Hírolvasó

Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown).

The Linux Containers project has announced the release version 0.1 of the Incus system container and virtual-machine manager, which is a community-led fork of Canonical's LXD. Incus 0.1 "is roughly equivalent to LXD 5.18 but with a number of breaking changes on top of the obvious rename". There have been some changes made in the two months since the fork: With this initial release of Incus, we took the opportunity to remove a lot of unused or problematic features from LXD. Most of those changes are things we would have liked to do in LXD but couldn’t due to having strong guarantees around backward compatibility.

Incus will be similarly strict with backward compatibility in the future, but as this is the first release of the fork, it was our one big opportunity to change things.

That said, the API and CLI are still extremely close to what LXD has, making it trivial if not completely seamless to port from LXD to Incus.

There is an online version of Incus for those interested in giving it a try.

One of the significant features added to the mainline kernel during the 6.6 merge window was multi-grain timestamps, which allow the kernel to selectively store file modification times with higher resolution without hurting performance. Unfortunately, this feature also caused some surprising regressions, and was quickly ushered back out of the kernel as a result. It is instructive to look at how this feature went wrong, and how the developers involved plan to move forward from here.

Security updates have been issued by Debian (freerdp2, gnome-boxes, grub2, inetutils, lemonldap-ng, prometheus-alertmanager, python-urllib3, thunderbird, and vinagre), Fedora (freeimage, fwupd, libspf2, mingw-freeimage, thunderbird, and vim), Gentoo (c-ares, dav1d, Heimdal, man-db, and Oracle VirtualBox), Oracle (bind, bind9.16, firefox, ghostscript, glibc, ImageMagick, and thunderbird), Slackware (netatalk), SUSE (ImageMagick, nghttp2, poppler, python, python-gevent, and yq), and Ubuntu (bind9 and vim).

Linus has released 6.6-rc5 for testing. "Things are back to normal, and we have a networking pull this week."

Rafael Sadowski (rsadowski@) blogged about his participation in p2k23.

Perhaps most notable is his work in porting KDE Plasma.

Read all about it at https://rsadowski.de/posts/2023-10-09-p2k23-dublin-openbsd-hackathon/.

There is some further discussion of the work in a thread titled NEW: KDE Plasma (x11/kde-plasma) on the ports@ mailing list.

Red Hat has announced that its longstanding "rhsa-announce" mailing list will be shut down on October 10. That is the list that receives security advisories for Red Hat Enterprise Linux and a whole slew of related products. Anybody who was counting on that list for Red Hat security advisories will need to find an alternative; a few options are listed in the announcement.

The latest round of stable kernels, 6.5.6, 6.1.56, and 5.15.134, have been released. Each contains a fairly large collection of important fixes throughout the kernel tree.

On its surface, the BPF virtual machine resembles many other computer architectures; it has registers and instructions to perform the usual operations. But there is a key difference: BPF programs must pass the kernel's verifier before they can be run. The verifier imposes a long list of additional restrictions so that it can prove to itself that any given program is safe to run; getting past those checks can be a source of frustration for BPF developers. At the 2023 GNU Tools Cauldron, José Marchesi looked at the problem of compiling for verified architectures and how the compiler can generate code that will pass verification.

Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15).

Ferrous Systems has announced that its Ferrocene Rust compiler will be released under the Apache-2.0 and MIT licenses.

Ferrocene is the main Rust compiler - rustc - but quality managed and qualified for use in automotive and industrial environments (currently by ISO 26262 and IEC 61508) by Ferrous Systems. It operates as a downstream to the Rust project, further increasing its testing and quality on specific platforms.

The license is free, but this is not being run as an open-source project; specifically, contributions from the "general public" are not accepted.

Hardening the Linux kernel is an endless task, with work required on multiple fronts. Sometimes, that work is not done in the kernel itself; other tools, including compilers, can have a significant role to play. At the 2023 GNU Tools Cauldron, Qing Zhao covered some of the work that has been done in the GCC compiler to help with the hardening of the kernel — along with work that still needs to be done.

Security updates have been issued by Debian (chromium, libx11, and libxpm), Fedora (ckeditor, drupal7, glibc, golang-github-cncf-xds, golang-github-envoyproxy-control-plane, golang-github-hashicorp-msgpack, golang-github-minio-highwayhash, golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, golang-github-protobuf, golang-google-protobuf, nats-server, and pgadmin4), Red Hat (firefox and thunderbird), SUSE (chromium, exim, ghostscript, kernel, poppler, python-gevent, and python-reportlab), and Ubuntu (binutils, exim4, jqueryui, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-kvm, linux-oem-6.1, nodejs, and python-django).

A Johnson Controls egy multinacionális konglomerátum, amely ipari vezérlőrendszereket, biztonsági berendezéseket, klímaberendezéseket és tűzvédelmi berendezéseket fejleszt és gyárt. A vállalat közöte, hogy egy kiberbiztonsági incidens miatt informatikai rendszereinek egy részét leállította, a BleepingComputer információi szerint zsarolóvírus támadás áll a háttérben. Azóta a cég számos leányvállalata, köztük a York, a Simplex és a Ruskin is megkezdte a technikai leállásról szóló üzenetek megjelenítését a webhelyek bejelentkezési oldalain és az ügyfélkapukon.

The post Brutális ransomware támadás ért egy multinacionális vállalatcsoportot first appeared on Nemzeti Kibervédelmi Intézet.

A Certitude infokommunikációs tanácsadó cég két sérülékenységet talált a Cloudflare tanúsítvány kezelési rendszerében, amelyekkel a támadók megkerülhetik annak DDoS védelmét. A sérülékenység azon az előfeltevésen alapul, hogy a Cloudflare-től származó eredeti szerverre irányuló összes forgalom megbízható, míg a többi fél forgalmát el kell utasítani.

The post Cloudflare-rel a Cloudflare DDoS védelme ellen first appeared on Nemzeti Kibervédelmi Intézet.

Az észak-koreai „Lazarus” hacker csoport egy spanyol repülőgép ipari vállalat alkalmazottait célozta meg hamis munkalehetőségekkel, hogy egy korábban ismeretlen „LightlessCan” backdoor segítségével feltörjék a vállalati hálózatot.

The post Ügyes social engineering trükköt vetettek be észak-koreai hackerek first appeared on Nemzeti Kibervédelmi Intézet.

A NIST közzétette az operatív technológiák (OT) biztonságáról szóló legújabb útmutatójának végleges változatát.

The post A NIST kiadta a 800-82r3-as verziójú OT biztonsági útmutatót first appeared on Nemzeti Kibervédelmi Intézet.

Version 8.6 of rpki-client, the FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP), has been released.

This version includes new compliance checks, random shuffling of processing of Manifest entries, and [non-random!] code shuffling.

See the announcement for more details.

This is another hint that a new OpenBSD release is about to happen, and soon.

Jay Eptinxa has published a detailed write-up, entitled E-mail Filters In C, of his work creating a spamd(8)-like greylisting smtpd(8) filter.

Thanks to Crystal Kolipe for letting us know!

The LWN.net Weekly Edition for October 5, 2023 is available.