Security Leftovers

posted by Roy Schestowitz on Dec 17, 2024

• LWN ☛ Security updates for Monday

  Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath).

• LinuxInsider ☛ Preventing Critical Server Security Issues With Linux Live Patching

  Live kernel patching minimizes the need for organizations to take down servers, reboot systems, or schedule disruptive maintenance windows. While these challenges are significant, live patching offers a practical solution to reduce downtime and improve operational efficiency.

• Federal News Network ☛ CISA lays out how agencies, industry should respond to major cyber incidents

  The draft national cyber incident response plan comes eight years after the last update, and more than six years after the creation of CISA itself.

• OpenSSF (Linux Foundation) ☛ SigstoreCon 2024: Advancing Software Supply Chain Security [Ed: This isn't about security, it's about monopoly; this group is a front for colonisers in "security" clothing]

  On November 12, 2024, the software security community gathered in Salt Lake City for SigstoreCon: Supply Chain Day, co-located with KubeCon North America 2024. The one-day conference brought together developers, maintainers, and security experts to explore how Sigstore is transforming software supply chain security through simplified signing and verification of digital artifacts.

• Survey Surfaces Raft of Cloud Native Application Security Challenges [Ed: They make money out of their own FUD; this is marketing with conflict of interest]

  Venafi, a unit of CyberArk, today published a survey of 800 security and IT decision-makers in the U.S. and Europe finds 86% of respondents work for organizations that have experienced a security incident involving their cloud-native application environment within the last year.

• antiX Linux ☛ AntiX Kernel upgrades available

  Users are strongly recommended to update to one of the latest available antiX kernels.

• SequoiaPGP ☛ Sequoia PGP: A Sapling Matures: Meet sq 1.0

  The Sequoia PGP team is happy to announce the release of version 1.0 of sq. sq is a command-line tool for working with OpenPGP artifacts with a focus on usability, security, and robustness.

  After seven years of development, this is sq’s first stable release. A notable change for existing users of sq is that we will no longer change sq’s CLI in an incompatible manner.

• LWN ☛ A sapling matures: meet sq 1.0

  The Sequoia PGP project has announced version 1.0 of the sq command-line tool for managing OpenPGP encryption and signatures. It also provides a decentralized public key infrastructure (PKI), and key management facilities. This is the first stable release since development began on the project in 2017.

• Bruce Schneier ☛ Short-Lived Certificates Coming to Let’s Encrypt

  Starting next year:

  Our longstanding offering won’t fundamentally change next year, but we are going to introduce a new offering that’s a big shift from anything we’ve done before—short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

• PCLinuxOS

  • PCLOS Official ☛ PCLinuxOS Recent Updates