LWN.net's Journal

Friday, January 29th, 2021

    2:42p  Security updates for Friday
    Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java).
    3:51p  Malcolm: Static analysis updates in GCC 11
    David Malcolm describes the progress in the GCC static analyzer for the upcoming GCC 11 release. "In GCC 10, I added the new -fanalyzer option, a static analysis pass for identifying various problems at compile-time, rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967. Bernd Edlinger, who discovered the issue, had to wade through many false positives accompanying the real issue. Other users also managed to get the analyzer to crash on their code.

    I've been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I'm taking to reduce the number of false positives and make this static analysis tool more robust."
    4:40p  Critical security problem in Libgcrypt 1.9.0
    The GNU Privacy Guard (GnuPG or GPG) project has announced a critical security bug in Libgcrypt version 1.9.0, released January 19. "Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt." Version 1.9.1 has been released to address the problem, and all users of 1.9.0 should update immediately. It is a heap buffer overflow, but no version of GnuPG uses the 1.9 series yet. "Exploiting this bug is simple and thus immediate action for 1.9.0 users is required. A CVE-id has not yet been assigned. We track this bug at https://dev.gnupg.org/T5275. The 1.9.0 tarballs on our FTP server have been renamed so that scripts won't be able to get this version anymore."
    4:52p  [$] Tackling the monopoly problem
    There was a time when people who were exploring computational technology saw it as the path toward decentralization and freedom worldwide. What we have ended up with, instead, is a world that is increasingly centralized, subject to surveillance, and unfree. How did that come to be? In a keynote at the online 2021 linux.conf.au event, Cory Doctorow gave his view of this problem and named its source: monopoly.

