Arch Linux has updated gnutls (certificate verification bypass), lib32-gnutls (certificate verification bypass), lib32-openssl (multiple vulnerabilities), openssl (multiple vulnerabilities), and wireshark-cli (multiple vulnerabilities).
Debian-LTS has updated firefox-esr (multiple vulnerabilities).
Fedora has updated community-mysql (F24: SQL injection/privilege escalation).
Red Hat has updated openssl (RHEL6,7: multiple vulnerabilities).
Slackware has updated openssl (denial of service).
SUSE has updated openssl (SLES12: multiple vulnerabilities).
Ubuntu has updated python-django (cross-site request forgery).
Some time ago, we published a pair of articles about systemd programming that extolled the value of providing high-quality unit files in upstream packages. The hope was that all distributions would use them and that problems could be fixed centrally rather than each distribution fixing its own problems independently. Now, 30 months later, it seems like a good time to see how well that worked out for nfs-utils, the focus of much of that discussion. Did distributors benefit from upstream unit files, and what sort of problems were encountered?
Mageia has updated gdk-pixbuf2.0 (denial of service), golang (denial of service), libarchive (file overwrite), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), and wireshark (multiple vulnerabilities).
openSUSE has updated curl (Leap42.1: multiple vulnerabilities), flash-player (13.1: multiple vulnerabilities), gd (Leap42.1: multiple vulnerabilities), gtk2 (Leap42.1; 13.2: code execution), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), samba (Leap42.1: crypto downgrade), thunderbird (13.1: multiple vulnerabilities), tiff (13.1: multiple vulnerabilities), and wpa_supplicant (Leap42.1: multiple vulnerabilities).
Slackware has updated php (multiple vulnerabilities).
Ubuntu has updated openssl (regression in previous update).
Evan Prodromou, creator of identi.ca and pump.io, has put a call out for interested parties to adopt the administration of public pump.io microblogging servers, which he is currently funding out of his own pocket. "Almost all of them are on $5/month Digital Ocean droplets, which makes them relatively cheap for a single person to support. If you decide you want to adopt a server, E14N will sell you the domain and all the software and data for $1. But you'll be obligated to keep the server running pump.io for at least a year, and if you decide you don't want to run it, you have to sell it back to me." There are currently around 25 servers in the federated network initially started by Prodromou, which does not count other pump.io instances. He notes that one important exception is the identi.ca site, which is significantly larger than the rest, and which he would like to find a trusted non-profit organization to maintain.
At his blog, Kyle E. Mitchell ("who is not your attorney") takes a close, line-by-line reading of the popular MIT software license. The details he points out begin on line one with the license's title: "'The MIT License' is not a single license, but a family of license forms derived from language prepared for releases from the Massachusetts Institute of Technology. It has seen a lot of changes over the years, both for the original projects that used it, and also as a model for other projects. The Fedora Project maintains a kind of cabinet of MIT license curiosities, with insipid variations preserved in plain text like anatomical specimens in formaldehyde, tracing a wayward kind of evolution."
Despite the license being only 171 words, Mitchell finds quite a bit to expand on, such as the ambiguities of the phrase "to deal in the Software without restriction": "As a result of this mishmash of legal, industry, general-intellectual-property, and general-use terms, it isn’t clear whether The MIT License includes a patent license. The general language 'deal in' and some of the example verbs, especially 'use', point toward a patent license, albeit a very unclear one. The fact that the license comes from the copyright holder, who may or may not have patent rights in inventions in the software, as well as most of the example verbs and the definition of 'the Software' itself, all point strongly toward a copyright license." Nevertheless, Mitchell notes, "despite some crusty verbiage and lawyerly affectation, one hundred and seventy one little words can get a hell of a lot of legal work done."
Debian has updated firefox-esr (multiple vulnerabilities).
Debian-LTS has updated wordpress (multiple vulnerabilities).
Fedora has updated distribution-gpg-keys (F23: privilege escalation), mock (F23: privilege escalation), openvas-libraries (F24; F23: multiple vulnerabilities), openvas-scanner (F24; F23: denial of service), and shiro (F24: access control bypass).
openSUSE has updated pdns (13.2, Leap 42.1: multiple vulnerabilities).
Ubuntu has updated openssl (12.04, 14.04, 16.04: multiple vulnerabilities).
Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities).
Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection).
openSUSE has updated opera (multiple vulnerabilities).
Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities).
SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability).
Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.
Debian has updated wireshark (multiple vulnerabilities).
Debian-LTS has updated unadf (two vulnerabilities).
Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities).
SUSE has updated mysql (SLE11-SP3,4: multiple unspecified vulnerabilities).