On April 21, Michael Tremer announced that a new maintenance release for IPFire, a Linux distribution that can be used by beginning and experienced system administrators alike to deploy a firewall, proxy server, or VPN gateway on their infrastructure without too much hassle, is available for download.
On October 29, 2014, the Drupal Security Team released advisory identifier DRUPAL-PSA-2014-003. This advisory informed administrators of Drupal-based Web sites that all Drupal-based Web sites utilizing vulnerable versions of Drupal should be considered compromised if they were not patched/upgraded before 2300 UTC on October 15, 2014 (seven hours following the initial announcement of the vulnerability in SA-CORE-2014-005).
In the case of the Drupageddon vulnerability, the database abstraction layer provided by Drupal included a function called expandArguments that was used to expand arrays supplying arguments to the SQL queries that support a Drupal installation. Because of the way this function was written, supplying an array with keys (rather than a plain, unkeyed array) as input to the function could be used to perform an SQL injection attack.
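To make the mechanism above concrete, here is an added, deliberately simplified Python model of the expansion pattern; it is not Drupal's expandArguments code, and the function names, the query template and the argument values are constructed for illustration. The naive version splices each array key straight into a placeholder name, so a key containing anything other than an identifier character leaks into the SQL text. The checked version discards caller-supplied keys and renumbers the values, and a small audit helper flags any query whose placeholders no longer line up with what is bound.

```python
import re
from typing import Any, Dict, Iterable, List, Tuple

# Constructed query template: one placeholder that callers may pass an array for.
QUERY = "SELECT name FROM users WHERE uid IN (:uids)"

PLACEHOLDER = re.compile(r":[A-Za-z0-9_]+")


def expand_args_naive(query: str, args: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """Flawed pattern (illustrative model, not Drupal's code).

    Every array-valued argument is replaced by one placeholder per element, and
    each new placeholder is named after the element's *key*. The key is trusted
    and copied verbatim into the SQL string, which is the weakness described above.
    """
    bound: Dict[str, Any] = {}
    for name, value in args.items():
        if isinstance(value, (list, dict)):
            items: Iterable = value.items() if isinstance(value, dict) else enumerate(value)
            new_names: List[str] = []
            for key, item in items:
                new_name = f"{name}_{key}"  # key lands in the SQL text unchecked
                new_names.append(new_name)
                bound[new_name] = item
            query = query.replace(name, ", ".join(new_names))
        else:
            bound[name] = value
    return query, bound


def expand_args_checked(query: str, args: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """Hardened variant (an assumption for this example, not necessarily the exact
    upstream fix): caller-supplied keys are ignored and values are renumbered
    positionally, so only 0, 1, 2, ... can ever reach the SQL string."""
    bound: Dict[str, Any] = {}
    for name, value in args.items():
        if isinstance(value, (list, dict)):
            values = list(value.values()) if isinstance(value, dict) else list(value)
            new_names = [f"{name}_{i}" for i in range(len(values))]
            for new_name, item in zip(new_names, values):
                bound[new_name] = item
            query = query.replace(name, ", ".join(new_names))
        else:
            bound[name] = value
    return query, bound


def is_safely_bound(query: str, bound: Dict[str, Any]) -> bool:
    """Audit check: every placeholder token in the final SQL must correspond to a
    bound parameter, and every bound name must be a clean placeholder token.
    Any mismatch means key material spilled into the query text."""
    tokens = set(PLACEHOLDER.findall(query))
    if any(PLACEHOLDER.fullmatch(n) is None for n in bound):
        return False
    return tokens == set(bound)


if __name__ == "__main__":
    # Normal, unkeyed input behaves the same under both variants.
    print(expand_args_naive(QUERY, {":uids": [7, 9]}))
    # A keyed array with a non-identifier key (constructed, harmless on its own)
    # shows the naive expansion leaking the key into the SQL text.
    leaky_query, leaky_bound = expand_args_naive(QUERY, {":uids": {"x y": 7}})
    print(leaky_query, is_safely_bound(leaky_query, leaky_bound))
    safe_query, safe_bound = expand_args_checked(QUERY, {":uids": {"x y": 7}})
    print(safe_query, is_safely_bound(safe_query, safe_bound))
```

The audit helper is the part a defender can reuse: run it over the (query, bindings) pair a database layer is about to execute, and any result of False points at argument material that ended up in the statement text rather than in a bound parameter.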
This open-source personal crypto-key vault wants two things: To make the web safer ... and your donations
Submitted by Rianne Schestowitz on Tuesday 14th of April 2015 10:01:44 PM
An open-source hardware project aimed at making the internet "a little bit safer" needs an influx of cash to continue its work.
The Cryptech effort was created following revelations from NSA whistleblower Edward Snowden that the US government and its pals are exploiting standards and weak crypto algorithms to gain access to citizens' private correspondence and documents.
Barnes is hoping for more people to move to HTTPS by limiting new browser features from becoming available over insecure HTTP, in the name of security. He wrote in a mailing list post, "In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security."
It’s been almost a year since the OpenSSL Heartbleed vulnerability, a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn’t mean it is of real risk to users.
Tor 0.2.6.7 Fixes Security Issues That Could Be Used by Attackers to Crash Hidden Services and Clients
Submitted by Rianne Schestowitz on Tuesday 7th of April 2015 08:53:02 AM
In an email, Linux Australia revealed that its servers were compromised during the morning of 22 March. Over the course of a few hours, the organisation believes, its databases containing conference information were dumped to an external source. A “currently unknown vulnerability” caused a buffer overflow that allowed the attacker to acquire root access.