Security Leftovers

Friday 8th of May 2020 06:19:05 PM
Security
  • Security updates for Friday

    Security updates have been issued by Debian (firefox-esr, salt, and webkit2gtk), Fedora (firefox, mingw-gnutls, nss, and teeworlds), Mageia (firefox, libvncserver, matio, qt4, roundcubemail, samba, thunderbird, and vlc), Oracle (firefox and squid), SUSE (firefox, ghostscript, openldap2, rmt-server, syslog-ng, and webkit2gtk3), and Ubuntu (firefox).

  • GoDaddy suffers hack of SSH credentials

    In an email, Markku Rossi, CTO of Finland-based security provider SSH.com, noted that those signing up for GoDaddy’s web hosting get a Linux operating system account on GoDaddy’s servers for web content.

    All GoDaddy plans include FTP (File Transfer Protocol) access to that account for uploading website assets. Administrators can also enable SSH for more secure access. The SSH access, he noted, uses the same username+password authentication used for the FTP access.

  • FreeRDP 2.1 Released Due To Multiple Security Issues

    Last month marked the release of FreeRDP 2.0 for implementing the Microsoft Remote Assistant Protocol v2. FreeRDP 2.0 also brought RDP proxy support, font smoothing by default, Flatpak packaging support, better scaling for Wayland, and other improvements. Today now marks the release of FreeRDP 2.1.

    FreeRDP 2.1 isn't coming as a result of some fun new features like v2.0, but rather due to security issues. Users of this Remote Desktop Protocol implementation are encouraged to move to FreeRDP 2.1 to mitigate multiple security issues. Among the security advisories are ones for out-of-bounds reads and writes along with possible integer overflows.

  • FreeRDP 2.1.0 released

    2.1.0 is mainly a security and bug fix release that addresses multiple security issues identified by hac425. If you are using any earlier version of FreeRDP we recommend updating to 2.1.0. The security advisories will be published on the FreeRDP security advisory page on GitHub.

  • Wladimir Palant: What data does Xiaomi collect about you?

    A few days ago I published a very technical article confirming that Xiaomi browsers collect a massive amount of private data. This fact was initially publicized in a Forbes article based on the research by Gabriel Cîrlig and Andrew Tierney. After initially dismissing the report as incorrect, Xiaomi has since updated their Mint and Mi Pro browsers to include an option to disable this tracking in incognito mode.

    [...]

    Even with the recent changes, Xiaomi browsers are massively invading users’ privacy. The amount of data collected by default goes far beyond what’s necessary for application improvement. Instead, Xiaomi appears to be interested in where users go, what they search for and which videos they watch. Even with a fairly obscure setting to disable this tracking, the default behavior isn’t acceptable. If you happen to be using a Xiaomi device, you should install a different browser ASAP.

