date 2021-10-26
Security Leftovers
Security updates for Friday
Security updates have been issued by Debian (python-babel), Fedora (golang-github-opencontainers-image-spec and libmysofa), openSUSE (hiredis), Oracle (firefox and thunderbird), Red Hat (thunderbird and virt:8.2 and virt-devel:8.2), Scientific Linux (thunderbird), SUSE (kernel-rt and xen), and Ubuntu (firefox).
Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation | CISA
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
Reproducible Builds (diffoscope): diffoscope 196 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 196. This version includes the following changes:
[ Roland Clobus ]
* Add a comment/annotation when the GNU_BUILD_ID field has been modified.
[ Brent Spillner ]
* Fix the "Black" version detection.
[ Chris Lamb ]
* Replace "token" with anonymous variable "x" in order to remove extra lines.
This Week In Security: Printing Shellz, Ms-officecmd, And AI Security | Hackaday
Researchers at F-Secure have developed an impressive new attack, leveraging HP printers as an unexpected attack surface. Printing Shellz (PDF) is a one-click attack, where simply visiting a malicious webpage is enough to get a shell and reverse proxy installed to a printer on the same network. The demo below uses a cross-site printing (XSP) attack to send the malicious print job to the printer without any further interactions.
IBM/Red Hat Leftovers
xfce4-terminal 0.9.1 development release
Welcome back! For the last two months, I've been working on fixing regressions introduced by 0.9.0 (thanks to all the people who try the development releases) and a few new features and enhancements that the community has been asking for.
Is EndeavourOS the Easiest Way to Use Arch Linux?
Arch Linux is famous for being its own thing, done in its own way. Most distributions are built on other distributions. Ubuntu is based on Debian, Manjaro is based on Arch, and Fedora is based on RedHat Linux. Arch Linux isn’t based on anything. It was built from the ground up using the Linux kernel, the GNU utilities, its own package manager, and so on. Arch Linux lets the user decide exactly what they want to include or leave out of their operating system and applications. It’s the polar opposite of bloat. It’s just about the skinniest Linux you can get.
Liferea Feed Reader Can Now Convert TinyTinyRSS Sources to Local Subscriptions
Liferea feed reader and news aggregator released version 1.13.7 a few days ago as the latest development release. Liferea is a GTK+3 news reader with an embedded web browser. It supports reading articles offline, force-fetching full article text using HTML5 extraction, and subscribing to HTML5 websites that do not even have a feed. It may also permanently save headlines in news bins, and supports synchronizing with “TinyTinyRSS”, “TheOldReader”, and “Reedah”. The 1.13.7 release continues work on the ‘Reader mode’. Users can now toggle Reader mode on/off by right-clicking on the lower right HTML view area and using the context menu option. And it now allows converting TinyTinyRSS subscriptions to local subscriptions.
