It was discovered that cyrus-sasl2, a library implementing the Simple
Authentication and Security Layer, does not properly handle certain
invalid password salts. A remote attacker can take advantage of this
flaw to cause a denial of service.

A remotely triggerable use-after-free vulnerability was found in
rpcbind, a server that converts RPC program numbers into universal
addresses. A remote attacker can take advantage of this flaw to mount a
denial of service (rpcbind crash).

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
integer overflows, buffer overflows, use-after-frees and other
implementation errors may lead to the execution of arbitrary code,
information disclosure or denial of service.

Johannes Kliemann discovered a vulnerability in ownCloud Desktop Client,
the client-side of the ownCloud file sharing services. The vulnerability
allows man-in-the-middle attacks in situations where the server is using
self-signed certificates and the connection is already established. If
the user on the client side manually distrusts the new certificate, the
file syncing will continue using the malicious server as valid.

It was discovered that the International Components for Unicode (ICU)
library mishandles converter names starting with x-, which allows
remote attackers to cause a denial of service (read of uninitialized
memory) or possibly have unspecified other impact via a crafted file.

This update fixes an unspecified security issue in VirtualBox related to
guests using bridged networking via WiFi. Oracle no longer provides
information on specific security vulnerabilities in VirtualBox. To still
support users of the already released Debian releases we've decided to
update these to the respective 4.1.40 and 4.3.30 bugfix releases.

It was discovered that vzctl, a set of control tools for the OpenVZ
server virtualisation solution, determined the storage layout of
containers based on the presence of an XML file inside the container.
An attacker with local root privileges in a simfs-based container
could gain control over ploop-based containers. Further information on
the prerequisites of such an attack can be found at

Denis Andzakovic discovered that OpenLDAP, a free implementation of the
Lightweight Directory Access Protocol, does not properly handle BER
data. An unauthenticated remote attacker can use this flaw to cause a
denial of service (slapd daemon crash) via a specially crafted packet.

Frediano Ziglio of Red Hat discovered a race condition flaw in spice's
worker_update_monitors_config() function, leading to a heap-based memory
corruption. A malicious user in a guest can take advantage of this flaw
to cause a denial of service (QEMU process crash) or, potentially
execute arbitrary code on the host with the privileges of the hosting

Pyry Hakulinen and Ashish Shakla at Automattic discovered that pdns,
an authoritative DNS server, was incorrectly processing some DNS
packets; this would enable a remote attacker to trigger a DoS by
sending specially crafted packets causing the server to crash.
I've spent the past couple of days desperately trying to puzzle out the purpose behind Google's newly announced Nexus 5X and 6P smartphones. Unlike predecessors such as the Nexus One and Nexus 5, these phones don't have a clear reason for being, and are not in themselves terribly unique. That's led me (and others) to question Google's overall aim with the Nexus line of pure Android smartphones, and I think I've finally arrived at an answer. The Nexus program is not so much about carrier independence or purity of Android design as it is about presenting Google in an overwhelmingly positive light. In other words, Google, the ultimate ad seller, sells Nexus phones as ads for itself.
This article feels a bit like a trainwreck to me. It just doesn't make any sense. Of course Nexus devices are built specifically to put Android and Google's services on a pedestal - has anyone ever claimed otherwise? Has anyone ever seen them as anything but? The tone of the article also tries to somehow posit this as a negative thing, which I don't understand either. Some of the very best Android phones of all time have been Nexus phones, so aren't they a great thing for us consumers? What's the problem here?
Making Android profitable for Android phone makers is one of the great challenges of our time. We're all better off when we buy things from sustainable companies that we know will still be around when we have an issue months or years down the line. I wish Google would recognize that and try to do more to support Android as a whole rather than just its own good name. Nexus devices have in the past and can still serve nobler purposes than just making Google look good.
No, it's not. The goal of Android is to reach as many people as possible, and do so in a way that benefits us as consumers as much as possible. Expensive Android devices with 50% profit margins don't benefit us at all - they just allow major corporations to suck money out the economy and shadily funnel it to foreign tax havens. We benefit from access to high-quality phones at reasonable prices running Android-proper - and anything that pushes the Samsungs and HTCs of this world to do so is a huge win for consumers.
With El Capitan released, there's one 'feature' that really needs to be highlighted - for better or worse.
System Integrity Protection (SIP, sometimes referred to as rootless) is a security feature of OS X El Capitan, the operating system by Apple Inc. It protects certain system processes, files and folders from being modified or tampered with by other processes even when executed by the root user or by a user with root privileges (sudo). Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account on which that user is also the administrator. System Integrity Protection is enabled by default, but can be disabled.
Here's Apple's WWDC presentation about SIP, and here's the Ars review's section about it.
Google and Microsoft have agreed to end their long-running patent feud over smartphones and video game systems, dropping about 20 lawsuits in the U.S. and Germany.
The two companies, which didn't disclose financial terms, have been litigating over technology innovations for five years. Google's former Motorola Mobility unit had been demanding royalties on the Xbox video-gaming system, and Microsoft had sought to block Motorola mobile phones from using certain features.
If you've been paying attention, you know why this is taking place now.
This week in DistroWatch Weekly:
Review: An Android living in your computer
News: How Fedora tracks software releases, Ubuntu's redesigned installer, Raspbian enables desktop by default and purchasing computers with Linux Mint pre-installed
Questions and answers: Clearing out dot files from the home directory
Torrent corner: KaOS, Manjaro....
The developers of Slackel, a Slackware based desktop distribution, have released Slackel 6.0.4 "Openbox". The new release of the Openbox edition features the 4.1.6 version of the Linux kernel, the ability to choose between the GRUB and LILO boot loaders at install time and many package upgrades. "Slackel....
Alexander Pyhalov has announced the release of OpenIndiana 2015.10, the latest update of the distribution originally forked from the now-defunct OpenSolaris operating system: "So, after half a year we have a new ISO image. We synced IPS with the Everycity version, which includes Oracle updates and fixes necessary....