Security Leftovers
2020-05-18
-
A remote code execution vulnerability in qmail
Just in case anybody out there is still using qmail: a remote code execution vulnerability has just been disclosed. Its CVE number is CVE-2005-1513 because, as it turns out, the problem was reported 15 years ago but the fix was refused by the maintainer. "As a proof of concept, we developed a reliable, local and remote exploit against Debian's qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory)."
-
Security updates for Thursday
Security updates have been issued by Arch Linux (keycloak, qemu, and thunderbird), Debian (dovecot), Fedora (abcm2ps and oddjob), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and kernel-rt), SUSE (ant, bind, and freetype2), and Ubuntu (bind9 and linux, linux-aws, linux-aws-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2).
-
A review of open-source software supply chain attacks
Here's a preprint paper from Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier looking at attacks on language-specific repositories. "Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle."
-
Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks
A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. The paper also presents two general attack trees to provide a structured overview about techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions. This work is meant to facilitate the future development of preventive and detective safeguards by open source and research communities.
-