Domain: mitre.org
Stories and comments across the archive that link to mitre.org.
Stories · 38
-
Bleedingbit Zero-Day Chip Flaws May Expose Majority of Enterprises To Remote Code Execution Attacks (zdnet.com)
Two new zero-day vulnerabilities called "Bleeding Bit" have been revealed by security firm Armis, impacting Bluetooth Low-Energy (BLE) chips used in millions of Cisco, Meraki, and Aruba wireless access points (APs). "Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of Cisco, Meraki and Aruba products," reports ZDNet. From the report: The first vulnerability, CVE-2018-16986, impacts Cisco and Meraki APs using TI BLE chips. Attacks can remotely send multiple benign BLE broadcast messages, called "advertising packets," which are stored on the memory of the vulnerable chip. As long as a target device's BLE is turned on, these packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory. If exploited, attackers are able to trigger memory corruption in the chip's BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor, and remotely execute malicious code.
The second vulnerability, CVE-2018-7080, is present in the over-the-air firmware download (OAD) feature of TI chips used in Aruba Wi-Fi access point Series 300 systems. The vulnerability is technically a leftover development backdoor tool. This oversight, the failure to remove such a powerful development tool, could permit attackers to compromise the system by gaining a foothold into a vulnerable access point. "It allows an attacker to access and install a completely new and different version of the firmware -- effectively rewriting the operating system of the device," the company says. "The OAD feature doesn't offer a security mechanism that differentiates a "good" or trusted firmware update from a potentially malicious update." -
MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com)
A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, explains. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version. -
New Hacking Tool Lets Users Access a Bunch of DVRs and Their Video Feeds (bleepingcomputer.com)
An anonymous reader writes: "An Argentinian security researcher named Ezequiel Fernandez has published a powerful new tool yesterday that can easily extract plaintext credentials for various DVR brands and grant attackers access to those systems, and inherently the video feeds they're supposed to record," reports Bleeping Computer. "The tool, named getDVR_Credentials, is a proof-of-concept for CVE-2018-9995, a vulnerability discovered by Fernandez at the start of last month, [affecting TBK DVR systems]. Fernandez discovered that by accessing the control panel of specific DVRs with a cookie header of 'Cookie: uid=admin,' the DVR would respond with the device's admin credentials in cleartext." Tens of thousands of vulnerable devices available online can be hijacked with their video feeds assembled in voyeur sites, like it's been done in the past. -
Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com)
ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder. -
Deserialization Issues Also Affect .NET, Not Just Java (bleepingcomputer.com)
"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a totally unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.
Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data. -
Experts Call For Preserving Copper, Pneumatic Systems As Hedge For Cyber Risk (securityledger.com)
chicksdaddy quotes a report from The Security Ledger: The United States should invest resources in preserving aging, analog infrastructure including telecommunications networks that use copper wire and pneumatic pumps used to pump water as a hedge against the growing threat of global disruption resulting from a cyber attack on critical infrastructure, two researchers at MITRE argue. The researchers, Emily Frye and Quentin Hodgson with The MITRE Corporation, note that critical infrastructure is increasingly run from converged IP (Internet Protocol) based networks that are vulnerable to cyber attack. That includes so-called "lifelines" -- essential functions like water, electricity, communications, transportation and emergency services. That marks a critical departure from the past when such systems were isolated from the internet and other general purpose networks. "Each lifeline rides on, and is threaded together by, digital systems. And humans have yet to design a digital system that cannot be compromised," they write. With such civilization-sustaining functions now susceptible to attack, the onus is on society to maintain a means of operating them that does not rely on digital controls, Frye and Hodgson write. In many cases, that means preserving an older generation of analog infrastructure and management systems that could be manually operated, The Security Ledger reports. From their article: "In the case of communications, for instance, what is required is the preservation of a base core of copper-enabled connectivity, and the perpetuation of skills and equipment parts to make analog telephones work. Today, we see a move to decommission the copper-wire infrastructure. From a pure business standpoint, decommissioning copper is the right thing to do; but from a public-safety and homeland security perspective, we should reconsider.
Decommissioning copper increases homeland security risk, because failover planning calls simply for relying on another server, router, or data center that is also subject to compromise." -
MITRE Dangles $50,000 Prize For Spotting Rogue Internet of Things Devices (securityledger.com)
Long-time Slashdot reader chicksdaddy quotes Security Ledger: MITRE Corporation, the non-profit corporation that helps tackle some of the trickiest technical and security challenges out there, is dangling a $50,000 prize for anyone who can develop a solution for spotting rogue devices within an Internet of Things network...saying that it's looking for ground breaking new approaches to securing diverse Internet of Things networks like those in connected homes.
"Network administrators need to know exactly what is in the environment, or the network -- including when an adversary has switched out one device for another. In other words, is the smart thermostat we see today the same one that was there yesterday? We are looking for a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network... " Their registration form will be open through October, and the challenge will end after four weeks in November, or "whenever someone wins." -
Old Qualcomm Vulnerability Exposes Android User Data (securityweek.com)
Reader wiredmikey writes: Researchers from FireEye have disclosed the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models (Editor's note: the link could have pop-up ads, here's an alternate source). The vulnerability is in the Qualcomm tethering controller (CVE-2016-2060) and could allow a malicious application to access user information. While the flaw could expose millions of Android devices, the vulnerability has limited impact on devices running Android 4.4 and later, which include significant security enhancements, and also does not affect Nexus devices. FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March and started reaching out to OEMs to let them know about the issue. Now it's up to the device manufacturers to push out the patch to customers. FireEye said: "The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched." -
'Venom' Security Vulnerability Threatens Most Datacenters
An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). "The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies." The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software." The vulnerability has been dubbed "Venom," for "Virtualized Environment Neglected Operations Manipulation." -
Dangerous Vulnerability Fixed In Wget
jones_supa writes: A critical flaw has been found and patched in the open source Wget file retrieval utility that is widely used on UNIX systems. The vulnerability is publicly identified as CVE-2014-4877. "It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov writes in Red Hat Bugzilla. A malicious FTP server can stomp over your entire filesystem, tweets HD Moore, chief research officer at Rapid 7, who is the original reporter of the bug. -
30-Day Status Update On LibreSSL
ConstantineM writes: "Bob Beck — OpenBSD, OpenSSH and LibreSSL developer and the director of Alberta-based non-profit OpenBSD Foundation — gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing for a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.
Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that nobody at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers at finding and fixing even more of OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL. It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL — RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.
To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment. The Linux Foundation has not yet committed support, but discussions are ongoing. Funding can be directed to the OpenBSD Foundation." Update: 05/18 14:28 GMT by S : Changed last paragraph to better reflect the Linux Foundation's involvement. -
5-Year-Old Linux Kernel Bug Fixed
rastos1 sends in a report about a significant bug fix for the Linux kernel (CVE-2014-0196). "'The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device. 'This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31),' Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. 'A bug this serious only comes out once every couple years.' ... While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers, Rosenberg said." -
New Zero-Day Flash Bug Affects Windows, OS X, and Linux Computers
An anonymous reader writes "Researchers at the Kaspersky Lab have uncovered a zero-day Adobe Flash vulnerability that affects Windows, OS X, and Linux. 'While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well.' Adobe has reportedly patched the bug for all platforms. Researchers first detected the bug from attacks performed on seven Syrian computers. The attacks seem to have been hosted on the Syrian Ministry of Justice website, which has led to speculation that these are state-sponsored vulnerability exploits. This speculation is further supported by evidence that one of the exploits was 'designed to target computers that have the Cisco Systems MeetingPlace Express Add-In version 5x0 installed. The app is used to view documents and images during Web conferences.'" -
Microsoft Word Zero-Day Used In Targeted Attacks
wiredmikey (1824622) writes "Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word 2010 that is being actively exploited in targeted attacks. If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges. 'The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,' Microsoft explained. Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft." -
Security Industry Incapable of Finding Firmware Attackers
New submitter BIOS4breakfast writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is: when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?" -
Netflix Users In Danger of Unknowingly Picking Up Malware
An anonymous reader writes "Users of Silverlight, Microsoft's answer to Adobe Flash, are in danger of having malware installed on their computers and being none the wiser, as an exploit for a critical vulnerability (CVE-2013-0634) in the app framework has been added to the Angler exploit kit. The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements." You'd think something like Silverlight would automatically upgrade itself. -
Recent Apple Java Update Doesn't Fix Critical Java Flaw Claims Researcher
hypnosec writes "Just yesterday Apple released updates to fix Java vulnerabilities, but it seems the patch doesn't actually target the recently discovered high-profile Java bug that has been the talk of the web during the last two weeks. The two updates – Java for OS X 2012-005 for OS X Lion and Java for Mac OS X 10.6 Update 10 for Mountain Lion, are meant to tackle the vulnerability described in CVE-2012-0547. But according to KrebsOnSecurity, it seems Cupertino hasn't addressed the recent mega-vulnerabilities in Java as described in CVE-2012-4681." Update: 09/07 12:00 GMT by S : As readers have pointed out, these updates address flaws in Java 6, which is the version Apple maintains. The recently-reported Java vulnerabilities primarily affect Java 7, the patching of which is handled solely by Oracle. Nothing to see here. -
Linguists Out Men Impersonating Women On Twitter
Hugh Pickens writes "Remember when the Gay Girl in Damascus revealed himself as a middle-aged man from Georgia? On a platform like Twitter, which doesn't ask for much biographical information, it's easy (and fun!) to take on a fake persona but now linguistic researchers have developed an algorithm that can predict the gender of a tweeter based solely on the 140 characters they choose to tweet. The research is based on the idea that women use language differently than men. 'The mere fact of a tweet containing an exclamation mark or a smiley face meant that odds were a woman was tweeting, for instance,' reports David Zax. Other research corroborates these findings, finding that women tend to use emoticons, abbreviations, repeated letters and expressions of affection more than men and linguists have also developed a list of gender-skewed words used more often by women including love, ha-ha, cute, omg, yay, hahaha, happy, girl, hair, lol, hubby, and chocolate. Remarkably, even when only provided with one tweet, the program could correctly identify gender 65.9% of the time. (PDF). Depending on how successful the program is proven to be, it could be used for ad-targeting, or for socio-linguistic research." -
iPad Left Vulnerable After Record iPhone Patch Job
CWmike writes "With Monday's iOS 4 upgrade, Apple patched a record 65 vulnerabilities in the iPhone, more than half of them critical. However, the first-generation iPhone and iPod Touch, as well as the much newer iPad, may have been left vulnerable to some or all of the 65 bugs. iOS 4 cannot be installed on 2007's iPhone and iPod Touch, and the upgrade is not slated to reach iPad owners until this fall. The bug count is a record for the iPhone, surpassing the previous high mark of 46 vulnerabilities patched last summer with iPhone OS 3.0. Formerly known as iPhone OS 4, iOS 4 included 35 bugs, or 54% of the total, that were tagged with the phrase 'arbitrary code execution.' It's unclear how many, if any, of the vulnerabilities affect Apple's iPad. The media tablet runs an interim version of the operating system, dubbed iPhone 3.2, that followed the February iPhone 3.1.3 security update. It's possible that some of the bugs patched Monday were fixed by Apple before it launched the iPad in early April. But according to the Common Vulnerabilities & Exposures database, it's likely that many of the flaws fixed on Monday still exist in 3.2." -
Adobe Goes To Flash 10.1, Forgoes Security Fix For 10
An anonymous reader writes "The recent critical zero-day security flaw in Flash 10 may have fast-tracked the release of Flash 10.1 today. Adobe 10.1 boasts the much anticipated H.264 hardware acceleration. Except for Linux and Mac OS (PDF): 'Flash Player 10.1, H.264 hardware acceleration is not supported under Linux and Mac OS. Linux currently lacks a developed standard API that supports H.264 hardware video decoding, and Mac OS X does not expose access to the required APIs.' Your humble anonymous reporter, who is using Fedora Linux with an ATI IGP 340M, is very pleased that the developers of the OSS drivers have provided hardware acceleration for my GPU ('glxinfo : direct rendering: Yes,' 'OpenGL renderer string: Mesa DRI R100 (RS200 4337) 20090101 NO-TCL DRI2'), but even if Adobe did provide hardware acceleration for H.264 on Linux, they wouldn't provide it for me because they disable it for GPUs with SGI in the Client vendor string. Adobe 10.1, with all its goodness, now gives me around 95% CPU usage as opposed to about 75% with the previous release. Good times. I anticipate my Windows friends will have a much better experience." -
The 25 Most Dangerous Programming Errors
Hugh Pickens writes "The Register reports that experts from some 30 organizations worldwide have compiled 2010's list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications. The 25 flaws are the cause of almost every major cyber attack in recent history, including the ones that recently struck Google and 33 other large companies, as well as breaches suffered by military systems and millions of small business and home users. The top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. Interestingly enough the classic buffer overflow ranked 3rd in the list while Cross-site Scripting and SQL Injection are considered the 1-2 punch of security weaknesses in 2010. Security experts say business customers have the means to foster safer products by demanding that vendors follow common-sense safety measures such as verifying that all team members successfully clear a background investigation and be trained in secure programming techniques. 'As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,' the introduction to the list states and includes a draft contract with the terms customers should request to enable buyers of custom software to make code writers responsible for checking the code and for fixing security flaws before software is delivered." -
Mac OS X Users Vulnerable To Major Java Flaw
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update." -
Apple Patches Kaminsky DNS Vulnerability
Alexander Burke writes "Apple has just released Security Update 2008-005, which patches BIND against the Kaminsky DNS poisoning issue. 'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well." A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue. -
Name That Worm
Ant wrote to mention a C|NET article reporting on the Common Malware Enumeration (CME) initiative, now emerging from its test phase. From the article: "Next month, the U.S. Computer Emergency Readiness Team (CERT) plans to officially take the wraps off the effort, meant to reduce the confusion caused by the different names security companies give worms, viruses and other pests. The project assigns a unique identifier to a particular piece of malicious software. When included in security software, in alerts and in virus encyclopedia entries, this identifier should help people determine which pest is hitting their systems and whether they are protected ..." -
Apache 2.0.50 Released
Gruturo writes "The Apache Software Foundation just released version 2.0.50, which, apart from the usual incremental improvements and bug fixes, addresses security vulnerabilities such as CAN-2004-0493 (Memory leak which could lead to resource depletion == DoS) and CAN-2004-0488 (a mod_ssl buffer overflow). Be kind to their servers and use a mirror." -
Apache 2.0.48 Released
Gruturo writes "Busy week for the Apache software foundation: After 1.3.29, version 2 gets an update as well with 2.0.48, which mainly fixes these two security vulnerabilities. As usual, using a mirror is recommended." The official announcement lists several changes as well. -
A Database of Patched Software?
Midnight Warrior asks: "I am one system administrator for what is an organization of dozens of LANs. Together, we all must keep our machines patched. Now we can all watch CVE, frequent securityfocus.com, or let LWN [Updated vulnerabilities section] bring things together. LWN does a fabulous job, but I'm looking for something bigger and more personalized that doesn't require the system be on the internet. Freshmeat, SourceForge, and Google are all NULL on this question: is there a database, and scraping agents in existence that will let one person oversee dozens of OS installations, a mish-mash of software packages, and an even worse level of up-to-date patching exist so that when a new vulnerability against, say, OpenSSH comes out, I can look up which systems need to be tested and patched? My work should be limited to maintaining OS (not just Linux distros), software versions, and current patch lists. This is a classic database problem, but has someone already solved it?" -
Apache 2.0.45 Released
thx2001r writes "Well, it's no longer April 1st across the contiguous United States, so the coast is clear to say Apache 2.0.45 is released. This version contains two important security fixes and a number of bug fixes. The security fixes affect all platforms and versions of Apache 2.0.x up until this update with some special caveats for the 2.0.45 OS/2 release. It looks like the first security vulnerability addressed in this eighth public release of the Apache 2.0.x series is having its details withheld until April 8th. This is being called "a significant Denial of Service vulnerability" for Apache 2.0.x by the ASF." -
Apache 1.3.26 and 2.0.39 Released
cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug. -
Responses to ADTI Paper
Everyone and their brother has something to say about the silly and incoherent ADTI paper released yesterday. It doesn't even seem worth the effort to me - it's so internally inconsistent that I can't imagine it convincing anyone of anything. Nevertheless, David Skoll of Roaring Penguin has a good rebuttal, and Newsforge pointed out that the MITRE study that's been kicking around for so long is now public, and took a look at the differences between the two. Update: 06/11 18:43 GMT by M: Another rebuttal, by John Viega and Bob Fleck of Secure Software. -
IBM Itanium Based Systems and Linux
ErrantKbd writes "An article at Infoworld discusses IBM's plans to release Itanium-based systems sometime in the January/February timespan. They will be building systems running Windows of course, but also ready-made servers running RedHat, Caldera, TurboLinux, and SuSE. Should be pretty sweet provided everything goes smoothly with the 64-bit processor. Note: there is an error in the article, a 64 bit system can directly address approximately 1 billion times more than the article suggests." Those'll be one helluva desktop box. -
Diffie & Hellman Get $100,000 Fellowship
MoNickels writes "Diffie & Hellman will receive a $100,000 fellowship from the Marconi Foundation for their work in encryption. The panel discussion Oct. 10 at Columbia University in New York should be rich. Check out these names: George Heilmeier (former head of Bellcore) will speak, then the panel will include Diffie and Hellman, Eric Ash, Leonard Kleinrock (inventor of packet switching) and Paul Baran (co-inventor of packet switching)." -
Speech Recognition, Voice Verification -- Free
ten thirty writes: "TECHNOCRAT.NET recently featured a great article regarding the dawning (well, it's only a few years old anyway) of speech recognition software within the open source community. In particular, the Sphinx project of Carnegie Mellon University is discussed, as well as some other systems such as Festival and a public domain project at the University of Missouri. The notion here is that eventually the GUI, which has come so far over the past two decades, will eventually be supplanted, at least for some applications, by the VUI. The question is, will the open-source community allow the integration of this technology into our society be spearheaded by closed-source vendors?"