James Kettle, Alain Tiemblo, Christophe Coevoet and Fabien Potencier
discovered that twig, a templating engine for PHP, did not correctly
process its input. End users allowed to submit twig templates could
use specially crafted code to trigger remote code execution, even in
Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a
multimedia player and streamer, could dereference an arbitrary pointer
due to insufficient restrictions on a writable buffer. This could allow
remote attackers to execute arbitrary code via crafted 3GP files.
Dawid Golunski discovered that when running under PHP-FPM in a threaded
environment, Zend Framework, a PHP framework, did not properly handle
XML data in multibyte encoding. This could be used by remote attackers
to perform an XML External Entity attack via crafted XML data.
Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure,
denial of service or insecure cryptography.
Lin Hua Cheng discovered that a session could be created when anonymously
accessing the django.contrib.auth.views.logout view. This could allow
remote attackers to saturate the session store or cause other users'
session records to be evicted.
It was discovered that Request Tracker, an extensible trouble-ticket
tracking system is susceptible to a cross-site scripting attack via the
user and group rights management pages (CVE-2015-5475) and via the
cryptography interface, allowing an attacker with a carefully-crafted
use neither GnuPG nor S/MIME are unaffected by the second cross-site
Kurt Roeckx discovered that decoding a specific certificate with very
long DistinguishedName (DN) entries leads to double free. A remote
attacker can take advantage of this flaw by creating a specially crafted
certificate that, when processed by an application compiled against
GnuTLS, could cause the application to crash resulting in a denial of
Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
integer overflows, buffer overflows, use-after-frees and other
implementation errors may lead to the execution of arbitrary code,
bypass of the same-origin policy or denial of service.
Alex Rousskov of The Measurement Factory discovered that Squid3, a fully
featured web proxy cache, does not correctly handle CONNECT method peer
responses when configured with cache_peer and operating on explicit
proxy traffic. This could allow remote clients to gain unrestricted
access through a gateway proxy to its backend proxy.
William Robinet and Stefan Cornelius discovered an integer overflow in
Ghostscript, the GPL PostScript/PDF interpreter, which may result in
denial of service or potentially execution of arbitrary code if a
specially crafted file is opened.
The Genode project announced the version 15.08 of their OS framework. The most prominent topics of the current release are the use of Genode as day-to-day operating system by their developers and the added ability to run Genode-based systems on top of the Muen separation kernel.
Where monolithic kernel architectures represent one extreme with respect to kernel complexity, separation kernels mark the opposite end. The code complexity of monolithic OS kernels such as Linux is usually counted in terms of millions of lines of code. In stark contrast, modern microkernels such as NOVA and seL4 are comprised of only ten thousand lines of code. Separation kernels go even a step further by reducing the code complexity to only a few thousand lines of code. How is that possible? The answer lies in the scope of functionality addressed by the different types of kernels. The high complexity of monolithic kernels stems from the fact that all major OS functionalities are considered as being in the scope of the kernel. In particular, device drivers and protocol stacks account for most of the code in such kernels. Microkernels disregard such functionalities from the scope of the kernel by moving them to user-level components. The kernel solely retains the functionality that is fundamentally needed to enable those components to work and collaborate. In order to accommodate a wide range of workloads, microkernels typically provide interfaces to user land that enable the dynamic management of low-level resources such as memory, devices, and processing time. Genode's designated role is to supplement microkernels with a scalable and secure user-level OS architecture. In contrast to microkernels, separation kernels disregard dynamic resource management from their scope. All physical resources are statically assigned to a fixed set of partitions at system-integration time and remain unchanged over the lifetime of the system. The flexibility of microkernels is traded for the benefit of further complexity reduction. Their low complexity of just a few thousand lines of code make separation kernels appealing for high-assurance computing. On the other hand, their static nature imposes limitations on their application areas.
Muen as a representative of separation kernels is special in two ways. First, whereas most separation kernels are proprietary software solutions, Muen is an open-source project. Second, the kernel is implemented in the safe SPARK programming language, which is able to formally verify the absence of implementation bugs such as buffer overflows, integer-range violations, and exceptions. Thanks to the close collaboration between the Muen developers and the Genode community, the assurance of the Muen separation kernel can now be combined with the rich component infrastructure provided by Genode. From Genode's perspective, Muen is another architecture for their custom base-hw kernel. In fact, with Genode on Muen, a microkernel-based system is running within the static boundaries of one Muen partition. This way, the component isolation enforced by the base-hw kernel and the static isolation boundaries enforced by Muen form two lines of defense for protecting security-critical system functions from untrusted code sandboxed within a Genode subsystem.
The second major theme of the current release is the use of Genode as the day-to-day operating system by its developers. Since the beginning of June, one of the core developers is exclusively working with a Genode/NOVA-based system. The key element is VirtualBox with its powerful guest-host integration features. It allows for an evolutionary transition from Linux-centric work flows to the use of native Genode applications. Network connectivity is provided by the Intel wireless stack ported from the Linux kernel. File-system access is based on NetBSD's rump kernels. For using command-line based GNU software directly on Genode, the Noux runtime environment comes in handy. The daily use of Genode as general-purpose OS motivated many recent developments, ranging from the management of kernel memory in NOVA, over new system monitoring facilities, SMP guest support in VirtualBox, to user-facing improvements of the GUI stack. These and many more topics are covered by the comprehensive release documentation.
This new release - one of the final 1.x released before 2.0 and the tablet hit, I suppose - integrates a whole bunch of options and settings related to the Android application support into the Sailfish settings applications, such as stopping/restarting Alien Dalvik, blocking Android applications from accessing your Sailfish contacts, allowing Android applications to keep running properly in the background, and so on.
There's more, so be sure to update.
I have been using Windows 10 off and on since October of 2014, and as the operating system on my main computer since January 22nd of this year. I honestly could not see me moving back to an older version ever. The improvements to Windows 10 are both dramatic and subtle, and the improvements keep occurring even this shortly after launch. Better for the desktop, better for the tablet, and a platform than runs on practically any computer system. Windows 10 is here, and Microsoft has made a bold statement with it. It is the return of the old, plus the addition of the new, all in a package that works very well on a huge variety of devices.
Just be sure to ignore all the crappy Metro applications, and you'll be fine with Windows 10.
Jerry Bezencon has announced the release of Linux Lite 2.6, an updated build of the project's novice-friendly Ubuntu-based distribution featuring the Xfce desktop - now with a brand-new control centre: "Linux Lite 2.6 final is now available for download. This release cycle has seen a number of improvements....
The developers of LXLE, a lightweight desktop distribution built using packages from the Ubuntu repositories, have announced the availability of LXLE 14.04.3. This update to the 14.04 series includes a number of package updates while some default applications have been changed. "Delays, delays. First with SeaMonkey then Lanshop.....
This week in DistroWatch Weekly: Review: Playing with OpenELEC 5.0.8News: Fedora unveils new Wayland features, Tails releases emergency security update, Solus launches fundraiser and KDE releases Plasma 5.4Questions and answers: The LILO boot loaderTorrent corner: Scientific Linux, TailsReleased last week: Quirky 7.1 "Appril", Scientifix Linux 6.7Upcoming releases: Linux....