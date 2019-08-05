Security: Patches, KDE and CNCF Audit
-
Security updates for Thursday
Security updates have been issued by Arch Linux (exim, python-django, python2-django, and sdl2), Debian (proftpd-dfsg), Fedora (php and sqlite), openSUSE (proftpd), Red Hat (kernel), Slackware (kdelibs), SUSE (nodejs10, squid, and tcpdump), and Ubuntu (php5 and ruby-rack).
-
KDE rips out ability for KConfig to run shell code [Ed: This is hardly a threat unless you download and then tamper with malicious files from arbitrary, untrusted sources]
KDE has fixed a vulnerability in KDE Frameworks that allowed malicious code execution simply by viewing a .desktop file, by removing the exploited feature altogether.
Earlier this week, security researcher Dominik Penner published a proof of concept showing how users could be compromised simply by viewing a malicious .desktop file in the KDE file browser; .desktop files are typically used to define the icon shown for a file or directory.
The researcher did not notify KDE before publicly disclosing the vulnerability.
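The excerpt above does not say which KConfig feature was removed. As background not stated on the page: KConfig lets a key be written as `Key[$e]=value` to request expansion of `$VAR` in the value, and before the fix that expansion also honoured `$(command)`, which is what KDE ripped out. The following scanner, an added example that is not KDE's code or the researcher's proof of concept, parses .desktop and .directory files in the usual INI-like layout and flags `[$e]` entries whose value contains a command substitution, so downloaded entries can be triaged before a file manager ever reads them. The sample files are constructed for this example.

```python
"""Flag .desktop / .directory entries that would have triggered KConfig's
shell-command expansion.  Added example for this page, not KDE code.

Assumption (KConfig syntax, not stated on the page): a key written as
    Key[$e]=value
asks KConfig to expand $VAR / ${VAR} in the value, and before the fix
also $(command).  Only the $(...) form is a code-execution vector.
"""
import re
from typing import Dict, List, Tuple

# A key may carry several markers, e.g. Name[de][$e]=... ; capture them all.
_KEY_RE = re.compile(r"^([A-Za-z0-9-]+)((?:\[[^\]]*\])*)\s*=(.*)$")
# Command substitution: $(cmd) or legacy backticks.
_CMD_RE = re.compile(r"\$\(|`")


def parse_desktop(text: str) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Return {section: [(key, value, expand_flag), ...]}.

    expand_flag is True when the key carries the [$e] marker.
    """
    sections: Dict[str, List[Tuple[str, str, bool]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue  # malformed line; ignored, as a config parser would
        key, markers, value = m.group(1), m.group(2), m.group(3).strip()
        sections.setdefault(current, []).append((key, value, "[$e]" in markers))
    return sections


def find_shell_expansions(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every [$e] entry whose value
    contains a command substitution."""
    hits: List[Tuple[str, str, str]] = []
    for section, entries in parse_desktop(text).items():
        for key, value, expand in entries:
            if expand and _CMD_RE.search(value):
                hits.append((section, key, value))
    return hits


# Constructed sample files (not the published proof of concept).
BENIGN = """\
[Desktop Entry]
Type=Application
Name=Editor
Icon[$e]=$HOME/.icons/editor.png
Exec=editor %f
"""

SUSPICIOUS = """\
[Desktop Entry]
Type=Directory
Name=Photos
# Command substitution in an expanded key: would run when the entry is read.
Icon[$e]=$(id)
Comment[en][$e]=`id`
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, find_shell_expansions(text))
```

Plain `$HOME`-style expansion is left alone on purpose: it is still supported after the fix and is the legitimate use of `[$e]`, so flagging it would only produce noise.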
-
Captain, we've detected a disturbance in space-time. It's coming from Earth. Someone audited the Kubernetes source
The Cloud Native Computing Foundation (CNCF) today released a security audit of Kubernetes, the widely used container orchestration software, and the findings are about what you'd expect for a project with about two million lines of code: there are plenty of flaws that need to be addressed.
The CNCF engaged two security firms, Trail of Bits and Atredis Partners, to poke around Kubernetes code over the course of four months. The companies looked at Kubernetes components involved in networking, cryptography, authentication, authorization, secrets management, and multi-tenancy.
Having identified 34 vulnerabilities – 4 high severity, 15 medium severity, 8 low severity and 7 informational severity – the Trail of Bits report advises project developers to rely more on standard libraries, to avoid custom parsers and specialized configuration systems, to choose "sane defaults," and to ensure correct filesystem and kernel interactions prior to performing operations.
-
Kubernetes reports the results of its open-source security audit
Unless you've been living under a rock, hardly a day goes by anymore without a new software security problem popping up. The folks at the Cloud Native Computing Foundation (CNCF) certainly have noticed. So, when it came time to give Kubernetes, the most important container orchestration program, a security audit, the CNCF tried an open-source approach for checking it for security problems.
This wasn't a new idea. That credit goes to the Core Infrastructure Initiative (CII) Best Practices Badge program. Open-source projects that get this badge must show they follow security best practices. The CII used this approach on three other projects: CoreDNS, Envoy, and Prometheus. Then, it used it on the big one: Kubernetes.
-