Security: Patches, QualPwn, Overhyped KDE 'Threat' and FUD About VLC
2019-08-05
Security updates for Wednesday
Security updates have been issued by Fedora (hostapd), openSUSE (aubio and spamassassin), Oracle (kernel), Red Hat (augeas, kernel-rt, libssh2, perl, procps-ng, redis:5, and systemd), SUSE (bzip2, evince, kernel, linux-azure, nodejs4, nodejs8, osc, python, python-Twisted, and python3), and Ubuntu (BWA and Mercurial).
QualPwn – Exploiting Qualcomm Snapdragon via WLAN Wifi and Modem Over The Air
Researchers discovered the QualPwn vulnerabilities in February and March this year and responsibly reported them to Qualcomm, who then released patches in June and notified OEMs, including Google and Samsung.
Google just yesterday released security patches for these vulnerabilities as part of its Android Security Bulletin for August 2019. So, you are advised to install the security patches as soon as they are available.
Since Android phones are infamously slow to get patch updates, researchers have decided not to disclose complete technical details or any PoC exploit for these vulnerabilities anytime soon, giving end-users enough time to receive updates from their device manufacturers.
KDE4/5 Zero-Day Vulnerability Alert! [Ed: Many steps are needed here (in order to cause actual harm), including pursuing rogue files from untrusted sources. Linux-hostile sites promoted this nonsense, overhyping it.]
An unpatched zero-day vulnerability exists in KDE 4 & 5 that could allow attackers to execute code simply by tricking a user into downloading an archive, extracting it, and then opening the folder.
What we Can Learn from the Recent VLC Security Vulnerability Fiasco: A Conversation with VideoLAN President Jean-Baptiste Kempf
About a week ago, the LinuxSecurity staff started tracking a security issue related to VLC, the popular open source media player. Security vulnerabilities are a regular part of the software development lifecycle. These vulnerabilities are identified, then a solution is created and distributed to its users. In this case, it wasn’t completely clear whether that’s what happened, though. We decided to find out.
On July 23rd, CERT-Bund published a security advisory for the popular open-source VLC media player for a vulnerability that had been fixed for the past 16 months. In the advisory, CERT-Bund warned that VLC media player version 3.0.7.1, the latest build available, contained a critical security vulnerability with a CVSS score of 9.8 out of 10. This warning indicated that the security flaw did not require privilege escalation to exploit.
It is now evident that many aspects of CERT-Bund’s advisory were incorrect. While a vulnerability did exist, it is in a third-party library rather than in VLC itself, contrary to what security experts indicated. It was also fixed over a year ago. The security researcher who reported the vulnerability was using Ubuntu version 18.04, which ships an older, unpatched version of the libebml library. As long as users have VLC 3.0.3 or newer installed, they are protected from the vulnerability. Once the correct information about the security bug was revealed, NIST downgraded the vulnerability’s rating to 5.5 (Medium).
Programming Leftovers
Top 4 Best Blogging Software for Linux in 2019
In the last few years, blogging has become a popular way of sharing one’s thoughts about almost anything. While people use blogs to express themselves, businesses go with blogging to cement their position as a competent authority in their area of operations. Over the past years, many have taken up blogging, as various blogging software makes it as simple and straightforward as possible. Now, you can create a blog site even if you lack technical skills such as coding and web development. Today, blogging software is being created for every operating system, not just for Windows and Mac. Since bloggers who want to make themselves heard are using different operating systems, it is essential to help you identify the best blogging software for Linux as well. Here are the top four blogging software packages for Linux.
Also: RV Offsite Backup Update
Matthias Clasen: Pango 1.44 wrap-up
In my last post discussing changes in Pango 1.44, I asked for feedback. We’ve received some; thanks to everybody who reported issues! We tried to address some of the fallout in several follow-up releases. I’ll do a 1.44.4 release with the last round of fixes before too long. Here is a summary.
