
Security of open-source software again being scrutinized

Filed under
OSS

A recent round of flaws discovered in open-source software has reignited concerns that security review is being sidelined in the rush to keep expanding a large, extremely popular code base used by millions.

The Java-based Spring Framework is a case in point. In January, security researchers criticized it for a serious flaw that allows remote code execution against applications built with it, yet the Spring updates released this week leave that problem unaddressed.

"Unfortunately, this is the way a lot of open source vulnerabilities go," said Jeff Williams, CEO at Aspect Security. Two months ago the firm advised that the "expression-language" feature in Spring be disabled until the remote-code-execution issue is remediated. This week's Spring updates expand the framework's functionality but do not address it. Spring Framework is managed under SpringSource, a division of VMware.
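The article does not spell out what the "expression-language" problem looks like in practice. The issue Aspect Security described is double evaluation of JSP expression language (EL) in Spring's JSP tag library: the JSP container evaluates an attribute such as `text="${param.msg}"`, and the Spring tag then evaluates the resulting string as EL a second time, so an attacker who controls the request parameter gets their own EL executed. The page below is an added, constructed example, not code from the article or from the Spring project; the page name `greet.jsp`, the request parameter `msg` and the message key `greeting.default` are assumptions chosen for illustration, and it assumes a Spring 3.0.x/3.1 tag library with JSP EL support enabled.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Constructed example (not from the article or the Spring project).
     Assumed page: /greet.jsp. Assumed request from an attacker:
       GET /greet.jsp?msg=%24%7BapplicationScope%7D
     which decodes to msg=${applicationScope}. --%>

<%-- VULNERABLE: two rounds of EL evaluation.
     1. The JSP container resolves ${param.msg} to the raw parameter value,
        i.e. the string "${applicationScope}".
     2. Spring's <spring:message> tag passes its "text" attribute through its
        own EL evaluation (ExpressionEvaluationUtils), so that string is
        evaluated again and the attacker's EL runs with the page's privileges.
     With EL 2.1 this dumps application-scope attributes (information
     disclosure); with EL 2.2 method invocation it becomes code execution. --%>
<spring:message text="${param.msg}" />

<%-- HARDENED: JSTL <c:out> evaluates EL exactly once and HTML-escapes the
     result, so the attacker's "${applicationScope}" is emitted as literal
     text rather than being evaluated. --%>
<c:out value="${param.msg}" />

<%-- ALSO HARDENED: keep request data out of Spring tag attributes entirely
     and resolve a fixed message code ("greeting.default" is an assumed key). --%>
<spring:message code="greeting.default" htmlEscape="true" />
```

The "disable the feature" advice referred to in the article corresponds to switching off Spring's own EL evaluation for its JSP tags, which Spring 3.0.6 and later expose as a servlet context parameter in `web.xml`: `<context-param><param-name>springJspExpressionSupport</param-name><param-value>false</param-value></context-param>`. With that set, the second evaluation step above does not happen, and the JSP container's single evaluation is all that remains; request data rendered into pages should still go through an escaping tag such as `<c:out>`.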
