LWN.net's Journal
 

Tuesday, June 3rd, 2014

    Time Event
    1:43p
    Bergeron: Introducing the new Fedora Project Leader, and some parting thoughts.
    In a lengthy message to the fedora-announce mailing list, outgoing Fedora Project Leader (FPL) Robyn Bergeron has described the role of the FPL and why turnover in that position (and other, similar leadership roles) is desirable. She also announced that the new FPL will be Matthew Miller: "Of course, Matthew is no newcomer to the Fedora Project, having been around since the *LITERAL DAWN OF FEDORA TIME* -- he was an early contributor to the Fedora Legacy project, and helped to organize early FUDCons in his area of the world, at Boston University. Since joining Red Hat in 2012, he's been responsible for the Cloud efforts in Fedora, and as the previous wrangler for that team, I was thrilled when he came on board and was willing and able to start driving forward some of the initiatives and wishlist items that team was working on. What started out small has since grown into a vision for the future, and I'm confident in Matthew's ability to lead the Fedora Project forward into its next 10 years of innovative thinking."
    4:03p
    Tuesday's security updates

    Fedora has updated smb4k (F20; F19: credential cache leak).

    Mageia has updated gnutls (two vulnerabilities) and libtasn1 (multiple vulnerabilities).

    SUSE has updated IBM Java 6 (SLE11 SP3: multiple vulnerabilities) and IBM Java 7 (SLE11 SP3: multiple vulnerabilities).

    10:13p
    Making end-to-end encryption easier to use (Google Online Security Blog)
    The Google Online Security Blog has announced the alpha release of an OpenPGP-compliant end-to-end encryption extension for the Chrome/Chromium browser.
    "While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools.

    However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)"
    10:23p
    The unexpected outcome of the Open Source Seed Initiative's licensing debate (Opensource.com)
    Over at Opensource.com, Jack Kloppenburg—one of the founders of the Open Source Seed Initiative (OSSI) that is trying to apply open source ideas to the genetic material in plant seeds—describes the switch from a licensing approach to that of a "pledge". "In February of 2014, OSSI made the hard but considered decision to abandon efforts to develop a legally defensible license and to shift to a pledge. This moves OSSI’s discourse and action from the legal field to the terrain of norms and ethics. We have found this shift to be stimulating, reinvigorating, and productive. The licensing approach was pulling us into a policing and bureaucratic orientation that was not congenial. Although our pledge is likely not legally binding, it is easily transmissible, it is viral, it is an uncompromising commitment to free exchange and use, and it is a very effective tool for outreach and education."
    10:34p
    Critical new bug in crypto library leaves Linux, apps open to drive-by attacks (Ars Technica)
    Ars Technica reports on a buffer overflow in GnuTLS, which is an alternative to OpenSSL for SSL/TLS support. The length checks for the session ID in the ServerHello message were not correct, which allowed the overflow.
    "Maliciously configured servers can exploit the bug by sending malformed data to devices as they establish encrypted HTTPS connections. Devices that rely on an unpatched version of GnuTLS can then be remotely hijacked by malicious code of the attacker's choosing, security researchers who examined the fix warned. The bug wasn't patched until Friday [May 30], with the release of GnuTLS versions 3.1.25, 3.2.15, and 3.3.4. While the patch has been available for three days, it will protect people only when the GnuTLS-dependent software they use has incorporated it. With literally hundreds of packages dependent on the library, that may take time." This analysis shows how the bug could be exploited for arbitrary code execution.
