
Security

Security Patches and Bugs

Filed under
Security
  • Security updates for Wednesday [LWN.net]

    Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa).

  • Now-fixed Linux kernel vulnerabilities enabled local privilege escalation (CVE-2021-26708)

    The vulnerabilities could be exploited for local privilege escalation, as confirmed in experiments on Fedora 33 Server. The vulnerabilities, known together as CVE-2021-26708, have received a CVSS v3 base score of 7.0 (high severity).

    These vulnerabilities result from race conditions that were implicitly added with virtual socket multi-transport support. They appeared in Linux kernel version 5.5 in November 2019. The vulnerable kernel drivers (CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS) are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are automatically loaded when an AF_VSOCK socket is created. This ability is available to unprivileged users.

  • Researchers discover and patch Linux kernel vulnerabilities | 2021-03-03

Microsoft Security Issues and Blame-Shifting

Filed under
Microsoft
Security

Proprietary Software and Security

Filed under
Security
  • Four zero-day exploits used to attack Microsoft Exchange Server

    It said the four vulnerabilities being exploited — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — had all been patched on Tuesday US time. The announcement and fixes came a week ahead of the company's regular monthly updates.

  • Last Week on My Mac: Users are losing out against Big Sur’s sealed System

    Big Sur’s sealed System volume seemed like a good idea. Although the read-only version in Catalina may look impregnable, guaranteeing integrity using a Merkle Tree of hashes, then locking the whole lot in a snapshot, looks even more robust. Like other good engineering ideas, though, it also needs thinking through thoroughly.

  • How long before grid attacks become the new normal?

    In the news roundup, David Kris digs into rumors that Chinese malware attacks may have caused a blackout in India at a time when military conflict was flaring on the two nations' Himalayan border. This leads us to Russia's targeting of the U.S. grid and to uneasy speculation on how well our regulatory regime is adapted to preventing successful grid attacks.

  • Biggest Data Breaches of 2020 – and What Developers Should Learn From Them

    2020 was not a good year for hacks, data breaches, and other cyber-attacks. As far as those things go, it was among the worst years on record.

    Businesses far and wide experienced some of the most damaging and embarrassing hacks imaginable last year. And some of the incidents led to serious security failures that could end up having grave international implications.

    But despite all of the problems, some of 2020's hacks can yield valuable lessons for programmers and software engineers to help them to harden their products against future attacks.

  • SQL Injection Tutorial - What is SQL Injection and How to Prevent it

    SQL injection is when you insert or inject a SQL query via input data from the client to the application.

    Successful attacks allow an attacker to access sensitive data from the database, modify database data, potentially shut the database down or issue other admin commands, recover the contents of files, and occasionally issue commands to the operating system.

    This type of attack is relatively easy to detect and exploit, so it's particularly important that any vulnerable systems are quickly remediated.

Security: GRUB, Thycotic, and 'Spectre'

Filed under
Security
  • Ubuntu Blog: GRUB2 Secure Boot Bypass 2021

    In August 2020, a set of security vulnerabilities in GRUB2 (the GRand Unified Bootloader version 2) collectively known as BootHole were disclosed. Today, another set of vulnerabilities in GRUB2 were disclosed, with similar implications. Because GRUB2 is a key component of the boot process, vulnerabilities in it can permit attackers to violate the integrity promises of UEFI Secure Boot. In this blog post we will discuss these vulnerabilities as well as the changes that have been made to Ubuntu to both mitigate them, and to make the update process easier for any future similar scenarios.

    As discussed back in August 2020, the UEFI Secure Boot process in Ubuntu is supported by a number of different components, all working together to ensure that only trusted bootloaders and operating systems are able to run. These consist of the UEFI platform firmware (aka UEFI BIOS), shim, the GRUB2 bootloader and the Linux kernel. The latter 3 of these are Ubuntu components, while the former is provided by the device OEM. In this case, both shim and GRUB2 have received (or will soon receive) updates to mitigate these vulnerabilities and to help ensure older vulnerable versions of GRUB2 are not trusted by the secure boot process and cannot be used to load malicious code.

    [...]

    To ensure a unified approach, the version of GRUB2 for UEFI systems used in older Ubuntu releases is updated so that a single GRUB2 version can be used for all – this ensures that both the latest security fixes and mitigation features can be more easily adopted in these older releases. As this has the potential to cause issues in what is a fundamental component of the boot process (due to the large number of changes in both GRUB2 itself as well as the way this is distributed in Ubuntu), this update will be carefully rolled out via the Updates pocket of the Ubuntu package archive.

    Because Secure Boot does not apply to BIOS based boot environments, we will not be publishing updates for GRUB2 on those systems.

  • Multiple New Security Issues Hit GRUB Bootloader Around Secure Boot

    A new set of GRUB2 security vulnerabilities was made public today affecting its UEFI Secure Boot support. A set of eight CVEs were issued in 2020 and this year for the new issues. The issues include the possibility of specially crafted ACPI tables being loaded even if Secure Boot is active, memory corruption in GRUB's menu rendering, use-after-free in rmmod functionality, the cutmem command allowing privileged users to disable certain memory regions and in turn Secure Boot protections, arbitrary code execution even if Secure Boot is enabled, GRUB 2.05 accidentally re-introducing one of last year's vulnerabilities, and memory corruption from crafted USB device descriptors that could lead to arbitrary code execution.

  • Thycotic Announces Endpoint Privilege Management Solution for Unix/Linux

    Thycotic, provider of privileged access management (PAM) solutions for more than 12,500 organizations worldwide, including 25 of the Fortune 100, announced new privilege management capabilities for workstations running Unix and Linux. The latest release of Thycotic’s Privilege Manager solution includes a Sudo plugin that saves Unix/Linux administrators time, while still providing granular control over privileged activities.

    According to the Verizon 2020 Data Breach Investigations Report, eighty percent of breaches involve compromised credentials, making them one of the most common entry points for threats. Unix and Linux endpoints are typically the most valuable targets because they rely on “root” accounts, which provide unrestricted access to all commands, files, directories, and resources.

  • Spectre returns as exploits for Windows and Linux devices found

    Remember Spectre, the infamous vulnerability that had all major chip manufacturers scrambling for a fix? Three years after its initial emergence, two new working exploits have been identified.

    According to a report from Bleeping Computer, security researcher Julien Voisin has discovered a pair of exploits targeting unpatched Linux and Windows systems on the VirusTotal platform. VirusTotal gathers all antivirus scans in one place and checks for potential malware missed by different solutions, and these exploits were uploaded a month ago.

IPFire 2.25 - Core Update 154 released

Filed under
GNU
Linux
Security

The first update of the year will be an enormous one. We have been working hard in the lab to update the underlying operating system to harden and improve IPFire and we have added WPA3 client support and made DNS faster and more resilient against broken Internet connections.

This is probably the release with the largest number of package updates. This is necessary for us to keep the system modern and adopt any fixes from upstream projects. Thank you to everyone who has contributed by sending in patches.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support.

Security Leftovers

Filed under
Security
  • Is Your Browser Extension a Botnet Backdoor?

    A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.

  • Security updates for Tuesday [LWN.net]

    Security updates have been issued by Arch Linux (bind, intel-ucode, ipmitool, isync, openssl, python, python-cryptography, python-httplib2, salt, tar, and thrift), Fedora (ansible, salt, webkit2gtk3, and wpa_supplicant), Oracle (bind), Red Hat (bind, kernel, and kpatch-patch), Scientific Linux (bind), SUSE (firefox, gnome-autoar, java-1_8_0-ibm, java-1_8_0-openjdk, nodejs10, open-iscsi, perl-XML-Twig, python-cryptography, and thunderbird), and Ubuntu (bind9).

  • Malicious NPM packages target Amazon, Slack with new dependency attacks [Ed: Microsoft delivering malware again, but the media (actually a Microsoft propaganda site in this case) does not mention Microsoft (similar to this)]

    Last month, BleepingComputer reported that security researcher Alex Birsan earned bug bounties from 35 companies by utilizing a new flaw in open-source development tools.

  • Working Spectre exploits for Windows and Linux devices uncovered

    A security researcher has discovered several working Spectre exploits that were uploaded to the VirusTotal database last month. Spectre and Meltdown are two extremely severe hardware vulnerabilities that affect Intel, IBM POWER, and some ARM-based processors.

    While Intel has since implemented hardware mitigations for the vulnerability in newer processors, older ones have to rely on software fixes that come with a performance penalty, which prevents its blanket use. This means that there’s still a large number of systems that are vulnerable to the recently discovered exploits by security researcher Julien Voisin.

KDE Plasma 5.21.2, Bugfix Release for March

Filed under
KDE
Security

Plasma 5.21 was released in February with many feature refinements and new modules to complete the desktop experience.

This release adds a week's worth of new translations and fixes from KDE's contributors. The bugfixes are typically small but important and include...


Best Secure Linux Distros for Enhanced Privacy & Security

Filed under
GNU
Linux
Security

As we transition to an increasingly digital society, privacy and security have become areas of central concern – not a day goes by that we aren’t bombarded with security news headlines about hacks, breaches and the increasingly common and worrisome practice of storing and monitoring sensitive personal information, often without users’ consent.

Luckily for us Linux users, the general consensus among experts is that Linux is a highly secure OS - arguably the most secure OS. While all Linux “distros” - or distributed versions of Linux software - are secure by design, certain distros go above and beyond when it comes to protecting users’ privacy and security. We’ve put together a list of our favorite specialized secure Linux distros and spoken with some of their lead developers to find out first-hand what makes these distros so great. This article aims to help you evaluate your options and select the distro that best meets your individual needs.


Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint).

  • KDE neon Blog: Offline Updates are Coming

    For a very long time we’ve been paving the road for offline updates. We are excited to finally introduce the first step to the KDE neon Unstable Edition today and would love to hear your opinion in the forum.

    Unlike regular updates, offline updates are not applied immediately but are only downloaded and marked for installation on the next system restart. This has the tremendous advantage that you no longer need to interrupt whatever you are doing to update the system. They also prevent the system from entering a curious state of inconsistency resulting in an increased chance of bugs and crashes just after updating. Previously you might have been angrily looked at by Firefox, had Dolphin crash on you, or even got locked out of the session because the lockscreen jumped off a cliff after you applied an update. The reason for this is that most complex pieces of software really do not fare well if essential files change out from under them. Offline updates solve this problem by simply moving the installation stage to a time when the system is in a less vulnerable state.

  • Working Linux exploit for Spectre flaw found by French researcher

    A French researcher claims to have found a working exploit for the Spectre vulnerability on Linux systems on the VirusTotal database, the first such exploit to come to light since the flaw was made public by Intel back in 2018.

    Julien Voisin said in a short post on Monday that a Windows exploit had also been uploaded, adding that he had not looked at it closely.

Security: Reproducible Builds, VPNs, COMB and More

Filed under
Security
  • Chris Lamb: Free software activities in February 2021

    The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during the compilation process by promising that identical results are always generated from a given source, therefore allowing multiple third-parties to come to a consensus on whether a build was compromised.

    [...]

    I also made the following changes to diffoscope, including preparing and uploading versions 167 and 168 to Debian...

  • Here's why VPN services are turning to WireGuard

    When it comes to VPN services, everyone has their individual preferences, and the same is true of the protocols used to encrypt them.

    OpenVPN and IPsec encryption protocols have long ruled the roost, but up-and-coming protocol WireGuard is proving that high levels of encryption can be had for less overhead.

    We caught up with Daniel Sagi, COO at Kape Technologies, parent company of Private Internet Access, to find out about the value WireGuard can deliver and the company's approach to protocols going forward.

  • COMB: largest breach of all time leaked online with 3.2 billion records

    It’s being called the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of Many Breaches, contains more than 3.2 billion unique pairs of cleartext emails and passwords. While many data breaches and leaks have plagued the internet in the past, this one is exceptional in the sheer size of it. To wit, the entire population of the planet is at roughly 7.8 billion, and this is about 40% of that.

    However, when considering that only about 4.7 billion people are online, COMB would include the data of nearly 70% of global internet users (if each record was a unique person). For that reason, users are recommended to immediately check if their data was included in the leak. You can head over to the CyberNews personal data leak checker now.

  • Create Your Own Certificate Authority (CA) for Homelab Environment

    I use my own Root CA to manage certificates in the homelab environment.


More in Tux Machines

LWN on Kernel: 5.12 Merge, Lockless Algorithms, and copy_file_range()

  • 5.12 Merge window, part 1 [LWN.net]

    The beginning of the 5.12 merge window was delayed as the result of severe weather in the US Pacific Northwest. Once Linus Torvalds got going, though, he wasted little time; as of this writing, just over 8,600 non-merge changesets have been pulled into the mainline repository for the 5.12 release — over a period of about two days. As one might imagine, that work contains a long list of significant changes.

  • An introduction to lockless algorithms [LWN.net]

    Low-level knowledge of the memory model is universally recognized as advanced material that can scare even the most seasoned kernel hackers; our editor wrote (in the July article) that "it takes a special kind of mind to really understand the memory model". It's been said that the Linux kernel memory model (and in particular Documentation/memory-barriers.txt) can be used to frighten small children, and the same is probably true of just the words "acquire" and "release". At the same time, mechanisms like RCU and seqlocks are in such widespread use in the kernel that almost every developer will sooner or later encounter fundamentally lockless programming interfaces. For this reason, it is a good idea to equip yourself with at least a basic understanding of lockless primitives. Throughout this series I will describe what acquire and release semantics are really about, and present five relatively simple patterns that alone can cover most uses of the primitives.

  • How useful should copy_file_range() be? [LWN.net]

    Its job is to copy len bytes of data from the file represented by fd_in to fd_out, observing the requested offsets at both ends. The flags argument must be zero. This call first appeared in the 4.5 release. Over time it turned out to have a number of unpleasant bugs, leading to a long series of fixes and some significant grumbling along the way. In 2019 Amir Goldstein fixed more issues and, in the process, removed a significant limitation: until then, copy_file_range() refused to copy between files that were not located on the same filesystem. After this patch was merged (for 5.3), it could copy between any two files, falling back on splice() for the cross-filesystem case. It appeared that copy_file_range() was finally settling into a solid and useful system call. Indeed, it seemed useful enough that the Go developers decided to use it for the io.Copy() function in their standard library. Then they ran into a problem: copy_file_range() will, when given a kernel-generated file as input, copy zero bytes of data and claim success. These files, which include files in /proc, tracefs, and a large range of other virtual filesystems, generally indicate a length of zero when queried with a system call like stat(). copy_file_range(), seeing that zero length, concludes that there is no data to copy and the job is already done; it then returns success. But there is actually data to be read from this kind of file, it just doesn't show in the advertised length of the file; the real length often cannot be known before the file is actually read. Before 5.3, the prohibition on cross-filesystem copies would have caused most such attempts to return an error code; afterward, they fail but appear to work. The kernel is happy, but some users can be surprisingly stubborn about actually wanting to copy the data they asked to be copied; they were rather less happy.

Banana Pi BPI-M2 Pro is a compact Amlogic S905X3 SBC

Banana Pi has already designed an Amlogic S905X3 SBC with Banana Pi BPI-M5 that closely follows the Raspberry Pi 3 Model B form factor, but they’ve now unveiled a more compact model with Banana Pi BPI-M2 Pro that follows the design of the company’s earlier BPI-MP2+ SBC powered by the good old Allwinner H3 processor. BPI-M2 Pro comes with 2GB RAM, 16GB eMMC storage, HDMI video output, Gigabit Ethernet, Wifi & Bluetooth connectivity, as well as two USB 3.0 ports.

Chrome 89 vs. Firefox 86 Performance Benchmarks On AMD Ryzen + Ubuntu Linux

Given this week's launch of Chrome 89 and the recent Firefox 86 debut, here are some quick benchmarks for those curious about the current performance when using Ubuntu Linux with an AMD Ryzen 9 5900X and Radeon graphics. Curious about the latest standing of the newest Firefox and Chrome releases on Linux, here are some quick benchmarks carried out on one of the systems locally. A larger comparison will come soon while this is just a quick one-page article for those eager to see some new browser numbers for AMD on Linux. The Ryzen 9 5900X was at stock speeds - the reported CPU frequency is due to a kernel bug working its way to 5.11/5.10 stable still.

today's howtos

  • How to install Budgie desktop on Manjaro

    Budgie is an elegant and simplified desktop environment that integrates very well with Manjaro. Budgie is developed and maintained by the Solus team. This article will delve into the details of everything you need to know while installing the Budgie Desktop on Manjaro.

  • How To Update Fedora Linux using terminal to apply updates - nixCraft

    I recently switched from Windows server to Fedora 32/33 server running in the cloud. How do I apply software updates and patches on Fedora 32/33 server using the terminal application? Fedora Linux uses the dnf command. It is the next upcoming major version of the yum command. Yum is a package manager for RPM-based Linux distributions such as CentOS/RHEL 7.x and older versions of Fedora Linux. You need to use the dnf command to update Fedora Linux using the terminal for the latest software patches. This page explains how to update Fedora Linux using the terminal.

  • How to Turn Off Automatic Brightness on Ubuntu Linux

    Some new laptops come with a built-in integrated light sensor. Operating systems use this sensor to measure the ambient light conditions and change the screen brightness automatically. This helps in reducing eye strain. You can see that this is a useful feature. But not everyone might like it all the time. For example, while watching Netflix on Linux at night, it reduces the screen brightness to the lowest for me. This makes the movie scene quite dull. This is one of the many cases when you probably would not want automatic brightness. Turning off automatic brightness on Ubuntu is quite simple. I’ll show that to you in this quick article. This tutorial is valid for the GNOME desktop environment. The command line method should work for the MATE desktop as well. If you are not certain, check which desktop environment you are using.

  • MultiCD - A Shell Script to Combine Multiple Bootable ISO's into One CD

    If you’ve ever used a multiboot CD that contains different utilities or bootable ISOs, then creating one for yourself would be amazing. In this article, we shall take a look at MultiCD.sh, a shell script that is designed to help you build a multiboot CD image that can contain different, small Linux distros and/or utilities. There are many advantages of using this script, and they include, among others: no need for different CDs for small Linux distributions or utilities; you can simply use ISO images that you already have without downloading them again; and in case of new versions, simply download them, run the script again and build a new multiboot image.

  • Linux Sponge - Soak Up Standard Input and Write to a File - Putorius

    The sponge command is part of the moreutils package. It is a utility that provides a function that is so simple it’s genius. Its basic use is to soak up (get it? sponge...) standard input and write it to a file. The terminology “soak up” is more important than just creating a fun play on words. In this short tutorial we show you the sponge command's basic usage and why the term “soak up” is important.