Security advisories for Monday

LWN.net - Mon, 18/03/2013 - 17:40
Debian has updated firebird2.1 (code execution), firebird2.5 (code execution/denial of service), typo3-src (multiple vulnerabilities), lighttpd (symlink attack), libvirt-bin (unintended write access), and libvirt (fixes a regression in previous update).

Fedora has updated icu (F18; F17: race condition), bugzilla (F18; F17: cross-site scripting), kernel (F18: multiple vulnerabilities), sudo (F18: privilege escalation), tor (F18: denial of service), krb5 (F17: denial of service), yum (F17: denial of service).

Mageia has updated git (information disclosure), ruby (denial of service), firefox, thunderbird (code execution), perl (denial of service), poppler (multiple vulnerabilities), telepathy-gabble (denial of service), stunnel (code execution), and flash-player-plugin (multiple vulnerabilities).

Mandriva has updated sudo (privilege escalation), clamav (multiple vulnerabilities), and nagios (code execution).

openSUSE has updated systemtap (denial of service).

Slackware has updated ruby (denial of service).

SUSE has updated IBM java6 (SLE 11 SP1; SLE 11 SP2: multiple vulnerabilities), IBM Java5 (SLE 10 SP4; SUSE Core 9: multiple vulnerabilities), and firefox (SLE 11 SP2; SLE 10 SP4: code execution).

Ubuntu has updated apache2 (multiple vulnerabilities) and pam-xdg-support (privilege escalation).

Kernel prepatch 3.9-rc3

LWN.net - Mon, 18/03/2013 - 07:54
The 3.9-rc3 kernel prepatch is out. Linus says: "Not as small as -rc2, but that one really was unusually calm. So there was clearly some pending stuff that came in for -rc3, with network drivers and USB leading the charge. But there's other misc drivers, arch updates, btrfs fixes, etc etc too."

Mozilla releases Open Badges 1.0

LWN.net - Fri, 15/03/2013 - 21:12

Mozilla has announced the 1.0 release of Open Badges, an open framework for deploying verifiable digital recognition of achievements and awards. As the announcement explains, "With Open Badges, every badge has important data built in that links back to who issued it, how it was earned, and even the projects a user completed to earn it. Employers and others can dig into this rich data and see the full story of each user’s skills and achievements." Mozilla says there are more than 600 organizations using the Open Badges infrastructure, and they have issued more than 62,000 badges.

Friday's security updates

LWN.net - Fri, 15/03/2013 - 14:25

CentOS has updated pidgin (multiple vulnerabilities).

Debian has updated inetutils (denial of service), wireshark (multiple vulnerabilities), and zoneminder (multiple vulnerabilities).

Fedora has updated firefox (code execution), thunderbird (code execution), and xulrunner (code execution).

Mageia has updated wireshark (multiple vulnerabilities).

openSUSE has updated flash-player (12.1, 12.2, 12.3, 11.4; multiple vulnerabilities), MozillaFirefox (code execution), MozillaThunderbird (code execution), RubyOnRails (multiple vulnerabilities), seamonkey (code execution), and xulrunner (code execution).

Oracle has updated kernel (OL5, OL6; local privilege escalation) and pidgin (multiple vulnerabilities).

Red Hat has updated pidgin (multiple vulnerabilities).

Scientific Linux has updated kernel (three updates: one, multiple vulnerabilities; two, privilege escalation; three, multiple vulnerabilities), pidgin (multiple vulnerabilities), and xorg-x11-apps (privilege escalation).

SUSE has updated flash-player (multiple vulnerabilities), java-1_4_2-ibm (multiple vulnerabilities), and java-1_6_0-ibm (SLES 10 SP3, SLES 10 SP4; multiple vulnerabilities).

Ubuntu has updated apt (altered package installation), nspr (plaintext recovery), nss (plaintext recovery), and glance (information disclosure).

New stable kernels

LWN.net - Thu, 14/03/2013 - 19:37

Greg Kroah-Hartman has released stable kernels 3.8.3, 3.4.36, and 3.0.69, each incorporating an important set of fixes.

Security updates for Thursday

LWN.net - Thu, 14/03/2013 - 14:35

Fedora has updated cumin (multiple vulnerabilities), firefox (code execution), java-1.7.0-openjdk (multiple code execution vulnerabilities), mingw-gnutls (F17, F18; multiple vulnerabilities), nspr (plaintext recovery), nss (plaintext recovery), nss-softokn (plaintext recovery), nss-util (plaintext recovery), poppler (F17, F18; multiple vulnerabilities), telepathy-gabble (denial of service), thunderbird (code execution), and xulrunner (code execution).

Mandriva has updated firefox (code execution) and pidgin (multiple vulnerabilities).

openSUSE has updated chromium (multiple vulnerabilities).

Slackware has updated perl (denial of service) and seamonkey (code execution).

SUSE has updated java-1_4_2-ibm (multiple vulnerabilities).

Ubuntu has updated php (information disclosure).

[$] LWN.net Weekly Edition for March 14, 2013

LWN.net - Thu, 14/03/2013 - 02:45
The LWN.net Weekly Edition for March 14, 2013 is available.

openSUSE Project Releases openSUSE 12.3

LWN.net - Wed, 13/03/2013 - 16:38
openSUSE 12.3 has been released. "openSUSE 12.3 improves search, filesystem performance and networking, as well as makes great strides forward in ARM and cloud support. openSUSE 12.3 is the latest Linux distribution from the openSUSE Project, allowing users and developers to benefit from free and open source software in physical, virtual and cloud environments."

Security advisories for Wednesday

LWN.net - Wed, 13/03/2013 - 16:35
CentOS has updated tomcat5 (C5: multiple vulnerabilities) and kernel (C6: privilege escalation).

Debian has updated puppet (multiple vulnerabilities).

Fedora has updated zfs-fuse (F18; F17: multiple vulnerabilities), gnutls (F17: plaintext recovery), and libtasn1 (F17: plaintext recovery).

Mandriva has updated openssh (multiple vulnerabilities) and coreutils (multiple vulnerabilities).

openSUSE has updated java-1_6_0-openjdk (11.4: code execution).

Oracle has updated kernel (OL5; OL6: multiple vulnerabilities) and tomcat5 (OL5: multiple vulnerabilities).

Red Hat has updated kernel (RHEL6: privilege escalation), Red Hat OpenShift Enterprise (multiple vulnerabilities), qemu-kvm-rhev (privilege escalation), tomcat5 (RHEL5: multiple vulnerabilities), and flash-plugin (multiple vulnerabilities).

Scientific Linux has updated tomcat5 (SL5: multiple vulnerabilities).

SUSE has updated java (SLED 11 SP2; SLES 11 SP2: multiple vulnerabilities) and perl (SLE 11 SP2; SLE 10 SP4: multiple vulnerabilities).

Ubuntu has updated puppet (multiple vulnerabilities), kernel (10.04 LTS: multiple vulnerabilities), and thunderbird (code execution).

[$] The trouble with CAP_SYS_RAWIO

LWN.net - Wed, 13/03/2013 - 14:34

A February linux-kernel mailing list discussion of a patch that extends the use of the CAP_COMPROMISE_KERNEL capability soon evolved into a discussion of the specific uses (or abuses) of the CAP_SYS_RAWIO capability within the kernel. However, in reality, the discussion once again exposes some general difficulties in the Linux capabilities implementation—difficulties that seem to have no easy solution.

Duffy: Improving the Fedora boot experience

LWN.net - Wed, 13/03/2013 - 12:58
Máirín Duffy has put together a lengthy summary of the current discussion within the Fedora project on how to improve the bootstrap experience. "While the mailing list thread on the topic at this point is high-volume and a bit chaotic, there is a lot of useful information and suggestions in there that I think could be pulled into a design process and sorted out. So I took 3 hours (yes, 3 hours) this morning to wade through the thread and attempt to do this."

Open Source at CeBIT 2013 (The H)

LWN.net - Wed, 13/03/2013 - 12:21
The H reports from CeBIT 2013 at length. "Speaking to me following his presentation, [Klaus] Knopper also mentioned that he was contemplating creating a mobile version of Knoppix to run on smartphones. The developer noted that the hardware he would need is already available in many smartphones: a powerful processor, 1GB or more of RAM, and a large, high-resolution screen. He showed us his Samsung Galaxy Note II running the latest version of the CyanogenMod Project's custom Android firmware and suggested that Knoppix would run very well on the hardware and could be useful for applications such as GIMP (the Note II includes a pressure-sensitive stylus and Wacom technologies). Phones like the Note II could also be docked for use with an external display, keyboard and mouse, turning them into fully fledged desktop devices."

Tuesday's security updates

LWN.net - Tue, 12/03/2013 - 16:17
CentOS has updated tomcat6 (C6: multiple vulnerabilities), 389-ds-base (C6: denial of service), thunderbird (C6; C5: code execution), and kernel (C5: multiple vulnerabilities).

Fedora has updated python-django (F18: multiple vulnerabilities), coreutils (F17: multiple vulnerabilities), django (F17: multiple vulnerabilities), ca-certificates (F17: certificate updates), and vdsm (F17: insecure node image).

openSUSE has updated java-1_6_0-openjdk (12.1: code execution) and mozilla (11.4: code execution).

Oracle has updated tomcat6 (OL6: multiple vulnerabilities), 389-ds-base (OL6: denial of service), and thunderbird (OL6: code execution).

Red Hat has updated kernel (RHEL5: multiple vulnerabilities), kernel-rt (RHE MRG 2.3: multiple vulnerabilities), tomcat6 (RHEL6: multiple vulnerabilities), java-1.5.0-ibm (multiple vulnerabilities), java-1.6.0-ibm (multiple vulnerabilities), java-1.7.0-ibm (multiple vulnerabilities), thunderbird (code execution), and 389-ds-base (RHEL6: denial of service).

Scientific Linux has updated tomcat6 (SL6: multiple vulnerabilities), thunderbird (code execution), kernel (SL5: multiple vulnerabilities), and 389-ds-base (SL6: denial of service).

[$] LC-Asia: An Android upstreaming update

LWN.net - Tue, 12/03/2013 - 15:10
Many people have talked about the Android kernel code and its relation to the mainline. One of the people who has done the most to help bring Android and the mainline closer together is John Stultz; at the 2013 Linaro Connect Asia event, he talked about the status of the Android code. The picture that emerged shows that a lot of progress has been made, but there is still a lot of work yet to be done. Click below (subscribers only) for the full report.

R.I.P. LinuxDevices… Long live LinuxGizmos!

LWN.net - Mon, 11/03/2013 - 21:32
Rick Lehrbaum, founder of LinuxDevices, has a new site called LinuxGizmos. "Like its forerunner, LinuxGizmos is devoted to the use of Linux in embedded and mobile devices and applications. The site’s goal is to provide daily updates of news and information on embedded Linux distributions, application software, development tools, protocols, standards, and hardware of interest to technical, marketing, and management professionals in the embedded and mobile devices markets."

Release for CentOS-6.4

LWN.net - Mon, 11/03/2013 - 20:02
CentOS 6.4 is available. See the release notes for details.

Security advisories for Monday

LWN.net - Mon, 11/03/2013 - 18:51
CentOS has updated ruby (C5: denial of service), kvm (C5: buffer overflow), xulrunner (C5: code execution), 389-ds-base (C6: ACL restriction bypass), automake (C6: code execution), ccid (C6: arbitrary code execution), dhcp (C6: denial of service), dnsmasq (C6: DNS proxy is wrongly created), dovecot (C6: multiple vulnerabilities), evolution (C6: information disclosure), evolution-mapi (C6: remote code execution), gdb (C6: code execution), hplip (C6: multiple vulnerabilities), httpd (C6: multiple vulnerabilities), ibacm (C6: multiple vulnerabilities), ibsim (C6: multiple vulnerabilities), ibutils (C6: multiple vulnerabilities), infiniband-diags (C6: multiple vulnerabilities), ipa (C6: incorrect CRLs), kernel (C6: multiple vulnerabilities), libibmad (C6: multiple vulnerabilities), libibumad (C6: multiple vulnerabilities), libibverbs (C6: multiple vulnerabilities), libmlx4 (C6: multiple vulnerabilities), librdmacm (C6: multiple vulnerabilities), libvirt (C6: DNS proxy is wrongly created), openchange (C6: remote code execution), opensm (C6: multiple vulnerabilities), openssh (C6: code execution), pam (C6: arbitrary code execution), pcsc-lite (C6: arbitrary code execution), php (C6: multiple vulnerabilities), pki-core (C6: cross-site scripting), rdma (C6: multiple vulnerabilities), samba4 (C6: remote code execution), squid (C6: denial of service), sssd (C6: file modification and denial of service), util-linux-ng (C6: information disclosure), xinetd (C6: service disclosure flaw), xorg-x11-apps (C6: code execution), xorg-x11-server-utils (C6: code execution), xorg-x11-utils (C6: code execution), bind (C6: denial of service), cups (C6: privilege escalation), dbus-glib (C6: privilege escalation), git (C6: information disclosure), gnutls (C6: plaintext recovery), java-1.6.0-openjdk (C6: code execution), java-1.7.0-openjdk (C6: code execution), kernel (C6: kernel-mode code execution), libxml2 (C6: denial of service), nss-pam-ldapd (C6: code execution), openssl (C6: multiple vulnerabilities), qemu-kvm (C6: buffer overflow), ruby (C6: multiple vulnerabilities), and xulrunner (C6: code execution).

Debian has updated sudo (privilege escalation) and perl (denial of service).

Fedora has updated python-tw2-jquery (F18; F17: cross-site scripting), crypto-utils (F18; F17: symlink attack), kernel (F18: multiple vulnerabilities), and libproxy (format string flaw).

Mageia has updated iceape (multiple vulnerabilities), krb5 (denial of service), java-1.7.0-openjdk (code execution), and java-1.6.0-openjdk (code execution).

openSUSE has updated libqt4 (information disclosure).

Oracle has updated ruby (OL5: denial of service), kvm (OL5: buffer overflow), and xulrunner (OL6; OL5: code execution).

Scientific Linux has updated xulrunner (code execution).

Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

SUSE has updated firefox (multiple vulnerabilities).

Ubuntu has updated firefox (code execution).

Ardour 3.0 released

LWN.net - Mon, 11/03/2013 - 12:02
Version 3.0 of the Ardour digital audio workstation system has been released. "This is the first release of Ardour that features support for MIDI recording, playback and editing. It also features a huge number of changes to audio workflow, which for many users may be more significant than the MIDI support." See the "What's new" page for details. (Thanks to Andreas Kågedal.)

Kernel prepatch 3.9-rc2

LWN.net - Mon, 11/03/2013 - 02:09
Linus has announced the 3.9-rc2 prepatch. "Hey, things have been reasonably calm. Sure, Dave Jones has been messing with trinity and we've had some excitement from that, but Al is back, and is hopefully now busy virtually riding to the rescue on a white horse. But otherwise it's been good for this phase in the rc window."

Jitsi 2.0 released

LWN.net - Fri, 08/03/2013 - 22:25

Version 2.0 of the cross-platform open source softphone application Jitsi has been released. An announcement on the XMPP Foundation blog includes some details, such as: "one of the most prominent new features in the 2.0 release is Multiparty Video Conferencing. Such conferences can work in an ad-hoc mode where one of the clients relays video to everyone else, or in cases that require scalability, Jitsi can use the Jitsi Videobridge: an RTP relaying server controlled over XMPP." Other changes include support for the royalty-free VP8 and Opus codecs, and support for integrating with Microsoft Outlook. Additional details are listed at the Jitsi site.