
Brief items

Security

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

The Google Security Blog discloses the results of a security audit of the Dnsmasq name resolver. "We discovered seven distinct issues (listed below) over the course of our regular internal security assessments. Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issue." Version 2.78 contains the fixes. Anybody running an OpenWRT/LEDE router likely has a vulnerable version of Dnsmasq and will want to look into updating.

Morris: Linux Security Summit 2017 Roundup

James Morris has posted a summary of the recently concluded Linux Security Summit. "I was particularly interested in the topic of better integrating LSM with containers, as there is an increasingly common requirement for nesting of security policies, where each container may run its own apparently independent security policy, and also a potentially independent security model. I proposed the approach of introducing a security namespace, where all security interfaces within the kernel are namespaced, including LSM. It would potentially solve the container use-cases, and also the full LSM stacking case championed by Casey Schaufler (which would allow entirely arbitrary stacking of security modules)."

A security review of three NTP implementations

The Core Infrastructure Initiative commissioned security audits of three network time protocol (NTP) implementations (ntpd, NTPSec, and Chrony) and has released the results. "From a security standpoint (and here at the CII we are security people), Chrony was the clear winner between these three NTP implementations. Chrony does not have all of the bells and whistles that ntpd does, and it doesn’t implement every single option listed in the NTP specification, but for the vast majority of users this will not matter. If all you need is an NTP client or server (with or without reference clock), which is all that most people need, then its security benefits most likely outweigh any missing features."

Security quotes of the week

Billions of devices run dnsmasq, and it had been through multiple security audits before now. Simon had done the best job possible, I think. He got beat. No human and no amount of budget would have found these problems before now, and now we face the worldwide costs, yet again, of something ubiquitous now, vulnerable.

I'd long hoped, also, we'd see rapid updates enter the entire IoT supply chain, which remains a bitter joke. "Prehistoric" versions of dnsmasq litter that landscape, and there is no way they will ever be patched, and it would be a good bet that many "new" devices for the next several years will ship with a vulnerable version.

Dave Täht

People were terrified, and this time nobody smugly proclaimed that they needn't worry because they didn't have anything to hide -- because it was obvious that everyone did. In the age of mass surveillance and data collection almost every aspect of people's lives was recorded somewhere and could be sold, bought, correlated using massive computational powers of modern cloud computing -- and then used for extortion and blackmail.

Data protection legislation extolling huge fines on companies that collect citizens' personal data was passed, but proved too late and too ineffective. It was too late because so much of it was already in malicious hands, and it was ineffective because a lot of this data came from law enforcement and anti-terrorist mass surveillance databases themselves -- and because the bounties offered by blackmailers continued to increase, multiplying insider leaks. The irony that the tools that were supposed to make the populace more safe were now used to terrorize it was not lost on anyone.

Konstantin Ryabitsev envisions the future ("I hope I am proven wrong on all counts.")

There is no amount of money or free stuff that will get me to write about your security product or service.

With regard to squid, however, I have no such compunctions. Send me any sort of squid anything, and I am happy to write about it.

Bruce Schneier sells out to the squid industry

Kernel development

Kernel release status

The current development kernel is 4.14-rc3, released on October 1. Linus said: "So 4.14 continues to be a somewhat painful release, and I'm starting to at least partly blame the fact that it's meant to be an LTS release."

The October 1 regression report shows four known regressions in the 4.14 kernel.

Stephen Rothwell has let it be known that he will not be doing linux-next releases for the month of October. Integration testing will return on October 31; that could prove to be a proper Halloween experience shortly before the final 4.14 release is due.

Stable updates: 4.13.4, 4.9.52, 4.4.89, and 3.18.72 were released on September 28. The 4.13.5, 4.9.53, 4.4.90, and 3.18.73 updates are in the review process as of this writing; they can be expected on or after October 5.

Linux kernel LTS releases are now good for 6 years (ars technica)

Ars technica reports on an announcement that the kernel's long-term support releases will now be maintained for six years instead of two. "A six-year support window will give Google, SoC Vendors, and OEMs plenty of time to develop a device and get it to market, while still leaving about four years for end-user ownership. Google currently provides two years of major OS updates on its phones and three years of security updates, but if it wanted to extend that, an announcement like this would seem like an important first step." The kernel.org releases page now shows 4.4 being maintained through February 2022.

Distributions

Fedora 27 beta (Fedora Magazine)

Fedora Magazine has announced the release of Fedora 27 beta, including Fedora Workstation and Fedora Atomic Host. For those wondering about the server edition, this article has the answer. "The Modularity project was designed to allow shipping different parts of the projects on different timelines. So, the Server team is starting that now — expect a Fedora 27 Server beta powered by Modularity in a few weeks. The general Fedora 27 release will come in early November, and then Fedora 27 Server will arrive in final form about a month later."

FreeBSD 10.4-RELEASE Announcement

FreeBSD 10.4 has been released. This release features full support for eMMC storage, as well as many updates and improvements. The release notes contain more details.

LEDE v17.01.3 service release

The LEDE project has announced a "service release" of its router distribution. "LEDE 17.01.3 'Reboot' incorporates a fair number of fixes back ported from the development branch during the last sixteen weeks." Included therein is a pile of security updates, including fixes for the recently disclosed dnsmasq vulnerabilities.

Distribution quotes of the week

If having a conclusion would be a requirement for doing anything, we'd never have moved off EAPI 0.
Michał Górny

FreeBSD continues to defy the rumors of its demise.
Mark Linimon

Development

Evergreen 3.0.0 released

The Evergreen community has announced the release of Evergreen 3.0.0, software for libraries. This release includes community support of the web staff client for production use, serials and offline circulation modules for the web staff client, improvements to the display of headings in the public catalog browse list, and more.

Development quote of the week

It’s amusing and a little unsettling to find the emacs/vi debate has been abandoned because you’ve gotten to the age where your colleagues have never experienced either... :)
gonewest (Thanks to Paul Wise)

Miscellaneous

A message from the (former) OSI President

Allison Randal has sent out a message to the community saying that she is moving on from the presidency of the Open Source Initiative. "I'm incredibly proud of what the organization has accomplished in that time, continuing stewardship of the open source license list, and growing our individual membership and affiliate programs which provide a path for the entire open source community to have a say in the governance of the OSI." Her replacement will be Simon Phipps.

EFF: The War on General-Purpose Computing Turns on the Streaming Media Box Community

The EFF highlights a number of attacks against distributors of add-ons for the Kodi streaming media system. "These lawsuits by big TV incumbents seem to have a few goals: to expand the scope of secondary copyright infringement yet again, to force major Kodi add-on distributors off of the Internet, and to smear and discourage open source, freely configurable media players by focusing on the few bad actors in that ecosystem. The courts should reject these expansions of copyright liability, and TV networks should not target neutral platforms and technologies for abusive lawsuits."

Page editor: Jake Edge
Copyright © 2017, Eklektix, Inc.