[$] The LPC Android microconference, part 1

By jake

The Linux Plumbers Android microconference was held in Seattle on August
20th and looked at a number of topics needing
coordination between various players in the Android ecosystem. It was split
up into two separate sessions; this summary covers the
first three-hour session.
Topics covered the state of the staging tree, USB gadgets and ConfigFS,
running mainline on consumer devices, partitions and customization, a
single binary image for multiple devices, Project Ara, and kdbus.

Click below (subscribers only) for the full report from LPC 2015.

From: LWN


Security advisories for Tuesday

By ris

Arch Linux has updated powerdns (denial of service).

Debian has updated openslp-dfsg (denial of service).

Debian-LTS has updated php5 (multiple vulnerabilities) and screen (denial of service).

Fedora has updated drupal6 (F22; F21:
multiple vulnerabilities), drupal6-ctools (F22; F21:
multiple vulnerabilities), drupal6-views_bulk_operations (F22; F21:
access bypass), drupal7 (F22; F21: multiple vulnerabilities),
gdk-pixbuf2 (F22; F21: code execution), mingw-gdk-pixbuf
(F22; F21:
code execution), and php-twig (F21: code execution).

Mageia has updated bind (MG4,5:
denial of service), freeimage (MG4,5:
integer overflow), hplip (MG4,5:
man-in-the-middle attack), iceape (MG4,5:
multiple vulnerabilities), jsoup (MG5:
cross-site scripting), lighttpd (MG4,5: log
injection), openafs (MG4,5: multiple
vulnerabilities), and squashfs-tools
(MG4,5: two vulnerabilities).

openSUSE has updated gdk-pixbuf
(13.2: code execution), gnutls (13.2, 13.1:
denial of service), net-snmp (13.2, 13.1:
code execution), perl-XML-LibXML (13.2,
13.1: information disclosure), libgcrypt
(13.2, 13.1: two vulnerabilities), and tor
(13.2, 13.1: respect SafeLogging).

Red Hat has updated haproxy
(RHEL6,7: information leak) and subversion
(RHEL7: multiple vulnerabilities).

SUSE has updated bind (SLE11SP1:
denial of service), firefox (SLE11SP2,SP1:
two vulnerabilities), and java-1_6_0-ibm
(SLE11SP3,SP2,SP1: multiple vulnerabilities).

Ubuntu has updated spice (15.04,
14.04: code execution).


Linux Plumbers Conference 2016 call for organizers

By corbet

It’s time to figure out who will be organizing the Linux Plumbers
Conference in 2016, which is planned to be held in Santa Fe, New Mexico, at
the beginning of November, alongside the Kernel Summit. Interested
organizers should put together a bid and submit it to the Linux
Foundation’s Technical Advisory Board by October 5; see this page for details on
how the process works. “This is your chance to put
your stamp on one of our community’s most important gatherings in a
year when we will be celebrating 25 years of the Linux kernel.”


Mozilla: Improving Security for Bugzilla

By n8willis

The Mozilla blog has disclosed
that the official Mozilla instance of Bugzilla was recently
compromised by an attacker who stole “security-sensitive
information” related to unannounced vulnerabilities in
Firefox—in particular, the PDF
Viewer exploit
discovered on August 5. The blog post explains that
Mozilla has now taken several steps to reduce the risk of future
attacks using Bugzilla as a stepping stone. “As an immediate
first step, all users with access to security-sensitive information
have been required to change their passwords and use two-factor
authentication. We are reducing the number of users with privileged
access and limiting what each privileged user can do. In other words,
we are making it harder for an attacker to break in, providing fewer
opportunities to break in, and reducing the amount of information an
attacker can get by breaking in.”


Friday’s security updates

By n8willis

CentOS has updated spice
(C7: code execution) and spice-server
(C6: code execution).

Debian has updated chromium-browser (multiple vulnerabilities) and screen (denial of service).

Fedora has updated mediawiki (F21; F22:
multiple vulnerabilities)
and struts (F22: input validation bypass).

openSUSE has updated firefox
(13.1, 13.2: multiple vulnerabilities).

Oracle has updated bind (O7; O6; O5: denial of service), bind97 (O5: multiple vulnerabilities), libXfont (O7; O6:
multiple vulnerabilities),
spice (O7: code execution), and spice-server (O6: code execution).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), openshift (RHOSE3: denial of service), openstack-nova (RHELOSP7: denial of service), qemu-kvm-rhev (RHELOSP7: information leak), spice (RHEL7: code execution), and spice-server (RHEL6: code execution).

Scientific Linux has updated spice-server (SL7; SL6:
code execution).

Slackware has updated seamonkey (multiple vulnerabilities).

SUSE has updated kernel (SLELP12 3.12.43; 3.12.39; 3.12.38; 3.12.36; 3.12.32: multiple vulnerabilities).

Ubuntu has updated kernel (12.04: information leak; 14.04: code execution),
libvdpau (12.04, 14.04, 15.04:
multiple vulnerabilities), linux-lts-trusty (12.04: code execution), linux-ti-omap4 (12.04: information leak), and openslp-dfsg (12.04, 14.04, 15.04: denial
of service).


The Linux Test Project has been released for September 2015

By jake

The Linux Test Project (LTP) has made a stable release for September 2015. The previous release was in April. This release has a number of new test cases including ones for user namespaces, virtual network interfaces, umount2(), getrandom(), and more. In addition, the network namespace test cases were rewritten and regression tests have been added for inotify, cpuset, futex_wake(), and recvmsg(). We looked at writing LTP test cases back in January.


Thursday’s security advisories

By jake

Arch Linux has updated bind (two
denial of service flaws).

CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), and
libXfont (C7; C6: three privilege escalation flaws).

Debian has updated bind9 (denial
of service), qemu (multiple
vulnerabilities), and qemu-kvm (two vulnerabilities).

Debian-LTS has updated openslp-dfsg (three vulnerabilities, one from
2010, another from 2012).

Red Hat has updated bind (RHEL6,7; RHEL5: denial of service), bind97 (RHEL5: denial of service), and libXfont (RHEL6,7: three privilege escalation flaws).

Scientific Linux has updated bind (SL6,7; SL5:
denial of service), bind97 (SL5: denial of
service), and libXfont (SL6,7: three
privilege escalation flaws).

Slackware has updated bind (two
denial of service flaws).

SUSE has updated bind (SLE12; SLE11SP2,3,4: denial of service), kernel (SLE11SP2: multiple vulnerabilities,
three from 2014), and xen (SLE11SP3;
SLED11SP3: multiple vulnerabilities).

Ubuntu has updated bind9 (denial
of service).
