Language Selection

English French German Italian Portuguese Spanish

Security of open-source software again being scrutinized

Filed under
OSS

A recent round of flaws discovered in open-source software has reignited concerns that security is getting bypassed in the rush to continue expanding the large and extremely popular code base used by millions.

For instance, although the Java-based Spring Framework was criticized by security researchers in January as having a major flaw that allowed remote-code execution by attackers against applications built with it, the updates to Spring this week don't address this security problem.

"Unfortunately, this is the way a lot of open source vulnerabilities go," said Jeff Williams, CEO at Aspect Security, which pointed out two months ago that the "expression-language" feature in Spring should be disabled until the issue related to potential remote code execution is remediated. But the updates to Spring out this week don't address this problem, though they do expand Spring functionality. Spring Framework is managed under SpringSource, a division of VMware.

rest here




More in Tux Machines

FPGA add-on boards support Raspberry Pi, BeagleBone Black

Newark Element14’s new ValentFX Logi-Pi and Logi-Bone FPGA add-on boards for the Raspberry Pi and BeagleBone Black feature Arduino and PMOD hooks. We first covered the Logi-Pi and Logi-Bone Logi-Boards back in Sept. 2013 when ValentFX showed off prototypes at the New York Maker Faire. The Logi-Boards, which integrate Xilinx SPARTAN-6 XC6SLX9 FPGAs, and plug into the Linux-based Raspberry Pi or BeagleBone Black hacker boards, respectively, have now reached market, thanks to a partnership with Newark Element14. ValentFX and Newark have also launched a $45.48 Logi-Edu educational board add-on that purports to teach everyday hackers the mysteries of FPGA. Read more

AT&T to begin selling LG G Pad F 8.0 Android tablet on May 29

After releasing its own branded 8-inch Android tablet a mere two weeks ago, AT&T is giving itself some fresh competition. The mobile carrier has announced that it's bringing the LG G Pad F 8.0 to its customers starting on May 29. What's Hot on ZDNet The new model should not be confused with the LG G Pad 8.3, which, while being an older tablet, offers a slightly larger, higher-resolution screen and a faster processor. Rather, it's more of a bigger sibling to the LG G Pad 7.0 that was released late last year, coming with the same 1.2GHz quad-core Qualcomm Snapdragon 400 processor (compared to the 1.7GHz Snapdragon 600 inside the G Pad 8.3). Read more

Review: Kubuntu 15.04 "Vivid Vervet"

This month has been quite busy for me with classes. Now that the semester is finally over, I have a little more time, and that means I have enough time to do a review. It has been a few years since I've reviewed Kubuntu, the officially-supported variant of Ubuntu that uses KDE. Moreover, Kubuntu now features KDE 5 (I know the KDE naming and numbering system has become a lot more complicated, so this is, as a physicist might say, an intentional abuse of notation) as stable for the first time, so I figured I should try this version. I tried it as a live USB made with UnetBootin. Follow the jump to see what it's like. (It should become progressively clearer through this review why there are no pictures.) Read more

Open source data integration with Karma

Karma is a free, an open source data integration tool that makes it easy to convert data from a variety of formats into linked data. I recently attended a half-day workshop on Karma with Pedro Szekely, our instructor. He started by warning us that he knows very little about libraries, but a ton about data. The files we needed for the workshop were on GitHub, if you’re interested in checking it out. You can follow the tutorial steps on the Wiki, and, of course, you can find Karma itself on GitHub. Read more