Hírolvasó

Security updates have been issued by Debian (sox and thunderbird), Fedora (containerd, libtpms, mingw-binutils, mingw-LibRaw, mingw-python-werkzeug, stargz-snapshotter, and tkimg), Slackware (mozilla and openssh), SUSE (apache2, firefox, hdf5, jakarta-commons-fileupload, kernel, perl-Net-Server, python-PyJWT, qemu, and vim), and Ubuntu (abcm2ps, krb5, and linux-intel-iotg).

Amazon has released a new version of its vaguely Fedora-based, cloud-optimized distribution.

Last—and this policy is by far my favorite—Amazon Linux provides you with deterministic updates through versioned repositories, a flexible and consistent update mechanism. The distribution locks to a specific version of the Amazon Linux package repository, giving you control over how and when you absorb updates. By default, and in contrast with Amazon Linux 2, a dnf update command will not update your installed packages.

The Software Freedom Conservancy calls out John Deere for failure to comply with the GPL and preventing farmers from repairing their own equipment.

This is a serious issue that goes far beyond one person wanting to fix their printer software, or install an alternative firmware on a luxury device. It has far-reaching implications for all farmers' livelihoods, for food security throughout the world, and for how we as a society choose to reward those who make our lives better, or stand in the way of empowering everyone to improve the world.

OpenSSH 9.3 has been released. It includes a couple of security fixes, as well as adding an option for hash-algorithm selection to ssh-keygen and an option that allows configuration checking without actually loading any private keys.

The ublk subsystem enables the creation of user-space block drivers that communicate with the kernel using io_uring. Drivers implemented this way show some promise with regard to performance, but there is a bottleneck in the way: copying data between the kernel and the user-space driver's address space. It is thus not surprising that there is interest in implementing zero-copy I/O for ublk. The mailing lists have recently seen three different proposals for how this could be done.

Több kritikus sebezhetőség mellett a Microsoft márciusi frissítési csomagjában két olyan nulladik napi hibát is kijavított, amelyeket fenyegetési szereplők aktívan kihasználnak. Az egyik ilyen hiba különösen veszélyes, ugyanis a Microsoft Outlook különböző verzióit érinti, ami az egyik legnépszerűbb elektronikus levelező szolgáltatás vállalati környezetben. Javasolt a hibajavítás mielőbbi telepítése!

The post APT csoportok is kihasználják az MS Outlook kritikus sérülékenységét first appeared on Nemzeti Kibervédelmi Intézet.

Security updates have been issued by Debian (firefox-esr and pcre2), Oracle (nss), Red Hat (kpatch-patch and nss), SUSE (java-11-openjdk, kernel, and python310), and Ubuntu (emacs24, ffmpeg, firefox, imagemagick, libphp-phpmailer, librecad, and openjpeg2).

With a message to openbsd-announce and other lists, Brent Cook (bcook@) announced the release of LibreSSL 3.7.1, with numerous improvements.

It is worth noting that this is the final version to be released before the upcoming OpenBSD 7.3 release.

The announcement reads,

Subject: LibreSSL 3.7.1 Released From: Brent Cook <busterb () gmail ! com> We have released LibreSSL 3.7.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the final development release for the 3.7.x branch, and we appreciate additional testing and feedback before the stable release coming soon with OpenBSD 7.3

Read more…

On 2023-03-15, the release of version 9.3 of OpenSSH was announced:

Read more…

The LWN.net Weekly Edition for March 16, 2023 is available.

Using rules as code to help bridge the gaps between policy creation, its implementation, and its, often unintended, effects on people was the subject of a talk by Pia Andrews on the first day of the inaugural Everything Open conference in Melbourne, Australia. She has long been exploring the space of open government, and her talk was a report on what she and others have been working on over the last seven years. Everything Open is the successor to the long-running, well-regarded linux.conf.au (LCA); Andrews (then Pia Waugh) gave the opening keynote at LCA 2017 in Hobart, Tasmania, and helped organize the 2007 event in Sydney.

The 2023 election for the Debian project leader looks to be a relatively unexciting affair: incumbent leader Jonathan Carter is running unopposed for a fourth term. His platform lays out his hopes and plans for that term.

Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).

Az Egyesült Államok Kiberbiztonsági és Infrastruktúra-biztonsági Ügynöksége (CISA) bejelentette új – jelenleg még csak pilotként futó – programját, aminek célja, hogy segítse a kritikus infrastruktúrákat megvédeni rendszereiket a zsarolóvírus támadásoktól. A 2023. január 30-án elindított Ransomware Vulnerability Warning Pilot (RVWP) azért jött létre, hogy a CISA figyelmeztesse a kritikus ágazatok szereplőit, azokról a sérülékenységekről, amelyek […]

The post A CISA új programot indít a kritikus infrastruktúrák védelme érdekében first appeared on Nemzeti Kibervédelmi Intézet.

Az Emotet malware három hónap kihagyás után ismét rosszindulatú e-maileket terjeszt, újjáépíti hálózatát és világszerte megfertőzi az eszközöket. Az Emotet egy hírhedt rosszindulatú – általában Microsoft Word és Excel dokumentumokban előforduló – e-mailben terjesztett kártevő. Amikor a felhasználók megnyitnak egy fertőzött dokumentumot – amennyiben engedélyezve vannak a makrók – letöltődik az Emotet DLL, majd várja […]

The post Újra támad az Emotet malware first appeared on Nemzeti Kibervédelmi Intézet.

It would appear that the ipmitool repository has been locked, and its maintainer suspended, by GitHub. This Hacker News conversation delves into the reason; evidently the developer was employed by a sanctioned Russian company. Ipmitool remains available and will, presumably, find a new home eventually. (Thanks to Paul Wise).

Writing applications for devices with a lot of resource constraints, such as a small amount of RAM or no memory-management unit (MMU), poses some challenges. Running a Linux distribution often isn't an option on these devices, but there are operating systems that try to bridge the gap between running a Linux distribution and using bare-metal development. One of these is Zephyr, a real-time operating system (RTOS) launched by the Linux Foundation in 2016. LWN looked in on Zephyr at its four-year anniversary as well. Seven years after its announcement, Zephyr has made lots of progress and now has an active ecosystem surrounding it.

Security updates have been issued by Debian (redis), Fedora (cairo, freetype, harfbuzz, and qt6-qtwebengine), Red Hat (kpatch-patch), SUSE (chromium, java-1_8_0-openj9, and nodejs18), and Ubuntu (chromium-browser, libxstream-java, php-twig, twig, protobuf, and python-werkzeug).

Egy ismeretlen fenyegetési csoport a Fortinet FortiOS szoftver új nulladik napi (zero day) biztonsági hibájának kihasználásával vett célba kormányzati és egyéb nagy szervezeteket. A sérülékenység kihasználása adatvesztést, valamint fájlok és az operációs rendszer sérülését eredményezheti a célrendszeren. A sérülékenység nyilvánosságra kerülésére néhány nappal azután került sor, miután a Fortinet kiadott egy biztonsági frissítőcsomagot, amelyben 15 […]

The post Kormányzati szervezetek elleni támadásra használják ki a FortiOS új zero day sérülékenységét first appeared on Nemzeti Kibervédelmi Intézet.

Version 2.40.0 of the Git source-code management system is out. Changes include a new --merge-base option for merges, a built-in implementation of bisection, Emacs support for git jump, a fair number of smallish user-interface tweaks, and a lot of bug fixes. See the announcement and this GitHub blog entry for the details.