Security Leftovers

Filed under: Security
  • Security updates for Friday

    Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).

  • Apache Releases Security Advisory for Tomcat | CISA

    The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to cause a denial of service condition.

  • Security Risks of Client-Side Scanning

    Even before Apple made their announcement, law enforcement shifted their battle for back doors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. It’s not a cryptographic back door, but it is still a back door — and brings with it all the insecurities of a back door.

    I’m part of a group of cryptographers that has just published a paper discussing the security risks of such a system. (It’s substantially the same group that wrote a similar paper about key escrow in 1997, and other “exceptional access” proposals in 2015. We seem to have to do this every decade or so.) In our paper, we examine both the efficacy of such a system and its potential security failures, and conclude that it’s a really bad idea.

  • The Open Source Security Foundation receives $10 million in funding - itsfoss.net

    The Linux Foundation has announced a $10 million commitment to the OpenSSF (Open Source Security Foundation), an effort to improve the security of open source software. Funds raised through royalties from parent companies of OpenSSF, including Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware …

Another roundup

  • This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger | Hackaday

    Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

    The original exploit used .%2e/ as the magic payload, which is using URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, and so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration, cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files.
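The double-decoding trick described above, seen from the detection side: an added example (not code from Hackaday or the Apache project) that percent-decodes request paths until they stop changing and flags any that normalise to a traversal, run over constructed access-log lines. The log format, MAX_DECODE_ROUNDS and all function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumed bound so crafted input cannot loop forever


def decode_until_stable(path, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode `path` until it stops changing; return (decoded, rounds).

    rounds > 1 means more than one layer of encoding, which is exactly what
    the .%%32%65/ bypass of the 2.4.50 fix relies on: %%32%65 decodes to
    %2e, which decodes to '.'.
    """
    rounds, current = 0, path
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def is_traversal(path):
    """True if any path segment is a literal '..' after full decoding."""
    decoded, _ = decode_until_stable(path)
    return any(seg == ".." for seg in re.split(r"[\\/]+", decoded))


# Constructed, simplified access-log lines ("METHOD PATH STATUS"), not real traffic.
SAMPLE_LOG = """\
GET /index.html 200
GET /cgi-bin/.%2e/.%2e/.%2e/outside.txt 403
GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/outside.txt 200
GET /docs/%2e%2e%2f%2e%2e%2fhidden 404
GET /images/logo.png 200
"""
LOG_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def flag_suspicious(log_text):
    """One record per line whose path decodes to a traversal, with the
    number of encoding layers it took to reveal it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            decoded, rounds = decode_until_stable(m["path"])
            findings.append({"path": m["path"], "decoded": decoded,
                             "encoding_layers": rounds, "status": m["status"]})
    return findings
```

A single-pass decoder would miss the third log line entirely; the `encoding_layers` field is what separates the 2.4.51-era bypass attempts from ordinary single-encoded requests.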
