
Security: Patches, CVSS, DANE OPENPGPKEY for debian.org, and Windows Voting Machines

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (redis), Fedora (expat), Mageia (dosbox, irssi, microcode, and postgresql11), Red Hat (bind, dbus, openstack-ironic-inspector, openstack-tripleo-common, python-novajoin, and qemu-kvm-rhev), Scientific Linux (kernel), SUSE (kernel-firmware, libdlm, libqb, and libqb), and Ubuntu (apport).

  • Why CVSS does not equal risk: How to think about risk in your environment

    I’m going to come right out and say it: CVSS does NOT equal Risk (CVSS!=Risk). Anyone who thinks otherwise is mistaken and setting themselves up for more work, pain, and stress than they realistically should have to go through. A risk is a potential for loss or damage if a threat exploits a vulnerability (which is a weakness in hardware or software). We’ll talk more about all that momentarily.

    Common Vulnerability Scoring System (CVSS) is a toolset and methodology used by many of us in the industry (hardware/software manufacturers, maintainers, etc.) and security researchers to describe the relative severity of security vulnerabilities in a consistent, quantitative way. This data is represented as a score ranging from the lowest, 0, to the highest, 10.

    Recently the FIRST CVSS SIG updated the released version 3.1 of the framework, which is the point of reference for this post. I'd strongly encourage anyone who uses the framework, or is impacted by security flaws (typically documented with a Common Vulnerabilities and Exposures (CVE) entry), to read the updated procedures and guidance.

  • DANE OPENPGPKEY for debian.org

    I recently announced the publication of Web Key Directory for @debian.org e-mail addresses. This blog post announces another way to fetch OpenPGP certificates for @debian.org e-mail addresses, this time using only the DNS. These two mechanisms are complementary, not in competition. We want to make sure that whatever certificate lookup scheme your OpenPGP client supports, you will be able to find the appropriate certificate.

    The additional mechanism we're now supporting (since a few days ago) is DANE OPENPGPKEY, specified in RFC 7929.
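The RFC 7929 lookup described above, as an added example (not code from debian.org or the announcement): the local-part is hashed with SHA2-256, truncated to 28 octets, and placed under `_openpgpkey.<domain>`; a second helper does a minimal sanity check that fetched RDATA begins with an OpenPGP Public-Key packet. Case normalisation of the local-part is left to the caller (an assumption stated in the code), and the RDATA samples are constructed, not real records.

```python
import base64
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner_name(address: str) -> str:
    """Return the DNS owner name to query for an address, per RFC 7929 section 3.

    The local-part is hashed with SHA2-256 and the digest truncated to 28 octets
    (56 hex characters). The local-part is used byte-for-byte; whether to
    normalise case first is left to the caller (assumption: the caller lowercases
    only when the mail domain treats local-parts case-insensitively).
    """
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError("expected local-part@domain")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{OPENPGPKEY_LABEL}.{domain}"


def openpgp_packet_tag(rdata: bytes) -> int:
    """Tag of the first OpenPGP packet in RDATA (RFC 4880 section 4.2).

    New-format header: bit 6 set, tag in the low 6 bits.
    Old-format header: tag in bits 2-5.
    """
    if not rdata or not rdata[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    first = rdata[0]
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F


def rdata_looks_like_public_key(rdata_b64: str) -> bool:
    """Sanity check on a record in presentation format (base64 RDATA).

    OPENPGPKEY RDATA must be a transferable public key, so its first packet is a
    Public-Key packet (tag 6). A real client still parses the key fully and only
    trusts an answer that was DNSSEC-validated (AD bit), as RFC 7929 requires.
    """
    try:
        return openpgp_packet_tag(base64.b64decode(rdata_b64, validate=True)) == 6
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


# Constructed RDATA: old-format Public-Key packet header (0x99) with 2-byte length.
SAMPLE_PUBKEY_RDATA = base64.b64encode(bytes([0x99, 0x00, 0x03, 0x04, 0x00, 0x00])).decode()
# Constructed RDATA that starts with a Signature packet (tag 2) instead of a key.
SAMPLE_SIG_RDATA = base64.b64encode(bytes([0x88, 0x03, 0x04, 0x00, 0x00])).decode()

if __name__ == "__main__":
    print(openpgpkey_owner_name("hello@debian.org"))
    print(rdata_looks_like_public_key(SAMPLE_PUBKEY_RDATA))
```

The owner name is what `dig OPENPGPKEY <name>` would be given; the resolver must return a validated answer for the key to be trusted.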

  • Voting Machine Makers Claim The Names Of The Entities That Own Them Are Trade Secrets

    This seems like very basic information -- information the Board should know and should be able to pass on to the general public. After all, these are the makers of devices used by the public while electing their representatives. They should know who's running these companies and who their majority stakeholders are. If something goes wrong (and something always does), they should know who's ultimately responsible for the latest debacle.

    It's not like the state was asking the manufacturers to cough up code and machine schematics. All it wanted to know is the people behind the company nameplates. But the responses the board received indicate voting system manufacturers believe releasing any info about their companies' compositions will somehow compromise their market advantage.

    Hart Intercivic said letting the public know that the company is owned by H.I.G. Hart, LLC and Gregg L. Burt is a fact that would devalue the company if it were made public.
