LWN.net's Journal
 

Thursday, May 26th, 2016

    Time Event
    2:05a
    [$] LWN.net Weekly Edition for May 26, 2016
    The LWN.net Weekly Edition for May 26, 2016 is available.
    4:09p
    Security updates for Thursday

    Debian-LTS has updated bozohttpd (two vulnerabilities, one from 2014), ruby-mail (SMTP injection), and xymon (multiple vulnerabilities). Also, the Debian-LTS team has announced that some packages will not be supported (libv8, mediawiki, sogo, and vlc) for Debian 7 ("wheezy"), so users of those should upgrade to Debian 8 ("jessie").

    Red Hat has updated rh-mariadb100-mariadb (RHSC: many vulnerabilities).

    Ubuntu has updated eglibc, glibc (15.10, 14.04, 12.04: multiple vulnerabilities, some from 2013 and 2014) and samba (16.04, 15.10, 14.04: regression in previous security fix).

    8:46p
    Google beats Oracle—Android makes “fair use” of Java APIs (ars technica)
    Ars technica reports that Google has prevailed against Oracle in its court battle over the use of the Java APIs in Android. "There was only one question on the special verdict form, asking if Google's use of the Java APIs was a 'fair use' under copyright law. The jury unanimously answered 'yes,' in Google's favor. The verdict ends the trial, which began earlier this month."
    8:54p
    Analog malicious hardware
    Worth a read: this paper [PDF] from Kaiyuan Yang et al. on how an analog back door can be placed into a hardware platform like a CPU. "In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting [sic] a chip’s functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor."
