LWN.net's Journal
 

Wednesday, January 20th, 2016

    12:32a
    CyanogenMod shutting down WhisperPush
    The CyanogenMod developers have announced that they will be shutting down the WhisperPush secure messaging system (covered here in 2013). "We've ultimately made the decision that we will no longer be supporting WhisperPush functionality directly within CyanogenMod. Further, WhisperPush services will be end-of-lifed beginning Feb 1st 2016. As this is a server side implementation, all branches of CM from CM10.2 and forward will be affected."
    2:44p
    The State Of Meteor Part 1: What Went Wrong
    Back in 2014, LWN looked at the Meteor web application framework. Now, Meteor's developers are contemplating why it failed to take over the world. "New developers love how easy it is to get started with it, but can get discouraged when they start struggling with more complex apps. And purely from a financial standpoint, it's hard to build a sustainable business on the back of new developers hacking on smaller apps. On the other hand, many of the more experienced developers who'd be able to handle (and help solve) Meteor's trickier challenges are turned off by its all-in-one approach, and never even give it a chance in the first place." They promise the imminent unveiling of a new approach that is going to address these problems.
    3:22p
    Linux Kernel ROP - Ropping your way to #
    This article from Cysec Labs starts a series explaining how return-oriented programming (ROP) can be used to exploit vulnerabilities in the kernel. "ROP techniques take advantage of code misalignment to identify new gadgets. This is possible due to x86 language density, i.e., the x86 instruction set is large enough (and instructions have different lengths), that almost any sequence of bytes can be interpreted as a valid instruction."
    5:47p
    Security advisories for Wednesday

    Arch Linux has updated kernel (privilege escalation).

    CentOS has updated kernel (C5: two remote denial of service vulnerabilities).

    Debian has updated bind9 (denial of service) and ecryptfs-utils (privilege escalation).

    Debian-LTS has updated bind9 (denial of service), ecryptfs-utils (privilege escalation), and librsvg (out-of-bounds heap read).

    Fedora has updated libxmp (F23; F22: multiple vulnerabilities), mbedtls (F23; F22: memory leak), qemu (F22: multiple vulnerabilities), and radicale (F23; F22: multiple vulnerabilities).

    openSUSE has updated cups-filters (Leap42.1: code execution).

    Oracle has updated kernel (OL5: two remote denial of service vulnerabilities).

    Scientific Linux has updated kernel (SL5: two remote denial of service vulnerabilities).

    SUSE has updated bind (SLE12-SP1: denial of service).

    Ubuntu has updated bind9 (denial of service), ecryptfs-utils (privilege escalation), kernel (15.10; 15.04; 14.04: privilege escalation), libxml2 (two vulnerabilities), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), linux-lts-vivid (14.04: privilege escalation), linux-lts-wily (14.04: privilege escalation), and linux-raspi2 (15.10: privilege escalation).

    7:33p
    [$] OpenSSH and the dangers of unused code

    Unused code is untested code, which probably means that it harbors bugs—sometimes significant security bugs. That lesson has been reinforced by the recent OpenSSH "roaming" vulnerability. Leaving a half-finished feature only in the client side of the equation might seem harmless on a cursory glance but, of course, is not. Those who mean harm can run servers that "implement" the feature to tickle the unused code. Given that the OpenSSH project has a strong security focus (and track record), it is truly surprising that a blunder like this could slip through—and keep slipping through for roughly six years.

    Subscribers can click below to read the full story from the week's edition.

    7:52p
    Dutch consumer group sues Samsung over Android updates (OSNews)
    OSNews reports that the Dutch consumer protection advocacy agency Consumentenbond has sued Samsung, demanding updates for its Android phones. "The Consumentenbond had been in talks with Samsung about this issue for a while now, but no positive outcome was reached, and as such, they saw no other option but to file suit.

    The Consumentenbond is demanding that Samsung provides two years of updates for all its Android devices, with the two-year period starting not at the date of market introduction of the device, but at the date of sale. This means that devices introduced one or even more years ago that are still being sold should still get two years' worth of updates starting today." (Thanks to Paolo Bonzini)
