Security and FUD Leftovers

Filed under
Security
  • Security updates for Thursday [LWN.net]

    Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools).

  • Travis CI flaw exposed secrets of thousands of open source projects [Ed: Hidden cost of bloat, but Microsoft-funded Ars 'Tech'nica spins this as an "Open Source" problem]

    A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

  • Travis CI flaw exposed secrets of thousands of open source projects (ars technica) [LWN.net]

    Any project storing secrets in this service would be well advised to replace them.

  • The long-term consequences of maintainers’ actions – Ariadne's Space

    OpenSSL 3 has entered Alpine, and we have been switching software to use it over the past week. While OpenSSL 1.1 is not going anywhere any time soon, it will eventually leave the distribution, once it no longer has any dependents. I mostly bring this up because it highlights a few examples of maintainers not thinking about the big picture; let me explain.

    First, the good news: in distribution-wide rebuilds, we already know that the overwhelming majority of packages in Alpine build just fine with OpenSSL 3, when individually built against it. Roughly 85% of main builds just fine with OpenSSL 3, and 89% of community builds with it. The rebuild effort is off to a good start.

    Major upgrades to OpenSSL are not without their fallout, however. In many cases, we cannot upgrade packages to use OpenSSL 3 because they have dependencies which themselves cannot yet be built with OpenSSL 3. So, that 15% of main ultimately translates to 30-40% of main once you take into account dependencies like curl, which builds just fine with OpenSSL 3, but has hundreds of dependents, some of which don’t.

    A major example of this is mariadb. It has been known that OpenSSL 3 was on the horizon for over 4 years now, and that the OpenSSL 3 release would remove support for the classical OpenSSL programming approach of touching random internals. However, they are just now beginning to update their OpenSSL support to use the modern APIs. Because of this, we wound up having to downgrade dozens of packages which would otherwise have supported OpenSSL 3 just fine, because the maintainers of those packages did their part and followed the OpenSSL deprecation warnings as they showed up in OpenSSL releases. MariaDB is a highly profitable company that does business with the overwhelming majority of the Fortune 500 companies. Yet when OpenSSL 3 releases started to be cut, they weren’t ready, and despite having years of warning they’re still not, which accordingly limits what packages can get the OpenSSL 3 upgrade.

  • Level up your digital security hygiene! Cybersec Charcha #5

    By popular demand from our staff and community members, this edition of cybersec charcha will explore the basic digital security hygiene practices everyone should follow and how they protect your information from falling into the wrong hands.

    As attacks like Pegasus gain more limelight and become part of public knowledge, many of us feel that there is nothing we can do to protect ourselves. And currently, this stands true for sophisticated attacks like Pegasus. However, it’s important to remain cognizant that every time someone’s data is compromised, it’s not because they were targeted with military-grade spyware. It’s crucial for us to be aware of our personal threat levels. This threat level can be determined through a process called Threat Modelling.

  • Microsoft Releases Security Update for Azure Linux Open Management Infrastructure [Ed: This is how CISA covers Microsoft 'bug doors' inside Linux]

    Microsoft has released an update to address a remote code execution vulnerability in Azure Linux Open Management Infrastructure (OMI). An attacker could use this vulnerability to take control of an affected system.

  • Drupal Releases Multiple Security Updates

    Drupal has released security updates to address multiple vulnerabilities affecting Drupal 8.9, 9.1, and 9.2. An attacker could exploit some of these vulnerabilities to take control of an affected system.

  • New Go malware Capoae targets WordPress installs, Linux systems [Ed: Charlatans and frauds at ZDNet now try to blame some malware that targets WordPress on "Linux" and on the programming language the malware is written in (Go); this isn't journalism and it's even lower than tabloid level. Part of a trend. Imagine ZDNet blaming Photoshop holes on Windows and on C++ (if some malware is coded in that language).]
  • Democracy Now: NSO Group Spies Secretly Seized Control of Apple Devices by Exploiting Flaw in Code - The Citizen Lab

    Ron Deibert joined Democracy Now to discuss how Citizen Lab research of a zero-click zero-day exploit—used by NSO Group—led Apple to issue a patch to over 1.65 billion products.

  • Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: WSL was always a security joke; it's compromised, totally controlled by Microsoft, and only a fool would call that "Linux"]
  • Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: They've paid to spread this misleading thing which conflates WSL with "Linux"]
  • ACSC Releases Annual Cyber Threat Report

    The Australian Cyber Security Centre (ACSC) has released its annual report on key cyber security threats and trends for the 2020–21 financial year.

    The report lists the exploitation of the pandemic environment, the disruption of essential services and critical infrastructure, ransomware, the rapid exploitation of security vulnerabilities, and the compromise of business email as last year’s most significant threats.

More Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation

  • Microsoft to Azure Linux users: Patch this problem yourself

    Azure Linux administrators, it's time to get patching. In response to the recent OMIGOD vulnerabilities, Microsoft has released an updated version of OMI, but you'll need to upgrade on your own (via BleepingComputer). Here's the full scoop.

    OMIGOD vulnerabilities are named after OMI, an acronym that stands for the Open Management Infrastructure software agent. The OMIGOD vulnerabilities found in OMI have opened the door for RCE (Remote Code Execution) attacks from malicious parties. And if you're an Azure user operating on a Linux setup with a service such as Azure Diagnostics or Azure Automation enabled, that means you have OMI on your Virtual Machine.

More of the WSL FUD

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

digiKam 7.7.0 is released

After three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. Read more

Dilution and Misuse of the "Linux" Brand

Samsung, Red Hat to Work on Linux Drivers for Future Tech

The metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. Read more

today's howtos

  • How to install go1.19beta on Ubuntu 22.04 – NextGenTips

    In this tutorial, we are going to explore how to install go on Ubuntu 22.04 Golang is an open-source programming language that is easy to learn and use. It is built-in concurrency and has a robust standard library. It is reliable, builds fast, and efficient software that scales fast. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel-type systems enable flexible and modular program constructions. Go compiles quickly to machine code and has the convenience of garbage collection and the power of run-time reflection. In this guide, we are going to learn how to install golang 1.19beta on Ubuntu 22.04. Go 1.19beta1 is not yet released. There is so much work in progress with all the documentation.

  • molecule test: failed to connect to bus in systemd container - openQA bites

    Ansible Molecule is a project to help you test your ansible roles. I’m using molecule for automatically testing the ansible roles of geekoops.

  • How To Install MongoDB on AlmaLinux 9 - idroot

    In this tutorial, we will show you how to install MongoDB on AlmaLinux 9. For those of you who didn’t know, MongoDB is a high-performance, highly scalable document-oriented NoSQL database. Unlike in SQL databases where data is stored in rows and columns inside tables, in MongoDB, data is structured in JSON-like format inside records which are referred to as documents. The open-source attribute of MongoDB as a database software makes it an ideal candidate for almost any database-related project. This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the MongoDB NoSQL database on AlmaLinux 9. You can follow the same instructions for CentOS and Rocky Linux.

  • An introduction (and how-to) to Plugin Loader for the Steam Deck. - Invidious
  • Self-host a Ghost Blog With Traefik

    Ghost is a very popular open-source content management system. Started as an alternative to WordPress and it went on to become an alternative to Substack by focusing on membership and newsletter. The creators of Ghost offer managed Pro hosting but it may not fit everyone's budget. Alternatively, you can self-host it on your own cloud servers. On Linux handbook, we already have a guide on deploying Ghost with Docker in a reverse proxy setup. Instead of Ngnix reverse proxy, you can also use another software called Traefik with Docker. It is a popular open-source cloud-native application proxy, API Gateway, Edge-router, and more. I use Traefik to secure my websites using an SSL certificate obtained from Let's Encrypt. Once deployed, Traefik can automatically manage your certificates and their renewals. In this tutorial, I'll share the necessary steps for deploying a Ghost blog with Docker and Traefik.