By corbet The second 4.1 prepatch is out for testing.
“As usual, it’s a mixture of driver fixes, arch updates (with s390
really standing out due to that one prng commit), and some filesystem and
Arch Linux has updated perl-xml-libxml (information disclosure).
Debian has updated chromium-browser (multiple vulnerabilities).
Debian-LTS has updated libjson-ruby (denial of service), libxml-libxml-perl (information disclosure), squid (denial of service), xdg-utils (command execution), and xorg-server (information leak/denial of service).
openSUSE has updated wpa_supplicant (13.2, 13.1: code execution).
Scientific Linux has updated 389-ds-base (SL7: access control bypass).
SUSE has updated kernel (SLES10 SP4: multiple vulnerabilities).
By corbet The Mozilla community has declared
its intent to phase out “non-secure” (not encrypted with TLS)
web access. “Since the goal of this effort is to send a message to
the web developer community that they need to be secure, our work here will
be most effective if coordinated across the web community. We expect to be
making some proposals to the W3C WebAppSec Working Group soon.”
By corbet The Apache SpamAssassin 3.4.1 release is out. “Highlights include: Improved automation to help combat spammers
that are abusing new top level domains; Tweaks to the SPF support to
block more spoofed emails; Increased character set normalization to
make rules easier to develop, block more international spam and stop
spammers from using alternate character sets to bypass tests;
Continued refinement to the native IPv6 support; and Improved Bayesian
classification with better debugging and attachment hashing.”
By ris WeLiveSecurity reports
that ESET researchers have revealed a family of Linux malware that stayed
under the radar for more than 5 years. They are calling it
Linux/Mumblehard. “There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average.
Monitoring of the botnet suggests that the main purpose of Mumblehard seems to be to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines.”
Fedora has updated ax25-tools (F21; F20: denial of service), fcgi (F21; F20: denial of service), FlightGear (F21: unspecified vulnerability), FlightGear-data (F21: unspecified vulnerability), mailman (F21: path traversal attack), mksh (F21; F20: multiple issues), pdns (F21; F20: denial of service), pdns-recursor (F21; F20: denial of service), and qt (F21: multiple vulnerabilities).
openSUSE has updated DirectFB (13.2, 13.1: two vulnerabilities).
Ubuntu has updated curl (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities), EC2 kernel (10.04: privilege escalation), kernel (14.10; 14.04; 12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: denial of service).