[$] Adobe releases source code for OpenType font-development tools

Adobe made a surprise announcement at the annual ATypI conference
in Barcelona, Spain, releasing one of the company's proprietary font-production tools under an open-source license. In
addition, the team convinced another popular font-development project
to release its core library as open source, too. Adobe
framed the release as a move designed to
help improve the quality of fonts produced with any application, but
there may be other benefits as well—such as increasing the
spread of Adobe's own open fonts.

GNOME 3.14 released

The GNOME project has released GNOME 3.14. "This is another exciting release for GNOME, and brings many new features
and improvements, including multitouch, captive portal support, greatly
improved sharing settings. This release also includes improved and
redesigned applications for weather, maps, PDF viewing, running VMs,
and more.

The Wayland support has matured to the point where it is ready for
day-to-day use." See the release notes
for details.

Security advisories for Wednesday

CentOS has updated bash (C7; C6; C5: command execution) and haproxy (C7: denial of service).

Debian has updated apt (code execution) and bash (command execution).

Mandriva has updated dump (code execution),

[$] Schneier on incident response

Bruce Schneier is a cryptographer and security specialist who is
well-known in computer circles even though he has often branched into more
general security areas in recent years. His blog is a great source of
security news (and, of "quotes of the week" for the Security page, as readers
know). Beyond all that, he travels to many security conferences to give
talks, which is just what he did at AppSec USA in Denver on
September 18.

Security Collapse in the HTTPS Market (ACM Queue)

ACM's Queue has a
lengthy article
on the security failures in the HTTPS layer and the
prospects for improvement. "This article outlines the systemic
vulnerabilities of HTTPS, maps the thriving market for certificates, and
analyzes the suggested regulatory and technological solutions on both sides
of the Atlantic.

Hutterer: libinput - a common input stack for Wayland compositors and X.Org drivers

Here's a
post from Peter Hutterer
on why the X.Org input stack is a mess and the
new "libinput" stack is needed. "It looks like a big happy family at
first, but then you see that synaptics won't talk to evdev because of the
tapping incident a couple of years back, mouse and keyboard have no
idea what forks and knives are for, wacom is the hippy GPL cousin that
doesn't even live in the same state and no-one quite knows why elographics
keeps getting invited.

Kali NetHunter turns Android device into hacker Swiss Army knife (Ars Technica)

Ars Technica takes
a look
at Kali Linux NetHunter, a penetration testing platform for
Nexus devices. "NetHunter is still in its early stages, but it already includes the ability to have the Nexus device emulate a USB human interface device (HID) and launch keyboard attacks on PCs that can be used to automatically elevate privileges on a Windows PC and install a reverse-HTTP tunnel to a remote workstation.

Announcing the release of Fedora 21 Alpha

The Fedora project has released Fedora 21 Alpha. This is the first release
of Fedora.next, which introduces three products rather than the traditional
single deliverable. The Fedora 21 Base includes only the base set of
packages (such as kernel, RPM, yum, systemd, and Anaconda) used by all the
products. Fedora 21 Cloud includes images for use in private cloud
environments like OpenStack, as well as AMIs for use on Amazon, and a new
image streamlined for running Docker containers.

Best practices for the new era of open source (opensource.com)

opensource.com article
holds out Ansible as an example of a project
worth emulating and delves into the reasons for its success. "The
idea that a user can try something out over a lunch break, and understand
it—and then learn what is left to learn—is a key success driver for open
source software. Too many projects fail needlessly because they don’t
invest in this critical idea."

Tuesday's security updates

CentOS has updated kernel (C7: denial of service).

Oracle has updated kernel (OL7:
multiple vulnerabilities).

Red Hat has updated kernel
(RHEL7: denial of service).

Ubuntu has updated dbus (multiple
vulnerabilities) and nginx (14.04: virtual host confusion attacks).

Syndicate content