
Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (lrzip and puma), Fedora (plantuml and plib), Oracle (kernel and kernel-container), Red Hat (firefox, kernel, kpatch-patch, subversion:1.14, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (kernel-firmware, libxml2, pcre2, and postgresql13), and Ubuntu (accountsservice, postgresql-10, postgresql-12, postgresql-13, postgresql-14, and rsyslog).

  • The Linux Foundation's "security mobilization plan" [Ed: Making up numbers for a FUD campaign led by proprietary software companies that make back doors for the NSA]

    The Linux Foundation has posted an "Open Source Software Security Mobilization Plan" that aims to address a number of perceived security problems with the expenditure of nearly $140 million over two years.

  • Our build and release infrastructure, and upcoming updates | F-Droid - Free and Open Source Android App Repository

    Behind the scenes of F-Droid is a giant pile of automation to manage the process of building thousands of apps from source. This means checking out thousands of source repos, checking them all for updates, building new releases, and securely signing them en masse. All builds are run in a fresh virtual machine guest instance known as the buildserver. All Gradle binaries and Android SDK packages are verified against our public logs of observed SHA-256 checksums. The transparency log processes also verify against upstream’s public checksums.

    Our setup runs on Debian almost exclusively. Debian is a leader in free software, rock solid servers, and reproducible builds. That makes it a natural home for F-Droid. We also work to ensure we maintain the packages we use, and build our processes on top of Debian packages. That means we share the maintenance with anything that uses Debian. It may seem like more work to give back, but our experience is that it pays off in the long run. The F-Droid community is able to maintain many things with a small team. Another example of this is this website itself: it is built using Jekyll packages that are all in Debian.

  • F-Droid: Our build and release infrastructure, and upcoming updates

    Here's an update from F-Droid regarding upcoming changes to its build and distribution infrastructure.

  • Tails 5.0 Linux users warned against using it "for sensitive information" [Ed: Microsoft-connected site shedding doubt on "Linux"]

    Tails developers have warned users to stop using the portable Debian-based Linux distro until the next release if they're entering or accessing sensitive information using the bundled Tor Browser application.

  • CISA Adds 34 Known Exploited Vulnerabilities to Catalog [Ed: Lots and lots of Microsoft. Actively exploited.]

    CISA has added 34 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates.

  • Google Releases Security Updates for Chrome

    Google has released Chrome version 102.0.5005.61 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

  • Stable Channel Update for Desktop

  • Google has been DDoSing SourceHut for over a year

    Just now, I took a look at the HTTP logs on git.sr.ht. Of the past 100,000 HTTP requests received by git.sr.ht (representing about 2½ hours of logs), 4,774 have been requested by GoModuleProxy — 5% of all traffic. And their requests are not cheap: every one is a complete git clone. They come in bursts, so every few minutes we get a big spike from Go, along with a constant murmur of Go traffic.

    This has been ongoing since around the release of Go 1.16, which came with some changes to how Go uses modules. Since this release, following a gradual ramp-up in traffic as the release was rolled out to users, git.sr.ht has had a constant floor of I/O and network load for which the majority can be attributed to Go.

    I started to suspect that something strange was going on when our I/O alarms started going off in February 2021 (we eventually had to tune these alarms up above the floor of I/O noise generated by Go), correlated with lots of activity from a Go user agent. I was able to narrow it down with some effort, but to the credit of the Go team they did change their User-Agent to make more apparent what was going on. Ultimately, this proved to be the end of the Go team’s helpfulness in this matter.

More FUD

  • New ‘Cheers’ Linux ransomware targets VMware ESXi servers [Ed: Well, ransomware is mostly a Windows issue and VMware is proprietary software, but then again, this is a Microsoft-connected site looking to alter or distort perceptions]

    A new ransomware named ‘Cheers’ has appeared in the cybercrime space and has started its operations by targeting vulnerable VMware ESXi servers.

    VMware ESXi is a virtualization platform commonly used by large organizations worldwide, so encrypting them typically causes severe disruption to a business’ operations.

Microsoft Windows TCO

  • Malware-Infested Smart Card Reader [Ed: Microsoft Windows TCO]

    Brian Krebs has an interesting story of a smart ID card reader with a malware-infested Windows driver, and US government employees who inadvertently buy and use them.

today's leftovers

  • Sparky news 2022/06 – SparkyLinux

    The 6th monthly Sparky project and donate report of 2022:

    – Linux kernel updated up to 5.18.8 & 5.15.51 LTS
    – Added to repos: NotepadNext text editor, WineZGUI a Zenity based simple GUI for Wine
    – Created a new community on Mastodon
    – APTus installs the virtualbox-6.1 Oracle deb, instead of Debian Sid debs, on Sparky 7 now; it causes fewer problems with dependencies and building the vbox module
    – Added Sparky Linux kernel LTS to repos (amd64 only)
    – Removed Sparky Linux kernel RC from repos
    – Removed Sparky Linux kernel 686pae Latest from repos

    It means no more Sparky 686pae in Sparky repos, but a new LTS kernel has been added to the repos; Sparky’s Latest and LTS kernels can now be installed on amd64 machines only. There are 2 reasons to make such changes:

    1. The 32-bit architecture is not very popular, so the default Debian kernel is perfect to keep your 32-bit machine running; anyway, Xanmod still provides an i686 kernel, which can be installed via APTus AppCenter;
    2. The LTS kernel (now 5.15) is a good choice if your machine requires a newer kernel than 5.10 but older than 5.18 (via backboard) on Sparky Stable 6; it is also a good choice on the testing line of Sparky 7, if you cannot compile some external modules on the latest kernel (now 5.18).

  • Ben Hutchings: Debian LTS work, June 2022

    In June I was not assigned additional hours of work by Freexian's Debian LTS initiative, but carried over 16 hours from May and worked all of those hours. I spent some time triaging security issues for Linux. I tested several security fixes for Linux 4.9 and 4.19 and submitted them for inclusion in the upstream stable branches.

  • Fedora Community Blog: Friday’s Fedora Facts: 2022-26

    Here’s your weekly Fedora report. Read what happened this week and what’s coming up. Your contributions are welcome (see the end of the post)!

  • Building a Secure Software Supply Chain with GNU Guix

    This paper focuses on one research question: how can Guix and similar systems allow users to securely update their software? Guix source code is distributed using the Git version control system; updating Guix-installed software packages means, first, updating the local copy of the Guix source code. Prior work on secure software updates focuses on systems very different from Guix—systems such as Debian, Fedora, or PyPI where updating consists of fetching metadata about the latest binary artifacts available—and is largely inapplicable in the context of Guix. By contrast, the main threats for Guix are attacks on its source code repository, which could lead users to run inauthentic code or to downgrade their system. Deployment tools that more closely resemble Guix, from Nix to Portage, either lack secure update mechanisms or suffer from shortcomings.

    Our main contribution is a model and tool to authenticate new Git revisions. We further show how, building on Git semantics, we build protections against downgrade attacks and related threats. We explain implementation choices. This work was deployed in production two years ago, giving us insight into its actual use at scale every day. The Git checkout authentication at its core is applicable beyond the specific use case of Guix, and we think it could benefit developer teams that use Git.

  • 10 Free Microsoft SharePoint Alternatives - Make Tech Easier

    Microsoft SharePoint may be a powerhouse when it comes to project management and collaboration, but the best SharePoint alternatives prove Microsoft is far from the only option. From individuals to large businesses, productivity, collaboration, and project management apps are a must. SharePoint gives you all of this in one convenient platform, but it gets expensive quickly. Free SharePoint alternatives are ideal for saving money without sacrificing features.

  • U-M campuses first in nation to offer new Wi-Fi technology

    The new Wi-Fi 6E network enables download speeds of 500-600 megabits per second even in high-density areas. This is up to three to five times faster than the prior network — enough bandwidth for attendees in the largest lecture halls and auditoriums to simultaneously stream high-definition video.

Open Hardware/Modding, Mostly Raspberry Pi

  • Hackaday Prize 2022: MasterPi Is A Capable Robot With Fancy Wheels

    When it comes to building a mobile robot, often maneuverability is more important than outright speed. The MasterPi robot demonstrates this well, using fancy wheels to help it slide and skate in any direction needed.

  • Hackaday Podcast 175: Moonrocks And Cockroach Chyme, A Raspberry Pi IPad, And A Retro-Respectful Tape Deck

    Join Editor-in-Chief Elliot Williams and Assignments Editor Kristina Panos as we cuss and discuss all the gnarliest hacks from the past week. We kick off this episode with a gentle reminder that the Odd Inputs and Peculiar Peripherals Contest ends this Monday, July 4th, at 8:30 AM PDT. We’ve seen a ton of cool entries so far, including a new version of [Peter Lyons]’ Squeezebox keyboard that we’re itching to write up for the blog.

  • i.MX8M Mini powers Pico-ITX board and supports Yocto-based Linux distributions

    The eDM-SBC-iMX8Mm is a Single Board Computer (SBC) which comes in a small Pico-ITX form factor and it’s powered by NXP’s i.MX8M Mini System on Chip (SoC). This compact device was designed to run 24/7 to suit applications such as kiosks, digital signage displays, smart home appliances etc.

    DATA MODUL has designed this SBC to be coupled with NXP’s i.MX8M Mini Dual Cortex-A53 (up to 1800 MHz) or its Quad-core version. Both CPU models integrate a GCNanoUltra GPU with a 2D/3D accelerator and they include up to 512 KB of L2 cache memory.

  • Meet the engineers behind Raspberry Pi Pico W

    Removing the GPIO pins around the antenna was tempting because it would free up space: “Antennas like space,” explains Dominic while showing us the trapezoidal-shaped feature. “And getting rid of the bottom GPIO pins would have made it easier to connect the wireless chip,” but it would have been a huge change for current users. “I didn’t want to lose any of the peripheral GPIO pins to the end-user,” says Dominic. People can add Pico W to an existing project without having to change anything and gain instant access to wireless technology.