Brief items

Security

Exploit that gives remote access affects ~200 million cable modems (ars technica)

Ars technica reports on the "Cable Haunt" vulnerability that afflicts a large number of cable modems. "The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharing prevents a Web application from one origin (such as malicious.example.com) from working on a different origin (such as 192.168.100.1, the address used by most or all of the vulnerable modems). Websockets, however, aren't protected by CORS, as the mechanism is usually called. As a result, the modems will accept the remote JavaScript, thereby allowing attackers to reach the endpoint and serve it code." Thus far, there doesn't seem to be any information out there on whether routers running OpenWrt are vulnerable.
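Because the browser does not apply CORS to a WebSocket connection, the server accepting the handshake has to check the Origin header itself. The following is an added example of that check, not code from the article or from any modem firmware; the allowlist, the /ws path and the sample requests are constructed for illustration.

```javascript
// Added example: Origin allowlisting for a WebSocket handshake (server side).
// ALLOWED_ORIGINS and all sample requests below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["http://192.168.100.1"]);

// Parse the head of a raw HTTP/1.1 request into method plus lower-cased headers.
// Repeated headers are collected into arrays so duplicates can be detected.
function parseHandshake(raw) {
  const lines = raw.split("\r\n\r\n")[0].split("\r\n");
  const method = lines[0].split(" ")[0];
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip lines that are not "name: value"
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, (headers.get(name) || []).concat(value));
  }
  return { method, headers };
}

// Decide whether to complete the upgrade. The browser sets Origin itself and
// page script cannot override it, so it identifies the page opening the socket.
function checkHandshake(raw, allowed = ALLOWED_ORIGINS) {
  const { method, headers } = parseHandshake(raw);
  const upgrade = headers.get("upgrade") || [];
  if (method !== "GET" || upgrade.length !== 1 || upgrade[0].toLowerCase() !== "websocket") {
    return { status: 400, reason: "not a WebSocket upgrade" };
  }
  const origins = headers.get("origin") || [];
  // Policy assumption: a missing Origin (non-browser client) is refused too.
  if (origins.length !== 1) return { status: 403, reason: "missing or duplicate Origin" };
  let origin;
  try {
    origin = new URL(origins[0]).origin; // normalises case and default port
  } catch {
    return { status: 403, reason: "malformed Origin" };
  }
  // Exact match on the serialised origin; prefix or substring tests would
  // accept look-alikes such as http://192.168.100.1.attacker.example.
  if (!allowed.has(origin)) return { status: 403, reason: "origin not allowed" };
  return { status: 101, reason: "switching protocols" };
}

// Constructed sample handshake; pass null to omit the Origin header.
const request = (origin) =>
  "GET /ws HTTP/1.1\r\nHost: 192.168.100.1\r\nUpgrade: websocket\r\n" +
  "Connection: Upgrade\r\n" + (origin ? `Origin: ${origin}\r\n` : "") + "\r\n";
console.log(checkHandshake(request("http://malicious.example.com")));
```

An Origin check only covers connections that a browser makes on behalf of a web page; the endpoint still needs authentication, since other clients can send any Origin value they like.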

Firefox 72.0.1 released

There is another Firefox release out there; this advisory suggests that updating quickly would be a good idea: "Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw."

Kernel development

Kernel release status

The current development kernel is 5.5-rc6, released on January 12. Linus said: "Let's see how things go. I do suspect that this ends up being one of those 'rc8' releases, not because things look particularly bad right now, but simply because the holiday season has meant that both the testing side and the development side have been quiet. But who knows?"

Stable updates: 5.4.10, 5.4.9, 4.19.94, and 4.14.163 were released on January 9; 5.4.10 in particular contained only a PowerPC fix that eluded 5.4.9. Thereafter, 5.4.11, 4.19.95, 4.14.164, 4.9.209, and 4.4.209 came out on January 12, and 5.4.12, 4.19.96, 4.14.165, 4.9.210, and 4.4.210 showed up on January 14.

Quote of the week

After quite a bit of soul searching, I've decided to step down from being a full-time Fedora kernel maintainer and move on to other things. Having come in as a relative outsider to the Fedora community almost 5 years ago, I deeply appreciate you all welcoming me with open arms. I still expect to be around to some degree but probably not as directly involved on a day-to-day basis.
Laura Abbott

Distributions

Release for CentOS Linux 8 (1911)

The CentOS Project has announced the release of CentOS 8-1911, derived from Red Hat Enterprise Linux 8.1. See the release notes for details.

OpenWrt 19.07.0

Version 19.07.0 of the OpenWrt router distribution is available. "With this release, the OpenWrt project brings all supported targets back to a single common kernel version and further refines and broadens existing device support. It also introduces a new ath79 target and brings support for WPA3." There are some known issues; read through the full announcement before updating.

Distribution quote of the week

We envision a world where free and open source software is accessible and usable. In this world, software is built by communities that are inclusive, welcoming, and encourage experimentation. The Fedora Project will be a reference for everyone who shares this vision.
draft vision statement for Fedora

Development

Git v2.25.0

Git 2.25 has been released. This blog post looks at "partial clone support" and "sparse checkouts" as these features mature. "A clone of a Git repository copies all of its data: every version of every file in the history. For very large repositories, the cost of network transfer and local storage can make this awkward or even impossible, even if you're only interested in a subset of the files. In the past several versions, Git learned the ability to execute a "partial" clone, which means that it can now clone and work with repositories without having all of their contents. Partial clones are still considered an experimental feature from Git's point of view. For instance, many providers (such as GitHub) don't support this feature yet, and it's continually changing and evolving within Git from release to release."

Szorc: Mercurial's Journey to and Reflections on Python 3

Here is a longish blog entry from Mercurial maintainer Gregory Szorc on the painful process of converting Mercurial to Python 3. "I anticipate a long tail of random bugs in Mercurial on Python 3. While the tests may pass, our code coverage is not 100%. And even if it were, Python is a dynamic language and there are tons of invariants that aren't caught at compile time and can only be discovered at run time. These invariants cannot all be detected by tests, no matter how good your test coverage is. This is a feature/limitation of dynamic languages. Our users will likely be finding a long tail of miscellaneous bugs on Python 3 for years."

Miscellaneous

Maddock: The End of Indie Web Browsers

Samuel Maddock writes that the adoption of the "encrypted media extensions" by the World Wide Web Consortium has had just the sort of effect that people were worried about four years ago. "No longer is it possible to build your own web browser capable of consuming some of the most popular content on the web. Websites like Netflix, Hulu, HBO, and others require copyright content protection which is only accessible through browser vendors who have license agreements with large corporations."

Page editor: Jake Edge
Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds