Security: Updates, Containers, Compilers and More
Security updates for Wednesday
Containers pose security risks, but mitigation isn't tough: Lees
Recent concerns over the security offered by containers are not unjustified, the chief technologist for Germany-based SUSE in the Asia-Pacific says, adding however that there are a lot of operational things that could be done to mitigate the risk.
Peter Lees told iTWire in response to queries that the whole point of containers was to be able to get new functionality out quickly. "And in modern development that often means gluing together micro-services from many different sources, which in turn could mean that the ultimate source of those functions may not have been vetted," he said.
Container security was in the limelight in April when the credentials of some 190,000 account holders at Docker Hub, the official repository for Docker container images, were exposed due to "a brief moment of unauthorised access".
Ubuntu 19.10 To Harden Its Compiler With Stack Clash Protection & Intel CET
In addition to discontinuing i386 support, Canonical announced another change being worked on for Ubuntu 19.10 is compiler hardening.
In the name of increased security, their GCC 9 compiler for Ubuntu 19.10 will have some additional tunables enabled: -fstack-clash-protection and -fcf-protection.
Stack clash protection is designed to fend off stack clash attacks by probing each page of a large stack allocation at allocation time, so that an attempt to skip over the guard page results, ideally, in nothing worse than a segmentation fault.
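Of the two GCC flags named above, only -fcf-protection leaves a trace in the finished binary: the linker records the Intel CET features (IBT and SHSTK) as a GNU property note, which is what `readelf -n` prints as "x86 feature: IBT, SHSTK". Stack clash protection shows up only as probe instructions in the code and has no such marker. The following parser, added here as an example and not code from the article, Canonical or GCC, reads a raw `.note.gnu.property` section (assumed to have been extracted first, for instance with `objcopy --dump-section .note.gnu.property=props.bin a.out`) and reports which CET bits a build actually carries, so a deployment can verify that the hardening it expects was applied rather than trusting the package description. The constants are the values from the GNU ABI extension; the sample blob used at the bottom is constructed inline for demonstration.

```python
"""Report Intel CET features (IBT, SHSTK) recorded in an ELF .note.gnu.property blob.

Added example (not the article's or GCC's own code). Assumes the caller has
already extracted the raw section bytes, e.g.:
    objcopy --dump-section .note.gnu.property=props.bin a.out
"""
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5                 # note type carrying GNU properties
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002  # property type for x86 feature bits
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0      # indirect branch tracking
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1    # shadow stack


def _align(n, a):
    """Round n up to a multiple of a (a is a power of two)."""
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_notes(blob, align=8):
    """Return a list of (pr_type, pr_data) pairs from every NT_GNU_PROPERTY_TYPE_0 note.

    ELF64 pads the note name and each property to 8 bytes; ELF32 uses 4
    (pass align=4). Notes with another type or owner are skipped.
    """
    props = []
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz]
        off += _align(namesz, align)
        desc = blob[off:off + descsz]
        off += _align(descsz, align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        d = 0
        while d + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            d += 8
            props.append((pr_type, desc[d:d + pr_datasz]))
            d += _align(pr_datasz, align)
    return props


def cet_status(blob, align=8):
    """Return {'ibt': bool, 'shstk': bool}; both False if no x86 feature property exists."""
    status = {"ibt": False, "shstk": False}
    for pr_type, data in parse_gnu_property_notes(blob, align):
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and len(data) >= 4:
            bits = struct.unpack("<I", data[:4])[0]
            status["ibt"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
            status["shstk"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
    return status


def build_property_note(feature_bits, align=8):
    """Construct a minimal ELF64 .note.gnu.property blob (sample input for demos/tests)."""
    name = b"GNU\0"
    pr_data = struct.pack("<I", feature_bits)
    prop = struct.pack("<II", GNU_PROPERTY_X86_FEATURE_1_AND, len(pr_data)) + pr_data
    prop += b"\0" * (_align(len(prop), align) - len(prop))
    hdr = struct.pack("<III", len(name), len(prop), NT_GNU_PROPERTY_TYPE_0)
    return hdr + name + b"\0" * (_align(len(name), align) - len(name)) + prop


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass the extracted section file on the command line.
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        # Constructed sample: what a -fcf-protection=full build records.
        blob = build_property_note(GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK)
    print(cet_status(blob))
```

Cross-check the result against `readelf -n` on the same binary; a build that lacks the note entirely reports both features as False, which is the case to look for when auditing whether a package really was rebuilt with the new defaults.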
What Red Hat OpenShift Online and OpenShift Dedicated customers should know about June 2019 kernel network stack flaws
Netflix Finds Bug That Creates Linux Kernel Panic
Docker Is Porting Its Container Platform to Microsoft Windows Subsystem for Linux 2, Ubuntu 19.10 Will Drop 32-Bit Builds, Children of Morta Still Coming to Linux and Vulnerabilities Discovered in the Linux TCP System
Security researchers at Netflix uncovered some troubling security vulnerabilities in the Linux (and FreeBSD) TCP subsystem, the worst of which is being called SACK. It can permit remote attackers to induce a kernel panic on a Linux system. Patches are available for affected Linux distributions.
