LWN.net's Journal
 

Thursday, August 22nd, 2019

    Time Event
    12:30a
    [$] LWN.net Weekly Edition for August 22, 2019
    The LWN.net Weekly Edition for August 22, 2019 is available.
    12:59p
    Security updates for Thursday
    Security updates have been issued by Fedora (nginx), openSUSE (ImageMagick and putty), Red Hat (Ansible, atomic-openshift-web-console, ceph, and qemu-kvm-rhev), SUSE (kvm, libssh2_org, postgresql96, qemu, and wavpack), and Ubuntu (libzstd and openjpeg2).
    1:08p
    Backdoor code found in 11 Ruby libraries (ZDNet)
    ZDNet reports on the discovery of a set of malicious libraries in the RubyGems repository. "The individual behind this scheme was active for more than a month, and their actions were not detected.

    Things changed when the hacker managed to gain access to the RubyGems account of one of the rest-client developers, which he used to push four malicious versions of rest-client on RubyGems.

    However, by targeting such a high-profile project that has over 113 million total downloads on RubyGems, the hacker also brought a lot of light to their operation, which was taken down within a few hours after users first spotted the malicious code in the rest-client library."
    1:14p
    Backdoors in Webmin
    Anybody using Webmin, a web-based system-administration tool, will want to update now, as it turns out that the system has been backdoored for over a year. "At some time in April 2018, the Webmin development build server was exploited and a vulnerability added to the password_change.cgi script. Because the timestamp on the file was set back, it did not show up in any Git diffs. This was included in the Webmin 1.890 release."
    7:24p
    [$] Restricting path name lookup with openat2()
    Looking up a file given a path name seems like a straightforward task, but it turns out to be one of the more complex things the kernel does. Things get more complicated if one is trying to write robust (user-space) code that can do the right thing with paths that are controlled by a potentially hostile user. Attempts to make the open() and openat() system calls safer date back at least to an attempt to add O_BENEATH in 2014, but numerous problems remain. Aleksa Sarai, who has been working in this area for a while, has now concluded that a new version of openat(), naturally called openat2(), is required to truly solve this problem.

