Welcome to LinuxSecure
I found some scripts on my workstation that have not been
published and may be interesting for some people. Actually, I will not prepare them for publishing, but you can
contact me if you are interested in one or more of them.
- A tool for the backup of network components. The script runs as a daemon and can be configured via config files.
It reads the config files containing the passwords of the components only once, so you can keep them in encrypted storage.
There are several templates for ssh, scp and telnet. The intention is to make automated backups of routers, switches, firewalls etc.
- Postfixanalyser was written for the Trend Micro mail virus scanner. You can search for mails and you will get a
status for each mail found: when the system received it, when it last worked on the mail, what the status of the
mail is, and whether there were any problems while delivering it. The second feature was a simple statistic: bytes and number of mails received and sent,
mails by status (received from extern, queued, sent to trend, received from trend, queued, delivered) and mails by problem
(deferred and not sent to scanner (scanner rejected), deferred and not sent to scanner (scanner down), sent to trend, but deferred before,
deferred and not sent to extern (mta rejected), deferred and not sent to extern (mta down), sent to extern, but deferred before).
- A logscanner and a scanner for the checkpoint objects file.
- A tool that parses the registry of the genugate firewall and produces more human-readable output in HTML.
- A ftp-script for the honeynet.
- Various backup scripts in Perl and Bash.
- Various iptables scripts.
- A script called minilinux to create a small linux out of a huge running system.
- Pigsparty was a small project that was never finished. The idea was to convert snort rule sets into iptables rule sets.
- A snort admin interface in php.
- A Perl module and some programs (e.g. mfl) for the preparation and analysis of longitudinal data with a focus on same domains.
| What's New|
|[2005-02-18] mp3riot version 1.3 released|
|[2004-10-08] mp3riot version 1.2 is out.|
|[2004-04-30] Added section Bridging|
|[2004-01-09] working progress on mp3riot version 1.2|
|Version 5.0.0 of the KDevelop integrated development environment (IDE) has been released, marking the end of a two-year development cycle. The highlight is a move to Clang for C and C++ support: "The most prominent change certainly is the move away from our own, custom C++ analysis engine. Instead, C and C++ code analysis is now performed by clang." The announcement goes on to describe other benefits of using Clang, such as more accurate diagnostics and suggested fixes for many syntax errors. KDevelop has also been ported to KDE Frameworks 5 and Qt 5, which opens up the possibility of Windows releases down the line.
|KDevelop 5.0 released|
|Arch Linux has updated libgcrypt (information disclosure).
Fedora has updated kernel (F24: use-after-free vulnerability), pagure (F24: cross-site scripting), and postgresql (F24: multiple vulnerabilities).
Red Hat has updated qemu-kvm-rhev (RHEL7 OSP5; RHEL7 OSP7; RHEL6 OSP5; RHEL7 OSP6:
SUSE has updated MozillaFirefox (SLE12: multiple vulnerabilities).
|Tuesday's security updates|
|Google has announced that the Android 7.0 release has started rolling out to recent-model Nexus
devices. "It introduces a brand new JIT/AOT compiler to improve
software performance, make app installs faster, and take up less
storage. It also adds platform support for Vulkan, a low-overhead,
cross-platform API for high-performance, 3D graphics. Multi-Window support
lets users run two apps at the same time, and Direct Reply so users can
reply directly to notifications without having to open the app. As always,
Android is built with powerful layers of security and encryption to keep
your private data private, so Nougat brings new features like File-based
encryption, seamless updates, and Direct Boot." See this page for a video-heavy description of new features.
|Android 7.0 "Nougat" released|
|Greg Kroah-Hartman has announced the release of the 4.7.2, 4.4.19,
and 3.14.77 stable kernels. As usual, they
contain fixes throughout the tree and users of those series should upgrade.
|Stable kernels 4.7.2, 4.4.19, and 3.14.77|
|Arch Linux has updated linux-lts (connection hijacking).
CentOS has updated kernel (C7:
Debian-LTS has updated cracklib2 (code execution) and suckless-tools (screen
Fedora has updated firewalld (F24: authentication bypass), glibc (F24:
denial of service on armhfp), knot (F24; F23:
denial of service), libgcrypt (F24: bad
random number generation), and perl (F23:
openSUSE has updated apache2-mod_fcgid (42.1, 13.2: proxy
injection), gd (13.2: multiple
42.1, 13.2: denial of service), pdns (42.1, 13.2: denial of service), python3 (42.1, 13.2: multiple
vulnerabilities), roundcubemail (42.1; 13.2; 13.1: multiple vulnerabilities, two from
2015), and typo3-cms-4_7 (42.1, 13.2: three
vulnerabilities from 2013 and 2014).
Scientific Linux has updated kernel (SL7: connection hijacking) and python (SL6&7: three vulnerabilities).
|Monday's security advisories|
|The 4.8-rc3 kernel prepatch is out.
"It all looks pretty sane, I'm not seeing anything hugely scary
|Kernel prepatch 4.8-rc3|
|The Fedora engineering steering committee has agreed that the
upcoming Fedora 25 release should use the Wayland display manager by
default. "There are still some bugs that are important to
solve. However, there is still time to work on them. And the legacy Xorg
session option will not be removed, and will be clearly documented how to
fallback in cases where users need it." If this plan holds, it may
be an important step in the long-awaited move away from the X Window
|Fedora 25 to run Wayland by default|
|The kdenlive video editor project has announced the
16.08.0 release. "Kdenlive 16.08.0 marks a milestone in the
project's history bringing it a step closer to becoming a full-fledged
professional tool." Highlights include three-point editing,
pre-rendering of timeline effects, Krita image support, and more.
|kdenlive 16.08.0 released|
|CentOS has updated python (C7; C6: multiple vulnerabilities).
Fedora has updated ca-certificates (F24: update to CA certificates) and spice (F23: multiple vulnerabilities).
Oracle has updated kernel (O7: TCP injection) and python (O7; O6: multiple vulnerabilities).
Red Hat has updated kernel (RHEL7; RHEL6:
kernel-rt (RHEL7: TCP injection), python (RHEL 6,7: multiple vulnerabilities), python27-python (RHSC: multiple vulnerabilities), python33-python (RHSC: multiple vulnerabilities), realtime-kernel (RHEM2.5: TCP injection), rh-mariadb101-mariadb (RHSC: multiple vulnerabilities), rh-python34-python (RHSC: multiple vulnerabilities), and rh-python35-python (RHSC: multiple vulnerabilities).
SUSE has updated the Linux
Kernel (SLE12: multiple vulnerabilities) and xen (SLE11: multiple vulnerabilities).
Ubuntu has updated gnupg (12.04, 14.04, 16.04: flawed random-number generation), libgcrypt11, libgcrypt20 (12.04, 14.04,
16.06: flawed random-number generation),
and postgresql-9.1, postgresql-9.3,
postgresql-9.5 (12.04, 14.04, 16.04: multiple vulnerabilities).
|Friday's security updates|
|Microsoft has announced the release of its PowerShell automation and scripting platform under the MIT license, complete with a GitHub repository. "Last year we started down this path by contributing to a number of open source projects (e.g. OpenSSH) and open sourcing a number of our own components including DSC resources. We learned that working closely with the community, in the code and with our backlog and issues list, allowed us prioritize and drive the development much more responsively. We've always worked with the community but shifting to a fine-grain, tight, feedback loop with the code, energized the team and allowed us to focus on the things that had the most impact for our customers and partners. Now we are going big by making PowerShell itself an open source project and making it available on Mac OS X, Ubuntu, CentOS/RedHat and others in the future."|
|Microsoft announces PowerShell for Linux and Open Source|
|The Xenomai project is mourning Gilles Chanteperdrix, a longtime maintainer of the realtime framework, who recently passed away. In the announcement, Philippe Gerum writes: "Gilles will forever be remembered as a true-hearted man, a brilliant mind always scratching beneath the surface, looking for elegance in the driest topics, never jaded from such accomplishment.
According to Paul Valéry, 'death is a trick played by the inconceivable on the conceivable'. Gilles's absence is inconceivable to me, I can only assume that for once, he just got rest from tirelessly helping all of us."|
|Xenomai project mourns Gilles Chanteperdrix|
|Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed.
"With optical-scan voting, the voter fills in the bubbles next to the names of her selected candidates on paper ballot; then she feeds the op-scan ballot into the optical-scan computer. The computer counts the vote, and the paper ballot is kept in a sealed ballot box. The computer could be hacked, in which case (when the polls close) the voting-machine lies about how many votes were cast for each candidate. But we can recount the physical pieces of paper marked by the voter's own hands; that recount doesn't rely on any computer. Instead of doing a full recount of every precinct in the state, we can spot-check just a few ballot boxes to make sure they 100% agree with the op-scan computers' totals.
Problem: What if it's not an optical-scan computer, what if it's a paperless touchscreen (DRE, Direct-Recording Electronic) voting computer? Then whatever numbers the voting computer says, at the close of the polls, are completely under the control of the computer program in there. If the computer is hacked, then the hacker gets to decide what numbers are reported. There are no paper ballots to audit or recount. All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem."|
|Security against Election Hacking (Freedom to Tinker)|
|Arch Linux has updated chromium (multiple vulnerabilities) and linux-zen (connection hijacking).
Debian has updated gnupg (flawed
random number generation) and libgcrypt20 (flawed random number generation).
Debian-LTS has updated libupnp (arbitrary file overwrite).
Fedora has updated bind (F23:
denial of service), fontconfig (F23:
privilege escalation), and python3 (F23:
SUSE has updated xen (SLE12: multiple vulnerabilities,
one from 2014) and yast2-ntp-client (SLE10:
multiple vulnerabilities, most from 2015).
Ubuntu has updated fontconfig (16.04, 14.04, 12.04: privilege escalation).
|Thursday's security advisories|
|The LWN.net Weekly Edition for August 18, 2016 is available.
|[$] LWN.net Weekly Edition for August 18, 2016|
|Anyone who has been paying attention to Linux kernel development in
recent years would be aware that IPC - interprocess communication - is not
a solved problem. There are certainly many partial solutions, from pipes
and signals, through sockets and shared memory, to more special-purpose
solutions like Cross Memory
Attach and Android's binder. But it seems there
are still some use cases that aren't fully addressed by current solutions,
leading to new solutions being occasionally proposed to try to meet those needs.
The latest proposal is called "bus1".
|[$] Bus1: a new Linux interprocess communication proposal|