Security Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).

  • Apache Releases Security Advisory for Tomcat | CISA

    The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to cause a denial of service condition.

  • Security Risks of Client-Side Scanning

    Even before Apple made their announcement, law enforcement shifted their battle for back doors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. It’s not a cryptographic back door, but it’s still a back door — and brings with it all the insecurities of a back door.

    I’m part of a group of cryptographers that has just published a paper discussing the security risks of such a system. (It’s substantially the same group that wrote a similar paper about key escrow in 1997, and other “exceptional access” proposals in 2015. We seem to have to do this every decade or so.) In our paper, we examine both the efficacy of such a system and its potential security failures, and conclude that it’s a really bad idea.

  • The Open Source Security Foundation receives $10 million in funding - itsfoss.net

    The Linux Foundation has announced a $10 million commitment to the OpenSSF (Open Source Security Foundation), an effort to improve the security of open source software. Funds raised through royalties from parent companies of OpenSSF, including Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware …

Another roundup

  • This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger | Hackaday

    Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

    The original exploit used .%2e/ as the magic payload, which is using URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, and so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration, cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files.
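    As an added defender-side illustration of the double-encoding point above (example code written here, not from the Hackaday article or the Apache project), the Python below percent-decodes a request path until it stops changing and flags any `..` segment that appears; a single decoding pass turns `.%%32%65/` into `.%2e/` and misses it. The sample request paths are constructed for the demonstration.

```python
from urllib.parse import unquote

# Constructed sample request paths, in the shape an access log records them
# (not taken from any real incident).
SAMPLE_PATHS = [
    "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd",                  # single encoding layer
    "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd",  # double encoding layer
    "/icons/image.gif",                                          # benign request
    "/docs/%2e%2e/manual/index.html",                            # both dots encoded
]


def fully_decode(path, max_rounds=5):
    """Percent-decode `path` repeatedly until it stops changing.

    Returns (decoded_path, rounds). One round turns '.%%32%65/' into '.%2e/',
    which still hides the dot-dot from a naive check; the second round yields '../'.
    max_rounds bounds the loop so hostile input cannot keep it spinning.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds


def is_traversal(path):
    """True if any path segment is '..' once every encoding layer is stripped."""
    decoded, _ = fully_decode(path)
    return ".." in [seg for seg in decoded.split("/") if seg]


def flag_requests(paths):
    """Return (raw, decoded) pairs for every path that resolves to a traversal."""
    return [(p, fully_decode(p)[0]) for p in paths if is_traversal(p)]


if __name__ == "__main__":
    for raw, decoded in flag_requests(SAMPLE_PATHS):
        print(f"traversal: {raw} -> {decoded}")
```

The `rounds` value tells an analyst how many encoding layers a request carried, which separates the second-iteration payload from the first in log review.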
