LWN.net's Journal
 

Friday, May 20th, 2016

    12:18a
    Linux containers vs. VMs: A security comparison (InfoWorld)
    Over at InfoWorld, Jim Reno compares the security of virtual machines (VMs) and containers. "Which is more secure?" is a question that is often asked, but the answer, of course, is "it depends". Reno analyzes the attack surface of each to help in choosing between VMs and containers.

    "Many legacy VM applications treat VMs like bare metal. In other words, they have not adapted their architectures specifically for VMs or for security models not based on perimeter security. They might install many services on the same VM, run the services with root privileges, and have few or no security controls between services. Rearchitecting these applications (or more likely replacing them with newer ones) might use VMs to provide security separation between functional units, rather than simply as a means of managing larger numbers of machines.

    Containers are well suited for microservices architectures that “string together” large numbers of (typically) small services using standardized APIs. Such services often have a very short lifetime, where a containerized service is started on demand, responds to a request, and is destroyed, or where services are rapidly ramped up and down based on demand. That usage pattern is dependent on the fast instantiation that containers support. From a security perspective it has both benefits and drawbacks."
    2:22p
    Security updates for Friday

    Arch Linux has updated bugzilla (cross-site scripting).

    Debian has updated librsvg (three vulnerabilities).

    Debian-LTS has updated expat (code execution) and libgd2 (denial of service).

    Mageia has updated dhcpcd (code execution from 2014), expat (code execution), gdk-pixbuf2.0 (code execution), icu (code execution), imagemagick/ruby-rmagic (multiple vulnerabilities), libxml2 (two denial of service flaws), perl (denial of service), and xerces-c (code execution).

    openSUSE has updated libksba (13.2: two vulnerabilities) and php5 (42.1: multiple vulnerabilities).

    Red Hat has updated Red Hat OpenShift Enterprise 3.1 (unauthorized access) and Red Hat OpenShift Enterprise 3.2 (three vulnerabilities).

    SUSE has updated openssl (SLE10: multiple vulnerabilities).

    5:46p
    A report on the CoreOS remote SSH vulnerability
    For those who are curious about how the CoreOS remote SSH vulnerability came to be, the company has posted a detailed report. "This misconfiguration was abetted by confirmation bias. The expected outcome of the change to the CoreOS PAM configuration was for users who presented a password present in an authentication database to be successfully authenticated. Because of the pam_permit failure case explained above, this was the observed behavior in testing, so the change was assumed to be correct. No attempt was made to determine whether the observed behavior could be explained in some other way, such as the system allowing any presented password."

