The openSUSE developers have released the second milestone of openSUSE 11.3. The update now has some final releases of packages rather than the release candidates found in the previous milestone. These include final versions of KDE 4.4, OpenOffice 3.2 and VirtualBox 3.1.4, but openSUSE 11.3 still has a number of bleeding edge releases including GNOME 2.30 beta 1 (2.29.90). The milestone is based on the 2.6.33 Linux kernel "with all its bug fixes and new hardware support".
There have been updates to NetworkManager, ModemManager and other network-related plug-ins which do not add features, but support more hardware and include bug fixes. Other updated packages include DigiKam, evolution, Mono, GnuTLS and libgphoto2. Developers will also find Bootchart 2.0.0.9, a tool for analysing slow system booting, included.
The previous milestone's support for LXDE has now been incorporated into the installation process, allowing users to install openSUSE 11.3 with only the LXDE desktop. The openSUSE developers plan to switch to GCC 4.5.0 in the next milestone to benefit from its better optimisation. According to a new timeline page, milestone 3 is due at the start of March, and a final release in mid-July. openSUSE 11.3 milestone 2 is available to download now for testing purposes; known bugs are documented on the openSUSE wiki. The developers would like special attention paid to the GNOME accessibility stack as new features in it need extensive testing.
A patch for MIT's Kerberos 5 implementation is intended to fix integer underflows in the functions for decrypting AES and RC4 ciphertexts. The flaw can reportedly be provoked remotely by sending specially crafted ciphertexts which can, for instance, cause the Key Distribution Center (KDC) to crash. In very rare circumstances, the flaw is also said to allow the injection and execution of code. Reportedly, the exploitability of the flaw is marginally higher if the attacker holds a valid account in a Kerberos domain (realm).
All versions from krb5-1.3 are affected. The patch is available for krb5-1.6 and krb5-1.7. Updates krb5-1.6.4 and krb5-1.7.1, which are soon to be released, also fix the flaw. Until then, users need to manually install the patches for aes.c and arcfour.c and recompile Kerberos themselves. The updates are gradually becoming overdue, as they are also scheduled to close a null-pointer dereference vulnerability already publicised in early January. So far, only a patch has become available to fix this hole.
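The bug class described above, shown as an added illustration that is neither MIT's code nor the patch: a decryption routine that subtracts fixed framing sizes from an unsigned ciphertext length wraps to a huge value when the input is too short, and the fix is to bounds-check before subtracting. The framing layout, the sizes and all function names here are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed framing for illustration: [confounder | payload | MAC]. */
#define CONF_LEN 16u
#define MAC_LEN  12u

/* Flawed pattern: unsigned subtraction with no lower bound. For
 * ct_len < CONF_LEN + MAC_LEN the result wraps to a huge size_t. */
size_t payload_len_unchecked(size_t ct_len)
{
    return ct_len - CONF_LEN - MAC_LEN;
}

/* Hardened pattern: reject short input before any subtraction. */
int payload_len_checked(size_t ct_len, size_t *out)
{
    if (ct_len < (size_t)CONF_LEN + MAC_LEN)
        return -1;                      /* too short to hold the framing */
    *out = ct_len - CONF_LEN - MAC_LEN;
    return 0;
}

/* Stand-in for a decrypt routine: no real cipher, it only strips the
 * framing, but every length it uses has been validated first. */
int strip_framing(const uint8_t *ct, size_t ct_len,
                  uint8_t *dst, size_t dst_cap, size_t *dst_len)
{
    size_t n;
    if (payload_len_checked(ct_len, &n) != 0)
        return -1;                      /* malformed ciphertext */
    if (n > dst_cap)
        return -2;                      /* output buffer too small */
    memcpy(dst, ct + CONF_LEN, n);
    *dst_len = n;
    return 0;
}

int main(void)
{
    uint8_t ct[10] = {0}, out[16];      /* constructed 10-byte input */
    size_t n = 0;
    printf("unchecked length for 10-byte input: %zu\n",
           payload_len_unchecked(sizeof ct));
    printf("checked routine returns: %d\n",
           strip_framing(ct, sizeof ct, out, sizeof out, &n));
    return 0;
}
```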
See also:
* Integer underflow in AES and RC4 decryption, security advisory from Kerberos.
* DoS vulnerability patched in MIT Kerberos, a report from The H.