---------- Forwarded message ---------
From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
Date: Oct 6, 2020 9:51PM
It was discovered that OpenConnect has a buffer overflow when a malicious
server uses HTTP chunked encoding with crafted chunk sizes. An attacker
could use it to provoke a denial of service (crash).
References:
https://usn.ubuntu.com/4565-1
CVE-2019-16239
REF: https://blog.cloudflare.com/secondary-dns-deep-dive/
---------- Forwarded message ---------
From: Checkmk Announcements <checkmk-announce@lists.mathias-kettner.de>
Date: Tue, Oct 27, 2020 at 4:05 PM
We are excited to bring you the first innovation release of Checkmk 2.0.
For numerous months our team has been pushing hard to deliver the next full
version of Checkmk. In doing so, we have reworked Checkmk's foundations.
With so many significant changes coming finally together, we have decided to
make the version step change to 2.0.
This innovation release is a preview of most features planned for Checkmk 2.0
(https://blog.checkmk.com/announcing-checkmk-2.0-and-its-innovation-release)
and gives you the possibility to try these new and interesting features.
With Version 2.0 we will also be introducing a new user interface and user
experience. The Innovation Release already contains many aspects of this to
gather early feedback.
We will have two dedicated channels to gather your feedback on the new user
experience.
- The dedicated feedback email (see below)
- A community call, a survey and the feedback section in the Checkmk Forum.
Please look out for the upcoming announcement in the Forum.
To get a good grasp of what fundamentals in the user interface have changed,
read this forum post containing more details:
https://forum.checkmk.com/t/the-completely-new-checkmk-2-0-user-experience/21104
We would like to ask all users to try out the new version and help us ensure
that Checkmk 2.0 becomes a success.
Please send general feedback, feedback on the new user experience, and bug
reports to this dedicated mail address:
feedback-2.0 at checkmk.com
All mails to this address will be used to improve the 2.0 and are completely
free of charge.
This is not a stable release. Please do not use this in productive environments
as it is a compromise between stability and new features. It is also only
available in the Checkmk Enterprise Editions.
You can download Checkmk from our download page:
* https://checkmk.com/download.php
 |
| One more thing to mention this month about Free Live TV–we’ve added closed captions as a feature across all platforms. Check your channel and program (Apple, Android, Chromecast, Roku) for availability. |
---------- Forwarded message ---------
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Date: Sep 30, 2020 10:29PM
Tom Tervoort discovered that the Netlogon protocol implemented by Samba
incorrectly handled the authentication scheme. A remote attacker could use
this issue to forge an authentication token and steal the credentials of
the domain admin.
While a previous security update fixed the issue by changing the "server
schannel" setting to default to "yes", instead of "auto", which forced a
secure netlogon channel, this update provides additional improvements.
For compatibility reasons with older devices, Samba now allows specifying
an insecure netlogon configuration per machine. See the following link for
examples: https://www.samba.org/samba/security/CVE-2020-1472.html
In addition, this update adds additional server checks for the protocol
attack in the client-specified challenge to provide some protection when
'server schannel = no/auto' and avoid the false-positive results when
running the proof-of-concept exploit.
References:
https://usn.ubuntu.com/4559-1
CVE-2020-1472
REF: https://blog.cloudflare.com/migrating-cdnjs-to-serverless-with-workers-kv/
---------- Forwarded message ---------
From: Chris Coulson <chris.coulson@canonical.com>
Date: Sep 28, 2020 5:47PM
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, conduct cross-site
scripting (XSS) attacks, spoof the site displayed in the download dialog,
or execute arbitrary code.
References:
https://usn.ubuntu.com/4546-1
CVE-2020-15673, CVE-2020-15674, CVE-2020-15675, CVE-2020-15676,
CVE-2020-15677, CVE-2020-15678
Hulu is getting spooky with shows like Helstrom and Monsterland. See our guide to the best of what’s coming for Huluween.
---------- Forwarded message ---------
From: Brent Cook <busterb@gmail.com>
Date: Tue, Aug 25, 2020 at 11:20 AM
This is the second development release from the 3.2.x series, which will
eventually be part of OpenBSD 6.8.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
 |
| Meet our Open Source Stewards |
| Many of you know Lucy Wyman, software engineer for Bolt, for her many contributions including answering questions in our Bolt Slack channel and running PDX CoffeeOps. She also leads our Open Source Stewards team alongside Molly Waggett and Ben Ford. We asked Lucy to share what our Open Source Stewards are up to. |
---------- Forwarded message ---------
From: Steve Beattie <steve.beattie@canonical.com>
Date: Sep 22, 2020 12:24PM
It was discovered that the AMD Cryptographic Coprocessor device driver in
the Linux kernel did not properly deallocate memory in some situations. A
local attacker could use this to cause a denial of service (memory
exhaustion). (CVE-2019-18808)
It was discovered that the Conexant 23885 TV card device driver for the
Linux kernel did not properly deallocate memory in some error conditions. A
local attacker could use this to cause a denial of service (memory
exhaustion). (CVE-2019-19054)
It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2019-19061)
It was discovered that the AMD Audio Coprocessor driver for the Linux
kernel did not properly deallocate memory in certain error conditions. A
local attacker with the ability to load modules could use this to cause a
denial of service (memory exhaustion). (CVE-2019-19067)
It was discovered that the Atheros HTC based wireless driver in the Linux
kernel did not properly deallocate in certain error conditions. A local
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2019-19073, CVE-2019-19074)
It was discovered that the F2FS file system in the Linux kernel did not
properly perform bounds checking in some situations, leading to an out-of-
bounds read. A local attacker could possibly use this to expose sensitive
information (kernel memory). (CVE-2019-9445)
It was discovered that the VFIO PCI driver in the Linux kernel did not
properly handle attempts to access disabled memory spaces. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2020-12888)
It was discovered that the cgroup v2 subsystem in the Linux kernel did not
properly perform reference counting in some situations, leading to a NULL
pointer dereference. A local attacker could use this to cause a denial of
service or possibly gain administrative privileges. (CVE-2020-14356)
It was discovered that the state of network RNG in the Linux kernel was
potentially observable. A remote attacker could use this to expose
sensitive information. (CVE-2020-16166)
References:
https://usn.ubuntu.com/4526-1
CVE-2019-18808, CVE-2019-19054, CVE-2019-19061, CVE-2019-19067,
CVE-2019-19073, CVE-2019-19074, CVE-2019-9445, CVE-2020-12888,
CVE-2020-14356, CVE-2020-16166
REF: REF: https://blog.cloudflare.com/add-watermarks-to-your-cloudflare-stream-video-uploads/
---------- Forwarded message ---------
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Date: Sep 17, 2020 8:16PM
Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU
incorrectly handled certain USB packets. An attacker inside the guest could
use this issue to cause QEMU to crash, resulting in a denial of service, or
possibly execute arbitrary code on the host. In the default installation,
when QEMU is used with libvirt, attackers would be isolated by the libvirt
AppArmor profile.
References:
https://usn.ubuntu.com/4511-1
CVE-2020-14364
We have also worked hard to improve gaming compatibility for macOS users, including support for Steam and for many DirectX 11 games. We hope that our customers with beloved 32 bit games will be able to run them on their Macs once again. Our goal is to make sure that Mac users are not excluded from the best of PC gaming.
Mac customers with active support entitlements will be upgraded to CrossOver 20 the next time they launch CrossOver. Linux users can download the latest version from https://codeweavers.com/account/downloads, and Chrome OS users can sign up for a free trial by visiting:
https://codeweavers.com/crossover/download
---------- Forwarded message ---------
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Date: Sep 17, 2020 8:16PM
Tom Tervoort discovered that the Netlogon protocol implemented by Samba
incorrectly handled the authentication scheme. A remote attacker could use
this issue to forge an authentication token and steal the credentials of
the domain admin.
This update fixes the issue by changing the "server schannel" setting to
default to "yes", instead of "auto", which will force a secure netlogon
channel. This may result in compatibility issues with older devices. A
future update may allow a finer-grained control over this setting.
References:
https://usn.ubuntu.com/4510-1
CVE-2020-1472
REF: https://blog.cloudflare.com/exploring-webassembly-ai-services-on-cloudflare-workers/
---------- Forwarded message ---------
From: Checkmk Announcements <checkmk-announce@lists.mathias-kettner.de>
Date: Tue, Oct 13, 2020 at 11:37 PM
This maintenance release ships with 26 changes affecing all editions of Checkmk,
4 Enterprise Edition specific changes and 0 Managed Services Edition specific changes.
Checks & agents:
* 11360 juniper_temp: Discover on additional devices
* 11462 SEC: Windows agent sets access rights also after clean installation
* 11461 SEC: Windows agent: Improved protection of configuration files
* 11393 FIX: Fix perfometer ups-capacity
* 11115 FIX: agent_bi: Filter by groups
* 11412 FIX: diskspace cleanup: fixed race condition which could cause loss of monitored services
* 11326 FIX: drdb: fixed invalid check parameters at discovery stage
* 11474 FIX: fileinfo: Fixed checking during specific times of the day
* 11483 FIX: heartbeat_crm: Fix ExceptionTypeError if cluster is not availabe
* 11392 FIX: heartbeat_crm: strict activation in agent
* 11368 FIX: netapp_api_luns: Report correct total size
* 11270 FIX: oracle_instance: Fix missing uptime column if status data inventory is enabled
* 11266 FIX: ups_out_load, ups_power: Fix discovery of output lines with zero load resp. power
* 11277 FIX: Fix wrong allocation of colorant for printer supplies
Core & setup:
* 11491 FIX: Nagios: Fix broken config reason displaying
Livestatus proxy:
* 11415 FIX: liveproxyd logging: fixed incorrect logrotate behaviour
Notifications:
* 11053 FIX: Don't escape the plugin output of email notifications if configured
Other components:
* 10128 FIX: Fixed potential monitoring core crash when rrdcached is down
* 11494 FIX: NagVis: Updated to 1.9.23
User interface:
* 11479 FIX: Fix host 'Save & Test' action showing 'API error' for all tests for good
* 11473 FIX: Fix rendering of ruleset page if user error is raised
* 11471 FIX: Fixed default LDAP synchronization setting of central sites
* 11481 FIX: LDAP: Fix AttributeError if attribute "Disable Notifications" is used
* 11478 FIX: Fixed encoding of timestamp painters
NOTE: Please refer to the migration notes!
WATO:
* 11477 FIX: Fixed host label search
* 11416 FIX: Folder changes from normal monitoring users were not always applied on the first save
You can download Checkmk from our download page:
* https://checkmk.com/download.php
Peacock has landed—here’s what to watch
Check out our list of must-see titles on Peacock, including the hit western Yellowstone, the entire Harry Potter series, and the original mystery-thriller series Departure.
MagicSoft Playout ver 7.7.3 was released and it adds improved watch-dog and logging functionality :
- re-scanning algorithm
- trimming IN and OUT points for clips with variable framerateadding improved watch-dog
REF: https://www.magicsoft.tv/news.html
 |
|
---------- Forwarded message ---------
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Date: Sep 16, 2020 11:09PM
Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky
discovered that certain Diffie-Hellman ciphersuites in the TLS
specification and implemented by OpenSSL contained a flaw. A remote
attacker could possibly use this issue to eavesdrop on encrypted
communications. This was fixed in this update by removing the insecure
ciphersuites from OpenSSL. (CVE-2020-1968)
Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,
Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL
incorrectly handled ECDSA signatures. An attacker could possibly use this
issue to perform a timing side-channel attack and recover private ECDSA
keys. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1547)
Guido Vranken discovered that OpenSSL incorrectly performed the x86_64
Montgomery squaring procedure. While unlikely, a remote attacker could
possibly use this issue to recover private keys. This issue only affected
Ubuntu 18.04 LTS. (CVE-2019-1551)
Bernd Edlinger discovered that OpenSSL incorrectly handled certain
decryption functions. In certain scenarios, a remote attacker could
possibly use this issue to perform a padding oracle attack and decrypt
traffic. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1563)
References:
https://usn.ubuntu.com/4504-1
CVE-2019-1547, CVE-2019-1551, CVE-2019-1563, CVE-2020-1968
Our fastest and most powerful player. Ever.
Upgrade to powerful, smooth streaming with our best wireless, extraordinary picture and sound, and all our top features.
---------- Forwarded message ---------
From: benjamin.romer@canonical.com
Date: Sep 11, 2020 5:23PM
Or Cohen discovered that the AF_PACKET implementation in the Linux
kernel did not properly perform bounds checking in some situations. A
local attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2020-14386)
References
- CVE-2020-14386
| |
|
---------- Forwarded message ---------
From: Laura Arjona Reina <larjona@debian.org>
Date: Sep 26, 2020 8:29PM
The Debian project is pleased to announce the sixth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.
The complete lists of packages that have changed with this revision:
http://ftp.debian.org/debian/dists/buster/ChangeLog
The current stable distribution:
http://ftp.debian.org/debian/dists/stable/
Proposed updates to the stable distribution:
http://ftp.debian.org/debian/dists/proposed-updates
stable distribution information (release notes, errata etc.):
https://www.debian.org/releases/stable/
Security announcements and information:
https://www.debian.org/security/
About Debian
------------
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.
Sounds big. Streams big.
Be the first to upgrade your streaming and sound, all with one compact device. Stream what you love in cinematic sound and brilliant picture quality.
---------- Forwarded message ---------
From: Damien Miller <djm@openbsd.org>
Date: Sep 27, 2020 6:59PM
Future deprecation notice
=========================
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.
This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.
The better alternatives include:
* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.
* The ssh-ed25519 signature algorithm. It has been supported in
OpenSSH since release 6.5.
* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.
We intend to enable UpdateHostKeys by default in the next OpenSSH
release. This will assist the client by automatically migrating to
better algorithms. Users may consider enabling this option manually.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
