News reader

The libwebp vulnerability that "started out" as a Chrome bug affects numerous applications

1 year 10 months ago

Two weeks ago Google patched the vulnerability tracked as CVE-2023-4863; security researchers later determined that its actual source is the widely used open-source libwebp library, which handles the WebP image format.

The post "The libwebp vulnerability that "started out" as a Chrome bug affects numerous applications" first appeared on Nemzeti Kibervédelmi Intézet.

NKI

More than 800 US schools hit by a cyberattack exploiting the MOVEit Transfer zero-day vulnerability

1 year 10 months ago

The US educational non-profit National Student Clearinghouse (NSC) has disclosed a data breach affecting 890 schools in the United States that use its services.

The post "More than 800 US schools hit by a cyberattack exploiting the MOVEit Transfer zero-day vulnerability" first appeared on Nemzeti Kibervédelmi Intézet.

NKI

Typosquatting technique – even a single-character difference in a web address matters

1 year 10 months ago

A new password-stealing malware has been discovered; to distribute it, cybercriminals sought to exploit the popularity of Bitwarden, the popular open-source password manager.

The post "Typosquatting technique – even a single-character difference in a web address matters" first appeared on Nemzeti Kibervédelmi Intézet.

NKI

[$] Security policies for GNU toolchain projects

1 year 10 months ago
While the CVE process was created in response to real problems, it's increasingly clear that CVE numbers are creating problems of their own. At the 2023 GNU Tools Cauldron, Siddhesh Poyarekar expressed the frustration that toolchain developers have felt as the result of arguing with security researchers about CVE-number assignments. In response, the GNU toolchain community is trying to better characterize what is — and is not — considered to be a security-relevant bug in its software.
corbet

Security updates for Thursday

1 year 10 months ago
Security updates have been issued by Debian (ncurses), Fedora (emacs, firecracker, firefox, libkrun, python-oauthlib, and virtiofsd), Mageia (glibc and vim), Oracle (18), SUSE (bind, binutils, busybox, cni, cni-plugins, container-suseconnect, containerd, curl, exempi, ffmpeg, firefox, go1.19-openssl, go1.20-openssl, gpg2, grafana, gsl, gstreamer-plugins-bad, gstreamer-plugins-base, libpng15, libwebp, mutt, nghttp2, open-vm-tools, pmix, python-brotlipy, python3, python310, qemu, quagga, rubygem-actionview-5_1, salt, supportutils, xen, and xrdp), and Ubuntu (libwebp, minidlna, puma, and python2.7, python3.5).
jake

[$] Moving the kernel to large block sizes

1 year 10 months ago
Using larger block sizes in the kernel for I/O is a recurring topic in storage and block-layer circles. The topic came up in discussions at the Linux Storage, Filesystem, Memory-Management and BPF Summit (LSFMM) back in May. One of the participants in those discussions, Hannes Reinecke, gave a talk at Open Source Summit Europe 2023 with an overview of the reasons behind using larger blocks for I/O, the current status of that work, and where it all might lead from here.
jake

Introduction to sysclean(8)

1 year 10 months ago

Many OpenBSD sysadmins find the sysclean(8) port useful for removing obsolete files following upgrades.

Sebastien Marie (semarie@), the author of sysclean(8), has written a piece giving an under-the-hood look at the operation of this handy utility. It's well worth reading for those interested in understanding how it works!

Security updates for Wednesday

1 year 10 months ago
Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, linux-raspi, and linux-raspi-5.4).
corbet

-current has moved to 7.4

1 year 10 months ago

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.4:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2023/09/26 07:27:32

Modified files:
	sys/conf       : newvers.sh

Log message:
we are heading out of -beta

For those unfamiliar with the process: this is not the 7.4 release, but is part of the standard build-up to the release.

Remember: It's time to start using "-D snap" with pkg_add (and pkg_info).

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

[$] AI from a legal perspective

1 year 10 months ago
The AI boom is clearly upon us, but there are still plenty of questions swirling around this technology. Some of those questions are legal ones and there have been lawsuits filed to try to get clarification—and perhaps monetary damages. Van Lindberg is a lawyer who is well-known in the open-source world; he came to Open Source Summit Europe 2023 in Bilbao, Spain to try to put the current work in AI into its legal context.
jake

Firefox 118.0 released

1 year 10 months ago
Version 118.0 of the Firefox browser has been released. Changes include improved fingerprinting prevention and automated translation: "Automated translation of web content is now available to Firefox users! Unlike cloud-based alternatives, translation is done locally in Firefox, so that the text being translated does not leave your machine."
corbet

Security updates for Tuesday

1 year 10 months ago
Security updates have been issued by Debian (exempi, glib2.0, lldpd, and netatalk), Fedora (curl, libppd, and linux-firmware), Oracle (kernel), and SUSE (Cadence, frr, modsecurity, python-CairoSVG, python-GitPython, and tcpreplay).
corbet

LibrePCB 1.0.0 Released

1 year 10 months ago
Version 1.0 of LibrePCB, the "free, cross-platform, easy-to-use electronic design automation suite to draw schematics and design printed circuit boards", has been released. As noted in a blog post back in May, a grant has helped spur development of the tool. The focus for the release has been on adding the features that were needed so that "there should be no show stopper anymore which prevents you from using LibrePCB for more complex PCB [printed circuit board] designs". New features include a 3D viewer and an export format for working with designs in a mechanical computer-aided design (CAD) tool, support for manufacturer part number (MFN) management, and many board editor features such as thermal relief pads in planes, blind & buried vias, keepout zones, and more. [Thanks to Alphonse Ogulla.]
jake

[$] The PuzzleFS container filesystem

1 year 10 months ago
The last year or so has seen the posting of a few new filesystem types that are aimed at supporting container workloads. PuzzleFS, presented at the 2023 Kangrejos gathering by Ariel Miculas, is another contender in this area, but it has some features of its own, including a novel compression mechanism and an implementation written in Rust.
corbet

Security updates for Monday

1 year 10 months ago
Security updates have been issued by Debian (bind9, elfutils, flac, ghostscript, libapache-mod-jk, lldpd, and roundcube), Fedora (linux-firmware, roundcubemail, and thunderbird), Mageia (curl, file, firefox/thunderbird, ghostpcl, libtommath, and nodejs), Oracle (kernel, open-vm-tools, qemu, and virt:ol and virt-devel:rhel), SUSE (bind, busybox, djvulibre, exempi, ImageMagick, libqb, libssh2_org, opera, postfix, python, python36, renderdoc, webkit2gtk3, and xrdp), and Ubuntu (accountsservice and open-vm-tools).
jake

Kernel prepatch 6.6-rc3

1 year 11 months ago
The third 6.6 kernel prepatch is out for testing.

Unusually, we have a large chunk of changes in filesystems. Part of it is the vfs-level revert of some of the timestamp handling that needs to soak a bit more, and part of it is some xfs fixes. With a few other filesystem fixes too.

The multi-grain timestamp changes turned out to cause the occasional regression (timestamps that could appear to go backward) and were taken back out.

corbet

Viable ROP-free roadmap for i386/armv8/riscv64/alpha/sparc64

1 year 11 months ago

Theo de Raadt (deraadt@) posted to tech@ a detailed message explaining the past and (potential) future of anti-ROP measures in OpenBSD.

It's well worth reading its entirety. Highlights include:

Years later, Todd Mortimer and I developed RETGUARD. At the start of that initiative he proposed we protect all functions, to try to guard all the RET instructions, and therefore achieve a state we call "ROP-free". I felt this was impossible, but after a couple hurdles the RETGUARD performance was vastly better than the stack protector and we were able to protect all functions and get to ROP-free (on fixed-sized instruction architectures). Performance was acceptable to trade against improved security. […] We were able to enable RETGUARD on all functions because it was fast. […] On the other hand the RETGUARD approach uses an illegal instruction (of some sort), which is a speculation barrier. That prevents the cpu from heading off into an alternative set of weeds. It will go decode more instructions along the post-RET execution path. I filed that idea as interesting but did nothing with it. Until now.

Like we said earlier, it is worth reading the whole thing! This points forward to some remarkable improvements on several architectures, and those changes could be a clear benefit for other systems too.