LWN.net's Journal
Thursday, June 5th, 2014
| Time | Event |
|---|---|
| 12:52a | [$] LWN.net Weekly Edition for June 5, 2014. The LWN.net Weekly Edition for June 5, 2014 is available. |
| 2:16p | Another set of OpenSSL vulnerabilities. The OpenSSL project has disclosed another set of vulnerabilities, including one that could enable man-in-the-middle attacks and one that might lead to code execution. Expect updates from distributors soon. For the curious, Masashi Kikuchi, the discoverer of the MITM vulnerability, has posted the story of how it was found. |
| 3:16p | Security advisories for Thursday. CentOS has updated openssl (C6: multiple vulnerabilities including one from 2010) and openssl097a and openssl098e (C6; C5: man-in-the-middle attack). Debian has updated kernel (three vulnerabilities), libav (multiple unspecified vulnerabilities), openssl (multiple vulnerabilities), python-bottle (security mechanism bypass), and python-gnupg (shell command injection). Gentoo has updated mutt (code execution) and systemtap (denial of service from 2012). Mageia has updated chkrootkit (privilege escalation). Red Hat has updated kernel (RHEL6: three vulnerabilities), openssl (Extended lifecycle support products; RHEL5: man-in-the-middle attack; RHEL6: multiple vulnerabilities including one from 2010), and openssl097a and openssl098e (man-in-the-middle attack). SUSE has updated gnutls (SLE11SP3: multiple vulnerabilities). Ubuntu has updated openssl (multiple vulnerabilities). |
| 5:16p | Day: Notify me. On his blog, GNOME contributor Allan Day writes about a redesign of the GNOME 3 notification mechanisms. It includes a new Message Tray design as well as reworking the lock-screen notifications and the notification banners themselves. "The final goal is one that was at the core of the original design, and which is central to the design of GNOME 3 as a whole: that is, to be noticeable and useful without being distracting. Wherever possible with GNOME 3, we have tried to produce a distraction-free experience which helps you concentrate on the task in hand. This requires a fine balancing act, which can be tricky to get right. With the new designs, we want to change that balance slightly, by making notifications a bit more noticeable and by providing more effective reminders, but we still want to retain the emphasis on avoiding distraction." |
| 5:40p | They're ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox (Ars Technica). Ars Technica looks at a revival of a technique for remote sites to determine browser history. Originally, using JavaScript and CSS allowed sites to track browsing history, but those holes were eventually closed by browser makers. Exploiting a timing attack [PDF] on the browser can distinguish between sites that have been visited and those that have not. "The browser timing attack technique [Aäron] Thijs borrowed from fellow researcher [Paul] Stone abuses a programming interface known as requestAnimationFrame, which is designed to make animations smoother. It can be used to time the browser's rendering, which is the time it takes for the browser to display a given webpage. By measuring variations in the time it takes links to be displayed, attackers can infer if a particular website has been visited." |