Debian has updated lucene-solr (multiple vulnerabilities) and nspr (code execution).

Fedora has updated dovecot (F19: denial of service), libfep (F20; F19: privilege escalation), lynis (F20: privilege escalation), mod_wsgi (F20; F19: two vulnerabilities), php (F20; F19: denial of service), php-doctrine-orm (F20; F19: denial of service), php-horde-Horde-Ldap (F19: check for empty passwords), php-phpunit-PHPUnit-MockObject (F20; F19: denial of service), and python-djblets (F20; F19: cross-site scripting).

openSUSE has updated miniupnpc (13.1, 12.3: denial of service), rxvt-unicode (13.1, 12.3: command execution), and typo3-cms-4_5 (13.1, 12.3: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities) and kernel (SLES11 SP1 LTSS: multiple vulnerabilities).

Ubuntu has updated apt (invalid source package authentication) and nova (14.04 LTS, 13.10, 12.04 LTS: multiple vulnerabilities).

The success of Android has brought Linux to many millions of new users and that, in turn, has increased the development community for Linux itself. But those who value free software and privacy can be forgiven for seeing Android as a step backward in some ways; Android systems include significant amounts of proprietary software, and they report vast amounts of information back to the Google mothership. But Android is, at its heart, an open-source system, meaning that it should be possible to cast it into a more freedom- and privacy-respecting form. Your editor has spent some time working on that goal; the good news is that it is indeed possible to create a (mostly) free system on the Android platform.

On his blog, Lennart Poettering writes about new systemd features that will make it easier to "factory reset" systems back to their initial configuration. By handling /etc and /var differently, it will also support other use cases, such as "stateless" systems that store no persistent configuration, as well as "reproducible" and "verifiable" systems. "Booting up a system without a populated /var is relatively straight-forward. With a few lines of tmpfiles configuration it is possible to populate /var with its basic structure in a way that is sufficient to make a system boot cleanly. systemd version 214 and newer ship with support for this. Of course, support for this scheme in systemd is only a small part of the solution. While a lot of software reconstructs the directory hierarchy it needs in /var automatically, many software does not. In case like this it is necessary to ship a couple of additional tmpfiles lines that setup up at boot-time the necessary files or directories in /var to make the software operate, similar to what RPM or DEB packages would set up at installation time. Booting up a system without a populated /etc is a more difficult task. In /etc we have a lot of configuration bits that are essential for the system to operate, for example and most importantly system user and group information in /etc/passwd and /etc/group. If the system boots up without /etc there must be a way to replicate the minimal information necessary in it, so that the system manages to boot up fully."

The Document Foundation (TDF) has announced a LibreOffice 4.3 bug hunting session on June 20-22. "The community has already made a large collective effort to make LibreOffice 4.3 the best ever, based on automated stress tests and structured tests by Quality Assurance volunteers. Enterprise and individual LibreOffice users can now contribute to the quality of the best free office suite ever by testing the release candidate to identify issues in their preferred user scenario." See the wiki page for more information about the hunt.

Threatpost reports that most Android devices are vulnerable to a privilege escalation flaw in the kernel. "Researchers at Lacoon Mobile Security are calling the bug “TowelRoot,” because it is the very same vulnerability (CVE-2014-3153) exploited in the latest Android rooting tool developed by George Hotz (Geohot). Successful exploitation of the Linux bug within the Android operating system would give the attacker administrative access to a victim’s phone. Specifically, such access could potentially allow that same attacker to run further malicious code, retrieve files and device data, bypass third-party or enterprise security applications including containers like Samsung’s secure Knox sub-operating system, and establish backdoors for future access on victim devices."

CentOS has updated kernel (Xen4CentOS: multiple vulnerabilities) and xen (Xen4CentOS: multiple vulnerabilities).

Debian has updated icedove (multiple vulnerabilities), openssl (multiple vulnerabilities), and php5 (code execution).

Fedora has updated kernel (F19: multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities) and cups-filters (multiple vulnerabilities).

openSUSE has updated sendmail (11.4; 12.3, 13.1: denial of service).

SUSE has updated GnuTLS (SUSE CORE 9: multiple vulnerabilities).

Ubuntu has updated libxml2 (regression in upstream update).

Stable kernels 3.15.1, 3.14.8, 3.10.44, and 3.4.94 have been released. All contain important fixes.

Debian has updated chromium-browser (multiple vulnerabilities).

Fedora has updated firefox (F19: multiple vulnerabilities), nspr (F19: multiple vulnerabilities), thunderbird (F20: multiple vulnerabilities), and xulrunner (F19: multiple vulnerabilities).

Gentoo has updated freeradius (code execution), gnutls (multiple vulnerabilities), kdirstat (command execution), libXfont (multiple vulnerabilities), lighttpd (multiple vulnerabilities), memcached (multiple vulnerabilities), and opera (multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

Mandriva has updated kernel (BS1.0: multiple vulnerabilities) and nspr (BS1.0, ES5.0: code execution).

openSUSE has updated flash-player (11.4; 12.3, 13.1: multiple vulnerabilities) and Mozilla (11.4: multiple vulnerabilities).

SUSE has updated GnuTLS (SLES10: multiple vulnerabilities) and kernel (SLE RTE11 SP3: privilege escalation).

Ars technica has put together a detailed history of Android so far. "Thanks to this 'cloud rot,' an Android retrospective won’t be possible in a few years. Early versions of Android will be empty, broken husks that won't function without cloud support. While it’s easy to think of this as a ways off, it's happening right now. While writing this piece, we ran into tons of apps that no longer function because the server support has been turned off. Early clients for Google Maps and the Android Market, for instance, are no longer able to communicate with Google."

Linus Torvalds has released the 3.16-rc1 kernel prepatch, thus closing the merge window. In the end, Torvalds picked up 11,364 non-merge commits for inclusion, making 3.16 the third busiest merge window ever (after 3.15 and 3.10). "It also looks fairly usual from a statistics standpoint: about two thirds of the changes are to drivers (and one third of *that* is to staging), and half of the remainder is architecture updates (with arm dominating, dts files leading - but there's mips, powerpc, x86 and arm64 there too). Outside of drivers and architecture updates, there's the usual mixture of changes elsewhere: filesystems (mainly reiserfs, xfs, btrfs, nfs), networking, "core" kernel (mm, locking, scheduler, tracing), and tooling (perf and power, also new self-tests)."

While stressing that it is a pre-release for testing (i.e. quality assurance or QA) purposes, the CentOS team has announced the availability of the CentOS 7 QA release. It can be downloaded from here. Packages are not GPG signed, are likely to be replaced "in place" as bugs are fixed, and upgrading from the QA release to the final release may not be possible (and will not be supported). But, unlike previous CentOS releases, it has been opened up to the community before the final release. "We appreciate any and all bug reports at http://bugs.centos.org (please also check upstream bugzilla.redhat.com and link to those bugs when filing a new CentOS issue), and assistance with the “Branding Hunt” (see http://lists.centos.org/pipermail/centos-devel/2014-June/010411.html)."