Thursday, October 31, 2019

[openssh-unix-announce] Announce: OpenSSH 8.1 released

---------- Forwarded message ---------
From: Damien Miller
Date: Oct 9, 2019 11:44AM

Security
========

 * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer
   overflow bug was found in the private key parsing code for the XMSS
   key type. This key type is still experimental and support for it is
   not compiled by default. No user-facing autoconf option exists in
   portable OpenSSH to enable it. This bug was found by Adam Zabrocki
   and reported via SecuriTeam's SSD program.

 * ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
   rest in RAM against speculation and memory side-channel attacks like
   Spectre, Meltdown and Rambleed. This release encrypts private keys
   when they are not in use with a symmetric key that is derived from a
   relatively large "prekey" consisting of random data (currently 16KB).
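To illustrate the at-rest key shielding described above, here is an added Python sketch; it is not OpenSSH's code. A symmetric key is derived by hashing a 16KB random prekey and used to encrypt the private key while idle, so the prekey must be recovered exactly, every byte, to unshield the key. The SHA-512-based keystream stands in for the counter-mode block cipher a real implementation would use, and the private key bytes are constructed sample data.

```python
import hashlib
import secrets

PREKEY_LEN = 16 * 1024  # 16KB random prekey, as in the OpenSSH 8.1 announcement


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in stream cipher: SHA-512(key || counter) blocks, XORed with the data.
    # A production implementation would use AES in counter mode instead.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha512(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _derive(prekey: bytes) -> bytes:
    # The whole prekey feeds the hash: one wrong bit gives an unrelated key.
    return hashlib.sha512(prekey).digest()[:32]


def shield(private_key: bytes, prekey_len: int = PREKEY_LEN):
    """Encrypt a private key for storage in RAM. Returns (prekey, ciphertext).

    The caller keeps only the prekey and ciphertext and discards the plaintext.
    """
    prekey = secrets.token_bytes(prekey_len)
    ks = _keystream(_derive(prekey), len(private_key))
    ciphertext = bytes(a ^ b for a, b in zip(private_key, ks))
    return prekey, ciphertext


def unshield(prekey: bytes, ciphertext: bytes) -> bytes:
    """Recover the plaintext key just before use; re-shield afterwards."""
    ks = _keystream(_derive(prekey), len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def demo_roundtrip() -> bool:
    key = b"constructed-sample-private-key-bytes"  # constructed, not a real key
    prekey, ct = shield(key)
    return ct != key and unshield(prekey, ct) == key


def demo_single_bit_error() -> bool:
    """A prekey reconstructed with one bit wrong does not unshield the key.

    This is why a large prekey helps: a side channel that reads memory with
    even a small per-bit error rate is unlikely to get all 131072 bits right.
    """
    key = b"constructed-sample-private-key-bytes"
    prekey, ct = shield(key)
    damaged = bytearray(prekey)
    damaged[1234] ^= 0x01
    return unshield(bytes(damaged), ct) != key
```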

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh-keygen(1): when acting as a CA and signing certificates with
   an RSA key, default to using the rsa-sha2-512 signature algorithm.
   Certificates signed by RSA keys will therefore be incompatible
   with OpenSSH versions prior to 7.2 unless the default is
   overridden (using "ssh-keygen -t ssh-rsa -s ...").

Changes since OpenSSH 8.0
=========================

This release is focused on bug-fixing.

Linux on the mainframe: Then and now

LinuxONE Emperor III mainframe | Used with permission, Copyright IBM

Blackmagic: ATEM Mini for low cost multi camera live production

The new ATEM Mini makes it easy to create professional multi camera productions for live streaming to YouTube or innovative business presentations using Skype. 
REF: https://www.blackmagicdesign.com/products/atemmini

[USN-4162-1] Linux kernel vulnerabilities

---------- Forwarded message ---------
From: Seth Arnold
Date: Oct 22, 2019 11:14AM

It was discovered that the RSI 91x Wi-Fi driver in the Linux kernel did not
handle detach operations correctly, leading to a use-after-free
vulnerability. A physically proximate attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-21008)

Wen Huang discovered that the Marvell Wi-Fi device driver in the Linux
kernel did not properly perform bounds checking, leading to a heap
overflow. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2019-14814,
CVE-2019-14815, CVE-2019-14816)

Matt Delco discovered that the KVM hypervisor implementation in the Linux
kernel did not properly perform bounds checking when handling coalesced
MMIO write operations. A local attacker with write access to /dev/kvm could
use this to cause a denial of service (system crash). (CVE-2019-14821)

Hui Peng and Mathias Payer discovered that the USB audio driver for the
Linux kernel did not properly validate device meta data. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2019-15117)

Hui Peng and Mathias Payer discovered that the USB audio driver for the
Linux kernel improperly performed recursion while handling device meta
data. A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2019-15118)

It was discovered that the Technisat DVB-S/S2 USB device driver in the
Linux kernel contained a buffer overread. A physically proximate attacker
could use this to cause a denial of service (system crash) or possibly
expose sensitive information. (CVE-2019-15505)

Brad Spengler discovered that a Spectre mitigation was improperly
implemented in the ptrace subsystem of the Linux kernel. A local attacker
could possibly use this to expose sensitive information. (CVE-2019-15902)

It was discovered that the SMB networking file system implementation in the
Linux kernel contained a buffer overread. An attacker could use this to
expose sensitive information (kernel memory). (CVE-2019-15918)

References:
  https://usn.ubuntu.com/4162-1
  CVE-2018-21008, CVE-2019-14814, CVE-2019-14815, CVE-2019-14816,
  CVE-2019-14821, CVE-2019-15117, CVE-2019-15118, CVE-2019-15505,
  CVE-2019-15902, CVE-2019-15918

LM: FOG imaging server to image and rollout several installations

Figure 1: The FOG server’s web-based Dashboard eases management, even for complex network deployments.
REF: http://www.linux-magazine.com/Online/Features/FOG-Clone-and-Deploy-Desktop-Computers

TrendLabs: Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads

Figure 1. List of service names that WMI_Killer terminates and deletes
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/

ADMIN: Clonezilla 2.6.3-7 (Live)

REF: http://www.admin-magazine.com/Archive/2019/53/Clonezilla-2.6.3-7-Live

RHSA-2019:3055 - Security Advisory

Synopsis

Important: kernel security and bug fix update

Description

The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
  • kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c (CVE-2018-20856)
  • kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c (CVE-2019-3846)
  • hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506)
  • kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c (CVE-2019-10126)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fixes:
  • gfs2: Fix iomap write page reclaim deadlock (BZ#1737373)
  • [FJ7.6 Bug]: [REG] kernel: ipc: ipc_free should use kvfree (BZ#1740178)
  • high update_cfs_rq_blocked_load contention (BZ#1740180)
  • [Hyper-V][RHEL 7] kdump fails to start on a Hyper-V guest of Windows Server 2019. (BZ#1740188)
  • kvm: backport cpuidle-haltpoll driver (BZ#1740192)
  • Growing unreclaimable slab memory (BZ#1741920)
  • [bnx2x] ping failed from pf to vf which has been attached to vm (BZ#1741926)
  • [Hyper-V]vPCI devices cannot allocate IRQs vectors in a Hyper-V VM with > 240 vCPUs (i.e., when in x2APIC mode) (BZ#1743324)
  • Macsec: inbound MACSEC frame is unexpectedly dropped with InPktsNotValid (BZ#1744442)
  • RHEL 7.7 Beta - Hit error when trying to run nvme connect with IPv6 address (BZ#1744443)
  • RHEL 7.6 SS4 - Paths lost when running straight I/O on NVMe/RoCE system (BZ#1744444)
  • NFSv4.0 client sending a double CLOSE (leading to EIO application failure) (BZ#1744946)
  • [Azure] CRI-RDOS | [RHEL 7.8] Live migration only takes 10 seconds, but the VM was unavailable for 2 hours (BZ#1748239)
  • NFS client autodisconnect timer may fire immediately after TCP connection setup and may cause DoS type reconnect problem in complex network environments (BZ#1749290)
  • [Inspur] RHEL7.6 ASPEED graphic card display issue (BZ#1749296)
  • Allows macvlan to operate correctly over the active-backup mode to support bonding events. (BZ#1751579)
  • [LLNL 7.5 Bug] slab leak causing a crash when using kmem control group (BZ#1752421)
REF: https://access.redhat.com/errata/RHSA-2019:3055

Wednesday, October 23, 2019

NDI® Version 4 Release

NDI 4.0
With this version we do more than expand the power of NDI by adding great new capabilities like improved video quality, 16bpp color precision, discovery service, and much more. We also recognize that IP can bring live and post-production together, as a result we included recording capabilities (with almost no CPU usage) for free, along with the Adobe CC plugins to automatically synchronize and edit video. Now, multi-cam editing is fundamentally easier for millions of people.

How Cloudflare Fights Bots

Malicious bots harm legitimate web publishers and applications, hurt hosting providers by misusing resources, and they doubly hurt the planet through the cost of electricity for servers and cooling for their bots and their victims.
REF: https://blog.cloudflare.com/cleaning-up-bad-bots/

Monday, October 21, 2019

[Checkmk Announce] New Checkmk stable release 1.6.0p5

---------- Forwarded message ---------
From: Checkmk Announcements
Date: Fri, Oct 18, 2019 at 2:28 AM

Checks & agents:
* 10059 RAM Leak Protection for Windows Agent 1.5
* 10303 Add support to monitor Hopf 8029HEPTA devices
* 10222 FIX: Fixed missing thresholds in some CPU utilization graphs
* 10216 FIX: IPMI Management Board: Fixed missing services
* 7713 FIX: Pipe-char is used as separator for Windows WMI
* 10304 FIX: Support for ceph nautilus 14.x
* 10189 FIX: Windows Agent reports allowed IP addresses correctly
* 10214 FIX: agent_aws: Add ELBv2 network and application load balancer sections
* 10210 FIX: agent_aws: Fixed FilterLimitExceeded while collecting EC2 instance attributes
* 10327 FIX: check_elasticsearch_query: Fixed wrong quotation of hostname parameter
* 10217 FIX: check_mk_agent.linux: Fixed docker_container_mem section
* 8803 FIX: mk_oracle.ps1: Fixed two small copy & paste errors
* 10211 FIX: netapp_api_volumes: Fixed scaling of latency values for ALL protocols
* 10070 FIX: systemd: Fixed possible memory leak related to KillMode in unit file
* 10324 FIX: carel_sensors: Fixed error while discovery
NOTE: Please refer to the migration notes!
* 10343 FIX: lnx_if: Fixed flapping discovery of interfaces if output of ethtool is missing
NOTE: Please refer to the migration notes!
* 10218 FIX: lnx_if: Fixed wrong interpretation of interface status
NOTE: Please refer to the migration notes!
* 10154 FIX: mgmt_ipmi_sensors: Missing service details for IPMI sensors services
NOTE: Please refer to the migration notes!
* 10151 FIX: mssql: Sanitize mssql ini file name
NOTE: Please refer to the migration notes!
* 10321 FIX: smart: Fixed wrong device name for device types other than NVME
NOTE: Please refer to the migration notes!

Core & setup:
* 10262 FIX: Discovery: Do not show unrelated discovery function warnings
* 10254 FIX: Improve error handling of incompatible discovery functions
* 10361 FIX: MKTimeout exceptions no longer fails with no argument

Event console:
* 10307 FIX: Resolve conflict event console archive event

HW/SW inventory:
* 10223 FIX: HW/SW Inventory: Do not save inventory tree if Checkmk service calculates status data inventory
* 10219 FIX: HW/SW Inventory: Fixed filtering inventory tree if permitted paths are configured in contact groups

Linux distributions:
* 10311 Support for Red Hat 8 / CentOS 8

Other components:
* 10263 FIX: NagVis: Updated to 1.9.15

Site management:
* 10260 FIX: stunnel service is now correctly disabled when LIVESTATUS_TCP_TLS is off

User interface:
* 10255 FIX: Fix WATO folder painter with configured link showing escaped HTML code on page
* 10251 FIX: Fix broken "Service: Check command expanded" painter
* 10248 FIX: Some dashlets were not correctly refreshed
* 10326 FIX: Removed cmk_nagios_webapps mkp from treasures
NOTE: Please refer to the migration notes!

WATO:
* 10305 Configurable long output painter to truncate output
* 10120 FIX: Fixed error handling in automation calls
* 10261 FIX: API: The edit_users call can now be used to edit LDAP users
* 10257 FIX: Do not make whole discovery page fail on single discovery function issue
* 10253 FIX: Fix possible AttributeError exception on "Parameters of service" page
* 10259 FIX: WATO host search: Fix possible "request URI too long" error

You can download Checkmk from our download page:
 * https://checkmk.com/download.php

TrendLabs: Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites

Figure 1. Infection chain of the Magecart skimming attack on the online hotel booking websites
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/

Plex: 30 second music previews on tvOS and Android TV

30 second music previews on tvOS and Android TV
Two more big screen apps now let you sample every song from the 60 million track catalog from TIDAL. Experience how good music can be on your big screen!

Friday, October 18, 2019

MagicSoft Playout ver 7.4.4

MagicSoft Playout ver 7.4.4 adds:
     - improved scanning algorithm
     - better handling of metadata for folder templates
     - extended possibility to configure Decklink cards like Duo2, Quad2 and 8K Pro

REF: https://www.magicsoft.tv/news.html

Cloudflare Browser Insights

There’s a lot of info in this graph! At a high level, there are two main types of metrics:
  • Request-level metrics like TCP connection time, or Request time. These metrics are counted on every page load and are impacted by Internet infrastructure, like the mobile network of your end users, or the speed of your servers.
  • Page-level metrics like Page Load Time, which take into account the many requests needed to load a web page, plus the time taken to parse HTML and execute JavaScript.
REF: https://blog.cloudflare.com/introducing-browser-insights/

Tuesday, October 15, 2019

Plex: New web shows player on Android

New web shows player on Android
Watching web content has never been better. With a smaller and lighter player framework, videos on our Android app start and seek faster than ever before.

Monday, October 14, 2019

[Checkmk Announce] New Checkmk Grafana Datasource release 1.1.0

---------- Forwarded message ---------
From: Checkmk Announcements
Date: Mon, Sep 30, 2019 at 7:18 PM

* New Feature: Combined Graph Querying: This can be used to create aggregated
  graphs. For example it is now possible to create a graph showing the average
  CPU load of all your Linux servers. You can choose your aggregation function
  and select the metrics you want to group together using filters, e.g. on the
  tags of a host.
* New Feature: Series Renaming: You can customize the title of the graphed
  metrics in Grafana.

* Added Feature: Annotation Support: You can configure Checkmk as annotation
  source for your dashboards. These are based on the availability data of
  Checkmk. You can customize which kind of event to display as annotation in
  your graphs.

You can get it from: https://github.com/tribe29/grafana-checkmk-datasource

TrendLabs: When PSD2 Opens More Doors: The Risks of Open Banking

Figure 1. With PSD2, new FinTech companies will launch new apps to aggregate banking data from multiple accounts.
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/when-psd2-opens-more-doors-the-risks-of-open-banking/isms

ROSCon Japan 2019!

REF: https://ubuntu.com/blog/roscon-japan-2019

Plex: Control Sonos from the web app

Control Sonos from web app
Unleash the power of your Sonos directly from your Plex web app*. Start music playback, adjust volume, change speakers and more from the comfort – and power – of your web app.

Thursday, October 10, 2019

MagicSoft Playout ver 7.4.0

MagicSoft Playout ver 7.4.0 adds the possibility to use a module for "advanced audio" options.
The module allows you to:
     - set up to 16 audio output channels
     - apply real-time audio loudness normalization
REF: https://www.magicsoft.tv/news.html

Wednesday, October 9, 2019

TrendLabs: Hacking LED Wristbands: A ‘Lightning’ Recap of RF Security Basics

Figure 1. Summary of the analysis process
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-led-wristbands-a-lightning-recap-of-rf-security-basics/

Roku: there’s an easier way to watch premium TV.

The Roku Channel
The easier way to watch premium TV

[Checkmk Announce] New Checkmk stable release 1.6.0p3

---------- Forwarded message ---------
From: Checkmk Announcements
Date: Thu, Oct 3, 2019 at 9:06 PM

Checks & agents:
* 10114 FIX: Skype AV Edge check: fix crash on missing TCP metrics in agent output
* 10148 FIX: CPU utilization: Occasional crashes
* 10191 FIX: Windows Agent doesn't add 'cached' info into the piggybacks' headers
* 10190 FIX: Windows Agent sends 'TCP counters' subsection for skype section
* 10144 FIX: cisco_temperature.dom: Do not crash if no device levels are present
* 10267 FIX: dell_compellent_disks would not see more than 9 disks
* 10145 FIX: logwatch_ec: Unjustified 'Invalid parameter' warning
* 10147 FIX: nginx_status: requests metric is now correctly the rate
* 10073 FIX: f5_bigip_vserver: Fixed ValueError while ip parsing
NOTE: Please refer to the migration notes!
* 7869 FIX: mk_mongodb: Fixed crash introduced by Python 2.5 compatibility change in 1.6.0p2
NOTE: Please refer to the migration notes!

Site management:
* 10246 FIX: omd backup: Made it more robust against rrdcached communication issues

User interface:
* 10242 SEC: Fix possible XSS using titles of custom snapins
* 10247 FIX: CMC performance and server performance snapins were not refreshed

WATO:
* 10243 FIX: Periodic service discovery: Set minimum group time to 5 minutes

You can download Checkmk from our download page:
 * https://checkmk.com/download.php

Sunday, October 6, 2019

TrendLabs: Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload

Figure 1. Skidmap’s infection chain
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/

Opensource: 7 rules for remote-work sanity

Not all roles—those with many customer onsite meetings or those with a major service component—are suited to remote working, of course. But it's clear that an increasing number of organisations are considering having at least some of their workers doing so remotely.
REF: https://opensource.com/article/19/8/rules-remote-work-sanity

Friday, October 4, 2019

[LSN-0056-1] Linux kernel vulnerability

---------- Forwarded message ---------
From:
Date: Sep 23, 2019 11:23PM

Peter Pi discovered a buffer overflow in the virtio network backend
(vhost_net) implementation in the Linux kernel. An attacker in a guest may
be able to use this to cause a denial of service (host OS crash) or
possibly execute arbitrary code in the host OS. (CVE-2019-14835)

References:
  CVE-2019-14835

TrendLabs: From BinDiff to Zero-Day: A Proof of Concept Exploiting CVE-2019-1208 in Internet Explorer

Figure 1. Code flow of VbsJoin
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/from-bindiff-to-zero-day-a-proof-of-concept-exploiting-cve-2019-1208-in-internet-explorer/

Tuesday, October 1, 2019

[USN-4140-1] Firefox vulnerability

---------- Forwarded message ---------
From: Chris Coulson
Date: Sep 26, 2019 6:58AM

It was discovered that no user notification was given when pointer lock is
enabled. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit this to hijack the mouse pointer and
confuse users.

References:
  https://usn.ubuntu.com/4140-1
  CVE-2019-11754