Language Selection

English French German Italian Portuguese Spanish

Security: Patches, Flaws and ZDNet FUD

Submitted by Roy Schestowitz on Tuesday 14th of January 2020 03:04:14 AM Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client, firefox, libzypp, and openssl-1_1).

  • Arm Chips Vulnerable to PAN Bypass – “We All Know it’s Broken”

    Memory access protections baked into the ARMv8 64-bit specification are vulnerable to being bypassed – and the Arm team has only just mitigated the bug, which would allow an attacker to circumvent its “Privileged Access Never” (PAN) controls in the kernel.

    PAN, introduced in 2014, is a meant to prevent privileged access to user data unless explicitly enabled – as a security mechanism against possible software attacks.

    A Linux kernel commit message on January 6 this year acknowledges the issue and puts in place a stop-gap measure. But one security researcher, “Siguza” says they originally found the flaw in October 2018 and that PAN “was never an issue to get around”.

  • Microsoft spots malicious npm package stealing data from UNIX systems [Ed: Typical ZDNet paints Microsoft as good and FOSS or Linux/UNIX as bad/dangerous: "Microsoft spots malicious npm package stealing data from UNIX systems"]
»

Not really a story about Microsoft

Submitted by Roy Schestowitz on Tuesday 14th of January 2020 05:39:52 PM.
  • NPM security team removes malicious package caught leaking data from UNIX systems

    The security team at Node Package Manager (npm) has removed a malicious JavaScript package present in the npm repository, which was observed stealing sensitive data from UNIX systems.

  • Malicious npm package exfiltrating data from UNIX systems

    A malicious JavaScript package was uploaded Dec. 30 2019 on the Node Package Manager (npm), the world’s largest software registry, containing over 800,000 code packages that developers use to write JavaScript applications.

    The package, identified as 1337qq-js, was spotted stealing sensitive data through install scrips of Unix Systems. It marks the sixth-known incident to strike the npm repository in the past three years.

Anti-Linux slant

Submitted by Roy Schestowitz on Friday 17th of January 2020 12:42:02 AM.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Ubuntu’s Installer Slideshow Gets a Focal Refresh

Ubuntu’s installer slideshow isn’t something most of us spend an awful time looking at but for new users it serves an important educational goal. The Ubiquity desktop installer plays a slideshow during the main part of the install process. Each slide highlights a key feature or important function available in Ubuntu (or whichever Ubuntu flavour is being installed). The slideshow has been a staple part of Ubuntu (and many flavours) since it was introduced back in Ubuntu 10.10. For the upcoming release of Ubuntu 20.04 the look of the slideshow will better match the look of Yaru, Ubuntu’s default GTK theme (which recently got a big update of its own). Read more

Linux Mint with Windows 7 Theme

This article explains step by step to change GNU/Linux Mint operating system user interface to mimic W7 especially after its official support ended in this January 2020. You can practice this tutorial in Cinnamon Edition and you will install 2 types of theme plus 1 original wallpaper here. By this tutorial, I want to help people who find it's easier to migrate to Free Software if their desktop looks like their previous OS. I believe helping them are good and useful. And I hope by publishing this more people will come to help B00merang Project and others alike to develop these themes. I hope your switch from W7 to GNU/Linux goes easier, smoother, and perfect. Enjoy! Read more

Kernel/Graphics: AMD, Intel and Mesa

  • AMD vs. Intel Contributions To The Linux Kernel Over The Past Decade

    Driven by curiosity sake, here is a look at how the total number of AMD and Intel developers contributed to the upstream Linux kernel during the 2010s as well as the total number of commits each year from the respective hardware vendors.  These numbers were obtained by looking at the Linux kernel commits in Git from AMD.com and Intel.com addresses. Granted, sometimes developers from both companies will use their personal email addresses rather than the corporate ones, but for this comparison is looking solely at the Git commits from the respective corporate domains.

  • Linux k10temp Driver For AMD CPUs Updated To Better Handle Power/Temp Analysis

    As we have been eagerly talking about for the past week, the Linux kernel's k10temp driver was updated for better AMD CPU CCD temperatures and voltage/current reporting. Those improvements have been quickly evolving thanks to the work of the open-source community with AMD still sadly holding the datasheets concerning the power/temperature registers close to their vest. A new version of k10temp was sent out on Wednesday.  As reported earlier this week, these k10temp improvements could land for the upcoming Linux 5.6 but additional testing is needed. While Zen 2 CPUs have been shipping for months, these k10temp improvements are only coming now thanks to HWMON maintainer Guenter Roeck who continues working on this driver in cooperation with the community as AMD currently isn't releasing documentation/datasheets concerning the power/thermal registers or any reference code for that matter... Many Linux desktop users dream of seeing something someday like AMD Ryzen Master coming to Linux. 

  • Gutting Out Intel MPX Support To Be Finished Up In The Linux 5.6 Kernel

    The Linux support for Intel MPX has already been pretty much dead since the GCC 9 compiler dropped support for MPX. Kernel developers following that began working to remove MPX from the kernel over not having the compiler support, MPX not being widely used, and also not much code movement on the kernel side. Memory Protection Extensions (MPX) was talked up years ago by Intel for allowing the checking of pointer references at run-time to avoid buffer overflows and other potential related vulnerabilities. But in reality it didn't become too popular with developers while AddressSanitizer and other compiler sanitizer infrastructure has become more used and without the need for special bits in the CPU. Intel themselves meanwhile have deprecated MPX and say the support won't be available on future CPUs, hence not being concerned much about the Linux support departing.

  • Mesa 20.0 branchpoint planned for 2020/01/29, Milestone opened
    Hi list, due to some last minute changes in plan I'll be managing the 20.0
release. The release calendar has been updated, but the gitlab milestone wasn't
opened. That has been corrected, and is here
https://gitlab.freedesktop.org/mesa/mesa/-/milestones/9, please add any issues
or MRs you would like to land before the branchpoint to the milestone.

Thanks,
Dylan
  • Mesa 20.0 Feature Development Is Ending Next Week

    Mesa developers are planning to end feature work on Mesa 20.0 next week as this first quarter update to the Mesa 3D graphics stack. There has been a heck of lot building up for Mesa 20.0 including many ACO optimizations, many RadeonSI and RADV improvements around GFX10/Navi, Intel Gallium3D improvements, OpenGL 4.6 with NIR by default for RadeonSI, NIR support for LLVMpipe, Vulkan 1.2 for Intel ANV and Radeon RADV, and a whole lot more... My usual feature overview will be out after the code has been branched.

SUSE/OpenSUSE: Conferences, Fonts and SUSE CaaS Platform

  • 7 tips to survive booth duty at a conference-events

    If you contribute to an open-source community, there will be an "opportunity" that you will represent the community to a conference. You're expected to staff the booth and talk to people about the software. For some people, it looks like you are traveling and having fun. I have news for you. It's not like that. We are going to see some tips on how to survive the booth duty.

  • https://fontinfo.opensuse.org/ updated

    The information below might fall into the "unsung heroes of openSUSE" category - we think it is clearly worth to be mentioned and getting some applause (not saying that every user should owe the author a beer at the next conference ;-).

  • Introducing… Stratos for SUSE CaaS Platform

    Would you like to make your SUSE CaaS Platform clusters simpler and more intuitive to manage? Do you want to be able to manage multiple clusters from a single pane of glass, whether on premise or in public clouds? Would you like to be able to deploy applications to your clusters, no matter whether they are in a SUSE repository, other public repositories, or your organization’s private repositories? SUSE CaaS Platform is introducing a tech preview of Stratos Console, a powerful browser-based graphical interface that delivers multi-cluster, multi-cloud management. You can assess the status and health of all of your managed clusters at a glance with multi-cluster overview dashboards, then drill down into any cluster for fine grained management of its workloads and resources.

More on Tux Machines: AboutGalleryForumBlogsSearchNewsRSS Feed

Part of Bytes Media ● Sister sites below.

TechBytes Techrights button

Powered by Drupal, an open source content management system

Content available under CC-BY-SA CC

© by original authors

Powered by CentOS 6.5 (GNU/Linux), Varnish, and Drupal 6