Sunday, March 22, 2020

[USN-4302-1] Linux kernel vulnerabilities

---------- Forwarded message ---------
From: Steve Beattie
Date: Mar 17, 2020 11:52AM

Paulo Bonzini discovered that the KVM hypervisor implementation in the
Linux kernel could improperly let a nested (level 2) guest access the
resources of a parent (level 1) guest in certain situations. An attacker
could use this to expose sensitive information. (CVE-2020-2732)

Gregory Herrero discovered that the fix for CVE-2019-14615 to address the
Linux kernel not properly clearing data structures on context switches for
certain Intel graphics processors was incomplete. A local attacker could
use this to expose sensitive information. (CVE-2020-8832)

It was discovered that the IPMI message handler implementation in the Linux
kernel did not properly deallocate memory in certain situations. A local
attacker could use this to cause a denial of service (kernel memory
exhaustion). (CVE-2019-19046)

It was discovered that the Intel WiMAX 2400 driver in the Linux kernel did
not properly deallocate memory in certain situations. A local attacker
could use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19051)

It was discovered that the Marvell Wi-Fi device driver in the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to possibly cause a denial of service (kernel
memory exhaustion). (CVE-2019-19056)

It was discovered that the Intel(R) Wi-Fi device driver in the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could possibly use this to cause a denial of service (kernel
memory exhaustion). (CVE-2019-19058)

It was discovered that the Brocade BFA Fibre Channel device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19066)

It was discovered that the Realtek RTL8xxx USB Wi-Fi device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19068)

It was discovered that the ZR364XX Camera USB device driver for the Linux
kernel did not properly initialize memory. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2019-15217)

References:
  https://usn.ubuntu.com/4302-1
  CVE-2019-15217, CVE-2019-19046, CVE-2019-19051, CVE-2019-19056,
  CVE-2019-19058, CVE-2019-19066, CVE-2019-19068, CVE-2020-2732,
  CVE-2020-8832

Saturday, March 21, 2020

LM: COMPLETE RASPBERRY PI GEEK ARCHIVE


REF: https://www.linux-magazine.com/Issues/2020/233/This-Month-s-DVD

Introducing Secrets and Environment Variables to Cloudflare Workers


REF: https://blog.cloudflare.com/workers-secrets-environment/

TrendLabs: Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks

Figure 2: Screen that requests device admin permission
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/

An EPYC trip to Rome: AMD is Cloudflare's 10th-generation Edge server CPU



Gen X server setup with single socket 48-core AMD EPYC 7642
REF: https://blog.cloudflare.com/an-epyc-trip-to-rome-amd-is-cloudflares-10th-generation-edge-server-cpu/

Roku: Test automation

Test automation software released

Cloudflare: JAMstack at the Edge: How we built Built with Workers… on Workers




A screenshot of the Built with Workers homepage
REF: https://blog.cloudflare.com/jamstack-at-the-edge-how-we-built-built-with-workers-on-workers/

[USN-4303-1] Linux kernel vulnerability

---------- Forwarded message ---------
From: Steve Beattie
Date: Mar 17, 2020 10:33AM

Paulo Bonzini discovered that the KVM hypervisor implementation in the
Linux kernel could improperly let a nested (level 2) guest access the
resources of a parent (level 1) guest in certain situations. An attacker
could use this to expose sensitive information.

References:
  https://usn.ubuntu.com/4303-1
  CVE-2020-2732

Saturday, March 14, 2020

Friday, March 13, 2020

Cloudflare’s Gen X: Servers for an Accelerated Future


REF: https://blog.cloudflare.com/cloudflares-gen-x-servers-for-an-accelerated-future/

ADMIN: WSL puts Linux on Windows desktops

Figure 1: The WSL comprises the LXSS Manager and pico processes in user mode, as well as the pico provider drivers in kernel mode (source: [4]).
REF: http://www.admin-magazine.com/Articles/WSL-puts-Linux-on-Windows-desktops

SHOWTIME on The Roku Channel

Homeland. Showtime on The Roku Channel.
The final season of Homeland is here

Cloudflare: Multi-SSO and Cloudflare Access: Adding LinkedIn and GitHub Teams


REF: https://blog.cloudflare.com/multi-sso-and-cloudflare-access-adding-linkedin-and-github-teams/

LM: GParted (64-bit)


REF: http://www.linux-magazine.com/Issues/2020/232/This-Month-s-DVD

TrendLabs: An In-Depth Technical Analysis of CurveBall (CVE-2020-0601)

The certificate is itself a sequence of several components that include additional nested items:
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-technical-analysis-of-curveball-cve-2020-0601/

Cloudflare: Vetflare, Cloudflare's Military Veteran Employee Group Launches


REF: https://blog.cloudflare.com/vetflare-cloudflares-veteran-employee-group-launches/

[USN-4283-1] QEMU vulnerabilities

---------- Forwarded message ---------
From: Marc Deslauriers
Date: Feb 19, 2020 1:51AM

Felipe Franciosi, Raphael Norwitz, and Peter Turschmid discovered that QEMU
incorrectly handled iSCSI server responses. A remote attacker in control of
the iSCSI server could use this issue to cause QEMU to crash, leading to a
denial of service, or possibly execute arbitrary code. (CVE-2020-1711)

It was discovered that the QEMU libslirp component incorrectly handled
memory. A remote attacker could use this issue to cause QEMU to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2020-7039, CVE-2020-8608)

References:
  https://usn.ubuntu.com/4283-1
  CVE-2020-1711, CVE-2020-7039, CVE-2020-8608

Special, one-week-only deals on Roku players

Roku Ultra. Now $79.99. Full-on features.
Hurry and save on Roku Ultra

Wednesday, March 4, 2020

[Checkmk Announce] New Checkmk stable release 1.6.0p9

---------- Forwarded message ---------
From: Checkmk Announcements
Date: Wed, Feb 19, 2020 at 3:53 PM

This maintenance release ships with 54 changes affecting all editions of Checkmk,
7 Enterprise Edition specific changes and 1 Managed Services Edition specific change.

Checks agents:
* 10861 Feature Pack 1: Azure AD, Graylog, Huawei switches, Jenkins, Jira, K8s, MongoDB, TP-Link switches
* 10743 Cisco UCS check plugins: add support for UCS C240 M5 devices
* 10685 Windows Agent custom installation folder is disabled by default
* 10687 Windows Agent may stop processes that interfere with plugin installation
* 10684 Windows agent updater, cmk-update-agent.exe, is obfuscated now
* 10806 df: addition of ignoring inodes levels option
* 10634 wmi.include: display the unit for levels in status detail of a service
* 10476 azure_agent_info: Add option to pin down monitored resources
NOTE: Please refer to the migration notes!
* 10475 FIX: Azure Checkplugins: Go to stale state if info is missing
* 10771 FIX: Fix Service rediscovery for ucd_cpu_util
* 10787 FIX: Fix missing new line in ESX agent which may break various sections and services may go UNKNOWN
* 10765 FIX: Fixed listing of plugins in view Agents and Plugins
* 10740 FIX: Kubernetes: don't crash on invalid roles
* 10683 FIX: The plugin Windows tasks supports now new-line chars in task description
* 10678 FIX: Windows Agent fileinfo generates output entries for glob patterns in all cases
* 10680 FIX: Windows Agent section systemtime adds '\n' at the end of the output
* 10688 FIX: Windows agent ps section now reports correct process uptime
* 10682 FIX: Windows: Inventory correctly reports IP addresses for more than one network card
* 10478 FIX: agent_azure: Do not warn about missing usage details for one hour
* 10474 FIX: agent_azure: No longer report missing metrics as warning
* 10477 FIX: agent_azure: recover from missing metrics
* 10812 FIX: agent_splunk: Make instance an optional parameter
* 10811 FIX: agent_splunk: Password store can now be used
* 10823 FIX: check_dns: Fixed query if multiple expected addresses are configured
* 10590 FIX: esx_vsphere_vm: Check age of oldest snapshot
* 10591 FIX: ewon: Unbreak check plugin
* 10592 FIX: ipmi: Go to CRIT if a sensor reports "In critical array"
* 10596 FIX: liebert_system_events: Still discover, if no events are present
* 10597 FIX: local: Local check services no longer get skipped for outdated data
* 10741 FIX: lparstat_aix.cpu_util: display the correct physical CPU consumption
* 10744 FIX: mssql_blocked_sessions: don't crash in clustered setup
* 10742 FIX: mssql_tablespaces: reintroduce missing performance data
* 10824 FIX: printer_supply: Fixed unit of performance data which is not measured in percent in general
* 10588 FIX: ps: Handling of non-ASCII characters during process discovery
* 10633 FIX: skype: fixed magnitude of latency value
* 10710 FIX: systemd: Do not mark the agent unit failed on single agent failure
* 10815 FIX: isc_dhcpd: Use alternative for pidof on Debian Buster
NOTE: Please refer to the migration notes!
* 10579 FIX: logwatch: Invalid check parameter: Undefined key 'pre_comp_group_patterns'

Core & setup:
* 10560 Extension packages: Add informational "Valid until version" field
* 10564 Extension packages: Checkmk can now ship optional packages
* 10620 FIX: Fix parsing of invalid state history files

HW/SW inventory:
* 10825 FIX: k8s_daemon_pod_containers: Fixed TypeError while inventorizing kubernetes daemon pod containers
* 10827 FIX: oracle_instance, oracle_performance, oracle_recovery_area: Inventory tables are now sorted by SID

Notifications:
* 10763 FIX: Opsgenie: Fixed authentication error on european accounts
NOTE: Please refer to the migration notes!

Site management:
* 10709 FIX: Fix site certificate being overwritten during version update

User interface:
* 10703 SEC: Fix some reflected XSS issues
* 10760 FIX: Fix missing "Log Entries: Log: Output" column
* 10821 FIX: Fixed UnicodeDecodeError 'ascii codec can't decode byte' when opening log file if file name contains non-ASCII signs
* 10822 FIX: HW/SW Inventory tree: Show error message if HW/SW inventory tree cannot be loaded instead of breaking the whole page
* 10715 FIX: LDAP: Fix broken sync when a group contains itself
* 10738 FIX: Store the site settings of sidebar snapins
* 10860 FIX: Timerange selection: Fixed sorting of choices

WATO:
* 10528 FIX: Host changes from normal monitoring users were not always applied on the first save
* 10713 FIX: Fix additional rule analyzation issue on service object parameter page

You can download Checkmk from our download page:
 * https://checkmk.com/download.php

Tuesday, March 3, 2020

Keep a journal of your activities with this Python program

Writing in a notebook

Image credits: Pexels, via Pixabay. CC0.


REF: https://opensource.com/article/20/1/python-journal

Updated Debian 10: 10.3 released

---------- Forwarded message ---------
From: Ana Guerrero Lopez
Date: Feb 9, 2020 4:47AM

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.3 released                        press@debian.org
February 8th, 2020             https://www.debian.org/News/2020/20200208
------------------------------------------------------------------------

The Debian project is pleased to announce the third update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Cloudflare: Announcing Built with Workers


REF: https://blog.cloudflare.com/built-with-workers/

MagicSoft Playout ver 7.5.6

MagicSoft Playout ver 7.5.6 was released and it adds a conformance recorder module that can work with two profiles simultaneously.

REF: https://www.magicsoft.tv/news.html

26 hidden gem Roku channels you will want to add today

Hidden Gems

Here’s a list of the best, under-the-radar channels you probably haven’t added to your lineup yet, but should... like, soon.