Security Leftovers (2021-09-10)
Reproducible Builds (diffoscope): diffoscope 186 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 186. This version includes the following changes:
[ Chris Lamb ]
* Don't call close_archive when garbage-collecting Archive instances unless open_archive returned successfully. This prevents, amongst others, an AttributeError traceback due to PGPContainer's cleanup routines assuming that its temporary directory had been created. (Closes: reproducible-builds/diffoscope#276)
* Ensure that the string "RPM archives" exists in the package description, regardless of whether python3-rpm is installed or not at build time.

[ Jean-Romain Garnier ]
* Fix the LVM Macho comparator for non-x86-64 architectures.
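The first changelog entry describes a classic cleanup bug: a destructor tears down a resource that was never created because the open step failed part-way. The following is an added illustration, not diffoscope's own code; the `BrokenArchive`/`FixedArchive` classes, the `.ok` suffix used to simulate an unsupported archive, and the explicit `cleanup()` call (standing in for the garbage-collection hook) are all constructed for this example.

```python
import shutil
import tempfile


class BrokenArchive:
    """Constructed stand-in for the pre-fix behaviour: cleanup assumes
    open_archive() reached the point where the temporary directory exists."""

    def __init__(self, path):
        self.path = path
        try:
            self.open_archive()
        except OSError:
            pass  # object stays alive and will still be cleaned up later

    def open_archive(self):
        # Simulated failure before any temporary state is created.
        if not self.path.endswith(".ok"):
            raise OSError("unsupported archive: %s" % self.path)
        self._tmpdir = tempfile.mkdtemp()

    def close_archive(self):
        shutil.rmtree(self._tmpdir)  # AttributeError if open_archive never got that far

    def cleanup(self):
        # In diffoscope this runs at garbage collection; called explicitly here.
        self.close_archive()


class FixedArchive(BrokenArchive):
    """Same class with the fix applied: remember whether open succeeded and
    only close what was actually opened."""

    def __init__(self, path):
        self.path = path
        self._opened = False
        try:
            self.open_archive()
            self._opened = True
        except OSError:
            pass

    def cleanup(self):
        if self._opened:
            self.close_archive()
            self._opened = False


def cleanup_outcome(archive_cls, path):
    """Open an archive with the given class, run its cleanup, and report
    whether cleanup itself raised (the traceback the changelog refers to)."""
    archive = archive_cls(path)
    try:
        archive.cleanup()
    except AttributeError as exc:
        return "AttributeError: %s" % exc
    return "ok"


if __name__ == "__main__":
    for cls in (BrokenArchive, FixedArchive):
        print(cls.__name__, "bad.bin ->", cleanup_outcome(cls, "bad.bin"))
        print(cls.__name__, "good.ok ->", cleanup_outcome(cls, "good.ok"))
```

The guard is deliberately a separate flag rather than a `hasattr(self, "_tmpdir")` check, so that a partially successful open (directory created, later step failed) can still be cleaned up correctly if the flag is set at the right point.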
Crashes in OpenBSD, DragonFly BSD and Electron due to deprecation of the IdenTrust root certificate
The expiry of the IdenTrust root certificate (DST Root CA X3) used to cross-sign the Let's Encrypt CA root certificate caused Let's Encrypt certificate validation to fail in projects using older versions of OpenSSL and GnuTLS. The problems also affected the LibreSSL library, whose developers did not take into account past experience with the failures that occurred after the AddTrust root certificate of the Sectigo (Comodo) certification authority expired.
Recall that releases of OpenSSL up to and including the 1.0.2 branch, and GnuTLS before release 3.6.14, had a bug that prevented correct processing of cross-signed certificates once one of the root certificates used for signing had expired, even when other valid chains of trust were available (in the case of Let's Encrypt, the expiry of the IdenTrust root certificate blocks verification even if the system has its own Let's Encrypt root certificate, which is valid until 2030). The essence of the bug is that older versions of OpenSSL and GnuTLS treated the certificate chain as a linear list, whereas according to RFC 4158 the certificates can form a directed graph, possibly containing cycles, with several trust anchors that all need to be considered.
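To make the linear-versus-graph distinction concrete, here is an added simulation (not code from OpenSSL, GnuTLS or any of the projects above). Certificates are reduced to subject, issuer and expiry date; "DST Root CA X3" is the name from the text, while "LE Root", "LE Intermediate", "example.test" and all dates are constructed stand-ins. The server sends the leaf, its intermediate and the cross-signed copy of the Let's Encrypt root, and the trust store holds both the expired IdenTrust root and the self-signed Let's Encrypt root.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    @property
    def self_signed(self):
        return self.subject == self.issuer


# Constructed data: the day after DST Root CA X3 expired.
TODAY = date(2021, 10, 1)

DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
LE_ROOT = Cert("LE Root", "LE Root", date(2030, 6, 4))                  # self-signed anchor
LE_ROOT_CROSS = Cert("LE Root", "DST Root CA X3", date(2024, 9, 30))    # cross-signed by DST
INTERMEDIATE = Cert("LE Intermediate", "LE Root", date(2025, 9, 15))
LEAF = Cert("example.test", "LE Intermediate", date(2021, 12, 1))

SERVER_CHAIN = [LEAF, INTERMEDIATE, LE_ROOT_CROSS]   # what the TLS server presents
TRUST_STORE = [DST_ROOT, LE_ROOT]                    # what the client trusts


def verify_linear(chain, store, today):
    """Old behaviour: follow issuer links, taking the first matching issuer
    (server-sent certificates before the store) and never backtracking."""
    path = [chain[0]]
    cur = chain[0]
    while not (cur.self_signed and cur in store):
        candidates = [c for c in chain[1:] + store
                      if c.subject == cur.issuer and c is not cur]
        if not candidates:
            return None
        cur = candidates[0]
        path.append(cur)
    # Expiry is only checked once the single path is fully built.
    return path if all(c.not_after >= today for c in path) else None


def verify_graph(chain, store, today):
    """RFC 4158 style: depth-first search over every candidate issuer,
    accepting the first path that ends at a currently valid trust anchor."""
    def extend(path):
        cur = path[-1]
        if cur.not_after < today:
            return None               # dead end, try another branch
        if cur.self_signed and cur in store:
            return path
        for cand in chain[1:] + store:
            if cand.subject == cur.issuer and cand not in path:
                found = extend(path + [cand])
                if found:
                    return found
        return None
    return extend([chain[0]])


def describe(path):
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    print("linear:", describe(verify_linear(SERVER_CHAIN, TRUST_STORE, TODAY)))
    print("graph: ", describe(verify_graph(SERVER_CHAIN, TRUST_STORE, TODAY)))
```

The linear walker reaches the cross-signed root, looks up its issuer, lands on the expired DST Root CA X3 and fails; the graph search backtracks from that branch and finds the self-signed Let's Encrypt root in the store. Run with a date before 2021-09-30, both verifiers succeed, which is why the problem only surfaced at expiry.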
BloodHound – Hacking Active Directory Trust Relationships
Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use it to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
It is a single-page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor.
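The "attack path" idea behind BloodHound is plain graph search over privilege relationships. The following is an added, self-contained illustration of that idea from the defender's side (not BloodHound's code, schema or query language): a constructed toy graph of users, groups and hosts, a breadth-first search for the shortest path from a low-privilege principal to a sensitive group, and a check for which single edges on that path are choke points whose removal breaks the path. All principal and relationship names are made up for the example.

```python
from collections import deque

# Constructed toy privilege graph: (source, relationship, target).
# Two routes lead from alice to WS01, but only one from WS01 onwards.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("alice", "MemberOf", "Backup Ops"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("Backup Ops", "AdminTo", "WS01"),
    ("WS01", "HasSession", "bob"),
    ("bob", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Domain Users"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """BFS over directed edges; returns the node list of one shortest
    path from start to goal, or None if goal is unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for _rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def choke_points(edges, start, goal):
    """Edges on the shortest path whose removal alone disconnects start
    from goal: the smallest remediation that breaks the path."""
    path = shortest_path(build_graph(edges), start, goal)
    if path is None:
        return []
    on_path = set(zip(path, path[1:]))
    result = []
    for edge in edges:
        if (edge[0], edge[2]) in on_path:
            remaining = [e for e in edges if e != edge]
            if shortest_path(build_graph(remaining), start, goal) is None:
                result.append(edge)
    return result


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print("alice ->", shortest_path(graph, "alice", "Domain Admins"))
    print("carol ->", shortest_path(graph, "carol", "Domain Admins"))
    print("choke points:", choke_points(EDGES, "alice", "Domain Admins"))
```

Removing the Helpdesk membership does not help here because the Backup Ops route reaches the same host; the edges worth acting on are the privileged session on WS01 and bob's group membership, which is the kind of conclusion the graph view makes visible and a flat permissions listing does not.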
Getting Started With Kali
Kali is a Debian based distribution aimed at penetration testing. I haven’t felt a need to use it in the past because Debian has packages for all the scanning tools I regularly use, and all the rest are free software that can be obtained separately. But I recently decided to try it.
Here’s the URL to get Kali [1]. For a VM you can get VMWare or VirtualBox images, I chose VMWare as it’s the most popular image format and also a much smaller download (2.7G vs 4G). For unknown reasons the torrent for it didn’t work (might be a problem with my torrent client). The download link for it was extremely slow in Australia, so I downloaded it to a system in Germany and then copied it from there.
[...]
Installing VMs for both these distributions was quite easy. Most of my time was spent downloading from a slow server, trying to get SCSI emulation working, working out how to convert image files, and testing different compression options. The time spent doing stuff once I knew what to do was very small.
IBM/Red Hat/Fedora Leftovers
UDOO KEY ESP32 & RP2040 board to launch for $4 - CNX Software
UDOO is known for its x86 boards that embed an Arduino-compatible MCU, but the UDOO KEY is different, as it does without an Intel or AMD processor and instead combines the Raspberry Pi RP2040 microcontroller with an Espressif ESP32 WiFi & Bluetooth WiSoC. As we noted in the past, combining Raspberry Pi Pico/RP2040 with ESP32 does not make a lot of sense in most cases, but here the UDOO KEY will be offered for just $4 for the first units, so they'll basically throw in the ESP32, an IMU sensor, and a microphone for free, since it's the same price as one Raspberry Pi Pico, before eventually selling the device for $20. Also: Eolim STEAMMIANS Kit helps teach young kids about electronics through interactive stories | Arduino Blog
Security Leftovers
August/September in KDE Itinerary
Travel is slowly returning, and that shows in the many improvements to KDE Itinerary driven by real-world testing and feedback again in the past two months since the last summary. Also: Calamares and Hacktoberfest 2021
