NEWS
Linux Foundation Releases a New Draft of OpenChain Specification
The OpenChain Project is releasing a draft of its OpenChain Specification 2.0 (https://www.openchainproject.org/news/2019/02/15/comment-on-the-next-generation-of-the-openchain-specification).
OpenChain is a critical open source project that offers a standard for open source compliance in the supply chain. Open source is powering the modern world; every company is consuming open source in one way or the other. It's becoming critical that they comply with the license used. "OpenChain provides a specification as well as overarching processes, policies, and training that companies need to be successful in managing open source license compliance so that it becomes more efficient, understandable, and predictable for participants of the software supply chain," said the OpenChain blog post.
The Linux Foundation has also announced that Microsoft is joining the OpenChain Project as a platinum member (https://www.openchainproject.org/news/2019/02/06/microsoft-joins-openchain-platform). Under the leadership of Satya Nadella, Microsoft has become more active in its support of open source initiatives. As a lot of open source code flows through Microsoft's own products and services, it's critical for the company to ensure that it is totally in compliance with open source.
"By joining the OpenChain Project, we look forward to working alongside the community to define compliance standards that help build confidence in the open source ecosystem and supply chain," said David Rudin, assistant general counsel, Microsoft.
Other platinum members of the OpenChain project include Adobe, ARM Holdings, Cisco, Comcast, Facebook, GitHub, Google, Harman International, Hitachi, Qualcomm, Siemens, Sony, Toshiba, Toyota, Uber, and Western Digital.
Hackers Start Exploiting Drupal Bug
Hackers have started exploiting a security flaw in Drupal that was patched last week. Imperva reported that they started seeing attacks on February 23, after the two vulnerabilities were patched and proof-of-concept (PoC) exploit code was made available publicly. Attackers tried to install CoinIMP, a JavaScript cryptocurrency miner on unpatched sites.
Drupal wrote in an advisory that CVE-2019-6340 and SA-CORE-2019-003 can lead to arbitrary PHP code execution in some cases, as some field types do not properly sanitize data from non-form sources.
The advisory said that a site can be affected if it meets one of these conditions: the site has the Drupal 8 core RESTful Web Services (REST) module enabled and allows GET
, PATCH
, or POST
requests; or the site has another web services module enabled, like JSON:API in Drupal 8 or Services or RESTful Web Services in Drupal 7.
Drupal doesn't have any automated update mechanism (https://www.drupal.org/project/ideas/issues/2940731), and updating Drupal is more involved than updating WordPress, which means many sites may still be unpatched.
The vulnerabilities affect only Drupal 8 sites, unless you have Services or RESTful Web Services enabled in Drupal 7.
According to ZDNet (https://www.zdnet.com/article/it-took-hackers-only-three-days-to-start-exploiting-latest-drupal-bug/), there are only 63,000 Drupal 8 sites, which means there might not be enough incentive for hackers to spend their time searching out Drupal 8 sites to attack. Still, Drupal 8 admins are advised to install the patch as soon as possible.
LibreOffice Vulnerable to Remote Code Execution Flaw
Security researcher Alex Inführ has discovered a vulnerability in OpenOffice and LibreOffice that allows remote code execution (https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html).
In a blog post, Inführ wrote that he found a way to achieve remote code execution as soon as a user opens a malicious ODT file and moves their mouse over the document, without triggering a warning dialog.
He demonstrated PoC, in which he created a hyperlink and changed its color from the default blue to white, so it would not raise suspicion. The link covered the whole page, increasing the chance of the user hovering the mouse over it. Remember, no clicking was needed; just hovering the mouse over the hyperlink was required to execute the payload.
The culprit here is the Python interpreter (pydoc.py
) that comes with LibreOffice. It accepts commands and executes them via the command line.
LibreOffice has already released a patch; OpenOffice has not yet.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.
-
DebConf24 to be Held in South Korea
Busan will be the location of the latest DebConf running July 28 through August 4