Tuesday, June 21st, 2016

Time	Event
2:04a	Horn: Exploiting Recursion in the Linux Kernel On the Project Zero blog, Jann Horn describes a bug Horn found that allows user space to overflow the kernel stack using the ecryptfs encrypted filesystem. That overflow can be used to elevate privileges for local users on Ubuntu systems configured for encrypted home directories. "However, the reason why I wrote a full root exploit for this not exactly widely exploitable bug is that I wanted to demonstrate that Linux stack overflows can occur in very non-obvious ways, and even with the existing mitigations turned on, they're still exploitable. In my bug report, I asked the kernel security list to add guard pages to kernel stacks and remove the thread_info struct from the bottom of the stack to more reliably mitigate this bug class, similar to what other operating systems and grsecurity are already doing. Andy Lutomirski had actually already started working on this, and he has now published patches that add guard pages: https://lkml.org/lkml/2016/6/15/1064." (Comment on this)
2:28p	Fedora 24 released After several schedule slips, the Fedora 24 release is available. "The Fedora Project has embarked on a great journey... redefining what an operating system should be for users and developers. Such innovation does not come overnight, and Fedora 24 is one big step on the road to the next generation of Linux distributions. But that does not mean that Fedora 24 is some 'interim' release; there are great new features for Fedora users to deploy in their production environments right now!" See the Fedora 24 approved features list for an idea of what's in this release. (Comment on this)
4:24p	Security updates for Tuesday Fedora has updated nfdump (F23; F22: multiple vulnerabilities) and webkitgtk4 (F22: two vulnerabilities). openSUSE has updated ctdb (Leap42.1, 13.2: privilege escalation), libtorrent-rasterbar (Leap42.1, 13.2: denial of service), ntp (Leap42.1: multiple vulnerabilities), and kernel (Leap42.1: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities). Slackware has updated libarchive (multiple vulnerabilities) and pcre (denial of service). SUSE has updated ctdb (SLE11-SP4: privilege escalation), libimobiledevice, usbmuxd (SLE12-SP1: sockets listening on INADDR_ANY), and php53 (SLES11-SP2: multiple vulnerabilities). Ubuntu has updated dnsmasq (16.04, 15.10: denial of service), expat (two vulnerabilities), haproxy (16.04: denial of service), spice (16.04, 15.10, 14.04: two vulnerabilities), wget (code execution), and xmlrpc-c (12.04: multiple vulnerabilities). (Comment on this)
7:41p	Announcing Flatpak Not to be left behind by a certain competing project, the developers of the Flatpak packaging system have put out a press release proclaiming its virtues. "The Linux desktop has long been held back by platform fragmentation. This has been a burden on developers, and creates a high barrier to entry for third party application developers. Flatpak aims to change all that. From the very start its primary goal has been to allow the same application to run across a myriad of Linux distributions and operating systems. In doing so, it greatly increases the number of users that application developers can easily reach." (Comment on this)
8:05p	Elixir v1.3 released Version 1.3 of the Elixir programming language has been released. "Elixir v1.3 brings many improvements to the language, the compiler and its tooling, specially Mix (Elixir’s build tool) and ExUnit (Elixir’s test framework). The most notable additions are the new Calendar types, the new cross-reference checker in Mix, and the assertion diffing in ExUnit." (Comment on this)

<< Previous Day

2016/06/21 [Calendar]

Next Day >>