All posts by jake

Thursday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/688046/rss

Arch Linux has updated p7zip (two code execution flaws).

Debian has updated swift-plugin-s3 (replay attack).

Debian-LTS has updated icedove (armhf: three vulnerabilities), nss (multiple vulnerabilities), and phpmyadmin (multiple vulnerabilities).

Mageia has updated cacti (two SQL injection flaws), chromium-browser-stable (multiple vulnerabilities), dosfstools (two vulnerabilities), libarchive (code execution), libksba (three vulnerabilities), libndp (man-in-the-middle attacks), mariadb (multiple vulnerabilities), moodle (multiple vulnerabilities), qemu (multiple vulnerabilities), and xymon (multiple vulnerabilities).

openSUSE has updated php5 (13.2: multiple vulnerabilities).

SUSE has updated firefox (SLE10: multiple vulnerabilities).

Ubuntu has updated firefox (fix to previous security update), oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities), and thunderbird (multiple vulnerabilities).

Announcing Certbot: EFF’s Client for Let’s Encrypt

Post Syndicated from jake original http://lwn.net/Articles/687308/rss

The Electronic Frontier Foundation (EFF) has announced a new name and web site for the Let’s Encrypt client. The Let’s Encrypt project is a free certificate authority for TLS certificates that enable HTTPS for the web. The client, now called “Certbot”, uses Automatic Certificate Management Environment (ACME) to talk to the Let’s Encrypt CA, though it will no longer be the “official” client and there are other ACME clients that can be used.

“Along with the rename, we’ve also launched a brand new website for Certbot, found at https://certbot.eff.org. The site includes frequently asked questions as well as links to how you can learn more and help support the project, but by far the biggest feature of the website is an interactive instruction tool. To get the specific commands you need to get Certbot up and running, just input your operating system and webserver. No more searching through pages and pages of documentation or Google search results!

While a new name has the potential for creating technical issues, the Certbot team has worked hard to make this transition as seamless as possible. Packages installed from PyPI, letsencrypt-auto, and third party plugins should all continue to work and receive updates without modification. We expect OS packages to begin using the Certbot name in the next few weeks as well. On many systems, the current client packages will automatically transition to Certbot while continuing to support the letsencrypt command so you won’t have to edit any scripts you’re currently using.”

Thursday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/687221/rss

Debian-LTS has updated ocaml (code execution) and xerces-c (code execution).

Fedora has updated kernel (F23: information leak), ntp (F22: multiple vulnerabilities), php (F22: multiple vulnerabilities), subversion (F23: two vulnerabilities), and xen (F23: two vulnerabilities).

Mageia has updated libtasn1 (denial of service) and squid (two vulnerabilities).

Oracle has updated pcre (OL7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: privilege escalation), kernel-rt (RHEL7; RHEL6: privilege escalation), and thunderbird (two vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated mysql (SLE11: multiple vulnerabilities), ntp (SLE11: multiple vulnerabilities), and php5 (SLE12: multiple vulnerabilities).

Ubuntu has updated qemu, qemu-kvm (multiple vulnerabilities).

Hutterer: The difference between uinput and evdev

Post Syndicated from jake original http://lwn.net/Articles/686505/rss

On his blog, Peter Hutterer answers an oft-asked question: “A recurring question I encounter is the question whether uinput or evdev should be the approach [to] implement some feature the user cares about. This question is unfortunately wrongly framed as uinput and evdev have no real overlap and work independent of each other. This post outlines what the differences are. Note that “evdev” here refers to the kernel API, not to the X.Org evdev driver.

First, the easy flowchart: do you have to create a new virtual device that has a set of specific capabilities? Use uinput. Do you have to read and handle events from an existing device? Use evdev. Do you have to create a device and read events from that device? You (probably) need two processes, one doing the uinput bit, one doing the evdev bit.”

Pennington: Professional corner-cutting

Post Syndicated from jake original http://lwn.net/Articles/686502/rss

In a blog post that likens software development to cabinetmaking, Havoc Pennington makes the case for cutting corners—but only the right corners: “Software remains a craft rather than a science, relying on the experience of the craftsperson. Like cabinetmakers, we proceed one step at a time, making judgments about what’s important and what isn’t at each step.

A professional developer does thorough work when it matters, and cuts irrelevant corners that aren’t worth wasting time on. Extremely productive developers don’t have supernatural coding skills; their secret is to write only the code that matters.

How can we do a better job cutting corners? I think we can learn a lot from people building tables and dressers.”

Boehm: How to campaign for the cause of software freedom

Post Syndicated from jake original http://lwn.net/Articles/686501/rss

On his blog, Mirko Boehm reports on a multi-day workshop where the Free Software Foundation Europe (FSFE) and the Peng! Collective teamed up to look at new and innovative ways to get out the message about free software.

“These campaigns translate abstract, distant risks or worries into concrete, tangible calls to action. By being provocative, they break the mold and reach a wide audience online and through traditional media. They are “cat content for social change”, as our tutors put it. Campaigners are being urged to stop preaching or complaining, and to start using positive communication combined with subversive PR work instead. Such messaging needs punchlines, which requires some kind of hyperbole – dadaism, hijacking attention, or provocation.” (Thanks to Paul Wise.)

Security updates for Thursday

Post Syndicated from jake original http://lwn.net/Articles/686442/rss

Debian has updated libpam-sshauth (privilege escalation) and libtasn1-6 (denial of service).

Debian-LTS has updated mplayer (code execution).

Fedora has updated dhcp (F23: denial of service), obs-signd (F23: improper user ID matching), and openssl (F23: multiple vulnerabilities).

Mageia has updated subversion (two vulnerabilities).

openSUSE has updated java-1_7_0-openjdk (13.1: multiple vulnerabilities), libopenssl0_9_8 (13.1; 11.4: multiple vulnerabilities), and openssl (13.2; 13.1; 11.4: multiple vulnerabilities).

SUSE has updated compat-openssl097g (SLE11: multiple vulnerabilities) and openssl (SLE12: multiple vulnerabilities).

Ubuntu has updated lcms2 (14.04: denial of service from 2013), openjdk-7 (15.10, 14.04: multiple vulnerabilities), openjdk-8 (16.04: multiple vulnerabilities), and samba (regression in previous security fix).

Linux Kernel BPF JIT Spraying (grsecurity forums)

Post Syndicated from jake original http://lwn.net/Articles/686098/rss

Over at the grsecurity forums, Brad Spengler writes about a recently released proof of concept attack on the kernel using JIT spraying. “What happened next was the hardening of the BPF interpreter in grsecurity to prevent such future abuse: the previously-abused arbitrary read/write from the interpreter was now restricted only to the interpreter buffer itself, and the previous warn on invalid BPF instructions was turned into a BUG() to terminate execution of the exploit. I also then developed GRKERNSEC_KSTACKOVERFLOW which killed off the stack overflow class of vulns on x64.

A short time later, there was work being done upstream to extend the use of BPF in the kernel. This new version was called eBPF and it came with a vastly expanded JIT. I immediately saw problems with this new version and noticed that it would be much more difficult to protect — verification was being done against a writable buffer and then translated into another writable buffer in the extended BPF language. This new language allowed not just arbitrary read and write, but arbitrary function calling.”
The protections in the grsecurity kernel will thus prevent this attack. In addition, the newly released RAP feature for grsecurity, which targets the elimination of return-oriented programming (ROP) vulnerabilities in the kernel, will also ensure that “the fear of JIT spraying goes away completely”, he said.

X.Org votes to join SPI

Post Syndicated from jake original http://lwn.net/Articles/685414/rss

The results of the X.Org election are in. There were two things up for a vote: four seats on the board of directors and amending the bylaws to join Software in the Public Interest (SPI). Unlike last year’s election, this year’s vote met the required 2/3 approval to join SPI (61 voters out of 65 members, with 54 voting “Yes”, 4 “No”, and 3 “Abstain”). In addition, Egbert Eich, Alex Deucher, Keith Packard, and Bryce Harrington were elected to the board.

Security updates for Thursday

Post Syndicated from jake original http://lwn.net/Articles/685403/rss

CentOS has updated firefox (C6; C5: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities) and php5 (multiple vulnerabilities).

Fedora has updated kernel (F23: two vulnerabilities) and libtasn1 (F22: denial of service).

openSUSE has updated php5 (13.2: multiple vulnerabilities, including one from 2014).

SUSE has updated php5 (SLE12: multiple vulnerabilities, including one from 2014).

Ubuntu has updated libsoup2.4 (16.04, 15.10, 14.04: regression in previous update), oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities), php5 (15.10: regression in previous update), and thunderbird (multiple vulnerabilities).

Brauch: Processing scientific data in Python and numpy, but doing it fast

Post Syndicated from jake original http://lwn.net/Articles/684042/rss

On his blog, Sven Brauch has some suggestions on how to use NumPy to process scientific data and how to avoid some pitfalls that will ruin its performance. “In general, copying data is cheap. But if your program simulates 25 million particles, each having a float64 location in 3d, you already have 8*3*25e6 = 600 MB of data. Thus, if you write r = r + v*dt, you will copy 1.2 GB of data around in memory: once 600 MB to calculate v*dt, and again to calculate r+(v*dt), and only then the result is written back to r. This can really become a major bottleneck if you aren’t careful. Fortunately, it is usually easy to circumvent; instead of writing r = r+dv, write r += dv. Instead of a = 3*a + b, write a *= 3; a+= b. This avoids the copying completely. For calculating v*dt and adding it to r, the situation is a bit more tricky; one good idea is to just have the unit of v be such that you don’t need to multiply by dt. If that is not possible, it might even be worth it to keep a copy of v which is multiplied by dt already, and update that whenever you update v. This is advantageous if only few v values change per step of your simulation.

I would not recommend writing it like this everywhere though, it’s often not worth the loss in readability; just for really large arrays and when the code is executed frequently.”

Costa: Designing a Userspace Disk I/O Scheduler for Modern Datastores: the Scylla example (Part 1)

Post Syndicated from jake original http://lwn.net/Articles/684009/rss

Over at the Scylla blog, Glauber Costa looks at why a high-performance datastore application might want to do its own I/O scheduling. “If one is using a threaded approach for managing I/O, a thread can be assigned to a different priority group by tools such as ionice. However, ionice only allows us to choose between general concepts like real-time, best-effort and idle. And while Linux will try to preserve fairness among the different actors, that doesn’t allow any fine tuning to take place. Dividing bandwidth among users is a common task in network processing, but it is usually not possible with disk I/O without resorting to infrastructure like cgroups.

More importantly, modern designs like the Seastar framework used by Scylla to build its infrastructure may stay away from threads in favor of a thread-per-core design in the search for better scalability. In the light of these considerations, can a userspace application like Scylla somehow guarantee that all actors are served according to the priorities we would want them to obey?”

Friday’s security advisories

Post Syndicated from jake original http://lwn.net/Articles/683983/rss

Arch Linux has updated lhasa (code execution).

Debian has updated chromium-browser (multiple vulnerabilities).

Fedora has updated cryptopp (F24: information disclosure), libtasn1 (F24: denial of service), poppler (F23: code execution), qpid-proton (F23: TLS to plaintext downgrade), and samba (F24: multiple vulnerabilities).

openSUSE has updated java-1_7_0-openjdk (13.1: sandbox bypass).

Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)

Post Syndicated from jake original http://lwn.net/Articles/683880/rss

Over at the Freedom to Tinker blog, guest poster Vitaly Shmatikov, who is a professor at Cornell Tech, writes about his study [PDF] of what URL shortening means for the security and privacy of cloud services. “TL;DR: short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices. We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.”

Security updates for Thursday

Post Syndicated from jake original http://lwn.net/Articles/683842/rss

Debian has updated samba (multiple vulnerabilities) and samba (regression in previous update).

Fedora has updated samba (F23; F22: multiple vulnerabilities).

Mageia has updated apache-commons-collections (code execution), imlib2 (three vulnerabilities), mercurial (three vulnerabilities), optipng (two vulnerabilities), postgresql (two vulnerabilities), python-pillow (code execution), and thunderbird (unspecified).

openSUSE has updated lhasa (42.1; 13.2: code execution) and quagga (password disclosure).

SUSE has updated samba (SLE11SP2: multiple vulnerabilities).

OpenStack Mitaka released

Post Syndicated from jake original http://lwn.net/Articles/683037/rss

OpenStack Mitaka has been released. “OpenStack Mitaka, the 13th release of the most widely deployed open source software for building clouds, now offers greater manageability and scalability as well as an enhanced end-user experience.

The Mitaka release was designed and built by an international community of 2,336 developers, operators and users from 345 organizations.

OpenStack has become the cloud platform of choice for enterprises and service providers, as an integration engine to manage bare metal, virtual machines, and container orchestration frameworks with a single set of APIs.” More information can be found in the release notes. There is also a press release available.

Thursday’s security updates

Post Syndicated from jake original http://lwn.net/Articles/682971/rss

Fedora has updated libmaxminddb (F24: multiple vulnerabilities) and python-rsa (F23: unspecified).

openSUSE has updated java-1_7_0-openjdk (13.2: sandbox bypass) and xerces-c (13.2: two vulnerabilities).

SUSE has updated rubygem-actionpack-3_2 (SLE11SP4, Webyast 1.3, Studio Onsite 1.3, Lifecycle Management Server 1.3: two vulnerabilities).