By ris The first beta in the GNOME 3.15 development series has been
released. GNOME 3.15.90 features a new GNOME shell theme, redesigned
notifications in GNOME shell, codec installation integrated in
gnome-software, a login screen on Wayland, and more.
CentOS has updated samba (C7; C6: root
code execution), samba3x (C5: root code
execution), and samba4 (C6: root code execution).
Debian has updated e2fsprogs
(incomplete fix for code execution), eglibc (multiple vulnerabilities), ruby-redcloth (cross-site scripting), samba (root code execution), sudo (information disclosure), typo3-src (authentication bypass), and xdg-utils (command execution).
Fedora has updated apache-poi (F21: XML-handling flaws), apache-poi (F20: denial of service), cups (F21: buffer overflow),
drupal6-views (F21; F20: multiple vulnerabilities), e2fsprogs (F20: code execution), sudo (F21: information disclosure), and tomcat (F21: multiple vulnerabilities).
Mageia has updated bind (denial of service).
openSUSE has updated glibc (13.2,
13.1: multiple vulnerabilities).
SUSE has updated java-1_6_0-ibm
(SLES10 SP4: multiple unspecified vulnerabilities),
java-1_7_0-ibm (SLE11 SP3; SLES11 SP2: multiple unspecified
vulnerabilities), and samba (SLE12: root code execution).
By corbet The Samba 4.1.17, 4.0.25 and 3.6.25
releases are available; they fix an unpleasant code-execution
vulnerability. See this
Red Hat security blog entry for more information. “CVE-2015-0240
is a security flaw in the smbd file server daemon. It can be exploited by a
malicious Samba client, by sending specially-crafted packets to the Samba
server. No [authentication] is required to exploit this flaw. It can result in
remotely controlled execution of arbitrary code as root.”
By corbet Linus has closed the merge window for this release and released 4.0-rc1 — meaning, of course, that the current
plan is to call the release “4.0”. “But nobody should
notice. Because moving to 4.0 does *not* mean that we somehow changed what
people see. It’s all just more of the same, just with smaller numbers so
that I can do releases without having to take off my socks again.”
The codename has also changed to “Hurr durr I’ma sheep.”
By jake Ubuntu has announced the release of the second point release for its 14.04
long-term support (LTS). 14.04.2 comes with an updated kernel and X Window
stack to support more hardware, along with “security updates and
corrections for other high-impact bugs” all on updated installation
media “so that fewer updates will need to
be downloaded after installation“. It is available for all of the
members of the Ubuntu clan: Kubuntu, Edubuntu, Xubuntu,
Mythbuntu, Ubuntu GNOME, Lubuntu,
Ubuntu Kylin, and Ubuntu Studio.
One other note from the Ubuntu world: a feature
freeze is in effect for 15.04 (“Vivid Vervet”), which is due in April.
By jake On his blog, Matthew Green gives an update on the plans to audit the TrueCrypt disk encryption tool. Green led an effort in 2013 to raise money for an audit of the TrueCrypt source code, which sort of ran aground when TrueCrypt abruptly shut down in May 2014. “It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We’re now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group’s Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price — and make your donations stretch farther — we allowed the start date to be a bit flexible, which is why we don’t have results yet.”
By corbet Version 7.9 of the GDB debugger is out. Changes include enhancements to
the Python scripting API, the ability to compile and inject code into the
debugged program, signal-handling improvements, and more.