Friday’s security updates

By n8willis

Debian has updated openssl
(multiple vulnerabilities).

Fedora has updated csync2 (F20; F21:
file checksum collision),
duplicity (F20; F21: file checksum collision), librsync (F20; F21:
file checksum collision),
libssh2 (F21: denial of service), mapserver (F20; F21: code
php-ZendFramework2 (F22: cross-site forgery), and
rdiff-backup (F20; F21: file checksum collision).

Gentoo has updated openssl
(multiple vulnerabilities).

Mageia has updated openssl
(M4: multiple vulnerabilities).

openSUSE has updated krb5
(13.1, 13.2: multiple vulnerabilities).

Oracle has updated kernel (O6; O7: multiple vulnerabilities).

Red Hat has updated qpid (RHEL6 MRG; RHEL7 MRG: multiple vulnerabilities).

SUSE has updated compat-openssl098 (SLEM-LS12; SLED12: multiple vulnerabilities)
and openssl (SLE12: multiple vulnerabilities).

Ubuntu has updated openssl
(multiple vulnerabilities).

Docker security in the future

By jake

Daniel Walsh writes about applying various Linux security technologies to Docker containers. In the article, he looks at using user namespaces and seccomp filters to provide better security for Docker. “One of the problems with all of the container separation modes described here and elsewhere is that they all rely on the kernel for separation. Unlike air gapped computers, or even virtual machines, the processes within the container can talk directly to the host kernel. If the host kernel has a kernel vulnerability that a container can access, they might be able to disable all of the security and break out of the container.

The x86_64 Linux kernel has over 600 system calls, a bug in any one of which could lead to a privilege escalation. Some of the system calls are seldom called, and should be eliminated from access within the container.”
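Walsh's suggestion to cut seldom-called system calls out of a container's reach is exactly what a seccomp-BPF filter does: a small classic-BPF program that the kernel runs on every system call entry and that returns a verdict (allow, inject an errno, or kill). The program below is an added example, written for this page; it is neither Walsh's code nor Docker's, and the deny list (personality, kexec_load, add_key, request_key, keyctl) is a constructed illustration. A production profile is the inverse: deny by default and allow only the calls the workload needs. The filter here denies a handful so the rest of the process keeps running and the effect can be observed directly.

```c
/* seccomp_demo.c: remove seldom-used system calls from a process's reach.
 * Added example, not code from Walsh's article or from Docker.
 * Build: cc -Wall -o seccomp_demo seccomp_demo.c   (Linux only) */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS            /* older kernel headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Constructed deny list: calls a typical container workload never makes. */
static const int denied[] = {
    __NR_personality, __NR_kexec_load, __NR_add_key, __NR_request_key, __NR_keyctl,
};
#define NDENIED (sizeof denied / sizeof denied[0])
#define FILTER_INSNS (6 + NDENIED)

/* Emit the BPF program into p; returns the instruction count. */
size_t build_filter(struct sock_filter *p)
{
    size_t n = 0;
    /* Check the ABI first: a syscall number only means something per arch. */
    p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, arch));
    p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    /* One compare per denied call. A hit jumps over the remaining compares
     * and the ALLOW return, landing on the ERRNO return at the end. */
    for (size_t i = 0; i < NDENIED; i++)
        p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                              (unsigned)denied[i],
                                              (unsigned char)(NDENIED - i), 0);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                          SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}

/* Convenience for callers that only want the size of the program. */
size_t filter_length(void)
{
    struct sock_filter buf[FILTER_INSNS];
    return build_filter(buf);
}

/* Install the filter on the calling thread: 0 on success, -1 with errno set. */
int install_filter(void)
{
    struct sock_filter insns[FILTER_INSNS];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns), .filter = insns };
    /* Required for unprivileged callers; also closes the setuid escape hatch. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe: personality(0xffffffff) is a query that normally succeeds.
 * Returns 0 if the call went through, otherwise the errno the filter injected. */
int personality_errno(void)
{
    errno = 0;
    return syscall(__NR_personality, 0xffffffffUL) == -1 ? errno : 0;
}

int main(void)
{
    printf("filter has %zu instructions\n", filter_length());
    printf("before: personality -> errno %d\n", personality_errno());
    if (install_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("after:  personality -> errno %d (EPERM is %d)\n", personality_errno(), EPERM);
    return 0;
}
```

The arch check comes before the syscall-number compares on purpose: without it, a 32-bit compatibility syscall on an x86_64 host would be matched against the wrong numbering. Returning an errno rather than killing is what lets you find out, call by call, which entries a real workload still needs before switching the default to deny.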

Security updates for Thursday

By jake

OpenSSL has released updates today, with two vulnerabilities of
“High” severity, as described in its advisory. One of
the High vulnerabilities is a reclassification of the FREAK vulnerability, raised
because of how many servers still offer RSA export cipher suites; the other is
a denial of service in OpenSSL 1.0.2.
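The server-side condition behind the reclassification is simple to test for: offer a server nothing but RSA_EXPORT suites in a ClientHello and see whether it completes a ServerHello with one of them instead of sending a handshake_failure alert. The program below is an added example written for this page (not from OpenSSL's advisory or the FREAK researchers); the suite list comes from RFC 2246 plus the 1024-bit export variants, the sample replies are constructed for offline checking, and the network path reads only the first record, which is enough for a plain ServerHello.

```c
/* export_probe.c: does a TLS server still negotiate an RSA export suite?
 * Added example, not code from the OpenSSL project.
 * Build: cc -Wall -o export_probe export_probe.c ; run: ./export_probe host 443 */
#define _POSIX_C_SOURCE 200112L
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* RSA_EXPORT suites (RFC 2246) plus the RSA_EXPORT1024 variants. */
static const unsigned short EXPORT_SUITES[] = { 0x0003, 0x0006, 0x0008, 0x0062, 0x0064 };
#define NSUITES (sizeof EXPORT_SUITES / sizeof EXPORT_SUITES[0])

static int is_export_suite(unsigned suite)
{
    for (size_t i = 0; i < NSUITES; i++)
        if (EXPORT_SUITES[i] == suite) return 1;
    return 0;
}

/* Write a TLS 1.0 ClientHello offering only export suites; returns the byte count, 0 if cap is too small. */
size_t build_export_client_hello(unsigned char *out, size_t cap)
{
    size_t body = 2 + 32 + 1 + 2 + 2 * NSUITES + 1 + 1;   /* version .. compression */
    if (cap < 5 + 4 + body) return 0;
    unsigned char *p = out;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x01;                 /* handshake record, TLS 1.0 */
    *p++ = (unsigned char)((4 + body) >> 8); *p++ = (unsigned char)(4 + body);
    *p++ = 0x01;                                           /* ClientHello */
    *p++ = 0; *p++ = (unsigned char)(body >> 8); *p++ = (unsigned char)body;
    *p++ = 0x03; *p++ = 0x01;                              /* client_version */
    memset(p, 0x42, 32); p += 32;                          /* fixed "random": this is a probe, not a session */
    *p++ = 0;                                              /* no session id */
    *p++ = (unsigned char)((2 * NSUITES) >> 8); *p++ = (unsigned char)(2 * NSUITES);
    for (size_t i = 0; i < NSUITES; i++) {
        *p++ = (unsigned char)(EXPORT_SUITES[i] >> 8); *p++ = (unsigned char)EXPORT_SUITES[i];
    }
    *p++ = 1; *p++ = 0;                                    /* null compression only */
    return (size_t)(p - out);
}

size_t client_hello_length(void)
{
    unsigned char buf[128];
    return build_export_client_hello(buf, sizeof buf);
}

/* Classify the server's first record: the negotiated suite if it is an export
 * suite (server is FREAK-exposed), 0 if it refused or chose a non-export suite,
 * -1 if the bytes are neither a parseable ServerHello nor an alert. */
int server_accepted_export(const unsigned char *buf, size_t len)
{
    if (len < 5) return -1;
    if (buf[0] == 0x15) return 0;                  /* alert record: refused */
    if (buf[0] != 0x16 || len < 44 || buf[5] != 0x02) return -1;
    size_t sid_len = buf[43];                      /* session_id length */
    if (len < 46 + sid_len) return -1;
    unsigned suite = ((unsigned)buf[44 + sid_len] << 8) | buf[45 + sid_len];
    return is_export_suite(suite) ? (int)suite : 0;
}

/* Constructed replies for offline checking; not captured from any real server. */
#define ZERO8 0, 0, 0, 0, 0, 0, 0, 0
const unsigned char SAMPLE_SERVER_HELLO_EXPORT[] = {
    0x16, 0x03, 0x01, 0x00, 0x2a,                  /* handshake record, 42 bytes */
    0x02, 0x00, 0x00, 0x26,                        /* ServerHello, 38 bytes */
    0x03, 0x01, ZERO8, ZERO8, ZERO8, ZERO8,        /* version, 32-byte random */
    0x00, 0x00, 0x03, 0x00 };                      /* no sid, RSA_EXPORT_WITH_RC4_40_MD5, null compression */
const unsigned char SAMPLE_ALERT[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28 }; /* fatal handshake_failure */

/* Live probe: result of server_accepted_export() on the first reply, or -2 on I/O failure. */
int probe_host(const char *host, const char *port)
{
    struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *res;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -2;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol), rc = -2;
    if (fd >= 0 && connect(fd, res->ai_addr, res->ai_addrlen) == 0) {
        unsigned char hello[128], reply[4096];
        size_t n = build_export_client_hello(hello, sizeof hello);
        ssize_t got;
        if (send(fd, hello, n, 0) == (ssize_t)n && (got = recv(fd, reply, sizeof reply, 0)) > 0)
            rc = server_accepted_export(reply, (size_t)got);
    }
    if (fd >= 0) close(fd);
    freeaddrinfo(res);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s host port\n", argv[0]); return 2; }
    int r = probe_host(argv[1], argv[2]);
    if (r > 0) printf("%s negotiated export suite 0x%04x: exposed to FREAK\n", argv[1], r);
    else if (r == 0) printf("%s refused export suites\n", argv[1]);
    else printf("%s: no usable answer (%d)\n", argv[1], r);
    return r > 0;
}
```

A positive result means the server will sign a 512-bit export RSA key for any client that asks, which is the half of FREAK the server operator controls; the fix is to drop every EXPORT suite from the server configuration. Where the client-side OpenSSL still contains export suites (they were removed in 1.1.0), `openssl s_client -cipher EXPORT` performs the same check.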

CentOS has updated freetype (C6:
multiple vulnerabilities) and unzip (C6:
multiple vulnerabilities).

Debian has updated file (denial
of service).

Debian-LTS has updated mono
(three SSL/TLS vulnerabilities).

Gentoo has updated python
(multiple vulnerabilities, two from 2013).

Mageia has updated moodle
(multiple vulnerabilities).

openSUSE has updated gdm (13.2:
screen lock bypass), glusterfs (13.2:
denial of service), and libssh2_org (13.2,
13.1: information leak).

Oracle has updated unzip (OL7; OL6:
multiple vulnerabilities).

Red Hat has updated postgresql92-postgresql (RHSC1: multiple
vulnerabilities) and unzip (RHEL6&7:
multiple vulnerabilities).

SUSE has updated kernel (SLE12:
multiple vulnerabilities).

Fedora seeks a diversity advisor

By corbet

The Fedora project is looking for somebody to become its diversity
advisor. “The Fedora Diversity Advisor will lead initiatives to assess and
promote equality and inclusion within the Fedora contributor and user
communities, and will develop project strategy on diversity issues. The
Diversity Advisor will also be the point of contact for Fedora’s
participation in third-party outreach programs and events.” You
have to get to the bottom of the announcement to read that this is a
volunteer position, though they hope to change that someday.

Security advisories for Wednesday

By ris

Debian has updated php5 (multiple vulnerabilities).

Fedora has updated freexl (F21; F20:
denial of service) and libgcrypt (F21: two vulnerabilities).

openSUSE has updated vorbis-tools
(13.2, 13.1: denial of service).

Oracle has updated freetype (OL7; OL6:
multiple vulnerabilities).

Red Hat has updated flash-plugin
(RHEL5,6: multiple vulnerabilities) and freetype (RHEL6,7: multiple vulnerabilities).

Ubuntu has updated libxfont (privilege escalation) and php5 (multiple vulnerabilities).

Utah software company’s decade-old suit against IBM revived (SL Tribune)

By corbet

The Salt Lake Tribune reports
that the SCO Group’s lawsuit against IBM is once again alive and moving in
Federal court. “In addition to its claims of IBM misappropriation of
code, SCO alleges that IBM executives and lawyers directed the company’s
Linux programmers to destroy source code on their computers after SCO made
its allegations. The company’s other remaining claims are that IBM’s
actions amounted to unfair competition and interference with its contracts
and business relations with other companies.”

Qt 5.5 Alpha Available

By ris

Qt 5.5 alpha has been released.
“With Qt 5.5, Canvas 3D is fully supported and a technology preview
of long awaited Qt 3D is included. Qt 5.5 also introduces mapping support
with a Qt Location technology preview. Qt 5.5 Alpha is the first step
towards Qt 5.5 final release planned to be available in May.” Check
out the New Features in Qt 5.5 page for more details.

