
Security: Patches, Linux Format Special and POWER9 Problems

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin).

  • Cyber insecurity | Linux Format

    Each year we proclaim it’s time to learn how to hack. But why? Jonni always gets angry at the subversion of the term ‘hacking’ and I can understand why. Hacking is fun, as is finding out how systems work and how to get them to do things they were never meant to do.

    With open source and the Linux ecosystem there’s an abundance of hacking fun to be had, and it’s no wonder all the key tools for learning how to hack – and actually hack – are developed and run out of Linux systems.

    For this year’s look at the world of hacking Jonni’s introducing you to the Metasploit Framework. This is a playground where you can learn, explore and develop hacking skills. It’s usually paired with Kali Linux, and we’re putting these on the Linux Format DVD, which makes a welcome return.

  • IBM POWER9 CPUs Need To Flush Their L1 Cache Between Privilege Boundaries Due To New Bug

    CVE-2020-4788 is now public and it's not good for IBM and their POWER9 processors... This new vulnerability means these IBM processors need to be flushing their L1 data cache between privilege boundaries, similar to other recent CPU nightmares.

    While IBM POWER9 allows speculatively operating on completely validated data in the L1 cache, when it comes to incompletely validated data, bad things can happen. Paired with other side channels, local users could improperly obtain data from the L1 cache.

    CVE-2020-4788 was made public this morning and is now causing all stable Linux kernel series to receive the mitigation that amounts to hundreds of lines of new code. The mitigation is flushing the L1 data cache for IBM POWER9 CPUs across privilege boundaries -- both upon entering the kernel and on user accesses.
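The practical question for an administrator is whether a given POWER9 host actually carries the two new flushes (on kernel entry and after user accesses). The POSIX shell check below is added here as an example and is not from the Phoronix article or the kernel tree. It assumes the interfaces the mitigation patches introduced: the debugfs toggles rfi_flush (the older exit-to-user flush, reported for context), entry_flush and uaccess_flush under /sys/kernel/debug/powerpc, the no_entry_flush and no_uaccess_flush kernel command-line parameters, and a "POWER9" string in /proc/cpuinfo; verify these names against your kernel's Documentation/admin-guide/kernel-parameters.txt. The paths are parameters so the function can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the Phoronix article or the kernel tree): report whether
# the CVE-2020-4788 L1D flush mitigations are active on a POWER9 Linux host.
# Assumed interfaces (from the mitigation patches; check your kernel's docs):
#   - debugfs toggles DEBUGFS_DIR/{rfi_flush,entry_flush,uaccess_flush} read 0/1
#     (normally /sys/kernel/debug/powerpc, needs root and a mounted debugfs);
#   - "no_entry_flush" / "no_uaccess_flush" on the kernel command line disable
#     the flushes at boot;
#   - /proc/cpuinfo names the CPU as "POWER9".

# read_flag FILE -> prints "1", "0" or "missing"
read_flag() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

# l1d_flush_status DEBUGFS_DIR CPUINFO CMDLINE
# Prints one line per check. Returns 0 if the host is a POWER9 with both the
# entry flush and the uaccess flush enabled, 1 if either is off or missing,
# 2 if the host is not a POWER9 (the CVE does not apply).
l1d_flush_status() {
    debugfs=$1; cpuinfo=$2; cmdline=$3
    status=0

    if grep -qi 'POWER9' "$cpuinfo" 2>/dev/null; then
        echo "cpu: POWER9 (CVE-2020-4788 applies)"
    else
        echo "cpu: not POWER9 (CVE-2020-4788 does not apply)"
        return 2
    fi

    for flag in rfi_flush entry_flush uaccess_flush; do
        val=$(read_flag "$debugfs/$flag")
        echo "$flag: $val"
        case "$flag:$val" in
            entry_flush:1|uaccess_flush:1) ;;          # the two new flushes, on
            entry_flush:*|uaccess_flush:*) status=1 ;; # off, or kernel lacks them
        esac
    done

    # An explicit opt-out at boot is worth flagging even if the debugfs toggles
    # read 1, since someone may have re-enabled them at runtime.
    if grep -Eq '(^|[[:space:]])no_(entry|uaccess)_flush([[:space:]]|$)' "$cmdline" 2>/dev/null; then
        echo "cmdline: flush explicitly disabled at boot"
    fi

    return $status
}

# On a live host (as root):
# l1d_flush_status /sys/kernel/debug/powerpc /proc/cpuinfo /proc/cmdline
```

A non-zero exit code with "entry_flush: missing" means the running kernel predates the mitigation, not that an administrator turned it off; the fix in that case is a kernel update from the stable series mentioned above, not a debugfs write.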

More in Tux Machines

Video/Shows: Yacy, Ubuntu 20.04 LTS Vs Ubuntu 20.10, Picom

  • Yacy Is The Search Engine That Respects Your Privacy - YouTube

    Yacy is a decentralized, peer-to-peer web search engine. All users are equal with no central controlling authority. Access to the search functions is made by a locally running web server which provides a search box to enter search terms, and returns search results in a similar format to other popular search engines.

  • Ubuntu 20.04 LTS Vs Ubuntu 20.10 | Which Is The BEST Version? | 7 THINGS To Consider - YouTube

    Ubuntu 20.10, Groovy Gorilla, is out and, like all non-LTS releases, this version is packed with new features and changes. We get a ton of improvements in the user interface especially, with GNOME 3.38 bringing many advancements like an adjustable application grid, an efficient calendar and so much more to this new Ubuntu. We now have 2 actively supported versions of Ubuntu to choose from, and they both are quite different from each other in how they look, how they behave, their support period, their target user base, and many other things.

  • Picom: Window Blur Should Always Be This Easy - YouTube

    Window blur has been an absolute pain with picom: you've had to run really out-of-date forks that are missing other features you might want. No longer, because it can be done in the main picom fork.

How to monitor file content while it changes in Linux

Monitoring file changes in real time is an easy task on a Linux system. Changes to directories, files, logs and so on can be monitored in real time with the help of the watch command. watch is an easy-to-use program for monitoring changes to files or directories on Linux. It comes pre-installed on all Debian- and Arch-based Linux systems.

Check whether watch is on your system: execute the command below to find out whether the watch command is working properly on your system.
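As an added example, not from the article above, here is how the same idea looks when it has to do more than redraw a terminal. watch(1) itself is a one-liner (the comments show two typical invocations, with constructed paths); the functions after it implement the loop watch runs, a snapshot of file contents and a diff between snapshots, so a change to a sensitive file can be logged or alerted on from a script rather than only seen on screen. Everything below is POSIX sh plus coreutils; the file paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the article. Watching file content change, two ways.
#
# 1) watch(1): rerun a command every N seconds and highlight what changed (-d).
#    Constructed paths; substitute your own.
#      watch -d -n 1 'tail -n 5 /var/log/auth.log'
#      watch -d -n 2 'sha256sum /etc/passwd /etc/shadow /etc/sudoers'
#
# 2) The same polling loop as shell functions whose output a script can act on.
#    Limitation: paths are matched as a single whitespace-free token.

# hash_file FILE -> content hash (sha256 when available, else POSIX cksum)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# snapshot_files FILE... -> one "<hash> <path>" line per file,
# "MISSING <path>" for a file that does not exist (deletion is a change too)
snapshot_files() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            printf '%s %s\n' "$(hash_file "$f")" "$f"
        else
            printf 'MISSING %s\n' "$f"
        fi
    done
}

# diff_snapshots OLD NEW -> prints "CHANGED <path>" for each path whose hash
# differs between the two snapshot files; returns 0 if nothing changed, else 1
diff_snapshots() {
    changed=0
    while read -r newhash path; do
        oldhash=$(awk -v p="$path" '$2 == p { print $1 }' "$1")
        if [ "$oldhash" != "$newhash" ]; then
            printf 'CHANGED %s\n' "$path"
            changed=1
        fi
    done < "$2"
    return $changed
}

# watch_files INTERVAL FILE... -> poll forever, printing CHANGED lines as they
# happen and re-baselining after each change. Ctrl-C to stop.
watch_files() {
    interval=$1; shift
    base=$(mktemp); cur=$(mktemp)
    snapshot_files "$@" > "$base"
    while sleep "$interval"; do
        snapshot_files "$@" > "$cur"
        if ! diff_snapshots "$base" "$cur"; then
            cp "$cur" "$base"
        fi
    done
}

# Example (constructed paths): watch_files 5 /etc/passwd /etc/shadow /etc/sudoers
```

Polling by hash catches content changes that a timestamp check misses (a file rewritten with its mtime restored), but it only sees what exists between two polls; for anything shorter-lived, or for a large tree, an inotify-based tool is the right next step.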

Android Leftovers

IBM/Red Hat Leftovers

  • Ken Hess (Red Hat): Cyber Week 2020: 13 ideas for what to buy the sysadmin in your life | Enable Sysadmin

    It's that special time of year when you can get great discounts on tech for your favorite sysadmin.

  • [IBM Emeritus] Irving Wladawsky-Berger: Are There Limits to the Predictability of Elections?

    The elegant mathematical models of classical mechanics depict a world in which objects exhibit deterministic behaviors. These models make perfect predictions within the accuracy of their human-scale measurements. But, once you start dealing with atoms, molecules and exotic subatomic particles, you find yourself in a very different world, one with somewhat counter-intuitive behaviors governed by the laws of quantum mechanics. The orderly, predictable models of classical physics have now given way to wave functions, uncertainty principles, quantum tunneling and wave-particle dualities. But, the world of the very small is not the only one with non-deterministic behaviors. So are highly complex systems, especially those systems whose components and interrelationships are themselves quite complex. This is the case with social systems, which are based on individuals, groups, and institutions. It’s quite a challenge to make accurate predictions in such systems due to the dynamic nature of human behaviors. Terms like emergence, long tails and butterfly effects, every bit as fanciful as quarks, charm and strangeness, are part of the social systems lexicon. Which brings us to the 2020 US election. “The polls were wrong again, and much of America wants to know why,” wrote NY Times journalist David Leonhardt in a recent article. “This is a disaster for the polling industry and for media outlets and analysts that package and interpret the polls for public consumption, such as FiveThirtyEight, The New York Times’ Upshot, and The Economist’s election unit,” said David Graham in The Atlantic.

  • [Red Hat] Why failure should be normalized and how to do it | Opensource.com

    All of your heroes have failures under their belts—from minor mistakes to major disasters. Nobody knows how to do everything automatically, and the process of learning is usually a messy one. So why is the perception that everyone but you knows what they’re doing so common? Why do we externalize our successes but internalize our failures? How does it make you feel when you struggle to learn something new, then see another person take their Jira card away and return at the end of the sprint with something fully fleshed out and working, gushing about it at the demo? Sure, you closed your card too, but it was really hard! There was a new algorithm, a new programming language, a new system all to be learned. How did she make it look so effortless? The truth is, she might have struggled with the same issues you did and wondered how you made it look so effortless!

    [...]

    It could be very easy to title this section "my mistakes" and then rattle off all the times I’ve made mistakes, but that doesn’t quite illustrate the point. I recognize these mistakes, but they’re also events that expanded the understanding of my craft. While I didn’t set out to intentionally do any of these things, I certainly learned from them.

    I have accidentally dropped (deleted) a customer’s database. It was lucky for everyone that it was a beta-phase database and no further harm was done. I learned a valuable lesson that day: be very watchful of what code is doing, and be careful about what environment you are working in.

    One day, while performing routine maintenance with an odd DNS setup, I accidentally broke the ability for customers to provide credit card information to the secure site. We had two "payments" DNS records that served to override a wildcard DNS record, and I assumed that the second "payments" record was still present. It wasn’t. And then the wildcard record took over, and the DNS started behaving like "payments" wasn’t special at all anymore. Of course, I had no idea this was happening at all—it wasn’t until my maintenance was over that I learned of the folly. Customers weren’t able to provide payment information for almost two hours! I learned my lesson, though: when there is something special about a particular configuration, be sure to make sure it stays special throughout its lifetime. When DNS gets involved, all kinds of things can break.