Security Leftovers
Date: 2022-05-18
Security updates for Thursday [LWN.net]
Security updates have been issued by Debian (mailman and python-bottle), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, subversion:1.14, and xz), Scientific Linux (python-twisted-web), Slackware (httpd), and Ubuntu (ca-certificates, ffmpeg, ghostscript, and varnish).
Symbiote: A Stealthy Linux Malware Targeting Latin American Financial Sector [Ed: The key question should be, how does such malware get there in the first place and does it have anything at all to do with Linux?]
Symbiote: a new, nearly-impossible-to-detect Linux threat
[Old] The Three Pillars of Reproducible Builds
Over the past year, software engineers have lived through the shock of infiltrated or intentionally broken NPM packages, supply chain attacks, long-unnoticed backdoors, the emergence of dependency confusion threats, and more. This has created a firestorm of activity around how to securely build software. Many organizations, from the Linux Foundation to the United States government, are calling for and building new practices and regulations, and one of the primary threads is around “reproducible builds.”
Guidelines for Getting to Reproducible Builds
A reproducible build “produces the same byte-for-byte output no matter what computer you run on, what time you run it, and what external services are accessible from the network,” states FOSSA.
And, reproducible builds can strengthen software supply chain security, but getting there can be challenging. This article outlines some guiding principles for designing reproducible builds.
“Legacy” cryptography in Fedora 36 and Red Hat Enterprise Linux 9
Fedora 36 and Red Hat Enterprise Linux 9 (RHEL 9) are out, and both ship with OpenSSL 3 that has tighter security defaults and a brand new "provider" architecture. While users were testing the beta and other development versions, issues in interoperability with servers and devices such as Wi-Fi access points showed up and caused some confusion between various uses of the rather overloaded word "legacy" that we would like to clear up.
Regolith Desktop 2.0 is Out with Many Changes
Regolith desktop 2.0 aims to meet the needs of those who seek a fast and efficient desktop Linux experience controlled (primarily) from the keyboard. Regolith pairs the i3 tiling window manager with GNOME Flashback, and adds in an assortment of other open-source components to deliver a curated, keyboard-driven UX. And there are some big changes since the Regolith 1.6 release from last summer.
Videos/Audiocasts/Shows: Enterprise Linux Security, Linux Action News, BSD Now, and More
Stable Kernels: 5.18.3, 5.17.14, 5.15.46, and 5.10.121
I'm announcing the release of the 5.18.3 kernel. All users of the 5.18 kernel series must upgrade.
The updated 5.18.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.18.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-s...
thanks, greg k-h
Also: Linux 5.17.14, Linux 5.15.46, Linux 5.10.121
Security Leftovers
