Brief items
Security
Billions of devices imperiled by new clickless Bluetooth attack (ars technica)
Ars technica reports on a set of just-disclosed Bluetooth vulnerabilities in multiple operating systems. "BlueBorne, as the researchers have dubbed their attack, is notable for its unusual reach and effectiveness. Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on."
Apache Struts Statement on Equifax Security Breach
The Apache Struts project has put out a statement on the possible role played by a Struts vulnerability in the massive Equifax data breach. "Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here --we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business --people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It's probably fair to say that we met this goal pretty well in case of CVE-2017-9805."
Security quotes of the week
My personal battle was not to burn down the NSA or the CIA. I even think they actually do have a useful role in society when they limit themselves to the truly important threats that we face and when they use their least intrusive means. We don't drop atomic bombs on flies that land on the dinner table. Everybody gets this except intelligence agencies.
— Edward Snowden (Thanks to Paul Wise.)
A Raspberry Pi is a tiny computer designed for [makers] and all sorts of Internet-of-Things types of projects. Make magazine has an article about securing it. Reading it, I am struck by how much work it is to secure. I fear that this is beyond the capabilities of most tinkerers, and the result will be even more insecure IoT devices.
— Bruce Schneier
Kernel development
Kernel release status
The 4.14 merge window remains open; as of this writing, just over 11,000 non-merge changesets have been pulled into the mainline repository for this release.
Stable updates: 4.13.1, 4.12.12, and 4.9.49 were released on September 10.
The 4.13.2, 4.12.13, 4.9.50, 4.4.88, and 3.18.71 updates are all in the review process as of this writing; they can be expected on or after September 14. Among other things, they contain an important fix for a buffer overflow in the Bluetooth stack.
Development
GNOME 3.26 released
The GNOME Project has announced the release of GNOME 3.26 "Manchester". "This release brings refinements to the system search, animations for maximizing and unmaximizing windows and support for color Emoji. Improvements to core GNOME applications include a redesigned Settings application, a new display settings panel, Firefox sync in the Web browser, and many more." There are openSUSE nightly live images that include GNOME 3.26.
LXC 2.1 has been released
The LXC team has announced the release of LXC 2.1. LXC provides a userspace interface for the Linux kernel containment features. New features include resource limit support, support for unprivileged openvswitch networks, a new lxc.cgroup.dir key, support for hybrid cgroup layout, and more.
Development quotes of the week
I had imagined him to be a grim old man hammering out those words from a stern laptop, so it was a surprise to see him use the same kinds of words but with a sarcastic smile, completely changing the context and tone. That was the first time I truly realized how emails often lack context. Years later, I still try to visualize people when I read their emails.
— Siddhesh Poyarekar
So here’s my advice for anyone who wants to make a dent in the future of web development: time to learn how compilers work.
— Tom Dale (Thanks to Paul Wise)
Miscellaneous
FSFE: Public Money? Public Code!
The Free Software Foundation Europe has joined several organizations in publishing an open letter urging lawmakers to advance legislation requiring publicly financed software developed for the public sector be made available under a Free and Open Source Software license. "The initial signatories include CCC, EDRi, Free Software Foundation Europe, KDE, Open Knowledge Foundation Germany, openSUSE, Open Source Business Alliance, Open Source Initiative, The Document Foundation, Wikimedia Deutschland, as well as several others; they ask individuals and other organisation to sign the open letter. The open letter will be sent to candidates for the German Parliament election and, during the coming months, until the 2019 EU parliament elections, to other representatives of the EU and EU member states."
Page editor: Jake Edge