Navigation

Language Selection

Search

Security Leftovers

Submitted by Roy Schestowitz on Saturday 9th of January 2021 05:04:14 AM Filed under

Security

Security updates for Friday

Security updates have been issued by Debian (firefox-esr and libxstream-java), Fedora (awstats and dia), Mageia (c-ares, dash, and dovecot), openSUSE (dovecot23, gimp, kitty, and python-notebook), Oracle (kernel), SUSE (python-paramiko and tomcat), and Ubuntu (edk2, firefox, ghostscript, and openjpeg2).
What Is SSH and What Does It Stand For?

OpenSSH is a widely-used open-source implementation of SSH. The original free version of SSH was developed by Tatu Ylönen. Later versions of Ylönen's work were proprietary, meaning they cost money to license and use, and you couldn't make unauthorized changes to the protocol.

Thus, a team of developers forked the original free version of SSH and named it OpenSSH, which is now developed as part of OpenBSD (an open-source operating system). All major operating systems, such as Windows, macOS, and the numerous Linux distributions, support OpenSSH.
OpenSSL, LibreSSL, LibreTLS and all the terminological irony – Michał Górny

While we’re discussing the fate of LibreSSL, it’s worth noting how confusing the names of these packages became. I’d like to take this opportunity to provide a short note on what’s what.

First of all, SSL and its successor TLS are protocols used to implement network connection security. For historical reasons, many libraries carry ‘SSL’ in their name (OpenSSL, LibreSSL, PolarSSL) but nowadays they all support TLS.

Reproducible Builds (diffoscope): diffoscope 164 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 164. This version includes the following changes:

[ Chris Lamb ]
* Truncate jsondiff differences at 512 bytes lest they consume the entire page.
* Wrap our external call to cmp(1) with a profile (to match the internal
  profiling).
* Add a note regarding the specific ordering of the new
  all_tools_are_listed test.

[ Dimitrios Apostolou ]
* Performance improvements:
  - Improve speed of has_same_content by spawning cmp(1) less frequently.
  - Log whenever the external cmp(1) command is spawn.ed
  - Avoid invoking external diff for identical, short outputs.
* Rework handling of temporary files:
  - Clean up temporary directories as we go along, instead of at the end.
  - Delete FIFO files when the FIFO feeder's context manager exits.

[ Mattia Rizzolo ]
* Fix a number of potential crashes in --list-debian-substvars, including
  explicitly listing lipo and otool as external tools.
 - Remove redundant code and let object destructors clean up after themselves.

[ Conrad Ratschan ]
* Add a comparator for Flattened Image Trees (FIT) files, a boot image format
  used by U-Boot.

Login or register to post comments
Printer-friendly version
4365 reads
PDF version

More in Tux Machines

Security and Proprietary Failures

Security updates for Friday

Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).
DHS Secretary Mayorkas announces new initiative to fight 'epidemic' of cyberattacks [iophk: Windows TCO]

Homeland Security Secretary Alejandro Mayorkas on Thursday announced new funding and initiatives to prioritize the nation’s cybersecurity, particularly in order to confront what he described as an “epidemic” of ransomware attacks.

Mayorkas announced during a virtual speech that current cybersecurity grants from the Federal Emergency Management Agency would be increased by $25 million across the nation and that the Department of Homeland Security (DHS) was evaluating further cyber grants to help the Cybersecurity and Infrastructure Security Agency (CISA) assist state and local governments.
Google Discloses Details of Remote Code Execution Vulnerability in Windows

The flaw, tracked as CVE-2021-24093, was patched by Microsoft on February 9 with its Patch Tuesday updates. Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero have been credited for reporting the issue to Microsoft.

A CVSS score of 8.8 has been assigned to the vulnerability, but Microsoft has rated it critical for all affected operating systems. The list includes Windows 10, Windows Server 2016 and 2019, and Windows Server.
VMWare Patches Critical RCE Flaw in vCenter Server

The vulnerability, one of three patched by the company this week, could allow threat actors to breach the external perimeter of a data center or leverage backdoors already installed to take over a system.
How $100M in Jobless Claims Went to Inmates

The U.S. Labor Department’s inspector general said this week that roughly $100 million in fraudulent unemployment insurance claims were paid in 2020 to criminals who are already in jail. That’s a tiny share of the estimated tens of billions of dollars in jobless benefits states have given to identity thieves in the past year. To help reverse that trend, many states are now turning to a little-known private company called ID.me. This post examines some of what that company is seeing in its efforts to stymie unemployment fraud.
Microsoft Failed to Shore Up Defences That Could Have Limited SolarWinds Hack, US Senator Says

Microsoft's failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers' cloud services. The technique was one of many used in the SolarWinds hack. Wyden, who has faulted tech companies on security and privacy issues as a member of the Senate Intelligence Committee, blasted Microsoft for not doing more to prevent forged identities or warn customers about it.
Apple Releases macOS Big Sur 11.2.2 to Prevent MacBooks From Being Damaged by Third-Party Non-Compliant Docks

Many of the complaints were from M1 Mac users who had a MacBook Pro or a ‌MacBook Air‌, but Apple's release notes suggest other models were affected as well.
Apple releases macOS update to prevent damage from third-party docks and dongles

Most of the issues seemed to come from using a third-party dock, and while some of them seem to be from pretty obscure brands, there are a few recognizable ones that are reported to have killed laptops. For its part, Apple calls them “non-compliant powered USB-C hubs and docks” in the new update’s notes.

Audiocasts/Shows: Self-Hosted, KVM, and XMonad Config

We run Arch BTW | Self-Hosted 39

Our favorite LastPass alternative, why more boxes might be better than one, and we confess to an undying love.
The TinyPilot KVM - An open-source network KVM

I've been looking for a network-enabled KVM for a while now, and I think I found a really good one - the TinyPilot! In this video, I take a look at this KVM to see how easy it is to set up and use.
Explaining Everything In My XMonad Config

In this lengthy video, I am going to go over my Xmonad configuration file. My config file is massive, including a lot of code that I don't even use myself, but I keep this massive config as a reference manual for others to look at.

Android Leftovers

Wayland KDE X11

These days, I often hear a lot about Wayland. And how much of effort is being put into it; not just by the Embedded world but also the usual Desktop systems, namely KDE and GNOME. In recent past, I switched back to KDE and have been (very) happy about the switch. Even though the KDE 4 (and initial KDE 5) debacle had burnt many, coming back to a usable KDE desktop is always a delight. It makes me feel home with the elegance, while at the same time the flexibility, it provides. It feels so nice to draft this blog article from Kwrite + VI Input Mode Thanks to the great work of the Debian KDE Team, but Norbert Preining in particular, who has helped bring very up-to-date KDE packages into Debian. Right now, I’m on a Plamsa 5.21.1 desktop, which is recent by all standards.

Latest News

Mageia 8 Released with Linux 5.10 LTS, Better Support for NVIDIA Optimus Laptops

Mageia 8 is powered by the long-term supported Linux 5.10 LTS kernel series, promising outstanding hardware support, and in combination with an up-to-date graphics stack consisting of Mesa 20.3.4 and X.Org Server 1.20.10, the distribution offers improved support for AMD and NVIDIA GPUs. For newer AMD Radeon GPUs, Mageia 8 uses the open-source AMDGPU graphics driver, while the Radeon graphics driver is used for older cards. On the other hand, the free Nouveau graphics driver is used for NVIDIA GPUs, and Mageia 8 promises improved support for NVIDIA Optimus laptops.

PostgreSQL, GNOME, Rubygems Update in Tumbleweed

Slonik fans are excited for this week’s openSUSE Tumbleweed snapshots as PostgreSQL has a major release in the rolling release distribution. Snapshot 20210224 brought in the new postgresql 13 version. The new major version brings in highly requested features like parallelized vacuuming and incremental sorting. PostgreSQL brought some security enhancements with its extension system that allows developers to expand its functionality. There are also improvements to its indexing and lookup system, which benefit large databases. PostgreSQL wasn’t the only major version updated in the snapshot; the utility library ndctl jumped two versions to 70.1, which added firmware activation support. Other major version updates were made to liberation-fonts 2.1.1 and perl-Mail-DKIM 1.20200907. The Advanced Linux Sound Architecture package updated to version 1.2.4, which provided some plugin updates and Link Time Optimization fixes. Among other packages to update in the snapshot were bind 9.16.7, libsolv 0.7.16 and debugging tool xfsprogs 5.9.0.

today's leftovers

Panel: A New Era of Open? COVID-19 and the Pursuit for Equitable Solutions

In this panel, we’ll examine the fields of Open Data, Open Science, and Open Source Medical Hardware with leading experts and practitioners, asking questions like: “What does “open” mean in the COVID-19 context?” “What role can open access and the open community play in ensuring there is timely and equitable access to medical and scientific research outputs and data, vaccines and treatments?” “Can open science and open data help prevent the next pandemic?” “What legal tools should be used to expedite the manufacturing of vaccines?” “How can we balance individual privacy with the need to share information about genome variation and patterns of infection?”
WordPress Boots Pirated Themes and Plugins [Ed: "Pirated" is technically and legally the wrong term]

WordPress issued a statement that pirated themes and plugins are prohibited from being distributed from the official repositories [...] WordPress.org announced that plugins and themes that are pirated versions of paid plugins and themes will be removed from the official WordPress repositories. The WordPress community debated if that approach violated the WordPress Open Source GPL license that allows derivative works to be distributed. The announcement itself affirmed that premium plugins are developed under the GPL that allows the creation of derivative works. But it also reserved the right to remove the plugins from the official plugin repository.

New Release: OnionShare 2.3

This post was originally published on Micah Lee's blog.

After a ridiculously long sixteen months (or roughly ten years in pandemic time) I'm excited to announce that OnionShare 2.3 is out! Download it from onionshare.org.

What is virtualisation? The basics

Virtualisation plays a huge role in almost all of today’s fastest-growing software-based industries. It is the foundation for most cloud computing, the go-to methodology for cross-platform development, and has made its way all the way to ‘the edge’; the eponymous IoT. This article is the first in a series where we explain what virtualisation is and how it works. Here, we start with the broad strokes. Anything that goes beyond the scope of a 101 article will be covered in subsequent blog posts. Let’s get into it. [...] Snaps are containerised software packages that focus on being singular application containers. Where LXC could be seen as a machine container, Docker as a process container, snaps can be seen as application containers. Snaps package code and dependencies in a similar way to containers to keep the application content isolated and immutable. They have a writable area that is separated from the rest of the system, but are visible to the host via user application-defined interfaces and behave more like traditional Debian apt packages. Snaps are designed for when you want to deploy to a single machine. Applications are built and packaged as snaps using a tool called snapcraft that incorporates different container technologies to create a secure and easy-to-update way to package applications for workstations or for fleets of IoT devices. There are a few ways to develop snaps. Developers can configure snap to even run unconfined while they put it together and containerise everything later when pushing to production. Read more about the different way snaps can be configured in another article.
Full Circle Magazine #166

This month: * Command & Conquer : LMMS * How-To : Python, Podcast Production, and Make a Budget * Graphics : Inkscape [...]
resolvd(8) - daemon to handle nameserver configuration

From manual page description (at the time of writing):

resolvd handles the contents of /etc/resolv.conf, which contains details of the system's DNS nameservers, and is read by the resolver routines in the C library.

resolvd checks whether unwind(8) is running and monitors the routing socket for proposals sent by dhclient(8), slaacd(8), or network devices which learn DNS information such as umb(4).
February 2021 Web Server Survey

Apache also holds a more significant lead in terms of Netcraft’s active sites metric, which favours sites with unique content. Apache serves 25.5% of active sites, whereas nginx serves 19.8%. Google accounts for a reasonably large 9.9% share of active sites, owing to its popular Blogger service. Microsoft’s server software market share remains in decline. Microsoft’s figures took a significant drop in 2020 in favour of OpenResty, and Microsoft now only has 6.5% (-1.0pp) of the site market and 6.0% (-0.3pp) of domains as of February 2021. OpenResty also looks set to overtake Microsoft as the third largest vendor in terms of sites and active sites.
#MonthOfMaking is back in The MagPi 103!
The Rise & Rise Of Linux Foundation

Open Source Development Labs and Free Standards Group merged to form the Linux Foundation at the turn of the millennium.
Bundling for the Web

One set of touted advantages for bundling relate to performance and efficiency. Today, we have a better understanding of the ways in which performance is affected by resource composition, so this has been narrowed down to two primary features: compression efficiency and reduced overheads. Compression efficiency can be dramatically improved if similar resources are bundled together. This is because the larger shared context results in more repetition and gives a compressor more opportunities to find and exploit similarities. Bundling is not the only way to achieve this. Alternative methods of attaining compression gains have been explored, such as SDCH and cross-stream compression contexts for HTTP/2. Prototypes of the latter showed immense improvements in compression efficiency and corresponding performance gains. However, general solutions like these have not been successful in find ways to manage operational security concerns. Bundling could also reduce overheads. While HTTP/2 and HTTP/3 reduce the cost of making requests, those costs still compound when multiple resources are involved. The claim here is that internal handling of individual requests in browsers has inefficiencies that are hard to eliminate without some form of bundling. I find it curious that protocol-level inefficiencies are not blamed here, but rather inter-process communication between internal browser processes. Not having examined this closely, I can’t really speak to these claims, but they are quite credible. What I do know is that performance in this space is subtle. When we were building HTTP/2, we found that performance was highly sensitive to the number of requests that could be made by clients in the first few round trips of a connection. The way that networking protocols work means that there is very limited space for sending anything early in a connection[2]. The main motivation for HTTP header compression was that it allowed significantly more requests to be made early in a connection. By reducing request counts, bundling might do the same.
Digital Restrictions (DRM) Screws People Yet Again: Book DRM Data Breach Exposes Reporters' Emails And Passwords

I have a few different services that report to me if my email is found in various data breaches, and recently I was notified that multiple email addresses of mine showed up in a leak of the service NetGalley. NetGalley, if you don't know, is a DRM service for books, that is regularly used by authors and publishers to send out "advance reader" copies (known around the publishing industry as "galleys.") The service has always been ridiculously pointless and silly. It's a complete overreaction to the "risk" of digital copies of a book getting loose -- especially from the people who are being sent advance reader copies (generally journalists or industry professionals). I can't recall ever actually creating an account on the service (and can't find any emails indicating that I had -- but apparently I must have). However, in searching through old emails, I do see that various publishers would send me advance copies via NetGalley -- though I don't think I ever read any through the service (the one time I can see that I wanted to read such a book, after getting sent a NetGalley link, I told the author that it was too much trouble and they sent me a PDF instead, telling me not to tell the publisher who insisted on using NetGalley).

Syndication & Social Media

Follow the site via RSS/Twitter.

Full RSS:

RSS feeds for particular topics are also available

Twitter:

Content (where original) is available under CC-BY-SA, copyrighted by original author/s.

Support Tux Machines

Help Support TM
Wall of Appreciation

Gizmoz

LXer

UbuntuBuzz

SparkyLinux

Linux Journal

Linux Today

System 76

Kernel Planet

Purism

LinuxSecurity.com Advisories

Debian

It's FOSS

OMG! Ubuntu!

GamingOnLinux

Slashdot

DW Latest Releases

DistroWatch

More on Tux Machines: About ● Gallery ● Forum ● Blogs ● Search ● News ● RSS Feed

Part of Bytes Media ● Sister sites below.

FSF

Ubuntu Buzz

LinuxLinks

Content available under CC-BY-SA

Navigation

Language Selection

Search

Tux Machines Section/s

Authors Information

LWN

Active forum topics

Collabora

FOSS Post

Gnu Planet

FOSSLinux

Phoronix

OpenSource.com

Kde Planet

Fedora Magazine

Mozilla