Arch Linux has updated p7zip (two code execution flaws).
Debian has updated swift-plugin-s3 (replay attack).
Mageia has updated cacti (two SQL injection flaws), chromium-browser-stable (multiple vulnerabilities), dosfstools (two vulnerabilities), libarchive (code execution), libksba (three vulnerabilities), libndp (man-in-the-middle attacks), mariadb (multiple vulnerabilities), moodle (multiple vulnerabilities), qemu (multiple vulnerabilities), and xymon (multiple vulnerabilities).
openSUSE has updated php5 (13.2:
SUSE has updated firefox (SLE10:
The Electronic Frontier Foundation (EFF) has announced a new name and web site for the Let’s Encrypt client. The Let’s Encrypt project is a free certificate authority for TLS certificates that enable HTTPS for the web. The client, now called “Certbot”, uses Automatic Certificate Management Environment (ACME) to talk to the Let’s Encrypt CA, though it will no longer be the “official” client and there are other ACME clients that can be used.
“Along with the rename, we’ve also launched a brand new website for Certbot, found at https://certbot.eff.org. The site includes frequently asked questions as well as links to how you can learn more and help support the project, but by far the biggest feature of the website is an interactive instruction tool. To get the specific commands you need to get Certbot up and running, just input your operating system and webserver. No more searching through pages and pages of documentation or Google search results!
While a new name has the potential for creating technical issues, the Certbot team has worked hard to make this transition as seamless as possible. Packages installed from PyPI, letsencrypt-auto, and third party plugins should all continue to work and receive updates without modification. We expect OS packages to begin using the Certbot name in the next few weeks as well. On many systems, the current client packages will automatically transition to Certbot while continuing to support the letsencrypt command so you won’t have to edit any scripts you’re currently using.”
Oracle has updated pcre (OL7:
Slackware has updated thunderbird
Ubuntu has updated qemu, qemu-kvm
On his blog, Peter Hutterer answers an oft-asked question:
“A recurring question I encounter is the question whether uinput or evdev should be the approach [to] implement some feature the user cares about. This question is unfortunately wrongly framed as uinput and evdev have no real overlap and work independent of each other. This post outlines what the differences are. Note that “evdev” here refers to the kernel API, not to the X.Org evdev driver.
First, the easy flowchart: do you have to create a new virtual device that has a set of specific capabilities? Use uinput. Do you have to read and handle events from an existing device? Use evdev. Do you have to create a device and read events from that device? You (probably) need two processes, one doing the uinput bit, one doing the evdev bit.”
In a blog post that likens software development to cabinetmaking, Havoc Pennington makes the case for cutting corners—but only the right corners:
“Software remains a craft rather than a science, relying on the experience of the craftsperson. Like cabinetmakers, we proceed one step at a time, making judgments about what’s important and what isn’t at each step.
A professional developer does thorough work when it matters, and cuts irrelevant corners that aren’t worth wasting time on. Extremely productive developers don’t have supernatural coding skills; their secret is to write only the code that matters.
How can we do a better job cutting corners? I think we can learn a lot from people building tables and dressers.”
On his blog, Mirko Boehm reports on a multi-day workshop where the Free Software Foundation Europe (FSFE) and the Peng! Collective teamed up to look at new and innovative ways to get out the message about free software.
“These campaigns translate abstract, distant risks or worries into concrete, tangible calls to action. By being provocative, they break the mold and reach a wide audience online and through traditional media. They are “cat content for social change”, as our tutors put it. Campaigners are being urged to stop preaching or complaining, and to start using positive communication combined with subversive PR work instead. Such messaging needs punchlines, which requires some kind of hyperbole – dadaism, hijacking attention, or provocation.” (Thanks to Paul Wise.)
Debian-LTS has updated mplayer
Mageia has updated subversion
Ubuntu has updated lcms2 (14.04: denial of service from 2013), openjdk-7 (15.10, 14.04: multiple vulnerabilities), openjdk-8 (16.04: multiple vulnerabilities), and samba (regression in previous security fix).
Over at the grsecurity forums, Brad Spengler writes about a recently released proof of concept attack on the kernel using JIT spraying. “What happened next was the hardening of the BPF interpreter in grsecurity to prevent such future abuse: the previously-abused arbitrary read/write from the interpreter was now restricted only to the interpreter buffer itself, and the previous warn on invalid BPF instructions was turned into a BUG() to terminate execution of the exploit. I also then developed GRKERNSEC_KSTACKOVERFLOW which killed off the stack overflow class of vulns on x64.
A short time later, there was work being done upstream to extend the use of BPF in the kernel. This new version was called eBPF and it came with a vastly expanded JIT. I immediately saw problems with this new version and noticed that it would be much more difficult to protect — verification was being done against a writable buffer and then translated into another writable buffer in the extended BPF language. This new language allowed not just arbitrary read and write, but arbitrary function calling.”
The protections in the grsecurity kernel will thus prevent this attack. In addition, the newly released RAP feature for grsecurity, which targets the elimination of return-oriented programming (ROP) vulnerabilities in the kernel, will also ensure that “the fear of JIT spraying goes away completely”, he said.
of the X.Org election are in. There were two things up for a vote: four seats on the board of directors and amending the bylaws to join Software in the Public Interest (SPI). Unlike last year’s election, this year’s vote met the required 2/3 approval to join SPI (61 voters out of 65 members, with 54 voting “Yes”, 4 “No”, and 3 “Abstain”). In addition, Egbert Eich, Alex Deucher, Keith Packard, and Bryce Harrington were elected to the board.
openSUSE has updated php5 (13.2: multiple vulnerabilities, including one from 2014).
SUSE has updated php5 (SLE12: multiple vulnerabilities, including one from 2014).
Ubuntu has updated libsoup2.4 (16.04, 15.10, 14.04: regression in previous update), oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities), php5 (15.10: regression in previous update), and thunderbird (multiple vulnerabilities).
On his blog, Sven Brauch has some suggestions on how to use NumPy to process scientific data and how to avoid some pitfalls that will ruin its performance. “In general, copying data is cheap. But if your program simulates 25 million particles, each having a float64 location in 3d, you already have 8*3*25e6 = 600 MB of data. Thus, if you write r = r + v*dt, you will copy 1.2 GB of data around in memory: once 600 MB to calculate v*dt, and again to calculate r+(v*dt), and only then the result is written back to r. This can really become a major bottleneck if you aren’t careful. Fortunately, it is usually easy to circumvent; instead of writing r = r+dv, write r += dv. Instead of a = 3*a + b, write a *= 3; a += b. This avoids the copying completely. For calculating v*dt and adding it to r, the situation is a bit more tricky; one good idea is to just have the unit of v be such that you don’t need to multiply by dt. If that is not possible, it might even be worth it to keep a copy of v which is multiplied by dt already, and update that whenever you update v. This is advantageous if only few v values change per step of your simulation.
I would not recommend writing it like this everywhere though, it’s often not worth the loss in readability; just for really large arrays and when the code is executed frequently.”
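The following is an added example, not code from Sven Brauch's post. It contrasts the copying form `r = r + v*dt` with the in-place forms the post recommends, adds the `out=` variant for the case where `v` changes every step, and shows one failure mode the quote does not mention: an in-place operation cannot change the array's dtype, so `int += float` raises instead of silently converting. NumPy is assumed to be installed; the particle positions and velocities are constructed random data, and all function names are this example's own.

```python
# Added example (not from the quoted post): in-place NumPy updates versus
# expression forms that allocate full-size temporaries.
import numpy as np


def step_copying(r, v, dt):
    """r = r + v*dt: NumPy materialises v*dt, then r + (v*dt), so two
    full-size temporaries are allocated and a brand-new array is returned."""
    return r + v * dt


def step_inplace(r, v_dt):
    """r += v_dt: the ufunc writes straight into r's buffer, no temporary.
    v_dt plays the role of the 'copy of v already multiplied by dt' that the
    post suggests maintaining when only a few v values change per step."""
    r += v_dt
    return r


def step_scratch(r, v, dt, scratch):
    """When v changes every step, compute v*dt into a preallocated scratch
    buffer via out= and add it into r in place: still no new allocation."""
    np.multiply(v, dt, out=scratch)
    r += scratch
    return r


def affine_copying(a, b):
    """a = 3*a + b: allocates 3*a and then the sum."""
    return 3 * a + b


def affine_inplace(a, b):
    """a *= 3; a += b: same result, zero temporaries."""
    a *= 3
    a += b
    return a


def inplace_casting_fails(r_int, dv_float):
    """Caveat: in-place ops keep the left operand's dtype. int64 += float64
    would need an unsafe float->int cast, which NumPy refuses; the error it
    raises is a TypeError subclass. Returns True if that refusal happens."""
    try:
        r_int += dv_float
    except TypeError:
        return True
    return False


def demo(n=1000, dt=0.5):
    """Run every variant on constructed data and report what each did."""
    rng = np.random.default_rng(42)        # constructed sample data
    r = rng.standard_normal((n, 3))
    v = rng.standard_normal((n, 3))
    expected = r + v * dt                  # reference result

    r1 = r.copy()
    out1 = step_copying(r1, v, dt)         # r1 untouched, out1 is new memory

    r2 = r.copy()
    out2 = step_inplace(r2, v * dt)        # r2 itself is updated

    r3 = r.copy()
    scratch = np.empty_like(v)
    out3 = step_scratch(r3, v, dt, scratch)

    a = rng.standard_normal(n)
    b = rng.standard_normal(n)
    aff_expected = affine_copying(a, b)
    aff_inplace = affine_inplace(a.copy(), b)

    return {
        "copying_new_array": out1 is not r1 and not np.shares_memory(out1, r1),
        "inplace_same_object": out2 is r2,
        "scratch_same_object": out3 is r3,
        "all_equal": bool(np.allclose(out1, expected)
                          and np.allclose(out2, expected)
                          and np.allclose(out3, expected)),
        "affine_equal": bool(np.allclose(aff_inplace, aff_expected)),
        "int_inplace_float_raises": inplace_casting_fails(
            np.zeros(3, dtype=np.int64), np.full(3, 0.5)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `out=` form is the general tool behind the post's advice: any ufunc can write into an existing buffer, so a simulation loop can run with every array allocated once up front. The dtype caveat is the practical reason to check `r.dtype` before switching an existing codebase to augmented assignment.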
Over at the Scylla blog, Glauber Costa looks at why a high-performance datastore application might want to do its own I/O scheduling. “If one is using a threaded approach for managing I/O, a thread can be assigned to a different priority group by tools such as ionice. However, ionice only allows us to choose between general concepts like real-time, best-effort and idle. And while Linux will try to preserve fairness among the different actors, that doesn’t allow any fine tuning to take place. Dividing bandwidth among users is a common task in network processing, but it is usually not possible with disk I/O without resorting to infrastructure like cgroups.
More importantly, modern designs like the Seastar framework used by Scylla to build its infrastructure may stay away from threads in favor of a thread-per-core design in the search for better scalability. In the light of these considerations, can a userspace application like Scylla somehow guarantee that all actors are served according to the priorities we would want them to obey?”
Arch Linux has updated lhasa
Debian has updated chromium-browser (multiple vulnerabilities).
Fedora has updated cryptopp (F24: information disclosure), libtasn1 (F24: denial of service), poppler (F23: code execution), qpid-proton (F23: TLS to plaintext downgrade), and samba (F24:
openSUSE has updated java-1_7_0-openjdk (13.1: sandbox bypass).
Over at the Freedom to Tinker blog, guest poster Vitaly Shmatikov, who is a professor at Cornell Tech, writes about his study [PDF] of what URL shortening means for the security and privacy of cloud services.
“TL;DR: short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices. We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.”
Mageia has updated apache-commons-collections (code execution), imlib2 (three vulnerabilities), mercurial (three vulnerabilities), optipng (two vulnerabilities), postgresql (two vulnerabilities), python-pillow (code execution), and thunderbird (unspecified).
SUSE has updated samba (SLE11SP2:
OpenStack Mitaka has been released. “OpenStack Mitaka, the 13th release of the most widely deployed open source software for building clouds, now offers greater manageability and scalability as well as an enhanced end-user experience.
The Mitaka release was designed and built by an international community of 2,336 developers, operators and users from 345 organizations.
OpenStack has become the cloud platform of choice for enterprises and service providers, as an integration engine to manage bare metal, virtual machines, and container orchestration frameworks with a single set of APIs.” More information can be found in the release notes. There is also a press release available.
SUSE has updated rubygem-actionpack-3_2 (SLE11SP4, Webyast 1.3, Studio Onsite 1.3, Lifecycle Management Server 1.3: two vulnerabilities).