
Security Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).

  • Apache Releases Security Advisory for Tomcat | CISA

    The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to cause a denial of service condition.

  • Security Risks of Client-Side Scanning

    Even before Apple made their announcement, law enforcement shifted their battle for back doors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. It’s not a cryptographic back door, but it is still a back door — and brings with it all the insecurities of a back door.

    I’m part of a group of cryptographers that has just published a paper discussing the security risks of such a system. (It’s substantially the same group that wrote a similar paper about key escrow in 1997, and other “exceptional access” proposals in 2015. We seem to have to do this every decade or so.) In our paper, we examine both the efficacy of such a system and its potential security failures, and conclude that it’s a really bad idea.

  • The Open Source Security Foundation receives $10 million in funding - itsfoss.net

    The Linux Foundation has announced a $10 million commitment to the OpenSSF (Open Source Security Foundation), an effort to improve the security of open source software. Funds raised through royalties from parent companies of OpenSSF, including Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware …

Another roundup

  • This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger | Hackaday

    Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

    The original exploit used .%2e/ as the magic payload, which is using URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, and so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration, cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files.
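    As an added example (not from the Hackaday article, Tux Machines, or the Apache code base), here is a small Python check a defender could run over request paths pulled from access logs: a one-pass percent-decode turns `.%%32%65` into `.%2e` but never into `..`, while decoding until the string stops changing exposes both forms described above. The sample paths are constructed for illustration.

```python
"""Added example: detect the single- and double-encoded traversal forms
described above by percent-decoding until the path stops changing.
This is illustrative defender-side logic, not Apache's own fix."""
from urllib.parse import unquote

# Constructed sample request paths: the two forms the article describes plus benign ones.
SAMPLE_PATHS = [
    "/cgi-bin/.%2e/.%2e/etc/passwd",          # first iteration: one layer of encoding
    "/cgi-bin/.%%32%65/.%%32%65/etc/passwd",  # second iteration: %32 -> '2', %65 -> 'e'
    "/icons/apache_pb.png",                   # benign
    "/docs/file%20name.html",                 # benign, but still percent-encoded
]

MAX_ROUNDS = 5  # bound the loop; input that never stabilises is itself suspicious


def decode_fully(path):
    """Percent-decode repeatedly; return (decoded_path, rounds_used)."""
    rounds = 0
    current = path
    while rounds < MAX_ROUNDS:
        decoded = unquote(current)
        rounds += 1
        if decoded == current:  # fixed point reached: no encoding left to peel
            break
        current = decoded
    return current, rounds


def single_pass_has_traversal(path):
    """The naive check: one decode pass, then look for a '..' segment."""
    return any(seg == ".." for seg in unquote(path).split("/"))


def has_traversal(path):
    """The robust check: decode to a fixed point, then look for a '..' segment."""
    decoded, _ = decode_fully(path)
    return any(seg == ".." for seg in decoded.split("/"))


def classify(paths):
    """Return (path, naive_verdict, robust_verdict) for each path, for comparison."""
    return [(p, single_pass_has_traversal(p), has_traversal(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, robust in classify(SAMPLE_PATHS):
        print(f"{path:45} one-pass={naive!s:5} fixed-point={robust}")
```

    The second sample path is the one that separates the two checks: the one-pass verdict is False, the fixed-point verdict is True.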
