LWN.net's Journal
 

Thursday, August 11th, 2016

    Time Event
    12:03a
    [$] LWN.net Weekly Edition for August 11, 2016
    The LWN.net Weekly Edition for August 11, 2016 is available.
    2:33p
    Security advisories for Thursday

    Arch Linux has updated jq (code execution from 2015) and websvn (cross-site scripting).

    Debian-LTS has updated postgresql-9.1 (two vulnerabilities).

    Gentoo has updated optipng (three vulnerabilities).

    openSUSE has updated typo3 (13.1: three vulnerabilities from 2013 and 2014) and firefox, mozilla-nss (13.1: many vulnerabilities).

    Red Hat has updated java-1.7.0-ibm (RHEL5: two vulnerabilities), java-1.7.1-ibm (RHEL6&7: two vulnerabilities), java-1.8.0-ibm (RHEL6&7: two vulnerabilities), and python-django (RHOSP8; RHOSP7; RHEL7: cross-site scripting).

    Scientific Linux has updated qemu-kvm (SL6: denial of service).

    Ubuntu has updated libgd2 (16.04, 14.04: three vulnerabilities) and xmlrpc-epi (16.04: code execution).

    10:04p
    Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open (Ars Technica)
    Ars Technica is reporting on a mistake by Microsoft that resulted in providing a "golden key" to circumvent Secure Boot. The "key" is not really a key at all, but a debugging tool that was inadvertently left in some versions of Windows devices and was found by two security researchers; the details were released on a "rather funky website" (viewing the source of that page is a good way to avoid the visual and audio funkiness). "The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled. And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse." As the researchers note, this is a perfect example of why backdoors (legally mandated or not) in cryptographic systems are a bad idea.

    Update: For some more detail, see Matthew Garrett's blog post.
