
Security: WireGuard, SafeBreach and More

  • WireGuard Snapshot `0.0.20191012` Available
    
    Hello,
    
    A new snapshot, `0.0.20191012`, has been tagged in the git repository.
    
    Please note that this snapshot is a snapshot rather than a final
    release that is considered secure and bug-free. WireGuard is generally
    thought to be fairly stable, and most likely will not crash your
    computer (though it may).  However, as this is a snapshot, it comes
    with no guarantees; it is not applicable for CVEs.
    
    With all that said, if you'd like to test this snapshot out, there are a
    few relevant changes.
    
    == Changes ==
    
      * qemu: bump default version
      * netns: add test for failing 5.3 FIB changes
      
      Kernels 5.3.0 - 5.3.3 crash (and are probably exploitable) via this one-liner:
      
      unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'
      
      We fixed this upstream here:
      
      https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=ca7a03c4175366a92cee0ccc4fec0038c3266e26
      
      This is relevant to WireGuard because a very similar sequence of commands is
      used by wg-quick(8).
      
      So, we've now added some tests to catch this code path in the future. While
      the bug here was a random old use-after-free, the test checks the general
      policy routing setup used by wg-quick(8), so that we make sure this continues
      to work with future kernels.
      
      * noise: recompare stamps after taking write lock
      
      We now recompare counters while holding a write lock.
      
      * netlink: allow preventing creation of new peers when updating
      
      This is a small enhancement for wg-dynamic, so that we can update peers
      without re-adding them if they've already been removed.
      
      * wg-quick: android: use Binder for setting DNS on Android 10
      
      wg-quick(8) for Android now supports Android 10 (Q). We'll be releasing a new
      version of the app for this later today.
    
    This snapshot contains commits from: Jason A. Donenfeld and Nicolas Douma.
    
    As always, the source is available at https://git.zx2c4.com/WireGuard/ and
    information about the project is available at https://www.wireguard.com/ .
    
    This snapshot is available in compressed tarball form here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.xz
      SHA2-256: 93573193c9c1c22fde31eb1729ad428ca39da77a603a3d81561a9816ccecfa8e
      BLAKE2b-256: d7979c453201b9fb6b1ad12092515b27ea6899397637a34f46e74b52b36ddf56
    
    A PGP signature of that file decompressed is available here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.asc
      Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
    
    If you're a snapshot package maintainer, please bump your package version. If
    you're a user, the WireGuard team welcomes any and all feedback on this latest
    snapshot.
    
    Finally, WireGuard development thrives on donations. By popular demand, we
    have a webpage for this: https://www.wireguard.com/donations/
    
    Thank you,
    Jason Donenfeld
    
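Checking a downloaded snapshot against the digests and signature listed above, as an added example that is not part of the announcement or of the WireGuard project's own tooling. It assumes the tarball and its .asc sit in the same directory; the payload in demo() is a constructed stand-in, not the real archive, and note that the signature covers the decompressed .tar while the digests cover the .tar.xz as downloaded.

```python
import hashlib
import lzma
import tempfile
from pathlib import Path

# Digests published in the announcement above for WireGuard-0.0.20191012.tar.xz.
ANNOUNCED = {
    "SHA2-256": "93573193c9c1c22fde31eb1729ad428ca39da77a603a3d81561a9816ccecfa8e",
    "BLAKE2b-256": "d7979c453201b9fb6b1ad12092515b27ea6899397637a34f46e74b52b36ddf56",
}


def digests(data: bytes) -> dict:
    """Both digests the announcement lists, computed over the .tar.xz bytes exactly as downloaded."""
    return {
        "SHA2-256": hashlib.sha256(data).hexdigest(),
        "BLAKE2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def mismatches(data: bytes, announced: dict) -> list:
    """Names of announced digests that disagree with the data; an empty list means every one matched."""
    actual = digests(data)
    return [name for name, want in announced.items() if actual[name] != want.lower()]


def signature_target(tarball_xz: Path) -> Path:
    """The .asc signs the decompressed tarball, so write foo.tar beside foo.tar.xz and return its path."""
    tar_path = tarball_xz.with_suffix("")  # drops only the trailing ".xz"
    tar_path.write_bytes(lzma.decompress(tarball_xz.read_bytes()))
    return tar_path


def gpg_verify_argv(tarball_xz: Path) -> list:
    """Command to run once signature_target() has produced foo.tar; foo.tar.asc sits beside it."""
    tar_path = tarball_xz.with_suffix("")
    asc_path = tar_path.with_name(tar_path.name + ".asc")
    return ["gpg", "--verify", str(asc_path), str(tar_path)]


def demo() -> dict:
    """Constructed stand-in for a download: a tiny xz-compressed payload, checked end to end."""
    payload = b"constructed sample tarball contents, not the real snapshot\n"
    with tempfile.TemporaryDirectory() as tmp:
        xz_path = Path(tmp) / "WireGuard-0.0.20191012.tar.xz"
        data = lzma.compress(payload)
        xz_path.write_bytes(data)
        # The announced values belong to the real tarball, so they must reject this sample,
        # while the sample's own digests must pass, proving the comparison itself works.
        return {
            "real_values_reject_sample": mismatches(data, ANNOUNCED),
            "own_values_accept_sample": mismatches(data, digests(data)),
            "decompressed_matches": signature_target(xz_path).read_bytes() == payload,
            "gpg_argv": gpg_verify_argv(xz_path),
        }
```

For a real download, run gpg_verify_argv() with subprocess only after mismatches() returns an empty list and the signing key fingerprint matches the one in the announcement.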
  • WireGuard 0.0.20191012 Released With Latest Fixes

    WireGuard is still working on transitioning to the Linux kernel's existing crypto API as a faster approach to finally make it into the mainline kernel, but for those using the out-of-tree WireGuard secure VPN tunnel support, a new development release is available.

  • SafeBreach catches vulnerability in controversial HP Touchpoint Analytics software

    Now the feature is embroiled in another minor controversy after security researchers at SafeBreach said they uncovered a new vulnerability. HP Touchpoint Analytics comes preinstalled on many HP devices that run Windows. Every version below 4.1.4.2827 is affected by what SafeBreach found.

    In a blog post, SafeBreach Labs security researcher Peleg Hadar said that because the service is executed as "NT AUTHORITY\SYSTEM," it is afforded extremely powerful permissions that give it wide access.

    "The CVE-2019-6333 vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass, Signature Validation Bypassing," Hadar wrote.

    [...]

    The company has long had to defend HP Touchpoint Analytics against critics who say it gives HP unnecessary access to users' systems. When it first became widely noticed in 2017, dozens of users complained that they had not consented to adding the system.

  • Security Tool Sprawl Reaches Tipping Point
  • How trusted digital certificates complement open source security

    Application developers incorporating open source software into their designs may only discover later that elements of this software have left them (and their customers) exposed to cyber-attacks.

  • Securing the Container Supply Chain

More in Tux Machines

This week in KDE: building up to something big

We’ve got some really big things planned and in progress for Plasma 5.18 and Frameworks, and work proceeds smoothly. None of it is quite done yet, but we did land a number of nice bugfixes and user interface polish for issues that have been irritating people for years…and mere days!

GNOME in Review and Outreachy in GNOME

  • Ten Years Past GNOME's 10x10 Goal, The Linux Desktop Is Still Far From Having A 10% Marketshare [Ed: The desktop itself is on the decline and they're not counting Chromebooks (or misuse the brand "Linux")]

    That very ambitious 10x10 goal is still documented on the GNOME Wiki and is about "10% of the global desktop market." Perhaps in some very select geographic regions, the Linux desktop marketshare may be close to 10%, but on any large scale that goal is still a pipe-dream. [...] In any case, GNOME has advanced a lot over the past decade and particularly the past 2~3 years since Canonical switched back to GNOME Shell by default and has helped in addressing many bugs -- including several high profile performance issues. GNOME 3.34 is a hell of a lot better than the state of GNOME 3.0 from the start of this decade. In reliving GNOME's highlights from the past decade, here is a look at the twenty most viewed GNOME stories since 2010.

  • Outreachy week-2 progress report!

    It was a really productive week. I am almost done with the current tasks. I’ve finished replicating the wire-frame of gnome-builder’s search-and-replace-bar widget into the libdazzle-example application. There are a couple (or maybe a couple more) of final nitpicks to do to actually mark these as finished. At the moment, I am far more comfortable with the project. Nothing seems really alien-ish now; rather, most of the stuff (from the project) looks quite familiar (and imparts a somewhat proper sense).

D9VK 0.40

  • D9VK, the Direct3D9 to Vulkan layer has a huge new 0.40 'Croakacola' release out

    For use with Wine and Steam Play Proton, D9VK is the awesome project based on DXVK which translates Direct3D9 to Vulkan for better performance. A big new release just went out. Codenamed Croakacola, D9VK 0.40 is a big one. D9VK can now use more than 4GB VRAM on 32-bit applications/games, with it being noted to help modded Skyrim/Oblivion and obviously more too. There's also now async presentation across all vendors, some "query flushing" improvements, performance fixes for Risen and Legend of the Heroes: Trails of the Sky, bloom rendering fixes for SpinTyres/Mudrunner and other misc updates.

  • D9VK 0.40 Uses Async Present On All Drivers, Various Other Features + Perf Optimizations

    D9VK 0.40 is out today as the latest feature update to this Direct3D 9 over Vulkan translation layer based on DXVK. D9VK lead developer Joshua Ashton released version 0.40 today as the "Croakacola" release and it includes some big features like for 32-bit applications to be able to utilize more than 4GB of video RAM, which should help Skyrim, Oblivion, and other games.

Graphics: Mesa 20.0 Development, Mir Work and Radeon's Linux Limits

  • Mesa 20.0-devel Intel Gallium3D Performance Benchmarks Are Looking Good For Ice Lake

    While the Mesa 20.0 cycle is quite young and still over one month to go until the feature freeze for this next quarterly installment of these open-source OpenGL/Vulkan Linux drivers, it's quite exciting already with the changes building up. In particular, on the Intel side they are still positioning for the Intel Gallium3D driver to become the new default on hardware of generations Broadwell and newer. Here is a quick look at how the Intel Gallium3D performance is looking compared to their legacy "i965" classic OpenGL driver that is the current default. As you should already know if you've been reading Phoronix for any real length of time, the new Intel Gallium3D driver is quite competitive and for supported generations is generally now ahead of their classic OpenGL driver. The Intel Gallium3D driver supports OpenGL 4.6 like the i965 driver and the lingering bugs are just being addressed before turning it on as the default Intel OpenGL Linux driver while i965 will be sticking around as the default for Haswell and older.

  • Ubuntu's Mir Display Stack Accomplished A Lot In 2019 For Being Discounted Two Years Ago

    Canonical's Alan Griffiths continues leading the Mir efforts, and his team had a very busy 2019 continuing to push along Mir, which, even though it's not featured on the Ubuntu desktop right now, is still playing a big role at the company due to IoT use-cases like digital signage. Griffiths provided a look back at Mir in 2019 on Ubuntu Discourse. Here were some of the highlights:

  • AMD releases the Radeon 5500XT

    Now step forward almost six months and the drivers for the 5700 and 5500 lines still don’t exist. OK sure there are drivers for Ubuntu 18.04.03, and ONLY for Ubuntu 18.04.03, nothing newer.