LWN Headlines

Django 1.5 released

Version 1.5 of the Django web framework is available; new features include a new configurable user model, Python 3 support, a lot of documentation improvements, and more; see the release notes for details.

Ubuntu Developer Summit To Be Held Online, More Frequently (OMG Ubuntu)

The OMG Ubuntu site reports that the well-regarded Ubuntu Developer Summit is being transformed into an online-only event. "In the age of Google+ hangouts and real-time collaboration the notion of flying people around the world to spend a week in each others company seems antiquated and inefficient."

Update: see this announcement from Jono Bacon for more information. "With the fantastic level of interest in the recent phone and tablet announcements, we decided that we couldn’t wait until May to run this new format for UDS, so the first online UDS will be taking place next week from 5th - 6th March 2013 from 4pm UTC - 10pm UTC."

Security advisories for Tuesday

Debian has updated openjpeg (multiple code execution vulnerabilities) and kernel-2.6 (privilege escalation/denial of service).

Fedora has updated cups (F17: multiple vulnerabilities), pigz (F17: information disclosure), and openssh (F17: denial of service).

Mandriva has updated apache (cross-site scripting).

Oracle has updated gdb (OL6: code execution), evolution (OL6: information disclosure), dnsmasq (OL6: DNS proxy is wrongly created), ccid (OL6: arbitrary code execution), dhcp (OL6: multiple vulnerabilities), automake (OL6: code execution), 389-ds-base (OL6: ACL restriction bypass), xinetd (OL6: service disclosure flaw), squid (OL6: denial of service), pam (OL6: code execution), pki-core (OL6: cross-site scripting), pcsc-lite (OL6: code execution), openssh (OL6: code execution), httpd (OL6: multiple vulnerabilities), dovecot (OL6: multiple vulnerabilities), and util-linux-ng (OL6: information disclosure).

Slackware has updated seamonkey (multiple vulnerabilities).

Ubuntu has updated thunderbird (multiple vulnerabilities) and kernel (12.04 LTS: privilege escalation/code execution).

LG acquires webOS from HP

LG and HP have announced that LG has acquired the webOS system, including source code, patents, "engineering talent," and more. LG will be taking over the Open webOS and Enyo open-source projects; there is no indication of how enthusiastically the company will support those projects, though.

A nasty local kernel vulnerability

Over the weekend, the networking tree accepted a fix for an out-of-bounds access error that appears to be exploitable by an unprivileged local user to gain root access. Even worse, there are indications that this bug (which affects kernels from 3.3 onward) has been known about since mid-2012; exploits exist in the wild. No distributor updates exist as of this writing; presumably they will not be long in coming.

[Update February 27: Distributions have started putting out updates for the vulnerability.]

Monday's security updates

Debian has updated squid3 (denial of service).

Fedora has updated firefox (F18; F17: multiple vulnerabilities), thunderbird (F18; F17: multiple vulnerabilities), xulrunner (F18; F17: multiple vulnerabilities), boost (F18; F17: input validation bypass), freeipa (F17: authentication bypass), openconnect (F18; F17: code execution), curl (F18: code execution), kernel (F17: privilege escalation/denial of service), and qt (F17: information disclosure).

openSUSE has updated openssl (12.2; 12.1; 11.4: multiple vulnerabilities), acroread (12.1; 11.4: remote code execution), and rails (multiple vulnerabilities).

Oracle has updated rdma (OL6: multiple vulnerabilities) and xorg-x11 (OL6: code execution).

SUSE has updated java-1_6_0-openjdk (multiple vulnerabilities) and kernel (code execution).

Ubuntu has updated pidgin (multiple vulnerabilities) and transmission (code execution).

Mozilla announces 18 carriers supporting Firefox OS

Mozilla has announced that eighteen carriers have "committed" to Firefox OS. "The breadth of operators now backing Mozilla’s Firefox OS demonstrates significant industry support for a fully-adaptable, unconstrained mobile platform. The first wave of Firefox OS devices will be available to consumers in Brazil, Colombia, Hungary, Mexico, Montenegro, Poland, Serbia, Spain and Venezuela. Additional markets will be announced soon." Handsets will be made by Alcatel, Huawei, LG, and ZTE.

Thursday's security updates

CentOS has updated firefox (C6: multiple vulnerabilities), thunderbird (C6: multiple vulnerabilities), xulrunner (C6: multiple vulnerabilities), yelp (C6: multiple vulnerabilities), libproxy (C6: multiple vulnerabilities), java-1.6.0-openjdk (C6; C5: multiple vulnerabilities), and java-1.7.0-openjdk (C6; C5: multiple vulnerabilities).

Debian has updated postgresql (information disclosure/denial of service).

Fedora has updated mediatomb (F18; F17: multiple vulnerabilities), java-1.7.0-openjdk (F18; F17: multiple vulnerabilities), rubygem-activemodel (F18; F17: protection bypass), rubygem-activerecord (F17: code execution), kernel (F18: denial of service), and gimp (F17: code execution).

openSUSE has updated postgresql (information disclosure/denial of service).

Oracle has updated axis (OL6: incorrect certificate validation), jakarta-commons-httpclient (OL6: incorrect certificate validation), thunderbird (OL6: multiple vulnerabilities), java-1.6.0-openjdk (OL6: multiple vulnerabilities), java-1.7.0-openjdk (OL6; OL5: multiple vulnerabilities), and firefox (OL6; OL5: multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), libvirt (RHEL6: DNS proxy is wrongly created), dnsmasq (RHEL6: DNS proxy is wrongly created), kernel (RHEL6: multiple vulnerabilities), xinetd (RHEL6: service disclosure flaw), hplip (RHEL6: multiple vulnerabilities), xorg-x11 (RHEL6: code execution), 389-ds-base (RHEL6: ACL restriction bypass), dhcp (RHEL6: denial of service), squid (RHEL6: denial of service), samba4 (RHEL6: remote code execution), sssd (RHEL6: file modification and denial of service), rdma (RHEL6: multiple vulnerabilities), pki-core (RHEL6: cross-site scripting), httpd (RHEL6: multiple vulnerabilities), php (RHEL6: multiple vulnerabilities), openchange (RHEL6: remote code execution), evolution (RHEL: information disclosure), util-linux-ng (RHEL6: information disclosure), openssh (RHEL6: code execution), dovecot (RHEL6: multiple vulnerabilities), pam (RHEL6: arbitrary code execution), gdb (RHEL6: code execution), ccid (RHEL6: arbitrary code execution), pcsc-lite (RHEL6: arbitrary code execution), automake (RHEL6: code execution), and ipa (RHEL6: incorrect Certificate Revocation Lists).

Scientific Linux has updated java-1.6.0-openjdk (SL5; SL6: multiple vulnerabilities), java-1.7.0-openjdk (multiple vulnerabilities), axis (SL6: incorrect certificate validation), firefox (multiple vulnerabilities), thunderbird (multiple vulnerabilities), and jakarta-commons-httpclient (incorrect certificate validation).

Ubuntu has updated keystone (multiple vulnerabilities), cinder (denial of service), openssl (multiple vulnerabilities), and ruby (multiple vulnerabilities).

Stable kernels 3.0.66 and 3.4.33

The 3.4.33 and 3.0.66 stable kernel updates are available. These are single-patch updates fixing a buffer overflow in the printk() subsystem. According to the patch fixing the problem, the overflow can be triggered from (privileged) user space to freeze the kernel; worse outcomes might be possible. Kernels 3.5 and newer are not vulnerable due to the reworking of printk(); the bug evidently made its first appearance in 3.0.

Ubuntu for phone/tablet available

As promised, Canonical has released binary images of its distribution for phones (Galaxy Nexus and Nexus 4) and tablets (Nexus 7/10). "The Ubuntu Touch Developer Preview is intended to be used for development and evaluation purposes only. It does not provide all of the features and services of a retail phone and cannot replace your current handset. This preview is the first release of a very new and unfinished version of Ubuntu and it will evolve quickly."

[$] ABS: Android in space

The Linux Foundation's Rudolf Streif introduced one of the morning keynotes at the 2013 Android Builders Summit (ABS) by noting that androids in space have a long history—at least in science fiction like Star Wars. He was introducing Dr. Mark Micire of the US National Aeronautics and Space Administration (NASA) Ames Research Center, who recently led a project that put the Android operating system into space in the form of an "intelligent space robot" that currently inhabits the International Space Station (ISS).

Linaro Networking Group

Linaro has announced the formation of the Linaro Networking Group (LNG), with twelve founding members. "With ARM-based SoCs at the heart of the transformation occurring in cloud and mobile infrastructure applications such as switching, routing, base-stations and security, Linaro’s members are collaborating on fundamental software platforms to enable rapid deployment of new services across a range of converged infrastructure platforms. Developing the base platform for diverse and complex networking applications requires a significant amount of software that addresses common challenges. LNG will deliver this as an enhanced core Linux platform for networking equipment. Linaro has been providing common core software for ARM-Powered®, Linux-based mobile devices since June 2010 with recognized success, and it is now building on the collaborative working model that it has created to form special groups focusing on the server and networking segments."

Security advisories for Wednesday

CentOS has updated jakarta-commons-httpclient (C5: incorrect certificate validation), firefox (C5: multiple vulnerabilities), yelp (C5: multiple vulnerabilities), devhelp (C5: multiple vulnerabilities), xulrunner (C5: multiple vulnerabilities), and thunderbird (C5: multiple vulnerabilities).

Mandriva has updated squid (denial of service).

Red Hat has updated axis (RHEL6: incorrect certificate validation), jakarta-commons-httpclient (incorrect certificate validation), firefox (multiple vulnerabilities), thunderbird (multiple vulnerabilities), java-1.6.0-openjdk (RHEL6; RHEL5: multiple vulnerabilities), and java-1.7.0-openjdk (multiple vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities).

SUSE has updated java-1_6_0-openjdk (multiple vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities).

Samba developers considering removing SWAT

The developers in the Samba Team are considering removing the SWAT administration tool due to the series of security problems related to it. "The issue isn't that we can't write secure code, but that writing secure Web code where we can't trust the authenticated actions of our user's browser is a very different model to writing secure system code. Frankly it just isn't our area." Unless somebody steps up to maintain this tool properly, it may well be on its way out.

[$] A story of three kernel vulnerabilities

A security-oriented firm called Trustwave recently sent out a preview of an upcoming report [PDF] that features some focused criticism of how the Linux community handles security vulnerabilities. Indeed, it says: "Software developers vary greatly in their ability to respond and patch zero-day vulnerabilities. In this study, the Linux platform had the worst response time, with almost three years on average from initial vulnerability to patch." Whether or not one is happy with how security updates work with Linux, three years sounds like a rather longer response time than most of us normally expect. Your editor decided to examine the situation by focusing on two vulnerabilities that are said to be included in the Trustwave report and one that is not.

Ubuntu for tablets announced

Canonical has announced an upcoming version of its distribution for tablets; it seems to have come a long way since we reviewed an early release last November. "Take calls in Skype while you work in a document, make notes on the side while you surf the web, tweet while you watch a movie. Or use apps collaboratively – drag content from one app to another for a super-productive day. We’ve reinvented the tablet as a bridge between phone and PC."