
Security Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).

  • Apache Releases Security Advisory for Tomcat   | CISA

    The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to cause a denial of service condition.

  • Security Risks of Client-Side Scanning

    Even before Apple made their announcement, law enforcement shifted their battle for back doors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. It’s not a cryptographic back door, but it is still a back door — and brings with it all the insecurities of a back door.

    I’m part of a group of cryptographers that has just published a paper discussing the security risks of such a system. (It’s substantially the same group that wrote a similar paper about key escrow in 1997, and other “exceptional access” proposals in 2015. We seem to have to do this every decade or so.) In our paper, we examine both the efficacy of such a system and its potential security failures, and conclude that it’s a really bad idea.

  • The Open Source Security Foundation receives $10 million in funding - itsfoss.net

    The Linux Foundation has announced a $10 million commitment to the OpenSSF (Open Source Security Foundation), an effort to improve the security of open source software. Funds raised through royalties from parent companies of OpenSSF, including Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware …

Another roundup

  • This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger | Hackaday

    Apache HTTP Server 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that the fix was incomplete, and that version is vulnerable to a variant of the same vulnerability. 2.4.51 is now available and should properly fix it.

    The original exploit used .%2e/ as the magic payload, using URL encoding to sneak the extra dot through as part of the path. The new bypass uses .%%32%65/. This looks a bit weird, but makes sense when you decode it: in percent-encoding each %XX is one byte written in hex, so %32 decodes to the ASCII character 2 and %65 to e, leaving .%2e/. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding, which the 2.4.50 fix did not account for. This has the same requirements as the first iteration: CGI (cgi-bin) has to be enabled for code execution, and Require all denied has to be disabled for the affected path in the configuration files.
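    The decoding trick above is easier to see in code. The following is an added example written for this roundup, not code from the Hackaday article or from the Apache HTTP Server; it is Python rather than httpd's C because the point is the encoding logic, not httpd internals. It shows that a check which percent-decodes a path once and then looks for a ".." segment catches .%2e/ but lets .%%32%65/ through, and it contrasts two checks that do not: decoding exactly once and refusing any leftover "%", or decoding to a fixed point and resolving the result against a document root. The document root and the three request paths are constructed for the demo, shaped like the payloads the article describes.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the demo; any absolute directory would do.
DOCROOT = "/var/www/html"

# Constructed request paths in the shape the article describes (not real traffic):
ORIGINAL_PAYLOAD = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"                 # single encoding
DOUBLE_PAYLOAD = "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"  # nested encoding
BENIGN_PATH = "/cgi-bin/printenv"


def decode_once(path: str) -> str:
    """One pass of percent-decoding: %2e -> '.', %32 -> '2', %65 -> 'e' (hex ASCII codes).

    On .%%32%65/ the leading '%%' is not a valid escape, so only %32 and %65 are
    decoded and the result is .%2e/, which is itself still an encoded '../'."""
    return unquote(path)


def decode_fully(path: str, max_rounds: int = 4) -> str:
    """Decode until the string stops changing, so nested encodings collapse to plain text.

    Bounded so hostile input cannot make the loop run indefinitely."""
    for _ in range(max_rounds):
        nxt = unquote(path)
        if nxt == path:
            return path
        path = nxt
    raise ValueError("too many encoding layers")


def has_dotdot_segment(path: str) -> bool:
    return ".." in path.split("/")


def naive_check_blocks(path: str) -> bool:
    """An incomplete fix: decode once, then reject a literal '..' segment.

    .%2e/ is caught (it decodes to ../) but .%%32%65/ only decodes to .%2e/,
    which contains no '..' segment and so passes."""
    return has_dotdot_segment(decode_once(path))


def strict_check_blocks(path: str) -> bool:
    """Decode exactly once, then reject if any '%' survives or a '..' segment remains.

    Nothing ever gets a second decoding pass, so .%%32%65/ is refused outright.
    Conservative by design: a legitimate literal percent sign (%25) is refused too."""
    decoded = decode_once(path)
    return "%" in decoded or has_dotdot_segment(decoded)


def escapes_docroot(path: str) -> bool:
    """Resolve the fully decoded path under DOCROOT and report whether it leaves it.

    Useful as a second, independent test: it asks about the filesystem outcome
    rather than about the spelling of the request."""
    decoded = decode_fully(path)
    resolved = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    return resolved != DOCROOT and not resolved.startswith(DOCROOT + "/")


def classify(path: str) -> dict:
    return {
        "naive_blocks": naive_check_blocks(path),
        "strict_blocks": strict_check_blocks(path),
        "escapes_docroot": escapes_docroot(path),
    }


if __name__ == "__main__":
    for label, p in (("original", ORIGINAL_PAYLOAD), ("double", DOUBLE_PAYLOAD), ("benign", BENIGN_PATH)):
        print(f"{label:8} once={decode_once(p)!r} fully={decode_fully(p)!r} {classify(p)}")
```

    Running it shows the gap: for the doubly encoded path the naive check reports nothing to block, while the strict check refuses it and the docroot resolution shows it would land on /etc/passwd. The general lesson is the one the article points at: either decode exactly once and treat any remaining escape as hostile, or decode to a fixed point before normalizing, but never normalize after a single pass and assume the result is final.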
