How to verify the integrity of all binaries of packages installed manually via installers and dpkg on Debian/Linux?

How could one verify the integrity of all binaries of packages installed manually via installers and dpkg on Debian/Linux?
So far the only thing I could think of is this:

verify that `which veracrypt` returns /usr/bin/veracrypt

verify that…

XZ Utils backdoor update: Which Linux distros are affected and what can you do?

The news that XZ Utils, a compression utility present in most Linux distributions, has been backdoored by a supposedly trusted maintainer rattled the open-source software community on Friday, mere hours before the beginning of a long weekend for man…

Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)

A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” R…

Is it safe to store database credentials as plain text in the configuration file?

Some services, like ejabberd, nginx (when authenticating against a database), and dovecot, require the database password to be provided as plain text in the configuration file. Is it safe to store the MariaDB password as plain text provided that processe…

Debian’s security tracker says a CVE is fixed, while BlackDuck scanner detects it

I stumbled across a vulnerability considered a critical security risk (CVE-2023-25139) in one of the container images I build.
Debian’s security tracker states it’s fixed: https://security-tracker.debian.org/tracker/CVE-2023-25139 – specifical…

Risk of spyware with proprietary firmware packages on Linux, even after removing them?

When I installed the Debian 12 LXQt ISO with the graphical installer, it installed many proprietary firmware packages that were not needed, without my consent.
Is it possible that proprietary firmware included in the Debian default installation c…

Curl project squashes high-severity bug in omnipresent libcurl library (CVE-2023-38545)

Curl v8.4.0 is out, and fixes – among other things – a high-severity SOCKS5 heap buffer overflow vulnerability (CVE-2023-38545). Appropriate patches for some older curl versions have been released, too. Preparation for the security updates …