NEWS
Linux Foundation Releases a New Draft of OpenChain Specification
The OpenChain Project is releasing a draft of its OpenChain Specification 2.0 (https://www.openchainproject.org/news/2019/02/15/comment-on-the-next-generation-of-the-openchain-specification).
OpenChain is a critical open source project that offers a standard for open source compliance in the supply chain. Open source is powering the modern world; every company is consuming open source in one way or the other. It's becoming critical that they comply with the license used. "OpenChain provides a specification as well as overarching processes, policies, and training that companies need to be successful in managing open source license compliance so that it becomes more efficient, understandable, and predictable for participants of the software supply chain," said the OpenChain blog post.
The Linux Foundation has also announced that Microsoft is joining the OpenChain Project as a platinum member (https://www.openchainproject.org/news/2019/02/06/microsoft-joins-openchain-platform). Under the leadership of Satya Nadella, Microsoft has become more active in its support of open source initiatives. As a lot of open source code flows through Microsoft's own products and services, it's critical for the company to ensure that it is totally in compliance with open source.
"By joining the OpenChain Project, we look forward to working alongside the community to define compliance standards that help build confidence in the open source ecosystem and supply chain," said David Rudin, assistant general counsel, Microsoft.
Other platinum members of the OpenChain project include Adobe, ARM Holdings, Cisco, Comcast, Facebook, GitHub, Google, Harman International, Hitachi, Qualcomm, Siemens, Sony, Toshiba, Toyota, Uber, and Western Digital.
Hackers Start Exploiting Drupal Bug
Hackers have started exploiting a security flaw in Drupal that was patched last week. Imperva reported that they started seeing attacks on February 23, after the two vulnerabilities were patched and proof-of-concept (PoC) exploit code was made available publicly. Attackers tried to install CoinIMP, a JavaScript cryptocurrency miner on unpatched sites.
Drupal wrote in an advisory that CVE-2019-6340 and SA-CORE-2019-003 can lead to arbitrary PHP code execution in some cases, as some field types do not properly sanitize data from non-form sources.
The advisory said that a site can be affected if it meets one of these conditions: the site has the Drupal 8 core RESTful Web Services (REST) module enabled and allows GET
, PATCH
, or POST
requests; or the site has another web services module enabled, like JSON:API in Drupal 8 or Services or RESTful Web Services in Drupal 7.
Drupal doesn't have any automated update mechanism (https://www.drupal.org/project/ideas/issues/2940731), and updating Drupal is more involved than updating WordPress, which means many sites may still be unpatched.
The vulnerabilities affect only Drupal 8 sites, unless you have Services or RESTful Web Services enabled in Drupal 7.
According to ZDNet (https://www.zdnet.com/article/it-took-hackers-only-three-days-to-start-exploiting-latest-drupal-bug/), there are only 63,000 Drupal 8 sites, which means there might not be enough incentive for hackers to spend their time searching out Drupal 8 sites to attack. Still, Drupal 8 admins are advised to install the patch as soon as possible.
LibreOffice Vulnerable to Remote Code Execution Flaw
Security researcher Alex Inführ has discovered a vulnerability in OpenOffice and LibreOffice that allows remote code execution (https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html).
In a blog post, Inführ wrote that he found a way to achieve remote code execution as soon as a user opens a malicious ODT file and moves their mouse over the document, without triggering a warning dialog.
He demonstrated PoC, in which he created a hyperlink and changed its color from the default blue to white, so it would not raise suspicion. The link covered the whole page, increasing the chance of the user hovering the mouse over it. Remember, no clicking was needed; just hovering the mouse over the hyperlink was required to execute the payload.
The culprit here is the Python interpreter (pydoc.py
) that comes with LibreOffice. It accepts commands and executes them via the command line.
LibreOffice has already released a patch; OpenOffice has not yet.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.