CentOS has updated mod_wsgi (C7: privilege escalation).
Fedora has updated file (F20: denial of service), fish (F20; F19: multiple vulnerabilities), libserf (F20: information leak), pen (F20: unspecified vulnerability), php-htmlpurifier-htmlpurifier (F20; F19: "Hash Length Extension" attack), phpMyAdmin (F20: multiple vulnerabilities), ppp (F20: privilege escalation), rubygem-activerecord (F20; F19: SQL injection), struts (F20: code execution), wordpress (F19: multiple vulnerabilities), and xen (F20; F19: denial of service).
Mageia has updated ansible (MG4: multiple vulnerabilities), bugzilla (cross-site request forgery), busybox (denial of service/possible code execution), jakarta-commons-httpclient (MG4; MG3: SSL server spoofing), and mednafen (denial of service/possible code execution).
Oracle has updated mod_wsgi (OL7: privilege escalation).
Red Hat has updated mod_wsgi (RHEL7: privilege escalation).
At his blog, Allan Day announces the preliminary availability of a brand-new edition of the GNOME Human Interface Guidelines (HIG). Prepared for the upcoming GNOME 3.14 release, this is the first major overhaul of the GNOME HIG in some time. Day notes: "There is a downside to all the experimentation that has been happening in software design in recent years, of course – it can often be a bewildering space to navigate. This is where the HIG comes in. Its goal is to help developers and designers take advantage of the new abilities at their disposal, without losing their way in the process. This is reflected in the structure of the new HIG: the guidelines don’t enforce a single template on which applications have to be based, but presents a series of patterns and elements which can be drawn upon." He also emphasizes that the new HIG, despite its name, is not a GNOME-only document, but is designed to aid interface design in other GTK+ applications, too.
Debian has updated python-imaging (denial of service).
Ubuntu has updated ceilometer (14.04: information leak), glance (14.04: denial of service), horizon (14.04: multiple vulnerabilities), keystone (14.04: multiple vulnerabilities), neutron (14.04: multiple vulnerabilities), and nova (14.04: information leak).
The Free Software Foundation blog has posted an article detailing a newly discovered government surveillance project as well as a new technological countermeasure. The surveillance project is known as HACIENDA, and is reportedly a multi-national effort "to map every server in twenty-seven countries, employing a technique known as port scanning." The countermeasure, developed by Julian Kirsch, Christian Grothoff, Jacob Appelbaum, and Holger Kenn, is called TCP Stealth. According to the TCP Stealth whitepaper, the system "replaces the traditional random TCP SQN number with a token that authenticates the client and (optionally) the first bytes of the TCP payload. Clients and servers can enable TCP Stealth by explicitly setting a socket option or linking against a library that wraps existing network system calls." A Linux implementation of the scheme is available.
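The mechanism described above, as an added example that is not part of the FSF article, the whitepaper, or the Linux implementation: a Python sketch of how an authenticating initial sequence number replaces the random one, and how the server side decides whether to answer a SYN. The token construction (HMAC-SHA256 over the 4-tuple, a 30-second time slice and a hash of the first payload bytes), the shared secret, the addresses and the time values are assumptions made for illustration, not the whitepaper's exact derivation.

```python
import hashlib
import hmac
import socket
import struct

# Assumed parameters (not from the whitepaper): the width of the time slice
# the token is bound to. A captured SYN stops validating once the slice and
# its successor have passed.
TIME_SLICE = 30


def _ip_bytes(addr: str) -> bytes:
    """Pack a dotted-quad IPv4 address into 4 network-order bytes."""
    return socket.inet_aton(addr)


def stealth_token(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                  slice_no: int, payload: bytes = b"") -> int:
    """Derive the 32-bit value the client puts in the SYN sequence field.

    The token binds the shared secret to the 4-tuple, a coarse timestamp and
    (optionally) the first payload bytes, so a scanner without the secret
    cannot produce it and a replayed SYN expires with the time slice.
    This layout is an assumption for the example.
    """
    ctx = b"".join([
        _ip_bytes(saddr), _ip_bytes(daddr),
        struct.pack("!HH", sport, dport),
        struct.pack("!Q", slice_no),
        hashlib.sha256(payload).digest(),  # empty payload hashes to a constant
    ])
    mac = hmac.new(secret, ctx, hashlib.sha256).digest()
    return struct.unpack("!I", mac[:4])[0]


def client_isn(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
               now: float, payload: bytes = b"") -> int:
    """Client side: the ISN to send in the SYN for the current time slice."""
    return stealth_token(secret, saddr, daddr, sport, dport,
                         int(now) // TIME_SLICE, payload)


def server_accepts(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                   isn: int, now: float, payload: bytes = b"") -> bool:
    """Server side: answer the SYN only if its sequence number matches the
    token for the current or the previous slice (tolerates clock skew).

    A kernel hook would use this verdict to choose between completing the
    handshake and silently dropping the SYN. Comparison is constant-time.
    """
    cur = int(now) // TIME_SLICE
    for slice_no in (cur, cur - 1):
        expected = stealth_token(secret, saddr, daddr, sport, dport,
                                 slice_no, payload)
        if hmac.compare_digest(struct.pack("!I", expected),
                               struct.pack("!I", isn)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: addresses from the documentation ranges,
    # a fixed secret and a fixed clock so the run is deterministic.
    secret = b"example-shared-secret"
    saddr, daddr, sport, dport, now = "192.0.2.10", "198.51.100.5", 40000, 22, 1408000000
    isn = client_isn(secret, saddr, daddr, sport, dport, now)
    print("legitimate SYN accepted:", server_accepts(secret, saddr, daddr, sport, dport, isn, now))
    print("scanner's guessed ISN accepted:",
          server_accepts(secret, saddr, daddr, sport, dport, (isn + 1) & 0xFFFFFFFF, now))
    print("replayed two slices later accepted:",
          server_accepts(secret, saddr, daddr, sport, dport, isn, now + 2 * TIME_SLICE))
```

A port scanner that sends SYNs carrying random sequence numbers fails the check, so the server can drop the SYN without replying and the service does not show up in a HACIENDA-style map. Binding the first payload bytes into the token means a connection that authenticates but then sends a different request is also refused; the one-slice grace period bounds how long a captured SYN remains replayable.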
Mageia has updated catfish (M3; M4: privilege escalation), gpgme (code execution), phpmyadmin (multiple vulnerabilities), python-imaging, python-pillow (denial of service), and subversion (M3; M4: information leak).
openSUSE has updated openstack-neutron (13.1: access restriction bypass), apache2 (12.3; 13.1: multiple vulnerabilities), apache2-mod_security2 (rules bypass), krb5 (code execution), openssl (multiple vulnerabilities), python (12.3; 13.1: information leak), python3 (13.1: information leak), and samba (13.1: multiple vulnerabilities).
Red Hat has updated openstack-nova (RHEL OpenStack: multiple vulnerabilities).
Ubuntu has updated oxide-qt (14.04: multiple vulnerabilities).
A project as large as GNOME consists of enough constituent parts that it can be a challenge just to keep up with the latest developments of the various applications, libraries, and infrastructure efforts. GUADEC 2014 in Strasbourg provided a number of opportunities to get up to speed on the various moving pieces. Of course, it is impossible to catch everything at a multi-track event, but there were still quite a few updates worth mentioning.
CentOS has updated qemu-kvm (C6: code execution).
Debian has updated cacti (multiple vulnerabilities).
Oracle has updated qemu-kvm (OL6: multiple vulnerabilities).
Ubuntu has updated openjdk-7 (14.04 LTS: multiple vulnerabilities).
Oracle has updated nss, nss-util, nss-softokn (OL7: incorrect wildcard certificate handling).
Red Hat has updated qemu-kvm (RHEL6: multiple vulnerabilities).
Scientific Linux has updated qemu-kvm (SL6: multiple vulnerabilities).
SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities).
Ubuntu has updated openssl (10.04 LTS: regression in previous update).