Breno Silveira Soares of Servico Federal de Processamento de Dados
(SERPRO) discovered that the BIND DNS server is prone to a denial of
service vulnerability. A remote attacker who can cause a validating
resolver to query a zone containing specifically constructed contents
can cause the resolver to terminate with an assertion failure, resulting
in a denial of service to clients relying on the resolver.
It was discovered that the texttopdf utility, part of cups-filters, was
susceptible to multiple heap-based buffer overflows due to improper
handling of print jobs with a specially crafted line size. This could
allow remote attackers to crash texttopdf or possibly execute arbitrary
Charlie Smurthwaite of aTech Media discovered a flaw in HAProxy, a fast
and reliable load balancing reverse proxy, when HTTP pipelining is used.
A client can take advantage of this flaw to cause data corruption and
retrieve uninitialized memory contents that exhibit data from a past
request or session.
Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
use-after-frees and other implementation errors may lead to the
execution of arbitrary code or denial of service. This update also
addresses a vulnerability in DHE key processing commonly known as
the LogJam vulnerability.
Johan Olofsson discovered an authentication bypass vulnerability in
Stunnel, a program designed to work as a universal SSL tunnel for
network daemons. When Stunnel in server mode is used with the redirect
option and certificate-based authentication is enabled with verify = 2
or higher, then only the initial connection is redirected to the hosts
specified with redirect. This allows a remote attacker to bypass
It was discovered that the Jackrabbit WebDAV bundle was susceptible to an
XXE/XEE attack. When processing a WebDAV request body containing XML,
the XML parser could be instructed to read content from network
resources accessible to the host, identified by URI schemes such as
http(s) or file. Depending on the WebDAV request, this could not
only be used to trigger internal network requests, but might also be
used to insert said content into the request, potentially exposing it to
the attacker and others.
It was discovered that unattended-upgrades, a script for automatic
installation of security upgrades, did not properly authenticate
downloaded packages when the force-confold or force-confnew dpkg options
were enabled via the DPkg::Options::* apt configuration.
Evgeny Sidorov discovered that libcrypto++, a general purpose C++
cryptographic library, did not properly implement blinding to mask
private key operations for the Rabin-Williams digital signature
algorithm. This could allow remote attackers to mount a timing attack
and retrieve the user's private key.
Bastian Blank from credativ discovered that cinder, a
storage-as-a-service system for the OpenStack cloud computing suite,
contained a bug that would allow an authenticated user to read any
file from the cinder server.
Alexander Cherepanov discovered that p7zip is susceptible to a
directory traversal vulnerability. While extracting an archive, it
will extract symlinks and then follow them if they are referenced in
further entries. This can be exploited by a rogue archive to write
files outside the current directory.
It was discovered that CUPS, the Common UNIX Printing System, is
vulnerable to a remotely triggerable privilege escalation via cross-site
scripting and bad print job submission used to replace cupsd.conf on the
And so, a day before I leave for Italy for my Summer vacation, we've got some... News about Jolla. The company just put out a press release, announcing a focus shift.
Jolla Ltd., the Finnish mobile company and developer of open mobile operating system Sailfish OS, today announced a change in its company structure and management as further action toward company's strategy to focus on Sailfish OS licensing and development.
As of today, the company Jolla Ltd. will concentrate on the development and licensing business of the independent and open mobile operating system Sailfish OS. A new company will be established to continue Jolla's device business, where the company sees a specific interest from privacy-aware consumers and corporations around the world.
The press release - of course - frames this as happy news, but years of experience in covering technology (or just years of not living under a rock, really) has taught me that moves like this are never borne out of desire, but out of necessity. Combined with several delays of Jolla's tablet and of Sailfish 2.0, it's hard not to conclude the company (companies?) is facing bleak times.
I haven't exactly kept my displeasure with the slow pace of progress regarding Sailfish development a secret, and I've had worries about the company's future for a long time now. The Jolla phone is now 19 months old, and it wasn't exactly flagship-quality to begin with when it was first released in December 2013. While there have been considerable updates to Sailfish 1.0, it, too, is now 19 months old. In addition, the promised support for paid applications never arrived.
One also has to wonder just how wise it was to focus on building a tablet. Tablets don't get replaced very often, and they are a far smaller market than smartphones. In addition, adding a whole new form factor to support is sure to negatively affect the smartphone experience. Had the company instead focused on releasing a new phone, we might have had it sooner - no new form factor to develop - and we'd have a replacement for the under-performing original Jolla phone. Hindsight, though, right?
Regarding the tablet:
Jolla is committed to deliver the Jolla Tablet to its Indiegogo crowdfunding contributors and is working hard to start first shipments as soon as possible. "The software (Sailfish OS) part of the work is in good shape but we have been slowed down by supply issues of certain hardware components. We expect to solve this issue very soon," Mr. Saarnio says.
I hope the company can stay afloat long enough to ensure we get our tablets (I ordered one within minutes of the announcement). Maybe things are not as bleak as I make them out to be here, but I'm not exactly getting the positive vibes.
On Sunday, while most of Twitter was watching the Women's World Cup - an amazing game from start to finish - one of the world's most notorious security firms was being hacked.
Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.
Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.
Big changes afoot for Firefox.
We intend to move Firefox away from XUL and XBL, but the discussion of how to do that is in the early stages. There are a ton of unanswered questions: what technologies/best practices for web development should we adopt in its place? How does this affect add-on developers? Is there space for a native-code main-window on desktop like we have on Android? How much time should we spend on this vs. other quality issues? What unanswered questions have we not asked yet?
This clearly isn't a small endeavour, but the rationale given seems sound to me.
This week in DistroWatch Weekly: Review: Exploring Alpine Linux 3.2.0; News: Fedora running on MIPS processors, FreeBSD 8.4's life extended, the OctoPkg package manager and Solus unveils daily builds; Questions and answers: The source of Ubuntu's packages; Torrent corner: antiX, DragonFly BSD, Linux Mint, OpenMediaVault, VectorLinux; Released last week: Linux Mint 17.2,....
The developers of Parsix GNU/Linux, a desktop oriented Debian-based distribution, have announced the availability of a new development release. The new release offers users an updated kernel, experimental UEFI support and the GNOME 3.16 desktop. "Parsix GNU/Linux 8.0 (code name Mumble) brings stable GNOME 3.16 desktop environment, a....
The 4MLinux project has announced a new release of the independent Linux distribution. The latest release, 4MLinux 13.0, ships with the GNU Compiler Collection 5 and offers miscellaneous desktop improvements. "The status of the 4MLinux 13.0 series has been changed to S. Major changes in the core of....