Security

Security News

Filed under
Security
  • Security advisories for Friday
  • Oh, the security!

    This security concern has only arisen because of using third-party parsers (well, in the case of the GStreamer vulnerability in question, decoders; why a parsing facility like GstDiscoverer triggers decoding is another question worth asking), and this parsing of content happens in exactly one place in your common setup: tracker-extract.

  • Patch for CVE-2016-8655 Issue Now Available for CloudLinux OS 7 KernelCare Users

    Just the other day we reported on the general availability of a kernel update for the shared hosting-oriented CloudLinux OS 7 operating system, and today a new patch is available for those running KernelCare.

    If you're not familiar with KernelCare, it's a commercial kernel live patching technology developed and provided by CloudLinux for its CloudLinux OS users. We've discussed CloudLinux's KernelCare in a previous report if you're curious to test drive it.

Three serious Linux kernel security holes patched

Filed under
Linux
Security

The good news is developers are looking very closely at Linux's core code for possible security holes. The bad news is they're finding them.

At least the best news is that they're fixing them as soon as they're uncovered.

The latest three kernel vulnerabilities are designated CVE-2016-8655, CVE-2016-6480, and CVE-2016-6828. Of these, CVE-2016-8655 is the worst of the bunch. It enables local users, which can include remote users with virtual and cloud-based Linux instances, to crash the system or run arbitrary code as root.

Read more

Antivirus Live CD 21.0-0.99.2 Helps You Protect Your Computer Against Viruses

Filed under
Security

4MLinux developer Zbigniew Konojacki proudly informs Softpedia today about the general availability of the Antivirus Live CD 21.0-0.99.2 bootable ISO image for scanning computers for viruses and other malware.

Read more

Security News

Filed under
Security

Canonical Outs Live Patch Kernel Update for Ubuntu 16.04 to Patch Security Flaws

Filed under
Security
Ubuntu

Just one day after announcing the availability of new kernel versions for all of its supported Ubuntu Linux operating systems, Canonical published a new kernel live patch security notice for Ubuntu 16.04 LTS (Xenial Xerus).

Read more

Security News

Filed under
Security
  • News in brief: DirtyCOW patched for Android; naked lack of security; South Korea hacked
  • Millions exposed to malvertising that hid attack code in banner pixels

    Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

  • Backdoor accounts found in 80 Sony IP security camera models

    Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version.

    Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price.

    One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.

  • I'm giving up on PGP

    After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys.

    This is not about the gpg tool itself, or about tools at all. Many already wrote about that. It's about the long term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.

Ubuntu Core has the keys to IoT security

Filed under
Security
Ubuntu

In October, a DDoS attack on Dyn's infrastructure took down a big chunk of the internet, making sites like Amazon and Twitter inaccessible. It was the first major attack involving IoT (internet of things) devices. Fortunately, it was also a benign attack: no one got hurt, no one died.

However, the next attack could be catastrophic. No one knows when it will happen. No one knows the magnitude.

Read more

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • There’s a new DDoS army, and it could soon rival record-setting Mirai

    For almost three months, Internet-of-things botnets built by software called Mirai have been a driving force behind a new breed of attacks so powerful they threaten the Internet as we know it. Now, a new botnet is emerging that could soon magnify or even rival that threat.

    The as-yet unnamed botnet was first detected on November 23, the day before the US Thanksgiving holiday. For exactly 8.5 hours, it delivered a non-stop stream of junk traffic to undisclosed targets, according to this post published Friday by content delivery network CloudFlare. Every day for the next six days at roughly the same time, the same network pumped out an almost identical barrage, aimed at a small number of targets mostly on the US West Coast. More recently, the attacks have run for 24 hours at a time.

  • Open source Roundcube webmail can be attacked ... by sending it an e-mail

    The developers of open source webmail package Roundcube want sysadmins to push in a patch, because a bug in versions prior to 1.2.3 let an attacker crash it remotely – by sending what looks like valid e-mail data.

    The authors overlooked sanitising the fifth argument (the _from parameter) in mail() – and that meant someone only needed to compose an e-mail with malicious info in that argument to attack Roundcube.

    [...]

    Roundcube posted a patch to GitHub at the end of November, and issued a version 1.2.3 here.

  • Latest Android security update fixes Dirty COW, GPS vulnerabilities
  • Open Source Flaws Found in Security Software

    Yet another industry survey has flagged open source software that according to one estimate accounts for half of the global code base as a growing security threat. Moreover, a review released by Flexera Software also found that the very security products designed to protect IT infrastructure are themselves riddled with vulnerabilities embedded in open source software.

FFmpeg 3.2.2 "Hypatia" Open-Source Multimedia Framework Released with 30 Fixes

Filed under
OSS
Security

Today, December 6, 2016, the development team behind the powerful, open-source, free, and cross-platform FFmpeg multimedia framework released a new maintenance update in the FFmpeg 3.2 "Hypatia" series.

Read more

Security News

Filed under
Security