Brief items
Security
Curl 8.4.0 released
Version 8.4.0 of the curl data-transfer tool has been released, mostly in response to a relatively severe security vulnerability that can be triggered when a SOCKS5 proxy server is in use. See this blog post for details on what went wrong. "In hindsight, shipping a heap overflow in code installed in over twenty billion instances is not an experience I would recommend."
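Anyone auditing the curl binaries they ship or deploy will want to know whether the reported version predates the fix. The following shell snippet is an added example, not code from the curl project: it takes the first line of `curl --version` output, extracts the version number and compares it field by field against 8.4.0, so that 8.10.x is correctly treated as newer than 8.4.0 (a plain string comparison would get this wrong). The banner strings it is exercised with are constructed for illustration.

```shell
#!/bin/sh
# Added example (not curl's own code): decide whether a `curl --version`
# banner reports a release at or above 8.4.0, the first release carrying
# the SOCKS5 fix. Only the first banner line is examined, e.g.
#   curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.10 ...
FIXED_VERSION="8.4.0"

# curl_version_from_banner BANNER -> prints the version number (e.g. 8.3.0),
# or nothing when the first line does not look like a curl banner.
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B -> exit 0 when dotted version A >= B, comparing each
# numeric field in turn (so 8.10.0 > 8.4.0 and 8.4 == 8.4.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# curl_has_socks5_fix BANNER -> exit 0 when the banner version is >= 8.4.0,
# 1 when it is older, 2 when no version could be parsed at all.
curl_has_socks5_fix() {
    v=$(curl_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Stand-alone use: examine the curl found on PATH.
if [ "${1:-}" = "--check" ]; then
    banner=$(curl --version 2>/dev/null) || { echo "curl not found"; exit 2; }
    v=$(curl_version_from_banner "$banner")
    if curl_has_socks5_fix "$banner"; then
        echo "curl $v: at or above $FIXED_VERSION"
    else
        echo "curl $v: older than $FIXED_VERSION, check for a distribution backport"
    fi
fi
```

Two caveats apply to any such check. Distributions routinely backport security fixes without changing the version number, so a package reporting 8.3.0 or 7.x is a prompt to read its changelog rather than a verdict. And, as the announcement says, the vulnerable code is only reached when a SOCKS5 proxy is in use; a curl that never speaks SOCKS5 still deserves the update, but is not exposed to this particular path in the meantime.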
A remote code execution vulnerability in GNOME
The GitHub blog describes a vulnerability in the libcue library (which is used by the GNOME desktop) that can be exploited by a remote attacker to run code on a desktop system if the target can be convinced to click on a malicious link.
The video shows me clicking a link in a webpage, which causes a cue sheet to be downloaded. Because the file is saved to ~/Downloads, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners uses libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution and pop a calculator.
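The chain described above only works because the desktop indexer picks up whatever a browser drops into ~/Downloads. As an added example (not code from GNOME, tracker-miners or the GitHub post), the shell snippet below reports whether the tracker-miners file indexer is configured to index the Downloads directory. It assumes the Tracker 3 GSettings schema `org.freedesktop.Tracker3.Miner.Files` with its `index-recursive-directories` and `index-single-directories` keys, whose values are GVariant string arrays that use XDG tokens such as `&DOWNLOAD` or literal paths; the sample values it is exercised with are constructed.

```shell
#!/bin/sh
# Added example (not GNOME's or tracker-miners' code): report whether the
# tracker-miners file indexer would scan the Downloads folder, i.e. whether a
# file saved there by a browser is parsed automatically. Assumes the Tracker 3
# schema org.freedesktop.Tracker3.Miner.Files; directory lists in it look like
#   ['&DESKTOP', '&DOCUMENTS', '&DOWNLOAD']   or   ['/home/alice/Downloads']
SCHEMA="org.freedesktop.Tracker3.Miner.Files"

# lists_downloads LIST -> exit 0 when a GVariant string-array value names the
# Downloads directory, either via the '&DOWNLOAD' XDG token or a path ending
# in /Downloads; exit 1 otherwise (including for the empty array "@as []").
lists_downloads() {
    printf '%s\n' "$1" | tr ',' '\n' | sed "s/[][' ]//g" |
        grep -q -e '^&DOWNLOAD$' -e '/Downloads$'
}

# downloads_indexed RECURSIVE SINGLE -> prints "recursive", "single" or "no",
# depending on which list (if either) covers Downloads. The arguments are the
# values of index-recursive-directories and index-single-directories.
downloads_indexed() {
    if lists_downloads "$1"; then
        echo recursive
    elif lists_downloads "$2"; then
        echo single
    else
        echo no
    fi
}

# Stand-alone use: read the live settings when gsettings is available.
if [ "${1:-}" = "--check" ] && command -v gsettings >/dev/null 2>&1; then
    rec=$(gsettings get "$SCHEMA" index-recursive-directories)
    single=$(gsettings get "$SCHEMA" index-single-directories)
    echo "Downloads indexed by tracker-miners: $(downloads_indexed "$rec" "$single")"
fi
```

Taking Downloads out of the indexer's directory lists shrinks the exposure of this one delivery path, but it is a hardening knob, not a fix: the bug lives in libcue, any other route that hands the indexer a .cue file still reaches it, and so does any other program linked against the library. The fix is an updated libcue.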
Security quote of the week
This is not the first time Cisco products have had hard-coded passwords made public. You'd think it would learn.— Bruce Schneier
Kernel development
Kernel release status
The current development kernel is 6.6-rc5, released on October 8. Linus commented: "Things are back to normal, and we have a networking pull this week."
Stable updates: 6.5.6, 6.1.56, and 5.15.134 were released on October 6, followed by 6.5.7, 6.1.57, 5.15.135, 5.10.198, 5.4.258, 4.19.296, and 4.14.327 on October 10.
Quote of the week
I just realized. The more you comment your code and make it understandable, the easier it is for other people to take over and rewrite your code. This means that when you retire/pass away, your code will likely be quickly overwritten and your legacy gone from the active code base.
So, if you write complex clever code with little to no documentation, your code is more likely to be immortalized in the code base as everyone will be too afraid to touch it and possibly break it.— Steven Rostedt
Distributions
The end of the Red Hat security-announcements list
Red Hat has announced that its longstanding "rhsa-announce" mailing list will be shut down on October 10. That is the list that receives security advisories for Red Hat Enterprise Linux and a whole slew of related products. Anybody who was counting on that list for Red Hat security advisories will need to find an alternative; a few options are listed in the announcement.
Distributions quote of the week
Upstreaming patches requires 3 elements:
- the interest to push patches there
- the skills to understand the patch(es) one is upstreaming, so they can address the comments and requests for improvements they receive after posting the patches
- the time to rebase the patches on top of the latest upstream commit, prepare the submission and engage in constructive discussions with the reviewers
When it comes to the original PinePhone, the upstreaming effort has pretty much completely stalled by now, as it seems no one in our community possesses all of those elements. [...]
We are therefore considering dropping support for both the original PinePhone and PineTab once the current kernel branch reaches end-of-life, ultimately turning those devices into high-tech paperweights.— The Mobian blog (thanks to Paul Wise)
Development
Ferrocene released as open source
Ferrous Systems has announced that its Ferrocene Rust compiler will be released under the Apache-2.0 and MIT licenses.
Ferrocene is the main Rust compiler - rustc - but quality managed and qualified for use in automotive and industrial environments (currently by ISO 26262 and IEC 61508) by Ferrous Systems. It operates as a downstream to the Rust project, further increasing its testing and quality on specific platforms.
The license is free, but this is not being run as an open-source project; specifically, contributions from the "general public" are not accepted.
Incus 0.1 released
The Linux Containers project has announced the release of version 0.1 of the Incus system container and virtual-machine manager, a community-led fork of Canonical's LXD. Incus 0.1 "is roughly equivalent to LXD 5.18 but with a number of breaking changes on top of the obvious rename". A number of changes have been made in the two months since the fork:
With this initial release of Incus, we took the opportunity to remove a lot of unused or problematic features from LXD. Most of those changes are things we would have liked to do in LXD but couldn't due to having strong guarantees around backward compatibility.
Incus will be similarly strict with backward compatibility in the future, but as this is the first release of the fork, it was our one big opportunity to change things.
That said, the API and CLI are still extremely close to what LXD has, making it trivial if not completely seamless to port from LXD to Incus.
There is an online version of Incus for those interested in giving it a try.
Page editor: Jake Edge
