A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.
Debian-LTS has updated libgd2 (denial of service).
Mageia has updated apache (HTTP redirect), harfbuzz (multiple vulnerabilities), libgd (three vulnerabilities), libidn (multiple vulnerabilities), libupnp (unauthenticated access), libxml2 (multiple vulnerabilities), mariadb (multiple vulnerabilities), mupdf (denial of service), php/xmlrpc-epi/timezone (multiple vulnerabilities), sudo (race condition), tomcat/apache-commons-fileupload (denial of service), and virtualbox (allows local users to affect availability).
Debian has updated ntp (multiple vulnerabilities).
Debian-LTS has updated cacti (three vulnerabilities), dietlibc (insecure default PATH), gosa (code injection), ntp (multiple vulnerabilities), squid (cache poisoning), and uclibc (three vulnerabilities).
Debian-LTS has updated squid3 (denial of service).
Fedora has updated ca-certificates (F24: certificate update), gd (F24: multiple vulnerabilities), httpd (F24: HTTP redirect), kf5-karchive (F24; F23: command execution; over a hundred related KDE Frameworks packages were included in this update), libgcrypt (F24: key leak), libidn (F24: multiple vulnerabilities), libvirt (F24: authentication bypass), and mingw-gnutls (F24: certificate verification vulnerability).
Slackware has updated bind (denial of service).
At his blog, Matthias Clasen explores the recent enhancements to the classic GNU gettext utility. Thanks in large part to new maintainer Daiki Ueno, gettext now understands many more file formats—thus enabling developers to easily extract strings from a wide variety of source files for translation. In addition to programming languages, Clasen notes, gettext understands .desktop files, GSettings schemas, GtkBuilder ui files, and Appdata files. "If you don’t want to wait for your favorite format to come with built-in its support, you can also include its files with your application; gettext will look for such files in $XDG_DATA_DIRS/gettext/its/."
Arch Linux has updated drupal (proxy injection).
Debian-LTS has updated python-django (cross-site scripting).
openSUSE has updated p7zip (13.1: code execution).
Ubuntu has updated mysql-5.5, mysql-5.6, mysql-5.7 (12.04, 14.04, 15.10, 16.04: multiple vulnerabilities).
EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment
Arch Linux has updated bind (denial of service).
Debian-LTS has updated libarchive (multiple vulnerabilities, most from 2015).
openSUSE has updated dhcp (42.1: denial of service).
Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), and openstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015).
Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).
SUSE has updated obs-service-source_validator (SLE12: code execution).
Debian has updated apache2 (HTTP redirect).
Debian-LTS has updated apache2 (HTTP redirect).
Gentoo has updated ansible (code execution), arpwatch (privilege escalation from 2012), bugzilla (multiple vulnerabilities from 2014), commons-beanutils (code execution from 2014), dropbear (information disclosure), exim (code execution from 2014), libbsd (denial of service), ntp (many vulnerabilities), and varnish (access control bypass).
Red Hat has updated java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).
SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities).
Ubuntu has updated python-django (16.04: cross-site scripting).