Language Selection

English French German Italian Portuguese Spanish

Security: Patches, CVSS, DANE OPENPGPKEY for debian.org, and Windows Voting Machines

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (redis), Fedora (expat), Mageia (dosbox, irssi, microcode, and postgresql11), Red Hat (bind, dbus, openstack-ironic-inspector, openstack-tripleo-common, python-novajoin, and qemu-kvm-rhev), Scientific Linux (kernel), SUSE (kernel-firmware, libdlm, libqb, and libqb), and Ubuntu (apport).

  • Why CVSS does not equal risk: How to think about risk in your environment

    I’m going to come right out and say it: CVSS does NOT equal Risk (CVSS!=Risk). Anyone who thinks otherwise is mistaken and setting themselves up for more work, pain, and stress than they realistically should have to go through. A risk is a potential for loss or damage if a threat exploits a vulnerability (which is a weakness in hardware or software). We’ll talk more about all that momentarily.

    Common Vulnerability Scoring System (CVSS) is a toolset and methodology used by many of us in the industry (hardware/software manufacturers, maintainers, etc.) and security researchers to describe the relative severity of security vulnerabilities in a consistent, quantitative way. This data being represented results in a score ranging from lowest 0, to the highest of 10.

    Recently the FIRST CVSS SIG updated the released version 3.1 of the framework which is the point of reference for this post. I'd strongly encourage anyone that uses the framework, or is impacted by security flaws (typically documented with a Common Vulnerabilities and Exposures (CVE) entry) to read the updated procedures and guidance.

  • DANE OPENPGPKEY for debian.org

    I recently announced the publication of Web Key Directory for @debian.org e-mail addresses. This blog post announces another way to fetch OpenPGP certificates for @debian.org e-mail addresses, this time using only the DNS. These two mechanisms are complementary, not in competition. We want to make sure that whatever certificate lookup scheme your OpenPGP client supports, you will be able to find the appropriate certificate.

    The additional mechanism we're now supporting (since a few days ago) is DANE OPENPGPKEY, specified in RFC 7929.

  • Voting Machine Makers Claim The Names Of The Entities That Own Them Are Trade Secrets

    This seems like very basic information -- information the Board should know and should be able to pass on to the general public. After all, these are the makers of devices used by the public while electing their representatives. They should know who's running these companies and who their majority stakeholders are. If something goes wrong (and something always does), they should know who's ultimately responsible for the latest debacle.

    It's not like the state was asking the manufacturers to cough up code and machine schematics. All it wanted to know is the people behind the company nameplates. But the responses the board received indicate voting system manufacturers believe releasing any info about their companies' compositions will somehow compromise their market advantage.

    Hart Intercivic said letting the public know that the company is owned by H.I.G. Hart, LLC and Gregg L. Burt is a fact that would devalue the company if it were made public.

More in Tux Machines

DragonFlyBSD Pulls In AMD Radeon Graphics Code From Linux The 4.7 Kernel

It was just last month that DragonFlyBSD pulled in Radeon's Linux 4.4 kernel driver code as an upgrade from the Linux 3.19 era code they had been using for their open-source AMD graphics support. This week that's now up to a Linux 4.7 era port. François Tigeot who continues doing amazing work on pulling in updates to DragonFlyBSD's graphics driver now upgraded the Radeon DRM code to match that of what is found in the upstream Linux 4.7.10 kernel. Read more

Android Leftovers

TenFourFox FPR16b1 available

FPR16 got delayed because I really tried very hard to make some progress on our two biggest JavaScript deficiencies, the infamous issues 521 (async and await) and 533 (this is undefined). Unfortunately, not only did I make little progress on either, but the speculative fix I tried for issue 533 turned out to be the patch that unsettled the optimized build and had to be backed out. There is some partial work on issue 521, though, including a fully working parser patch. The problem is plumbing this into the browser runtime which is ripe for all kinds of regressions and is not currently implemented (instead, for compatibility, async functions get turned into a bytecode of null throw null return, essentially making any call to an async function throw an exception because it wouldn't have worked in the first place). This wouldn't seem very useful except that effectively what the whole shebang does is convert a compile-time error into a runtime warning, such that other functions that previously might not have been able to load because of the error can now be parsed and hopefully run. With luck this should improve the functionality of sites using these functions even if everything still doesn't fully work, as a down payment hopefully on a future implementation. It may not be technically possible but it's a start. Read more

Simon Steinbeiß of Xfce, Dalton Durst of UBports, KDE Apps 19.08, Huawei – Destination Linux 135

Simon Steinbeiß of Xfce, Dalton Durst of UBports, KDE Applications, CutiePi Open Source Tablet, Huawei To Create Open Source Foundation, Rust Removes Linux Support, Stranded Deep Survival Game Fix Read more