NEWS
Linux Foundation Releases a New Draft of OpenChain Specification
The OpenChain Project is releasing a draft of its OpenChain Specification 2.0 (https://www.openchainproject.org/news/2019/02/15/comment-on-the-next-generation-of-the-openchain-specification).
OpenChain is a critical open source project that offers a standard for open source compliance in the supply chain. Open source is powering the modern world; every company is consuming open source in one way or the other. It's becoming critical that they comply with the license used. "OpenChain provides a specification as well as overarching processes, policies, and training that companies need to be successful in managing open source license compliance so that it becomes more efficient, understandable, and predictable for participants of the software supply chain," said the OpenChain blog post.
The Linux Foundation has also announced that Microsoft is joining the OpenChain Project as a platinum member (https://www.openchainproject.org/news/2019/02/06/microsoft-joins-openchain-platform). Under the leadership of Satya Nadella, Microsoft has become more active in its support of open source initiatives. As a lot of open source code flows through Microsoft's own products and services, it's critical for the company to ensure that it is totally in compliance with open source.
"By joining the OpenChain Project, we look forward to working alongside the community to define compliance standards that help build confidence in the open source ecosystem and supply chain," said David Rudin, assistant general counsel, Microsoft.
Other platinum members of the OpenChain project include Adobe, ARM Holdings, Cisco, Comcast, Facebook, GitHub, Google, Harman International, Hitachi, Qualcomm, Siemens, Sony, Toshiba, Toyota, Uber, and Western Digital.
Hackers Start Exploiting Drupal Bug
Hackers have started exploiting a security flaw in Drupal that was patched last week. Imperva reported that they started seeing attacks on February 23, after the two vulnerabilities were patched and proof-of-concept (PoC) exploit code was made available publicly. Attackers tried to install CoinIMP, a JavaScript cryptocurrency miner on unpatched sites.
Drupal wrote in an advisory that CVE-2019-6340 and SA-CORE-2019-003 can lead to arbitrary PHP code execution in some cases, as some field types do not properly sanitize data from non-form sources.
The advisory said that a site can be affected if it meets one of these conditions: the site has the Drupal 8 core RESTful Web Services (REST) module enabled and allows GET
, PATCH
, or POST
requests; or the site has another web services module enabled, like JSON:API in Drupal 8 or Services or RESTful Web Services in Drupal 7.
Drupal doesn't have any automated update mechanism (https://www.drupal.org/project/ideas/issues/2940731), and updating Drupal is more involved than updating WordPress, which means many sites may still be unpatched.
The vulnerabilities affect only Drupal 8 sites, unless you have Services or RESTful Web Services enabled in Drupal 7.
According to ZDNet (https://www.zdnet.com/article/it-took-hackers-only-three-days-to-start-exploiting-latest-drupal-bug/), there are only 63,000 Drupal 8 sites, which means there might not be enough incentive for hackers to spend their time searching out Drupal 8 sites to attack. Still, Drupal 8 admins are advised to install the patch as soon as possible.
LibreOffice Vulnerable to Remote Code Execution Flaw
Security researcher Alex Inführ has discovered a vulnerability in OpenOffice and LibreOffice that allows remote code execution (https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html).
In a blog post, Inführ wrote that he found a way to achieve remote code execution as soon as a user opens a malicious ODT file and moves their mouse over the document, without triggering a warning dialog.
He demonstrated PoC, in which he created a hyperlink and changed its color from the default blue to white, so it would not raise suspicion. The link covered the whole page, increasing the chance of the user hovering the mouse over it. Remember, no clicking was needed; just hovering the mouse over the hyperlink was required to execute the payload.
The culprit here is the Python interpreter (pydoc.py
) that comes with LibreOffice. It accepts commands and executes them via the command line.
LibreOffice has already released a patch; OpenOffice has not yet.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome OS Adopting systemd-sysupdate
Gnome OS is about to undergo a major under-the-hood change that promises enhanced security.
-
Endless OS 6 has Arrived
After more than a year since the last update, the latest release of Endless OS is now available for general usage.
-
Fedora Asahi 40 Remix Available for Macs with Apple Silicon
If you've been anticipating KDE's Plasma 6 for your Apple Silicon-powered Mac, then you're in luck.
-
Red Hat Adds New Deployment Option for Enterprise Linux Platforms
Red Hat has re-imagined enterprise Linux for an AI future with Image Mode.
-
OSJH and LPI Release 2024 Open Source Pros Job Survey Results
See what open source professionals look for in a new role.
-
Proton 9.0-1 Released to Improve Gaming with Steam
The latest release of Proton 9 adds several improvements and fixes an issue that has been problematic for Linux users.
-
So Long Neofetch and Thanks for the Info
Today is a day that every Linux user who enjoys bragging about their system(s) will mourn, as Neofetch has come to an end.
-
Ubuntu 24.04 Comes with a “Flaw"
If you're thinking you might want to upgrade from your current Ubuntu release to the latest, there's something you might want to consider before doing so.
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.