Google: First SHA1 Collision, Cloudflare Memory Leak Incident Report

At security.googleblog.com they went over the SHA-1 collision from last week:
“Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision.”
For more:
security.googleblog

Cloudflare released a report on the memory leak incident from late last week.
In some circumstances, their edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens and more. The report goes on to describe the fix and the details of the issue. For more:
Cloudflare:Incident Report on Memory Leak Caused by Cloudflare Parser Bug

Kernel Vulnerabilities Fixed In Ubuntu, Virginia Supreme Court: License Plate Surveillance, and Supertux Racer on Steam Greenlight

Multiple vulnerabilities have been found in the Ubuntu 16.04 LTS Linux 4.4 kernel. The recent update to 16.04.2 uses the 16.10 (Yakkety) Linux 4.8 kernel. So if you made the jump to 16.04.2 then check this out:
Ubuntu 16.10 Security issue
CVE-2016-9588: a flaw in the kernel’s implementation of KVM, discovered by Jim Mattson and Dmitry Vyukov.
UbuntuFree:New Ubuntu Vulnerabilities

EFF Reports VA Supreme Court Should Protect Drivers from License Plate Surveillance

You can vote for Supertux Racer now at Steam Greenlight below.
Steam:Supertux Racer

Ubuntu 16.04.2 LTS released, Arch Linux ending i686 support, AnC side-channel attack, and OpenSSL update.

Arch Linux’s February ISO is to be the last release with i686 support, and i686 will only receive updates for the next nine months. According to Archlinux.org, this is due to decreasing popularity among devs and the community. The people at Arch are encouraging anyone still interested to “keep it alive” with some guidance from the Arch team.

Arch:Phasing out i686

Over at VUSec they document a side-channel attack that can detect which locations in the page table are accessed by the memory management unit. The attack takes advantage of the cache hierarchy of modern processors being shared by untrusted applications. More details in the link below.

Vusec:AnC attack

OpenSSL 1.1.0 updates to 1.1.0e.

OpenSSL:1.1.0e update

Ubuntu releases 16.04.2 LTS.

Ubuntu:16.04.2 released