2020年10月29日 星期四

[USN-4565-1] OpenConnect vulnerability

 ---------- Forwarded message ---------

From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>

Date: Oct 6, 2020 9:51PM

It was discovered that OpenConnect has a buffer overflow when a malicious

server uses HTTP chunked encoding with crafted chunk sizes. An attacker

could use it to provoke a denial of service (crash).

References:

  https://usn.ubuntu.com/4565-1

  CVE-2019-16239

2020年10月28日 星期三

Cloudflare: How Does Secondary DNS Work?

 

Figure 1: Secondary DNS Microservice Architecture

REF: https://blog.cloudflare.com/secondary-dns-deep-dive/

[Checkmk Announce] New Checkmk innovation release 2.0.0i1

 ---------- Forwarded message ---------

From: Checkmk Announcements <checkmk-announce@lists.mathias-kettner.de>

Date: Tue, Oct 27, 2020 at 4:05 PM

We are excited to bring you the first innovation release of Checkmk 2.0.

For numerous months our team has been pushing hard to deliver the next full

version of Checkmk. In doing so, we have reworked Checkmk's foundations.

With so many significant changes coming finally together, we have decided to

make the version step change to 2.0.

This innovation release is a preview of most features planned for Checkmk 2.0

(https://blog.checkmk.com/announcing-checkmk-2.0-and-its-innovation-release)

and gives you the possibility to try these new and interesting features.

With Version 2.0 we will also be introducing a new user interface and user

experience.  The Innovation Release already contains many aspects of this to

gather early feedback.

We will have two dedicated channels to gather your feedback on the new user

experience.

- The dedicated feedback email (see below)

- A community call, a survey and the feedback section in the Checkmk Forum.

Please look out for the upcoming announcement in the Forum.

To get a good grasp of what fundamentals in the user interface have changed,

read this forum post containing more details:

https://forum.checkmk.com/t/the-completely-new-checkmk-2-0-user-experience/21104

We would like to ask all users to try out the new version and help us ensure

that Checkmk 2.0 becomes a success.

Please send general feedback, feedback on the new user experience, and bug

reports to this dedicated mail address:

feedback-2.0 at checkmk.com

All mails to this address will be used to improve the 2.0 and are completely

free of charge.

This is not a stable release. Please do not use this in productive environments

as it is a compromise between stability and new features. It is also only

available in the Checkmk Enterprise Editions.

You can download Checkmk from our download page:

 * https://checkmk.com/download.php

Plex Added Accessibility

 

Added Accessibility
One more thing to mention this month about Free Live TV–we’ve added closed captions as a feature across all platforms. Check your channel and program (Apple, Android, Chromecast, Roku) for availability.

2020年10月25日 星期日

[USN-4559-1] Samba update

---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 30, 2020 10:29PM

Tom Tervoort discovered that the Netlogon protocol implemented by Samba

incorrectly handled the authentication scheme. A remote attacker could use

this issue to forge an authentication token and steal the credentials of

the domain admin.

While a previous security update fixed the issue by changing the "server

schannel" setting to default to "yes", instead of "auto", which forced a

secure netlogon channel, this update provides additional improvements.

For compatibility reasons with older devices, Samba now allows specifying

an insecure netlogon configuration per machine. See the following link for

examples: https://www.samba.org/samba/security/CVE-2020-1472.html

In addition, this update adds additional server checks for the protocol

attack in the client-specified challenge to provide some protection when

'server schannel = no/auto' and avoid the false-positive results when

running the proof-of-concept exploit.

References:

  https://usn.ubuntu.com/4559-1

  CVE-2020-1472

Cloudflare: Migrating cdnjs to serverless with Workers KV

 

REF: https://blog.cloudflare.com/migrating-cdnjs-to-serverless-with-workers-kv/

[USN-4546-1] Firefox vulnerabilities

 ---------- Forwarded message ---------

From: Chris Coulson <chris.coulson@canonical.com>

Date: Sep 28, 2020 5:47PM

Multiple security issues were discovered in Firefox. If a user were

tricked in to opening a specially crafted website, an attacker could

potentially exploit these to cause a denial of service, conduct cross-site

scripting (XSS) attacks, spoof the site displayed in the download dialog,

or execute arbitrary code.

References:

  https://usn.ubuntu.com/4546-1

  CVE-2020-15673, CVE-2020-15674, CVE-2020-15675, CVE-2020-15676,

  CVE-2020-15677, CVE-2020-15678

Roku: Are you ready for Huluween?

 

Are you ready for Huluween?
 

Are you ready for Huluween?

 

Hulu is getting spooky with shows like Helstrom and Monsterland. See our guide to the best of what’s coming for Huluween.

LibreSSL 3.2.1 Released

 ---------- Forwarded message ---------

From: Brent Cook <busterb@gmail.com>

Date: Tue, Aug 25, 2020 at 11:20 AM

This is the second development release from the 3.2.x series, which will

eventually be part of OpenBSD 6.8. 

The LibreSSL project continues improvement of the codebase to reflect modern,

safe programming practices. We welcome feedback and improvements from the

broader community. Thanks to all of the contributors who helped make this

release possible.


Puppet: Open Source Stewards team

 

Lucy Wyman
Meet our Open Source Stewards
Many of you know Lucy Wyman, software engineer for Bolt, for her many contributions including answering questions in our Bolt Slack channel and running PDX CoffeeOps. She also leads our Open Source Stewards team alongside Molly Waggett and Ben Ford. We asked Lucy to share what our Open Source Stewards are up to.

[USN-4526-1] Linux kernel vulnerabilities

 ---------- Forwarded message ---------

From: Steve Beattie <steve.beattie@canonical.com>

Date: Sep 22, 2020 12:24PM

It was discovered that the AMD Cryptographic Coprocessor device driver in

the Linux kernel did not properly deallocate memory in some situations. A

local attacker could use this to cause a denial of service (memory

exhaustion). (CVE-2019-18808)

It was discovered that the Conexant 23885 TV card device driver for the

Linux kernel did not properly deallocate memory in some error conditions. A

local attacker could use this to cause a denial of service (memory

exhaustion). (CVE-2019-19054)

It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel

did not properly deallocate memory in certain error conditions. A local

attacker could use this to cause a denial of service (memory exhaustion).

(CVE-2019-19061)

It was discovered that the AMD Audio Coprocessor driver for the Linux

kernel did not properly deallocate memory in certain error conditions. A

local attacker with the ability to load modules could use this to cause a

denial of service (memory exhaustion). (CVE-2019-19067)

It was discovered that the Atheros HTC based wireless driver in the Linux

kernel did not properly deallocate in certain error conditions. A local

attacker could use this to cause a denial of service (memory exhaustion).

(CVE-2019-19073, CVE-2019-19074)

It was discovered that the F2FS file system in the Linux kernel did not

properly perform bounds checking in some situations, leading to an out-of-

bounds read. A local attacker could possibly use this to expose sensitive

information (kernel memory). (CVE-2019-9445)

It was discovered that the VFIO PCI driver in the Linux kernel did not

properly handle attempts to access disabled memory spaces. A local attacker

could use this to cause a denial of service (system crash).

(CVE-2020-12888)

It was discovered that the cgroup v2 subsystem in the Linux kernel did not

properly perform reference counting in some situations, leading to a NULL

pointer dereference. A local attacker could use this to cause a denial of

service or possibly gain administrative privileges. (CVE-2020-14356)

It was discovered that the state of network RNG in the Linux kernel was

potentially observable. A remote attacker could use this to expose

sensitive information. (CVE-2020-16166)

References:

  https://usn.ubuntu.com/4526-1

  CVE-2019-18808, CVE-2019-19054, CVE-2019-19061, CVE-2019-19067,

  CVE-2019-19073, CVE-2019-19074, CVE-2019-9445, CVE-2020-12888,

  CVE-2020-14356, CVE-2020-16166

2020年10月18日 星期日

Add Watermarks to your Cloudflare Stream Video Uploads

 

REF: REF: https://blog.cloudflare.com/add-watermarks-to-your-cloudflare-stream-video-uploads/

[USN-4511-1] QEMU vulnerability

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 17, 2020 8:16PM

Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU

incorrectly handled certain USB packets. An attacker inside the guest could

use this issue to cause QEMU to crash, resulting in a denial of service, or

possibly execute arbitrary code on the host. In the default installation,

when QEMU is used with libvirt, attackers would be isolated by the libvirt

AppArmor profile.

References:

  https://usn.ubuntu.com/4511-1

  CVE-2020-14364

4K with Roku® Streaming Stick®+

 

Roku Streaming Stick+ $37.99. Free Shipping

Smile big. These deals are for you.

No need to dig for deals, set alerts, or rush to shop. It’s prime time to save on these Roku players all week long—no membership required. Start with 4K streaming and long-range wireless with Roku® Streaming Stick®+.

2020年10月15日 星期四

Announcing CrossOver 20.0 for Mac, Linux, and now Chrome OS!

We have also worked hard to improve gaming compatibility for macOS users, including support for Steam and for many DirectX 11 games.  We hope that our customers with beloved 32 bit games will be able to run them on their Macs once again.  Our goal is to make sure that Mac users are not excluded from the best of PC gaming.

Mac customers with active support entitlements will be upgraded to CrossOver 20 the next time they launch CrossOver.  Linux users can download the latest version from https://codeweavers.com/account/downloads, and Chrome OS users can sign up for a free trial by visiting:

 https://codeweavers.com/crossover/download

2020年10月14日 星期三

Starting Your Own Podcast on WordPress.com

 

Your step-by-step guide to podcasting

Starting Your Own Podcast on WordPress.com

[USN-4510-1] Samba vulnerability

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 17, 2020 8:16PM

Tom Tervoort discovered that the Netlogon protocol implemented by Samba

incorrectly handled the authentication scheme. A remote attacker could use

this issue to forge an authentication token and steal the credentials of

the domain admin.

This update fixes the issue by changing the "server schannel" setting to

default to "yes", instead of "auto", which will force a secure netlogon

channel. This may result in compatibility issues with older devices. A

future update may allow a finer-grained control over this setting.

References:

  https://usn.ubuntu.com/4510-1

  CVE-2020-1472

Exploring WebAssembly AI Services on Cloudflare Workers

 

Optimized AI services can process data closest to the source and perform inferences at the distributed edge.

REF: https://blog.cloudflare.com/exploring-webassembly-ai-services-on-cloudflare-workers/

[Checkmk Announce] New Checkmk stable release 1.6.0p18

 ---------- Forwarded message ---------

From: Checkmk Announcements <checkmk-announce@lists.mathias-kettner.de>

Date: Tue, Oct 13, 2020 at 11:37 PM

This maintenance release ships with 26 changes affecing all editions of Checkmk,

4 Enterprise Edition specific changes and 0 Managed Services Edition specific changes.

Checks & agents:

* 11360 juniper_temp: Discover on additional devices

* 11462 SEC: Windows agent sets access rights also after clean installation

* 11461 SEC: Windows agent: Improved protection of configuration files

* 11393 FIX: Fix perfometer ups-capacity

* 11115 FIX: agent_bi: Filter by groups

* 11412 FIX: diskspace cleanup: fixed race condition which could cause loss of monitored services

* 11326 FIX: drdb: fixed invalid check parameters at discovery stage

* 11474 FIX: fileinfo: Fixed checking during specific times of the day

* 11483 FIX: heartbeat_crm: Fix ExceptionTypeError if cluster is not availabe

* 11392 FIX: heartbeat_crm: strict activation in agent

* 11368 FIX: netapp_api_luns: Report correct total size

* 11270 FIX: oracle_instance: Fix missing uptime column if status data inventory is enabled

* 11266 FIX: ups_out_load, ups_power: Fix discovery of output lines with zero load resp. power

* 11277 FIX: Fix wrong allocation of colorant for printer supplies

Core & setup:

* 11491 FIX: Nagios: Fix broken config reason displaying

Livestatus proxy:

* 11415 FIX: liveproxyd logging: fixed incorrect logrotate behaviour

Notifications:

* 11053 FIX: Don't escape the plugin output of email notifications if configured

Other components:

* 10128 FIX: Fixed potential monitoring core crash when rrdcached is down

* 11494 FIX: NagVis: Updated to 1.9.23

User interface:

* 11479 FIX: Fix host 'Save & Test' action showing 'API error' for all tests for good

* 11473 FIX: Fix rendering of ruleset page if user error is raised

* 11471 FIX: Fixed default LDAP synchronization setting of central sites

* 11481 FIX: LDAP: Fix AttributeError if attribute "Disable Notifications" is used

* 11478 FIX: Fixed encoding of timestamp painters

NOTE: Please refer to the migration notes!

WATO:

* 11477 FIX: Fixed host label search

* 11416 FIX: Folder changes from normal monitoring users were not always applied on the first save

You can download Checkmk from our download page:

 * https://checkmk.com/download.php

Roku: Peacock has landed

 

The top 14 things to watch on Peacock right now
 

Peacock has landed—here’s what to watch

 

Check out our list of must-see titles on Peacock, including the hit western Yellowstone, the entire Harry Potter series, and the original mystery-thriller series Departure.

2020年10月9日 星期五

MagicSoft Playout ver 7.7.3

MagicSoft Playout ver 7.7.3 was released and it adds improved watch-dog and logging functionality :

- re-scanning algorithm

- trimming IN and OUT points for clips with variable framerateadding improved watch-dog 

REF: https://www.magicsoft.tv/news.html

2020年10月8日 星期四

Plex: More to Love from Free Live TV

 

More to Love from Free Live TV
More to Love from Free Live TV
Acclaimed anime, cult classics, arthouse fares, international documentaries and canales en español (US only) have all landed on our Free Live TV lineup this month. Tune in to check out these newly added channels:

2020年10月7日 星期三

[USN-4504-1] OpenSSL vulnerabilities

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 16, 2020 11:09PM

Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky

discovered that certain Diffie-Hellman ciphersuites in the TLS

specification and implemented by OpenSSL contained a flaw. A remote

attacker could possibly use this issue to eavesdrop on encrypted

communications. This was fixed in this update by removing the insecure

ciphersuites from OpenSSL. (CVE-2020-1968)

Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,

Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL

incorrectly handled ECDSA signatures. An attacker could possibly use this

issue to perform a timing side-channel attack and recover private ECDSA

keys. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1547)

Guido Vranken discovered that OpenSSL incorrectly performed the x86_64

Montgomery squaring procedure. While unlikely, a remote attacker could

possibly use this issue to recover private keys. This issue only affected

Ubuntu 18.04 LTS. (CVE-2019-1551)

Bernd Edlinger discovered that OpenSSL incorrectly handled certain

decryption functions. In certain scenarios, a remote attacker could

possibly use this issue to perform a padding oracle attack and decrypt

traffic. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1563)

References:

  https://usn.ubuntu.com/4504-1

  CVE-2019-1547, CVE-2019-1551, CVE-2019-1563, CVE-2020-1968

2020年10月5日 星期一

Meet the newest Roku players

 

Roku Ultra $99.99

Our fastest and most powerful player. Ever.

Upgrade to powerful, smooth streaming with our best wireless, extraordinary picture and sound, and all our top features.

[LSN-0071-1] linux kernel vulnerability

 ---------- Forwarded message ---------

From: benjamin.romer@canonical.com

Date: Sep 11, 2020 5:23PM

Or Cohen discovered that the AF_PACKET implementation in the Linux

kernel did not properly perform bounds checking in some situations. A

local attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code. (CVE-2020-14386)

References

-   CVE-2020-14386

2020年10月4日 星期日

Wrapping up Cloudflare’s 10th birthday

 

2020年10月3日 星期六

Updated Debian 10: 10.6 released

 ---------- Forwarded message ---------

From: Laura Arjona Reina <larjona@debian.org>

Date: Sep 26, 2020 8:29PM

The Debian project is pleased to announce the sixth update of its stable

distribution Debian 10 (codename "buster"). This point release mainly

adds corrections for security issues, along with a few adjustments for

serious problems. Security advisories have already been published

separately and are referenced where available.

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

------------

The Debian Project is an association of Free Software developers who

volunteer their time and effort in order to produce the completely free

operating system Debian.


2020年10月2日 星期五

Roku: Meet the newest Roku Streambar

 

Introducing Roku® Streambar™ Powerful 4K streaming. Premium audio. All in one.

Sounds big. Streams big.

Be the first to upgrade your streaming and sound, all with one compact device. Stream what you love in cinematic sound and brilliant picture quality.

[openssh-unix-announce] Announce: OpenSSH 8.4 released

 ---------- Forwarded message ---------

From: Damien Miller <djm@openbsd.org>

Date: Sep 27, 2020 6:59PM

Future deprecation notice

=========================

It is now possible[1] to perform chosen-prefix attacks against the

SHA-1 algorithm for less than USD$50K. For this reason, we will be

disabling the "ssh-rsa" public key signature algorithm by default in a

near-future release.

This algorithm is unfortunately still used widely despite the

existence of better alternatives, being the only remaining public key

signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These

   algorithms have the advantage of using the same key type as

   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been

   supported since OpenSSH 7.2 and are already used by default if the

   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in

   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These

   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key

algorithm, for host authentication, try to connect to it after

removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key

types are available, the server software on that host should be

upgraded.

We intend to enable UpdateHostKeys by default in the next OpenSSH

release. This will assist the client by automatically migrating to

better algorithms. Users may consider enabling this option manually.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and

    Application to the PGP Web of Trust" Leurent, G and Peyrin, T

    (2020) https://eprint.iacr.org/2020/014.pdf