Greg Kroah-Hartman has released the latest batch of stable kernel updates: 3.18.5, 3.14.31, and 3.10.67. All contain important updates throughout the tree.

CentOS has updated kernel (C7; C7: multiple vulnerabilities in each update) and libyaml (C7: denial of service).

Debian has updated openjdk-6 (multiple vulnerabilities), openjdk-7 (multiple vulnerabilities), privoxy (multiple vulnerabilities), and requests (multiple vulnerabilities).

Debian-LTS has updated polarssl (code execution).

Fedora has updated polarssl (F20; F21: code execution), thunderbird (F20: multiple vulnerabilities), unzip (F20: unspecified impact), and vorbis-tools (F21:).

Oracle has updated glibc (O4: code execution) and kernel (O6; O7: multiple vulnerabilities; O5; O6; O5; O6: denial of service).

SUSE has updated kernel (SLE 12: multiple vulnerabilities).

We are a bit late in noting that KDE has released Plasma 5.2 on January 27. This KDE.News article gives a tour of the desktop that will be featured in upcoming Kubuntu and Fedora KDE spin releases (and probably other distributions as well). There are lots of new features and bug fixes in the release, see the changelog for all the details. "In the screen locker we improved the integration with logind to ensure the screen is properly locked before suspend. The background of the lock screen can be configured. Internally this uses part of the Wayland protocol which is the future of the Linux desktop. There are improvements in the handling of multiple monitors. The detection code for multiple monitors got ported to use the XRandR extension directly and multiple bugs related to it were fixed."

The LibreOffice 4.4 release is now available. "We have completed the dialog conversion, redesigned menu bars, context menus, toolbars, status bars and rulers to make them much more useful. The Sifr monochrome icon theme is extended and now the default on OS X. We also developed a new Color Selector, improved the Sidebar to integrate more smoothly with menus, and reworked many user interface details to follow today’s UX trends." See the release notes and this posting from Michael Meeks for lots more information.

CentOS has updated kernel (C6: two vulnerabilities) and libyaml (C6: denial of service).

Debian has updated virtualbox (two denial of service flaws with no details).

Debian-LTS has updated jasper (two vulnerabilities), libksba (denial of service), privoxy (three vulnerabilities), python-django (multiple vulnerabilities), and rpm (multiple vulnerabilities, some from 2012 and 2013).

Fedora has updated drupal7-context (F21; F20: open redirect), suricata (F21; F20: denial of service), and unzip (F21: unspecified impact).

openSUSE has updated flash-player (12.3: multiple vulnerabilities), git (13.2, 13.1: code execution), glibc (11.4: code execution), and libpng16 (13.2, 13.1: two vulnerabilities).

Oracle has updated kernel (OL7; OL6: multiple vulnerabilities) and libyaml (OL7; OL6: denial of service).

Red Hat has updated glibc (RHEL4: code execution), kernel (RHEL7: multiple vulnerabilities), libyaml (RHEL6&7: denial of service), and ntp (RHEL6.5: multiple code execution flaws).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and libyaml (SL6&7: denial of service).

Slackware has updated glibc (code execution).

SUSE has updated firefox (SLE11SP2, SLE11SP1; SLE10SP4: multiple vulnerabilities) and flash-player (SLE11SP3: multiple vulnerabilities).

The LWN.net Weekly Edition for January 29, 2015 is available.

At linux.conf.au 2015 in Auckland, Rusty Russell presented a talk about his personal side-project, Pettycoin. Russell had announced Pettycoin at LCA 2014; at that time it represented an untested concept: a way to attach a separate, Bitcoin-like network to the existing Bitcoin blockchain. Pettycoin's goal was originally to offer a simpler and faster "side network" that periodically reconnected to Bitcoin. In the intervening year, Russell made a lot of progress, but other new innovations in the Bitcoin arena have led him to question parts of the Pettycoin approach and consider a reimplementation.

CentOS has updated glibc (C7; C6; C5: code execution).

Debian-LTS has updated eglibc (code execution).

Mageia has updated busybox (arbitrary module loading), flash-player-plugin (multiple vulnerabilities), php (multiple vulnerabilities), privoxy (multiple vulnerabilities), and python-pillow (denial of service).

Oracle has updated glibc (OL7; OL6; OL5: code execution).

Red Hat has updated chromium-browser (RHEL6 Supplementary: multiple vulnerabilities), flash-plugin (RHEL5,6 Supplementary: multiple vulnerabilities), glibc (RHEL6,7; RHEL5; RHEL5.6, 5.9, 6.2, 6.4, 6.5: code execution), and kernel (RHEL6: denial of service).

Scientific Linux has updated glibc (SL6,7; SL5: code execution) and kernel (SL6: denial of service).

SUSE has updated glibc (SLE11, SLE10: code execution).

Ubuntu has updated eglibc (12.04, 10.04: code execution), openjdk-6 (12.04, 10.04: multiple vulnerabilities), and openjdk-7 (14.10, 14.04: multiple vulnerabilities).

Ars Technica has a report on GHOST, which is a critical vulnerability found in the GNU C library (glibc). "The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that's invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections." While the proof-of-concept used Exim, a wide variety of client and server programs call gethostbyname*(), often at the behest of a remote system (or attacker). Distributions have started putting out updates; users and administrators should plan on updating as soon as possible.

Greg Kroah-Hartman has released stable kernels 3.18.4, 3.14.30, and 3.10.66. All contain important fixes throughout the tree.

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities).

Debian has updated eglibc (multiple vulnerabilities), wireshark (denial of service), and xen (multiple vulnerabilities).

Fedora has updated python-django (F20: multiple vulnerabilities) and python-django14 (F20: multiple vulnerabilities).

openSUSE has updated flash-player (13.2, 13.1; 11.4: code execution).

Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and java-1.6.0-sun (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6: multiple vulnerabilities).

SUSE has updated flash-player (SLE12: code execution).

Ubuntu has updated oxide-qt (14.10, 14.04: multiple vulnerabilities) and firefox (14.10, 14.04, 12.04: regression in previous update).

The Python Software Foundation wraps up its 2014 retrospective. "On the technical side, the Python language grew with the releases of Python 2.7.9, 3.3.5, 3.4, and, in August, 3.4.1. Major new features of the 3.4 series, compared to 3.3 include "hundreds of small improvements and bug fixes." Additionally, Python 3.4.1 has many more advantages."

CentOS has updated jasper (C7: multiple vulnerabilities).

Debian has updated jasper (multiple vulnerabilities), mysql-5.5 (multiple vulnerabilities), polarssl (code execution), squid (denial of service), and websvn (information disclosure).

Debian-LTS has updated libevent (denial of service) and websvn (information disclosure).

Fedora has updated docker-io (F20: multiple vulnerabilities), grep (F21: heap buffer overrun), java-1.7.0-openjdk (F20: multiple vulnerabilities), java-1.8.0-openjdk (F21; F20: multiple vulnerabilities), kde-runtime (F20: misuse of crypto), kernel (F21: restriction bypass), python-django (F21: multiple vulnerabilities), and xdg-utils (F21: command injection).

Mageia has updated aircrack-ng (multiple vulnerabilities), chromium-browser-stable (multiple vulnerabilities), jasper (multiple vulnerabilities), and java-1.7.0-openjdk (multiple vulnerabilities).

openSUSE has updated Firefox (11.4: multiple vulnerabilities), libevent (13.2, 13.1: denial of service), openssl (13.2, 13.1: multiple vulnerabilities), shotwell, vala (13.2: heap buffer overflow), and thunderbird (13.2, 13.1: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: unspecified vulnerability) and vsftpd (SLES11 SP3: unauthorized access).

Ubuntu has updated ghostscript (10.04: multiple vulnerabilities), jasper (14.10, 14.04, 12.04: multiple vulnerabilities), and unbound (14.10, 14.04: denial of service).

Linus has released the 3.19-rc6 kernel prepatch. "I currently expect to make an rc7 next week, with the final 3.19 in two weeks, as per the usual schedule."

At Opensource.com, Jordi Mon introduces the biicode project, an open-source dependency-management system for C and C++ applications that is akin to Ruby Gems or the Python Package Index. It is a challenging goal, he says, "because there are approximately 4 million C/C++ developers, and both languages represent up to almost 20% of the world's code." The project was started as a proprietary service, and only recently transitioned into an open-source project.

CentOS has updated jasper (C6: multiple vulnerabilities).

openSUSE has updated dbus-1 (13.1, 13.2: multiple vulnerabilities), elfutils (13.1, 13.2: directory traversal), flash-player (13.1, 13.2: memory randomization circumvention), otrs (13.1, 13.2: authentication bypass), roundcubemail (13.2: cross-site request forgery), strongswan (13.1, 13.2: denial of service), and wireshark (13.1, 13.2: multiple vulnerabilities).

Oracle has updated jasper (O6; O7: multiple vulnerabilities).

Red Hat has updated jasper (RHEL6,7: multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), and java-1.8.0-oracle (RHEL6: multiple vulnerabilities).

Scientific Linux has updated jasper (SL6,7: multiple vulnerabilities).

SUSE has updated flash-player (memory randomization circumvention) and rpm (SLE12: multiple vulnerabilities).

Ubuntu has updated elfutils (directory traversal), mysql-5.5 (12.04, 14.04, 14.10): multiple vulnerabilities, and samba (14.04, 14.10: privilege escalation).

Flockport Labs has a two-part "LXC networking superguide" that covers a bunch of LXC networking concepts, as well as practical ideas on connecting containers (Part1 and Part 2). Part 1 starts with an introduction to LXC networking, then moves into extending layer 2 to remote hosts using a layer 3 tunnel. Part 2 looks at using LXC containers as routers. "We are going to create a bridge on 2 remote hosts over their public IPs and connect the bridges with Ethernet over GRE or L2tpv3 so containers connecting to these bridges are on the same layer 2 network. We will first show you how to do this with Ethernet over GRE and then L2tpv3. The main difference is Ethernet over GRE is less well known while L2tpv3 is more widely used for l2 extension and uses UDP, and thus could be more flexible."

Fedora has updated binutils (F21: two vulnerabilities), cross-binutils (F21; F20: multiple vulnerabilities), exiv2 (F21: denial of service), libsndfile (F21: code execution), and python-pillow (F21: denial of service).

Mageia has updated freeciv (code execution).

Oracle has updated java-1.7.0-openjdk (OL5: multiple vulnerabilities).

Red Hat has updated java-1.7.0-openjdk (RHEL6&7; RHEL5: multiple vulnerabilities), java-1.8.0-openjdk (RHEL6: multiple vulnerabilities), kernel (RHEL6.5: multiple vulnerabilities), and openssl (RHEL6&7: multiple vulnerabilities).

The LWN.net Weekly Edition for January 22, 2015 is available.

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), java-1.8.0-openjdk (C6: multiple vulnerabilities), and openssl (C7; C6: multiple vulnerabilities).

Debian has updated privoxy (use after free) and sympa (information disclosure).

Fedora has updated elfutils (F20: directory traversal), gd (F20: memory leak), libsndfile (F20: multiple vulnerabilities), and openssl (F20: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (OL7; OL6: multiple vulnerabilities), java-1.8.0-openjdk (OL6: multiple vulnerabilities), and openssl (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (SL6,7; SL5: multiple vulnerabilities), java-1.8.0-openjdk (SL6: multiple vulnerabilities), and openssl (SL6,7: multiple vulnerabilities).

Slackware has updated samba (privilege escalation).

SUSE has updated bind (SLE12: denial of service).