openSUSE has updated expat (Leap42.1: code execution), gd (13.2: information leak), glibc (13.2: multiple vulnerabilities), GraphicsMagick (Leap42.1; 13.2: command execution), libimobiledevice, libusbmuxd (Leap42.1, 13.2: sockets listening on INADDR_ANY), libksba (Leap42.1: denial of service), and php5 (Leap42.1: multiple vulnerabilities).
SUSE has updated expat (SLE11-SP4: code execution).
Debian has updated spice (two vulnerabilities).
openSUSE has updated clamav-database (Leap42.1: database refresh).
Red Hat has updated glibc (RHEL6.5: sends DNS queries to random file descriptors), jenkins (RHOSE3.2: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).
SUSE has updated expat (SLE12-SP1: code execution).
Debian-LTS has updated libxml2 (multiple vulnerabilities).
Fedora has updated php (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), roundcubemail (F23; F22: cross-site scripting), sudo (F23: information leak), and xen (F23: multiple vulnerabilities).
Slackware has updated ntp (multiple vulnerabilities).
SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities).
At his blog, Gunnar Wolf urges developers to stop using "short" (eight hex-digit) PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild. The possibility of short-ID collisions has been known for a while, but it is still disconcerting to see in the wild. "Those three keys are not (yet?) uploaded to the keyservers, though... But we can expect them to appear at any point in the future. We don't know who is behind this, or what his purpose is. We just know this looks very evil."
Wolf goes on to note that short IDs are not merely human-readable conveniences, but are actually used to identify PGP keys in some software programs. To mitigate the risk, he recommends configuring GnuPG to never show short IDs, ensuring that other programs do not consume short IDs, and to "only sign somebody else's key if you see and verify its full fingerprint. [...] And there are surely many other important recommendations. But this is a good set of points to start with."
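As an added illustration of why the short ID is so weak (this is not code from Wolf's post or from GnuPG), the Python below derives an OpenPGP v4 fingerprint as RFC 4880 specifies and shows that the long and short key IDs are simply its trailing 64 and 32 bits; the key material is a constructed toy, and `matches_full_fingerprint` is a hypothetical check that refuses to accept anything shorter than a complete fingerprint.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """RFC 4880 3.2 multiprecision integer: 2-octet bit length + magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 5.5.2): version octet,
    4-octet creation time, algorithm 1 (RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(key_body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()

def long_key_id(fpr: bytes) -> str:
    return fpr[-8:].hex().upper()   # low 64 bits of the fingerprint

def short_key_id(fpr: bytes) -> str:
    return fpr[-4:].hex().upper()   # low 32 bits: only 2**32 distinct values exist

def matches_full_fingerprint(key_body: bytes, expected: str) -> bool:
    """Hypothetical check: compare a key only against a full 160-bit fingerprint.
    A short or long key ID is rejected outright, so a caller cannot mistake an
    8- or 16-digit ID match for verification."""
    expected = expected.replace(" ", "").upper()
    if len(expected) != 40 or any(c not in "0123456789ABCDEF" for c in expected):
        raise ValueError("expected a full 40-hex-digit fingerprint, got %r" % expected)
    return hmac.compare_digest(v4_fingerprint(key_body).hex().upper(), expected)

# Constructed toy key for illustration only; the modulus is far too small to be real.
TOY_KEY = v4_rsa_public_key_body(created=1464739200, n=0xC0FFEE1234567890ABCDEF, e=65537)

if __name__ == "__main__":
    fpr = v4_fingerprint(TOY_KEY)
    print("fingerprint:", fpr.hex().upper())
    print("long id:    ", long_key_id(fpr))
    print("short id:   ", short_key_id(fpr))
```

For the GnuPG side of Wolf's advice, `keyid-format 0xlong` in gpg.conf makes the tool display 16-digit IDs instead of the 8-digit form.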
Debian has updated libxml2 (multiple vulnerabilities).
Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), libgd (M5: multiple vulnerabilities), nginx (M5: denial of service), pgpdump (M5: buffer overrun), and php (M5: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
Ubuntu has updated nginx (14.04, 15.10, 16.04: denial of service).
At OSCON 2016 in Austin, a panel of invited experts debated the always-thorny subject of how open-source software projects deal with patents. The panel was packed, featuring representatives from the free-software world, commerce, and the legal community, so there was scarcely enough time to move through the prepared topics in the time allotted, much less to take questions from the audience. But the discussion was able to highlight a number of current issues, including patent abolition, implicit patent licenses, and where the open-source community should focus its efforts to improve matters.
Debian has updated nginx (denial of service).
Fedora has updated compat-nettle27 (F23: improper cryptographic calculations), dosfstools (F22: two vulnerabilities), gd (F23: two vulnerabilities), kernel (F23; F22: multiple vulnerabilities), libimobiledevice (F22: sockets listening on INADDR_ANY), libusbmuxd (F22: sockets listening on INADDR_ANY), and phpMyAdmin (F23: three vulnerabilities).
Ubuntu has updated imagemagick (multiple vulnerabilities).
Click below (subscribers only) for the full article from Neil Brown.