Security Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (firefox-esr and libxstream-java), Fedora (awstats and dia), Mageia (c-ares, dash, and dovecot), openSUSE (dovecot23, gimp, kitty, and python-notebook), Oracle (kernel), SUSE (python-paramiko and tomcat), and Ubuntu (edk2, firefox, ghostscript, and openjpeg2).

  • What Is SSH and What Does It Stand For?

    OpenSSH is a widely-used open-source implementation of SSH. The original free version of SSH was developed by Tatu Ylönen. Later versions of Ylönen's work were proprietary, meaning they cost money to license and use, and you couldn't make unauthorized changes to the protocol.

    Thus, a team of developers forked the original free version of SSH and named it OpenSSH, which is now developed as part of OpenBSD (an open-source operating system). All major operating systems, such as Windows, macOS, and the numerous Linux distributions, support OpenSSH.

  • OpenSSL, LibreSSL, LibreTLS and all the terminological irony – Michał Górny

    While we’re discussing the fate of LibreSSL, it’s worth noting how confusing the names of these packages became. I’d like to take this opportunity to provide a short note on what’s what.

    First of all, SSL and its successor TLS are protocols used to implement network connection security. For historical reasons, many libraries carry ‘SSL’ in their name (OpenSSL, LibreSSL, PolarSSL) but nowadays they all support TLS.

  • Reproducible Builds (diffoscope): diffoscope 164 released

    The diffoscope maintainers are pleased to announce the release of diffoscope version 164. This version includes the following changes:

    [ Chris Lamb ]
    * Truncate jsondiff differences at 512 bytes lest they consume the entire page.
    * Wrap our external call to cmp(1) with a profile (to match the internal
      profiling).
    * Add a note regarding the specific ordering of the new
      all_tools_are_listed test.
    
    [ Dimitrios Apostolou ]
    * Performance improvements:
      - Improve speed of has_same_content by spawning cmp(1) less frequently.
      - Log whenever the external cmp(1) command is spawned.
      - Avoid invoking external diff for identical, short outputs.
    * Rework handling of temporary files:
      - Clean up temporary directories as we go along, instead of at the end.
      - Delete FIFO files when the FIFO feeder's context manager exits.
    
    [ Mattia Rizzolo ]
    * Fix a number of potential crashes in --list-debian-substvars, including
      explicitly listing lipo and otool as external tools.
      - Remove redundant code and let object destructors clean up after themselves.
    
    [ Conrad Ratschan ]
    * Add a comparator for Flattened Image Trees (FIT) files, a boot image format
      used by U-Boot.

Security and Proprietary Failures

  • Security updates for Friday

    Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).

  • DHS Secretary Mayorkas announces new initiative to fight 'epidemic' of cyberattacks [iophk: Windows TCO]

    Homeland Security Secretary Alejandro Mayorkas on Thursday announced new funding and initiatives to prioritize the nation’s cybersecurity, particularly in order to confront what he described as an “epidemic” of ransomware attacks.

    Mayorkas announced during a virtual speech that current cybersecurity grants from the Federal Emergency Management Agency would be increased by $25 million across the nation and that the Department of Homeland Security (DHS) was evaluating further cyber grants to help the Cybersecurity and Infrastructure Security Agency (CISA) assist state and local governments.

  • Google Discloses Details of Remote Code Execution Vulnerability in Windows

    The flaw, tracked as CVE-2021-24093, was patched by Microsoft on February 9 with its Patch Tuesday updates. Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero have been credited for reporting the issue to Microsoft.

    A CVSS score of 8.8 has been assigned to the vulnerability, but Microsoft has rated it critical for all affected operating systems. The list includes Windows 10, Windows Server 2016 and 2019, and Windows Server.

  • VMWare Patches Critical RCE Flaw in vCenter Server

    The vulnerability, one of three patched by the company this week, could allow threat actors to breach the external perimeter of a data center or leverage backdoors already installed to take over a system.

  • How $100M in Jobless Claims Went to Inmates

    The U.S. Labor Department’s inspector general said this week that roughly $100 million in fraudulent unemployment insurance claims were paid in 2020 to criminals who are already in jail. That’s a tiny share of the estimated tens of billions of dollars in jobless benefits states have given to identity thieves in the past year. To help reverse that trend, many states are now turning to a little-known private company called ID.me. This post examines some of what that company is seeing in its efforts to stymie unemployment fraud.

  • Microsoft Failed to Shore Up Defences That Could Have Limited SolarWinds Hack, US Senator Says

    Microsoft's failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers' cloud services. The technique was one of many used in the SolarWinds hack. Wyden, who has faulted tech companies on security and privacy issues as a member of the Senate Intelligence Committee, blasted Microsoft for not doing more to prevent forged identities or warn customers about it.

  • Apple Releases macOS Big Sur 11.2.2 to Prevent MacBooks From Being Damaged by Third-Party Non-Compliant Docks

    Many of the complaints were from M1 Mac users who had a MacBook Pro or a ‌MacBook Air‌, but Apple's release notes suggest other models were affected as well.

  • Apple releases macOS update to prevent damage from third-party docks and dongles

    Most of the issues seemed to come from using a third-party dock, and while some of them seem to be from pretty obscure brands, there are a few recognizable ones that are reported to have killed laptops. For its part, Apple calls them “non-compliant powered USB-C hubs and docks” in the new update’s notes.

Audiocasts/Shows: Self-Hosted, KVM, and XMonad Config

  • We run Arch BTW | Self-Hosted 39

    Our favorite LastPass alternative, why more boxes might be better than one, and we confess to an undying love.

  • The TinyPilot KVM - An open-source network KVM

    I've been looking for a network-enabled KVM for a while now, and I think I found a really good one - the TinyPilot! In this video, I take a look at this KVM to see how easy it is to set up and use.

  • Explaining Everything In My XMonad Config

    In this lengthy video, I am going to go over my Xmonad configuration file. My config file is massive, including a lot of code that I don't even use myself, but I keep this massive config as a reference manual for others to look at.

Wayland KDE X11

These days, I often hear a lot about Wayland, and how much effort is being put into it; not just by the Embedded world but also the usual Desktop systems, namely KDE and GNOME. In the recent past, I switched back to KDE and have been (very) happy about the switch. Even though the KDE 4 (and initial KDE 5) debacle had burnt many, coming back to a usable KDE desktop is always a delight. It makes me feel at home with the elegance, while at the same time the flexibility, it provides. It feels so nice to draft this blog article from Kwrite + VI Input Mode. Thanks to the great work of the Debian KDE Team, but Norbert Preining in particular, who has helped bring very up-to-date KDE packages into Debian. Right now, I'm on a Plasma 5.21.1 desktop, which is recent by all standards.