Open-source News

Daily News Roundup: Malware in Your Pirated Software - How-To Geek

Google News - Fri, 06/21/2019 - 23:42

Researchers at ESET and Malwarebytes have discovered crypto mining malware hidden in pirated music production software. The pirated software loads the ...

Get the Pay What You Want: The Complete Linux eBook Bundle - BleepingComputer

Google News - Fri, 06/21/2019 - 22:52

A new pay what you want deal is available for 4 eBooks from Packt Publishing on how to secure Linux, perform shell scripting, Linux programming, and more.

The Latest Linux 5.2 + Mesa 19.2 Radeon Performance Against NVIDIA With Mid-Range GPUs - Phoronix

Google News - Fri, 06/21/2019 - 22:42

With the Linux 5.2 kernel a few weeks out from its stable release and now being in the middle of the Mesa 19.2 development cycle for the RADV Vulkan and ...

The Latest Linux 5.2 + Mesa 19.2 Radeon Performance Against NVIDIA With Mid-Range GPUs

Phoronix - Fri, 06/21/2019 - 22:41
With the Linux 5.2 kernel a few weeks out from its stable release and now being in the middle of the Mesa 19.2 development cycle for the RADV Vulkan and RadeonSI OpenGL drivers, here are some fresh results looking at the latest open-source AMD Radeon Linux graphics driver stack compared to the latest NVIDIA proprietary graphics driver. In this article the focus is on the mid-range (Polaris) line-up against the NVIDIA competition while similar tests on the high-end are currently being carried out.

Jeff Woods - Linux Journal

Google News - Fri, 06/21/2019 - 21:42

Jeff Woods has worked in the IT field for more than 20 years, with broad experience in areas including software engineering, data engineering, operations, ...

Linux Certified System Administrator exam: User and group management - TechGenix

Google News - Fri, 06/21/2019 - 20:41

The Linux Certified System Administrator exam can be an important career step. Here's a close look at what is covered in user and group management.

Flameshot Linux: An open source screenshot tool for Linux - H2S Media

Google News - Fri, 06/21/2019 - 20:28

Flameshot, an annotate & screenshot shutter for Linux. It is a simple, lightweight Linux screenshot tool that works on distros such as Ubuntu, CentOS, Debian, etc.

GNOME 3.33.3 Released With Sysprof Profiling Integration, Other Improvements

Phoronix - Fri, 06/21/2019 - 19:41
GNOME 3.33.3 is out this morning as the latest development release in the trek towards the very exciting GNOME 3.34 desktop update due out this September...

Linux display driver code hints that more AMD Navi GPUs are coming - The INQUIRER

Google News - Fri, 06/21/2019 - 18:46

IT LOOKS LIKE more AMD Navi-based Radeon graphics cards are coming if snippets of info in Linux display driver code are anything to go by. Flagged by ...

The Latest Linux Kernel Appears To Be Causing Connectivity Issues For Steam

Phoronix - Fri, 06/21/2019 - 18:42
If you are planning to enjoy some Linux gaming this week via Steam, you may want to think twice about upgrading to the latest Linux kernel Git code or even the newest stable point releases...

The Latest Linux Kernel Appears To Be Causing Connectivity Issues For Steam - Phoronix

Google News - Fri, 06/21/2019 - 18:42

If you are planning to enjoy some Linux gaming this week via Steam, you may want to think twice about upgrading to the latest Linux kernel Git code or even the ...

Multiple RCE vulnerabilities impact all versions of Zimbra email software

UR Solutions - Fri, 06/21/2019 - 18:15

From: The Daily Swig

Patches released for latest builds, but older versions are still vulnerable

Several vulnerabilities in open source email suite Zimbra could be leveraged in a chained attack leading to remote code execution (RCE), a security researcher has found.

All versions of Zimbra are said to have been impacted, but the issue has now been fixed in 8.7.11 and 8.8x, the latest versions.

Researcher An Trinh (who goes by the Twitter handle @_tint0) said that Zimbra’s reliance on Extensible Markup Language (XML) for encoding its operations laid the path for multiple vulnerabilities – CVE-2016-9924, CVE-2018-20160, and CVE-2019-9670.

These are all XML external entity injection (XXE) vulnerabilities, which arise when applications process user-supplied XML documents without disabling references to external resources.

XML parsing often supports the use of external entities in order to check the validity of the data file through certain network protocols. An attacker can exploit this process in multiple ways if any part of its implementation is insecure.
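One way to close off this class of bug on the receiving side is to refuse any document that carries a DOCTYPE before it reaches the real parser. The following is an added example, not code from the article, the researcher or Zimbra; the function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class RejectedXML(ValueError):
    """Raised for documents we refuse to hand to the application parser."""


def _refuse_doctype(name, system_id, public_id, has_internal_subset):
    # Every entity declaration (internal or external) lives inside a DOCTYPE,
    # so refusing the DOCTYPE itself covers both XXE and entity expansion.
    raise RejectedXML("DOCTYPE declaration not allowed")


def parse_untrusted(data: bytes) -> ET.Element:
    """Gate user-supplied XML through expat, then parse it normally."""
    gate = expat.ParserCreate()
    gate.StartDoctypeDeclHandler = _refuse_doctype
    try:
        gate.Parse(data, True)  # handler exceptions propagate out of Parse
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return a short verdict string suitable for logging."""
    try:
        root = parse_untrusted(data)
    except RejectedXML as exc:
        return f"rejected: {exc}"
    return f"accepted: <{root.tag}>"


# Constructed sample inputs (not taken from any real request).
BENIGN = b"<Request><Field>hello</Field></Request>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Request [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b"<Request><Field>&ext;</Field></Request>"
)
UNDECLARED_ENTITY = b"<Request><Field>&ext;</Field></Request>"

if __name__ == "__main__":
    for sample in (BENIGN, WITH_EXTERNAL_ENTITY, UNDECLARED_ENTITY):
        print(classify(sample))
```

Applications that legitimately need DTDs cannot use a blanket refusal like this and must instead disable external entity resolution in the parser they use.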

“For more recent versions, CVE-2019-9670 works flawlessly where the XXE lies in the handling of Autodiscover requests,” Trinh said in a blog post published this week, explaining how the exploit could be leveraged on Zimbra versions 8.5 to 8.7.11.

“And for the sake of completeness, CVE-2018-20160 is an XXE in the handling of XMPP protocol and an additional bug along CVE-2019-9670 is a prevention bypass in the sanitizing of XHTML documents which also leads to XXE, however they both require some additional conditions to trigger,” Trinh said. “These all allow direct file extraction through response.”

Vulnerabilities like these can allow for privilege escalation and, in some cases, RCE, Trinh explained. Due to Zimbra’s token-based authentication method, an attacker needs access to the default admin port 7071, he said.

To complete the exploit chain, an attacker makes use of another vulnerability – CVE-2019-9621 – as a workaround for the admin port’s whitelist through ProxyServlet.doProxy().

“In short, if we send a request with 'foo:7071' Host header and a valid token in cookie, we can proxy a request to arbitrary targets that is otherwise only accessible to admins.”

A valid token is generated through a ‘hidden’ feature in Zimbra, which can then provide access to the admin port, the final requirement for the exploit chain to gain full control.

“The flow is to read the config file via XXE, generate a low-priv token through a normal AuthRequest, proxy an admin AuthRequest to the local admin port via ProxyServlet and finally, use the global admin token to upload a webshell via the ClientUploader extension,” Trinh said.

RCE via Memcached

RCE can also occur in Zimbra through an escalation of a Memcached injection vulnerability – as long as the email suite is using Memcached as its caching mechanism.

“The deserialization process happens at ImapMemcachedSerializer.deserialize() and triggers on ImapHandler.doSELECT() i.e. when a user invokes an IMAP SELECT command,” said Trinh.

“The IMAP port in most cases is publicly accessible, so we can safely assume the trigger of this exploit.”

Older versions of Zimbra are still impacted by all bugs, and users are advised to update.

The Daily Swig has reached out to Zimbra for comment.

Intel Drops 2 Exciting Clues About The Future Of Clear Linux OS For 'Normal' Desktop Users - Forbes

Google News - Fri, 06/21/2019 - 18:05
Intel Drops 2 Exciting Clues About The Future Of Clear Linux OS For 'Normal' Desktop Users  Forbes

At first blush, Intel's Clear Linux OS Project may not seem like the ideal candidate for average desktop users. Expect that to change in the near future.

IBM's Red Hat acquisition moves forward

UR Solutions - Fri, 06/21/2019 - 17:59

From: ZDNet

The Department of Justice has approved IBM's acquisition of Red Hat. Since IDC thinks Red Hat Enterprise Linux alone is expected to contribute to more than $10 trillion worth of global business revenues in 2019, IBM's $34 billion acquisition of Red Hat is looking better than ever.

Just ahead of Red Hat Summit in Boston on May 3, the US Department of Justice concluded its review of IBM's proposed Red Hat acquisition and essentially approved the IBM/Red Hat deal. This means the IBM/Red Hat acquisition is still on track for the second half of 2019.

At Red Hat Summit, Red Hat released the results of a commissioned IDC study, which concluded software and applications running on Red Hat Enterprise Linux (RHEL) are expected to contribute to more than $10 trillion worth of global business revenues in 2019.

That's about 5% of the worldwide economy for those of you following at home.

Oh, and you read that right. It's "trillion" with a "t" -- not "billion" with a "b".

By this the IDC means the software and applications running on RHEL will "touch" $10 trillion of business revenue this year and grow at twice the rate of the economy. Business revenue will top $188 trillion.

So, what does 'touch' mean? For 2019, IDC has estimated global business revenue of $188 trillion. Of this, IDC estimates that at least 40 percent use software. For 2019, IDC has estimated the total IT "footprint" at $81 trillion. Now, consider all that software has to run on an operating system -- and much of the software "touching" enterprise functions runs on servers. IDC knows Linux runs more than half of all servers. Of those, RHEL accounts for around 25% of deployed corporate server Linux operating systems. Do the math.

So, those trillions represent not just Red Hat's influence on the global economy, but how Linux is dominating all of IT. As Cushing Anderson, IDC VP of business consulting said: "As the world's leading enterprise Linux platform, Red Hat Enterprise Linux fuels these operations and more, touching trillions of dollars of global business revenue, creating hundreds of thousands of jobs and opening tens of billions of dollars in opportunities to ecosystem partners."

How does Red Hat do this? The research found that RHEL is most frequently used for enterprise management and production (26%), IT infrastructure (20%), and customer relationship management (18%). In each workload, customers see an increase in revenues from using RHEL, a decrease in expenses, and/or an increase in employee productivity.

GCC Is Looking At Zstd For Compressing Its LTO Data

Phoronix - Fri, 06/21/2019 - 17:56
The latest use-case for the increasingly popular Zstd compression algorithm could be employment by the GNU Compiler Collection (GCC) for compressing its link-time optimization (LTO) data...

How we redesigned our new corporate logo

UR Solutions - Fri, 06/21/2019 - 17:48

From: redhat.com

Building a better logo for us

There were lots of reasons why we changed our logo.

Starting over was never part of our strategy. We needed to keep a certain amount of recognizability, so we chose an evolutionary path.
 
 
Ok, so what happened to the guy?

Originally called “The Red Hat Man,” then later, “Shadowman,” the figure under the red fedora personified the company. Red Hatters knew Shadowman was a benevolent, liberating figure, introducing then-taboo open source software to the mainstream. In a way, Shadowman was a playful and defiant comment on the vilification of open source. As Red Hat grew into a mainstream company and open source began gaining trust and traction in the marketplace, the image no longer made quite as much sense.

How do you spell Red Hat?

Also, our name (Red Hat) was spelled as 1 word and in lowercase (redhat) in our logo.
 
 
Type

We also had issues with our typeface. We wanted to create something more liberating and useful, and we wanted to open source it and share it with everyone. So we collaborated with type designer Jeremy Mickel on 2 new open source fonts.

We’re calling them Red Hat Display and Red Hat Text and they will be available to everyone on Earth (who has access to a computer) in a variety of weights and italics.
 
 
Logo system

Our previous logo formed a single horizontal rectangle, with the Shadowman icon on the left and our name on the right. This configuration didn’t always work for things like favicons, app icons, and T-shirts.

Our new logo gives us the flexibility to choose the best version for each placement, such as in event wayfinding, on webpages, on buildings, and on branded swag. It can be used vertically or horizontally, and the “Red Hat” text can be large or small.
 
 
Applications

Put it all together and you get a fresh, clean, flexible visual system. We can unify products and services; give internal teams, projects, and programs a crisp consistent look; and share our brand in ways that we couldn’t before.
 
 
Color

The color red is our second most recognizable brand asset. Red symbolizes energy, strength, power, determination, passion, love, and courage. Red is the color of revolution. But even with all that oomph, our red needed a refresh.

We used science to make some minor adjustments. Our last shade of red failed contrast ratio checks on dark backgrounds, which means it was difficult or impossible to read for people with no or limited visual acuity, and could also cause eye strain for sighted people.
 
 
New look. Same vision.

We didn’t start over. We kept the most recognizable and important elements and collaboratively crafted a logo with more resonance with our truth. We thought through the connections linking our story with our symbol. Now, we are more Red Hat than ever.

Bzip2 Is About To See Its First Real Update In Close To A Decade

Phoronix - Fri, 06/21/2019 - 15:39
The Bzip2 open-source compression program is about to see its first real release since September 2010. This new version brings new build systems, security fixes, and much more...

Why this developer wrote a quick and responsive music player

opensource.com - Fri, 06/21/2019 - 15:02

I wrote recently that "GogglesMM has been one of my favorite players for quite some time now." So, when I was thinking about interviewing developers who build and maintain open source music players, Sander Jansen came quickly to mind.



7 infrastructure performance and scaling tools you should be using

opensource.com - Fri, 06/21/2019 - 15:01

Sysadmins, site reliability engineers (SREs), and cloud operators all too often struggle to feel confident in their infrastructure as it scales up. Also too often, they think the only way to solve their challenges is to write a tool for in-house use. Fortunately, there are options. There are many open source tools available to test an infrastructure's performance. Here are my favorites.


