Published on Tux Machines (http://www.tuxmachines.org)


Security Leftovers

By Roy Schestowitz Created 05/07/2021 - 4:05pm Submitted by Roy Schestowitz on Monday 5th of July 2021 04:05:51 PM Filed under Security [1]

Microsoft urges PowerShell users to upgrade to protect against critical vulnerability[2]

Microsoft has issued a warning to users of PowerShell 7.0 and 7.1 to update to protect against a .NET Core remote code execution vulnerability.

Tracked as CVE-2021-26701, the vulnerability is described as critical and could affect Windows, macOS and Linux. The security issue has been known about for a little while, but Microsoft is only now urging users to install updates to ensure that they are protected.

Enter invisible passwords using this Python module | Opensource.com[3]

Passwords are particularly problematic. You're not supposed to store them without encrypting them, and you're not supposed to reveal what's been typed when your user enters one. This became particularly important to me when I decided I wanted to boost security on my laptop. I encrypt my home directory, but once I log in, any password stored as plain text in a configuration file is potentially exposed to prying eyes.

Specifically, I use an application called Mutt as my email client. It lets me read and compose emails in my Linux terminal, but normally it expects a password in its configuration file. I restricted permissions on my Mutt config file so that only I can see it, but I'm the only user of my laptop, so I'm not really concerned about authenticated users inadvertently looking at my configs. Instead, I wanted to protect myself from absent-mindedly posting my config online, either for bragging rights or version control, with my password exposed. In addition, although I have no expectations of unwelcome guests on my system, I did want to ensure that an intruder couldn't obtain my password just by running cat on my config.

Russell Coker: Servers and Lockdown [4]

OS security features and class systems are things that surely belong together. If a program is important enough to buy expensive servers to run it then it's important enough that you want to have all the OS security features enabled. For such an important program you will also want to have all possible monitoring systems running so you can predict hardware failures etc. Therefore you would expect that you could buy a server, set up the vendor's management software, configure your Linux kernel with security features such as 'lockdown' (an LSM that restricts access to /dev/mem, the iopl() system call, and other dangerous things [1]), and have it run nicely! You will be disappointed if you try doing that on a HP or Dell server though.

Security updates for Monday [5]

Security updates have been issued by Arch Linux (electron11, electron12, istio, jenkins, libtpms, mediawiki, , opera, , and python-fastapi), Debian (djvulibre and openexr), Fedora (dovecot, libtpms, nginx, and php-league-flysystem), Gentoo (corosync, freeimage, , and libqb), Mageia (busybox, file-roller, live, networkmanager, and php), openSUSE (clamav-database, lua53, and roundcubemail), Oracle (389-ds:1.4, kernel, libxml2, python38:3.8 and python38-devel:3.8, and ruby:2.5), and SUSE (crmsh, djvulibre, python-py, and python-rsa).


Source URL: http://www.tuxmachines.org/node/153059

Links:
[1] http://www.tuxmachines.org/taxonomy/term/59
[2] https://betanews.com/2021/07/03/microsoft-urges-powershelll-users-to-upgrade-to-protect-against-critical-vulnerability/
[3] https://opensource.com/article/21/7/invisible-passwords-python
[4] https://etbe.coker.com.au/2021/07/05/servers-and-lockdown/
[5] https://lwn.net/Articles/861906/rss