
Security Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).

  • Apache Releases Security Advisory for Tomcat | CISA

    The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to cause a denial of service condition.

  • Security Risks of Client-Side Scanning

    Even before Apple made their announcement, law enforcement shifted their battle for back doors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. It’s not a cryptographic back door, but it is still a back door — and brings with it all the insecurities of a back door.

    I’m part of a group of cryptographers that has just published a paper discussing the security risks of such a system. (It’s substantially the same group that wrote a similar paper about key escrow in 1997, and other “exceptional access” proposals in 2015. We seem to have to do this every decade or so.) In our paper, we examine both the efficacy of such a system and its potential security failures, and conclude that it’s a really bad idea.

  • The Open Source Security Foundation receives $10 million in funding - itsfoss.net

    The Linux Foundation has announced a $10 million commitment to the OpenSSF (Open Source Security Foundation), an effort to improve the security of open source software. Funds raised through royalties from parent companies of OpenSSF, including Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware …

Another roundup

  • This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger | Hackaday

    Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

    The original exploit used .%2e/ as the magic payload, which is using URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, and so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration, cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files.
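    The reason the second encoding layer slips past a fix aimed at the first is that a check which percent-decodes once sees ".%2e" as an ordinary literal path segment and never recognises it as "..". The following is an added example, not code from the Hackaday article or from Apache httpd: it models a naive single-decode traversal check next to one that decodes to a fixed point before testing, and runs both over the two payload shapes quoted above. The sample request paths, the "outside.txt" file name and the decode-round limit are all constructed for the example.

```python
"""Single-pass vs. fixed-point percent-decoding in a path-traversal check.

Added, self-contained example (not Apache's or Hackaday's code). The request
paths below are constructed; MAX_DECODE_ROUNDS is an arbitrary example limit.
"""
from urllib.parse import unquote

# Arbitrary cap on nested encoding layers; anything deeper is simply refused.
MAX_DECODE_ROUNDS = 5


def decode_once(raw_path: str) -> str:
    """One percent-decoding pass, as a naive filter would do it.

    '.%2e/' becomes '../', but '.%%32%65/' only becomes '.%2e/' here,
    because '%%' is not a valid escape and is left in place.
    """
    return unquote(raw_path)


def decode_to_fixpoint(raw_path: str) -> str:
    """Percent-decode repeatedly until the string stops changing.

    Each nested encoding layer costs one more round. Raises ValueError if
    MAX_DECODE_ROUNDS is reached without reaching a stable string.
    """
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many percent-encoding layers")


def escapes_root(decoded_path: str) -> bool:
    """True if the decoded path ever climbs above its starting directory.

    Walks the segments with a depth counter; a '..' at depth 0 means the
    request has left the document root. Literal segments such as '.%2e'
    (still encoded) count as ordinary directory names.
    """
    depth = 0
    for segment in decoded_path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def naive_check(raw_path: str) -> bool:
    """Flag traversal after a single decode: catches '.%2e/', misses '.%%32%65/'."""
    return escapes_root(decode_once(raw_path))


def robust_check(raw_path: str) -> bool:
    """Flag traversal after decoding to a fixed point; refuses over-encoded input."""
    try:
        decoded = decode_to_fixpoint(raw_path)
    except ValueError:
        return True  # cannot fully decode: treat as hostile rather than guess
    return escapes_root(decoded)


if __name__ == "__main__":
    # Constructed sample request paths (not from a real server log).
    samples = [
        "/icons/logo.png",                                  # benign
        "/cgi-bin/.%2e/.%2e/outside.txt",                   # first payload shape
        "/cgi-bin/.%%32%65/.%%32%65/outside.txt",           # double-encoded shape
    ]
    for sample in samples:
        print(f"{sample:45} naive={naive_check(sample)!s:5} robust={robust_check(sample)}")
```

    Running the block prints one line per sample; the double-encoded path is the only one where the two checks disagree, which is exactly the gap the 2.4.50 fix left open. Decoding before normalising, and decoding until the input stops changing (or rejecting it when it will not), is the general defence; the same pattern applies to any filter that inspects decoded URL paths, not only to httpd.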
