Security updates have been issued by Arch Linux (bind, libofx, and thunderbird), Debian (thunderbird, xdg-utils, and xen), Fedora (procps-ng), Mageia (gnupg2, mbedtls, pdns, and pdns-recursor), openSUSE (bash, GraphicsMagick, icu, and kernel), Oracle (thunderbird), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and thunderbird), Scientific Linux (thunderbird), and Ubuntu (curl).
Security updates have been issued by Arch Linux (lib32-openssl and zsh), Debian (patch, perl, ruby-loofah, squirrelmail, tiff, and tiff3), Fedora (gnupg2), Gentoo (go), Mageia (firefox, flash-player-plugin, nxagent, puppet, python-paramiko, samba, and thunderbird), Red Hat (flash-plugin), Scientific Linux (python-paramiko), and Ubuntu (patch, perl, and ruby).
The Linux Foundation and Nitrokey have announced
a program whereby anybody who appears in the kernel’s MAINTAINERS file or
who has a
kernel.org email address can obtain a free Nitrokey Start crypto card. The
intent, of course, is that kernel developers will use these devices to
safeguard their GnuPG keys and, as a result, improve the security of the
kernel development process as a whole. “A digital smartcard token
like Nitrokey Start contains a cryptographic chip that is capable of
storing private keys and performing crypto operations directly on the token
itself. Because the key contents never leave the device, the operating
system of the computer into which the token is plugged in is not able to
retrieve the private keys themselves, therefore significantly limiting the
ways in which the keys can be leaked or stolen.”
See this LWN article for a look at crypto cards.
Back in October, LWN reported on a talk
state of the GNU Privacy Guard (GnuPG)
project, an asymmetric public-key encryption and
signing tool that had been almost abandoned by its lead developer due to lack
of resources before receiving a significant infusion of funding and community
attention. GnuPG 2 has brought about a number of changes and
at the same time, several efforts are underway to significantly change the way
GnuPG and OpenPGP are used. This article will look at the current
state of GnuPG and the OpenPGP web of trust, as compared to new implementations
of the OpenPGP standard and other trust systems.
Linux Foundation Director of IT infrastructure security, Konstantin Ryabitsev, has put together a lengthy guide to using Git and PGP to protect the integrity of source code. In a Google+ post, he called it “beta quality” and asked for help with corrections and fixes. “PGP incorporates a trust delegation mechanism known as the ‘Web of Trust.’ At its core, this is an attempt to replace the need for centralized Certification Authorities of the HTTPS/TLS world. Instead of various software makers dictating who should be your trusted certifying entity, PGP leaves this responsibility to each user.
Unfortunately, very few people understand how the Web of Trust works, and even fewer bother to keep it going. It remains an important aspect of the OpenPGP specification, but recent versions of GnuPG (2.2 and above) have implemented an alternative mechanism called ‘Trust on First Use’ (TOFU).
You can think of TOFU as ‘the SSH-like approach to trust.’ With SSH, the first time you connect to a remote system, its key fingerprint is recorded and remembered. If the key changes in the future, the SSH client will alert you and refuse to connect, forcing you to make a decision on whether you choose to trust the changed key or not.
Similarly, the first time you import someone’s PGP key, it is assumed to be trusted. If at any point in the future GnuPG comes across another key with the same identity, both the previously imported key and the new key will be marked as invalid and you will need to manually figure out which one to keep.
In this guide, we will be using the TOFU trust model.”
The GNU Privacy Guard (GnuPG) is one of the
fundamental tools that allows a distributed group to
have trust in its communications. Werner Koch, lead developer of GnuPG,
spoke about it
at Kernel Recipes: what’s in the new 2.2 version, when older versions
will reach their end of life, and how development will proceed going forward.
He also spoke at some length on the issue of best-practice key management
and how GnuPG is evolving to assist. Subscribers can click below for a
report on the talk by guest author Tom Yates.
Security updates have been issued by Debian (enigmail, gnupg, libgd2, libidn, libidn2-0, mercurial, and strongswan), Fedora (gd, libidn2, mbedtls, mingw-openjpeg2, openjpeg2, and xen), Mageia (apache-commons-email, botan, iceape, poppler, rt/perl-Encode, samba, and wireshark), and openSUSE (expat, freerdp, git, libzypp, and php7).
Security updates have been issued by Debian (connman, faad2, gnupg, imagemagick, libdbd-mysql-perl, mercurial, and php5), openSUSE (postgresql93 and samba and resource-agents), Oracle (poppler), Scientific Linux (poppler), SUSE (firefox and php7), and Ubuntu (pyjwt).
Version 2.2.0 of the GNU Privacy Guard is out; this is the beginning of a
new long-term stable series. Changes in this release are mostly minor, but
it does now install as gpg rather than gpg2, and it will
automatically fetch keys from keyservers by default. “Note: this enables keyserver and Web Key Directory operators to
notice when you intend to encrypt to a mail address without having
the key locally. This new behaviour will eventually make key
discovery much easier and mostly automatic.”
Security updates have been issued by Debian (varnish), Fedora (gcc, gcc-python-plugin, libtool, mingw-c-ares, and php-PHPMailer), Red Hat (bash, curl, evince, freeradius, gdm and gnome-session, ghostscript, git, glibc, golang, GStreamer, gtk-vnc, kernel, kernel-rt, libtasn1, mariadb, openldap, openssh, pidgin, postgresql, python, qemu-kvm, qemu-kvm-rhev, samba, tigervnc and fltk, tomcat, and X.org X11 libraries), Slackware (gnupg), and Ubuntu (apache2, lxc, and webkit2gtk).
The GnuPG Project has announced the availability of Libgcrypt 1.8.0.
“This is a new stable version of Libgcrypt with full API
and ABI compatibility to the 1.7 series. Its main features are support
Blake-2, XTS mode, an improved RNG, and performance improvements for the