OpenBSD 5.7

By ris

OpenBSD 5.7 has been released. This version includes improved hardware support, network stack improvements, installer improvements, security and bug fixes, and more. OpenSSH 6.8, LibreSSL, and other packages have also seen improvements and bug fixes.

From: LWN

Security advisories for Friday

By ris

Arch Linux has updated perl-xml-libxml (information disclosure).

Debian has updated chromium-browser (multiple vulnerabilities).

Debian-LTS has updated libjson-ruby (denial of service), libxml-libxml-perl (information disclosure), squid (denial of service), xdg-utils (command execution), and xorg-server (information leak/denial of service).

Mageia has updated kernel (multiple vulnerabilities), kernel-linus (multiple vulnerabilities), libreoffice (code execution), ppp (denial of service), and quassel (SQL injection).

openSUSE has updated wpa_supplicant (13.2, 13.1: code execution).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL5.6: privilege escalation).

Scientific Linux has updated 389-ds-base (SL7: access control bypass).

SUSE has updated kernel (SLES10 SP4: multiple vulnerabilities).

From: LWN

Mozilla: Deprecating Non-Secure HTTP

By corbet

The Mozilla community has declared its intent to phase out “non-secure” (not encrypted with TLS) web access. “Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon.”

From: LWN

Apache SpamAssassin 3.4.1 released

By corbet

The Apache SpamAssassin 3.4.1 release is out. “Highlights include: Improved automation to help combat spammers that are abusing new top level domains; Tweaks to the SPF support to block more spoofed emails; Increased character set normalization to make rules easier to develop, block more international spam and stop spammers from using alternate character sets to bypass tests; Continued refinement to the native IPv6 support; and Improved Bayesian classification with better debugging and attachment hashing.”

From: LWN

Unboxing Linux/Mumblehard: Muttering spam from your servers (WeLiveSecurity)

By ris

WeLiveSecurity reports that ESET researchers have revealed a family of Linux malware that stayed under the radar for more than 5 years. They are calling it Linux/Mumblehard. “There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average.

Monitoring of the botnet suggests that the main purpose of Mumblehard seems to be to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines.”

From: LWN

Debian GNU/Hurd 2015 released

By ris

Debian GNU/Hurd 2015 has been released. “This is a snapshot of Debian “sid” at the time of the stable Debian “jessie” release (April 2015), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release.”

From: LWN

Thursday’s security updates

By ris

Debian has updated curl (information leak), elasticsearch (directory traversal), and icecast2 (denial of service).

Debian-LTS has updated curl (two vulnerabilities), openjdk-6 (multiple vulnerabilities), php5 (multiple vulnerabilities), and qt4-x11 (multiple vulnerabilities).

Fedora has updated ax25-tools (F21; F20: denial of service), fcgi (F21; F20: denial of service), FlightGear (F21: unspecified vulnerability), FlightGear-data (F21: unspecified vulnerability), mailman (F21: path traversal attack), mksh (F21; F20: multiple issues), pdns (F21; F20: denial of service), pdns-recursor (F21; F20: denial of service), and qt (F21: multiple vulnerabilities).

Mandriva has updated glibc (MBS2.0, MBS1.0: two vulnerabilities) and sqlite3 (MBS2.0, MBS1.0: three vulnerabilities).

openSUSE has updated DirectFB (13.2, 13.1: two vulnerabilities).

Ubuntu has updated curl (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities), EC2 kernel (10.04: privilege escalation), kernel (14.10; 14.04; 12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: denial of service).

From: LWN