Security Leftovers (2019-07-30)
Security updates for Friday
Security updates have been issued by Debian (firefox-esr and thunderbird), openSUSE (openexr and rmt-server), Oracle (bind, container-tools:rhel8, cyrus-imapd, dotnet, edk2, firefox, flatpak, freeradius:3.0, ghostscript, gvfs, httpd:2.4, java-1.8.0-openjdk, java-11-openjdk, kernel, mod_auth_mellon, pacemaker, pki-deps:10.6, python-jinja2, python27:2.7, python3, python36:3.6, systemd, thunderbird, vim, virt:rhel, WALinuxAgent, and wget), Slackware (mariadb), SUSE (java-1_8_0-openjdk, polkit, and python-Django1), and Ubuntu (Sigil and sox).
Securing BGP on the host with the RPKI
An increasingly popular design for a data-center network is BGP on the host: each host ships with a BGP daemon to advertise the IPs it handles and receives the routes to its fellow servers. Compared to an L2-based design, it is very scalable, resilient, cross-vendor and safe to operate. Take a look at “L3 routing to the hypervisor with BGP” for a usage example.
On the Internet, BGP mostly relies on trust. This contributes to various incidents, whether caused by operator errors, like the one that affected Cloudflare a few months ago, or by malicious attackers, like the hijack of Amazon DNS to steal cryptocurrency wallets. RFC 7454 explains the best practices to avoid such issues.
People often use AS sets, like AS-APPLE in this example, as they are convenient if you have multiple AS numbers or customers. However, there is currently nothing preventing a rogue actor from adding arbitrary AS numbers to their AS set.
IP addresses are allocated by five Regional Internet Registries (RIRs). Each of them maintains a database of the assigned Internet resources, notably the IP addresses and the associated AS numbers. These databases may not be totally reliable, but they are widely used to build ACLs ensuring peers only announce the prefixes they are expected to. Here is an example of ACLs generated by bgpq3 when peering directly with Apple:
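The bgpq3 output the excerpt refers to is not reproduced here. As an added example that is not part of the original article, this is the RPKI check behind its title: route origin validation as specified in RFC 6811, run against a constructed set of ROAs (documentation prefixes and private AS numbers, all of them assumptions) and applied with the common policy of dropping only announcements that a ROA proves invalid.

```python
"""RFC 6811 route origin validation against a constructed set of ROAs."""
import ipaddress
from collections import namedtuple

# A ROA (Route Origin Authorization) binds a prefix and a maximum prefix
# length to the AS allowed to originate it. Constructed sample data only:
# RFC 5737/3849 documentation prefixes and RFC 6996 private AS numbers.
Roa = namedtuple("Roa", "prefix max_length asn")
SAMPLE_ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    Roa(ipaddress.ip_network("198.51.100.0/24"), 26, 64497),
    Roa(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]


def validate_origin(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Return 'valid', 'invalid' or 'notfound' for one announcement.

    A ROA covers the route when its prefix contains the announced one; it
    matches when the origin AS equals the ROA's AS and the announced length
    is within max_length. Any match is valid; coverage with no match is
    invalid (wrong origin, or a more-specific beyond max_length).
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    if any(r.asn == origin_asn and route.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def filter_routes(announcements, roas=SAMPLE_ROAS):
    """Usual policy: drop invalid, keep valid and notfound.
    Returns (accepted, rejected) as lists of (prefix, asn, state)."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        (rejected if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements: exact match, too-specific, wrong origin, no ROA.
    demo = [("192.0.2.0/24", 64496), ("192.0.2.128/25", 64496),
            ("192.0.2.0/24", 64511), ("203.0.113.0/24", 64496)]
    for bucket, routes in zip(("accepted", "rejected"), filter_routes(demo)):
        for entry in routes:
            print(bucket, *entry)
```

Note that the "notfound" state is accepted: RPKI only rejects what a ROA contradicts, so prefixes without any ROA still depend on the IRR-based ACLs described above.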
Fernando ‘Corby’ Corbató
Fernando “Corby” Corbató lived long enough to curse his most famous invention: the computer password. In 1961 he adapted the ancient system of secret codes almost as an afterthought for his truly groundbreaking invention: the ability for several people to simultaneously use the same computer — in those days room-sized elephants — remotely. But five years ago he admitted that passwords had become “a nightmare”. For a while he carried round three sheets of closely typed paper with his own collection of 150 codes. He eventually entrusted them to an electronic file.
Linux Developer Conference Brazil 2019
We're very excited to be once again attending, and sponsoring, Linux Developer Conference Brazil, taking place this weekend in São Paulo, Brazil! Already in its third year, Linux Developer Conference Brazil aims to take the Brazilian Linux development community to the international level. Whether you are just curious and want to understand the Linux ecosystem, or are someone seeking to contribute to FOSS projects, or even a seasoned collaborator, this conference is for you. Collaborans will be giving three workshops and six presentations, and will also take part in, and moderate, a panel discussion. You can find the complete details below.
AMD and Intel Linux Development
Programming: Curl, BBC Microbit, Qt Creator 4.10 RC and More
What's new in OpenXR 1.0 & Monado?
As part of its unwavering commitment to open source and open standards, Collabora is proud to be part of bringing the recently-released OpenXR 1.0 to life. We are pioneering the Monado open source runtime for OpenXR to ensure the future of XR is truly open and accessible to all hardware vendors. As the OpenXR specification editor, I am grateful for the diligent efforts of the working group, as well as the community feedback that shaped this release. There have been a lot of changes since the last post about OpenXR and Monado. On the working group, we've brought the concerns of the open source and Linux communities to the working group. We have worked to improve the loader and provided API layers in both cross-platform and Linux-specific ways, together with the Monado community. As specification editor, I developed or enhanced a variety of specification-related tooling to ensure a continuous standard for consistency and high quality in the specification text and registry. For example, xml_consistency uses specification-specific "business logic" to check the internal consistency of the XML registry. Among other things, it compares the return codes listed for a function with those inferred from parameter types, and raises an error if an expected code is missing or an existing code seems unnecessary. The comprehensive check_spec_links tool processes the AsciiDoctor source of the specification, ensuring that the spec-specific markup macros are used correctly, that all members and parameters are documented, that all entities referred to actually exist and are spelled correctly, and more.
