News reader

LibrePCB 1.0.0 Released

1 year 10 months ago
Version 1.0 of LibrePCB, the "free, cross-platform, easy-to-use electronic design automation suite to draw schematics and design printed circuit boards", has been released. As noted in a blog post back in May, a grant has helped spur development of the tool. The focus for the release has been on adding the features that were needed so that "there should be no show stopper anymore which prevents you from using LibrePCB for more complex PCB [printed circuit board] designs". New features include a 3D viewer and an export format for working with designs in a mechanical computer-aided design (CAD) tool, support for manufacturer part number (MPN) management, and lots of board-editor features such as thermal relief pads in planes, blind and buried vias, keepout zones, and more. [Thanks to Alphonse Ogulla.]
jake

[$] The PuzzleFS container filesystem

1 year 10 months ago
The last year or so has seen the posting of a few new filesystem types that are aimed at supporting container workloads. PuzzleFS, presented at the 2023 Kangrejos gathering by Ariel Miculas, is another contender in this area, but it has some features of its own, including a novel compression mechanism and an implementation written in Rust.
corbet

Security updates for Monday

1 year 10 months ago
Security updates have been issued by Debian (bind9, elfutils, flac, ghostscript, libapache-mod-jk, lldpd, and roundcube), Fedora (linux-firmware, roundcubemail, and thunderbird), Mageia (curl, file, firefox/thunderbird, ghostpcl, libtommath, and nodejs), Oracle (kernel, open-vm-tools, qemu, and virt:ol and virt-devel:rhel), SUSE (bind, busybox, djvulibre, exempi, ImageMagick, libqb, libssh2_org, opera, postfix, python, python36, renderdoc, webkit2gtk3, and xrdp), and Ubuntu (accountsservice and open-vm-tools).
jake

Kernel prepatch 6.6-rc3

1 year 11 months ago
The third 6.6 kernel prepatch is out for testing.

Unusually, we have a large chunk of changes in filesystems. Part of it is the vfs-level revert of some of the timestamp handling that needs to soak a bit more, and part of it is some xfs fixes. With a few other filesystem fixes too.

The multi-grain timestamp changes turned out to cause the occasional regression (timestamps that could appear to go backward) and were taken back out.

corbet

Viable ROP-free roadmap for i386/armv8/riscv64/alpha/sparc64

1 year 11 months ago

Theo de Raadt (deraadt@) posted to tech@ a detailed message explaining the past and (potential) future of anti-ROP measures in OpenBSD.

It's well worth reading in its entirety. Highlights include:

Years later, Todd Mortimer and I developed RETGUARD. At the start of that initiative he proposed we protect all functions, to try to guard all the RET instructions, and therefore achieve a state we call "ROP-free". I felt this was impossible, but after a couple hurdles the RETGUARD performance was vastly better than the stack protector and we were able to protect all functions and get to ROP-free (on fixed-sized instruction architectures). Performance was acceptable to trade against improved security. […] We were able to enable RETGUARD on all functions because it was fast. […] On the other hand the RETGUARD approach uses an illegal instruction (of some sort), which is a speculation barrier. That prevents the cpu from heading off into an alternative set of weeds. It will go decode more instructions along the post-RET execution path. I filed that idea as interesting but did nothing with it. Until now.

As we said earlier, it is worth reading the whole thing! It points forward to some remarkable improvements on several architectures, and those changes could be a clear benefit for other systems too.

[$] User-space spinlocks with help from rseq()

1 year 11 months ago
Back in May, André Almeida presented some work toward the creation of user-space spinlocks using adaptive spinning. At that time, the work was stalled because there is, in Linux, currently no way to quickly determine whether a given thread is actually executing on a CPU. Some progress has since been made on that front; at the 2023 Open Source Summit Europe, Almeida returned to discuss how that difficulty might be overcome.
corbet

Security updates for Friday

1 year 11 months ago
Security updates have been issued by Debian (gsl), Fedora (dotnet6.0 and dotnet7.0), Oracle (libwebp), Slackware (bind, cups, and seamonkey), SUSE (kernel and rust, rust1.72), and Ubuntu (cups, flac, gnome-shell, imagemagick, and python3.5).
jake

[$] Revisiting the kernel's preemption models (part 1)

1 year 11 months ago
All that Ankur Arora seemingly wanted to do with this patch set was to make the process of clearing huge pages on x86 systems go a little faster. What resulted was an extensive discussion on the difficulties of managing preemption correctly in the kernel. It may be that some changes will come to the plethora of preemption models that the kernel currently offers.
corbet

Security updates for Thursday

1 year 11 months ago
Security updates have been issued by Debian (mutt, netatalk, and python2.7), Fedora (chromium, golang-github-prometheus-exporter-toolkit, golang-github-xhit-str2duration, and golang-gopkg-alecthomas-kingpin-2), Oracle (dmidecode, frr, libwebp, open-vm-tools, and thunderbird), Red Hat (libwebp and open-vm-tools), SUSE (cups, frr, mariadb, openvswitch3, python39, qemu, redis7, rubygem-rails-html-sanitizer, and skopeo), and Ubuntu (bind9, cups, and libppd).
jake

Stable kernel 5.10.196

1 year 11 months ago
The 5.10.196 stable kernel has been released. It fixes a single regression: This release is only needed by any 5.10.y user that uses configfs, it resolves a regression in 5.10.195 in that subsystem. Note that many kernel subsystems use configfs for configuration so to be safe, you probably want to upgrade if you are not sure.
jake

A new Windows 11 feature to block NTLM-based attacks

1 year 11 months ago

Microsoft has added a new security feature to Windows 11 that lets administrators block NTLM over SMB, in order to prevent pass-the-hash, NTLM relay and password-cracking attacks; a client that never performs an NTLM exchange gives an attacker no hash to relay or crack. This changes the traditional approach, in which Kerberos and NTLM authentication to the target server was negotiated through Windows SPNEGO.
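As an added example (not from the NKI post or from Microsoft's documentation), the following PowerShell session shows how an administrator would first inventory which servers can still be reached without NTLM and then enforce the block client-wide. It assumes a Windows 11 build that ships the BlockNTLM parameter of Set-SmbClientConfiguration and New-SmbMapping described in Microsoft's announcement; the share names are constructed for the example.

```powershell
# Added example: audit, then enforce, SMB-client NTLM blocking on Windows 11.
# Assumption: this build exposes -BlockNTLM on Set-SmbClientConfiguration and
# New-SmbMapping; on older builds the parameter does not exist and the calls fail.
#Requires -RunAsAdministrator

# 1. Record the current client setting so the change can be rolled back.
$before = Get-SmbClientConfiguration
"BlockNTLM before: $($before.BlockNTLM)"

# 2. Dry run: attempt a Kerberos-only connection to each server before enforcing
#    globally. A server that only offers NTLM (workgroup host, NAS, old appliance)
#    fails here, which is exactly the inventory you want before flipping the switch.
$shares = @('\\fileserver01.corp.example\data', '\\nas-legacy.corp.example\backup')  # constructed
foreach ($share in $shares) {
    try {
        New-SmbMapping -RemotePath $share -BlockNTLM $true -ErrorAction Stop | Out-Null
        "OK   (Kerberos) $share"
        Remove-SmbMapping -RemotePath $share -Force
    } catch {
        "FAIL (needs NTLM) $share : $($_.Exception.Message)"
    }
}

# 3. Enforce: refuse NTLM for every outbound SMB connection from this client.
#    Equivalent Group Policy: Computer Configuration > Administrative Templates >
#    Network > Lanman Workstation > "Block NTLM (LM, NTLM, NTLMv2)".
Set-SmbClientConfiguration -BlockNTLM $true -Force

# 4. Verify the new setting took effect.
"BlockNTLM after: $((Get-SmbClientConfiguration).BlockNTLM)"
```

The per-mapping -BlockNTLM switch is the useful half in practice: it lets you find the servers that would break under the global policy (and either join them to the domain or give them a Kerberos SPN) before any user loses access, and the global setting is then an enforcement step rather than an experiment.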

The post A new Windows 11 feature to block NTLM-based attacks first appeared on Nemzeti Kibervédelmi Intézet.

NKI

Kubernetes vulnerabilities fixed

1 year 11 months ago

Three high-severity vulnerabilities discovered in Kubernetes (CVE-2023-3676, CVE-2023-3893 and CVE-2023-3955, CVSS 8.8) can be exploited to achieve remote code execution (RCE) with elevated privileges on Windows nodes within a cluster.

NKI

The White House would commit CRI member countries not to pay ransoms to cybercriminals

1 year 11 months ago

The United States National Security Council (NSC) is urging the governments taking part in the International Counter Ransomware Initiative (CRI) to issue a joint statement declaring that they will not pay ransoms to cybercriminals. The statement would apply to the participating governments, not to companies and other organizations.

NKI

[$] Using the limited C API for the Python stdlib?

1 year 11 months ago
The "limited" C API for CPython extensions has been around for well over a decade at this point, but it has not seen much uptake. It is meant to give extensions an API that allows binaries built with it to be used with multiple versions of CPython, because those binaries only access the stable ABI, which does not change when CPython does. Victor Stinner has been working on a better definition of the API; as part of that work, he suggested that some of the C extensions in the standard library start using it, in an effort for CPython to "eat its own dog food". The resulting discussion showed that there is still a fair amount of confusion about this API and about the thrust of Stinner's overall plan.
jake