Security

KDE Plasma 5.18.4 LTS Desktop Environment Brings More Than 40 Fixes

Filed under
KDE
Security

Coming three weeks after the Plasma 5.18.3 point release, which introduced a bunch of Flatpak improvements and more than 60 fixes, the KDE Plasma 5.18.4 LTS release is here to add more than 40 bug fixes to various core components of the desktop environment.

Among the changes, there’s improved support for the upcoming Qt 5.15 application framework for Breeze and libksysguard components and better support for the fwupd open-source daemon for installing firmware updates on devices in the Discover package manager.

Flatpak support in Discover was also improved by fixing two issues. Moreover, XSettingsd was added as a runtime dependency of KDE GTK Config, kwallet-pam now works with pam_fscrypt, and KWin now allows the creation of more than one row on the “Virtual Desktops” settings page.

Read more

Critical Linux Kernel Vulnerability Patched in Ubuntu 19.10 and 18.04.4 LTS

Filed under
Linux
Security
Ubuntu

Discovered by Manfred Paul, the security vulnerability (CVE-2020-8835) was found in the Linux kernel's BPF (Berkeley Packet Filter) verifier, which incorrectly calculated register bounds for certain operations.

This could allow a local attacker to either expose sensitive information (kernel memory) or gain administrative privileges and run programs as the root user.

The security issue affects all Ubuntu 19.10 (Eoan Ermine) and Ubuntu 18.04.4 LTS (Bionic Beaver) releases running Linux kernel 5.3 on 64-bit, Raspberry Pi, KVM, as well as cloud environments like AWS, Azure, GCP, GKE, and Oracle Cloud.

Read more
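A verifier bug like the one above is only reachable by an unprivileged local user if the kernel lets such users load BPF programs at all, which is governed by the kernel.unprivileged_bpf_disabled sysctl. The check below is an added example, not code from the Ubuntu advisory or from the article: it classifies that sysctl value, parses `uname -r` into a kernel series, and reports whether the verifier is reachable without privileges. The functions take the sysctl value and release string as arguments, so they can be run against a snapshot from another host; only main() reads the live system. The meaning of value 2 applies to newer kernels that support it.

```python
"""Report whether unprivileged local users can reach the kernel's BPF verifier.

Added example; not code from the article or from Ubuntu. The sysctl path and
the meaning of its values (0/1/2) are the kernel's own; everything else here
is illustrative.
"""
from __future__ import annotations

import platform
from pathlib import Path

SYSCTL_PATH = Path("/proc/sys/kernel/unprivileged_bpf_disabled")


def classify_unprivileged_bpf(raw: str) -> str:
    """Map the sysctl value to what it means for a local, unprivileged attacker."""
    value = raw.strip()
    if value == "0":
        return "enabled"           # any local user may load (some) BPF programs
    if value == "1":
        return "disabled-locked"   # disabled; cannot be re-enabled without a reboot
    if value == "2":
        return "disabled"          # disabled, but root may set it back to 0 (newer kernels)
    raise ValueError(f"unexpected unprivileged_bpf_disabled value: {raw!r}")


def kernel_series(release: str) -> tuple[int, int]:
    """'5.3.0-42-generic' -> (5, 3). The distro suffix after '-' is ignored."""
    major, minor = release.split("-", 1)[0].split(".")[:2]
    return int(major), int(minor)


def assess(sysctl_raw: str, release: str) -> dict:
    """Summarise exposure of the BPF verifier to unprivileged local users."""
    state = classify_unprivileged_bpf(sysctl_raw)
    return {
        "kernel": release,
        "unprivileged_bpf": state,
        # The advisory names the 5.3 kernels of Ubuntu 19.10 / 18.04.4. A patched
        # kernel is still 5.3.x, so this flag means "check the distro advisory",
        # not "vulnerable".
        "in_5_3_series": kernel_series(release) == (5, 3),
        "verifier_reachable_unprivileged": state == "enabled",
    }


def main() -> None:
    result = assess(SYSCTL_PATH.read_text(), platform.release())
    for key, val in result.items():
        print(f"{key}: {val}")
    if result["verifier_reachable_unprivileged"]:
        # Setting 1 is one-way until reboot; do it deliberately.
        print("mitigation: sysctl -w kernel.unprivileged_bpf_disabled=1")


if __name__ == "__main__":
    main()
```

Disabling unprivileged BPF does not fix the verifier; root (CAP_SYS_ADMIN on these kernels) can still load programs. It removes the unprivileged local attack surface until the patched kernel is installed and booted.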

WireGuard 1.0.0 for Linux 5.6 Released

Filed under
Linux
Security

Hi folks,

Earlier this evening, Linus released [1] Linux 5.6, which contains our
first release of WireGuard. This is quite exciting. It means that
kernels from here on out will have WireGuard built-in by default. And
for those of you who were scared away prior by the "dOnT uSe tHiS
k0de!!1!" warnings everywhere, you now have something more stable to
work with.

The last several weeks of 5.6 development and stabilization have been
exciting, with our codebase undergoing a quick security audit [3], and
some real headway in terms of getting into distributions.

We'll also continue to maintain our wireguard-linux-compat [2]
backports repo for older kernels. On the backports front, WireGuard
was backported to Ubuntu 20.04 (via wireguard-linux-compat) [4] and
Debian Buster (via a real backport to 5.5.y) [5]. I'm also maintaining
real backports, not via the compat layer, to 5.4.y [6] and 5.5.y [7],
and we'll see where those wind up; 5.4.y is an LTS release.

Meanwhile, the usual up-to-date distributions like Arch, Gentoo, and
Fedora 32 will be getting WireGuard automatically by virtue of having
5.6, and I expect these to increase in number over time.

Enjoy!
Jason

Read more

Also: WireGuard 1.0.0 Christened As A Modern Secure VPN Alternative To OpenVPN/IPsec

Security and FUD

Filed under
Security
  • Surviving the Frequency of Open Source Vulnerabilities

    One hurdle in any roll-your-own Linux platform development project is getting the necessary tools to build system software, application software, and the Linux kernel for your target embedded device. Many developers use a set of tools based on the GNU Compiler Collection, which requires two other software packages: a C library used by the compiler; and a set of tools required to create executable programs and associated libraries for your target device. The end result is a toolchain.

    [...]

    In preference to working on features or product differentiation, developers often spend valuable time supporting, maintaining, and updating a cross-compilation environment, Linux kernel, and root file system. All of which requires a significant investment of personnel and a wide range of expertise.

  • Netgate® Extends Free pfSense® Support and Lowers pfSense Support Subscription Pricing to Aid in COVID-19 Relief

    Free zero-to-ping support, free VPN configuration and connection support, free direct assistance for first responder | front line healthcare agencies, and reduced pfSense TAC support subscription prices all introduced

  • How the hackers are using Open Source Libraries to their advantage [Ed: Conflating hackers with crackers]

    Ben Porter, Chief Product Officer at Instaclustr, writes about how the potential of Open Source Libraries must be balanced with the growing risk of library jacking by hackers.

  • Three Cases Where the Open Source Model Didn't Work [Ed: Lots of anti-GPL FUD and not taking any account of Microsoft crimes, monopoly abuse, bribes and blackmail]

    So, why didn’t the open source model work in these three cases?

    The main reason is that in all of these cases, data structure specs and the description of algorithms are not the most important piece of the picture.

    The root of the problem is in the variety of real-life situations where bugs and failures may occur and lead to data-loss situations, which is a total no-go in the real world.

    Successful though the open source community has been in creating open source programs and platforms, that is still no guarantee of industrial-grade software development(3). The core of success in developing a highly reliable solution is a carefully nurtured auto-test environment. This assures a careful track record and in-depth analysis for every failure, as well as an effective workflow, making sure any given bug or failure never repeats. It’s obvious that building such an environment can take years, if not decades, and the main thing here is not to know how something should work according to specs, but to know how and where exactly it fails. In other words, the main problem is not the resources needed to develop the code; the main problem is the time needed to build up reliable test coverage that will provide a sufficient barrier against data-loss bugs.

    Another problem with open source is that it is usually accompanied by a GPL license. This limits the contribution to such projects almost solely to the open source community itself. One of the major requirements of the GPL license is to disclose changes to source code in case of further distribution, making it pointless for commercial players to participate.

Grsecurity maker finally coughs up $300k to foot open-source pioneer Bruce Perens' legal bill in row over GPL

Filed under
Linux
Security
Legal

After three years of legal wrangling, the defamation lawsuit brought by Brad Spengler and his company Open Source Security (OSS) against open-source pioneer Bruce Perens has finally concluded.

It was clear that the end was nigh last month when California's Ninth Circuit Court of Appeals affirmed a lower court ruling against the plaintiffs.

Spengler and OSS sued Perens for a June 2017 blog post in which Perens ventured the opinion that grsecurity, Open Source Security's Linux kernel security enhancements, could expose customers to potential liability under the terms of the General Public License (GPL).

OSS says that customers who exercise their rights to redistribute its software under the GPL will no longer receive software updates – the biz wants to be paid for its work, a problem not really addressed by the GPL. Perens, the creator of the open-source definition, pointed out that section six of the GPLv2 prohibits modifications of the license terms.

Read more

Security Leftovers

Filed under
Security
  • Russian [Attackers] Exploited Windows Flaws in Attacks on European Firms

    Analysis of the infrastructure used by the [attackers] led to the discovery of an executable named comahawk.exe that incorporated two local privilege escalation exploits targeting Windows.

    The vulnerabilities, tracked as CVE-2019-1405 and CVE-2019-1322, were patched by Microsoft in November 2019 and October 2019, respectively. Microsoft’s advisories for both these flaws say “exploitation [is] less likely”.

    In mid-November 2019, NCC Group, whose researchers reported the vulnerabilities to Microsoft, published a blog post describing the weaknesses. Shortly after, someone made public an exploit named COMahawk that weaponizes CVE-2019-1405 and CVE-2019-1322.

  • Global insurer Chubb hit by Maze ransomware: claim [iophk: Windows TCO]

    According to its own website, Chubb had more than US$177 billion (A$291 billion) in assets and reported US$40 billion of gross premiums in 2019. The company says it has offices in Zurich, New York, London, Paris and other locations, and has more than 30,000 employees.

    iTWire contacted Chubb's Australian office for comment. A spokesperson responded: "We are currently investigating a computer security incident that may involve unauthorised access to data held by a third-party service provider.

  • Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links

    A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links lead users to the actual news sites, they also use a hidden iframe to load and execute malicious code. The malicious code contains exploits that target vulnerabilities present in iOS 12.1 and 12.2. Users who click on these links with at-risk devices will download a new iOS malware variant, which we have called lightSpy (detected as IOS_LightSpy.A).

Security: The Keyring Concept in Ubuntu, Phishing and Malicious JavaScript

Filed under
Security

Tails Call for testing: 4.5~rc1

Filed under
Security
Web
Debian

Tails 4.5, scheduled for April 7, will be the first version of Tails to support Secure Boot.

You can help Tails by testing the release candidate for Tails 4.5 now.

Read more

Security: Free Software Patches, Microsoft and Apple Failures and FSCRYPT in Linux

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).

  • Unpatched bug in iOS 13.3.1 and later stops VPNs from encrypting all connections

    An ongoing security vulnerability in iPhones and iPads is keeping VPN applications from doing their job. For iOS versions 13.3.1 and later, this bug remains unpatched and has been rated with a 5.3 CVSS v3.1 base score. When a VPN connection is initiated on iOS, all existing internet connections by the operating system and other applications are supposed to be terminated and then restarted inside the VPN app’s encrypted tunnel, so that no third party is able to see your device’s IP address. The VPN bypass bug in iOS 13.3.1 and later causes some existing connections to continue over their original path, outside the VPN’s encryption, which is a security and privacy concern. This means that people on the same network could snoop on the unprotected data stream, and the endpoints of the unprotected connections are still able to see your device’s IP address.

  • Microsoft Issues Windows 10 Update Warning

    Picked up by the always-excellent Bleeping Computer and Windows Latest, Microsoft has announced that both its big March 2020 update and a new patch issued to fix buggy antivirus scans within Windows 10 have severe side-effects which users need to know about.

  • FSCRYPT Inline Encryption Revised For Better Encryption Performance On Modern SoCs

    It remains to be seen if it will make it for the upcoming Linux 5.7 kernel merge window, but the FSCRYPT inline encryption functionality has now made it up to its ninth revision for offering better file-system encryption performance on modern mobile SoCs.

    FSCRYPT inline encryption came out at the end of last summer. Compared to the existing FSCRYPT file-system encryption/decryption, where the work is left to the file-system and Linux's crypto API, inline encryption/decryption shifts the work to the block layer as part of the bio (block I/O request), which lets the inline crypto hardware found in modern mobile SoCs do the work.
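The iOS VPN item above describes a failure mode that is easy to miss: a socket opened before the tunnel came up keeps its original source address and is never re-homed onto the tunnel, so it stays visible on the local network. The script below is an added example, not code from the article, from Apple or from any VPN vendor. It parses a Linux `ss -tun`-style socket table (iOS has no `ss`, but the logic applies to any socket listing) and reports every established connection whose local address is not the tunnel's, while excluding the tunnel's own outer transport, which is legitimately in the clear, and loopback/LAN traffic. The socket table, tunnel subnet, VPN server address and LAN subnet are constructed sample data.

```python
"""Flag connections that are bypassing a VPN tunnel.

Added example; not code from the article or from any VPN vendor. SAMPLE_SS,
TUNNEL_NET, VPN_SERVER and LAN_NETS are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from typing import NamedTuple

# Constructed sample: what `ss -tun` might print on a client whose VPN assigned
# it 10.8.0.2 and whose LAN address is 192.168.1.23.
SAMPLE_SS = """\
Netid State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   ESTAB     0      0      192.168.1.23:60120   203.0.113.1:51820
tcp   ESTAB     0      0      10.8.0.2:51344       198.51.100.20:443
tcp   ESTAB     0      0      192.168.1.23:49822   198.51.100.7:443
tcp   ESTAB     0      0      192.168.1.23:55120   203.0.113.44:993
tcp   ESTAB     0      0      192.168.1.23:40001   192.168.1.1:22
tcp   ESTAB     0      0      127.0.0.1:54000      127.0.0.1:631
tcp   ESTAB     0      0      [::1]:39912          [::1]:8080
tcp   TIME-WAIT 0      0      192.168.1.23:41000   198.51.100.9:80
"""
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")            # addresses inside the tunnel
VPN_SERVER = (ipaddress.ip_address("203.0.113.1"), 51820)   # the tunnel's outer endpoint
LAN_NETS = (ipaddress.ip_network("192.168.1.0/24"),)        # traffic that never enters the VPN


class Conn(NamedTuple):
    netid: str
    state: str
    local_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    local_port: int
    peer_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    peer_port: int


def _endpoint(text: str):
    """'[::1]:8080' or '10.8.0.2:443' -> (ip, port). Raises ValueError on '*'."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_ss(output: str) -> list[Conn]:
    """Parse `ss -tn` or `ss -tun` output; the Netid column is optional."""
    rows = [line.split() for line in output.strip().splitlines()]
    if not rows:
        return []
    offset = 1 if rows[0][0] == "Netid" else 0
    conns = []
    for parts in rows[1:]:
        if len(parts) < offset + 5:
            continue
        try:
            local_ip, local_port = _endpoint(parts[offset + 3])
            peer_ip, peer_port = _endpoint(parts[offset + 4])
        except ValueError:
            continue  # wildcard or malformed endpoint
        netid = parts[0] if offset else "tcp"
        conns.append(Conn(netid, parts[offset], local_ip, local_port, peer_ip, peer_port))
    return conns


def find_bypasses(conns, tunnel_net, vpn_server, lan_nets=()):
    """Established connections that should be inside the tunnel but are not."""
    leaks = []
    for c in conns:
        if c.state != "ESTAB":
            continue
        if c.local_ip in tunnel_net:
            continue  # carried by the VPN
        if (c.peer_ip, c.peer_port) == vpn_server:
            continue  # the tunnel's own transport is expected to be in the clear
        if c.peer_ip.is_loopback or any(c.peer_ip in net for net in lan_nets):
            continue  # local traffic that is normally routed around the tunnel
        leaks.append(c)
    return leaks


def main() -> None:
    for c in find_bypasses(parse_ss(SAMPLE_SS), TUNNEL_NET, VPN_SERVER, LAN_NETS):
        print(f"bypass: {c.netid} {c.local_ip}:{c.local_port} -> {c.peer_ip}:{c.peer_port}")


if __name__ == "__main__":
    main()
```

On the sample, the two TCP sessions sourced from 192.168.1.23 to external hosts are reported; the UDP socket to the VPN server, the session already sourced from 10.8.0.2, the SSH session to the router and the loopback sockets are not. The LAN exclusion is deliberate: if a VPN profile is supposed to cover LAN traffic too, pass an empty lan_nets and the router session is reported as well. The practical remedy for the bug described above, until it is patched, is to drop the leaked connections (airplane mode on and off, or a reboot after the VPN is up) and re-run the check.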

pfSense 2.4.5-RELEASE Now Available

Filed under
Security
BSD

We are pleased to announce the release of pfSense® software version 2.4.5, now available for new installations and upgrades!

pfSense software version 2.4.5 brings security patches, several new features, support for new Netgate hardware models, and stability fixes for issues present in previous pfSense 2.4.x branch releases.

pfSense 2.4.5-RELEASE updates and installation images are available now!

To see a complete detailed list of changes, see the Release Notes.

Read more

More in Tux Machines

Remote support options for sysadmins

As a sysadmin, you do support—support for local users as level I, II, III, or all of the above. You might have even supported remote users. Maybe your office environment was once 100 percent local and you had no remote support duties. But now, your job might be completely supporting remote users and systems. Great news, huh? Well, there's hope. Using some great remote support tools, you can still do your job just as efficiently from a distance as you could with walk-up access. Sure, it's a little more difficult, but once you establish your support tools and workflow, you might never return to a traditional office. This article highlights support tools for a new age of remote support.

Remote support is difficult. To get an idea of just how difficult it is, I've only known one person in more than twenty years of working as a sysadmin who actually enjoyed supporting remote users. It was great for the rest of the team because we could just reassign tickets to him and away he'd go on them. For the rest of us, we felt like we were trying to wash dishes from across the room without really seeing the dishes. These remote support options will help you support your users without the frustration of a click-by-click follow-along session. You'll be able to see everything that's going on or actually perform the work yourself.

Read more

today's howtos

New GNOME Mobile Shell Mockups Tease a Tactile Future on Tablets

With Phosh, the mobile face of GNOME Shell, taking shape on phones it’s not a major leap to start thinking about how the GNOME user experience might function on larger screen sizes. Like, say a tablet. Despite some folks thinking that GNOME Shell is a touch-focused UI, it isn’t. In fact, it’s pretty tedious to use without a keyboard or a mouse. Same was true of Unity, RIP. To succeed in a finger-driven environment you need a finger-driven interface. Just like the one on show in “very experimental” concept images recently shared by GNOME designer Tobias Bernard on the GNOME design Gitlab. Tobias is lead UI/UX designer at Purism and works directly on Phosh.

Read more

Also in GNOME today: Georges Basile Stavracas Neto: Timelines on Calendar

Audiocasts/Shows: Linux in the Ham Shack, Linux Headlines, and Going Linux

  • LHS Episode #337: SDRAngel Deep Dive

    Hello and welcome to Episode 337 of Linux in the Ham Shack. In this episode, the hosts take a deep dive into the shallow end of SDRAngel. The project is a GPLv3 licensed, modular front end and headless server for connecting to and operating SDR receivers and transceivers. Discussion includes where to find the software, how to build it, basic operation with broadcast FM stations, DMR, SSB, CW and more. Take a look. Try it out. Have fun with SDR. Hope you enjoy!

  • 2020-04-07 | Linux Headlines

    Microsoft proposes a new Linux kernel security mechanism, Firefox 75 rolls out significant changes, the Cloud Native Computing Foundation adopts Argo, and The Linux Foundation aims to boost adoption of the seL4 secure microkernel.

  • Going Linux #389 · Listener Feedback

    Bill burns out on distrohopping after providing multiple release reviews. Our listeners provide feedback on new user recommendations, hard drive mounting, encryption, trying Linux via USB, and the Linux Spotlight interview. We answer questions on security audit results.

    Episode 389 Time Stamps
    00:00 Going Linux #389 · Listener Feedback
    01:43 Bill burns out on distro hopping
    02:24 but he has some feedback on a few releases
    02:46 Linux Mint 19.3
    03:24 Linux Mint Debian Edition 4
    04:38 EndeavourOS
    07:13 ArcoLinux
    10:19 openSUSE
    12:16 Ubuntu MATE
    14:49 Zorin
    17:55 New user recommendations
    24:22 Gregory: Hard drive mounting
    27:28 Gregory: Great interview
    30:09 John: Security audit recommendations
    34:19 George: Paul's encryption problem
    37:57 David: Linux via USB
    44:09 goinglinux.com, goinglinux@gmail.com, +1-904-468-7889, @goinglinux, feedback, listen, subscribe
    45:17 End