Debian has updated openssl (multiple vulnerabilities), qemu (code execution), and qemu-kvm (code execution).

Mageia has updated apache-mod_security (rules bypass), cups-filters (M4: code execution), openjpeg (code execution), php (denial of service), and rsync (M4: denial of service).

Oracle has updated kernel (2.6.39 - OL5; OL6: privilege escalation) and kernel (3.8.13 - OL6: privilege escalation).

SUSE has updated jakarta-commons-fileupload (SLES11 SP3: denial of service).

The Debian project has announced that the security support period for the 6.0 ("squeeze") release has been extended by nearly two years; it now runs out in February 2016. At the end, squeeze will have received a full five years of security support. "squeeze-lts is only going to support i386 and amd64. If you're running a different architecture you need to upgrade to Debian 7 (wheezy). Also there are going to be a few packages which will not be supported in squeeze-lts (e.g. a few web-based applications which cannot be supported for five years). There will be a tool to detect such unsupported packages."

Internet Systems Consortium, the non-profit behind the BIND DNS server, has released version 1.2 of BIND 10, which is the last release it will make of the "applications framework for Internet infrastructure, such as DNS". That completes ISC's development effort on BIND 10, so it has renamed the project to Bundy and turned it over to the community for updates and maintenance. "'BIND 10 is an excellent software system,' said Scott Mann, ISC's Vice President of Engineering, 'and a huge step forward in open-source infrastructure software. Unfortunately, we do not have the resources to continue development on both projects, and BIND 9 is much more widely used.' 'The BIND 10 software is open-source,' Scott added, 'so we are making it available for anyone who wants to continue its development. The source will be available from GitHub under the name Bundy, to mitigate the confusion between it and ISC's BIND 9 (a completely separate system). The name 'BIND' is associated with ISC; we have changed its name as a reminder that ISC is no longer involved with the project.'"

Ubuntu has announced the release of its latest long-term support distribution: Ubuntu 14.04 LTS (aka "Trusty Tahr"). The release notes have all the details. It comes in a multitude of configurations, for desktops, servers, the cloud, phones, and tablets; also in many flavors: Kubuntu, Edubuntu, Xubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, and Ubuntu Studio. "Ubuntu 14.04 LTS is the first long-term support release with support for the new "arm64" architecture for 64-bit ARM systems, as well as the "ppc64el" architecture for little-endian 64-bit POWER systems. This release also includes several subtle but welcome improvements to Unity, AppArmor, and a host of other great software."

NPR has a look at the cross-pollination of open source software and agriculture, resulting in the release of the first "Open Source Seeds". The new Open Source Seed Initiative was formed to put seeds, and, more importantly, their genetic material, into a protected commons, so they will be available in perpetuity. "At an event on the campus of the University of Wisconsin, Madison, backers of the new Open Source Seed Initiative will pass out 29 new varieties of 14 different crops, including carrots, kale, broccoli and quinoa. Anyone receiving the seeds must pledge not to restrict their use by means of patents, licenses or any other kind of intellectual property. In fact, any future plant that's derived from these open source seeds also has to remain freely available as well." (Thanks to Rich Brown.)

The QEMU team has announced the release of version 2.0.0 of the QEMU "open source machine emulator and virtualizer". New features in the release include support for KVM on AArch64 (64-bit ARM) systems, support for all 64-bit ARMV8 instructions (other than the optional CRC and crypto extensions), support for the Allwinner A10-based cubieboard, CPU hotplug for Q35 x86 systems, better Windows guest performance when doing many floating-point or SIMD operations, live snapshot merging, new management interfaces for CPU and virtio-rng hotplug, direct access to NFSv3 shares using libnfs, and lots more. Detailed information about all of the changes can be found in the changelog.

Debian has announced that regular security updates for Debian 6.0 ("squeeze") will cease on May 31. But there will be long-term support for most of the packages in squeeze on just the i386 and amd64 architectures until February 2016.

Fedora has updated cacti (F20; F19: multiple vulnerabilities), json-c (F20: two denial of service flaws), and openstack-keystone (F20: access restriction bypass).

Mandriva has updated json-c (BS1.0: two denial of service flaws).

Oracle has updated java-1.6.0-openjdk (OL6; OL5: multiple vulnerabilities, most unspecified) and java-1.7.0-openjdk (OL6; OL5: multiple vulnerabilities, most unspecified).

Red Hat has updated java-1.6.0-sun (many vulnerabilities, lots unspecified), java-1.7.0-oracle (RHEL; RHEL Supplementary: multiple vulnerabilities, most unspecified), and libyaml (RHEL6: two code execution flaws).

Scientific Linux has updated java-1.6.0-openjdk (multiple vulnerabilities, most unspecified) and java-1.7.0-openjdk (SL5: multiple vulnerabilities, most unspecified).

SUSE has updated flash-player (SLE11SP3: multiple vulnerabilities) and kernel (SLERTE11SP3; SLE10SP4: multiple vulnerabilities).

The LWN.net Weekly Edition for April 17, 2014 is available.

CentOS has updated java-1.6.0-openjdk (C6; C5: multiple vulnerabilities) and java-1.7.0-openjdk (C6; C5: multiple vulnerabilities).

Debian has updated chromium-browser (multiple vulnerabilities) and virtualbox (code execution).

Fedora has updated cups-filters (F20: command execution), ImageMagick (F20: code execution), jbigkit (F20: code execution), libinfinity (F20; F19: unspecified vulnerability), mingw-openjpeg (F20; F19: code execution), mingw-openssl (F19: information disclosure), oath-toolkit (F20: replays one time passwords), php (F20; F19: denial of service), squid (F19: denial of service), v8 (F20: multiple vulnerabilities), and wordpress (F20: multiple vulnerabilities).

Mageia has updated asterisk (MG4; MG3: multiple vulnerabilities), cups-filters (MG4: multiple vulnerabilities), elfutils (MG3&4: code execution), fail2ban (MG3&4: denial of service), jbigkit (MG3&4: code execution), json-c (MG3&4: denial of service), and tigervnc (MG3&4: code execution).

Mandriva has updated asterisk (two vulnerabilities).

openSUSE has updated curl (11.4: multiple vulnerabilities).

Red Hat has updated java-1.6.0-openjdk (RHEL5&6: multiple vulnerabilities) and java-1.7.0-openjdk (RHEL6; RHEL5: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (SL6: multiple vulnerabilities).

SUSE has updated kernel (SLE11 SP3: multiple vulnerabilities) and strongswan (SLE11, SLE10 LTSS: authentication bypass).

Here is a long piece from Christian Schaller describing the planning for the upcoming Fedora Workstation product. "So when we are planning the Fedora Workstation we are not just looking at what features we can develop for individual libraries or applications like GTK+, Firefox or LibreOffice, but we are looking at what we want the system as a whole to look like. And maybe most important we try our hardest to look at things from a feature/usecase viewpoint first as opposed to a specific technology viewpoint."

There is a saying that you need to spend money to make money, though this apparent paradox is easily resolved with a start-up loan and the discipline of balancing expenses against income. A similar logic applies to the management of memory in an operating system kernel such as Linux: sometimes you need to allocate memory to free memory. Here, too, discipline is needed, though the typical consequences of not being sufficiently careful is not bankruptcy but rather a deadlock. The history of how the Linux kernel developed its balance between saving and spending is interesting as a microcosm of how Linux development proceeds.

Click below (subscribers only) for the full article by Neil Brown.

Debian has updated strongswan (authentication bypass).

Fedora has updated mingw-openssl (F20: information disclosure), mod_security (F20; F19: rules bypass), php-ZendFramework (F20; F19: multiple vulnerabilities), php-ZendFramework2 (F20; F19: multiple vulnerabilities), and systemd (F20: code execution).

openSUSE has updated couchdb (13.1, 12.3: denial of service) and jakarta-commons-fileupload (13.1; 12.3: denial of service).

Ubuntu has updated curl (all: information disclosure) and python-imaging (all: two tmpfile flaws).

The results of the 2014 Debian project leader election are in; incumbent Lucas Nussbaum fended off challenger Neil McGovern to win a second one-year term in this position. See the DPL election page for details on how the voting went.

Version 2.2 of the Cinnamon desktop environment is out. New features include a lot of improvements to the settings dialogs, tweaks to the "hot corners" and heads-up display mechanisms, better high-resolution display support, and more.

Greg Kroah-Hartman has released kernels 3.14.1, 3.13.10, 3.10.37, and 3.4.87. Each contains important updates and fixes; in addition, Greg notes that 3.13.10 will be the next-to-last release in the 3.13.y stable series, so migration to 3.14.y soon is advisable.

Mitchell Baker has announced that Chris Beard has been appointed to the board of directors and will be serving as the interim CEO. "In this time of transition there is no better person to lead us. Chris has one of the clearest visions of how to take the Mozilla mission and turn it into programs and activities and product ideas that I have ever seen. In the early years at Mozilla he was responsible for leading the Mozilla product, marketing and innovation teams. More recently, Chris was our CMO, leading user, developer and community engagement activities globally, including the initial launches of Firefox on Android and Firefox OS at MWC. Chris is the right person to lead us through this time and he is a strong candidate for CEO."

Debian has updated curl (multiple vulnerabilities) and wordpress (multiple vulnerabilities).

Mandriva has updated jbigkit (BS1, ES5: code execution).

openSUSE has updated flash-player (multiple vulnerabilities), nagios (12.3, 13.1: denial of service), python (12.3: code execution), rubygem-rack-ssl (12.3, 13.1: cross-site scripting), and xinetd (12.3, 13.1: multiple vulnerabilities).

Ubuntu has updated net-snmp (denial of service).

As the annual project leader election winds down, the Debian Project has begun a new vote on a proposed code of conduct for project members. It lays out some general guidelines for behavior within the project and allows administrators to ban "serious or persistent offenders" from communicating through Debian's channels. Voting is open through April 27.

Linus has released the 3.15-rc1 prepatch and closed the merge window for this development cycle. "In comparison to those large releases, 3.15-rc1 is just big in general. No single big thing, but just lots and lots of commits. Sure, it has a few big new staging drivers (rtl8723au in particular), but even when big, those aren't nearly the bulk of things. There's just a lot going on." In the end, 12,034 non-merge changesets were pulled into the mainline repository during the 3.15 merge window.

During an April 13 keynote at PyCon, Van Lindberg, chair of the Python Software Foundation (PSF) board, announced that PSF membership would now be open to the entire community. It had previously been a self-sustaining membership, with current members nominating new members, but that has now changed. Community members can sign up as PSF members by way of a "Become a Member" button at the bottom of the Python home page. Filling out a a form and agreeing to the Code of Conduct is all that is required to join. Instead of the roughly 200 members reported at PyCon 2013, he would like to see 30,000 or more PSF members by the end of 2014. This is part of an effort to diversify the PSF in much the same way that the Python community itself has diversified over the years, Lindberg said.