[USN-4604-1] MySQL vulnerabilities

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Oct 27, 2020 8:43PM

Multiple security issues were discovered in MySQL and this update includes

new upstream MySQL versions to fix these issues.

MySQL has been updated to 8.0.22 in Ubuntu 20.04 LTS and Ubuntu 20.10.

Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.32.

In addition to security fixes, the updated packages contain bug fixes, new

features, and possibly incompatible changes.

References:

  https://usn.ubuntu.com/4604-1

  CVE-2019-14775, CVE-2020-14672, CVE-2020-14760, CVE-2020-14765,

  CVE-2020-14769, CVE-2020-14771, CVE-2020-14773, CVE-2020-14775,

  CVE-2020-14776, CVE-2020-14777, CVE-2020-14785, CVE-2020-14786,

  CVE-2020-14789, CVE-2020-14790, CVE-2020-14791, CVE-2020-14793,

  CVE-2020-14794, CVE-2020-14800, CVE-2020-14804, CVE-2020-14809,

  CVE-2020-14812, CVE-2020-14814, CVE-2020-14821, CVE-2020-14827,

  CVE-2020-14828, CVE-2020-14829, CVE-2020-14830, CVE-2020-14836,

  CVE-2020-14837, CVE-2020-14838, CVE-2020-14839, CVE-2020-14844,

  CVE-2020-14845, CVE-2020-14846, CVE-2020-14848, CVE-2020-14852,

  CVE-2020-14853, CVE-2020-14860, CVE-2020-14861, CVE-2020-14866,

  CVE-2020-14867, CVE-2020-14868, CVE-2020-14869, CVE-2020-14870,

  CVE-2020-14873, CVE-2020-14878, CVE-2020-14888, CVE-2020-14891,

  CVE-2020-14893

LM: elementary OS 5.2

 

REF: https://blog.cloudflare.com/introducing-cloudflare-one/

[USN-4602-1] Perl vulnerabilities

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Oct 26, 2020 7:45PM

ManhND discovered that Perl incorrectly handled certain regular

expressions. In environments where untrusted regular expressions are

evaluated, a remote attacker could possibly use this issue to cause Perl to

crash, resulting in a denial of service, or possibly execute arbitrary

code. (CVE-2020-10543)

Hugo van der Sanden and Slaven Rezic discovered that Perl incorrectly

handled certain regular expressions. In environments where untrusted

regular expressions are evaluated, a remote attacker could possibly use

this issue to cause Perl to crash, resulting in a denial of service, or

possibly execute arbitrary code. (CVE-2020-10878)

Sergey Aleynikov discovered that Perl incorrectly handled certain regular

expressions. In environments where untrusted regular expressions are

evaluated, a remote attacker could possibly use this issue to cause Perl to

crash, resulting in a denial of service, or possibly execute arbitrary

code. (CVE-2020-12723)

References:

  https://usn.ubuntu.com/4602-1

  CVE-2020-10543, CVE-2020-10878, CVE-2020-12723

Introducing Cloudflare One

 

REF: https://blog.cloudflare.com/introducing-cloudflare-one/

[LSN-0073-1] Linux kernel vulnerability

 ---------- Forwarded message ---------

From: benjamin.romer@canonical.com

Date: Oct 26, 2020 7:45PM

Andy Nguyen discovered that the Bluetooth L2CAP implementation in the

Linux kernel contained a type-confusion error. A physically proximate

remote attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code. (CVE-2020-12351)

Andy Nguyen discovered that the Bluetooth A2MP implementation in the

Linux kernel did not properly initialize memory in some situations. A

physically proximate remote attacker could use this to expose sensitive

information (kernel memory). (CVE-2020-12352)

Andy Nguyen discovered that the Bluetooth HCI event packet parser in the

Linux kernel did not properly handle event advertisements of certain

sizes, leading to a heap-based buffer overflow. A physically proximate

remote attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code. (CVE-2020-24490)

References

-   CVE-2020-12351

-   CVE-2020-12352

-   CVE-2020-24490

LM: KDE neon 5.20.0

REF: https://www.linux-magazine.com/Issues/2020/241/This-Month-s-DVD

MagicSoft Recorder ver 3.3.2

It adds support for recording HEVC 10 bit with nVidia cards using containers : mov, mp4, mkv and ts

The supported video modes are 720p, 1080p and 4K

The software can be freely downloaded from our website 

https://www.magicsoft.tv

Plex is now included in Reelgood’s database for free streaming content

 

As Seen on

Plex is now included in Reelgood’s database for free streaming content, which means you can keep track of what you want to see, what you have seen, and more.

[Openvpn-announce] OpenVPN 2.5-rc2 released

 ---------- Forwarded message ---------

From: Samuli Seppänen <samuli@openvpn.net>

Date: Wed, Sep 30, 2020 at 7:57 PM

OpenVPN 2.5 is a new major release with many new features:

    Client-specific tls-crypt keys (--tls-crypt-v2)

    Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN

data channel

    Improved Data channel cipher negotiation

    Removal of BF-CBC support in default configuration

    Asynchronous (deferred) authentication support for auth-pam plugin

    Deferred client-connect

    Faster connection setup

    Netlink support

    Wintun support

    IPv6-only operation

    Improved Windows 10 detection

    Linux VRF support

    TLS 1.3 support

    Support setting DHCP search domain

    Handle setting of tun/tap interface MTU on Windows

    HMAC based auth-token support

    VLAN support

    Support building of .msi installers for Windows

    Allow unicode search string in --cryptoapicert option (Windows)

    Support IPv4 configs with /31 netmasks now

    New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

    MSI installer (Windows)

    The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA

      management

Cloudflare’s Always Online and the Internet Archive Team Up to Fight Origin Errors

 

Enabling the new Always Online

REF: https://blog.cloudflare.com/cloudflares-always-online-and-the-internet-archive-team-up-to-fight-origin-errors/

[USN-4599-1] Firefox vulnerabilities

 ---------- Forwarded message ---------

From: Chris Coulson <chris.coulson@canonical.com>

Date: Oct 23, 2020 7:33PM

Multiple security issues were discovered in Firefox. If a user were

tricked in to opening a specially crafted website, an attacker could

potentially exploit these to cause a denial of service, spoof the prompt

for opening an external application, obtain sensitive information, or

execute arbitrary code.

References:

  https://usn.ubuntu.com/4599-1

  CVE-2020-15254, CVE-2020-15680, CVE-2020-15681, CVE-2020-15682,

  CVE-2020-15683, CVE-2020-15684, CVE-2020-15969

Roku Express Exclusive upgrade

 

Exclusive upgrade for you

Save over 30% on the compact-but-mighty Roku Express, plus get free shipping! You’ll love the smooth streaming, and enjoy all the latest Roku features, software updates, and streaming channels. The included High Speed HDMI^® Cable makes setup a cinch, so you’ll be up and streaming in no time.

[LSN-0072-1] linux kernel vulnerability

 ---------- Forwarded message ---------

From: benjamin.romer@canonical.com

Date: Oct 15, 2020 1:44AM

It was discovered that the F2FS file system implementation in the Linux

kernel did not properly perform bounds checking on xattrs in some

situations. A local attacker could possibly use this to expose sensitive

information (kernel memory). (CVE-2020-0067)

It was discovered that the Serial CAN interface driver in the Linux

kernel did not properly initialize data. A local attacker could use this

to expose sensitive information (kernel memory). (CVE-2020-11494)

Mauricio Faria de Oliveira discovered that the aufs implementation in

the Linux kernel improperly managed inode reference counts in the

vfsub_dentry_open() method. A local attacker could use this

vulnerability to cause a denial of service. (CVE-2020-11935)

Piotr Krysiuk discovered that race conditions existed in the file system

implementation in the Linux kernel. A local attacker could use this to

cause a denial of service (system crash). (CVE-2020-12114)

Or Cohen discovered that the AF_PACKET implementation in the Linux

kernel did not properly perform bounds checking in some situations. A

local attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code. (CVE-2020-14386)

Hador Manor discovered that the DCCP protocol implementation in the

Linux kernel improperly handled socket reuse, leading to a

use-after-free vulnerability. A local attacker could use this to cause a

denial of service (system crash) or possibly execute arbitrary code.

(CVE-2020-16119)

Giuseppe Scrivano discovered that the overlay file system in the Linux

kernel did not properly perform permission checks in some situations. A

local attacker could possibly use this to bypass intended restrictions

and gain read access to restricted files. (CVE-2020-16120)

References

-   CVE-2020-0067

-   CVE-2020-11494

-   CVE-2020-11935

-   CVE-2020-12114

-   CVE-2020-14386

-   CVE-2020-16119

-   CVE-2020-16120

Cloudflare Automatically Blocks Botnet DDoS Attack Topping At 654 Gbps

 

Moobot Targets 654 Gbps towards a Magic Transit Customer

REF: https://blog.cloudflare.com/moobot-vs-gatebot-cloudflare-automatically-blocks-botnet-ddos-attack-topping-at-654-gbps/

ActivePython 3.7 Update

ActivePython 3.7 Community Edition (CE) for Windows and Linux has been updated to v3.7.8, resolving recently discovered vulnerabilities associated with Bleach, Pillow and Django.

Download it from the ActiveState Platform.

Roku OS 9.4 introduces BrightScript exception handling

 

Roku OS 9.4 introduces BrightScript exception handling

[USN-4565-1] OpenConnect vulnerability

 ---------- Forwarded message ---------

From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>

Date: Oct 6, 2020 9:51PM

It was discovered that OpenConnect has a buffer overflow when a malicious

server uses HTTP chunked encoding with crafted chunk sizes. An attacker

could use it to provoke a denial of service (crash).

References:

  https://usn.ubuntu.com/4565-1

  CVE-2019-16239

Cloudflare: How Does Secondary DNS Work?

 

Figure 1: Secondary DNS Microservice Architecture

REF: https://blog.cloudflare.com/secondary-dns-deep-dive/

[Checkmk Announce] New Checkmk innovation release 2.0.0i1

 ---------- Forwarded message ---------

From: Checkmk Announcements <checkmk-announce@lists.mathias-kettner.de>

Date: Tue, Oct 27, 2020 at 4:05 PM

We are excited to bring you the first innovation release of Checkmk 2.0.

For numerous months our team has been pushing hard to deliver the next full

version of Checkmk. In doing so, we have reworked Checkmk's foundations.

With so many significant changes coming finally together, we have decided to

make the version step change to 2.0.

This innovation release is a preview of most features planned for Checkmk 2.0

(https://blog.checkmk.com/announcing-checkmk-2.0-and-its-innovation-release)

and gives you the possibility to try these new and interesting features.

With Version 2.0 we will also be introducing a new user interface and user

experience.  The Innovation Release already contains many aspects of this to

gather early feedback.

We will have two dedicated channels to gather your feedback on the new user

experience.

- The dedicated feedback email (see below)

- A community call, a survey and the feedback section in the Checkmk Forum.

Please look out for the upcoming announcement in the Forum.

To get a good grasp of what fundamentals in the user interface have changed,

read this forum post containing more details:

https://forum.checkmk.com/t/the-completely-new-checkmk-2-0-user-experience/21104

We would like to ask all users to try out the new version and help us ensure

that Checkmk 2.0 becomes a success.

Please send general feedback, feedback on the new user experience, and bug

reports to this dedicated mail address:

feedback-2.0 at checkmk.com

All mails to this address will be used to improve the 2.0 and are completely

free of charge.

This is not a stable release. Please do not use this in productive environments

as it is a compromise between stability and new features. It is also only

available in the Checkmk Enterprise Editions.

You can download Checkmk from our download page:

 * https://checkmk.com/download.php

Plex Added Accessibility

 

One more thing to mention this month about Free Live TV–we’ve added closed captions as a feature across all platforms. Check your channel and program (Apple, Android, Chromecast, Roku) for availability.

[USN-4559-1] Samba update

---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 30, 2020 10:29PM

Tom Tervoort discovered that the Netlogon protocol implemented by Samba

incorrectly handled the authentication scheme. A remote attacker could use

this issue to forge an authentication token and steal the credentials of

the domain admin.

While a previous security update fixed the issue by changing the "server

schannel" setting to default to "yes", instead of "auto", which forced a

secure netlogon channel, this update provides additional improvements.

For compatibility reasons with older devices, Samba now allows specifying

an insecure netlogon configuration per machine. See the following link for

examples: https://www.samba.org/samba/security/CVE-2020-1472.html

In addition, this update adds additional server checks for the protocol

attack in the client-specified challenge to provide some protection when

'server schannel = no/auto' and avoid the false-positive results when

running the proof-of-concept exploit.

References:

  https://usn.ubuntu.com/4559-1

  CVE-2020-1472

Cloudflare: Migrating cdnjs to serverless with Workers KV

 

REF: https://blog.cloudflare.com/migrating-cdnjs-to-serverless-with-workers-kv/

[USN-4546-1] Firefox vulnerabilities

 ---------- Forwarded message ---------

From: Chris Coulson <chris.coulson@canonical.com>

Date: Sep 28, 2020 5:47PM

Multiple security issues were discovered in Firefox. If a user were

tricked in to opening a specially crafted website, an attacker could

potentially exploit these to cause a denial of service, conduct cross-site

scripting (XSS) attacks, spoof the site displayed in the download dialog,

or execute arbitrary code.

References:

  https://usn.ubuntu.com/4546-1

  CVE-2020-15673, CVE-2020-15674, CVE-2020-15675, CVE-2020-15676,

  CVE-2020-15677, CVE-2020-15678

Roku: Are you ready for Huluween?

 

 

Are you ready for Huluween?

 

Hulu is getting spooky with shows like Helstrom and Monsterland. See our guide to the best of what’s coming for Huluween.

LibreSSL 3.2.1 Released

 ---------- Forwarded message ---------

From: Brent Cook <busterb@gmail.com>

Date: Tue, Aug 25, 2020 at 11:20 AM

This is the second development release from the 3.2.x series, which will

eventually be part of OpenBSD 6.8. 

The LibreSSL project continues improvement of the codebase to reflect modern,

safe programming practices. We welcome feedback and improvements from the

broader community. Thanks to all of the contributors who helped make this

release possible.

Puppet: Open Source Stewards team

 

Meet our Open Source Stewards

Many of you know Lucy Wyman, software engineer for Bolt, for her many contributions including answering questions in our Bolt Slack channel and running PDX CoffeeOps. She also leads our Open Source Stewards team alongside Molly Waggett and Ben Ford. We asked Lucy to share what our Open Source Stewards are up to.

[USN-4526-1] Linux kernel vulnerabilities

 ---------- Forwarded message ---------

From: Steve Beattie <steve.beattie@canonical.com>

Date: Sep 22, 2020 12:24PM

It was discovered that the AMD Cryptographic Coprocessor device driver in

the Linux kernel did not properly deallocate memory in some situations. A

local attacker could use this to cause a denial of service (memory

exhaustion). (CVE-2019-18808)

It was discovered that the Conexant 23885 TV card device driver for the

Linux kernel did not properly deallocate memory in some error conditions. A

local attacker could use this to cause a denial of service (memory

exhaustion). (CVE-2019-19054)

It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel

did not properly deallocate memory in certain error conditions. A local

attacker could use this to cause a denial of service (memory exhaustion).

(CVE-2019-19061)

It was discovered that the AMD Audio Coprocessor driver for the Linux

kernel did not properly deallocate memory in certain error conditions. A

local attacker with the ability to load modules could use this to cause a

denial of service (memory exhaustion). (CVE-2019-19067)

It was discovered that the Atheros HTC based wireless driver in the Linux

kernel did not properly deallocate in certain error conditions. A local

attacker could use this to cause a denial of service (memory exhaustion).

(CVE-2019-19073, CVE-2019-19074)

It was discovered that the F2FS file system in the Linux kernel did not

properly perform bounds checking in some situations, leading to an out-of-

bounds read. A local attacker could possibly use this to expose sensitive

information (kernel memory). (CVE-2019-9445)

It was discovered that the VFIO PCI driver in the Linux kernel did not

properly handle attempts to access disabled memory spaces. A local attacker

could use this to cause a denial of service (system crash).

(CVE-2020-12888)

It was discovered that the cgroup v2 subsystem in the Linux kernel did not

properly perform reference counting in some situations, leading to a NULL

pointer dereference. A local attacker could use this to cause a denial of

service or possibly gain administrative privileges. (CVE-2020-14356)

It was discovered that the state of network RNG in the Linux kernel was

potentially observable. A remote attacker could use this to expose

sensitive information. (CVE-2020-16166)

References:

  https://usn.ubuntu.com/4526-1

  CVE-2019-18808, CVE-2019-19054, CVE-2019-19061, CVE-2019-19067,

  CVE-2019-19073, CVE-2019-19074, CVE-2019-9445, CVE-2020-12888,

  CVE-2020-14356, CVE-2020-16166

Add Watermarks to your Cloudflare Stream Video Uploads

 

REF: REF: https://blog.cloudflare.com/add-watermarks-to-your-cloudflare-stream-video-uploads/

[USN-4511-1] QEMU vulnerability

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 17, 2020 8:16PM

Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU

incorrectly handled certain USB packets. An attacker inside the guest could

use this issue to cause QEMU to crash, resulting in a denial of service, or

possibly execute arbitrary code on the host. In the default installation,

when QEMU is used with libvirt, attackers would be isolated by the libvirt

AppArmor profile.

References:

  https://usn.ubuntu.com/4511-1

  CVE-2020-14364

4K with Roku® Streaming Stick®+

 

Smile big. These deals are for you.

No need to dig for deals, set alerts, or rush to shop. It’s prime time to save on these Roku players all week long—no membership required. Start with 4K streaming and long-range wireless with Roku® Streaming Stick®+.

Announcing CrossOver 20.0 for Mac, Linux, and now Chrome OS!

We have also worked hard to improve gaming compatibility for macOS users, including support for Steam and for many DirectX 11 games.  We hope that our customers with beloved 32 bit games will be able to run them on their Macs once again.  Our goal is to make sure that Mac users are not excluded from the best of PC gaming.

Mac customers with active support entitlements will be upgraded to CrossOver 20 the next time they launch CrossOver.  Linux users can download the latest version from https://codeweavers.com/account/downloads, and Chrome OS users can sign up for a free trial by visiting:

 https://codeweavers.com/crossover/download

Starting Your Own Podcast on WordPress.com

 

Starting Your Own Podcast on WordPress.com

[USN-4510-1] Samba vulnerability

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 17, 2020 8:16PM

Tom Tervoort discovered that the Netlogon protocol implemented by Samba

incorrectly handled the authentication scheme. A remote attacker could use

this issue to forge an authentication token and steal the credentials of

the domain admin.

This update fixes the issue by changing the "server schannel" setting to

default to "yes", instead of "auto", which will force a secure netlogon

channel. This may result in compatibility issues with older devices. A

future update may allow a finer-grained control over this setting.

References:

  https://usn.ubuntu.com/4510-1

  CVE-2020-1472

Exploring WebAssembly AI Services on Cloudflare Workers

 

Optimized AI services can process data closest to the source and perform inferences at the distributed edge.

REF: https://blog.cloudflare.com/exploring-webassembly-ai-services-on-cloudflare-workers/

[Checkmk Announce] New Checkmk stable release 1.6.0p18

 ---------- Forwarded message ---------

From: Checkmk Announcements <checkmk-announce@lists.mathias-kettner.de>

Date: Tue, Oct 13, 2020 at 11:37 PM

This maintenance release ships with 26 changes affecing all editions of Checkmk,

4 Enterprise Edition specific changes and 0 Managed Services Edition specific changes.

Checks & agents:

* 11360 juniper_temp: Discover on additional devices

* 11462 SEC: Windows agent sets access rights also after clean installation

* 11461 SEC: Windows agent: Improved protection of configuration files

* 11393 FIX: Fix perfometer ups-capacity

* 11115 FIX: agent_bi: Filter by groups

* 11412 FIX: diskspace cleanup: fixed race condition which could cause loss of monitored services

* 11326 FIX: drdb: fixed invalid check parameters at discovery stage

* 11474 FIX: fileinfo: Fixed checking during specific times of the day

* 11483 FIX: heartbeat_crm: Fix ExceptionTypeError if cluster is not availabe

* 11392 FIX: heartbeat_crm: strict activation in agent

* 11368 FIX: netapp_api_luns: Report correct total size

* 11270 FIX: oracle_instance: Fix missing uptime column if status data inventory is enabled

* 11266 FIX: ups_out_load, ups_power: Fix discovery of output lines with zero load resp. power

* 11277 FIX: Fix wrong allocation of colorant for printer supplies

Core & setup:

* 11491 FIX: Nagios: Fix broken config reason displaying

Livestatus proxy:

* 11415 FIX: liveproxyd logging: fixed incorrect logrotate behaviour

Notifications:

* 11053 FIX: Don't escape the plugin output of email notifications if configured

Other components:

* 10128 FIX: Fixed potential monitoring core crash when rrdcached is down

* 11494 FIX: NagVis: Updated to 1.9.23

User interface:

* 11479 FIX: Fix host 'Save & Test' action showing 'API error' for all tests for good

* 11473 FIX: Fix rendering of ruleset page if user error is raised

* 11471 FIX: Fixed default LDAP synchronization setting of central sites

* 11481 FIX: LDAP: Fix AttributeError if attribute "Disable Notifications" is used

* 11478 FIX: Fixed encoding of timestamp painters

NOTE: Please refer to the migration notes!

WATO:

* 11477 FIX: Fixed host label search

* 11416 FIX: Folder changes from normal monitoring users were not always applied on the first save

You can download Checkmk from our download page:

 * https://checkmk.com/download.php

Roku: Peacock has landed

 

 

Peacock has landed—here’s what to watch

 

Check out our list of must-see titles on Peacock, including the hit western Yellowstone, the entire Harry Potter series, and the original mystery-thriller series Departure.

MagicSoft Playout ver 7.7.3

MagicSoft Playout ver 7.7.3 was released and it adds improved watch-dog and logging functionality :

- re-scanning algorithm

- trimming IN and OUT points for clips with variable framerateadding improved watch-dog 

REF: https://www.magicsoft.tv/news.html

Plex: More to Love from Free Live TV

 

More to Love from Free Live TV Acclaimed anime, cult classics, arthouse fares, international documentaries and canales en español (US only) have all landed on our Free Live TV lineup this month. Tune in to check out these newly added channels:

[USN-4504-1] OpenSSL vulnerabilities

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 16, 2020 11:09PM

Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky

discovered that certain Diffie-Hellman ciphersuites in the TLS

specification and implemented by OpenSSL contained a flaw. A remote

attacker could possibly use this issue to eavesdrop on encrypted

communications. This was fixed in this update by removing the insecure

ciphersuites from OpenSSL. (CVE-2020-1968)

Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,

Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL

incorrectly handled ECDSA signatures. An attacker could possibly use this

issue to perform a timing side-channel attack and recover private ECDSA

keys. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1547)

Guido Vranken discovered that OpenSSL incorrectly performed the x86_64

Montgomery squaring procedure. While unlikely, a remote attacker could

possibly use this issue to recover private keys. This issue only affected

Ubuntu 18.04 LTS. (CVE-2019-1551)

Bernd Edlinger discovered that OpenSSL incorrectly handled certain

decryption functions. In certain scenarios, a remote attacker could

possibly use this issue to perform a padding oracle attack and decrypt

traffic. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1563)

References:

  https://usn.ubuntu.com/4504-1

  CVE-2019-1547, CVE-2019-1551, CVE-2019-1563, CVE-2020-1968

Meet the newest Roku players

 

Our fastest and most powerful player. Ever.

Upgrade to powerful, smooth streaming with our best wireless, extraordinary picture and sound, and all our top features.

[LSN-0071-1] linux kernel vulnerability

 ---------- Forwarded message ---------

From: benjamin.romer@canonical.com

Date: Sep 11, 2020 5:23PM

Or Cohen discovered that the AF_PACKET implementation in the Linux

kernel did not properly perform bounds checking in some situations. A

local attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code. (CVE-2020-14386)

References

-   CVE-2020-14386

Wrapping up Cloudflare’s 10th birthday

 

Were you able to keep up with everything we launched this week? We announced several new products that further our mission of helping build a better Internet. We also featured demos of these products and shared launch stories on Cloudflare TV. Visit the Birthday Week page for a recap.

Updated Debian 10: 10.6 released

 ---------- Forwarded message ---------

From: Laura Arjona Reina <larjona@debian.org>

Date: Sep 26, 2020 8:29PM

The Debian project is pleased to announce the sixth update of its stable

distribution Debian 10 (codename "buster"). This point release mainly

adds corrections for security issues, along with a few adjustments for

serious problems. Security advisories have already been published

separately and are referenced where available.

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

------------

The Debian Project is an association of Free Software developers who

volunteer their time and effort in order to produce the completely free

operating system Debian.

Roku: Meet the newest Roku Streambar

 

Sounds big. Streams big.

Be the first to upgrade your streaming and sound, all with one compact device. Stream what you love in cinematic sound and brilliant picture quality.

[openssh-unix-announce] Announce: OpenSSH 8.4 released

 ---------- Forwarded message ---------

From: Damien Miller <djm@openbsd.org>

Date: Sep 27, 2020 6:59PM

Future deprecation notice

=========================

It is now possible[1] to perform chosen-prefix attacks against the

SHA-1 algorithm for less than USD$50K. For this reason, we will be

disabling the "ssh-rsa" public key signature algorithm by default in a

near-future release.

This algorithm is unfortunately still used widely despite the

existence of better alternatives, being the only remaining public key

signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These

   algorithms have the advantage of using the same key type as

   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been

   supported since OpenSSH 7.2 and are already used by default if the

   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in

   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These

   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key

algorithm, for host authentication, try to connect to it after

removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key

types are available, the server software on that host should be

upgraded.

We intend to enable UpdateHostKeys by default in the next OpenSSH

release. This will assist the client by automatically migrating to

better algorithms. Users may consider enabling this option manually.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and

    Application to the PGP Web of Trust" Leurent, G and Peyrin, T

    (2020) https://eprint.iacr.org/2020/014.pdf

Unimog - Cloudflare’s edge load balancer

 

REF: https://blog.cloudflare.com/unimog-cloudflares-edge-load-balancer/

[USN-4489-1] Linux kernel vulnerability

 ---------- Forwarded message ---------

From: Steve Beattie <steve.beattie@canonical.com>

Date: Sep 8, 2020 4:16PM

Or Cohen discovered that the AF_PACKET implementation in the Linux

kernel did not properly perform bounds checking in some situations. A

local attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code.

References:

  https://usn.ubuntu.com/4489-1

  CVE-2020-14386

Check out this week's VizrTV shows on-demand

 

The next generation of Vizrt, the next chapter of your story Dr. Andrew Cross, Vizrt Group’s President of Product Development, examines how Vizrt’s 25 years of product revolution is charting the path forward in software-defined visual storytelling. Plus a sneak peek into the brand new Viz Vectar Plus.

[USN-4485-1] Linux kernel vulnerabilities

 ---------- Forwarded message ---------

From: Steve Beattie <steve.beattie@canonical.com>

Date: Sep 2, 2020 12:11PM

Timothy Michaud discovered that the i915 graphics driver in the Linux

kernel did not properly validate user memory locations for the

i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to

cause a denial of service or execute arbitrary code. (CVE-2018-20669)

It was discovered that the Kvaser CAN/USB driver in the Linux kernel did

not properly initialize memory in certain situations. A local attacker

could possibly use this to expose sensitive information (kernel memory).

(CVE-2019-19947)

Chuhong Yuan discovered that go7007 USB audio device driver in the Linux

kernel did not properly deallocate memory in some failure conditions. A

physically proximate attacker could use this to cause a denial of service

(memory exhaustion). (CVE-2019-20810)

It was discovered that the elf handling code in the Linux kernel did not

initialize memory before using it in certain situations. A local attacker

could use this to possibly expose sensitive information (kernel memory).

(CVE-2020-10732)

It was discovered that the Linux kernel did not correctly apply Speculative

Store Bypass Disable (SSBD) mitigations in certain situations. A local

attacker could possibly use this to expose sensitive information.

(CVE-2020-10766)

It was discovered that the Linux kernel did not correctly apply Indirect

Branch Predictor Barrier (IBPB) mitigations in certain situations. A local

attacker could possibly use this to expose sensitive information.

(CVE-2020-10767)

It was discovered that the Linux kernel could incorrectly enable Indirect

Branch Speculation after it has been disabled for a process via a prctl()

call. A local attacker could possibly use this to expose sensitive

information. (CVE-2020-10768)

Luca Bruno discovered that the zram module in the Linux kernel did not

properly restrict unprivileged users from accessing the hot_add sysfs file.

A local attacker could use this to cause a denial of service (memory

exhaustion). (CVE-2020-10781)

It was discovered that the XFS file system implementation in the Linux

kernel did not properly validate meta data in some circumstances. An

attacker could use this to construct a malicious XFS image that, when

mounted, could cause a denial of service. (CVE-2020-12655)

It was discovered that the bcache subsystem in the Linux kernel did not

properly release a lock in some error conditions. A local attacker could

possibly use this to cause a denial of service. (CVE-2020-12771)

It was discovered that the Virtual Terminal keyboard driver in the Linux

kernel contained an integer overflow. A local attacker could possibly use

this to have an unspecified impact. (CVE-2020-13974)

Kyungtae Kim discovered that the USB testing driver in the Linux kernel did

not properly deallocate memory on disconnect events. A physically proximate

attacker could use this to cause a denial of service (memory exhaustion).

(CVE-2020-15393)

It was discovered that the NFS server implementation in the Linux kernel

did not properly honor umask settings when setting permissions while

creating file system objects if the underlying file system did not support

ACLs. An attacker could possibly use this to expose sensitive information

or violate system integrity. (CVE-2020-24394)

It was discovered that the Kerberos SUNRPC GSS implementation in the Linux

kernel did not properly deallocate memory on module unload. A local

privileged attacker could possibly use this to cause a denial of service

(memory exhaustion). (CVE-2020-12656)

References:

  https://usn.ubuntu.com/4485-1

  CVE-2018-20669, CVE-2019-19947, CVE-2019-20810, CVE-2020-10732,

  CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-10781,

  CVE-2020-12655, CVE-2020-12656, CVE-2020-12771, CVE-2020-13974,

  CVE-2020-15393, CVE-2020-24394

Cloudflare: Two clicks to add region-based Zero Trust compliance

 

REF: https://blog.cloudflare.com/two-clicks-to-enable-regional-zero-trust-compliance/

[USN-4481-1] FreeRDP vulnerabilities

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Sep 1, 2020 10:31PM

It was discovered that FreeRDP incorrectly handled certain memory

operations. A remote attacker could use this issue to cause FreeRDP to

crash, resulting in a denial of service, or possibly execute arbitrary

code.

References:

  https://usn.ubuntu.com/4481-1

  CVE-2020-11095, CVE-2020-11096, CVE-2020-11097, CVE-2020-11098,

  CVE-2020-11099, CVE-2020-15103, CVE-2020-4030, CVE-2020-4031,

  CVE-2020-4032, CVE-2020-4033

Viz Virtual Summit on VizrTV

 

Sign up for a month full of unique live shows that will help you adjust to the changing world and achieve your production goals.

[USN-4477-1] Squid vulnerabilities

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Aug 28, 2020 2:17AM

Amit Klein discovered that Squid incorrectly validated certain data. A

remote attacker could possibly use this issue to perform an HTTP request

smuggling attack, resulting in cache poisoning. (CVE-2020-15810)

Régis Leroy discovered that Squid incorrectly validated certain data. A

remote attacker could possibly use this issue to perform an HTTP request

splitting attack, resulting in cache poisoning. (CVE-2020-15811)

Lubos Uhliarik discovered that Squid incorrectly handled certain Cache

Digest response messages sent by trusted peers. A remote attacker could

possibly use this issue to cause Squid to consume resources, resulting in a

denial of service. (CVE-2020-24606)

References:

  https://usn.ubuntu.com/4477-1

  CVE-2020-15810, CVE-2020-15811, CVE-2020-24606

Telestream: transcode with speed and automation

 

Since media companies around the world use a wide variety of codecs and containers, it is critical to have speed and automation on your side—to free up your resources to focus on more of the creative work and less of the mundane tasks.

[USN-4476-1] NSS vulnerability

 ---------- Forwarded message ---------

From: Leonidas S. Barbosa <leo.barbosa@canonical.com>

Date: Aug 28, 2020 1:49AM

It was discovered that NSS incorrectly handled some inputs.

An attacker could possibly use this issue to expose sensitive information.

References:

  https://usn.ubuntu.com/4476-1

  CVE-2020-12403

Plex: From the people who brought you Skip Intro...

 

What if we told you that with your Plex Pass, plus an antenna and tuner you can watch and record local shows, news, and sports? And, what if we told you that as of this month you can also skip commercials (without getting rid of them) for all the stuff you record? Looks like we just did.

NewTek: Join the Elite. Trade-in Your TriCaster®️ Today.

The newest member of the TriCaster family, TriCaster® 2 Elite, has the tools you already use and love, plus now offers you integration with Zoom, Skype, Microsoft® Teams, Discord, Slack and Tencent – so you can continue to reach your customers and engage with new audiences. This new feature is called Live Call Connect. 

REF: https://www.newtek.com/tricaster/2-elite/

Cloudflare: August 30th 2020: Analysis of CenturyLink/Level(3) Outage

 

The diverse set of network providers Cloudflare connects to. Source: https://bgp.he.net/AS13335#_asinfo

REF: https://blog.cloudflare.com/analysis-of-todays-centurylink-level-3-outage/

[USN-4475-1] Chrony vulnerability

 ---------- Forwarded message ---------

From: Leonidas S. Barbosa <leo.barbosa@canonical.com>

Date: Aug 27, 2020 9:59PM

It was discovered that Chrony incorrectly handled certain symbolic links.

An attacker could possibly use this issue to cause a denial of service or

expose sensitive information.

References:

  https://usn.ubuntu.com/4475-1

  CVE-2020-14367

Roku: Are you ready for game day? 🏈

 

Ready, set… hut, hut, stream!

Football kicks off tonight as Houston takes on Kansas City. See how to catch the game and the rest of the action this season.

[USN-4474-1] Firefox vulnerabilities

 ---------- Forwarded message ---------

From: Chris Coulson <chris.coulson@canonical.com>

Date: Aug 27, 2020 3:03AM

Multiple security issues were discovered in Firefox. If a user were

tricked in to opening a specially crafted website, an attacker could

potentially exploit these to cause a denial of service, trick the user

in to installing a malicious extension, spoof the URL bar, leak sensitive

information between origins, or execute arbitrary code. (CVE-2020-15664,

CVE-2020-15665, CVE-2020-15666, CVE-2020-15670)

It was discovered that NSS incorrectly handled certain signatures.

An attacker could possibly use this issue to expose sensitive information.

(CVE-2020-12400, CVE-2020-12401, CVE-2020-6829)

A data race was discovered when importing certificate information in to

the trust store. An attacker could potentially exploit this to cause an

unspecified impact. (CVE-2020-15668)

References:

  https://usn.ubuntu.com/4474-1

  CVE-2020-12400, CVE-2020-12401, CVE-2020-15664, CVE-2020-15665,

  CVE-2020-15666, CVE-2020-15668, CVE-2020-15670, CVE-2020-6829

Cloudflare: What Happens When The Whole World Goes Remote?

 

REF: https://blog.cloudflare.com/what-happens-when-the-whole-world-goes-remote-not-to-worry-we-were-built-for-this/

[Openvpn-announce] OpenVPN 2.5-beta4 released

 ---------- Forwarded message ---------

From: Samuli Seppänen <samuli@openvpn.net>

Date: Sat, Sep 12, 2020 at 1:20 AM

OpenVPN 2.5 is a new major release with many new features:

•     Client-specific tls-crypt keys (--tls-crypt-v2)
•     Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN
• data channel
•     Improved Data channel cipher negotiation
•     Removal of BF-CBC support in default configuration
•     Asynchronous (deferred) authentication support for auth-pam plugin
•     Deferred client-connect
•     Faster connection setup
•     Netlink support
•     Wintun support
•     IPv6-only operation
•     Improved Windows 10 detection
•     Linux VRF support
•     TLS 1.3 support
•     Support setting DHCP search domain
•     Handle setting of tun/tap interface MTU on Windows
•     HMAC based auth-token support
•     VLAN support
•     Support building of .msi installers for Windows
•     Allow unicode search string in --cryptoapicert option (Windows)
•     Support IPv4 configs with /31 netmasks now
•     New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

Roku: 100 new titles on Hulu in September

 

 

100 new titles on Hulu in September

 

Check out our list of all the new titles arriving on Hulu, including Woke, Trolls World Tour, Because I Said So, Madagascar: A Little Wild, The Addams Family, and more.

MagicSoft Playout release 7.6.3

 it adds Mpeg2 UDP output for SD, HD720p and HD1080i modes. 

H264 UDP works for the all video modes :

SD / HD 720p / HD1080i / HD 1080p / 4K ( from 23.98 to 60 fps )

REF: https://www.magicsoft.tv

Asynchronous HTMLRewriter for Cloudflare Workers

 

REF: https://blog.cloudflare.com/asynchronous-htmlrewriter-for-cloudflare-workers/

These Python tools should be in every developer’s toolbox

 

Ever need to pull information from multiple websites, generate dummy data, blur image details or create a set of thumbnails? If you've had to do any of these kinds of menial tasks more than once, you should be automating it.

Roku: What’s arriving this month on Netflix

 

 

What’s arriving this month on Netflix

 

Watch Millie Bobby Brown and Henry Cavill star in the new Enola Holmes series, or catch Robert Pattinson in the original thriller The Devil All the Time. See our guide to Netflix in September.