Debian has updated openssl (denial of service).

Fedora has updated net-snmp (F20; F19; F18: denial of service) and openstack-nova (F20: restriction bypass).

Gentoo has updated dhcp (denial of service), gajim (man-in-the-middle attack), nagstamon (information disclosure), and python (multiple vulnerabilities).

Red Hat has updated ruby193-rubygem-actionpack (multiple vulnerabilities).

SUSE has updated openssl-certs (SLE 11: updated certificates) and Samba (SLE 11: multiple vulnerabilities).

Ubuntu has updated puppet (13.10, 13.04, 12.10, 12.04 LTS: insecure temporary files).

Debian has updated asterisk (denial of service) and devscripts (code execution).

Fedora has updated mingw-openjpeg (F20; F19: denial of service), nss (F19: certificate update), and poppler (F20: denial of service).

Gentoo has updated libgdiplus (code execution from 2010).

Mageia has updated cxf (denial of service), firefox, thunderbird (multiple vulnerabilities), librsvg (denial of service), nodejs (multiple vulnerabilities), openjpeg (multiple vulnerabilities), openssl (denial of service), ruby (code execution), and xml-security (xml signature spoofing).

openSUSE has updated acroread (end-of-life), libvirt (13.1: denial of service), nagios (13.1, 12.x: denial of service), openssl (12.3; 13.1; 12.2: denial of service), pixman (12.3; 12.2; 13.1: denial of service), rubygem-actionpack-2_3 (11.4: multiple vulnerabilities), rubygem-actionpack-3_2 (13.1, 12.x: multiple vulnerabilities), seamonkey (13.1, 12.x: multiple vulnerabilities), thttpd (11.4: world readable logfile), and wireshark (12.x; 13.1; 11.4: multiple vulnerabilities).

SUSE has updated WebYaST (privilege escalation).

Libre Graphics World has an introduction to Valentina, an open source pattern design and editing application. Patternmaking is a niche with few options available; "fashion designers who are only starting their business are mostly locked between expensive software products they cannot afford, rather simplistic free-as-in-lunch applications, and various generic CAD systems (from affordable to pirated expensive ones) that don't make it easy"—where "expensive" evidently runs in the five-figure range. Valentina and a few other free software projects are making progress, though there is clearly quite a lot remaining to be done.

Fedora has updated devscripts (F20: file deletion), gitolite3 (F18; F19: world writable files), and thunderbird (F18: multiple vulnerabilities).

Ubuntu has updated EC2 kernel (10.04: multiple vulnerabilities), kernel (10.04; 12.04; 12.10 13.04; 13.10: multiple vulnerabilities), linux-lts-quantal (multiple vulnerabilities), linux-lts-raring (multiple vulnerabilities), linux-lts-saucy (multiple vulnerabilities), and linux-ti-omap4 (12.04; 12.10; 13.04; 13.10: multiple vulnerabilities).

The bzr version control system is dying; by most measures it is already moribund. The dev list has flatlined, most of Canonical's in-house projects have abandoned bzr for git, and one of its senior developers has written a remarkably candid assessment of why bzr failed:

http://www.stationary-traveller.eu/pages/bzr-a-retrospective.html

I urge all Emacs developers to read this, then sleep on it, then read it again - not least because I think Emacs development has fallen into some of the same traps the author decribes. But *that* is a discussion for another day; the conversation we need to have now is about escaping the gravitational pull of bzr's failure.

Debian has updated typo3-src (multiple vulnerabilities).

Debian has updated memcached (multiple vulnerabilities), openssl (multiple vulnerabilities), and puppet (insecure temporary files).

Fedora has updated python-setuptools (F18; F19: code execution) and subversion (F20: two vulnerabilities).

The dual elliptic curve deterministic random bit generator (Dual EC DRBG) cryptographic algorithm has a dubious history—it is believed to have been backdoored by the US National Security Agency (NSA)—but is mandated by the FIPS 140-2 US government cryptographic standard. That means that any cryptographic library project that is interested in getting FIPS 140-2 certified needs to implement the discredited random number algorithm. But, since certified libraries cannot change a single line—even to fix major, fatal bugs—having a non-working version of Dual EC DRBG may actually be the best defense against the backdoor. Interestingly, that is exactly where the OpenSSL project finds itself.

Debian has updated ruby-i18n (cross-site scripting).

Fedora has updated ca-certificates (F18: updated certificates) and nss (F18: updated certificates).

openSUSE has updated kernel (12.3: multiple vulnerabilities).