Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (libpam-radius-auth, pillow, ppp, proftpd-dfsg, and python-pysaml2), Fedora (firefox, glib2, hiredis, http-parser, libuv, mingw-openjpeg2, nghttp2, nodejs, openjpeg2, python-pillow, skopeo, and webkit2gtk3), Mageia (patch, postgresql, and systemd), Red Hat (ksh, nodejs:10, openjpeg2, python-pillow, systemd, and thunderbird), and SUSE (java-1_7_1-ibm, libsolv, libzypp, zypper, pdsh, slurm_18_08, and php53).

  • U.S. Government Says Update Chrome 80 As High-Rated Security Flaws Found

    Are you a Google Chrome user? High-rated security vulnerabilities have already been discovered in version 80 of Google Chrome. The Cybersecurity and Infrastructure Security Agency is encouraging Google users to update again just weeks after the Chrome 80 release. Here’s what you need to know.

  • OpenBSD Pwned, Patched Again: Bug is Remotely Exploitable [Ed: Misleading. This is about OpenSMTPD.]

    There’s a fresh remote code execution (RCE) vulnerability in OpenSMTPD, and by extension in OpenBSD. Yes, it feels like déjà vu all over again.

    The severity of the vulnerability, CVE-2020-8794, means that anyone running a public-facing OpenSMTPD deployments should update as soon as possible.

    OpenBSD’s developers describe the issue as a “an out of bounds read in smtpd [that] allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.”

  • Kali Linux explained: A pentester’s toolkit

    Kali Linux is the world's most popular offensive-security-optimized Linux distro. Maintained and managed by the fine folks at Offensive Security, Kali was born in 2006 as BackTrack Linux, but after a major refactoring in 2013 got the name Kali. What does the name mean? Well, we'll get to that.

  • Police to get right to use spyware in serious crime investigations

    The new bill, that will allow the police to use trojans or virus programmes to tap into the chats, is expected to be voted through parliament on Thursday. Home Affairs Minister Mikael Damberg says he is convinced it will lead to more convictions.

  • McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges

    A while back I wrote about a bunch of vulnerabilities in McAfee WebAdvisor, a component of McAfee antivirus products which is also available as a stand-alone application. Part of the fix was adding a bunch of pages to the extension which were previously hosted on siteadvisor.com, generally a good move. However, when I looked closely I noticed a Cross-Site Scripting (XSS) vulnerability in one of these pages (CVE-2019-3670).

    Now an XSS vulnerability in a browser extension is usually very hard to exploit thanks to security mechanisms like Content Security Policy and sandboxing. These mechanisms were intact for McAfee WebAdvisor and I didn’t manage to circumvent them. Yet I still ended up with a proof of concept that demonstrated how attackers could gain local administrator privileges through this vulnerability, something that came as a huge surprise to me as well.

More in Tux Machines

Stable Kernels: 5.6.15, 5.4.43, 4.19.125, 4.14.182, 4.9.225, and 4.4.225

  • Linux 5.6.15
    I'm announcing the release of the 5.6.15 kernel. All users of the 5.6 kernel series must upgrade. The updated 5.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-s...

  • Linux 5.4.43
  • Linux 4.19.125
  • Linux 4.14.182
  • Linux 4.9.225
  • Linux 4.4.225

Linux-powered wireless gateway supplies four surge-protected serial ports

Artila’s compact “IoT Gateway Matrix-704” runs Linux on a Microchip SAMA5D35 and provides GbE and Fast Ethernet, mini-PCIe and micro-SIM slots, a USB port, and 4x isolated, surge protected RS-485 ports. Artila has introduced several of its Matrix IoT gateways with isolated serial ports, including the Matrix-710 and Matrix-713. Its new Matrix-704 can have its 4x RS-485 ports configured with optional isolation and it also comes standard with surge protection. The Matrix-704 has the same 536MHz, Cortex-A5 Microchip ATSAMA5D35 SoC as the more feature rich Matrix-710 and Matrix-713, as well as the recent Matrix-702, which lacks serial ports. Read more

today's leftovers

  • Linux Getting Fixed Up For Handling Pointing Sticks On Some Touchpads

    For input devices on some laptops that are a combination of a pointing stick and touchpad, the Linux kernel's multi-touch driver will finally begin handling them correctly. At least for Synaptics and Elan devices that offer a combination of a pointing stick and touchpad, the Linux kernel has been ignoring the input events from the pointing stick. But with Linux 5.8 that will change in properly handling the combo multi-touch devices via the hid-multitouch driver and this change is set to be back-ported as well to the various Linux kernel stable series being supported.

  • Mesa 20.1 Features Include Big Improvements For Open-Source Intel, Radeon Graphics Drivers

    The release of Mesa 20.1 is imminent as the latest quarterly feature update to this collection of open-source OpenGL/Vulkan drivers predominantly in use by Linux systems. Here is a look at the many exciting improvements with Mesa 20.1.

  • Hybrid cloud and multi-cloud: what is the difference?

    Hybrid cloud and multi-cloud are two exclusive terms that are often confused. While the hybrid cloud represents a model for extending private cloud infrastructure with one of the existing public clouds, a multi-cloud refers to an environment where multiple clouds are used at the same time, regardless of their type. Thus, while the hybrid cloud represents a very specific use case, multi-cloud is a more generic term and usually better reflects reality. Although both architectures are relatively simple to implement from the infrastructure point of view, the more important question is about workloads orchestration in such environments. In the following blog, I describe the differences between hybrid clouds and the multi-cloud and discuss the advantages of orchestrating workloads in a multi-cloud environment with Juju. [...] In turn, multi-cloud simply refers to using multiple clouds at the same time, regardless of their type. There is no dedicated infrastructure that facilitates it. There is no dedicated link, single IdM system, unified LMA stack or an integrated network. Just instead of a single cloud, an organisation uses at least two clouds at the same time. The goal behind the multi-cloud approach is to reduce the risk of relying on a single cloud service provider. Workloads can be distributed across multiple clouds which improves independence and helps to avoid ‘vendor lock-in’. Furthermore, as the multi-cloud is usually a geographically-distributed environment, this helps to improve high availability of applications and their resiliency against failures. Finally, the multi-cloud approach combines the best advantages of various cloud platforms. For example, running databases on virtual machines (VMs) while hosting frontend applications inside of containers. Thus, workload orchestration remains the most prominent challenge in this case.

  • Kubernetes for Data Science: meet Kubeflow

    Data science has exploded as a practice in the past decade and has become an undisputed driver of innovation. The forcing factors behind the rising interest in Machine Learning, a not so new concept, have consolidated and created an unparalleled capacity for Deep Learning, a subset of Artificial Neural Networks with many hidden layers, to thrive in the years to come.

Android Leftovers