The third 3.13 prepatch is available for testing. Linus says: "I'm still on a Friday release schedule, although I hope that changes soon - the reason I didn't drag this one out to Sunday is that it's already big enough, and I'll wait until things start calming down. Which they really should, at this point. Hint hint."

CentOS has updated kernel (information leak), nspr (multiple vulnerabilities), and nss (multiple vulnerabilities).

Gentoo has updated swi-prolog (multiple vulnerabilities).

Oracle has updated kernel (O5: multiple vulnerabilities) and nss, nspr (O5: multiple vulnerabilities).

Red Hat has updated kernel (RHEL5, information leak; RHEL6, multiple vulnerabilities) and nss, nspr (RHEL5: multiple vulnerabilities).

Slackware has updated hplip (code execution), mozilla-nss (multiple vulnerabilities), mozilla-thunderbird (multiple vulnerabilities), and seamonkey (multiple vulnerabilities).

SUSE has updated ruby (multiple vulnerabilities).

Ubuntu has updated curl (information disclosure).

TorrentFreak writes about a potentially troubling court decision in Germany. A company called Appwork has been threatened with a large fine for functionality committed to its open-source downloader (JDownloader2) repository by a non-employee: "“In our case, even when we didn’t even know about the functionality, which was part of an open source binary one of our open source developers used (rtmpdump), we were held liable anyway. Not from the moment on that we got notified about it, but even before,” he [Alex from Appwork] explains. “This means that if any company or individual wants to use an open (or closed) source binary (commercial or not), they are liable for it if it contains any illegal functions. This practically means they are obligated to check every single line of code, which is almost impossible for smaller projects.”" (Thanks to Martin Jeppesen.)

Debian has updated ruby1.8 (three vulnerabilities) and ruby1.9.1 (code execution).

openSUSE has updated horde5 (12.3: privilege escalation) and ibus-pinyin (13.1: password disclosure).

Bill McCloskey has posted an extensive writeup on the work to decompose Firefox into a multiprocess application. "Multiprocess Firefox depends on a new Firefox feature called off main thread compositing (OMTC). In brief, each Firefox window is broken into a series of layers, somewhat similar to layers in Photoshop. Each time Firefox draws, these layers are submitted to a compositor thread that clips and translates the layers and combines them together into a single image that is then drawn."

The LWN.net Weekly Edition for December 5, 2013 is available.

Greg KH has released stable kernels 3.12.3, 3.10.22, and 3.4.72. All contain the usual set of important fixes.

Deadline scheduling was first covered here in 2009. Like much of the code in the realtime tree, though, deadline scheduling appears not to be subject to deadlines when it comes to being merged into the mainline. That said, it seems entirely possible that this longstanding project will land in a stable kernel release fairly soon, so a look at the status of this patch set, and the proposed ABI in particular, seems in order.

Click below (subscribers only) for the full article from this week's Kernel Page.

CentOS has updated gimp (C6; C5: code execution) and mod_nss (C6; C5: access with invalid client certificate).

Fedora has updated monitorix (F18: unspecified vulnerability), python-keyring (F19: weak cryptography), and ruby (F19: code execution).

Oracle has updated gimp (OL6; OL5: code execution) and mod_nss (OL5; OL6: access with invalid client certificate).

Red Hat has updated gimp (RHEL5&6: code execution) and mod_nss (RHEL5&6: access with invalid client certificate).

Scientific Linux has updated 389-ds-base (SL6: denial of service), augeas (SL6: file overwrite and information leak), glibc (SL6: multiple vulnerabilities), libguestfs (SL6: insecure temporary directory), luci (SL6: two vulnerabilities), openssh (SL6: denial of service), pacemaker (SL6: denial of service), php (SL6: multiple vulnerabilities), python (SL6: man in the middle attack), ruby (SL6: code execution), samba (SL6: multiple vulnerabilities), and samba4 (SL6: denial of service).

Ubuntu has updated EC2 kernel (10.04 LTS: multiple vulnerabilities), kernel (10.04 LTS; 12.04 LTS; 12.10; 13.04: multiple vulnerabilities), linux-lts-quantal (12.04 LTS: multiple vulnerabilities), linux-lts-raring (12.04 LTS: multiple vulnerabilities), linux-lts-saucy (12.04 LTS: multiple vulnerabilities), linux-ti-omap4 (12.04 LTS; 12.10; 13.04: multiple vulnerabilities), and pixman (denial of service).

Matthew Garrett demonstrates how to use the kexec() system call to change parameters in a running kernel. "The beauty of this approach is that it doesn't rely on any kernel bugs - it's using kernel functionality that was explicitly designed to let you do this kind of thing (ie, run arbitrary code in ring 0). There's not really any way to fix it beyond adding a new system call that has rather tighter restrictions on the binaries that can be loaded. If you're using signed modules but still permit kexec, you're not really adding any additional security."

Philip Herron has announced the availability of a GCC frontend allowing it to compile programs in the Rust language. It is currently in an early stage but is able to compile a number of programs. "There is still a lot of work but i would really like to share it and see what people think. Personally i think rust will target GCC very well and be a good addition (if / when it works)."

Debian has updated openjpeg (multiple vulnerabilities).

Fedora has updated 389-ds-base (F19: denial of service) and krb5 (F19: two denial of service flaws).

Gentoo has updated busybox (multiple vulnerabilities, one from 2006), glibc (multiple vulnerabilities going back to 2009), libtheora (code execution, from 2009), and openssl (multiple vulnerabilities going back to 2011).

SUSE has updated mozilla-nspr, mozilla-nss (multiple vulnerabilities).

The Symantec blog has a report of a new Linux worm capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. "The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013."

Dan Geer has posted the transcript of his "Trends in cyber security" talk presented to the US National Reconnaissance Office in early November. "The trendline in the number of critical monocultures seems to be rising and many of these are embedded systems both without a remote management interface and long lived. That combination -- long lived and not reachable -- is the trend that must be reversed. Whether to insist that embedded devices self destruct at some age or that remote management of them be a condition of deployment is the question. In either case, the Internet of Things and the appearance of microcontrollers in seemingly every computing device should raise hackles on every neck."

Fedora has updated drupal7 (F19: multiple vulnerabilities), mediawiki (F18; F19: multiple vulnerabilities), mingw-curl (F19: unchecked ssl certificate host name), and nginx (F19: security restriction bypass).

Debian Project Leader Lucas Nussbaum has announced the appointment of Keith Packard to the project's Technical Committee. Keith will be getting off to a running start; one of the first things the committee has to do is to resolve the issue of which init system the Debian distribution will use by default. (See this message for a description of the process that led to Keith's nomination).

Version 1.2 of the Go language has been released. "This new release comes nearly seven months after the release of Go 1.1 in May, a much shorter period than the 14 months between 1.1 and 1.0. We anticipate a comparable interval between future major releases." See the release notes for details on the changes this time around, which include three-index slices, a preemptive goroutine scheduler, a test coverage analyzer, and more.

After taking a few days to eat too much over the US Thanksgiving holiday, it seemed time to clear the decks for next week by putting out the security advisories that had accumulated over the four days.

Debian has updated links2 (integer overflow), nbd (access restriction bypass), and sup-mail (two command injection flaws).

Fedora has updated kernel (F18: denial of service).

Gentoo has updated cpio (code execution from 2010), namazu (multiple vulnerabilities from 2009 and 2011), okular (code execution from 2010), perl (multiple vulnerabilities from 2008-2011), rssh (two command injections from 2012), and unbound (two denial of service flaws from 2011).

Mageia has updated 389-ds-base (denial of service), busybox (privilege escalation), drupal (multiple vulnerabilities), ganglia-web (cross-site scriptin), gnutls (code execution), graphicsmagick (denial of service), moodle (multiple vulnerabilities), polarssl (insecure private key), quassel (information leak), and subversion (two vulnerabilities).

openSUSE has updated seamonkey (12.3: multiple vulnerabilities), chromium (12.2; 12.3: multiple vulnerabilities), librsvg (12.x: denial of service), nginx (11.4: security restriction bypass), nginx-1.0 (12.2: security restriction bypass), and samba (11.4; 12.x: access restriction bypass).

Oracle has updated evolution (OL6: encrypt to unintended recipient), kernel (OL6: multiple vulnerabilities), kernel (OL6; OL5; OL6; OL5: multiple vulnerabilities), libguestfs (OL6: insecure tmp directory usage), openssh (OL6: denial of service from 2010), python (OL6: man-in-the-middle spoofing vulnerability), qemu-kvm (OL6: multiple vulnerabilities, one from 2012), ruby (OL6: code execution), and xorg-x11-server (OL6: two vulnerabilities).

Ubuntu has updated ruby1.8 and ruby1.9.1 (two vulnerabilities).

The 3.13-rc2 prepatch is out. Linus says: "We're back on the normal weekly schedule, although I'm planning on eventually slipping back to a Sunday release schedule. In the meantime, it's like Xmas every Friday! Or, perhaps more appropriately for the date, Hanukkah."

Greg KH has released stable kernels 3.12.2, 3.11.10, 3.10.21, and 3.4.71. All contain important fixes. There will be no more updates for the 3.11.x series. Users of 3.11.x should move to 3.12.x.