Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).
Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr).
The effects of the Coronavirus
disease 2019 (COVID-19) pandemic are horrific and far-reaching; we
really do not yet know just how bad it will get. One far less serious area
that has been affected is conferences for
and about free and open-source
software (FOSS). On the grand scale, these problems are pretty low on the
There are a fair number of non-profit organizations behind the
gatherings, however, that have spent considerable sums setting up
now-canceled events or depend on
the conferences for a big chunk of their budget—or both. A new
organization, FOSS Responders,
has formed to try to help out.
The Django web framework has
come a long way since it was first released as open source in 2005. It
started with a benevolent dictator for life (BDFL) governance model, like
the language it is implemented in, Python, but switched to a different
model in 2014. When Python switched
away from the BDFL model in 2018, it followed Django’s lead to some
extent. But now Django is changing yet again, moving from governance based
around a “core team” to one that is more inclusive and better reflects the
way the project is operating now.
The Linux Mint Debian Edition (LMDE) 4 has been released. “LMDE is a Linux Mint project which stands for ‘Linux Mint Debian Edition’. Its goal is to ensure Linux Mint would be able to continue to deliver the same user experience, and how much work would be involved, if Ubuntu was ever to disappear. LMDE is also one of our development targets, to guarantee the software we develop is compatible outside of Ubuntu.
LMDE aims to be as similar as possible to Linux Mint, but without using Ubuntu. The package base is provided by Debian instead.” It is based on Debian 10 (“Buster”) with lots of new features, including many improvements from Linux Mint 19.3. More information can be found in the release notes.
Security updates have been issued by Arch Linux (bluez and chromium), Debian (icu, rails, thunderbird, and twisted), Fedora (chromium and webkit2gtk3), Gentoo (bsdiff, cacti, clamav, fribidi, libgit2, pecl-imagick, phpmyadmin, pyyaml, and tomcat), openSUSE (wireshark), Oracle (firefox, icu, python-imaging, thunderbird, and zsh), Scientific Linux (thunderbird), SUSE (firefox, nghttp2, thunderbird, and tomcat), and Ubuntu (twisted).
Security updates have been issued by Debian (gdal), Fedora (nethack), Mageia (okular, sleuthkit, and webkit2), openSUSE (salt), Oracle (icu, kernel, python-pip, python-virtualenv, and zsh), Red Hat (icu, python-imaging, thunderbird, and zsh), Scientific Linux (icu, python-imaging, and zsh), SUSE (postgresql10), and Ubuntu (apache2).
The python-ideas mailing list is typically used to discuss new features or
enhancements for the language; ideas that gain traction will get turned
into Python Enhancement Proposals (PEPs) and eventually make their way to
python-dev for wider consideration. Steve Jorgensen recently started
a discussion of just that sort; he was looking for a way to add
customization to the “pretty-print” module (pprint)
so that objects could change the way they are displayed. The subsequent
thread went in a few different directions that reflect the nature of the
mailing list—and the idea itself.
Legislation recently proposed in the US Senate is ostensibly meant to
combat “child sexual abuse material” (CSAM), but it does not actually do
much to combat that horrible problem. Its target, instead, is the encryption
of user communications, which the legislation—tellingly—never mentions.
Abusive and Rampant Neglect of Interactive Technologies Act of 2020,
EARN IT for short, is an attempt to force online service providers
(e.g. Facebook, Google, etc.) to follow a set of “best practices”
determined by a commission, to combat the scourge of CSAM; the composition of
that commission makes it clear that end-to-end encryption will not be one
of those practices, but companies that do not follow the best practices will lose
liability protection for their users’ actions. It is, in brief, an
attempt to force providers to either abandon true end-to-end encryption or
face ruinous lawsuits—all without “seeming” to be about encryption at all.
Version 4.4 of The Amnesic Incognito Live System (or Tails) has been released. It has fixed a bunch of security vulnerabilities in Tails 4.3; users are advised to “upgrade as soon as possible“. Tails 4.4 brings new versions of the Tor Browser (9.0.6), Thunderbird (68.5.0), and the Linux kernel (5.4.19). It also fixes some problems with WiFi. Tails is a Linux distribution that runs from removable media; it is focused on privacy, security, and anonymity.
Wired has an article on an open-source tool that is being used to track strains of Covid-19 throughout the world.
“In the case of the Seattle area teenager, genetic data about his strain of Covid-19 was uploaded to Gisaid, a platform for sharing genomic data. Then researchers at Nextstrain made the connection with the earlier patient.
Nextstrain is an open source application that tracks the evolution of viruses and bacteria, including Covid-19, Ebola, and lesser-known outbreaks such as Enterovirus D68 using data sourced largely from Gisaid. Hodcroft and other researchers involved with the project analyze the data shared on Gisaid for mutations and visualize the results. That’s how the team was able to spot the connection between the two Covid-19 cases in Washington.”
Security updates have been issued by Arch Linux (firefox, golang-golang-x-crypto, kernel, mbedtls, ppp, and python-django), Debian (slirp and yubikey-val), Fedora (firefox, java-1.8.0-openjdk-aarch32, mbedtls, monit, seamonkey, sympa, and zsh), Gentoo (chromium, e2fsprogs, firefox, groovy, postgresql, rabbitmq-c, ruby, and vim), Mageia (ppp), openSUSE (kernel), and SUSE (glibc, kernel, openstack-manila, php5, and squid).
Security updates have been issued by CentOS (kernel), Debian (dojo, firefox-esr, sleuthkit, and wpa), Fedora (cacti, cacti-spine, and python-psutil), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (ardana-ansible, ardana-cinder, ardana-cobbler, ardana-db, ardana-horizon, ardana-input-model, ardana-monasca, ardana-mq, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, openstack-barbican, openstack-ceilometer, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-designate, openstack-heat, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-horizon-plugin-octavia-ui, openstack-ironic, openstack-ironic-python-agent, openstack-keystone, openstack-magnum, openstack-monasca-agent, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-gbp, openstack-neutron-vpnaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-sahara, openstack-swift, python-amqp, python-ironic-lib, python-keystoneauth1, python-keystoneclient, python-keystonemiddleware, python-ovs, supportutils-plugin-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, venv-openstack-horizon, ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-ne tworking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-pumavenv-openstack-swift, firefox, ipmitool, kernel, and php72), and Ubuntu (firefox).
A recent message to
the debian-project mailing list by Debian project leader (DPL) Sam Hartman is
about a proposal to moderate the mailing list. There have been repeated
attacks on various project members and the distribution itself posted to
the list over the last few years, many from
sock-puppet, throwaway email accounts, which spawned a recent discussion on
the debian-private mailing list; Hartman was summarizing that discussion
for those who are not on the private list. But the problems on
debian-project (and other Debian public lists) are kind of just the tip of
the iceberg; there is an ongoing, persistent effort to roil the
distribution and its community.
The Let’s Encrypt project has made
real strides in helping to ensure that every web site can use the encrypted
HTTPS protocol; it has provided TLS certificates at no charge that are
accepted by most or all web browsers. Free certificates accepted by the
browsers are something that was difficult to find
prior to the advent of the project in 2014; as of the end of February, the
project has issued
over a billion certificates. But a bug that was recently
found in the handling of Certificate Authority
Authorization (CAA) by the project put roughly 2.6% of the active
certificates—roughly three million—at risk of immediate revocation. As might be
expected, that caused a bit of panic in some quarters, but it turned out
that the worst outcome was largely averted.
Security updates have been issued by Arch Linux (chromium, opensc, opensmtpd, and weechat), Debian (jackson-databind and pdfresurrect), Fedora (sudo), openSUSE (openfortivpn and squid), Red Hat (virt:8.1 and virt-devel:8.1), Scientific Linux (http-parser and xerces-c), and SUSE (gd, kernel, postgresql10, and tomcat).
Over on the Collabora blog, Julian Bouzas writes about PipeWire, which is a relatively new multimedia server for the Linux desktop and beyond. “PipeWire was originally created to only handle access to video resources and co-exist with PulseAudio. Earlier versions have already been shipping in Fedora for a while, allowing Flatpak applications to access video cameras and to implement screen sharing on Wayland. Eventually, PipeWire has ended up handling any kind of media, to the point of planning to completely replace PulseAudio in the future. The new 0.3 version is marked as a preview for audio support.
But why replace PulseAudio? Although PulseAudio already provides a working intermediate layer to access audio devices, PipeWire has to offer more features that PulseAudio was not designed to deliver, starting with a better security model, which allows isolation between applications and secure access from within containers.
Another interesting feature of PipeWire is that it unifies the two audio systems used on the desktop, JACK for low-latency professional audio and PulseAudio for normal desktop use-cases. PipeWire was designed to be able to accommodate both use cases, delivering very low latency, while at the same time not wasting CPU resources. This design also makes PipeWire a much more efficient solution than PulseAudio in general, making it a perfect fit for embedded use cases too.”
The Positive Technologies blog is reporting on an unfixable flaw the company has found in Intel x86 hardware that has the potential to subvert the hardware root of trust for a variety of processors. “The EPID [Enhanced Privacy ID] issue is not too bad for the time being because the Chipset Key is stored inside the platform in the One-Time Programmable (OTP) Memory, and is encrypted. To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS). However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time. When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted.” Intel has said that it is aware of the problem (CVE-2019-0090), but since it cannot be fixed in the ROM, Intel is “trying to block all possible exploitation vectors“; the fix for CVE-2019-0090 only blocks one such vector, according to the blog post.