Security and FUD Leftovers
-
Security updates for Thursday [LWN.net]
Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools).
-
Travis CI flaw exposed secrets of thousands of open source projects [Ed: Hidden cost of bloat, but Microsoft-funded Ars 'Tech'nica spins this as an "Open Source" problem]
A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.
-
Travis CI flaw exposed secrets of thousands of open source projects (ars technica) [LWN.net]
Any project storing secrets in this service would be well advised to replace them.
-
The long-term consequences of maintainers’ actions – Ariadne's Space
OpenSSL 3 has entered Alpine, and we have been switching software to use it over the past week. While OpenSSL 1.1 is not going anywhere any time soon, it will eventually leave the distribution, once it no longer has any dependents. I mostly bring this up because it highlights a few examples of maintainers not thinking about the big picture; let me explain.
First, the good news: in distribution-wide rebuilds, we already know that the overwhelming majority of packages in Alpine build just fine with OpenSSL 3, when individually built against it. Roughly 85% of main builds just fine with OpenSSL 3, and 89% of community builds with it. The rebuild effort is off to a good start.
Major upgrades to OpenSSL are not without their fallout, however. In many cases, we cannot upgrade packages to use OpenSSL 3 because they have dependencies which themselves cannot yet be built with OpenSSL 3. So, that 15% of main ultimately translates to 30-40% of main once you take into account dependencies like curl, which builds just fine with OpenSSL 3, but has hundreds of dependents, some of which don’t.
A major example of this is mariadb. It has been known that OpenSSL 3 was on the horizon for over 4 years now, and that the OpenSSL 3 release would remove support for the classical OpenSSL programming approach of touching random internals. However, they are just now beginning to update their OpenSSL support to use the modern APIs. Because of this, we wound up having to downgrade dozens of packages which would otherwise have supported OpenSSL 3 just fine, because the maintainers of those packages did their part and followed the OpenSSL deprecation warnings as they showed up in OpenSSL releases. MariaDB is a highly profitable company that does business with the overwhelming majority of the Fortune 500 companies. Yet when OpenSSL 3 releases started to be cut, they weren’t ready, and despite having years of warning they’re still not, which accordingly limits what packages can get the OpenSSL 3 upgrade as a result.
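A worked illustration of the dependency arithmetic above (added here, not code from Ariadne's post or Alpine): the package names and build results are constructed, and blocking is modelled only in the direction the post describes, from a dependency that fails against the new library to everything that transitively depends on it.

```python
from collections import defaultdict

# Constructed sample: package -> libraries it links against.
# "openssl" is the library being bumped; it is not itself a package here.
DEPENDS = {
    "curl": ["openssl"],
    "mariadb": ["openssl"],
    "nginx": ["openssl"],
    "git": ["curl", "openssl"],
    "php": ["curl", "mariadb", "openssl"],
    "app-a": ["curl"],
    "app-b": ["php"],
}

# Constructed sample: packages whose own source does not build against the new version.
DIRECT_FAILURES = {"mariadb"}


def reverse_deps(depends):
    """Map each dependency to the set of packages that link it."""
    rdeps = defaultdict(set)
    for pkg, deps in depends.items():
        for dep in deps:
            rdeps[dep].add(pkg)
    return rdeps


def blocked_packages(depends, direct_failures):
    """Packages that must stay on the old library version.

    A package is held back if it fails itself, or if anything it depends on
    is held back: linking the old-version dependency together with the new
    library in one process is not an option, so the blockage propagates to
    every transitive dependent.
    """
    rdeps = reverse_deps(depends)
    blocked = set(direct_failures)
    stack = list(direct_failures)
    while stack:
        pkg = stack.pop()
        for dependent in rdeps[pkg]:
            if dependent not in blocked:
                blocked.add(dependent)
                stack.append(dependent)
    return blocked


def collateral(depends, direct_failures):
    """Packages that build fine themselves but are dragged back anyway."""
    return blocked_packages(depends, direct_failures) - set(direct_failures)


def blocked_fraction(depends, direct_failures):
    """Effective share of the package set that cannot move yet."""
    return len(blocked_packages(depends, direct_failures)) / len(depends)
```

With one direct failure out of seven packages (about 14%), the effective blocked share is three out of seven (about 43%), which is the kind of amplification the post reports.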
-
Level up your digital security hygiene! Cybersec Charcha #5
By popular demand from our staff and community members, this edition of cybersec charcha will explore the basic digital security hygiene practices everyone should follow and how they protect your information from falling into the wrong hands.
As attacks like Pegasus gain more limelight and become part of public knowledge, many of us feel that there is nothing we can do to protect ourselves. And currently, this stands true for sophisticated attacks like Pegasus. However, it’s important to remain cognizant that every time someone’s data is compromised, it’s not because they were targeted with military-grade spyware. It’s crucial for us to be aware of our personal threat levels. This threat level can be determined through a process called Threat Modelling.
-
Microsoft Releases Security Update for Azure Linux Open Management Infrastructure [Ed: This is how CISA covers Microsoft 'bug doors' inside Linux]
Microsoft has released an update to address a remote code execution vulnerability in Azure Linux Open Management Infrastructure (OMI). An attacker could use this vulnerability to take control of an affected system.
-
Drupal Releases Multiple Security Updates
Drupal has released security updates to address multiple vulnerabilities affecting Drupal 8.9, 9.1, and 9.2. An attacker could exploit some of these vulnerabilities to take control of an affected system.
-
New Go malware Capoae targets WordPress installs, Linux systems [Ed: Charlatans and frauds at ZDNet now try to blame some malware that targets WordPress on "Linux" and on the programming language the malware is written in (Go); this isn't journalism and it's even lower than tabloid level. Part of a trend. Imagine ZDNet blaming Photoshop holes on Windows and on C++ (if some malware is coded in that language).]
-
Democracy Now: NSO Group Spies Secretly Seized Control of Apple Devices by Exploiting Flaw in Code - The Citizen Lab
Ron Deibert joined Democracy Now to discuss how Citizen Lab research of a zero-click zero-day exploit—used by NSO Group—led Apple to issue a patch to over 1.65 billion products.
-
Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: WSL was always a security joke; it's compromised, totally controlled by Microsoft, and only a fool would call that "Linux"]
-
Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: They've paid to spread this misleading thing which conflates WSL with "Linux"]
-
ACSC Releases Annual Cyber Threat Report
The Australian Cyber Security Centre (ACSC) has released its annual report on key cyber security threats and trends for the 2020–21 financial year.
The report lists the exploitation of the pandemic environment, the disruption of essential services and critical infrastructure, ransomware, the rapid exploitation of security vulnerabilities, and the compromise of business email as last year’s most significant threats.
More Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation
Malware attacks Windows machines through Windows Subsystem for Linux for the first time [Ed: How to badmouth Linux because Microsoft is attacking it (WSL is an attack on GNU/Linux)]
New Malware Targets Windows Subsystem for Linux to Evade Detection
Azure Linux admins urged to patch four zero-day OMI vulnerabilities [Ed: This grossly understates the severity of what happened]
Hackers Alter Cobalt Strike Beacon to Target Linux Environments | eSecurityPlanet
Microsoft to Azure Linux users: Patch this problem yourself
More of the WSL FUD
Linux malware using subsystem to attack Windows host! - Invidious [Ed: Microsoft-connected media has weaponised Microsoft's attack on GNU/Linux (WSL is an attack) to FUD "Linux"]