Researchers at cloud security company Qualys have discovered a major security hole, GHOST (CVE-2015-0235), in the Linux GNU C Library (glbibc). This vulnerability enables hackers to remotely take control of systems without even knowing any system IDs or passwords.
Qualys alerted the major Linux distributors about the security hole quickly and most have now released patches for it. Josh Bressers, manager of the Red Hat product security team said in an interview that, "Red Hat got word of this about a week ago. Updates to fix GHOST on Red Hat Enterprise Linux (RHEL) 5, 6, and 7 are now available via the Red Hat Network."
This hole exists in any Linux system that was built with glibc-2.2, which was released on November 10, 2000. Qualys found that the bug had actually been patched with a minor bug fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18.
Today we released Plasma 5.2 and this new release comes with two fixes for security vulnerabilities in our screen locker implementation. As I found, exploited, reported and fixed these vulnerabilities I decided to put them a little bit into context.
The first vulnerability concerns our QtQuick user interface for the lock screen. Through the Look and Feel package it was possible to send the login information to a remote location. That’s pretty bad but luckily also only a theoretical problem: we have not yet implemented a way to install new Look and Feel packages from the Internet. So we found the issue before any harm was done.
There is no shortage of security-focused Linux distributions on the market, and among them is Pentoo Linux. While some security-focused Linux distributions concentrate on privacy, like Tails, others like Kali Linux and Pentoo focus on security research, providing tools that enable research and penetration testing. Pentoo Linux differentiates itself from other security Linux distributions in a number of ways. The primary difference is the fact that Pentoo is based on Gentoo Linux, which is a source-based Linux distribution that uses the Portage package-management system. Gentoo has capabilities known as "Hardened Gentoo," which Pentoo also inherits, providing users with additional security configuration and control for the Linux distribution itself. Pentoo 2015 RC 3.7 was released Jan. 5, providing updated tools and features. Among the new features is the integrated ability to verify that the distribution files have not been corrupted. Pentoo provides many applications for security analysis, including wireless, database, exploit, cracking and forensic tools. In this slide show, eWEEK looks at key features and tools in the Pentoo 2015 RC3.7 release.
Open source software vendors do something akin to selling air: They get people to pay for something that easily, and perfectly legally, can be had for free. But added security is becoming an increasingly important part of the value proposition, as Red Hat (RHT), maker of one of the leading Linux enterprise distributions, emphasized this week in a statement on its software subscriptions.
Tor is apparently no longer a safe place to run a marketplace for illegal goods and services. With the alleged operator of the original Silk Road marketplace, Ross Ulbricht, now going to trial, the arrest of his alleged successor and a number of others in a joint US-European law enforcement operation, and the seizure of dozens of servers that hosted "hidden services" on the anonymizing network, the operators of the latest iteration of Silk Road have packed their tents and moved to a new territory: the previously low-profile I2P anonymizing network.