
Security and FUD Leftovers

  • Security updates for Thursday [LWN.net]

    Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools).

  • Travis CI flaw exposed secrets of thousands of open source projects [Ed: Hidden cost of bloat, but Microsoft-funded Ars 'Tech'nica spins this as an "Open Source" problem]

    A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

  • Travis CI flaw exposed secrets of thousands of open source projects (ars technica) [LWN.net]

    Any project storing secrets in this service would be well advised to replace them.

  • The long-term consequences of maintainers’ actions – Ariadne's Space

    OpenSSL 3 has entered Alpine, and we have been switching software to use it over the past week. While OpenSSL 1.1 is not going anywhere any time soon, it will eventually leave the distribution, once it no longer has any dependents. I mostly bring this up because it highlights a few examples of maintainers not thinking about the big picture; let me explain.

    First, the good news: in distribution-wide rebuilds, we already know that the overwhelming majority of packages in Alpine build just fine with OpenSSL 3, when individually built against it. Roughly 85% of main builds just fine with OpenSSL 3, and 89% of community builds with it. The rebuild effort is off to a good start.

    Major upgrades to OpenSSL are not without their fallout, however. In many cases, we cannot upgrade packages to use OpenSSL 3 because they have dependencies which themselves cannot yet be built with OpenSSL 3. So, that 15% of main ultimately translates to 30-40% of main once you take into account dependencies like curl, which builds just fine with OpenSSL 3, but has hundreds of dependents, some of which don’t.

    A major example of this is mariadb. It has been known that OpenSSL 3 was on the horizon for over 4 years now, and that the OpenSSL 3 release would remove support for the classical OpenSSL programming approach of touching random internals. However, they are just now beginning to update their OpenSSL support to use the modern APIs. Because of this, we wound up having to downgrade dozens of packages which would otherwise have supported OpenSSL 3 just fine, because the maintainers of those packages did their part and followed the OpenSSL deprecation warnings as they showed up in OpenSSL releases. MariaDB is a highly profitable company that does business with the overwhelming majority of the Fortune 500 companies. Yet when OpenSSL 3 releases started to be cut, they weren’t ready, and despite having years of warning they’re still not, which accordingly limits what packages can get the OpenSSL 3 upgrade as a result.

  • Level up your digital security hygiene! Cybersec Charcha #5

    By popular demand from our staff and community members, this edition of cybersec charcha will explore the basic digital security hygiene practices everyone should follow and how they protect your information from falling into the wrong hands.

    As attacks like Pegasus gain more limelight and become part of public knowledge, many of us feel that there is nothing we can do to protect ourselves. And currently, this stands true for sophisticated attacks like Pegasus. However, it’s important to remain cognizant that every time someone’s data is compromised, it’s not because they were targeted with military-grade spyware. It’s crucial for us to be aware of our personal threat levels. This threat level can be determined through a process called Threat Modelling.

  • Microsoft Releases Security Update for Azure Linux Open Management Infrastructure [Ed: This is how CISA covers Microsoft 'bug doors' inside Linux]

    Microsoft has released an update to address a remote code execution vulnerability in Azure Linux Open Management Infrastructure (OMI). An attacker could use this vulnerability to take control of an affected system.

  • Drupal Releases Multiple Security Updates

    Drupal has released security updates to address multiple vulnerabilities affecting Drupal 8.9, 9.1, and 9.2. An attacker could exploit some of these vulnerabilities to take control of an affected system.

  • New Go malware Capoae targets WordPress installs, Linux systems [Ed: Charlatans and frauds at ZDNet now try to blame some malware that targets WordPress on "Linux" and on the programming language the malware is written in (Go); this isn't journalism and it's even lower than tabloid level. Part of a trend. Imagine ZDNet blaming Photoshop holes on Windows and on C++ (if some malware is coded in that language).]

  • Democracy Now: NSO Group Spies Secretly Seized Control of Apple Devices by Exploiting Flaw in Code - The Citizen Lab

    Ron Deibert joined Democracy Now to discuss how Citizen Lab research of a zero-click zero-day exploit—used by NSO Group—led Apple to issue a patch to over 1.65 billion products.

  • Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: WSL was always a security joke; it's compromised, totally controlled by Microsoft, and only a fool would call that "Linux"]

  • Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: They've paid to spread this misleading thing which conflates WSL with "Linux"]

  • ACSC Releases Annual Cyber Threat Report

    The Australian Cyber Security Centre (ACSC) has released its annual report on key cyber security threats and trends for the 2020–21 financial year.

    The report lists the exploitation of the pandemic environment, the disruption of essential services and critical infrastructure, ransomware, the rapid exploitation of security vulnerabilities, and the compromise of business email as last year’s most significant threats.

More Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation

Microsoft to Azure Linux users: Patch this problem yourself

  • Microsoft to Azure Linux users: Patch this problem yourself

    Azure Linux administrators, it's time to get patching. In response to the recent OMIGOD vulnerabilities, Microsoft has released an updated version of OMI, but you'll need to upgrade on your own (via BleepingComputer). Here's the full scoop.

    OMIGOD vulnerabilities are named after OMI, an acronym that stands for the Open Management Infrastructure software agent. The OMIGOD vulnerabilities found in OMI have opened the door for RCE (Remote Code Execution) attacks from malicious parties. And if you're an Azure user operating on a Linux setup with a service such as Azure Diagnostics or Azure Automation enabled, that means you have OMI on your Virtual Machine.

More of the WSL FUD


More in Tux Machines

Pumpkins, markets, and one bad Apple

Imagine your local farmers market: every Saturday the whole town comes together to purchase fresh and homemade goods, enjoy the entertainment, and find that there is always something for everyone. Whatever you need, you can find it here, and anyone can sign up to have their own little stand. It is a wonderful place, or so it seems. Now, imagine starting out as a pumpkin farmer, and you want to sell your pumpkins at this market. The market owner asks 30% of every pumpkin that you sell. It's steep, but the market owner -- we'll call him Mr. Apple -- owns all the markets in your area, so you have little choice. Let's continue this analogy and imagine that, since it is a little hard for you to make ends meet, you decide to tell your customers that they can come visit you at your farm to purchase pumpkins. Mr. Apple overhears and shuts your stand down. You explain that your business cannot be profitable this way, but the grumpy market owner says that you can either comply or find another place. At the end of your rope, you look for information about starting your own farmers market, but it seems Mr. Apple owns every building in town.

In the midst of Apple announcing its new products, attention is drawn away from its ongoing battle to maintain its subjugation over users globally. The Netherlands’ Authority for Consumers and Markets (ACM) last month informed the U.S. technology giant of its decision that the rules around the in-app payment system are anticompetitive, making it the first antitrust regulator to conclude that the company has abused market power in the App Store. And while Apple is appealing this verdict, the European Union is charging the company with another antitrust claim concerning the App Store.

today's howtos

  • How To Install PostgreSQL 14 on Ubuntu 20.04 - howtodojo

    In this tutorial, we learn how to install PostgreSQL 14 on Ubuntu 20.04 (Focal Fossa). PostgreSQL, usually called Postgres, is an open-source object-relational database management system (ORDBMS) with an emphasis on extensibility and standards compliance. PostgreSQL is ACID-compliant and transactional. It is developed by the PostgreSQL Global Development Group (PGDG), which consists of many companies and individual contributors. PostgreSQL is released under the terms of the PostgreSQL license.

  • How to Install Minikube on CentOS 8 - Unixcop

    Minikube is open source software for setting up a single-node Kubernetes cluster on your local machine. The software starts up a virtual machine and runs a Kubernetes cluster inside of it, allowing you to test in a Kubernetes environment locally. Minikube is a tool that runs a single-node Kubernetes cluster in a virtual machine on your laptop. In this tutorial we will show you how to install Minikube on CentOS 8.

  • How to Install and Secure Redis on Ubuntu 20.04 | RoseHosting

    Redis (short for Remote Dictionary Server), is an open-source in-memory data structure store. It’s used as a flexible, highly available key-value database that maintains a high level of performance. It helps to reduce time delays and increase the performance of your application by accessing in microseconds.

  • How to Upgrade to Ubuntu 21.10 - OMG! Ubuntu!

    If the glowing reviews for the Ubuntu 21.10 release have you intrigued, here’s how to upgrade to Ubuntu 21.10 from an earlier version. Fair warning: this tutorial is super straightforward (the benefits of upgrading after a stable release, rather than a little bit before). Meaning no, you don’t need to be a Linux guru to get going! There are plenty of good reasons to upgrade from Ubuntu 21.04 to Ubuntu 21.10, such as benefiting from a newer Linux kernel, enjoying a new GNOME desktop, sampling the new Yaru Light theme, and getting to go hands-on with an able assortment of updated apps.

  • How to install Adobe Flash Player on a Chromebook

    Today we are looking at how to install Adobe Flash Player on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.

  • How to install OnlyOffice on Linux Lite 5.4 - Invidious

    In this video, we are looking at how to install OnlyOffice on Linux Lite 5.4. Enjoy!

  • Jenkins: How to add a JDK version - Anto ./ Online

    This guide will show you how to add a JDK version to Jenkins. If you plan to run a Java build requiring a specific version of the Java Development Kit, you need to do this.

  • Sending Emails: Send them from Linux Terminal? | Linux Journal

    Does your job require sending a lot of emails on a daily basis? And you often wonder if or how you can send email messages from the Linux terminal. This article explains about 6 different ways of sending emails using the Linux terminal. Let’s go through them.

Development version: GIMP 2.99.8 Released

GIMP 2.99.8 is our new development version, once again coming with a huge set of improvements. Some early coverage:

  • GIMP 2.99.8 Released with Clone Tool Tweaks, Support for Windows Ink

    A new development version of GIMP is available to download and it carries some interesting new features. While this isn’t a new stable release — GIMP 2.10.28 is the most recent stable release (and the version you’ll find in Ubuntu 21.10’s archives) — the release of GIMP 2.99.8 is yet another brick in the road to the long-fabled GIMP 3.0 release. And it’s a fairly substantial brick, at that.

  • GIMP 2.99.8 Released As Another Step Toward The Long Overdue GIMP 3.0

    GIMP 3.0 as the GTK3 port of this open-source Adobe Photoshop alternative has been talked about for nearly a decade now and the work remains ongoing. However, out today is GIMP 2.99.8 as the newest development snapshot.

Mozilla: Six-Year Moziversary, Thomas Park/Codepip, and Weak Response to Critics of Firefox Spyware

  • Chris H-C: Six-Year Moziversary

    I’ve been working at Mozilla for six years today. Wow. Okay, so what’s happened… I’ve been promoted to Staff Software Engineer. Georg and I’d been working on that before he left, and then, well *gestures at everything*. This means it doesn’t really _feel_ that different to be a Staff instead of a Senior since I’ve been operating at the latter level for over a year now, but it’s nice that the title caught up. Next stop: well, actually, I think Staff’s a good place for now. Firefox On Glean did indeed take my entire 2020 at work, and did complete on time and on budget. Glean is now available to be used in Firefox Desktop.

  • Hacks.Mozilla.Org: Hacks Decoded: Thomas Park, Founder of Codepip

    Thomas Park is a software developer based in the U.S. (Philadelphia, specifically). Previously, he was a teacher and researcher at Drexel University and even worked at Mozilla Foundation for a stint. Now, he’s the founder of Codepip, a platform that offers games that teach players how to code. Park has made a couple games himself: Flexbox Froggy and Grid Garden.

  • Mark Surman: Exploring better data stewardship at Mozilla [Ed: Mozilla fails to admit that spying on Firefox users is wrong; now it's misframing the criticism and responds to a straw man]

    Over the last few years, Mozilla has increasingly turned its attention to the question of ‘how do we build more trustworthy AI?’ Data is at the core of this question. Who has our data? What are they using it for? Do they have my interests in mind, or only their own? Do I trust them? We decided earlier this year that ‘better data stewardship’ should be one of the three big areas of focus for our trustworthy AI work. One part of this focus is supporting the growing field of people working on data trusts, data cooperatives and other efforts to build trust and shift power dynamics around data. In partnership with Luminate and Siegel, we launched the Mozilla Data Futures Lab in March as a way to drive this part of the work.