Navigation

Language Selection

Search

CVE patching is not making your Linux secure

Submitted by Roy Schestowitz on Tuesday 10th of December 2019 08:29:16 PM Filed under

Security

Would you like to enhance your Linux security? Do you wonder what factors should be considered when evaluating your open source security from both – the infrastructure and the application perspectives? Are you keen to learn the Ubuntu security team approach? I’ve learned that CVE patching is indeed an important puzzle, but without a structured approach, professional tools and well-defined processes in place, your Linux environment will not be secure.

What do Linux security experts say?

I got inspired by all these questions during the Open Source Security Summit, which was followed by the Linux Security Summit. I really enjoyed a week full of keynotes, workshops and meaningful conversations. So much so that, in my notebook, I noted down some really good quotes about the Linux security. For instance, Kelly Hammond from Intel opened her keynote by saying that “security is like doing the laundry or the dishes – it’s never done”.

Linux security is more complicated than fixing CVEs

Fixing CVEs is a continuous job that all Linux security teams focus on. In his keynote, Greg Kroah-Hartman from the Linux Foundation looked at this problem from the kernel perspective. In his exact words “CVEs mean nothing for the kernel” because very few CVEs are ever going to be assigned for the kernel. A stable Linux kernel receives 22-25 patches every day without any CVE process involved. So Greg’s position on the Linux security comes down to always using the latest stable kernel and not worrying about CVEs.

Also: Security updates for Tuesday

Login or register to post comments
Printer-friendly version
1441 reads
PDF version

More in Tux Machines

XFS - Online Filesystem Checking

Since Linux 4.17, I have been working on an online filesystem checking feature for XFS. As I mentioned in the previous update, the online fsck tool (named xfs_scrub) walks all internal filesystem metadata records. Each record is checked for obvious corruptions before being cross-referenced with all other metadata in the filesystem. If problems are found, they are reported to the system administrator through both xfs_scrub and the health reporting system. As of Linux 5.3 and xfsprogs 5.3, online checking is feature complete and has entered the stabilization and performance optimization stage. For the moment it remains tagged experimental, though it should be stable. We seek early adopters to try out this new functionality and give us feedback.

Linux 5.5 RC7

Linux 5.5-rc7

Well, things picked up at the end of the week, with half of my merges
happening in the last two days.

Whether that is the usual "send the weeks work to Linus on Friday", or
a sign that things are just picking up in general after the holidays,
I don't know.  If the former, I'll probably just release the final 5.5
next week. But if it looks like there's pent-up fixes pending next
week, I'll make another rc.

Nothing in here looks particularly odd. Drivers is about half of the
patch (networking, sound, gpio, gpu, scsi, usb, you name it), with the
rest being the usual mix - arch, networking, filesystems, core
kernel..  The diffstat looks mostly fairly nice and flat, with a
couple of exceptions that look harmless (a few device tree file
updates, some pure code movemment, and a couple of driver fixes that
ended up changing calling conventions to get done and as a result got
to be more lines than the bug otherwise would have merited).

Please do test, there should be nothing scary going on.

              Linus

Kernel prepatch 5.5-rc7

The 5.5-rc7 kernel prepatch is out. Linus is still unsure whether the final 5.5 release will come out next week or not: "if it looks like there's pent-up fixes pending next week, I'll make another rc".
Linux 5.5-rc7 Kernel Released

The seventh weekly release candidate to Linux 5.5 is now available for testing. Linus noted with Linux 5.5-rc7 there was a large uptick in patch volume at week's end. "Well, things picked up at the end of the week, with half of my merges happening in the last two days." Due to the recent holidays in large part, it's possible an eighth release candidate may be needed for Linux 5.5 before then releasing the kernel as stable on 2 February. However, in today's 5.5-rc7 announcement, Torvalds noted he may just end up releasing 5.5 stable next week. In any case, the release of Linux 5.5 is right on the horizon and this should be the kernel powering Ubuntu 20.04 LTS and other upcoming distribution releases.

GNU Make 4.3 Released!

The next stable version of GNU make, version 4.3, has been released and is available for download from https://ftp.gnu.org/gnu/make/ Please see the NEWS file that comes with the GNU make distribution for details on user-visible changes. Also: GNU Make 4.3 Released With Performance Improvements, Newer GNU libc + Musl Support

Kernel: Zhaoxin, Arch Linux's Zen and WireGuard in Linux 5.6

Zhaoxin 7-Series x86 CPUs Mitigated For Spectre V2 + SWAPGS

When it comes to the Zhaoxin x86-compatible processors coming out of VIA's joint venture in Shanghai, their forthcoming 7-series (KX-7000) has hardware mitigations in place for some CPU vulnerabilities. We haven't heard much about these Chinese x86 CPUs with regards to speculative execution vulnerabilities but it appears the pre-7-Series is vulnerable to Spectre Variant Two and at least SWAPGS. But with their 7-series, hardware mitigations appear to be in place.
Benchmarks Of Arch Linux's Zen Kernel Flavor

Following the recent Linux kernel tests of Liquorix and other scheduler discussions (and more), some requests from premium supporters rolled in for seeing the performance of Arch Linux's Zen kernel package against the generic kernel. Here are those benchmark results. These are some benchmarks I recently did on the AMD Ryzen Threadripper 3970X while running EndeavourOS. Tests were done with its default Linux 5.4.8-arch1 kernel compared to the same kernel revision but using Arch's Zen kernel flavor. That is Arch's spin of the Zen-kernel patches (not to be confused with AMD Zen).
Intel's ConnMan Is Ready With WireGuard Support

In addition to NetworkManager having good WireGuard support in advance of this secure VPN tunnel tech landing with the Linux 5.6 kernel, Intel's ConnMan software is also ready with supporting WireGuard. Intel's ConnMan hasn't seen a new tagged release in nearly one year but over the past two months in the Git development code WireGuard support has materialized. ConnMan, as a reminder, is the Intel-led effort for providing an Internet connection manager on Linux designed for embedded/mobile use-cases that dates back to their Moblin days.

Latest News

Programming Leftovers: Python, Perl, Rust and More

Keep a journal of your activities with this Python program

Last year, I brought you 19 days of new (to you) productivity tools for 2019. This year, I'm taking a different approach: building an environment that will allow you to be more productive in the new year, using tools you may or may not already be using.
Perl Weekly Challenge 43: Olympic Rings and Self-Descripting Numbers

These are some answers to the Week 43 of the Perl Weekly Challenge organized by Mohammad S. Anwar. Spoiler Alert: This weekly challenge deadline is due in a couple of days (January 19, 2020). This blog post offers some solutions to this challenge, please don’t read on if you intend to complete the challenge on your own.
SaltStack Introduces Plugin Oriented Programming with New Open-Source Innovation Modules to Power Scalable Automation and Artificial Intelligence
JFrog Launches Free ConanCenter to Improve C/C++ DevOps Package Search and Discovery English

JFrog, the Universal DevOps technology leader known for enabling liquid software via continuous updates, announces today the launch of the free ConanCenter, enabling better search and discovery while streamlining C/C++ package management. Conan is an open-source, decentralized, and multi-platform package manager for developers to create and share native binaries.
Rav1e Kicks Off 2020 With Speed Improvements For Rust-Based AV1 Encoding

Xiph.org's Rustlang-written "Rav1e" AV1 video encoder is back on track with delivering weekly pre-releases after missing them over the past month due to the holidays. With Rav1e p20200115 are not only performance improvements but also binary side and build speed enhancements. The new Rav1e pre-release should be roughly 30% faster while also delivering slight enhancements to the image quality at the highest speed (10). That's a winning combination with speed and image quality improvements together!
RPushbullet 0.3.3

Release 0.3.3 of the RPushbullet package just got to CRAN. RPushbullet offers an interface to the neat Pushbullet service for inter-device messaging, communication, and more. It lets you easily send (programmatic) alerts like the one to the left to your browser, phone, tablet, … – or all at once. This release further robustifies operations via two contributed PRs. The first by Chan-Yub ensures we set UTF-8 encoding on pushes. The second by Alexandre permits to downgrade from http/2 to http/1.1 which he needed for some operations with a particular backend. I made that PR a bit more general by turning the downgrade into one driven by a new options() toggle. Special thanks also to Jeroen in help debugging this issue. See below for more details.

today's howtos

Review: Zorin 15.1 "Lite"

Zorin OS is an Ubuntu-based operating system that aims to make Linux easy for Windows and macOS users. In the words of Zorin, it is "the alternative to Windows and macOS designed to make your computer faster, more powerful, secure and privacy respecting". Zorin's main product is the paid-for "Ultimate" edition, which will set you back €39 and comes with macOS, Windows, Linux and "Touch" layouts (i.e. themes) as well as a relatively large collection of software and "installation support". Other editions of Zorin are free but come with less pre-installed software and fewer desktop layouts. For this review I dusted off a MacBook that dates from late 2009 and installed the "Lite" edition which, as the name suggests, is designed to breathe new life into older hardware. The laptop is one of the plastic, white MacBooks. It has an Intel Core 2 Duo CPU and 4GB of RAM - I doubled the amount of RAM a few months ago. The laptop has mostly been running Fedora with the MATE desktop and the i3 window manager as an alternative environment, both of which ran fine. Zorin's Lite edition uses Xfce as the desktop environment. First impressions and installation Zorin's website is either modern and clean or yet another bootstrap site, depending on your view. There are just three links in the navigation menu: Download, Computers and Help (the Computers section links to vendors that sell laptops with Zorin pre-installed). The Download section lists Zorin's Ultimate edition first, followed by the Core, Lite and Education editions. Clicking any of the Download links for the free versions triggers a "Sign up to our newsletter & Download" pop-up window featuring a huge "Sign up & Download" button and a very small "Skip to download" link. I am not a fan of this type of marketing. I don't mind that they ask if I maybe want to sign up to their mailing list, but I take issue with the fact that the dialogue window has been designed to make the "No thanks" option easy to miss. Such marketing techniques assume that users need to be tricked into signing up to receiving marketing materials, which reflects poorly on the project as a whole.

Syndication & Social Media

Follow the site via RSS/Twitter.

Full RSS:

RSS feeds for particular topics are also available

Twitter:

Content (where original) is available under CC-BY-SA, copyrighted by original author/s.

Support Tux Machines

Help Support TM
Wall of Appreciation

Softpedia News

Gizmoz

LXer

Linux Today

LinuxSecurity.com Advisories

Debian

It's FOSS

OMG! Ubuntu!

GamingOnLinux

Slashdot

DW Latest Releases

DistroWatch

More on Tux Machines: About ● Gallery ● Forum ● Blogs ● Search ● News ● RSS Feed

Part of Bytes Media ● Sister sites below.

FSF

Ubuntu Buzz

LinuxLinks

Content available under CC-BY-SA