LWN.net's Journal
 

Monday, May 26th, 2014

    Time Event
    12:18p
    Kernel prepatch 3.15-rc7
    Linus is back on the Sunday schedule with the 3.15-rc7 release.
    "It's just a few days after -rc6, but as expected, there were some
    pending stuff for when I got back home, so you should think of this as
    being the 'normal' release, and rc6 just having been oddly delayed by
    my travel."
    2:14p
    Monday's security updates

    Fedora has updated libvirt (F20: information disclosure/denial of service), mutt (F19: code execution), perl-LWP-Protocol-https (F19: SSL certificate verification botch), qt (F19: denial of service), rubygem-actionpack (F20; F19: information leak), and zabbix (F20; F19: access restriction bypass).

    Mageia has updated kernel-linus (M3: multiple vulnerabilities), kernel-rt (M3: multiple vulnerabilities), kernel-tmb (M4; M3: multiple vulnerabilities), kernel-vserver (M3: multiple vulnerabilities), and mariadb (multiple unspecified vulnerabilities).

    Ubuntu has updated EC2 kernel (10.04: multiple vulnerabilities), kernel (12.04; 10.04: multiple vulnerabilities), and mod-wsgi (14.04, 13.10, 12.04: two vulnerabilities).

    9:14p
    Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass (Ars Technica)
    Ars Technica is reporting on a WordPress bug that allows attackers to use a captured, unencrypted cookie to break into an account. "[Electronic Frontier Foundation staff technologist Yan] Zhu snagged a cookie for her own account the same way a malicious hacker might and then pasted it into a fresh browser profile. When she visited WordPress she was immediately logged in—without having to enter her credentials and even though she had enabled two-factor authentication. She was then able to publish blog posts, read private posts and blog stats, and post comments that were attributed to her account. As if that wasn't enough, she was able to use the cookie to change the e-mail address assigned to the account and, if two-factor authentication wasn't already in place, set up the feature. That means a hacker exploiting the vulnerability could lock out a vulnerable user. When the legitimate user tried to access the account, the attempt would fail, since the one-time passcode would be sent to a number controlled by the attacker. Remarkably, the pilfered cookie will remain valid for three years, even if the victim logs out of the account before then."
    9:31p
    AOSP Debugging and Performance Analysis course materials available
    On Google+, Opersys CEO Karim Yaghmour has announced the availability of the course materials (slides and exercises) for the company's Android Open Source Project (AOSP) Debugging and Performance Analysis class. The materials are available under the CC-BY-SA (Attribution-ShareAlike) license. "I've been helping people use Android in all sorts of devices for quite a few years now and one of the top requests I get is for information on how to debug the AOSP's internals. As with many things related to Android's internals, such information has been hard to come by. Until now ... [...] The material is built around the Inforce IFC6410 board because it was one of the only dev boards I could find that actually has both Android running on it while still having full performance counter support in perf --- sidenote, perf support on ARM SoCs, especially in combination with Android, tends to be partial at best."
