnerabilities)Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), flash-plugin (RHEL5&6: code execution), nss (RHEL6&7: cipher downgrade), php55-php (RHSC2: multiple vulnerabilities), and rh-php56-php (RHSC2: multiple vulnerabilities).Scientific Linux has updated libreswan (SL7: denial of service) and php (SL7: multiple vulnerabilities).SUSE has updated IBM Java(SLE10SP4: multiple vulnerabilities) and Java (SLE11SP2: multiple vulnerabilities).Ubuntu has updated python2.7,python3.2, python3.4 (14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013), tomcat6 (12.04: three vulnerabilities), and tomcat7 (15.04, 14.10, 14.04: multiple vulnerabilities).

The LWN.net Weekly Edition for June 25, 2015 is available.

PGCon 2015, the PostgreSQLinternational developer conference, took place in Ottawa, Canada from June16 to 20. This PGCon involved a change in format from prior editions, witha "developer unconference" in the two days before the main conferenceprogram. Both the conference and the unconference covered a wide range oftopics, many of them related to horizontal or vertical scaling, or to newPostgreSQL features.Subscribers can click below for a report from the conference from guest author Josh Berkus.

Arch Linux has updated flashplugin (code execution).CentOS has updated kernel (C7:multiple vulnerabilities), libreswan (C7:denial of service), mailman (C7: pathtraversal attack), and php (C7: multiple vulnerabilities).Debian has updated wireshark (denial of service).Debian-LTS has updated zendframework (regression in previous update).Fedora has updated curl (F22:information disclosure), libwmf (F21: codeexecution), openssl (F21: multiple vulnerabilities), and xen (F22; F21: multiple vulnerabilities).Mageia has updated flash-player-plugin (multiple vulnerabilities).openSUSE has updated cacti (13.2,13.1: SQL injection), curl (13.2, 13.1: information disclosure), and libwmf (13.2; 13.1: code execution).Oracle has updated kernel (OL7:multiple vulnerabilities), libreswan (OL7:denial of service), mailman (OL7: pathtraversal attack), and php (OL7: multiple vulnerabilities).SUSE has updated flash-player(SLED12: code execution).

Red Hat has announcedthe winners of its Women in Open Source Awards. The AcademicAward goes to Kesha Shah, a student at Dhirubhai Ambani Institute ofInformation and Communication Technology, and the Community Award goes to SarahSharp, embedded software architect at Intel. Opensource.com has interviewswith both women.KeshaShah: "Last year, I was a mentor in Season of KDE and GCI again, with BRLCAD and KDE. Now, I am currently working on testing automation of Ushahidi with Systers, an Anita Borg community, as a part of GSoC. During my journey, I had seen several of my peers enter the domain, succeed, and fail in equal measure. So, I took up the challenge of mentoring newbies.One of my biggest achievements is that I have personally guided about 20-22newbies into the world of open source through mentoring programs like GCI,SoK, Learn IT girls, and through conducting hands-on workshops andenlightening talks on open source. Those efforts converted them to regularcontributors."SarahSharp: "My second proudest moment is the very first round whenthe Linux kernel participated in the Outreach Program for Women (now called Outreachy). A lot of kernel maintainers complained about how newcomers would send them mangled patches, and grump about how the newcomers should really just RTFM and look at our patch submission guidelines. Of course, it turned out the manual was lacking or out of date, and there were a lot of steps to set up tools for Linux kernel development, so I spent a week and created a step-by-step tutorial.It was really gratifying to see those first applicants go through my tutorial and send well-formed patches. I've loved watching those interns move onto bigger projects, and even get hired to work on the Linux kernel, and I'm really proud I was able to help people get involved in Linux kernel development."

Greg Kroah-Hartman has released stable kernels 4.0.6, 3.14.45, and 3.10.81. All of them contain importantfixes throughout the tree.

Arch Linux has updated curl (information disclosure).Debian-LTS has updated postgresql-8.4 (denial of service).Fedora has updated xorg-x11-server (F22: permission bypass).Gentoo has updated chromium (multiple vulnerabilities) and gnutls (denial of service).Red Hat has updated kernel(RHEL7: multiple vulnerabilities), kernel-rt (RHEL7; RHEMRG2.5: multiple vulnerabilities), libreswan (RHEL7: denial of service), mailman (RHEL7: path traversal attack), and php (RHEL7: multiple vulnerabilities).SUSE has updated e2fsprogs(SLE11SP4: code execution).Ubuntu has updated kernel (14.10; 14.04; 12.04: regression in previous update), linux-ti-omap4 (12.04: regression in previousupdate), linux-lts-trusty (12.04:regression in previous update), linux-lts-utopic (14.04: regression inprevious update), and patch (14.10, 14.04,12.04: multiple vulnerabilities).

The Open Container Projecthas announced itsexistence. "Housed under the Linux Foundation, the OCP’s missionis to enable users and companies to continue to innovate and developcontainer-based solutions, with confidence that their pre-existingdevelopment efforts will be protected and without industryfragmentation. As part of this initiative, Docker will donate the code forits software container format and its runtime, as well as the associatedspecifications. The leadership of the Application Container spec (“appc”)initiative, including founding member CoreOS, will also be bringing theirtechnical leadership and support to OCP."

Debian has updated pyjwt (accepts arbitrary tokens).Debian-LTS has updated libclamunrar (double-free error), qemu (code execution), qemu-kvm (code execution), and zendframework (multiple vulnerabilities).Fedora has updated abrt (F22:multiple vulnerabilities), cups (F22; F21: twovulnerabilities), drupal7-views (F22; F21; F20: access bypass), gnome-abrt (F22: multiple vulnerabilities),kernel (F22; F21: privilege escalation), krb5 (F21: two vulnerabilities), libreport (F22: multiple vulnerabilities), openssl (F22: multiple vulnerabilities), postgresql (F22: multiple vulnerabilities), qemu (F21: denial of service), qpid-cpp (F21: two vulnerabilities), and satyr (F22: multiple vulnerabilities).Gentoo has updated adobe-flash(multiple vulnerabilities) and openssl (multiple vulnerabilities).openSUSE has updated cgit (13.2,13.1: code execution), xen (13.2; 13.1: multiple vulnerabilities), and XWayland (13.2: permission bypass).SUSE has updated IBM Java(SLE11SP3: multiple vulnerabilities).

In a post on the Red Hat Blog, the company has announced a version of Red Hat Enterprise Linux (RHEL) for ARM development. "Today, we are making the Red Hat Enterprise Linux Server for ARM Development Preview 7.1 available to all current and future members of the Red Hat ARM Partner Early Access Program as well as their end users as an unsupported development platform, providing a common standards-based operating system for existing 64-bit ARM hardware. Beyond this release, we plan to continue collaborating with our partner ISVs and OEMs, end users, and the broader open source community to enhance and refine the platform to ultimately work with the next generation of ARM-based designs." Jon Masters, who is the technical lead for the project, has a lengthy Google+ post about the project and its history over the last 4+ years.

The Linux Foundation's Critical Infrastructure Initiative has announcedthe funding of three projects to the tune of "nearly$500,000." "CII's funds will support a new open sourceautomated testing project, the Reproducible Builds initiative from Debian,and IT security researcher Hanno Boeck's Fuzzing Project. Additionally, TheLinux Foundation is announcing Emily Ratliff is joining The LinuxFoundation as senior director of infrastructure security for CII. Ratliffis a Linux, system and cloud security expert with more than 20 years'experience. Most recently she worked as a security engineer for AMD andlogged nearly 15 years at IBM."

Mark Shuttleworth announces "theFan", a new mechanism for directing communications between containers."We recognised that container networking is unusual, and quite unliketrue software-defined networking, in that the number of containers you wanton each host is probably roughly the same. You want to run a couple hundredcontainers on each VM. You also don’t (in the docker case) want to livemigrate them around, you just kill them and start them againelsewhere. Essentially, what you need is an address multiplier – anywhereyou have one interface, it would be handy to have 250 of theminstead."See this page fordetails on how it works.

The Mageia5 release is now available. The headline feature in this long-awaiteddistribution release appears to be UEFI BIOS support, but there's more; seethe releasenotes for details.

Linus has releasedthe 4.1 kernel. "It's not like the 4.1release cycle was particularly painful, and let's hope that the extraweek of letting it sit makes for a great release. Which wouldn't be abad thing, considering that 4.1 will also be a LTS release."Headline features in this release includesupport for encrypted ext4 filesystems,the persistent memory block driver,ACPI support for the ARM64 architecture, and more.

The openSUSE project has often struggled with questions of identity: whatis the distribution trying to be, and for who? From the 2010 strategy search through to the 2013 development-model discussions and the 2014 release-management questions, openSUSE'sdevelopers have tried to find a development approach that is bothsustainable and appealing to a wider audience. In 2015, it appears that apartial success has been achieved, but that success is driving a new andcontroversial change.

Lennart Poettering writesabout the sd-bus library with substantial digressions into how D-Busworks in general. "We believe the result of our work delivers our goals quite nicely:the library is fun to use, supports kdbus and sockets as back-end, isrelatively minimal, and the performance is substantially better than bothlibdbus and GDBus."

Code Climate has announcedthe open-source release of its static-analysis platform. "We’rereleasing the static analysis engines that power the new Code ClimatePlatform, and going forward, all of our static analysis code will bepublished under Open Source licenses. Code Climate has always provided freeanalysis to Open Source projects, and this continues to deepen ourcommitment to, and participation in, the OSS community."

At his blog, former Ubuntu Community Manager Jono Bacon speculateson whether or not the Ubuntu Phone project should rebase its softwarestack on Android. Bacon prefaces the post with a note that it is"designed purely for some intellectual fun and discussion. I amnot proposing we actually do this, nor advocating for this."The central argument is that new mobile platforms invariably expendhundreds of thousands of dollars attracting well-known app vendors tothe new stack. Supporting Android apps would let Ubuntu focus effortson the user interface, scopes, and other components. "I knowthere has been a reluctance to support Android apps on Ubuntu as itdevalues the Ubuntu app ecosystem and people would just use Androidapps, but I honestly think some kind of middle-ground is needed to getinto the game, otherwise I worry we won’t even make it to the subsbench no matter how awesome our technology is." Note that,whatever one makes of the idea, Bacon is speaking only about theUbuntu Phone stack; the post does touch on how such a rebase wouldinterfere with Ubuntu's plans for a converged software stack.

Debian has updated cinder(file disclosure) and drupal7 (multiple vulnerabilities).Fedora has updated mbedtls(F21: multiple vulnerabilities) and python-django14 (F20: cross-site scripting).Mageia has updated cups(M4: multiple vulnerabilities), ffmpeg(M4: multiple vulnerabilities), openssl (M4: multiple vulnerabilities), and redis (M4: code execution).SUSE has updated IBM Java (SLES10 SP4; SLE11: multiple vulnerabilities).

Luke Wagner of Mozilla has announcedthe existence of the WebAssembly project. The purpose is to define alow-level language to run in web browsers; it will then serve as acompilation target for higher-level languages. Developers from most of themajor browser engines are working on the project. "For existingEmscripten/asm.js users, targeting WebAssembly will be as easy as flippinga flag. Thus, it is natural to view WebAssembly as the next evolutionarystep of asm.js (a step many have requested and anticipated)."

CentOS has updated cups (C7; C6: three vulnerabilities).Debian has updated kernel (three vulnerabilities).Debian-LTS has updated linux-2.6(multiple vulnerabilities going back to 2011) and openssl (multiple vulnerabilities).Fedora has updated mbedtls (F20:code execution), python-requests (F21:cookie stealing), and python-urllib3 (F21:proper openssl support).openSUSE has updated busybox(13.2, 13.1: code execution) and strongswan(13.2, 13.1: information disclosure).Oracle has updated cups (OL7; OL6:three vulnerabilities).Red Hat has updated cups(RHEL6&7: three vulnerabilities).Scientific Linux has updated cups(SL6&7: three vulnerabilities).

The LWN.net Weekly Edition for June 18, 2015 is available.

A 2013 Kickstarterproject brought us Micro Python, which is a versionof Python 3 for microcontrollers, along with the pyboard torun it on. Micro Python is a complete rewrite of the interpreter thatavoids some of the CPython (the canonical Python interpreter written in C)implementation details that don't work well on microcontrollers.I recently got my hands on a pyboard and decided to give it—andMicro Python—a try.

Opensource.com takesa look at the upcoming release of Blender 2.75. "One of the biggest features merged into Blender this go-round were from the multiview branch. In short, Blender now fully supports the ability to create stereoscopic 3D images. With the increased pervasiveness of 3D films and televisions—not to mention VR headsets in gaming—a lot of people are interested in generating images that play nice in this format. And now Blender can."

Debian-LTS has updated linux-2.6 (multiple vulnerabilities).Red Hat has updated kernel(RHEL5.9: privilege escalation).SUSE has updated java-1_7_0-ibm (SLE12: multiple vulnerabilities).Ubuntu has updated aptdaemon(15.04, 14.10, 14.04, 12.04: information leak), devscripts (14.10, 14.04, 12.04: directorytraversal), and wpa, wpasupplicant (15.04,14.10, 14.04, 12.04: multiple vulnerabilities).

The leap second is an occasional ritual wherein Coordinated Universal Time(UTC) is held back for one second to account for the slowing of the Earth'srotation. The last leap second happened on June 30, 2012; the next isscheduled for June 30 of this year. Leap seconds are thus infrequentevents. One might easily imagine that infrequent events involving timediscontinuities would be likely to expose software problems, and, sureenough, the 2012 leap second hadits share of issues. The 2015 leap second looks to be a calmer affair,but it appears that it will not be entirely problem-free.

CentOS has updated abrt (C7:multiple vulnerabilities), openssl (C7; C6:multiple vulnerabilities), and wpa_supplicant (C7: two vulnerabilities).Debian has updated p7zip (directory traversal).Oracle has updated openssl (OL7; OL6: multiple vulnerabilities).Red Hat has updated openssl(RHEL6,7: multiple vulnerabilities).Scientific Linux has updated openssl (SL6,7: multiple vulnerabilities).SUSE has updated kernel (SLE12: multiple vulnerabilities).Ubuntu has updated kernel (15.04; 14.10;14.04; 12.04: privilege escalation), linux-lts-trusty (12.04: privilegeescalation), linux-lts-utopic (14.04:privilege escalation), linux-lts-vivid(14.04: privilege escalation), and linux-ti-omap4 (12.04: privilege escalation).

Opensource.com has an interviewwith Robyn Bergeron about her current position as Operations Advocateat Elastic, and past roles (such as Fedora Project Leader). "The ELK stack (that's Elasticsearch, Logstash, and Kibana), being incredibly flexible and adaptable to many use cases, appeals to both operations folks and developers—but my love for it really has grown from seeing how fantastically it has allowed folks working in ops to not just start more rapidly identifying that "something broke," but also to be able to visually identify the patterns that lead to those broken things. Getting to a point where you're not just on fire all the time fixing technology, and instead fixing the processes that lead to fires, or implementing ways to proactively avoid fires, is not just redeeming, but frees up time to do other things besides firefighting.People love breaking that loop, and it's fabulous being an advocate for something that is literally making people's work-life balance and general happiness levels better. I've been in those fires. It's not fun. It makes me happy to see users feeling awesome."

Debian has updated libav (twovulnerabilities), openssl (multiplevulnerabilities), qemu (multiplevulnerabilities), qemu-kvm (two vulnerabilities), sqlite3 (denial of service), and xen (multiple vulnerabilities).Debian-LTS has updated p7zip (directory traversal).Fedora has updated armacycles-ad (F22; F21; F20: multiple vulnerabilities), filezilla (F22: multiple vulnerabilities), fuse (F20: privilege escalation), libreswan (F20: denial of service), nss (F20: cipher-downgrade attacks), nss-softokn (F20: cipher-downgrade attacks),nss-util (F20: cipher-downgrade attacks),ntfs-3g (F20: privilege escalation), and xen (F22; F21: multiple vulnerabilities).openSUSE has updated flash-player(11.4: multiple vulnerabilities), coreutils(13.2: memory handling error), cups (13.2,13.1: three vulnerabilities), dpkg (13.2,13.1: integrity-verification bypass), and php5 (13.2, 13.1: information disclosure).

As promised, the 4.1-rc8 kernel prepatch isout. "So I'm on vacation, but time doesn't stop for that, and it'sSunday, so time for a hopefully final rc."

The 2015 edition of the TeX Live software distribution, the "easy way to get up and running with the TeX document production system," has been released. DVDs are in production for members of the TeX Users Group (TUG), though many will probably prefer the downloadable release. The changes included in this edition include the merging of several LaTeX fixes from external packages into LaTeX itself, JPEG Exif support in pdfTeX, and image-handling fixes in XeTeX.

Version 1.10 of the MATE Desktop has been released. Perhaps the most notable new feature is that all MATE components can now be built with GTK+2 or GTK+3, although GTK+3 support is still labeled "experimental." Also new in this update are ePub support in the Atril document viewer and a new audio-mixing library named libmatemixer.

Arch Linux has updated openssl (multiple vulnerabilities).Debian-LTS has updated imagemagick (multiple vulnerabilities) and strongswan (information disclosure).Fedora has updated qemu(F22: denial of service).openSUSE has updated flash-player (13.1, 13.2: multiplevulnerabilities), python-setuptools(13.1: non-secure SSL hostname matching), and tidy (13.1, 13.2: buffer overflow).Oracle has updated wpa_supplicant (O7: multiple vulnerabilities).Red Hat has updated wpa_supplicant (RHEL7: multiple vulnerabilities).Scientific Linux has updated wpa_supplicant (SL7: multiple vulnerabilities).Slackware has updated openssl (multiple vulnerabilities) and php (S14: multiple vulnerabilities).SUSE has updated cups (SLE12: multiple vulnerabilities),cups154 (SLE12: multiple vulnerabilities), flash-player (SLE12: multiple vulnerabilities), and xen (SLE11 SP3; SLE12: multiple vulnerabilities).Ubuntu has updated openssl (multiple vulnerabilities).

Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping the information about security vulnerabilities quiet until distributions can coordinate their releases of a fix for it seems like it makes a lot of sense, but there are hidden costs to that. "Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for 'because of an incomplete fix for'."

CentOS has updated kernel (C6:multiple vulnerabilities) and qemu-kvm (C6: code execution).Debian-LTS has updated wireshark(WCP dissector crash).Fedora has updated cabal-install(F22: force digest authentication), freecad(F22: code execution), fusionforge (F22; F21: codeexecution), haskell-platform (F22: forcedigest authentication), less (F21:information leak), libreswan (F22;F21: denial of service), python-tornado (F21: TLS side-channel attack),and thermostat (F21: code execution).openSUSE has updated proftpd(13.2, 13.1: two vulnerabilities, one from 2013), wpa_supplicant (13.2, 13.1: threevulnerabilities), and zeromq (13.2, 13.1:protocol downgrade).Oracle has updated qemu-kvm (OL6:code execution) and kernel (OL6; OL5: three vulnerabilities).Red Hat has updated qemu-kvm(RHEL6: code execution) and qemu-kvm-rhev(RHEL6OSP: code execution).Scientific Linux has updated abrt(SL7: multiple vulnerabilities) and qemu-kvm (SL6: code execution).Ubuntu has updated kernel (15.04; 14.10;14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities),linux-lts-utopic (14.04: twovulnerabilities), linux-lts-vivid (14.04:three vulnerabilities), and linux-ti-omap4(12.04: multiple vulnerabilities).