LWN.net's Journal
 

Wednesday, October 8th, 2014

    Time Event
    1:57p
    Open Definition 2.0
    Version 2.0 of the Open Definition has been announced.
    The Open Definition seeks to define the meaning of "open" in the context of
    data, content, and more. "However, these benefits are at significant
    risk both from quality problems such as 'open-washing' (non-open data being
    passed off as open) and from fragmentation of the open data ecosystem due
    to incompatibility between the growing number of 'open' licenses. The Open
    Definition eliminates these risks and ensures we realize the full benefits
    of open by guaranteeing quality and preventing incompatibility."
    3:49p
    Security advisories for Wednesday

    Debian has updated rsyslog (integer overflow).

    Red Hat has updated kernel (RHEL6.4 EUS: privilege escalation).

    Ubuntu has updated apt (14.04, 12.04: file overwrite).

    6:11p
    Wheeler: Shellshock
    David A. Wheeler examines the shellshock bash vulnerability, with a
    discussion on ways to detect or prevent future vulnerabilities, a timeline
    of what happened and when, some
    information about specific CVEs, and a few conclusions. "Shells are widely used on these systems to process commands, so there were many ways to exploit shellshock. This included web applications implemented using CGI that are written in bash or invoke bash subshells, sshd using ForceCommand (to limit access to specific actions), and DHCP clients connecting to subverted DHCP servers. The probability of vulnerability was somewhat less on Debian and Ubuntu, because their default non-interactive shell is dash (which was not vulnerable) instead of bash, but there were still cases where they could be vulnerable. One point of confusion about Debian and Ubuntu is that their default interactive shell is bash, while their default non-interactive shell is dash, and it is primarily the non-interactive shell (aka /bin/sh) that matters in the shellshock vulnerability. Similarly, Apple MacOS does not use bash in many circumstances, but there were cases where it could be vulnerable. Android systems use Linux but normally use the MirBSD (mksh) shell, which was not vulnerable."
