Security Leftovers
Thorsten Alteholz: My Debian Activities in May 2022
This month I accepted 288 and rejected 45 packages. The overall number of packages that got accepted was 290.
Reproducible Builds: Reproducible Builds in May 2022
Welcome to the May 2022 report from the Reproducible Builds project. In our reports we outline the most important things that we have been up to over the past month. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.
The paper (PDF, 3.5MB) uses the Debian mylvmbackup package as an example to show how RepFix can automatically generate patches to make software build reproducibly. As it happens, Reiner Herrmann submitted a patch for the mylvmbackup package which has remained unapplied by the Debian package maintainer for over seven years, thus this paper inadvertently underscores that achieving reproducible builds will require both technical and social solutions.
Security updates for Monday
Security updates have been issued by Debian (clamav, firefox-esr, pidgin, and thunderbird), Fedora (dotnet3.1, firefox, kernel, vim, and webkit2gtk3), Mageia (firefox/nss/nspr, gimp, logrotate, mariadb, thunderbird, trojita, webkit2, and webmin), Oracle (thunderbird), Red Hat (compat-openssl11, postgresql:10, postgresql:12, and thunderbird), Slackware (pidgin), and SUSE (openvpn).
Probably Don’t Rely on EPSS Yet
Vulnerability management involves discovering, analyzing, and handling new or reported security vulnerabilities in information systems. The services provided by vulnerability management systems are essential to both computer and network security. This blog posting evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), which is a data-driven model designed to estimate the probability that software vulnerabilities will be exploited in practice.
The EPSS model was initiated in 2019 in parallel to our criticisms of the Common Vulnerability Scoring System (CVSS) in 2018. EPSS was developed in parallel to our own attempt at improving CVSS, the Stakeholder-Specific Vulnerability Categorization (SSVC); 2019 also saw version 1 of SSVC. This post will focus on EPSS version 2, released in February 2022, and on when it is and is not appropriate to use the model. This latest release has created a lot of excitement around EPSS, especially since improvements to CVSS (version 4) are still being developed. Unfortunately, the applicability of EPSS is much narrower than people might expect, so it is not yet a useful tool for most vulnerability managers.
The Surreal Case of a C.I.A. Hacker’s Revenge
Nestled west of Washington, D.C., amid the bland northern Virginia suburbs, are generic-looking office parks that hide secret government installations in plain sight. Employees in civilian dress get out of their cars, clutching their Starbucks, and disappear into the buildings. To the casual observer, they resemble anonymous corporate drones. In fact, they hold Top Secret clearances and work in defense and intelligence. One of these buildings, at an address that is itself a secret, houses the cyberintelligence division of the Central Intelligence Agency. The facility is surrounded by a high fence and monitored by guards armed with military-grade weapons. When employees enter the building, they must badge in and pass through a full-body turnstile. Inside, on the ninth floor, through another door that requires badge access, is a C.I.A. office with an ostentatiously bland name: the Operations Support Branch. It is the agency’s secret hacker unit, in which a cadre of élite engineers create cyberweapons.
Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices
Cybersecurity researchers have disclosed two unpatched security vulnerabilities in the open-source U-Boot boot loader.
The issues, which were uncovered by NCC Group in the IP defragmentation algorithm implemented in U-Boot, could be abused to achieve an arbitrary out-of-bounds write and denial of service (DoS).
Ubuntu snap vs. apt: Which package manager to use and when
IT teams that run workloads on Ubuntu Linux have not one but two software package managers to work with: snap and apt. Although snap and apt both automate software package installation, management and removal, they work in different ways. An organization's choice between snap vs. apt depends on its IT priorities.
Linux Kernel 5.19 RC1 Released, Concluding ARM Generic Kernel Work
A summary of the changes in Linux Kernel 5.19 RC1 which spans processors, networking, storage, graphics and other Kernel modules.
so wordpress uploads all content to their CDN servers i2.wp.com - even when self hosted
it “suddenly” and without consent also exists on this server i2.wp.com, the “cool” wordpress CDN that is supposed to speed up loading time of a blog… well… not this blog eh? [...] no – this blog is NOT using jetpack site accelerator. also the option described is not available on self hosted wordpress. #wtf? wordpress – a giant content “sucking up ur content and storing it forever” machine? time for alternatives. if the visitor checks via Firefox -> F12 -> Network where the parts of this blog are coming from, they are all coming from dwaves.de and not some wordpress CDN for “faster loading time”. the only external content are the smileys: https://s.w.org/images/core/emoji/14.0.0/svg/1f61c.svg (those evil smileys probably “report back” to wordpress… how much that article was visited… and they (probably) sell it again… to G*** and M$ and whoever is willing to pay for that data)
