LWN.net's Journal
 

Friday, June 12th, 2015

    Time Event
    3:12a
    The hidden costs of embargoes (Red Hat Security Blog)
    Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping information about a security vulnerability quiet until distributions can coordinate their releases of a fix for it seems to make a lot of sense, but there are hidden costs to that. "Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for 'because of an incomplete fix for'."
    3:21p
    Friday's security updates

    Arch Linux has updated openssl (multiple vulnerabilities).

    Debian-LTS has updated imagemagick (multiple vulnerabilities) and strongswan (information disclosure).

    Fedora has updated qemu (F22: denial of service).

    openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities), python-setuptools (13.1: non-secure SSL hostname matching), and tidy (13.1, 13.2: buffer overflow).

    Oracle has updated wpa_supplicant (O7: multiple vulnerabilities).

    Red Hat has updated wpa_supplicant (RHEL7: multiple vulnerabilities).

    Scientific Linux has updated wpa_supplicant (SL7: multiple vulnerabilities).

    Slackware has updated openssl (multiple vulnerabilities) and php (S14: multiple vulnerabilities).

    SUSE has updated cups (SLE12: multiple vulnerabilities), cups154 (SLE12: multiple vulnerabilities), flash-player (SLE12: multiple vulnerabilities), and xen (SLE11 SP3; SLE12: multiple vulnerabilities).

    Ubuntu has updated openssl (multiple vulnerabilities).

    7:48p
    MATE 1.10 released

    Version 1.10 of the MATE Desktop has been released. Perhaps the most notable new feature is that all MATE components can now be built with GTK+2 or GTK+3, although GTK+3 support is still labeled "experimental." Also new in this update are ePub support in the Atril document viewer and a new audio-mixing library named libmatemixer.

    10:12p
    TeX Live 2015 is available

    The 2015 edition of the TeX Live software distribution, the "easy way to get up and running with the TeX document production system," has been released. DVDs are in production for members of the TeX Users Group (TUG), though many will probably prefer the downloadable release. The changes included in this edition include the merging of several LaTeX fixes from external packages into LaTeX itself, JPEG Exif support in pdfTeX, and image-handling fixes in XeTeX.
