Language Selection

English French German Italian Portuguese Spanish

Security: Patches, CVSS, DANE OPENPGPKEY for debian.org, and Windows Voting Machines

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (redis), Fedora (expat), Mageia (dosbox, irssi, microcode, and postgresql11), Red Hat (bind, dbus, openstack-ironic-inspector, openstack-tripleo-common, python-novajoin, and qemu-kvm-rhev), Scientific Linux (kernel), SUSE (kernel-firmware, libdlm, libqb, and libqb), and Ubuntu (apport).

  • Why CVSS does not equal risk: How to think about risk in your environment

    I’m going to come right out and say it: CVSS does NOT equal Risk (CVSS!=Risk). Anyone who thinks otherwise is mistaken and setting themselves up for more work, pain, and stress than they realistically should have to go through. A risk is a potential for loss or damage if a threat exploits a vulnerability (which is a weakness in hardware or software). We’ll talk more about all that momentarily.

    Common Vulnerability Scoring System (CVSS) is a toolset and methodology used by many of us in the industry (hardware/software manufacturers, maintainers, etc.) and security researchers to describe the relative severity of security vulnerabilities in a consistent, quantitative way. This data being represented results in a score ranging from lowest 0, to the highest of 10.

    Recently the FIRST CVSS SIG updated the released version 3.1 of the framework which is the point of reference for this post. I'd strongly encourage anyone that uses the framework, or is impacted by security flaws (typically documented with a Common Vulnerabilities and Exposures (CVE) entry) to read the updated procedures and guidance.

  • DANE OPENPGPKEY for debian.org

    I recently announced the publication of Web Key Directory for @debian.org e-mail addresses. This blog post announces another way to fetch OpenPGP certificates for @debian.org e-mail addresses, this time using only the DNS. These two mechanisms are complementary, not in competition. We want to make sure that whatever certificate lookup scheme your OpenPGP client supports, you will be able to find the appropriate certificate.

    The additional mechanism we're now supporting (since a few days ago) is DANE OPENPGPKEY, specified in RFC 7929.

  • Voting Machine Makers Claim The Names Of The Entities That Own Them Are Trade Secrets

    This seems like very basic information -- information the Board should know and should be able to pass on to the general public. After all, these are the makers of devices used by the public while electing their representatives. They should know who's running these companies and who their majority stakeholders are. If something goes wrong (and something always does), they should know who's ultimately responsible for the latest debacle.

    It's not like the state was asking the manufacturers to cough up code and machine schematics. All it wanted to know is the people behind the company nameplates. But the responses the board received indicate voting system manufacturers believe releasing any info about their companies' compositions will somehow compromise their market advantage.

    Hart Intercivic said letting the public know that the company is owned by H.I.G. Hart, LLC and Gregg L. Burt is a fact that would devalue the company if it were made public.

More in Tux Machines

BlueStar Linux 5.2.1

Today we are looking at BlueStar Linux 5.2.1. This release of BlueStar is an Arch rolling distro and comes with Linux Kernel 5.2.1 and KDE Plasma 5.16.3 and uses about 700MB of ram when idling. Bluestar Linux is a beautiful Arch/KDE distro that works great out of the box and is receiving a lot of love from their very active developer. Read more Direct/video: BlueStar Linux 5.2.1 Run Through

GNU Parallel 20190722 ('Ryugu') released

GNU Parallel 20190722 ('Ryugu') has been released. It is available for download at: http://ftpmirror.gnu.org/parallel/ GNU Parallel is 10 years old next year on 2020-04-22. You are here by invited to a reception on Friday 2020-04-17. Read more

today's howtos

Audiocasts/Shows: This Week in Linux, Command Line Heroes, DevNation Live Introducing Kogito and Python Podcast

  • Episode 75 | This Week in Linux

    On this episode of This Week in Linux, we’ve got a lot of Distro News with the first stable release of EndeavourOS, and we’ve also got new releases from Proxmox, deepin and FerenOS. Dropbox has decided to revert their weird decision of blocking various Linux Filesystems so we’ll talk about that. We’ve got some App News with KDE Connect now being available for macOS and a new release for the Foliate, ebook reader. Later in the show, we’ll cover some Linux Security news regarding a recently found piece of malware targeting the Linux Desktop. Then we’ll round out the show with some Linux Gaming news from Epic Games, Valve, Google Stadia and a new Humble Bundle. All that and much more on Your Weekly Source for Linux GNews!

  • JavaScript's surprising rise from the ashes of the browser wars on Command Line Heroes

    The third season of the Command Line Heroes podcast continues its look at the history of the programming languages we depend on every day. Episode 3, released today, investigates the origin of JavaScript. Here's the unlikely story of how it happened.

  • DevNation Live: Introducing Kogito

    DevNation Live tech talks are hosted by the Red Hat technologists who create our products. These sessions include real solutions and code and sample projects to help you get started. In this talk, you’ll learn about Quarkus, Kogito, and GraalVM from Red Hat’s Mario Fusco, Principal Software Engineer, and Burr Sutter, Chief Developer Evangelist. These days rule engines are often overlooked, possibly because people think that they are only useful inside heavyweight enterprise software products. However, this is not necessarily true. Simply put, a rule engine is just a piece of software that allows you to separate domain and business-specific constraints from the main application flow. Drools is the rule engine of Red Hat, and our goal is to make it ready to be used in serverless environments.

  • Protecting The Future Of Python By Hunting Black Swans

    The Python language has seen exponential growth in popularity and usage over the past decade. This has been driven by industry trends such as the rise of data science and the continued growth of complex web applications. It is easy to think that there is no threat to the continued health of Python, its ecosystem, and its community, but there are always outside factors that may pose a threat in the long term. In this episode Russell Keith-Magee reprises his keynote from PyCon US in 2019 and shares his thoughts on potential black swan events and what we can do as engineers and as a community to guard against them.