LWN.net's Journal

Tuesday, July 20th, 2021

    2:35p
    A local root kernel vulnerability
    Commit 8cae8cd89f05 went into the mainline kernel repository on July 19; it puts a limit on the size of buffers allocated in the seq_file mechanism and mentions "int overflow pitfalls". For more information, look to this Qualys advisory describing the vulnerability:

    We discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.

    It may not sound like much, but Qualys claims to have written working exploits against a number of Ubuntu, Debian, and Fedora releases. Updates from distributors are already flowing, and the patch has been fast-tracked into today's stable kernel updates as well.
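    As an added illustration (not code from LWN, Qualys, or the kernel tree), the userspace C model below traces the arithmetic behind the Qualys sentence: a seq_file buffer that doubles from one page grows to 2GB once the output exceeds 1GB, a size_t of 2^31 becomes INT_MIN when it is passed as an int buflen, the "did the length go negative?" check in a prepend()-style helper is defeated because the subtraction wraps back to a large positive value, and the 10-byte marker lands at buf - 2GB - 10. The helper names, the -36/-12 return codes, and the userspace PAGE_SIZE are assumptions of this example; the MAX_RW_COUNT check mirrors the one the commit adds to seq_buf_alloc(). Nothing is dereferenced, only the offset of the would-be write is computed.

```c
/*
 * Added example, not kernel code: a userspace model of the size_t-to-int
 * truncation behind the seq_file/d_path bug and of the check that commit
 * 8cae8cd89f05 adds.  The helpers follow the shape of prepend() and
 * dentry_path() in fs/d_path.c; names and return codes are assumptions.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL			/* assumed for this model */
#define PAGE_MASK (~(PAGE_SIZE - 1))
/* Kernel constant: INT_MAX rounded down to a page boundary. */
#define MAX_RW_COUNT ((size_t)(INT_MAX & PAGE_MASK))

/* seq_file grows its buffer by doubling from PAGE_SIZE until a show()
 * iteration fits, so output just over 1GB forces a 2GB buffer. */
static size_t seq_buffer_size(size_t output_len)
{
	size_t size = PAGE_SIZE;
	while (size <= output_len)
		size <<= 1;
	return size;
}

/* Shape of prepend(): shrink the remaining length, refuse if it went
 * negative, then step the cursor back (the kernel memcpy()s the string
 * there).  The kernel is built with -fno-strict-overflow, so the int
 * subtraction wraps; we wrap explicitly to keep this well-defined C. */
static int prepend_offset(int64_t *cursor, int *buflen, int namelen)
{
	*buflen = (int)((unsigned int)*buflen - (unsigned int)namelen);
	if (*buflen < 0)
		return -36;			/* -ENAMETOOLONG */
	*cursor -= namelen;
	return 0;
}

/* Shape of seq_dentry() -> dentry_path() for an unlinked dentry: the size_t
 * buffer size becomes an int buflen and "//deleted" is prepended at
 * buf + buflen - 10.  *off receives that offset relative to buf[0]. */
static int deleted_marker_offset(size_t size, int64_t *off)
{
	int buflen = (int)size;		/* 0x80000000 -> INT_MIN under GCC/Clang */
	int64_t cursor = buflen;	/* p = buf + buflen */
	int err = prepend_offset(&cursor, &buflen, 10);	/* "//deleted" */
	if (err)
		return err;
	*off = cursor;
	return 0;
}

/* The fix: seq_buf_alloc() now refuses sizes above MAX_RW_COUNT, so buflen
 * can never be negative by the time d_path code sees it. */
static int deleted_marker_offset_fixed(size_t size, int64_t *off)
{
	if (size > MAX_RW_COUNT)
		return -12;			/* -ENOMEM: allocation refused */
	return deleted_marker_offset(size, off);
}

int main(void)
{
	size_t big = seq_buffer_size(((size_t)1 << 30) + 1);	/* path > 1GB */
	int64_t off;

	printf("seq buffer for a >1GB path: %zu bytes\n", big);
	if (deleted_marker_offset(big, &off) == 0)
		printf("unpatched: \"//deleted\" written at buf%+lld\n", (long long)off);
	printf("patched:   seq_buf_alloc(%zu) -> %d\n", big,
	       deleted_marker_offset_fixed(big, &off));
	if (deleted_marker_offset_fixed(PAGE_SIZE, &off) == 0)
		printf("sane 4KiB buffer: write lands at buf+%lld (in bounds)\n",
		       (long long)off);
	return 0;
}
```

    The point to take from the model is that the length check is not missing, it is present and passes: INT_MIN - 10 wraps to INT_MAX - 9, so the only robust fix is to keep the buffer size within int range before it is ever converted, which is exactly where the commit puts its check.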

    2:58p
    Security updates for Tuesday
    Security updates have been issued by Debian (kernel, libjdom1-java, rabbitmq-server, and systemd), Fedora (glibc), Gentoo (libpano13, libslirp, mpv, pjproject, pycharm-community, and rpm), Mageia (glibc, libuv, mbedtls, rxvt-unicode, mrxvt, eterm, tomcat, and zziplib), openSUSE (dbus-1, firefox, go1.15, lasso, nodejs10, nodejs12, nodejs14, and sqlite3), SUSE (go1.15), and Ubuntu (containerd).
    6:13p
    Another pile of stable kernel updates
    The 5.13.4, 5.12.19, 5.10.52, 5.4.134, 4.19.198, 4.14.240, 4.9.276, and 4.4.276 stable updates have all been released. These are relatively large updates once again, and they include the fix for the just-disclosed local root vulnerability. Note that the 5.12.x series ends with the 5.12.19 release.
    6:23p
    Stockfish sues ChessBase
    The Stockfish project, which distributes a chess engine under GPLv3, has announced the filing of a GPL-enforcement lawsuit against ChessBase, which has been (and evidently still is) distributing proprietary versions of the Stockfish code.

    In the past four months, we, supported by a certified copyright and media law attorney in Germany, went through a long process to enforce our license. Even though we had our first successes, leading to a recall of the Fat Fritz 2 DVD and the termination of the sales of Houdini 6, we were unable to finalize our dispute out of court. Due to Chessbase’s repeated license violations, leading developers of Stockfish have terminated their GPL license with ChessBase permanently. However, ChessBase is ignoring the fact that they no longer have the right to distribute Stockfish, modified or unmodified, as part of their products.
    9:48p
    [$] Tor gets financial support for Arti development
    There is a lot of buzz around the Rust programming language these days, which strikes some folks as irritating, ridiculous, or both. But the idea of a low-level language that can replace C, with fewer built-in security pitfalls, is attractive for any number of projects. Recently, the Tor Project announced the Arti project as a complete Rust rewrite of Tor's core protocols, which provide internet privacy and anonymity. In addition, Tor announced that Arti received a grant to support its development over the next year or so.
