Hírolvasó
Update now: a critical flaw was found in the Social Login WordPress plugin!
A serious security flaw affects miniOrange's Social Login plugin, Wordfence warns.
The post Update now: a critical flaw was found in the Social Login WordPress plugin! first appeared on Nemzeti Kibervédelmi Intézet.
Security updates for Thursday
[$] LWN.net Weekly Edition for June 29, 2023
[$] JupyterLab 4.0: a development environment for education and research
Another method has been discovered for breaking Android fingerprint readers
Fingerprint recognition is considered a relatively secure authentication method. From time to time, however, papers appear describing ways to fool the sensor. Chinese researchers Yu Chen and Yiling He recently published a study on how almost any fingerprint-protected Android smartphone can be broken by brute force. They named the attack BrutePrint.
Stable kernel updates for Wednesday
Security updates for Wednesday
[$] Converting filesystems to iomap
Ekstrand: NVK update: Enabling new extensions, conformance status & more
Probably the single most common question I get from folks is, "When will NVK be in upstream mesa?" The short answer is that it'll be upstreamed along with the new kernel API. The new API is going to be required in order to implement Vulkan correctly in a bunch of cases. Even though it mostly works on top of upstream nouveau, I don't want to be maintaining support for that interface for another 10 years when it only partially works.
We don't yet have an exact timetable for when the new API will be ready. I'm currently hoping that we get it all upstream this year but I can't say when exactly.
Security updates for Tuesday
CISA adds 6 more flaws to the KEV catalog
According to some assessments, CVE-2023-32434 and CVE-2023-32435 may have been exploited as zero-day vulnerabilities to install spyware as part of a cyber-espionage campaign that has been running since 2019.
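A practical way to act on an item like this is to check the CVE IDs in your own asset inventory against the KEV JSON feed. The following is an added example, not code from the original page or from CISA: it parses a KEV-style document and reports, per CVE, whether it is listed and whether the catalog's remediation due date has already passed. The field names follow the layout of CISA's public KEV JSON feed (a top-level "vulnerabilities" list whose entries carry "cveID", "dateAdded", "dueDate" and so on), but the two catalog entries embedded here are constructed sample data with placeholder vendor, product and due-date values for the IDs named above, and CVE-2023-99999 is a placeholder ID used only to show the not-listed case.

```python
"""Check CVE IDs against a CISA KEV catalog document.

Added example for this news item; not code from the original page or from
CISA. Field names follow the layout of CISA's public KEV JSON feed, but the
entries below are constructed sample data with placeholder values.
"""
import json
import re
from datetime import date

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample catalog (placeholder vendor/product/due-date values,
# not the real KEV rows for these IDs).
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "catalogVersion": "2023.06.27",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-32434",
            "vendorProject": "ExampleVendor",
            "product": "ExampleOS",
            "vulnerabilityName": "placeholder",
            "dateAdded": "2023-06-23",
            "shortDescription": "placeholder",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-07-14",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2023-32435",
            "vendorProject": "ExampleVendor",
            "product": "ExampleOS",
            "vulnerabilityName": "placeholder",
            "dateAdded": "2023-06-23",
            "shortDescription": "placeholder",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-08-01",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def normalize_cve(cve_id):
    """Canonicalize a user-supplied ID (' cve-2023-32434 ' -> 'CVE-2023-32434').

    Rejects anything that is not a CVE ID, so a typo in an asset inventory
    cannot silently turn into a 'not-listed' result.
    """
    cve = cve_id.strip().upper()
    if not CVE_RE.match(cve):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return cve


def load_kev(raw):
    """Parse a KEV JSON document into {cveID: entry}, failing fast on bad rows."""
    doc = json.loads(raw)
    index = {}
    for entry in doc.get("vulnerabilities", []):
        cve = normalize_cve(entry["cveID"])
        date.fromisoformat(entry["dueDate"])  # malformed due date -> ValueError
        index[cve] = entry
    return index


def _as_date(today):
    """Accept a date or an ISO 'YYYY-MM-DD' string; default to today."""
    if today is None:
        return date.today()
    return date.fromisoformat(today) if isinstance(today, str) else today


def kev_status(index, cve_id, today=None):
    """Return 'not-listed', 'listed' or 'overdue' for one CVE.

    'overdue' means the catalog's remediation due date has passed.
    """
    entry = index.get(normalize_cve(cve_id))
    if entry is None:
        return "not-listed"
    due = date.fromisoformat(entry["dueDate"])
    return "overdue" if _as_date(today) > due else "listed"


def check_cves(index, cve_ids, today=None):
    """Map each input CVE to its KEV status; duplicate IDs collapse to one key."""
    return {normalize_cve(c): kev_status(index, c, today) for c in cve_ids}


if __name__ == "__main__":
    idx = load_kev(SAMPLE_KEV_JSON)
    # CVE-2023-99999 is a placeholder ID that is not in the sample catalog.
    report = check_cves(idx, ["CVE-2023-32434", "cve-2023-32435", "CVE-2023-99999"],
                        "2023-07-20")
    for cve, status in report.items():
        print(f"{cve}: {status}")
```

To run this against the real catalog, replace SAMPLE_KEV_JSON with the downloaded feed body; the rest of the logic is unchanged. The due-date check is the part worth automating, since KEV listing carries a remediation deadline rather than just a flag.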
McGrath: Red Hat’s commitment to open source
Ultimately, we do not find value in a RHEL rebuild and we are not under any obligation to make things easier for rebuilders; this is our call to make. That brings me to CentOS Stream, of which there is immense confusion. I acknowledge that this is a change in a longstanding tradition where we went above and beyond, and change like this can cause some confusion. That confusion manifested as accusations about us going closed-source and about alleged GPL violations. There is CentOS Stream the binary deliverable, and CentOS Stream the source repository. The CentOS Stream gitlab source is where we build RHEL releases, in the open for all to see. To call RHEL “closed source” is categorically untrue and inaccurate. CentOS Stream moves faster than RHEL, so it might not be on HEAD, but the code is there. If you can’t find it, it’s a bug – please let us know.
[$] Development statistics for 6.4
NSA issues guidance against BlackLotus
On June 22 the NSA released guidance that helps organizations detect and prevent infections by the BlackLotus UEFI bootkit.
Linux Plumbers Conference: The Ideal Microconference Topic Session
The Linux Plumbers’ microconference is a three and a half hour session devoted to one general focus area. It can be on Android, power management, tracing, real-time or any of the many other subsystems in the Linux ecosystem. These sessions are broken up into smaller topics that are highly focused work meetings, with the goal of accomplishing something during the brief discussions that happen in that time. A topic session ranges from 15 to 30 minutes in length, where no more than half the time is a presentation to bring everyone in the room (or online) up to speed on the issues that need to be discussed, and the rest of the time is spent brainstorming with the audience on how to solve the problems at hand. The problem does not need to be solved in this short time, but when time is up, the audience should understand what is at stake well enough to be productive offline on mailing lists and in chat rooms.
Submitting a microconference topic
A microconference topic submission should be considered a problem statement and not an abstract. The submission should explain what issue the submitter is struggling with and what has been done so far to try to solve it; sometimes that means showing multiple solutions, each with pros and cons, that the submitter wants to weigh with the audience. It is even possible that the audience will come up with a new solution that is better than what is being presented. The topic should be focused on what is currently being worked on and not on what was already done, unless the submitter wants to talk about what new things can be done with what was already done.
Presenting the topic
The topic should start off with a presentation. The goal of the session is to come up with answers to the problem at hand. If the audience does not know the details of the issue, they are highly unlikely to come up with any productive input; the more the audience understands the problem, the likelier they are to be able to help. Due to the short time of the microconference topic session, it is imperative that the presentation is tightly focused on need-to-know information. That is, present only what is critical to understanding the problem at hand. The quicker the audience can come up to speed, the more time there will be for a productive discussion with them. There is no limit on the number of slides, but the focus should be on the time spent presenting.
Another difference between a microconference topic session and a normal presentation is that there is no Q and A, only discussion. A Q and A in a presentation is where the audience asks the presenter questions and the presenter answers them. In a microconference topic session, the presenter starts by asking the audience questions, and then there should be a back and forth between the audience and the presenter as well as between different members of the audience.
General information topics
One exception to the above is when the general focus area requires an understanding of a specific topic that all the other topics depend on. One example is RISC-V coming out with a new specification: the first topic in the microconference may be a 30 minute presentation about which details of the new specification will impact further development. The rest of the microconference needs this information in order to make proper decisions. The Android microconference had a similar case where presentations were required for the other topics to be discussed. The general rule of thumb is that if a presentation is needed to have productive discussions then it is allowed. Due to the short time of a microconference, it is encouraged to have few of these presentations, and better yet to have people do their homework before attending the microconference.
Attendee preparation
The focus of a microconference is to solve the problems that exist today and to come up with the further innovations of tomorrow. The time constraint requires that everyone involved be well prepared for the discussions that are to take place. The topic descriptions should include links to patch discussions on mailing lists, to wiki pages that describe the general focus area, or to anything that is not common knowledge to those not directly involved in the work. Linux Plumbers is about getting experts from outside the field to give input with a different perspective. Attendees should make an effort to read through the topics of all the microconferences and, if there is a topic of interest, read the links and familiarize themselves with the discussions that will take place. This will allow attendees to be more productive than if they just came in without an understanding of the general focus area.
By following these general guidelines, Linux Plumbers will remain the most productive technical conference that one can attend.
Security updates for Monday
The 6.4 kernel has been released
Most of the stuff in my mailbox the last week has been about upcoming things for 6.5, and I already have 15 pull requests pending. I appreciate all you proactive people.
But that's for tomorrow. Today we're all busy build-testing the newest kernel release, and checking that it's all good. Right?
Headline features in this release include: generic iterators for BPF, the removal of the SELinux runtime disable knob, the removal of the SLOB memory allocator, linear address masking support on Intel CPUs, process-level samepage merging control, support for user trace events, more infrastructure for writing kernel modules in Rust, per-VMA locks, and much more. See the LWN merge-window summaries (part 1, part 2), and the (in-progress) KernelNewbies 6.4 page for the details.
Game of Trees 0.90 released
Version 0.90 of Game of Trees has been released (and the port updated):
Linux Plumbers Conference: RISC-V Microconference CFP
We’re holding another edition of the RISC-V microconference at Plumbers 2023. Broadly speaking, anything related to both Linux and RISC-V is on topic, but discussions tend to involve the following categories:
- How to support new RISC-V ISA features in Linux, both for the standards and for vendor-specific extensions.
- Discussions related to RISC-V based SoCs, which frequently include interactions with other Linux subsystems as well as core arch/riscv code.
- Coordination with distributions and toolchains on userspace-visible behavior.
All the talks at the 2022 Plumbers microconference have made at least some progress, with many of them resulting in big chunks of merged code.
Specifically:
- The riscv_hwprobe() syscall has been merged.
- Support for ACPI has been merged.
- Kconfig.socs is in the process of being refactored.
- Preliminary patches for the RISC-V TEE have been posted.
- Some optimized routines have been merged, but there’s still a long way to go.
- Text patching is still up in the air, but we’ve been working through many of the issues pointed out during the discussions.
The actual list of topics tends to be hard to pin down this early, but here’s a few topics that have been floating around the mailing lists and may be easier to resolve in real-time:
- Do we even bother with generic optimized lib routines, or just go vendor-specific?
- When can we start deprecating stuff? Likely-unused bits include: rv32, nommu, xip, old toolchains.
- Is it time to give up on profiles and just set a base ourselves?
- CI: Hosting PW-NIPA (currently hosted by Conor/Microchip), hosting “upstream kernel ci” on Github w/ sponsored runners?
- Hardware assisted control-flow integrity on RISC-V CPUs.
- Handling text patching on RISC-V systems.
- How do we deal with vendor-specific memory management?
Submissions are made via the LPC submission system, selecting the track "RISC-V MC".