On the Lawrence Systems Forums
Tony Bemus, Tom Lawrence, Phil Porada and Jay LaCroix
Sound bites by Mike Tanner
The LawrenceSystems YouTube Channel Where videos
Jay’s Bash Prompt https://pastebin.com/kzPjE8y4
Apt get flaw
“We’re apt to find more problems like this”
“Some package managers should be a snap to secure.”
“I wonder how many more puns will emerge from this”
“I am going to GIT off this topic now..”
KeePass pwnage check
Wine 4.0 Vulkan support. Direct3D 12 support. Game controllers support.
NetBSD hits 100% reproducibility in builds
Someone Hacked PHP PEAR Site and Replaced the Official Package Manager
DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains
Superphishing interview attack
FBI arrests PureVPN user with log data that was said to not exist
Oklahoma is NOT OK
Apt Security Update
Max Justicz discovered a vulnerability in APT, the high level package manager.
The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.
Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only
The HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response.
So if the HTTP server sent Location: /new-uri%0AFoo%3A%20Bar, the HTTP fetcher process would reply with the redirect
The parent process will trust the hashes returned in the injected 201 URI Done response, and compare them with the values from the signed package manifest. Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package.
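The field injection described above, as an added example that is not APT's code and not from the original notes: it decodes the Location value quoted in the notes, shows the extra field a line-based parser then sees, and contrasts it with a builder that rejects control characters. The message layout, the field names URI and New-URI, the function names and the mirror URL are assumptions made for illustration.

```python
from urllib.parse import unquote

# Constructed sample input: the Location value is the one quoted in the notes,
# the mirror URL is a placeholder.
SAMPLE_URI = "http://mirror.example/pool/pkg.deb"
SAMPLE_LOCATION = "/new-uri%0AFoo%3A%20Bar"


def build_redirect_unsafe(uri: str, location: str) -> str:
    """Behaviour the notes describe: URL-decode, then append blindly."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {unquote(location)}\n\n"


def build_redirect_checked(uri: str, location: str) -> str:
    """Hardened form: refuse a decoded value that contains control characters."""
    decoded = unquote(location)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise ValueError("control character in Location header")
    return f"103 Redirect\nURI: {uri}\nNew-URI: {decoded}\n\n"


def parse_message(message: str) -> dict:
    """Parent-side view: first line is the status, the rest are 'Key: value'."""
    lines = message.strip("\n").split("\n")
    fields = {}
    for line in lines[1:]:
        key, _, value = line.partition(": ")
        fields[key] = value
    return {"status": lines[0], "fields": fields}


if __name__ == "__main__":
    parsed = parse_message(build_redirect_unsafe(SAMPLE_URI, SAMPLE_LOCATION))
    # The decoded %0A ends the New-URI line, so "Foo" arrives as its own field.
    print("unsafe builder, fields seen by parent:", parsed["fields"])
    try:
        build_redirect_checked(SAMPLE_URI, SAMPLE_LOCATION)
    except ValueError as err:
        print("checked builder rejected the header:", err)
```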
February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support
As of now, the staging environment has TLS-SNI fully disabled. Let’s Encrypt also disabled the “reuse valid authorizations” feature in staging for the next 30 days. This will ensure that each staging dry run issuance does a fresh validation, so you can be confident that if validation in the staging environment succeeds, your client is working correctly.
Also, Let’s Encrypt is changing the final end-of-life date for TLS-SNI in production to March 13, 2019. This will give more people time to update. We’re going to use the original February 13 date as the beginning of a brownout period: Let’s Encrypt will disable TLS-SNI validation in production on February 13, then re-enable it a week later. Additional brownout periods before the final deprecation may happen.
The goal of the brownout periods is to catch the attention of people who may have missed the notification emails. Not every certificate will necessarily renew during that window, but hopefully enough will that it increases the number of people who notice and can update ahead of the deadline.
What can you do?
- Confirm your Certbot version is 0.28 or higher. Current version is 0.31
- Remove any explicit references to tls-sni-01 in your renewal configuration
- Do a full renewal dry run
Steam For Linux Now Lets You Play Windows Games From Other Stores
A hotly requested Steam Play feature recently went live that introduces even more flexibility to Steam’s Proton tool (Proton is an addition to Steam that allows thousands of Windows games to be installed and played directly from the Steam for Linux client.) Users can now launch Windows games purchased on platforms outside of Steam from inside the Steam for Linux client.
773M Password ‘Megabreach’ is Years Old
Geolocating SSH Hackers In Real-Time
The curious case of the Raspberry Pi in the network closet
This content is published under the Attribution-Noncommercial-Share Alike 3.0 Unported license.