Security advisories for Wednesday

By ris

Debian has updated jackrabbit (information leak).

Debian-LTS has updated libcrypto++ (information disclosure), libmodule-signature-perl (multiple vulnerabilities), and ruby1.9.1 (denial of service).

Fedora has updated abrt (F21: multiple vulnerabilities), cups-x2go (F22: multiple vulnerabilities), elfutils (F22: hardening fixes), gnome-abrt (F21: multiple vulnerabilities), kernel (F21: denial of service), libreport (F21: multiple vulnerabilities), pam (F22: denial of service), and rubygem-activesupport (F22; F21: two vulnerabilities).

Mageia has updated apache-mod_jk (MG4: information disclosure), drupal (MG4,5: multiple vulnerabilities), libvpx (MG4,5: denial of service), p7zip (MG4,5: directory traversal), postgresql (MG4: multiple vulnerabilities), and python-tornado (MG4: side-channel attack).

openSUSE has updated p7zip (13.2, 13.1: directory traversal).

Oracle has updated openssl (OL5: multiple vulnerabilities).

Scientific Linux has updated openssl (SL5: multiple vulnerabilities).

Linux Foundation Announces R Consortium

By ris

The Linux Foundation has announced the R Consortium. “The R language is used by statisticians, analysts and data scientists to unlock value from data. It is a free and open source programming language for statistical computing and provides an interactive environment for data analysis, modeling and visualization. The R Consortium will complement the work of the R Foundation, a nonprofit organization based in Austria that maintains the language. The R Consortium will focus on user outreach and other projects designed to assist the R user and developer communities.

Founding companies and organizations of the R Consortium include The R Foundation, Platinum members Microsoft and RStudio; Gold member TIBCO Software Inc.; and Silver members Alteryx, Google, HP, Mango Solutions, Ketchum Trading and Oracle.”

Tuesday’s security advisories

By ris

CentOS has updated postgresql (C7; C6: multiple vulnerabilities) and xerces-c (C7: denial of service).

Debian has updated unattended-upgrades (authentication bypass).

Debian-LTS has updated aptdaemon (information leak), hostapd (denial of service), jqueryui (cross-site scripting), and shibboleth-sp2 (denial of service).

Fedora has updated chicken (F22; F21: out-of-bounds read), openvas-cli (F21: SQL injection), openvas-libraries (F21: SQL injection), openvas-manager (F21: SQL injection), openvas-scanner (F21: SQL injection), php-htmLawed (F22; F21: multiple vulnerabilities), postgresql (F21: multiple vulnerabilities), python-jwt (F22; F21: token verification bypass), rubygem-jquery-rails (F22; F21: CSRF vulnerability), and rubygem-web-console (F22: code execution).

Oracle has updated postgresql (OL7; OL6: multiple vulnerabilities) and xerces-c (OL7: denial of service).

Red Hat has updated kernel (RHEL6.5: two vulnerabilities), openssl (RHEL5: multiple vulnerabilities), postgresql (RHEL6,7: multiple vulnerabilities), postgresql92-postgresql (RHSCL2: multiple vulnerabilities), rh-postgresql94-postgresql (RHSCL2: multiple vulnerabilities), and xerces-c (RHEL7: denial of service).

Scientific Linux has updated nss (SL6,7: cipher-downgrade attacks), postgresql (SL6,7: multiple vulnerabilities), and xerces-c (SL7: denial of service).

SUSE has updated java-1_6_0-ibm (SLEM12: multiple vulnerabilities).

Ubuntu has updated oxide-qt (15.04, 14.10, 14.04: multiple vulnerabilities) and unattended-upgrades (15.04, 14.10, 14.04, 12.04: authentication bypass).

Amazon’s new TLS implementation

By corbet

Amazon has announced the release of a new TLS library called “s2n” under the Apache license. s2n is a library that has been designed to be small, fast, with simplicity as a priority. s2n avoids implementing rarely used options and extensions, and today is just more than 6,000 lines of code. As a result of this, we’ve found that it is easier to review s2n; we have already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing.

Security updates for Monday

By ris

Debian has updated libcrypto++ (information disclosure).

Debian-LTS has updated cacti (multiple vulnerabilities), libwmf (denial of service), and t1utils (code execution).

Fedora has updated kernel (F22: denial of service).

openSUSE has updated roundcubemail (13.2: two vulnerabilities).

Scientific Linux has updated kvm (SL5: code execution).

SUSE has updated java-1_7_0-ibm (SLE11SP3: multiple vulnerabilities) and Xen (SLES11SP2; SLES11SP1: multiple vulnerabilities).

Valve: Introducing SteamOS “brewmaster”

By n8willis

Valve has announced the first preview release of its forthcoming SteamOS update. The new release is based on Debian 8.1 with long-term support kernel 3.18; there are downloadable builds linked to in the announcement for both UEFI and legacy BIOS systems. There appear to be few user-visible differences between the new release and the current SteamOS so far, though; the announcement notes: “Although there are a lot of changes under the covers, the overall functionality and experience of brewmaster is the same as alchemist

Friday’s security updates

By n8willis

CentOS has updated kvm (C5: code execution).

Debian-LTS has updated librack-ruby (denial of service) and libwmf (multiple vulnerabilities).

openSUSE has updated flash-player (13.1, 13.2: code execution), chromium (13.1, 13.2: multiple vulnerabilities), and openssl (13.1, 13.2: multiple vulnerabilities).

Oracle has updated kvm (O5: code execution) and nss (O6; O7: cipher-downgrade attacks).

Red Hat has updated kernel (RHEL5: privilege escalation) and kvm (RHEL5: code execution).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and mailman (SL7: code execution).

SUSE has updated compat-openssl098 (SLE12: multiple vulnerabilities), KVM (SLE11 SP3: multiple vulnerabilities), and openssl (SLE12: multiple vulnerabilities).

Ardour 4.1 released

By jake

Version 4.1 of the Ardour digital audio workstation software has been released. There are some new features in the release including input gain control, support for capture-only and playback-only devices, a real “Save As” option (with the old option being renamed to “Snapshot (& switch to new version)”), and allowing plugins to be reordered and meter positions to change without adding a click into the audio. There are also lots of user interface changes, including better High-DPI support. “This release contains several new features, both internally and in the user interface, and a slew of bug fixes worthy of your attention. Encouragingly, we also have one of our longest ever contributor lists for this release.

We had hoped to be on a roughly monthly release cycle after the release of 4.0, but collaborations with other organizations delayed 4.1 by nearly a month.”

Joint Statement from the UCC and KC

By ris

The Ubuntu Community Council (UCC) and Kubuntu Council (KC) have issued a joint statement regarding the conflict between Jonathan Riddell and the UCC. “We have mutually agreed that KDE is important to Ubuntu, and the Kubuntu Council believes that Ubuntu is important to the KDE community as well. Therefore we have a basis to work together on putting out a lovely Wily release. We recognize that there are honest and strong feelings about both the things that led up to the current controversy and the way that resolution of it was handled. Despite that, we would all like to move forward as best we can for the betterment of the Ubuntu project, including Kubuntu.” LWN covered the controversy in late May.