All posts by jake

Bash 4.4 and Readline 7.0 released

Post Syndicated from jake original http://lwn.net/Articles/700982/rss

The GNU Bourne Again SHell (Bash) project has released version 4.4 of the tool. It comes with a large number of bug fixes as well as new features: “The most notable new features are mapfile’s ability to use an arbitrary record delimiter; a --help option available for nearly all builtins; a new family of ${parameter@spec} expansions that transform the value of `parameter’; the `local’ builtin’s ability to save and restore the state of the single-letter shell option flags around function calls; a new EXECIGNORE variable, which adds the ability to specify names that should be ignored when searching for commands; and the beginning of an SDK for loadable builtins, which consists of a set of headers and a Makefile fragment that can be included in projects wishing to build their own loadable builtins, augmented by support for a BASH_LOADABLES_PATH variable that defines a search path for builtins loaded with `enable -f’. The existing loadable builtin examples are now installed by default with `make install’.” In addition, the related Readline command-line editing library project has released Readline 7.0.
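As an added illustration (not code from the Bash release announcement), the script below exercises three of the features named above: ${parameter@Q} to re-quote an untrusted string safely before it is logged or embedded in a generated command, mapfile -d '' to read NUL-delimited records so that a filename containing a newline is not split into two, and local - to keep a function's set +e from leaking into its caller. It requires bash 4.4 or later; all inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example exercising Bash 4.4 features; needs bash >= 4.4.

# ${parameter@Q} re-quotes a value so that the shell would read it back as
# exactly the same string. A newline becomes $'...' (ANSI-C quoting), so an
# attacker-controlled value cannot break out of a log line or a generated
# command the way a raw "$value" could.
quote_for_shell() {
    local value=$1
    printf '%s' "${value@Q}"
}

# mapfile -d '' reads NUL-delimited records (the format produced by
# find -print0) from stdin into an array; -t strips the delimiter.
# Filenames with embedded newlines or spaces stay intact as one element.
count_nul_records() {
    local -a records
    mapfile -d '' -t records
    printf '%d' "${#records[@]}"
}

# local - saves the single-letter option flags (-e, -x, ...) on entry and
# restores them on return, so the function can relax errexit internally
# without changing the caller's settings.
with_errexit_off() {
    local -
    set +e
    false            # would abort the caller if -e were still in effect
    return 0
}
```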

Friday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/700964/rss

CentOS has updated libarchive (C7; C6: multiple vulnerabilities,
some from 2015).

Debian has updated tomcat7
(privilege escalation) and tomcat8 (privilege escalation).

Debian-LTS has updated mysql-5.5 (privilege escalation).

Fedora has updated curl (F24:
code execution).

Mageia has updated cracklib (code
execution), dropbear (three code execution
flaws), jasper (two vulnerabilities from
2015), krb5 (denial of service), lcms2 (information leak), mediawiki (multiple vulnerabilities), openvpn (information leak), perl-DBD-mysql (two code execution flaws from
2014 and 2015), and perl-XSLoader (code execution).

openSUSE has updated opera (42.1:
multiple vulnerabilities) and tiff (42.1: multiple vulnerabilities, three from 2015).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: three vulnerabilities).

Slackware has updated curl (code execution).

Security updates for Thursday

Post Syndicated from jake original http://lwn.net/Articles/700820/rss

Arch Linux has updated flashplugin (many vulnerabilities), lib32-flashplugin (many vulnerabilities), and
mariadb (two vulnerabilities).

Debian has updated chromium-browser (multiple vulnerabilities)
and mailman (cross-site request forgery).

Debian-LTS has updated autotrace
(code execution), tomcat6 (privilege
escalation), and tomcat7 (privilege escalation).

Fedora has updated GraphicsMagick
(F24: multiple vulnerabilities).

openSUSE has updated chromium (42.1; 13.2; SPH for SLE12: multiple vulnerabilities), flash-player (13.2: multiple vulnerabilities),
perl (42.1: multiple vulnerabilities, one
from 2015), and virtualbox (13.2: two
unspecified vulnerabilities).

Oracle has updated kernel (OL7:
two vulnerabilities).

Red Hat has updated kernel
(RHEL7: three vulnerabilities) and kernel-rt (RHEL7; RHEL6:
three vulnerabilities).

SUSE has updated flash-player
(SLE12: many vulnerabilities).

Ubuntu has updated oxide-qt
(16.04, 14.04: multiple vulnerabilities) and python-imaging (12.04: three vulnerabilities,
one from 2014).

A bite of Python (Red Hat Security Blog)

Post Syndicated from jake original http://lwn.net/Articles/699958/rss

On the Red Hat Security Blog, Ilya Etingof describes some traps for the unwary in Python, some of which have security implications. “Being easy to pick up and progress quickly towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. Though apparent language clarity and friendliness could lull the vigilance of software engineers and system administrators — luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked at; experienced developers may well be aware of the peculiarities that follow.”
(Thanks to Paul Wise.)

Thursday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/699945/rss

Debian-LTS has updated icu (code
execution) and roundcube (three
vulnerabilities, one each from 2015 and 2014).

openSUSE has updated libsrtp
(42.1: denial of service from 2015), libstorage (42.1: password disclosure), and libtcnative-1-0 (42.1: cipher downgrade from 2015).

Red Hat has updated Kibana
(RHOS3: two vulnerabilities).

Scientific Linux has updated thunderbird (multiple vulnerabilities).

SUSE has updated java-1_7_1-ibm
(SLE11: three unspecified vulnerabilities).

Monday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/697941/rss

Arch Linux has updated linux-lts
(connection hijacking).

CentOS has updated kernel (C7:
connection hijacking).

Debian-LTS has updated cracklib2
(code execution) and suckless-tools (screen
lock bypass).

Fedora has updated firewalld
(F24: authentication bypass), glibc (F24:
denial of service on armhfp), knot (F24; F23:
denial of service), libgcrypt (F24: bad
random number generation), and perl (F23:
privilege escalation).

openSUSE has updated apache2-mod_fcgid (42.1, 13.2: proxy
injection), gd (13.2: multiple
vulnerabilities), iperf (SPHfSLE12;
42.1, 13.2: denial of service), pdns (42.1, 13.2: denial of service), python3 (42.1, 13.2: multiple
vulnerabilities), roundcubemail (42.1; 13.2; 13.1: multiple vulnerabilities, two from
2015), and typo3-cms-4_7 (42.1, 13.2: three
vulnerabilities from 2013 and 2014).

Scientific Linux has updated kernel (SL7: connection hijacking) and python (SL6&7: three vulnerabilities).

Microsoft announces PowerShell for Linux and Open Source

Post Syndicated from jake original http://lwn.net/Articles/697609/rss

Microsoft has announced the release of its PowerShell automation and scripting platform under the MIT license, complete with a GitHub repository. “Last year we started down this path by contributing to a number of open source projects (e.g. OpenSSH) and open sourcing a number of our own components including DSC resources. We learned that working closely with the community, in the code and with our backlog and issues list, allowed us to prioritize and drive the development much more responsively. We’ve always worked with the community but shifting to a fine-grain, tight, feedback loop with the code, energized the team and allowed us to focus on the things that had the most impact for our customers and partners. Now we are going big by making PowerShell itself an open source project and making it available on Mac OS X, Ubuntu, CentOS/RedHat and others in the future.”

Xenomai project mourns Gilles Chanteperdrix

Post Syndicated from jake original http://lwn.net/Articles/697594/rss

The Xenomai project is mourning Gilles Chanteperdrix, a longtime maintainer of the realtime framework, who recently passed away. In the announcement, Philippe Gerum writes: “Gilles will forever be remembered as a true-hearted man, a brilliant mind always scratching beneath the surface, looking for elegance in the driest topics, never jaded from such accomplishment.

According to Paul Valéry, “death is a trick played by the inconceivable on the conceivable”. Gilles’s absence is inconceivable to me, I can only assume that for once, he just got rest from tirelessly helping all of us.”

Security against Election Hacking (Freedom to Tinker)

Post Syndicated from jake original http://lwn.net/Articles/697589/rss

Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed.

With optical-scan voting, the voter fills in the bubbles next to the names of her selected candidates on a paper ballot; then she feeds the op-scan ballot into the optical-scan computer. The computer counts the vote, and the paper ballot is kept in a sealed ballot box. The computer could be hacked, in which case (when the polls close) the voting machine lies about how many votes were cast for each candidate. But we can recount the physical pieces of paper marked by the voter’s own hands; that recount doesn’t rely on any computer. Instead of doing a full recount of every precinct in the state, we can spot-check just a few ballot boxes to make sure they 100% agree with the op-scan computers’ totals.
Problem: What if it’s not an optical-scan computer, what if it’s a paperless touchscreen (“DRE”, Direct-Recording Electronic) voting computer? Then whatever numbers the voting computer says, at the close of the polls, are completely under the control of the computer program in there. If the computer is hacked, then the hacker gets to decide what numbers are reported. There are no paper ballots to audit or recount. All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem.

Thursday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/697563/rss

Arch Linux has updated chromium
(multiple vulnerabilities) and linux-zen (connection hijacking).

Debian has updated gnupg (flawed
random number generation) and libgcrypt20
(flawed random number generation).

Debian-LTS has updated libupnp
(arbitrary file overwrite).

Fedora has updated bind (F23:
denial of service), fontconfig (F23:
privilege escalation), and python3 (F23:
proxy injection).

SUSE has updated xen (SLE12: multiple vulnerabilities,
one from 2014) and yast2-ntp-client (SLE10:
multiple vulnerabilities, most from 2015).

Ubuntu has updated fontconfig
(16.04, 14.04, 12.04: privilege escalation).

Ardour 5.0 released

Post Syndicated from jake original http://lwn.net/Articles/697153/rss

The Ardour audio workstation has released its 5.0 version. There are many new features in the release, including a tabbed user interface, Lua scripting, built-in plugins, and new themes.
Ardour 5.0 is now available for Linux, OS X and Windows. This is a major release focused on substantial changes to the GUI and major new features related to mixing, plugin use, tempo maps, scripting and more. As usual, there are also hundreds of bug fixes. Ardour 5.0 can be parallel-installed with older versions of the program, and does not use the same preference files. It will load sessions from Ardour 2, 3 and 4, though with some potential minor changes.

Lefkowitz: The One Python Library Everyone Needs

Post Syndicated from jake original http://lwn.net/Articles/697146/rss

Twisted developer Glyph Lefkowitz writes about the attrs library for Python, which he calls “my favorite mandatory Python library”. Instead of a lot of boilerplate to handle attributes in classes, attrs makes it far easier. “It lets you say what you mean directly with a declaration rather than expressing it in a roundabout imperative recipe. Instead of “I have a type, it’s called MyType, it has a constructor, in the constructor I assign the property ‘A’ to the parameter ‘A’ (and so on)”, you say “I have a type, it’s called MyType, it has an attribute called a”, and behavior is derived from that fact, rather than having to later guess about the fact by reverse engineering it from behavior (for example, running dir on an instance, or looking at self.__class__.__dict__).”

Security updates for Friday

Post Syndicated from jake original http://lwn.net/Articles/697136/rss

CentOS has updated mariadb (C7:
multiple unspecified vulnerabilities), php (C7; C6: proxy
injection), and qemu-kvm (C7: two
vulnerabilities).

Debian has updated icedove
(multiple vulnerabilities) and postgresql-9.4 (two vulnerabilities).

Debian-LTS has updated nettle (?:).

Fedora has updated perl-DBD-MySQL
(F23: code execution from 2015), python
(F24: proxy injection), and python3 (F24:
proxy injection).

openSUSE has updated go (42.1, 13.2; SPH: denial of service), hawk2 (42.1: clickjacking prevention), java-1_7_0-openjdk (42.1; 13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1: multiple vulnerabilities), libarchive (42.1: multiple vulnerabilities, many from 2015), OpenJDK7 (13.1: multiple vulnerabilities), pcre2 (42.1: code execution), sqlite3 (42.1: information leak), and wget (13.2: code execution).

Oracle has updated mariadb (OL7:
multiple unspecified vulnerabilities), php (OL7; OL6:
proxy injection), and qemu-kvm (OL7: two vulnerabilities).

Red Hat has updated mariadb
(RHEL7: multiple unspecified vulnerabilities), mariadb55-mariadb (RHSC: multiple unspecified
vulnerabilities), php (RHEL7; RHEL6: proxy injection), php54-php (RHSC: proxy injection), php55-php (RHSC: proxy injection), qemu-kvm (RHEL7: two vulnerabilities), Red Hat OpenShift Enterprise (two
vulnerabilities), rh-mariadb100-mariadb
(RHSC: multiple unspecified vulnerabilities), rh-mysql56-mysql (RHSC: multiple unspecified
vulnerabilities), and rh-php56-php (RHSC:
proxy injection).

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open (Ars Technica)

Post Syndicated from jake original http://lwn.net/Articles/697059/rss

Ars Technica is reporting on a mistake by Microsoft that resulted in providing a “golden key” to circumvent Secure Boot. The “key” is not really a key at all, but a debugging tool that was inadvertently left in some versions of Windows devices and was found by two security researchers; the details were released on a “rather funky website” (viewing the source of that page is a good way to avoid the visual and audio funkiness).
“The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.” As the researchers note, this is a perfect example of why backdoors (legally mandated or not) in cryptographic systems are a bad idea.

Update: For some more detail, see Matthew Garrett’s blog post.

Security advisories for Thursday

Post Syndicated from jake original http://lwn.net/Articles/697017/rss

Arch Linux has updated jq (code
execution from 2015) and websvn (cross-site
scripting).

Debian-LTS has updated postgresql-9.1 (two vulnerabilities).

Gentoo has updated optipng (three
vulnerabilities).

openSUSE has updated typo3 (13.1:
three vulnerabilities from 2013 and 2014) and firefox, mozilla-nss (13.1: many vulnerabilities).

Red Hat has updated java-1.7.0-ibm (RHEL5: two vulnerabilities),
java-1.7.1-ibm (RHEL6&7: two
vulnerabilities), java-1.8.0-ibm
(RHEL6&7: two vulnerabilities), and python-django (RHOSP8; RHOSP7; RHEL7:
cross-site scripting).

Scientific Linux has updated qemu-kvm (SL6: denial of service).

Ubuntu has updated libgd2 (16.04,
14.04: three vulnerabilities) and xmlrpc-epi (16.04: code execution).

[$] The TCP “challenge ACK” side channel

Post Syndicated from jake original http://lwn.net/Articles/696868/rss

Side-channel attacks against various kinds of protocols (typically networking or cryptographic) are both dangerous and often hard for developers and reviewers to spot. They are generally passive attacks, which makes them hard to detect as well. A recent paper [PDF] describes in detail one such attack against the kernel’s TCP networking stack; the bug (CVE-2016-5696) has existed since Linux 3.6, which was released in 2012. Ironically, the bug was introduced because Linux has implemented a countermeasure against another type of attack.

The GNU C Library version 2.24 is now available

Post Syndicated from jake original http://lwn.net/Articles/696469/rss

The 2.24 version of the GNU C Library (glibc) has been released. It comes
with lots of bug fixes, including five for security vulnerabilities (four
stack overflows and a memory leak). Some deprecated features have
been removed, as well as deprecating the readdir_r() and
readdir64_r() functions in favor of readdir() and
readdir64(). There are also additions to the math library
(nextup*() and nextdown*()) to return the next
representable value toward either positive or negative infinity.

Breaking through censorship barriers, even when Tor is blocked (Tor Blog)

Post Syndicated from jake original http://lwn.net/Articles/696468/rss

The Tor Blog looks at using Pluggable Transports to avoid country-level Tor blocking. There are some new easy-to-follow graphical directions for using the transports.

Many repressive governments and authorities benefit from blocking their users from having free and open access to the internet. They can simply get the list of Tor relays and block them. This bars millions of people from access to free information, often including those who need it most. We at Tor care about freedom of access to information and strongly oppose censorship. This is why we’ve developed methods to connect to the network and bypass censorship. These methods are called Pluggable Transports (PTs).
Pluggable Transports are a type of bridge to the Tor network. They take advantage of various transports and make encrypted traffic to Tor look like not-interesting or garbage traffic. Unlike normal relays, bridge information is kept secret and distributed between users via BridgeDB.