Security: systemd, Elector app, IPFire, Patches, "Myths and Facts" (FUD)
Limit the impact of security compromises with systemd security directives
Three weeks ago, I wrote systemd service sandboxing and security hardening 101: an introduction to Linux security features for service processes managed by systemd.
This week, I’ll explore how you can use some of the more advanced security features offered by systemd. You’ll want to read the 101-introduction before proceeding with this article.
Last week, researchers at Qualys disclosed a remote code execution (RCE) vulnerability in OpenSMTPD: an open-source email server. This seems like an opportune time to make sure you’ve locked down this service. It will serve as our example service for this tutorial.
Most parts of OpenSMTPD are designed to run in unprivileged processes. However, this was a “worst-case scenario”, as Gilles Chehade put it. The vulnerability lets attackers execute remote commands with full administrative privileges. Remotely executed arbitrary code running rampant is the last thing you want on your email server.
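As an added illustration of the kind of systemd directives the tutorial above is about (this is not code from the article or from the OpenSMTPD project), here is a drop-in that confines a mail daemon so that a process compromised through a bug like the one described cannot write outside its spool, gain new privileges, reach kernel interfaces, or map writable-and-executable memory. All directives are documented in systemd.exec(5); the unit name, the spool path and the capability list are assumptions and must be checked against the real service on the host.

```ini
# /etc/systemd/system/opensmtpd.service.d/hardening.conf
# Added example drop-in (unit name assumed). systemd unit files only accept
# comments on their own lines, never after a value, so each note sits above
# the directive it explains.
[Service]
# Mount the file system read-only for this service; only listed paths stay
# writable. The spool location is an assumption for this example.
ProtectSystem=strict
ReadWritePaths=/var/spool/smtpd
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Close common escalation routes: no setuid/fscaps gains, no sysctl, no
# module loading, no cgroup writes, no new namespaces, no realtime, no
# personality changes, and no memory that is both writable and executable.
NoNewPrivileges=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# A mail server needs IPv4/IPv6 sockets and local Unix sockets (syslog),
# nothing else.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Seccomp: native ABI only, and the @system-service group of system calls.
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Drop every capability except the ones privilege separation plausibly needs
# (bind port 25, switch uid/gid, chroot, own spool files). This set is an
# assumption: trim it until the service logs show nothing failing.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_CHOWN CAP_DAC_OVERRIDE
```

After `systemctl daemon-reload` and a restart of the unit, `systemd-analyze security <unit>` reports which exposure items remain, and `journalctl -u <unit>` shows any operation the sandbox now refuses; tighten `ReadWritePaths` and `CapabilityBoundingSet` one step at a time against those two outputs rather than guessing.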
App Used by Netanyahu's Likud Leaks Israel's Entire Voter Registry
Names, identification numbers and addresses of over 6 million voters were leaked through the unsecured Elector app
Where did Core Update 140 go?
You will have seen that we have just released an announcement for testing the next release of IPFire - IPFire 2.25 - Core Update 141. The major release number has changed, and a Core Update has been skipped. But why?
Rolling, rolling, rolling...
IPFire is a rolling release. There are a few systems, very few, that have been updated all the way through since 2007, when the first release of IPFire 2 was published. Despite some bugs during the update process, it is never necessary to reinstall your firewall. And why would you do that? We have replaced the whole base system underneath it not only once, but countless times.
IPFire is a modern distribution with its roots somewhere in the past. However, sometimes we need to break things. On purpose. We have removed old crypto that is dangerously broken and we have removed features that virtually nobody has been using any more - simply because the world looked different in 2007 than in 2017.
Bump to IPFire 2.25
This time, the reason for bumping the release to 2.25 is that we have upgraded to GCC 9. A new compiler brings some new libraries and changes some other things that are not backwards-compatible. So add-ons compiled with the new compiler won't work on older systems. We create a new directory on the server with everything compiled with the new compiler every time this happens. It is as simple as that.
Security updates for Monday
Security updates have been issued by Debian (ipmitool, libexif, and ppp), Fedora (glib2, java-1.8.0-openjdk, java-11-openjdk, libasr, libuv, mingw-gdk-pixbuf, mingw-SDL2, nethack, nghttp2, nodejs, nodejs-mixin-deep, nodejs-set-value, nodejs-yarn, opensmtpd, python-feedgen, runc, samba, sox, and texlive-base), Mageia (chromium-browser-stable, mgetty, openslp, qtbase5, spamassassin, sudo, and xmlrpc), openSUSE (ceph and chromium), Oracle (grub2 and kernel), SUSE (docker-runc, LibreOffice, and wicked), and Ubuntu (libxml2 and qtbase-opensource-src).
Open-Source Security in 2020: Myths and Facts
Open-source software isn’t a completely chaotic and breached wasteland of vulnerabilities. It’s a global effort to make the development lifecycle faster.
Open-source components are publicly-made codebases. Some are created and maintained by experienced developers and companies, while others are created by beginners. Open-source components are often used in enterprise software, for the purpose of reducing development time. However, the security aspect of these components isn’t always clear.
[...]
Open-source software is software with publicly accessible code. It is generally freely available for use and developed and maintained through community collaboration. The most commonly known example of open-source software is Linux, but many applications and systems use open-source components.
The difference between open-source software and proprietary software is reflected in its licensing, liability, and cost.
