Language Selection

English French German Italian Portuguese Spanish

Security: HAProxy, Misplaced FUD, and More

Filed under
Security
  • HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack

    A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks.

  • Vulnerability Could Expose HAProxy to HTTP Request Smuggling Attack | eSecurityPlanet

    A critical vulnerability discovered in the open-source load balancer and proxy server HAProxy could enable bad actors to launch an HTTP Request Smuggling attack, which would let them bypass security controls and gain unauthorized access to sensitive data.

    Researchers with JFrog Security uncovered the vulnerability, CVE-2021-40346, during their regular searches for new and previously unknown vulnerabilities in popular open-source projects. HAProxy fits into that category.

  • Outdated Linux Versions, Misconfigurations Triggering Cloud Attacks: Report [Ed: This is not about Linux but software that runs on it; it's like blaming Photoshop holes on "Windows"]

    The "Linux Threat Report 2021 1H" from Trend Micro found that Linux cloud operating systems are heavily targeted for cyberattacks, with nearly 13 million detections in the first half of this year. As organizations expand their footprint in the cloud, correspondingly, they are exposed to the pervasive threats that exist in the Linux landscape.

    This latest threat report, released Aug. 23, provides an in-depth look at the Linux threat landscape. It discusses several pressing security issues that affect Linux running in the cloud.

  • Security Risks of Relying on a Single Smartphone

    Isracard used a single cell phone to communicate with credit card clients, and receive documents via WhatsApp. An employee stole the phone. He reformatted the SIM, which was oddly the best possible outcome, given the circumstances. Using the data to steal money would have been much worse.

  • ClamAV 0.104.0 introduces LTS program - itsfoss.net

    The developers have announced the project’s blog a new Long Term Support (LTS) program on as part of an update of their End-of-Life (EOL) policy. The LTS program begins retrospectively with the last major version, ClamAV 0.103. The new LTS policy extends the lifespan from 0.103 to September 2023. LTS editions are supported for a minimum of three years.

    Each LTS version is supported with critical patch versions and access to signature updates for the duration of the three-year support period. A new LTS feature release is presented approximately every two years. Non-LTS releases are supported with critical patch versions for at least four months from the original release date of the next feature release or until the release of the next feature release. For detailed information on the Long Term Support Program, see the LTS Announcement blog post and the LTS Policy in the online documentation.

  • Best File and Disk Encryption Tools For Linux

    Most of us are familiar with Microsoft Windows or macOS - these OSes dominate the personal computing space. But the OS that is taking over the world isn’t owned by Microsoft, Apple, or any tech company for that matter. In fact, the most popular OS in the world today isn’t owned by anyone. It’s the completely open-source Linux operating system.

    [...]

    GnuPG, also known as GPG, is a unique hybrid encryption tool that not only employs conventional symmetric-key cryptography but also uses public-key cryptography. This two-prong approach to encryption helps speed up the encryption process without compromising OS security.

    GnuPG is popular among journalists who use the tool to encrypt important documents and protect the identities of their sources.

  • Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

    Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

  • Zoho Releases Security Update for ADSelfService Plus | CISA

    Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. Additionally, CISA strongly urges organizations ensure ADSelfService Plus is not directly accessible from the internet.

Later coverage

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

digiKam 7.7.0 is released

After three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. Read more

Dilution and Misuse of the "Linux" Brand

Samsung, Red Hat to Work on Linux Drivers for Future Tech

The metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. Read more

today's howtos

  • How to install go1.19beta on Ubuntu 22.04 – NextGenTips

    In this tutorial, we are going to explore how to install go on Ubuntu 22.04 Golang is an open-source programming language that is easy to learn and use. It is built-in concurrency and has a robust standard library. It is reliable, builds fast, and efficient software that scales fast. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel-type systems enable flexible and modular program constructions. Go compiles quickly to machine code and has the convenience of garbage collection and the power of run-time reflection. In this guide, we are going to learn how to install golang 1.19beta on Ubuntu 22.04. Go 1.19beta1 is not yet released. There is so much work in progress with all the documentation.

  • molecule test: failed to connect to bus in systemd container - openQA bites

    Ansible Molecule is a project to help you test your ansible roles. I’m using molecule for automatically testing the ansible roles of geekoops.

  • How To Install MongoDB on AlmaLinux 9 - idroot

    In this tutorial, we will show you how to install MongoDB on AlmaLinux 9. For those of you who didn’t know, MongoDB is a high-performance, highly scalable document-oriented NoSQL database. Unlike in SQL databases where data is stored in rows and columns inside tables, in MongoDB, data is structured in JSON-like format inside records which are referred to as documents. The open-source attribute of MongoDB as a database software makes it an ideal candidate for almost any database-related project. This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the MongoDB NoSQL database on AlmaLinux 9. You can follow the same instructions for CentOS and Rocky Linux.

  • An introduction (and how-to) to Plugin Loader for the Steam Deck. - Invidious
  • Self-host a Ghost Blog With Traefik

    Ghost is a very popular open-source content management system. Started as an alternative to WordPress and it went on to become an alternative to Substack by focusing on membership and newsletter. The creators of Ghost offer managed Pro hosting but it may not fit everyone's budget. Alternatively, you can self-host it on your own cloud servers. On Linux handbook, we already have a guide on deploying Ghost with Docker in a reverse proxy setup. Instead of Ngnix reverse proxy, you can also use another software called Traefik with Docker. It is a popular open-source cloud-native application proxy, API Gateway, Edge-router, and more. I use Traefik to secure my websites using an SSL certificate obtained from Let's Encrypt. Once deployed, Traefik can automatically manage your certificates and their renewals. In this tutorial, I'll share the necessary steps for deploying a Ghost blog with Docker and Traefik.