
Security: Patches, Flaws and ZDNet FUD

  • Security updates for Monday

    Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client, firefox, libzypp, and openssl-1_1).

  • Arm Chips Vulnerable to PAN Bypass – “We All Know it’s Broken”

    Memory access protections baked into the ARMv8 64-bit specification are vulnerable to being bypassed – and the Arm team has only just mitigated the bug, which would allow an attacker to circumvent its “Privileged Access Never” (PAN) controls in the kernel.

    PAN, introduced in 2014, is meant to prevent privileged access to user data unless explicitly enabled – as a security mechanism against possible software attacks.

    A Linux kernel commit message on January 6 this year acknowledges the issue and puts in place a stop-gap measure. But one security researcher, “Siguza”, says they originally found the flaw in October 2018 and that PAN “was never an issue to get around”.

  • Microsoft spots malicious npm package stealing data from UNIX systems [Ed: Typical ZDNet paints Microsoft as good and FOSS or Linux/UNIX as bad/dangerous: "Microsoft spots malicious npm package stealing data from UNIX systems"]

Not really a story about Microsoft

  • NPM security team removes malicious package caught leaking data from UNIX systems

    The security team at Node Package Manager (npm) has removed a malicious JavaScript package present in the npm repository, which was observed stealing sensitive data from UNIX systems.

  • Malicious npm package exfiltrating data from UNIX systems

    A malicious JavaScript package was uploaded Dec. 30 2019 on the Node Package Manager (npm), the world’s largest software registry, containing over 800,000 code packages that developers use to write JavaScript applications.

    The package, identified as 1337qq-js, was spotted stealing sensitive data through install scripts of Unix systems. It marks the sixth-known incident to strike the npm repository in the past three years.

Anti-Linux slant
