LWN.net's Journal
 

Wednesday, May 25th, 2016

    Time Event
    2:10a
    Mathewson: Mid-2016 Tor bug retrospective, with lessons for future coding
    On the Tor blog, Nick Mathewson reports on an informal survey he did for "severe" bugs in Tor over the last few years. It breaks down the 70 bugs he found into different categories that are correlated with some recommendations for ways to try to avoid them in the future. For example: "Recommendation 5.1: all backward compatibility code should have a timeout date.

    On several occasions we added backward compatibility code to keep an old version of Tor working, but left it enabled for longer than we needed to. This code has tended not to get the same regular attention it deserves, and has also tended to hold surprising deviations from the specification. We should audit the code that's there today and see what we can remove, and we should never add new code of this kind without adding a ticket and a comment planning to remove it."

    Many of the recommendations are likely applicable to other projects.
    3:02p
    [$] Should distributors disable IPv4-mapped IPv6?
    By all accounts, the Internet's transition to IPv6 has been a slow affair.
    In recent years, though, perhaps inspired by the exhaustion of the IPv4
    address space, IPv6 usage has been on the rise. There is a
    corresponding interest in ensuring that applications
    work with both IPv4 and IPv6. But, as a recent discussion on the OpenBSD
    mailing list has highlighted, a mechanism designed to ease the transition to an
    IPv6 network may also make the net less secure — and Linux distributions
    may be configured insecurely by default.
    4:00p
    Security advisories for Wednesday

    Arch Linux has updated libndp (man-in-the-middle attacks).

    Fedora has updated kernel (F22: multiple vulnerabilities).

    Red Hat has updated jq (RHOSP8: code execution).

    Slackware has updated libarchive (code execution).

    Ubuntu has updated php5, php7.0 (multiple vulnerabilities).
