Security: diffoscope, "smart" things, patches, and LastPass security breach
-
Reproducible Builds: diffoscope 228 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 228. This version includes the following changes:
[ FC Stegerman ]
* As an optimisation, don't run apktool if no differences are detected before the signing block. (Closes: reproducible-builds/diffoscope!105)

[ Chris Lamb ]
* Support both the python3-progressbar and python3-progressbar2 Debian packages, two modules providing the "progressbar" Python module. (Closes: reproducible-builds/diffoscope#323)
* Ensure we recommend apksigcopier. (Re: reproducible-builds/diffoscope!105)
* Make the code clearer around generating the Debian substvars and tidy generation of os_list.
* Update copyright years.
-
Consumer advice for buying smart IoT devices this Christmas | Pen Test Partners
Rightly or wrongly there’s plenty of fear, uncertainty, and downright doom associated with the IoT and devices.
So, is it safe to buy these things as gifts or even as a treat for yourself this year? In our opinion it probably is, as long as you follow some basic advice.
-
Security updates for Friday [LWN.net]
Security updates have been issued by Debian (snapd), Fedora (firefox, libetpan, ntfs-3g, samba, thunderbird, and xen), SUSE (busybox, emacs, and virt-v2v), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-hwe, linux-gcp, linux-hwe, linux-oracle, and tiff).
-
Intruders gain access to user data in LastPass incident • The Register
Intruders broke into a third-party cloud storage service LastPass shares with affiliate company GoTo and gained access to "certain elements" of customers' information, the pair have confirmed.
LastPass did not define what it meant by "certain elements," saying it was unsure what data was looked at: "We are working diligently to understand the scope of the incident and identify what specific information has been accessed this morning."
Last night's statement also confirmed the attackers obtained the information to carry out the current intrusion using information stolen in an August attack, which we covered here.
-
LastPass Security Breach - Schneier on Security
The company was hacked, and customer information accessed. No passwords were compromised.