LWN.net's Journal
 

Wednesday, December 2nd, 2020

    Time Event
    3:21p
    Popov: Linux kernel heap quarantine versus use-after-free exploits
    Alexander Popov describes his kernel heap-quarantine patches designed to protect the system against use-after-free vulnerabilities. "In July 2020, I got an idea of how to break this heap spraying technique for UAF exploitation. In August I found some time to try it out. I extracted the slab freelist quarantine from KASAN functionality and called it SLAB_QUARANTINE.

    If this feature is enabled, freed allocations are stored in the quarantine queue, where they wait to be actually freed. So there should be no way for them to be instantly reallocated and overwritten by UAF exploits."
    3:59p
    Security updates for Wednesday
    Security updates have been issued by Debian (brotli, jupyter-notebook, and postgresql-9.6), Fedora (perl-Convert-ASN1 and php-pear), openSUSE (go1.15, libqt5-qtbase, mutt, python-setuptools, and xorg-x11-server), Oracle (firefox, kernel, libvirt, and thunderbird), Red Hat (rh-postgresql10-postgresql and rh-postgresql12-postgresql), SUSE (java-1_8_0-openjdk, python, python-cryptography, python-setuptools, python3, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-kvm, linux-lts-trusty, linux-raspi2, linux-snapdragon, python-werkzeug, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
    4:09p
    Stable kernel updates
    Stable kernels 5.9.12, 5.4.81, 4.19.161, 4.14.210, 4.9.247, and 4.4.247 have been released with important
    fixes. Users should upgrade.
    7:25p
    Certificates from Let's Encrypt (R3 active)
    Let's Encrypt has announced that, as of today, the TLS certificates issued
    by the Let's Encrypt certificate authority are using a new intermediate
    certificate. "While LE will start using their new _roots_ next year, the change today
    is using a _variant_ of their "R3" certificate which is cross-signed
    from IdenTrust, rather than chaining back to their "ISRG Root X1".

    This will affect you if you're using DANE, TLSA records in DNS, signed
    by DNSSEC, to advertise properties of the certificate chain which remote
    systems should expect to see."
    10:30p
    [$] Python structural pattern matching morphs again
    A way to specify multiply branched conditionals in the Python language—akin
    to the C switch statement—has been
    a longtime feature request. Over the years, various proposals have been
    mooted, but none has ever crossed the finish line and made it into the
    language. A highly ambitious proposal that
    would solve the multi-branch-conditional problem (and quite a bit more) has
    been discussed—dissected, perhaps—in the Python community over the last six
    months or so. We have covered
    some of the discussion in August and September, but the ground has shifted once
    again so it is time to see where things stand.
