Date: 2020-01-01
Security Leftovers: Patches, Ubuntu and Huawei
Security updates for Tuesday
Security updates have been issued by Arch Linux (a2ps and qutebrowser), openSUSE (cacti, cacti-spine, ghostscript, and python-markdown2), Oracle (kernel), Red Hat (chromium-browser, libreswan, and qemu-kvm-ma), Scientific Linux (thunderbird), and SUSE (kernel and libvirt).
Ubuntu's Server Installer Was Mistakenly Leaking Encrypted Storage Passphrase To Its Log
With the recently released Ubuntu 20.04 LTS, the Ubuntu Server installer exclusively uses the "Subiquity" installer that Canonical has been working on in recent years in moving away from the classic Debian Installer. Unfortunately a security issue crept into Subiquity that has now been resolved.
U.S. Moves Towards Resolving Permitting US Companies to Collaborate with Huawei on 5G Standards
Regular readers will know that the addition of Huawei and scores of its subsidiaries to the U.S. Bureau of Industry and Security Entity List last May has had a serious impact on standards setting organizations (SSOs). Specifically, the related rules bar companies from disclosing certain types of U.S. origin technology to companies on the Entity List, and technology is exactly what is disclosed in the course of standards development. Due to a lack of guidance from the Department of Commerce, SSOs have been left wondering whether they can allow Huawei and its subsidiaries (collectively, “Huawei”) to participate in their technical activities. When they decide that the answer is yes, U.S. companies must then decide whether they read the regulatory tea leaves the same way. Many have not.
Over the past two weeks the situation has taken a more hopeful turn. The impetus for this change has a lot to do with the law of unexpected consequences – in this case, the results of the Department of Commerce refusing to provide the type of certainty that the private sector needs when political winds shift.
That uncertainty has led many modern-era consortium SSOs, on the one hand, and a number of traditional, old school SSOs, on the other, to reach different conclusions about whether they can or cannot safely allow Huawei to participate. Many of the consortia concluded that they would need to make radical changes to their technical processes in order to be sure they would fall under one or both of two exemptions that are to a degree analogous – holding open meetings and offering material for publication in journals.
Huawei denies involvement in buggy Linux kernel patch proposal [Ed: ZDNet has found another subtle way to insinuate Linux is not secure]
Huawei says employee submitted code as part of a personal project, not on behalf of the company.
