EFF: Lenovo is breaking HTTPS security on its recent laptops

By corbet

Here is a statement from the Electronic Frontier Foundation on the revelation that Lenovo has been shipping insecure man-in-the-middle malware on its laptops. “Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users. The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken.” For additional amusement, see Lenovo’s statement on the issue.

There are a lot of Lenovo users in LWN’s audience. Presumably most of them have long since done away with the original software, but those who might have kept it around would be well advised to look into the issue; a test site linked from the original article can evidently indicate whether a machine is vulnerable or not.
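The EFF's point is that one interception certificate is used for every MITM, so on an affected machine every unrelated HTTPS site presents a leaf certificate issued by the same locally trusted root, and the browser accepts it. The script below is an added example written for this page; it is not code from the EFF, from Lenovo or from LWN. It compares the leaf issuers a suspect machine sees with those a known-clean machine sees for the same hosts, and separately looks for one issuer shared across unrelated sites. The certificate dicts follow the layout `ssl.SSLSocket.getpeercert()` returns; the sample certificates and the issuer name "Local Interception Root" are constructed for the example, not captured from a real machine.

```python
"""Spotting TLS interception by a locally trusted root.

Added example, not code from the EFF statement, from Lenovo or from
LWN.  Certificates use the shape ssl.SSLSocket.getpeercert() returns
(dicts whose 'subject' and 'issuer' are tuples of RDNs).  The sample
certificates and the issuer "Local Interception Root" are constructed.
"""
import socket
import ssl
from collections import Counter


def name_to_str(rdns):
    """Flatten a getpeercert()-style name into 'type=value,type=value'."""
    return ",".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def leaf_issuer(cert):
    """Issuer of the certificate the server presented for its own hostname."""
    return name_to_str(cert["issuer"])


def fetch_leaf(host, port=443, timeout=5):
    """Fetch a host's leaf certificate with default verification on.

    Needs network access; the sample data below does not use it.  Because
    verification is enabled, a handshake that succeeds with an unexpected
    issuer proves that issuer's root is in the local trust store, which is
    exactly the condition being hunted for.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_mismatches(observed, reference):
    """Compare leaf issuers seen on the suspect machine with those seen for
    the same hosts from a machine known to be clean.

    Returns {host: (issuer_seen, issuer_expected)} for every difference.
    """
    out = {}
    for host, cert in observed.items():
        seen, expected = leaf_issuer(cert), leaf_issuer(reference[host])
        if seen != expected:
            out[host] = (seen, expected)
    return out


def dominant_issuer(observed):
    """The issuer shared by the most hosts, as (issuer, count).

    Unrelated sites all chaining to one issuer is the signature of a single
    interception certificate being used for every MITM.
    """
    counts = Counter(leaf_issuer(c) for c in observed.values())
    return counts.most_common(1)[0]


def _cert(cn, issuer_org):
    # Constructed certificate stub in getpeercert() layout.
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("organizationName", issuer_org),),),
    }


# Constructed reference: what a clean machine sees for three unrelated sites.
CLEAN = {
    "bank.example": _cert("bank.example", "Public CA One"),
    "mail.example": _cert("mail.example", "Public CA Two"),
    "shop.example": _cert("shop.example", "Public CA Three"),
}

# Constructed observation from a machine with an interception root installed.
INTERCEPTED = {host: _cert(host, "Local Interception Root") for host in CLEAN}


if __name__ == "__main__":
    print(issuer_mismatches(INTERCEPTED, CLEAN))
    print(dominant_issuer(INTERCEPTED))
```

A single host changing issuer is normal (CA rotation, CDN fronting); the finding worth acting on is every host sharing one issuer that the clean reference machine never sees, with the handshake still verifying.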

From: LWN


Security updates for Thursday

By jake

Debian has updated bind9 (denial of service).

Debian-LTS has updated linux-2.6 (multiple vulnerabilities, one from 2013).

Fedora has updated drupal7-path_breadcrumbs (F21; F20: access restriction bypass).

openSUSE has updated perl-YAML-LibYAML (13.2, 13.1: multiple vulnerabilities, one each from 2013 and 2012) and php5 (13.2, 13.1: multiple vulnerabilities).

SUSE has updated xntp (SLE10SP4: multiple vulnerabilities).

Ubuntu has updated bind9 (14.10, 14.04, 12.04: denial of service).


Security advisories for Wednesday

By ris

Fedora has updated file (F21: multiple vulnerabilities).

Gentoo has updated chromium (multiple vulnerabilities).

Mageia has updated dbus (denial of service), glibc (two vulnerabilities), kernel (multiple vulnerabilities), patch (multiple vulnerabilities), postgresql (multiple vulnerabilities), and x11-server (information leak/denial of service).

openSUSE has updated mdadm (13.2: command injection).

Ubuntu has updated php5 (14.10, 14.04, 12.04: multiple vulnerabilities) and unzip (14.10, 14.04, 12.04: code execution).


FreeBSD random number generator broken for last 4 months

By jake

As several LWN readers have pointed out, John-Mark Gurney posted a message to the freebsd-current mailing list on February 17 noting that the random number generator (RNG) in the FreeBSD “current” kernel has been broken for the last four months. “If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. read_random(9) is used by arc4random(9) which is the primary method that arc4random(3) is seeded from.

This means most/all keys generated may be predictable and must be regenerated. This includes, but is not limited to, ssh keys and keys generated by openssl. This is purely a kernel issue, and a simple kernel upgrade w/ the patch is sufficient to fix the issue.”
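The post describes a seeding chain: read_random(9) seeds the kernel arc4random(9), whose stream seeds the user-space arc4random(3) that ssh-keygen and openssl draw from. The model below is an added example written for this page, not FreeBSD code and not part of the mailing-list post. RC4 stands in for the stream cipher behind arc4random (an assumption; the page does not say which cipher the kernel used at r273872), and the broken read_random is modelled as returning all zeros (also an assumption; the post says only that the data was not good). It shows why "regenerate keys" follows from the bug: with a fixed seed at the top of the chain, every boot, and every machine, cuts the same key. A small fleet check for duplicate key fingerprints, the practical symptom an operator would look for, is included.

```python
"""Model of the read_random(9) -> arc4random(9) -> arc4random(3) chain
and of its failure when the reader is never initialised.

Added example, not FreeBSD code.  RC4 stands in for the arc4random
stream cipher (assumption); the broken read_random returns zeros
(assumption); the host fingerprints in the test are constructed.
"""
import os

SEED_LEN = 32


class Rc4Stream:
    """Minimal RC4 keystream generator (key schedule + PRGA), stateful."""

    def __init__(self, key):
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def bytes(self, n):
        out = bytearray()
        S = self.S
        for _ in range(n):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)


def read_random_broken(n):
    """Models r273872..r278906: randomdev_init_reader never ran, so the
    buffer handed back carries no fresh entropy.  Modelled as zeros."""
    return bytes(n)


def read_random_fixed(n):
    """Models the patched kernel: real entropy."""
    return os.urandom(n)


def boot_and_generate_key(read_random, nbytes=32):
    """One boot: seed kernel arc4random(9) from read_random(9), seed a
    user-space arc4random(3) from the kernel stream, then cut a key."""
    kernel_arc4 = Rc4Stream(read_random(SEED_LEN))
    userland_arc4 = Rc4Stream(kernel_arc4.bytes(SEED_LEN))
    return userland_arc4.bytes(nbytes)


def keys_repeat_across_boots(read_random, boots=3):
    """True when independent boots yield identical key material."""
    return len({boot_and_generate_key(read_random) for _ in range(boots)}) == 1


def hosts_sharing_keys(fingerprints):
    """Fleet check: {host: key fingerprint} -> groups of hosts presenting
    the same key.  Any group of two or more means the keys came from a
    predictable stream and must be regenerated."""
    by_key = {}
    for host, fp in fingerprints.items():
        by_key.setdefault(fp, []).append(host)
    return [sorted(hosts) for hosts in by_key.values() if len(hosts) > 1]


if __name__ == "__main__":
    print("broken kernel, keys repeat:", keys_repeat_across_boots(read_random_broken))
    print("fixed kernel, keys repeat: ", keys_repeat_across_boots(read_random_fixed))
```

Note that nothing in user space can see the difference: arc4random(3) is seeded and produces a perfectly plausible-looking stream either way, which is why the fix has to be the kernel upgrade and the keys have to be regenerated rather than audited.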


Where do we stand 30 years after the founding of the Free Software Foundation? (Opensource.com)

By ris

Opensource.com has an interview with John Sullivan, Executive Director of FSF. “I stay involved because I think it’s one of the most important social movements in existence, and it needs help—a lot of help. As more and more of the world’s social, cultural, economic, and political interactions are mediated by technology, control over the technology becomes incredibly important for the exercise of any basic individual freedoms. I love the people I meet in this work, and the enormity of the challenge.”


Security updates for Tuesday

By ris

Fedora has updated libvirt (F20: two vulnerabilities) and qemu (F20: privilege escalation).

openSUSE has updated dbus-1 (13.2, 13.1: denial of service).

Slackware has updated patch (symlink attack), seamonkey (multiple vulnerabilities), and sudo (information disclosure).

SUSE has updated bind (SLES11 SP2: denial of service), clamav (SLES11 SP1,2,3, SLES10 SP4: multiple vulnerabilities), java-1_6_0-ibm (SLEM LS12: two unspecified vulnerabilities), java-1_7_1-ibm (SLE12: two unspecified vulnerabilities), and ntp (SLES11 SP1: multiple vulnerabilities).

Ubuntu has updated xorg-server, xorg-server-lts-trusty, xorg-server-lts-utopic (14.10, 14.04, 12.04: two vulnerabilities).
