LWN.net

OpenSSL has updates released today, with two vulnerabilities of"High" severity, as described in its advisory. One ofthe High vulnerabilities is a reclassification of the FREAK vulnerability due to the prevalence ofservers with RSA export ciphers available, the other is a denial of servicein OpenSSL 1.0.2.CentOS has updated freetype (C6:multiple vulnerabilities) and unzip (C6:multiple vulnerabilities).Debian has updated file (denialof service).Debian-LTS has updated mono(three SSL/TLS vulnerabilities).Gentoo has updated python(multiple vulnerabilities, two from 2013).Mageia has updated moodle(multiple vulnerabilities).openSUSE has updated gdm (13.2:screen lock bypass), glusterfs (13.2:denial of service), and libssh2_org (13.2,13.1: information leak).Oracle has updated unzip (OL7; OL6:multiple vulnerabilities).Red Hat has updated postgresql92-postgresql (RHSC1: multiplevulnerabilities) and unzip (RHEL6&7:multiple vulnerabilities).SUSE has updated kernel (SLE12:multiple vulnerabilities).

The Fedora project is looking for somebody to become its diversityadvisor. "The Fedora Diversity Advisor will lead initiatives to assess andpromote equality and inclusion within the Fedora contributor and usercommunities, and will develop project strategy on diversity issues. TheDiversity Advisor will also be the point of contact for Fedora’sparticipation in third-party outreach programs and events." Youhave to get to the bottom of the announcement to read that this is avolunteer position, though they hope to change that someday.

The LWN.net Weekly Edition for March 19, 2015 is available.

The OpenSSH6.8 release is available. New features include host-key rotationsupport (to allow graceful changes to host keys), an option to require twopublic keys for authentication, and quite a few more.

Greg Kroah-Hartman has released a set of stable kernel updates: 3.19.2, 3.14.36, and 3.10.72. All contain the usual set ofimportant fixes.

Debian has updated php5 (multiple vulnerabilities).Fedora has updated freexl (F21; F20:denial of service) and libgcrypt (F21: two vulnerabilities).openSUSE has updated vorbis-tools(13.2, 13.1: denial of service).Oracle has updated freetype (OL7; OL6:multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5,6: multiple vulnerabilities) and freetype (RHEL6,7: multiple vulnerabilities).Ubuntu has updated libxfont (privilege escalation) and php5 (multiple vulnerabilities).

The Salt Lake Tribune reportsthat the SCO Group's lawsuit against IBM is once again alive and moving inFederal court. "In addition to its claims of IBM misappropriation ofcode, SCO alleges that IBM executives and lawyers directed the company'sLinux programmers to destroy source code on their computers after SCO madeits allegations. The company's other remaining claims are that IBM'sactions amounted to unfair competition and interference with its contractsand business relations with other companies."

Qt 5.5 alpha has been released."With Qt 5.5, Canvas 3D is fully supported and a technology previewof long awaited Qt 3D is included. Qt 5.5 also introduces mapping supportwith a Qt Location technology preview. Qt 5.5 Alpha is the first steptowards Qt 5.5 final release planned to be available in May." Checkout the New Features inQt 5.5 page for more details.

When the schedulefor the 2015 Linux Storage, Filesystem, and Memory Management Summit waslaid out, its authors optimistically set aside 30 minutes on the first dayfor the thorny issue of memory-allocation problems in low-memorysituations. That session (covered here)didn't get past the issue of whether small allocations should be allowed tofail, so the remainder of the discussion, focused on finding bettersolutions for the problem of allocations that simply cannot fail, waspushed into a plenary session on the second day.With this article, LWN's coverage of the memory-management track at LSFMM2015 is complete; sessions from the filesystems track are being added aswell. It all can be found at the LWN LSFMM2015 page.

Debian has updated checkpw (denial of service), libxfont (privilege escalation), and tcpdump (multiple vulnerabilities).Debian-LTS has updated gnupg (multiple vulnerabilities) and tcpdump (multiple vulnerabilities).Gentoo has updated adobe-flash(multiple vulnerabilities) and file(multiple vulnerabilities).Red Hat has updated kernel(RHEL6.2: multiple vulnerabilities) and kernel-rt (RHE MRG2.5: multiple vulnerabilities).Ubuntu has updated libav (12.04: multiple vulnerabilities).

The New Yorker notesthe 30th anniversary of the GNU Manifesto. "Stallman was one of the first to grasp that, if commercial entitieswere going to own the methods and technologies that controlled computers,then computer users would inevitably become beholden to thoseentities. This has come to pass, and in spades. Most computer users havebecome dependent on proprietary code provided by companies like Apple,Facebook, and Google, the use of which comes with conditions we may notcondone or even know about, and can’t control; we have forfeited thefreedom to adapt such code according to our needs, preferences, andpersonal ethics."

Debian has updated freetype (many vulnerabilities), gnutls26 (two vulnerabilities), icu (multiple vulnerabilities), libav (multiple vulnerabilities), and putty (information disclosure).Debian-LTS has updated libextlib-ruby (code execution and more), libssh2 (information leak), mod-gnutls (restriction bypass), and putty (information disclosure).Fedora has updated 389-admin(F21: multiple /tmp/ file vulnerabilities), cups-filters (F21; F20:remote command execution), gnupg (F20:multiple vulnerabilities), httpd (F21:multiple vulnerabilities), jBCrypt (F21; F20:integer overflow), kernel (F20: multiplevulnerabilities), libmspack (F21; F20: denial of service), libuv (F20: privilege escalation), nodejs (F20: privilege escalation),phpMyAdmin (F21; F20: information leak), putty (F21; F20:information disclosure), tcllib (F21: HTMLinjection), and v8 (F20: privilege escalation).Gentoo has updated hivex (privilege escalation) and icu (multiple vulnerabilities).Mageia has updated 389-ds-base (multiple vulnerabilities) and flash-player-plugin (multiple vulnerabilities).Mandriva has updated kernel (multiple vulnerabilities), nss (multiple vulnerabilities), qemu (multiple vulnerabilities), and yaml (multiple vulnerabilities).openSUSE has updated flashplayer(11.4: multiple vulnerabilities), chromium(13.2, 13.1: multiple vulnerabilities), and postgresql (11.4: multiple vulnerabilities).SUSE has updated flash-player(SLED11 SP3: multiple vulnerabilities) and java-1_7_0-openjdk (SLE12: multiple vulnerabilities).Ubuntu has updated cups-filters(14.10, 14.04: remote command execution), requests (14.10, 14.04: cookie stealing attacks), and sudo (information disclosure).

The fourth 4.0 prepatch is out for testing.Linus says: "Nothing particularly stands out here. Shortlog appended,I think we're doing fine for where in the release cycle we are."

Libre Graphics World has a lookat the new release of OpenSCAD, the 3D solid-modeling tool often usedin conjunction with 3D printers. The new features include support forcomplex text layout, offset functions for manipulating polygons, andthe ability to generate height maps from PNG images. "The user interface got a few improvements as well: new startup dialog to quickly open recent files or examples from a library, new QScintilla-based code editor with folding support, SVG and AMF exporting, and more."

CentOS has updated kernel(C6: multiple vulnerabilities).Debian has updated gnupg(multiple vulnerabilities), libgcrypt11 (multiple vulnerabilities), movabletype-opensource (multiple vulnerabilities), and nss (data smuggling).Fedora has updated krb5(F21: multiple vulnerabilities)and suricata (F21: multiple vulnerabilities).Mageia has updated libarchive (M4: directory traversal), libssh2 (M4: denial of service), and qt3, qt4, qt5base (M4: denial of service).openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities), osc (13.1, 13.2: command injection), and wireshark (13.1, 13.2: multiple vulnerabilities).Oracle has updated gnome-shell, clutter, cogl, mutter (O7:lock screen bypass), httpd (O7: multiple vulnerabilities), ipa (O7: multiple vulnerabilities), kernel (O7: multiple vulnerabilities), krb5 (O7: multiple vulnerabilities), libreoffice (O7: code execution), libvirt (O7: multiple vulnerabilities), qemu-kvm (O7: multiple vulnerabilities), and thunderbird (O7: multiple vulnerabilities).SUSE has updated bind(SLE10: denial of service), flash-player (SLE12: multiple vulnerabilities), and osc (SLE12: command injection).

InformationWeek has alengthy look at the maintenance of the network time protocol (NTP)code. "Not all is well within the NTP open source project. Thenumber of volunteer contributors -- those who submit code for periodicupdates, examine bug reports, and write fixes -- has shrunk over its longlifespan, even as its importance has increased. Its ongoing development andmaintenance now rest mostly on the shoulders of [Harlan] Stenn, and that'swhy NTP faces a turning point. Stenn, who also works sporadically on his ownconsulting business, has given himself a deadline: Garner more financialsupport by April, 'or look for regular work.'"

Google has announcedthat the Google Code repository is shutting down. "As developersmigrated away from Google Code, a growing share of the remaining projectswere spam or abuse. Lately, the administrative load has consisted almostexclusively of abuse management. After profiling non-abusive activity onGoogle Code, it has become clear to us that the service simply isn’t neededanymore." New project creation has been stopped already; the finalpulling of the plug will be in January 2016.

openSUSE has updated cacti (13.2,13.1: multiple vulnerabilities).Oracle has updated kernel (OL6: multiple vulnerabilities).Red Hat has updated kernel(RHEL6: multiple vulnerabilities).Scientific Linux has updated bind(SL6,7: denial of service) and kernel (SL6:multiple vulnerabilities).SUSE has updated bind(SLES11 SP1: denial of service) and kernel (SLES11 SP2: multiple vulnerabilities).Ubuntu has updated kernel (14.10; 14.04;12.04; 10.04: privilege escalation), linux-lts-trusty (12.04: privilegeescalation), and linux-lts-utopic (14.04: privilege escalation).

The LWN.net Weekly Edition for March 12, 2015 is available.

Since opening its doors in 2008, GitHub has grown to become the largestactive project-hosting service for open-source software. But it hasalso attracted a fair share of criticism for some of itsimplementation choices—with one of the leading complaints beingthat it takes a lax approach to software licensing. That, in turn,leads to a glut of repositories bearing little or no licensingdetails. The company recently announced a new tool to help combat thelicense-confusion issue: a site-wide API for querying and reportinglicense information. Whether that API is up to the task, however,remains to be seen.

CentOS has updated bind (C6: denial of service).Debian has updated libssh2 (information leak), mod-gnutls (restriction bypass), and xen (multiple vulnerabilities).Debian-LTS has updated axis (verification bypass).Mageia has updated gnupg,libgcrypt (information leak), icu (codeexecution), pngcrush (denial of service), and vsftpd (unauthorized access).openSUSE has updated autofs(13.2, 13.1: privilege escalation), glusterfs (13.1: denial of service), percona-toolkit (13.2, 13.1:man-in-the-middle attack), and putty (13.2,13.1: information disclosure).Oracle has updated bind (OL6: denial of service).Red Hat has updated bind(RHEL6,7: denial of service).Ubuntu has updated ecryptfs-utils(information disclosure) and icu (12.04:regression in previous update).

As Michal Hocko noted at the beginning of his session at the 2015 Linux Storage, Filesystem, and Memory Management Summit, the news that thememory-management code will normally retry small allocations indefinitelyrather than returning a failure status came as a surprise to manydevelopers. In this session, the assembled group attempted to come up withways to safely change this behavior. Click below (subscribers only) forthe full report from LSFMM 2015.

The Project Zero blog looksat the "Rowhammer" bug. "“Rowhammer” is a problem with somerecent DRAM devices in which repeatedly accessing a row of memory can causebit flips in adjacent rows. We tested a selection of laptops and found thata subset of them exhibited the problem. We built two working privilegeescalation exploits that use this effect. One exploit usesrowhammer-induced bit flips to gain kernel privileges on x86-64 Linux whenrun as an unprivileged userland process. When run on a machine vulnerableto the rowhammer problem, the process was able to induce bit flips in pagetable entries (PTEs). It was able to use this to gain write access to itsown page table, and hence gain read-write access to all of physicalmemory." (Thanks to Paul Wise)

VMware has publisheda statement on the lawsuit filed by Christoph Hellwig allegingcopyright infringement. "On March 5, 2015, Software Freedom Conservancy (SFC) announced a lawsuit in Germany, filed by Christoph Hellwig against VMware, alleging a failure to comply with the General Public License (GPL). We believe the lawsuit is without merit, and we are disappointed that the SFC and plaintiff have resorted to litigation given the considerable efforts we have made to understand and address their concerns.We see huge value in supporting multiple development methodologies, including free and open source software, and we appreciate the crucial role of free and open source software in the data center. In particular, VMware devotes significant effort supporting customer usage of Linux and F/OSS based software stacks and workloads."LWN recently covered the lawsuit. (Thanksto Emmanuel Seyman)

The Fedora Project has announced the release of Fedora 22 Alpha."The Alpha release contains all the exciting features of Fedora 22's editions in a form that anyone can help test. This testing, guided bythe Fedora QA team, helps us target and identify bugs. When these bugsare fixed, we make a Beta release available. A Beta release iscode-complete and bears a very strong resemblance to the third andfinal release. The final release of Fedora 22 is expected in May."

Mandriva has updated kernel (multiple vulnerabilities).Oracle has updated 389-ds-base(OL7: multiple vulnerabilities), glibc(OL7: multiple vulnerabilities), hivex(OL7: privilege escalation), openssh (OL7:two vulnerabilities), and pcre (OL7: information leak).Red Hat has updated qpid-cpp (RHE MRG for RHEL7; RHE MRG for RHEL6; RHE MRG for RHEL5: multiple vulnerabilities).Scientific Linux has updated 389-ds-base (SL6: information disclosure).Ubuntu has updated apache2(multiple vulnerabilities), oxide-qt(14.10, 14.04: multiple vulnerabilities), and firefox (14.10, 14.04, 12.04: regression inprevious update).

A brief "codeof conflict" was merged into the kernel's documentationdirectory for the 4.0-rc3 release. The idea is to describe the parametersfor acceptable discourse without laying down a lot of rules; it also namesthe Linux Foundation's technical advisory board as a body to turn to incase of unacceptable behavior. This document has been explicitlyacknowledged by a large number of prominent kernel developers.

Debian-LTS has updated konversation (information disclosure), libarchive (directory traversal), and redcloth (cross-site scripting).Fedora has updated cabextract (F21; F20:privilege escalation), kernel (F21: denialof service), krb5 (F20: multiplevulnerabilities), lftp (F20: automaticallyaccepting ssh keys), libpng10 (F21;F20: two vulnerabilities), and qt3 (F21; F20: denial of service).Gentoo has updated dbus (denial of service), freetype (multiple vulnerabilities), glibc (multiple vulnerabilities), and php (multiple vulnerabilities).Mageia has updated apache (denialof service), jython (code execution), librsvg (multiple vulnerabilities), mapserver (command execution), and putty, filezilla (information disclosure).Mandriva has updated rpm (code execution).openSUSE has updated libmspack(13.2, 13.1: denial of service), thunderbird (13.2, 13.1: multiplevulnerabilities), and tiff (13.2, 13.1: multiple vulnerabilities).SUSE has updated firefox (SLE11 SP3; SLE11 SP2,SP1, SLES10 SP4: multiple vulnerabilities).Ubuntu has updated icu (12.04:regression in previous update).

The 4.0-rc3 prepatch is out. "Backon track with a Sunday afternoon release schedule, since there was nothingparticularly odd going on this week, and no last-minute bugs that I knew ofand wanted to get fixed holding things up."

Debian project leader Lucas Nussbaum has confirmed the appointment of threenew members to the Debian technical committee. The new members are DidierRaboud, Tollef Fog Heen, and Sam Hartman; they will be replacing IanJackson, Russ Allbery, and Colin Watson.

The3.19.1,3.18.9,3.14.35, and3.10.71 stable kernel updates areavailable; each contains a relatively large set of important fixes.

At his blog, David Edmundson writesabout the state of high-DPI support in KDE. "For someapplications supporting high DPI has been easy. It is a single oneline in KWrite, and suddenly all icons look spot on with noregressions. For applications such as Dolphin which do a lot moregraphical tasks, this has not been so trivial. There are a lot ofimages involved, and a lot of complicated code around caching thesewhich conflicts with the high resolution support without some furtherwork." He is personally trackingthe progress of many applications, but notes that there are manyunsolved issues. "There are still many applications without a frameworks release even in the upcoming 15.04 applications release. Even in the next applications release in 15.08 August we are still unlikely to see a released PIM stack.Is it a good idea to add an option into our UIs that improves some applications at the cost of consistency? It's not an easy answer."This update is Edmunsdon's second post on the subject; the first, fromNovember 2014, is also quite informative.

Debian has updated libarchive (directory traversal).Debian-LTS has updated eglibc (multiple vulnerabilities).Fedora has updated gnupg(F21: multiple vulnerabilities), libjpeg-turbo (F20; F21: denial of service), and qt (F20: denial of service).Gentoo has updated jasper(multiple vulnerabilities).Mageia has updated dokuwiki(M4: access control circumvention), maradns (M4: denial of service), python (M4: missing hostname check), vlc (M4: code execution), and vorbis-tools (M4: multiple vulnerabilities).openSUSE has updated chromium (13.1, 13.2: multiple vulnerabilities) and php5 (13.1, 13.2: multiple vulnerabilities).Oracle has updated 389-ds-base (O6: information disclosure).Red Hat has updated 389-ds-base (RHEL6; RHEl7:information disclosure),chromium-browser (RHEL6: multiple vulnerabilities), firefox (RHEL7: multiple vulnerabilities), glibc (RHEL7: multiple vulnerabilities), gnome-shell, mutter, clutter, cogl (RHEL7:denial of service), hivex (RHEL7: code execution), httpd (RHEL7: multiple vulnerabilities), ipa (RHEL7: multiple vulnerabilities), kernel (RHEL7: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libreoffice (RHEL7: multiple vulnerabilities), libvirt (RHEL7: multiple vulnerabilities), openssh (RHEL7: multiple vulnerabilities), openstack-glance (RHEL OSP6: denial of service), pcre (RHEL7: denial of service), powerpc-utils (RHEL7: information disclosure), ppc64-diag (RHEL7: information disclosure), qemu-kvm (RHEL7: multiple vulnerabilities), qemu-kvm-rhev (RHEL OSP6: buffer overflow), redhat-access-plugin-openstack (RHELOSP6: information disclosure), thunderbird (RHEL7: multiple vulnerabilities), and virt-who (RHEL7: credentials disclosure).Slackware has updated samba(14.1: code execution).SUSE has updated PHP 5.3(SLES11: multiple vulnerabilities).

The Samba team has announced the first release in the new stable 4.2.xseries. This release adds transparent file compression, access to"Snapper" snapshots via the Windows Explorer "previous versions" dialog,better clustering support, and much more. This release also marks the endof support for Samba 3.

When Karen Sandler, the executive director of the Software Freedom Conservancy, spokerecently at the Linux Foundation's CollaborationSummit, she spent some time on the Linux Compliance Project, an effortto improve compliance with the Linux kernel's licensing rules. Thisproject, launched with some fanfare in 2012,has been relatively quiet ever since. Karen neglected to mention that thissituation was about to change; that had to wait for theannouncement on March 5 of the filing of a lawsuit against VMware alleging copyright infringement for its use of kernel code.Subscribers can click below for the full story.

Fedora has updated bind (F21; F20:denial of service), lftp (F21:automatically accepting ssh keys), and rubygem-actionpack (F20: two information leaks).openSUSE has updated vsftpd(13.2, 13.1: access restriction bypass).Ubuntu has updated icu (14.10,14.04, 12.04: multiple vulnerabilities, some from 2013).

The LWN.net Weekly Edition for March 5, 2015 is available.

Thus far, this series on network-attached storage (NAS) distributions haslooked at three different approaches to the problem. OpenMediaVaultprovides a NAS server using traditional Linux filesystems, Rockstor baseseverything on the Btrfs filesystem, and FreeNAS is a FreeBSD-based systemusing ZFS. This fourth (and probably final) installment in this series goesback to Btrfs with a look at EasyNAS,which is another attempt to make the unique features of Btrfs available in a dedicated NAS distribution.

Debian has updated icedove (multiple vulnerabilities).Debian-LTS has updated unace (code execution).Fedora has updated arc (F21; F20:directory traversal), e2fsprogs (F21; F20: codeexecution), glibc (F21; F20: multiple vulnerabilities), php (F20: multiple vulnerabilities), and qt (F21: denial of service).Mageia has updated php (multiple vulnerabilities).Mandriva has updated bind (denial of service) and freetype2 (many vulnerabilities).openSUSE has updated apache2(13.2: denial of service), postgresql93(13.2: multiple vulnerabilities), and python-rope (13.2, 13.1: unauthorized pickle.load).Red Hat has updated foreman-proxy (RHEL OSP Foreman; RHEL OSP4.0: restriction bypass).SUSE has updated php5 (SLE12: two vulnerabilities).Ubuntu has updated kernel (14.04:regression in previous update) and linux-lts-trusty (12.04: regression inprevious update).

GitLab and Gitorious have announcedthat GitLab will acquire Gitorious. "Starting today, Gitorious.org users can import their existing projects into GitLab.com by clicking the “Import projects from Gitorious.org” link when creating a new project. Gitorious.org will stay online until the end of May 2015 to give people time to migrate their repositories."

The 4.0-rc2 kernel prepatch is out. "So rc2 missed the usual Sunday afternoon timing, because I spent mostof the weekend debugging an issue that happened on an old Mac Mini Ihave around, and I hate making even early -rc releases with problemson machines that I have direct access to. Even if it only affected oldmachines that actual developers are unlikely to have or at least use.Today I got the patch from Daniel Vetter to fix it, so instead ofdoing a Sunday evening rc2, it's a Tuesday morning one. Go get it. Itworks better for the delay."

Debian has updated unace (code execution).Mandriva has updated patch (multiple vulnerabilities), sympa (information disclosure), tomcat (multiple vulnerabilities), and tomcat6 (multiple vulnerabilities).Red Hat has updated kernel (RHEL6.5; RHEL6.4: multiple vulnerabilities).SUSE has updated firefox (SLE12: multiple vulnerabilities).Ubuntu has updated thunderbird(14.10, 14.04, 12.04: multiple vulnerabilities).

Debian-LTS has updated bind9(denial of service), e2fsprogs (codeexecution), libgtk2-perl (code execution),and sudo (two vulnerabilities).Fedora has updated httpd (F20:multiple vulnerabilities), librsvg2 (F21; F20:multiple unspecified vulnerabilities), libuv (F21: privilege escalation), nodejs (F21: privilege escalation), v8 (F21: privilege escalation), andvorbis-tools (F21; F20: denial of service).Mandriva has updated cups (buffer overflow).openSUSE has updated firefox, nss(13.2, 13.1: multiple vulnerabilities).SUSE has updated java-1_6_0-ibm(SLES11 SP1,SP2: multiple vulnerabilities).Ubuntu has updated kernel (14.04:regression in previous update).

The IPython interactive developmentsystem project has announced its 3.0release. "Support for languages other than Python is greatlyimproved, notebook UI has been significantly redesigned, and a lot ofimprovement has happened in the experimental interactive widgets. Themessage protocol and document format have both been updated, whilemaintaining better compatibility with previous versions than priorupdates. The notebook webapp now enables editing of any text file, and evena web-based terminal (on Unix platforms)." (LWN looked at IPython in 2014).

Version 2.2.0 of the VLC media player has been released. According to the announcement, highlights in the new version include automatic, hardware-accelerated rotation of portrait-orientation videos such as those shot on smartphones, resuming playback at the last point watched in the previous session, in-application download and installation of extensions, support for interactive Blu-Ray menus, and "compatibility with a very large number of unusual codecs." The release is available for Linux, Android, and Android TV, plus various Windows and Apple platforms.

Version 3.6 of the LLVM compiler suite is out. Changes include "manymany bug fixes, optimization improvements, support for more proposed C++1z features in Clang, better native Windowscompatibility, embedding LLVM IR in native object files, Go bindings,and more." Details can be found in the LLVM 3.6release notes and the Clang3.6 release notes.

Greg Kroah-Hartman has released the latest stable kernels: 3.18.8, 3.14.34, and 3.10.70. All contain important updatesand fixes.

Debian has updated request-tracker4 (multiple vulnerabilities).Debian-LTS has updated cups(code execution) and request-tracker3.8 (multiple vulnerabilities).Oracle has updated openssl(O5: multiple vulnerabilities).SUSE has updated Samba(SLES11: code execution).Ubuntu has updated cups(code execution)and eglibc, glibc (multiple vulnerabilities).

Ars Technica takes a look at Linux gaming and at what effect SteamOS has had already for gaming on Linux. The article also considers the future and where SteamOS might (or might not) take things. "This all brings up another major question for SteamOS followers: how long is this "beta" going to last, exactly? While Valve has unquestionably built a viable Linux gaming market from practically nothing, the company's lackadaisical development timeline might be holding the market back from growing even more. In the last year, the initial excitement behind the SteamOS beta launch seems to have given way to "Valve Time" malaise in some ways."

CentOS has updated thunderbird (C6; C5:multiple vulnerabilities).Debian has updated cups (codeexecution), iceweasel (multiplevulnerabilities), kfreebsd-9 (denial ofservice), and libgtk2-perl (code execution).Fedora has updated libhtp (F20:denial of service).Gentoo has updated samba(multiple vulnerabilities, some from 2012 and 2013).Mageia has updated apache-poi(denial of service), cabextract (privilegeescalation), e2fsprogs (two code executionflaws), firefox, thunderbird (multiplevulnerabilities), and sympa (information disclosure).openSUSE has updated cups (13.2,13.1: code execution)and snack (13.2, 13.1: code execution from 2012).Oracle has updated firefox (OL5:multiple vulnerabilities) and thunderbird(OL6: multiple vulnerabilities).Red Hat has announced that RHEL5.9 support will end on March 31.Scientific Linux has updated firefox (multiple vulnerabilities) and thunderbird (SL6, SL5: multiple vulnerabilities).Slackware has updated thunderbird(multiple vulnerabilities) and firefox(multiple vulnerabilities).SUSE has updated java-1_5_0-ibm(SLE10SP4: many vulnerabilities) and java-1_6_0-ibm (SLE11SP2: two unspecified vulnerabilities).Ubuntu has updated EC2 kernel(10.04: two vulnerabilities), firefox(14.10, 14.04, 12.04: many vulnerabilities), kernel (14.10; 14.04;12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiplevulnerabilities), linux-lts-utopic (14.04:multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).