LWN.net's Journal
 
 [Most Recent Entries] [Calendar View]

Thursday, September 23rd, 2021

    Time Event
    12:35a
    [$] LWN.net Weekly Edition for September 23, 2021
    The LWN.net Weekly Edition for September 23, 2021 is available.
    2:38p
    Security updates for Thursday
    Security updates have been issued by Debian (ruby-kaminari and tomcat8), Mageia (389-ds-base, ansible, apache, apr, cpio, curl, firefox, ghostscript, gifsicle, gpac, libarchive, libgd, libssh, lynx, nextcloud-client, openssl, postgresql, proftpd, python3, thunderbird, tor, and vim), openSUSE (chromium, ffmpeg, grilo, hivex, linuxptp, and samba), Oracle (go-toolset:ol8, kernel, kernel-container, krb5, mysql:8.0, and nodejs:12), SUSE (ffmpeg, firefox, grilo, hivex, kernel, linuxptp, nodejs14, and samba), and Ubuntu (ca-certificates, edk2, sqlparse, and webkit2gtk).
    3:11p
    [$] Improvements to GCC's -fanalyzer option
    For the second year in a row, the GNU Tools Cauldron (the annual gathering
    of GNU toolchain developers) has been held as a dedicated track at the
    online Linux Plumbers
    Conference    . For the 2021 event, that track started with a talk by
    David Malcolm on his work with the GCC -fanalyzer option, which
    provides access to a number of static-analysis features. Quite a bit has
    been happening with -fanalyzer and more is on the way with the
    upcoming GCC 12 release, including, possibly, a set of checks that
    have already found at least one vulnerability in the kernel.
    3:35p
    Poettering: Authenticated Boot and Disk Encryption on Linux
    Here's a lengthy missive from Lennart Poettering taking Linux distributors to task for inadequately protecting systems from physical attacks.

    So, does the scheme so far implemented by generic Linux distributions protect us against the latter two scenarios? Unfortunately not at all. Because distributions set up disk encryption the way they do, and only bind it to a user password, an attacker can easily duplicate the disk, and then attempt to brute force your password. What's worse: since code authentication ends at the kernel — and the initrd is not authenticated anymore —, backdooring is trivially easy: an attacker can change the initrd any way they want, without having to fight any kind of protections.

    The article contains a lot of suggestions for how to do things better.

    << Previous Day 2021/09/23
    [Calendar]     		Next Day >>

LWN.net   About LJ.Rossia.org