LWN.net's Journal
 

Thursday, July 9th, 2015

    Time Event
    2:05a
    [$] LWN.net Weekly Edition for July 9, 2015
    The LWN.net Weekly Edition for July 9, 2015 is available.
    1:37p
    The Critical Infrastructure Initiative census project
    The Critical Infrastructure Initiative (a Linux Foundation effort to direct resources to critical projects in need of help) has announced a census project to identify the development projects most in need of assistance. "Unlike the Fed’s stress tests, which are opaque, all of the census data and analysis is open source. We are eager for community involvement. We encourage developers to fork the project and experiment with different data sources, different parameters, and different algorithms to test out the concept of an automated risk assessment census. We are also eager for input to help sanitize and complete the data that was used in this first iteration of the census."
    1:42p
    A new OpenSSL vulnerability
    The OpenSSL project has disclosed a new certificate validation vulnerability. "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and 'issue' an invalid certificate." This is thus a client-side, man-in-the-middle vulnerability.

    Note that the affected versions of OpenSSL were released in mid-June; anybody with an older release should not be vulnerable.

    3:04p
    Security advisories for Thursday

    Debian has updated python-django (two vulnerabilities).

    Mageia has updated bind (denial of service), cups-filters (two code execution vulnerabilities), flash-player-plugin (many vulnerabilities), openssh (access restriction bypass), and virtuoso-opensource (multiple unspecified vulnerabilities).

    openSUSE has updated flash-player (11.4: unspecified vulnerabilities), libwmf (13.2, 13.1: multiple vulnerabilities), mysql-community-server (13.2, 13.1: cipher downgrade), tiff (13.2, 13.1: multiple vulnerabilities), and wireshark (13.2: two denial of service vulnerabilities).

    Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

    SUSE has updated flash-player (SLE12: many vulnerabilities).

    Ubuntu has updated python-django (two vulnerabilities).

