All posts by jake

Thursday’s security advisories

Post Syndicated from jake original

Arch Linux has updated chromium
(multiple vulnerabilities) and linux-zen (connection hijacking).

Debian has updated gnupg (flawed
random number generation) and libgcrypt20
(flawed random number generation).

Debian-LTS has updated libupnp
(arbitrary file overwrite).

Fedora has updated bind (F23:
denial of service), fontconfig (F23:
privilege escalation), and python3 (F23:
proxy injection).

SUSE has updated xen (SLE12: multiple vulnerabilities,
one from 2014) and yast2-ntp-client (SLE10:
multiple vulnerabilities, most from 2015).

Ubuntu has updated fontconfig
(16.04, 14.04, 12.04: privilege escalation).

Ardour 5.0 released

The Ardour audio workstation has released its 5.0 version. There are many new features in the release, including a tabbed user interface, Lua scripting, built-in plugins, and new themes.
Ardour 5.0 is now available for Linux, OS X and Windows. This is a major release focused on substantial changes to the GUI and major new features related to mixing, plugin use, tempo maps, scripting and more. As usual, there are also hundreds of bug fixes. Ardour 5.0 can be parallel-installed with older versions of the program, and does not use the same preference files. It will load sessions from Ardour 2, 3 and 4, though with some potential minor changes.

Lefkowitz: The One Python Library Everyone Needs

Twisted developer Glyph Lefkowitz writes about the attrs library for Python, which he calls “my favorite mandatory Python library“. Instead of a lot of boilerplate to handle attributes in classes, attrs makes it far easier. “It lets you say what you mean directly with a declaration rather than expressing it in a roundabout imperative recipe. Instead of “I have a type, it’s called MyType, it has a constructor, in the constructor I assign the property ‘A’ to the parameter ‘A’ (and so on)”, you say “I have a type, it’s called MyType, it has an attribute called a”, and behavior is derived from that fact, rather than having to later guess about the fact by reverse engineering it from behavior (for example, running dir on an instance, or looking at self.__class__.__dict__).”

Security updates for Friday

CentOS has updated mariadb (C7:
multiple unspecified vulnerabilities), php (C7; C6: proxy
injection), and qemu-kvm (C7: two

Debian has updated icedove
(multiple vulnerabilities) and postgresql-9.4 (two vulnerabilities).

Debian-LTS has updated nettle (?:).

Fedora has updated perl-DBD-MySQL
(F23: code execution from 2015), python
(F24: proxy injection), and python3 (F24:
proxy injection).

openSUSE has updated go (42.1,
; SPH: denial of service), hawk2 (42.1: clickjacking prevention),
java-1_7_0-openjdk (42.1; 13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1: multiple
vulnerabilities), libarchive (42.1:
multiple vulnerabilities, many from 2015), OpenJDK7 (13.1: multiple vulnerabilities), pcre2 (42.1: code execution), sqlite3 (42.1: information leak), and wget (13.2: code execution).

Oracle has updated mariadb (OL7:
multiple unspecified vulnerabilities), php (OL7; OL6:
proxy injection), and qemu-kvm (OL7: two vulnerabilities).

Red Hat has updated mariadb
(RHEL7: multiple unspecified vulnerabilities), mariadb55-mariadb (RHSC: multiple unspecified
vulnerabilities), php (RHEL7; RHEL6: proxy injection), php54-php (RHSC: proxy injection), php55-php (RHSC: proxy injection), qemu-kvm (RHEL7: two vulnerabilities), Red Hat OpenShift Enterprise (two
vulnerabilities), rh-mariadb100-mariadb
(RHSC: multiple unspecified vulnerabilities), rh-mysql56-mysql (RHSC: multiple unspecified
vulnerabilities), and rh-php56-php (RHSC:
proxy injection).

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open (Ars Technica)

Ars Technica is reporting on a mistake by Microsoft that resulted in providing a “golden key” to circumvent Secure Boot. The “key” is not really a key at all, but a debugging tool that was inadvertently left in some versions of Windows devices that was found by two security researchers; the details were released on a “rather funky website” (viewing the source of that page is a good way to avoid the visual and audio funkiness).
“The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.” As the researchers note, this is a perfect example of why backdoors (legally mandated or not) in cryptographic systems are a bad idea.

Update: For some more detail, see Matthew Garrett’s blog post.

Security advisories for Thursday

Arch Linux has updated jq (code
execution from 2015) and websvn (cross-site

Debian-LTS has updated postgresql-9.1 (two vulnerabilities).

Gentoo has updated optipng (three

openSUSE has updated typo3 (13.1:
three vulnerabilities from 2013 and 2014) and firefox, mozilla-nss (13.1: many vulnerabilities).

Red Hat has updated java-1.7.0-ibm (RHEL5: two vulnerabilities),
java-1.7.1-ibm (RHEL6&7: two
vulnerabilities), java-1.8.0-ibm
(RHEL6&7: two vulnerabilities), and python-django (RHOSP8; RHOSP7; RHEL7:
cross-site scripting).

Scientific Linux has updated qemu-kvm (SL6: denial of service).

Ubuntu has updated libgd2 (16.04,
14.04: three vulnerabilities) and xmlrpc-epi (16.04: code execution).

[$] The TCP “challenge ACK” side channel

Side-channel attacks against various kinds of protocols (typically
networking or cryptographic) are both dangerous and often hard for
developers and reviewers to spot.
They are generally passive attacks, which makes them hard to detect as well. A
recent paper
describes in detail one such attack against the kernel’s TCP
stack; the bug (CVE-2016-5696)
has existed since Linux 3.6, which was released in 2012.
Ironically, the bug was introduced because Linux has implemented
a countermeasure against another type of attack.

The GNU C Library version 2.24 is now available

The 2.24 version of the GNU C Library (glibc) has been released. It comes
with lots of bug fixes, including five for security vulnerabilities (four
stack overflows and a memory leak). Some deprecated features have
been removed, as well as deprecating the readdir_r() and
readdir64_r() functions in favor of readdir() and
readdir64(). There are also additions to the math library
(nextup*() and nextdown*()) to return the next
representable value toward either positive or negative infinity.

Breaking through censorship barriers, even when Tor is blocked (Tor Blog)

The Tor Blog looks at using Pluggable Transports to avoid country-level Tor blocking. There are some new easy-to-follow graphical directions for using the transports.

Many repressive governments and authorities benefit from blocking their users from having free and open access to the internet. They can simply get the list of Tor relays and block them. This bars millions of people from access to free information, often including those who need it most. We at Tor care about freedom of access to information and strongly oppose censorship. This is why we’ve developed methods to connect to the network and bypass censorship. These methods are called Pluggable Transports (PTs).
Pluggable Transports are a type of bridge to the Tor network. They take advantage of various transports and make encrypted traffic to Tor look like not-interesting or garbage traffic. Unlike normal relays, bridge information is kept secret and distributed between users via BridgeDB.

Security updates for Thursday

CentOS has updated firefox (C5:
MV) and squid (C6: code execution).

Debian has updated firefox-esr (MV) and wordpress (MV).

Debian-LTS has updated collectd
(regression in previous security update), firefox-esr (MV), and libsys-syslog-perl (privilege escalation).

Fedora has updated firefox (?:) and pbuilder (?; ?: ).

Oracle has updated firefox (?; ?; ?: ).

Red Hat has updated squid (RHEL6:
code execution).

Scientific Linux has updated firefox (?:), golang (?:), kernel (?:), and libtiff (?:).

SUSE has updated hawk2 (?:).

Ingebrigtsen: The End of Gmane?

On his blog, Gmane creator and maintainer Lars Magne Ingebrigtsen warns that the email-to-news (and web) gateway may be disappearing soon. The site, which is hosted by his employer, has been under a distributed denial of service (DDoS) attack for the last few weeks, but there are other problems as well. “And now the DDoS stuff, which I have no idea why is happening, but I can only assume that somebody is angry about something.

Probably me being a wise ass.

So… it’s been 14 years… I’m old now. I almost threw up earlier tonight because I’m so stressed about the situation. I should retire and read comic books and watch films. Oh, and the day job. Work, work, work. Oh, and Gnus.

I’m thinking about ending Gmane, at least as a web site. Perhaps continue running the SMTP-to-NNTP bridge? Perhaps not? I don’t want to make 20-30K mailing lists start having bouncing addresses, but I could just funnel all incoming mail to /dev/null, I guess…” The site, which has been relied on by many (including LWN) since it started in 2002, is down now and it appears to be unclear when (or if) it will be back.

Security advisories for Thursday

Debian has updated xen (multiple vulnerabilities, one
from 2015).

Debian-LTS has updated tardiff
(two vulnerabilities from 2015).

Fedora has updated httpd (F23:
HTTP redirect), libarchive (F24: code
execution), and libvirt (F23:
authentication bypass).

openSUSE has updated dropbear
(42.1, 13.2: multiple vulnerabilities), go (13.2: HTTP request
smuggling flaws from 2015), karchive (42.1,
13.2: code execution), mbedtls (42.1: three
vulnerabilities), python (42.1, 13.2: three
vulnerabilities), and tiff (13.2: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (multiple vulnerabilities).

EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment

The Electronic Frontier Foundation (EFF) has announced that it is suing the US government over provisions in the Digital Millennium Copyright Act (DMCA). The suit has been filed on behalf of Andrew “bunnie” Huang, who has a blog post describing the reasons behind the suit. The EFF also explained why these DMCA provisions should be ruled unconstitutional:
“These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing.

Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people’s ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials.”

Security updates for Thursday

Arch Linux has updated bind
(denial of service).

CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian-LTS has updated libarchive
(multiple vulnerabilities, most from 2015).

Fedora has updated openssh (F24:
user enumeration via timing side-channel) and p7zip (F24: two code execution flaws).

openSUSE has updated dhcp (42.1:
denial of service).

Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), and
openstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015).

Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated obs-service-source_validator (SLE12: code execution).

Automotive Grade Linux Releases 2.0 Spec Amid Growing Support (

Over at, Eric Brown writes about the release of Automotive Grade Linux (AGL) Unified Code Base (UCB) 2.0 for in-vehicle infotainment (IVI) systems. “The latest version adds features like audio routing, rear seat display support, the beginnings of an app platform, and new development boards including the DragonBoard, Wandboard, and Raspberry Pi.

AGL’s Yocto Project derived UCB distro, which is also based in part on the GENIVI and Tizen automotive specs, was first released in January. UCB 1.0 followed an experimental AGL stack in 2014 and an AGL Requirements Specification in June, 2015.

UCB is scheduled for a 3.0 release in early 2017, at which point some automotive manufacturers will finally use it in production cars. Most of the IVI software will be based on UCB, but carmakers can also differentiate with their own features.” We looked at AGL UCB 1.0 back in January.

Security advisories for Thursday

Fedora has updated gnutls (F23:
certificate verification botch).

Gentoo has updated flash (many vulnerabilities).

openSUSE has updated flash-player
(13.2: many vulnerabilities) and kernel (42.1:
multiple vulnerabilities).

Red Hat has updated flash-plugin
(RHEL5&6: many vulnerabilities) and rh-nginx18-nginx (RHSC: multiple vulnerabilities).

SUSE has updated MozillaFirefox,
MozillaFirefox-branding-SLE, mozilla-nss
(SLE11: multiple vulnerabilities).

Gräßlin: Multi-screen woes in Plasma 5.7

On his blog, Martin Gräßlin describes some of the multi-screen problems that users have been running into on KDE Plasma 5.7, what the causes are, and why multi-screen is a difficult problem to solve. “Many users expect that new windows open on the primary screen. Unfortunately primary screen does not imply that, it’s only a hint for the desktop shell where to put its panels, but does not have any meaning for normal windows.

Of course windows should be placed on a proper location. If a window opens on a turned off external TV something is broken. And KWin wouldn’t do so. KWin places new windows on the “active screen”. The active screen is the one having the active window or the mouse cursor (depending on configuration setting). Unless, unless the window adds a positioning hint. Unfortunately it looks like windows started to position themselves to incorrect values and I started to think about ignoring these hints in future. If applications are not able to place themselves correctly, we might need to do something about it.

Of course KWin allows the user to override it. With windowing specific rules one can ignore the requested geometry.”

Portals: Using GTK+ in a Flatpak

On his blog, Matthias Clasen announces the availability of some of the infrastructure for Portals, which are a way for Flatpak applications to reach outside of their sandbox.

“Most of these projects involve some notion of sandboxing: isolating the application from the rest of the system.

Snappy does this by setting environment variables like XDG_DATA_DIRS, PATH, etc, to tell apps where to find their ‘stuff’ and using app-armor to not let them access things they shouldn’t.

Flatpak takes a somewhat different approach: it uses bind mounts and namespaces to construct a separate view of the world for the app in which it can only see what it is supposed to access.

Regardless which approach you take to sandboxing, desktop applications are not very useful without access to the rest of the system. So, clearly, we need to poke some holes in the walls of the sandbox, since we want apps to interact with the rest of the system.

The important thing to keep in mind is that we always want to give the user control over these interactions and in particular, control over the data that goes in and out of the sandbox.”