
Security and FUD Leftovers

Filed under
Security
  • Security updates for Thursday [LWN.net]

    Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools).

  • Travis CI flaw exposed secrets of thousands of open source projects [Ed: Hidden cost of bloat, but Microsoft-funded Ars 'Tech'nica spins this as an "Open Source" problem]

    A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

  • Travis CI flaw exposed secrets of thousands of open source projects (ars technica) [LWN.net]

    Any project storing secrets in this service would be well advised to replace them.

  • The long-term consequences of maintainers’ actions – Ariadne's Space

    OpenSSL 3 has entered Alpine, and we have been switching software to use it over the past week. While OpenSSL 1.1 is not going anywhere any time soon, it will eventually leave the distribution, once it no longer has any dependents. I mostly bring this up because it highlights a few examples of maintainers not thinking about the big picture, let me explain.

    First, the good news: in distribution-wide rebuilds, we already know that the overwhelming majority of packages in Alpine build just fine with OpenSSL 3, when individually built against it. Roughly 85% of main builds just fine with OpenSSL 3, and 89% of community builds with it. The rebuild effort is off to a good start.

    Major upgrades to OpenSSL are not without their fallout, however. In many cases, we cannot upgrade packages to use OpenSSL 3 because they have dependencies which themselves cannot yet be built with OpenSSL 3. So, that 15% of main ultimately translates to 30-40% of main once you take into account dependencies like curl, which builds just fine with OpenSSL 3, but has hundreds of dependents, some of which don’t.

    A major example of this is mariadb. It has been known that OpenSSL 3 was on the horizon for over 4 years now, and that the OpenSSL 3 release would remove support for the classical OpenSSL programming approach of touching random internals. However, they are just now beginning to update their OpenSSL support to use the modern APIs. Because of this, we wound up having to downgrade dozens of packages which would otherwise have supported OpenSSL 3 just fine, because the maintainers of those packages did their part and followed the OpenSSL deprecation warnings as they showed up in OpenSSL releases. MariaDB is a highly profitable company, who do business with the overwhelming majority of the Fortune 500 companies. But yet, when OpenSSL 3 releases started to be cut, they weren’t ready, and despite having years of warning they’re still not, which accordingly limits what packages can get the OpenSSL 3 upgrade as a result.
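    The "15% becomes 30-40%" effect described above can be computed rather than estimated. The following is an added illustration, not Alpine's rebuild tooling or anything from Ariadne's post. It assumes the rule a distribution has to enforce here: one process must never load both libcrypto generations, so a package that fails with OpenSSL 3 pins everything it links (downwards, e.g. curl) and, because those pinned libraries are loaded by other programs, everything that links them (upwards, e.g. curl's hundreds of dependents). The package names are real projects but the edges and the failing set are a constructed toy scenario.

```python
"""Which packages must stay on OpenSSL 1.1 when one of them fails with OpenSSL 3?

Added example, not Alpine's tooling. The link graph below is constructed and
illustrative; the only modelled failure is mariadb, as in the text above.
"""
from collections import deque

# Constructed toy link graph: package -> libraries it links (not Alpine's real graph).
LINKS = {
    "curl":    {"libssh2"},
    "libssh2": set(),
    "git":     {"curl"},
    "mariadb": {"curl", "libssh2"},
    "php":     {"curl"},
    "python3": set(),
    "nginx":   set(),
    "wget":    set(),
    "cmake":   {"curl"},   # links curl but (in this model) not libcrypto itself
}

# Packages that link libssl/libcrypto directly. cmake only reaches it via curl.
OPENSSL_USERS = {"curl", "libssh2", "git", "mariadb", "php", "python3", "nginx", "wget"}

# In this constructed scenario only mariadb fails to build against OpenSSL 3.
FAILS_WITH_OPENSSL3 = {"mariadb"}


def undirected_neighbours(links):
    """Turn the directed link graph into an adjacency map in both directions."""
    nb = {p: set() for p in links}
    for pkg, deps in links.items():
        for dep in deps:
            nb[pkg].add(dep)
            nb.setdefault(dep, set()).add(pkg)
    return nb


def pinned_to_openssl11(links, openssl_users, failing):
    """Packages that must keep building against OpenSSL 1.1.

    Assumed rule: a process must never load both libcrypto generations.
    A failing package therefore pins its whole connected component in the
    undirected link graph. Packages that do not use OpenSSL themselves
    (cmake here) still conduct the constraint through to their neighbours;
    only OpenSSL users are reported, since only they have a version to pick.
    """
    nb = undirected_neighbours(links)
    seen, queue = set(failing), deque(failing)
    while queue:
        pkg = queue.popleft()
        for other in nb.get(pkg, ()):
            if other not in seen:
                seen.add(other)
                queue.append(other)
    return seen & set(openssl_users)


def rebuild_report(links, openssl_users, failing):
    """Split OpenSSL users into: fails itself / held back by others / upgradable."""
    users = set(openssl_users)
    pinned = pinned_to_openssl11(links, users, failing)
    return {
        "fails_itself": users & set(failing),
        "held_back_by_others": pinned - set(failing),
        "upgradable_now": users - pinned,
    }


def pinned_share(links, openssl_users, failing):
    """(fraction of OpenSSL users failing directly, fraction that ends up pinned)."""
    users = set(openssl_users)
    pinned = pinned_to_openssl11(links, users, failing)
    return len(users & set(failing)) / len(users), len(pinned) / len(users)


if __name__ == "__main__":
    for label, pkgs in rebuild_report(LINKS, OPENSSL_USERS, FAILS_WITH_OPENSSL3).items():
        print(f"{label:22s} {sorted(pkgs)}")
    direct, pinned = pinned_share(LINKS, OPENSSL_USERS, FAILS_WITH_OPENSSL3)
    print(f"direct failures: {direct:.0%}, pinned after propagation: {pinned:.0%}")
```

    On the toy graph a single failing package (12.5% of OpenSSL users) pins five of eight (62.5%): curl and libssh2 because mariadb links them, git and php because they link the now-pinned curl. Run against a real distribution's link graph (e.g. derived from `apk info -R` or `ldd` output), the same walk tells you which downgrades one late maintainer is costing you before the rebuild starts.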

  • Level up your digital security hygiene! Cybersec Charcha #5

    By popular demand from our staff and community members, this edition of cybersec charcha will explore the basic digital security hygiene practices everyone should follow and how they protect your information from falling into the wrong hands.

    As attacks like Pegasus gain more limelight and become part of public knowledge, many of us feel that there is nothing we can do to protect ourselves. And currently, this stands true for sophisticated attacks like Pegasus. However, it’s important to remain cognizant that every time someone’s data is compromised, it’s not because they were targeted with a military grade spyware. It’s crucial for us to be aware of our personal threat levels. This threat level can be determined through a process called Threat Modelling.

  • Microsoft Releases Security Update for Azure Linux Open Management Infrastructure [Ed: This is how CISA covers Microsoft 'bug doors' inside Linux]

    Microsoft has released an update to address a remote code execution vulnerability in Azure Linux Open Management Infrastructure (OMI). An attacker could use this vulnerability to take control of an affected system.

  • Drupal Releases Multiple Security Updates

    Drupal has released security updates to address multiple vulnerabilities affecting Drupal 8.9, 9.1, and 9.2. An attacker could exploit some of these vulnerabilities to take control of an affected system.

  • New Go malware Capoae targets WordPress installs, Linux systems [Ed: Charlatans and frauds at ZDNet now try to blame some malware that targets WordPress on "Linux" and on the programming language the malware is written in (Go); this isn't journalism and it's even lower than tabloid level. Part of a trend. Imagine ZDNet blaming Photoshop holes on Windows and on C++ (if some malware is coded in that language).]

  • Democracy Now: NSO Group Spies Secretly Seized Control of Apple Devices by Exploiting Flaw in Code - The Citizen Lab

    Ron Deibert joined Democracy Now to discuss how Citizen Lab research of a zero-click zero-day exploit—used by NSO Group—led Apple to issue a patch to over 1.65 billion products.

  • Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: WSL was always a security joke; it's compromised, totally controlled by Microsoft, and only a fool would call that "Linux"]

  • Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: They've paid to spread this misleading thing which conflates WSL with "Linux"]

  • ACSC Releases Annual Cyber Threat Report

    The Australian Cyber Security Centre (ACSC) has released its annual report on key cyber security threats and trends for the 2020–21 financial year.

    The report lists the exploitation of the pandemic environment, the disruption of essential services and critical infrastructure, ransomware, the rapid exploitation of security vulnerabilities, and the compromise of business email as last year’s most significant threats.

More Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation

  • Microsoft to Azure Linux users: Patch this problem yourself

    Azure Linux administrators, it's time to get patching. In response to the recent OMIGOD vulnerabilities, Microsoft has released an updated version of OMI, but you'll need to upgrade on your own (via BleepingComputer). Here's the full scoop.

    OMIGOD vulnerabilities are named after OMI, an acronym that stands for the Open Management Infrastructure software agent. The OMIGOD vulnerabilities found in OMI have opened the door for RCE (Remote Code Execution) attacks from malicious parties. And if you're an Azure user operating on a Linux setup with a service such as Azure Diagnostics or Azure Automation enabled, that means you have OMI on your Virtual Machine.

More of the WSL FUD
