Security advisories for Monday

By ris

Arch Linux has updated curl (multiple vulnerabilities) and wpa_supplicant (code execution).

Debian has updated chromium-browser (multiple vulnerabilities), kernel (multiple vulnerabilities), libreoffice (code execution), openjdk-6 (multiple vulnerabilities), openjdk-7 (multiple vulnerabilities), and wpa (code execution).

Fedora has updated cherokee (F21; F20: authentication bypass), chrony (F20: multiple vulnerabilities), php (F20: multiple vulnerabilities), qt5-qtbase (F21; F20: multiple vulnerabilities), resteasy (F20: XML eXternal Entity (XXE) attacks), spatialite-tools (F20: multiple vulnerabilities), sqlite (F20: multiple vulnerabilities), wesnoth (F21; F20: information leak), wpa_supplicant (F21: code execution), and zarafa (F21; F20: denial of service).

Mageia has updated php (three vulnerabilities) and wordpress (multiple vulnerabilities).

Mandriva has updated asterisk (MBS1.0: SSL server spoofing), glusterfs (MBS2.0: denial of service), librsync (MBS1.0: file checksum collision), perl-Module-Signature (MBS1.0: multiple vulnerabilities), php (MBS1.0, MBS2.0: multiple vulnerabilities), qemu (MBS1.0, MBS2.0: denial of service), setup (MBS2.0: information disclosure), and tor (MBS1.0: denial of service).

openSUSE has updated java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), and ntp (13.2, 13.1: two vulnerabilities).

Ubuntu has updated autofs (14.10: privilege escalation), libreoffice (14.10, 14.04, 12.04: two vulnerabilities), and tcpdump (14.10, 14.04, 12.04: multiple vulnerabilities).

From: LWN

Kernel prepatch 4.1-rc1

By corbet

The 4.1-rc1 prepatch is out. Linus says: “No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of ‘big new feature’ may differ from mine, of course. There’s a lot of work all over, and some of it might just make a big difference to your use cases.” What he doesn’t mention is that, in the end, kdbus was not merged for this development cycle.

From: LWN

Debian 8 “Jessie” released

By jake

Debian 8, codenamed “Jessie”, has been released. It comes with a wide array of upgraded packages including GNOME 3.14, KDE Plasma Workspaces and KDE Applications 4.11.13, Python 2.7.9 and 3.4.2, Perl 5.20.2, PHP 5.6.7, PostgreSQL 9.4.1, MariaDB 10.0.16 and MySQL 5.5.42, Linux 3.16.7-ctk9, and lots more. “With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being the universal operating system. It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, or storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian’s archive ensure that “Jessie” fulfills the high expectations that users have of a stable Debian release.”

From: LWN

Rust Once, Run Everywhere

By n8willis

The Rust blog has posted a guide to using Rust’s foreign function interface (FFI) with C code. Highlighted in particular are Rust’s safe abstractions, which are said to impose no costs. “Most features in Rust tie into its core concept of ownership, and the FFI is no exception. When binding a C library in Rust you not only have the benefit of zero overhead, but you are also able to make it safer than C can! Bindings can leverage the ownership and borrowing principles in Rust to codify comments typically found in a C header about how its API should be

From: LWN

Friday’s security updates

By n8willis

Arch Linux has updated powerdns (denial of service) and powerdns-recursor (denial of service).

Debian-LTS has updated subversion (multiple vulnerabilities).

Fedora has updated lcms (F20: denial of service) and php (F21: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (M4: multiple vulnerabilities), chrony (M4: multiple vulnerabilities), lftp (M4: SSL server spoofing), libksba (M4: denial of service), ntop (M4: cross-site scripting), setup (M4: information disclosure), and t1utils (M4: multiple vulnerabilities).

openSUSE has updated firefox (13.1; 13.2: code execution) and socat (13.1: denial of service).

Oracle has updated kernel (kernel 3.8.18 (O6, O7); kernel 2.6.39 (O5, O6); kernel 2.6.32 (O5, O6): multiple vulnerabilities).

Red Hat has updated novnc (RHEL OSP4: VNC session hijacking).

Ubuntu has updated firefox (code execution), usb-creator (12.04, 14.04, 14.10; 15.04: privilege escalation), and wpa_supplicant (14.04, 14.10: code execution).

From: LWN

Ubuntu 15.04 (Vivid Vervet) released

By corbet

The Ubuntu 15.04 release is out. “Ubuntu Server 15.04 includes the Kilo release of OpenStack, alongside deployment and management tools that save devops teams time when deploying distributed applications – whether on private clouds, public clouds, x86 or ARM servers, or on developer laptops. Several key server technologies, from MAAS to Ceph, have been updated to new upstream versions with a variety of new features.

This release also includes the first release of snappy Ubuntu Core, a new distribution model based on transactional updates.” LWN looked at Snappy in January.

From: LWN

Wi-Fi software security bug could leave Android, Windows, Linux open to attack (Ars Technica)

By jake

Ars Technica reports on a wpa_supplicant bug that might leave Linux and other systems open to remote code execution.

“That’s because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information ‘is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets,’ [Google security team member Jouni] Malinen wrote, and the code ‘was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.’”

From: LWN
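
The payload-length check that the wpa_supplicant item above describes as missing, shown as an added C example (it is not wpa_supplicant's code and not part of the original item). The struct, the function names and the element layout beyond the 8-bit length field are hypothetical, and the test elements are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32            /* valid SSID size given in the advisory */

/* Hypothetical peer record: fixed SSID buffer with a pointer stored after it. */
struct peer_info {
    uint8_t ssid[SSID_MAX_LEN];
    size_t  ssid_len;
    void   *next_field;            /* stands in for the pointer after the buffer */
};

/* elem[0] = element id, elem[1] = 8-bit payload length, payload follows.
 * Returns 0 when the SSID is stored, -1 when the element is rejected. */
int store_ssid(struct peer_info *p, const uint8_t *elem, size_t elem_len)
{
    if (p == NULL || elem == NULL || elem_len < 2)
        return -1;
    size_t len = elem[1];
    if (len > elem_len - 2)        /* claims more payload than was received */
        return -1;
    if (len > SSID_MAX_LEN)        /* the bound the advisory says was not verified */
        return -1;
    memcpy(p->ssid, elem + 2, len);
    p->ssid_len = len;
    return 0;
}

/* Constructed test element; -2 means the field after the buffer changed. */
int try_element(uint8_t claimed_len, size_t received_payload)
{
    uint8_t elem[2 + UINT8_MAX];
    struct peer_info p;
    if (received_payload > UINT8_MAX)
        return -1;
    memset(&p, 0, sizeof(p));
    memset(elem, 'A', sizeof(elem));   /* element id byte is not inspected here */
    elem[1] = claimed_len;
    int rc = store_ssid(&p, elem, 2 + received_payload);
    return p.next_field != NULL ? -2 : rc;
}

int main(void)
{
    printf("%d %d %d\n", try_element(32, 32), try_element(33, 255), try_element(255, 255));
    return 0;
}
```

Without the `SSID_MAX_LEN` comparison, a claimed length of 255 would copy 223 bytes past the 32-byte buffer, which is the overflow size quoted in the item.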

Security updates for Thursday

By jake

Arch Linux has updated glibc (code execution).

Fedora has updated chrony (F21: three vulnerabilities), gnupg2 (F20: denial of service), java-1.7.0-openjdk (F20: unspecified), java-1.8.0-openjdk (F21: unspecified), kernel (F21; F20: denial of service), ntp (F20: two vulnerabilities), python (F20: denial of service from 2013), spatialite-tools (F21: three vulnerabilities), and sqlite (F21: three vulnerabilities).

Oracle has updated kvm (OL5: two vulnerabilities).

From: LWN

[$] The kdbuswreck

By corbet

Few readers will have failed to notice by now that the attempted merging of the kdbus interprocess communication system into the 4.1 kernel has failed to go as well as its proponents would have liked. As of this writing, the discussion continues and nothing has been merged. This article constitutes an attempt to derive a bit of light from the massive amounts of heat that have been generated so far, with a specific focus on the issue of metadata and capabilities.

From: LWN