Security Leftovers

Filed under
Security
  • What sort of SSH keys our users use or have listed in their authorized keys files

    My first surprise is that we have so many DSA keys listed, since they're no longer supported (and those 380 ssh-dss keys are across 203 different people). People clearly don't clean out their authorized keys files very often. 670 people have RSA keys, 13 have Ed25519 keys, and 15 have some form of ECDSA keys (which implies that a few people list a bunch of ECDSA keys).

    However, that's just what people have sitting around in their authorized keys files, not what actually gets used. What actually gets used is a somewhat different picture. Here are the numbers for how many different keys of each type have been used over the course of 2020 so far: [...]
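The inventory described above (keys per type, and how many people hold at least one key of each type) is easy to reproduce from the authorized_keys files themselves. The script below is an added example, not code from the quoted post; it takes a constructed {user: file text} mapping (the key blobs are obvious fakes) and skips comments, blank lines and any leading options field so that `command="..."` entries are still counted.

```python
"""Inventory SSH key types across users' authorized_keys files."""
import shlex
from collections import defaultdict

# Key type prefixes OpenSSH accepts; ssh-dss is the deprecated DSA type.
KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")

def parse_authorized_keys(text):
    """Yield the key type of every key line, skipping comments, blank lines
    and a leading options field such as command="...",no-pty."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted option values intact
        except ValueError:
            continue  # unbalanced quotes: not a usable key line
        for tok in tokens:
            if tok in KEY_TYPES:
                yield tok
                break

def summarize(files):
    """files: {username: authorized_keys text}.  Returns
    {key_type: {"keys": number of keys, "people": users with >= 1 such key}}."""
    stats = defaultdict(lambda: {"keys": 0, "people": 0})
    for text in files.values():
        seen = set()
        for ktype in parse_authorized_keys(text):
            stats[ktype]["keys"] += 1
            seen.add(ktype)
        for ktype in seen:
            stats[ktype]["people"] += 1
    return dict(stats)

def dsa_users(files):
    """Users still listing a DSA key, i.e. entries that can never be used."""
    return sorted(u for u, t in files.items()
                  if any(k == "ssh-dss" for k in parse_authorized_keys(t)))

SAMPLE = {  # constructed sample data; the key material is not real
    "alice": "ssh-rsa AAAAB3FAKE1 alice@laptop\nssh-dss AAAAB3FAKE2 old-key\n",
    "bob": ('# backup host\ncommand="/usr/bin/rsync --server",no-pty '
            "ssh-ed25519 AAAAC3FAKE3 bob\nssh-dss AAAAB3FAKE4\nssh-dss AAAAB3FAKE5\n"),
    "carol": "ecdsa-sha2-nistp256 AAAAE2FAKE6 carol\n\n",
}

if __name__ == "__main__":
    for ktype, counts in sorted(summarize(SAMPLE).items()):
        print(f"{ktype:28} keys={counts['keys']:3} people={counts['people']:3}")
    print("users with stale DSA keys:", ", ".join(dsa_users(SAMPLE)))
```

On a real host, build the mapping by reading each user's ~/.ssh/authorized_keys; the per-type "people" count is what distinguishes a few users with many keys from many users with one.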

  • Microsoft is blocking the Windows 10 May 2020 Update on lots of devices [Ed: Microsoft cannot even patch its own software without breaking it]

    Microsoft is preventing a large number of devices from updating to the Windows 10 May 2020 Update. While the software company released the update last week, Microsoft has quietly acknowledged that there are a number of known issues preventing the update from being installed on a variety of PCs.

    Microsoft has a list of 10 issues it’s currently investigating, and 9 of them have resulted in a “compatibility hold” which stops the Windows 10 May 2020 Update from being installed via Windows Update. One issue involving unexpected errors or reboots with always-on, always-connected devices, affects devices like Microsoft’s Surface Pro 7 or Surface Laptop 3.

  • Security updates for Tuesday

    Security updates have been issued by Arch Linux (ant, bind, freerdp, and unbound), CentOS (bind, freerdp, and git), Debian (python-httplib2), Fedora (ant, kernel, sqlite, and sympa), openSUSE (java-11-openjdk and qemu), Oracle (bind), Red Hat (freerdp), Scientific Linux (python-pip and python-virtualenv), Slackware (firefox), SUSE (qemu), and Ubuntu (Apache Ant, ca-certificates, flask, and freerdp2).


Linux Plumbers Conference Not Sold Out and Annual X.Org / Wayland / Mesa Conference Going Virtual

  • Linux Plumbers Conference: Linux Plumbers Conference is Not Sold Out

    We’re really sorry, but apparently the Cvent registration site we use has suffered a bug which is causing it to mark the conference as “Sold Out” and, unfortunately, since today is the beginning of the American Independence day weekend, we can’t get anyone to fix it until Monday. However, rest assured there are plenty of places still available, so if you can wait until Monday, you should be able to register for the conference as soon as the site is fixed.

  • The Annual X.Org / Wayland / Mesa Conference Is Going Virtual Due To COVID-19

    XDC 20 was set to take place this September in Poland but is now moving to an online event as a result of the ongoing coronavirus / COVID-19 pandemic. The X.Org Foundation has decided to make XDC 2020 a virtual conference due to uncertainty over the COVID-19 situation come September in Europe. This will be the first time the annual X.Org Developers' Conference has been an entirely online event. The announcement was made today as well as extending the call for presentations by an additional two weeks.

Security: Patches and diffoscope 150 released

  • Security updates for Friday

    Security updates have been issued by Debian (docker.io and imagemagick), Fedora (alpine, firefox, hostapd, and mutt), openSUSE (opera), Red Hat (rh-nginx116-nginx), SUSE (ntp, python3, and systemd), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv, linux, linux-azure, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-gke-5.0, linux-oem-osp1, net-snmp, and samba).

  • What is Software Security?

    Software security is the building of secure software with inherent defense so that it continues to function under malicious attacks, to the satisfaction of the users and owners of the software. This article explains the threats and solutions, from a general point of view. Standard vocabulary in information security is also explained. You should be computer and Internet literate to understand this article; you should also have studied a computer language, e.g., Perl, C, C++, PHP, etc. What is secured is information and software packages (applications and documents). Information is any message that is useful to anybody. “Information” is a vague word. The context in which it is used gives its meaning. It can mean news, lecture, tutorial (or lesson), or solution. A software package is usually a solution to some problem or related problems. In the past, all information not spoken was written on paper. Today, the software can be considered as a subset of information.

  • L1TF Cache Flushing Mode Could Soon Be Controlled Via Kconfig Build Option

    Approaching the two year anniversary next month of the L1TF / Foreshadow vulnerability, a Google engineer has proposed allowing the default mitigation state to be controlled via a Kconfig build-time option. This speculative execution attack on Intel CPUs has been mitigated since August 2018 and has offered for KVM virtual machine mitigation the kvm-intel.vmentry_l1d_flush module parameter for controlling the L1 data cache flushing behavior. But now a Google engineer has proposed setting the default L1 data flushing mode to be configurable at build-time via a new KVM_VMENTRY_L1D_FLUSH knob. This knob doesn't provide any new L1 Terminal Fault mitigation but rather just allows adjusting the default behavior for the default configuration of that kernel image, whether it be to never flush the cache before a VMENTER, conditionally flush, or the most impactful state of always flushing.

  • diffoscope 150 released

    The diffoscope maintainers are pleased to announce the release of diffoscope version 150.

Mozilla: SpiderMonkey and Filter Treeherder Development

  • SpiderMonkey Newsletter 5 (Firefox 78-79)

    SpiderMonkey is the JavaScript engine used in Mozilla Firefox. This newsletter gives an overview of the JavaScript and WebAssembly work we’ve done as part of the Firefox 78 and 79 Nightly release cycles. If you like these newsletters, you may also enjoy Yulia’s weekly Compiler Compiler live stream, a guided tour of what it is like to work on SpiderMonkey and improve spec compliance.

  • In Filter Treeherder jobs by test or manifest path I describe the feature.

    In Filter Treeherder jobs by test or manifest path I describe the feature. In this post I will explain how it came about. I want to highlight the process between a conversation and a deployed feature. Many times, it is an unseen part of the development process that can be useful for contributors and junior developers who are trying to grow as developers. Back in the Fall of 2019 I started inquiring into developers’ satisfaction with Treeherder. This is one of the reasons I used to go to the office once in a while. One of these casual face-to-face conversations led to this feature. Mike Conley explained to me how he would look through various logs to find a test path that had failed on another platform (see referenced post for further details). After I understood the idea, I tried to determine what options we had to implement it. I wrote a Google Doc with various alternative implementations and with information about what pieces were needed for a prototype. I requested feedback from various co-workers to help discover blind spots in my plans. Once I had some feedback from immediate co-workers, I made my idea available in a Google group (increasing the circle of people giving feedback). I described my intent to implement the idea and was curious to see if anyone else was already working on it or had better ideas on how to implement it. I did this to raise awareness in larger circles, reduce duplicate efforts and learn from prior work. I also filed a bug to drive further technical discussions and for interested parties to follow up on the work. Fortunately, around the same time Andrew Halberstadt started working on defining explicitly what manifests each task executes before the tasks are scheduled (see bug). This is a major component to make the whole feature on Treeherder functional. In some cases, talking enough about the need can enlist others from their domains of expertise to help with your project.

  • Filter Treeherder jobs by test or manifest path

    This feature is useful for developers and code sheriffs because it permits them to determine whether or not a test that fails in one platform configuration also fails in other ones. Previously, this was difficult because certain test suites are split into multiple tasks (aka “chunks”). In the screenshot below, you can see that the manifest path devtools/client/framework/browser-toolbox/test/browser.ini is executed in different chunks.

Debian-based Grml 2020.06 Released and NsCDE in Debian-based Sparky

  • Grml 2020.06 – Codename Ausgehfuahangl

    We did it again™, at the end of June we released Grml 2020.06, codename Ausgehfuahangl. This Grml release (a Linux live system for system administrators) is based on Debian/testing (AKA bullseye) and provides current software packages as of June, incorporates up to date hardware support and fixes known issues from previous Grml releases. I am especially fond of our cloud-init and qemu-guest-agent integration, which makes usage and automation in virtual environments like Proxmox VE much more comfortable.

  • NsCDE

    There is a new desktop available for Sparkers: NsCDE. What is NsCDE? Not so Common Desktop Environment (NsCDE) is a retro but powerful (kind of) UNIX desktop environment which resembles CDE look (and partially feel) but with a more powerful and flexible framework beneath the surface, more suited for 21st-century Unix-like and Linux systems and user requirements than original CDE. NsCDE can be considered as a heavyweight FVWM theme on steroids, but combined with a couple other free software components and custom FVWM applications and a lot of configuration, NsCDE can be considered a lightweight hybrid desktop environment.