X.Org has disclosed a long list of vulnerabilities that have been fixed in the X Window System client libraries; most of them expose clients to attacks by a hostile server. "Most of the time X clients & servers are run by the same user, with the server more privileged from the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges." There are 30 CVE numbers assigned to these vulnerabilities; expect the distributor updates to start flowing shortly.

Sarah Sharp reports on the response to the availability of a set of Outreach Program for Women internships working on the Linux kernel. "As coordinator for the Linux kernel OPW project, I was really worried about whether applicants would be able to get patches into the kernel. Everyone knows that kernel maintainers are the pickiest bastards^Wperfectionists about coding style, getting the proper Signed-off-by, sending plain text email, etc. I thought a couple applicants would be able to complete maybe one or two patches, tops. Boy was I wrong!" In the end, 41 applicants submitted 374 patches to the kernel, of which 137 were accepted.

The Qt Blog introduces "Boot to Qt", which is "a light-weight UI stack for embedded linux, based on the Qt Framework - Boot to Qt is built on an Android kernel/baselayer and offers an elegant means of developing beautiful and performant embedded devices." Access is invitation-only currently; a release is forecast for sometime around the end of the year.

Debian has updated request-tracker4 (eight CVE numbers), and the kfreebsd kernel (code execution).

Fedora has updated python-virtualenv (F17, F18: temporary file and information disclosure vulnerabilities), krb5 (F17, "UDP ping-pong vulnerability" from 2002), and nginx (F18: denial of service and information disclosure).

openSUSE has updated samba (CIFS share attribute verification failure).

Oracle has updated kernel (EL5: denial of service).

Red Hat has updated java-1.5.0-ibm (RHEL5-6: 16 "unspecified" vulnerabilities).

The LWN.net Weekly Edition for May 23, 2013 is available.

Google has announced that it will be phasing out the file download feature for projects hosted on Google Code. "Downloads were implemented by Project Hosting on Google Code to enable open source projects to make their files available for public download. Unfortunately, downloads have become a source of abuse with a significant increase in incidents recently. Due to this increasing misuse of the service and a desire to keep our community safe and secure, we are deprecating downloads."

GigaOM asserts that Google will be taking over the desktop (regardless of the underlying operating system) with its Chrome browser. "For many Chrome is just a browser. For others who use a Chromebox or Chromebook, like myself, it’s my full-time operating system. The general consensus is that Chrome OS, the platform used on these devices, can only browse the web and run either extensions and web apps; something any browser can do. Simply put, the general consensus is wrong and the signs are everywhere."

The Electronic Frontier Foundation has sent out a release about how the US state of Vermont is going on the offensive against patent trolls. "Not content to strike back against a single troll, Vermont is also poised to pass a bill dealing with the problem as a whole. The Vermont House and Senate recently passed a bill to combat 'bad faith assertions of patent infringement'. And the latest word is that Vermont's governor is about to sign it into law."

Designing an enumeration type (i.e. "enum") for a language may seem like a straightforward exercise, but the recently "completed" discussions over Python's PEP 435 show that it has a few wrinkles. The discussion spanned several long threads in two mailing lists (python-ideas, python-devel) going back to January in this particular iteration, but the idea is far older than that. Subscribers can click below for the full article from this week's edition.

CentOS has updated kernel (C5: denial of service).

Fedora has updated gallery3 (F18; F17: cross-site scripting) and openstack-keystone (F18: multiple vulnerabilities).

Mandriva has updated krb5 (UDP ping-pong flaw in kpasswd).

Red Hat has updated kernel (RHEL5: denial of service).

Scientific Linux has updated kernel (SL5: denial of service).

SUSE has updated java-1_6_0-openjdk (multiple vulnerabilities) and kernel (privilege escalation).

Ubuntu has updated libtiff (two vulnerabilities).

While it is not an official Debian release, the Debian GNU/Hurd team has announced the release of Debian GNU/Hurd 2013. GNU Hurd is a Unix-style kernel based on the Mach microkernel and Debian GNU/Hurd makes much of the Debian system available atop that kernel.

Debian GNU/Hurd is currently available for the i386 architecture with more than 10.000 software packages available (more than 75% of the Debian archive, and more to come!).

Please make sure to read the configuration information, the FAQ, and the translator primer to get a grasp of the great features of GNU/Hurd.

Due to the very small number of developers, our progress of the project has not been as fast as other successful operating systems, but we believe to have reached a very decent state, even with our limited resources.

Local privilege escalations seem to be regularly found in the Linux kernel these days, but they usually aren't quite so old—more than two years since the release of 2.6.37—or backported into even earlier kernels. But CVE-2013-2094 is just that kind of bug, with a now-public exploit that apparently dates back to 2010.

Click below (subscribers only) for LWN's look at this vulnerability.

Version 1.5.0 of the QEMU hardware emulator is out. "This release was developed in a little more than 90 days by over 130 unique authors averaging 20 commits a day. This represents a year-to-year growth of over 38 percent making it the most active release in QEMU history." Some of the new features include KVM-on-ARM support, a native GTK+ user interface, and lots of hardware support and performance improvements. See the change log for lots of details.

Fedora has updated tomcat (F18; F17: information disclosure) and krb5 (F18: UDP ping-pong flaw in kpasswd).

openSUSE has updated tiff (12.2; 12.1: buffer overflows) and clamav (12.2; 12.1: multiple vulnerabilities).

Red Hat has updated kernel-rt (multiple vulnerabilities) and kernel (RHEL 6.2 EUS; RHEL 6.1 EUS: privilege escalation).

Slackware has updated kernel (privilege escalation).

A new kernel tracing tool called "ktap" has made its first release. "KTAP have different design principles from Linux mainstream dynamic tracing language in that it's based on bytecode, so it doesn't depend upon GCC, doesn't require compiling a kernel module, safe to use in production environment, fulfilling the embedded ecosystem's tracing needs." It's in an early state; the project is looking for testers and contributors.

The second 3.10 kernel prepatch is out for testing. "For being an -rc2, it's not unreasonably sized, but I did take a few pulls that I wouldn't have taken later in the rc series. So it's not exactly small either. We've got arch updates (PPC, MIPS, PA-RISC), we've got driver fixes (net, gpu, target, xen), and we've got filesystem updates (btrfs, ext4 and cepth - rbd)."

Fedora has updated mediawiki (F18; F17: multiple vulnerabilities) and libtiff (F17: buffer overflows).

Mageia has updated kernel (multiple vulnerabilities), kernel-linus (multiple vulnerabilities), kernel-tmb (multiple vulnerabilities), kernel-rt (multiple vulnerabilities), and kernel-vserver (multiple vulnerabilities).

openSUSE has updated telepathy-idle (certificate validation error) and gnutls (plaintext recovery).

SUSE has updated acroread (multiple vulnerabilities), and oracle-update (SM 1.7; SM 1.2: multiple vulnerabilities).

Greg Kroah-Hartman has announced the release of the 3.9.3, 3.4.46, and 3.0.79 stable kernels. As always, they contain important fixes throughout the tree, so users should upgrade.

The NetBSD Project has announced NetBSD 6.1, the first feature update of the NetBSD 6 release branch. "It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements." See the changelog for details.

The much-delayed Mageia 3 release is out. "We dedicate this release to the memory of Eugeni Dodonov, our friend, our colleague and a great inspiration to those he left behind. We miss his brilliance, his courtesy and his dedication." Changes include an RPM upgrade, the 3.8 kernel, availability of GRUB2 (but GRUB is still the default bootloader), and more. See the release notes for lots of details.