Mar 9 2010

OpenSSH 5.4 couples standard local input with server ports

The development team behind secure shell server OpenSSH have released version 5.4, which includes a range of new functions and fixes a number of bugs in the previous version.

Following a transition period of more than 10 years, OpenSSH 5.4 finally disables, by default, the old SSH protocol version 1. The legacy SSH version, which is no longer considered secure, can still be used by adjusting the appropriate settings in the configuration file. Where certificates are used to authenticate users and computers, version 5.4 offers a new minimal OpenSSH format. Key pairs for users can be revoked using the new RevokedKeys option. Host keys can be revoked in the known_hosts file.

Using the -W switch and a host:port argument, OpenSSH 5.4 can be started in netcat mode, which connects a local computer’s standard input and output (stdio) to a port on a remote host. The SFTP server, which carries out FTP-like file transfer, now protects file sharing settings from being overwritten (read-only mode) and can, if required, set explicit privileges when generating new files (umask) at the command line. The SFTP client now has tab completion for commands and paths and supports recursive get and put commands, allowing entire file trees to be transferred between client and server.

Source


Mar 4 2010

‘Severe’ OpenSSL vuln busts public key crypto

Computer scientists say they’ve discovered a “severe vulnerability” in the world’s most widely used software encryption package that allows them to retrieve a machine’s secret cryptographic key.

The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

“Wherever you need to verify the origin of a piece of software or a piece of information, those building blocks come in handy,” said Karsten Nohl, an independent security researcher who in unrelated attacks has broken encryption in widely used smartcards and cordless phones. “The OpenSSL library provides much more than just SSL.”

The scientists, from the University of Michigan’s electrical engineering and computer science departments, said the bug is easily fixed by applying cryptographic “salt” to an underlying error-checking algorithm. The additional randomization would make the attack unfeasible.

An OpenSSL official, who asked that his name not be published, said engineers are in the process of pushing out a patch and stressed the attack is difficult to carry out in real-world settings.

The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device’s power supply as it was processing encrypted messages. In a little more than 100 hours, they were able to feed the device enough “transient faults” that they were able to assemble the entirety of its 1024-bit key.

“This is probably not as much of a threat to a server system as it is to a consumer device,” said Todd Austin, one of the scientists who devised the attack. “The place where this would be more applicable would be if you want to attack a Blu-ray player (where) you have an environment where someone is giving you a device that has a private key to protect intellectual property and you have physical access to the device.”

Servers, by contrast, would be much harder to attack because they are generally located in places that prevent people from manipulating their power supply. But that doesn’t mean they’re immune to such exploits. In cases where a machine is overheating or otherwise experiencing power fluctuations, the vulnerability will cause servers to leak secret data that could be intercepted by attackers.

The scientists are also experimenting with the possibility of exploiting the bug using lasers or natural radiation sources, they said.

The attack is enabled by what the researchers described as a “severe vulnerability” in the OpenSSL innards that carry out authentication based on the RSA public key encryption algorithm. It resides in the so-called fixed window exponentiation algorithm of the open-source crypto library, which is used when errors arise. By triggering a single-bit error in a multiplication operation, the scientists were able to force OpenSSL to divulge 4 bits of the secret key.

Once they gathered about 8,800 malformed messages from the targeted device, they fed the data into an 81-machine cluster of 2.4 GHz Pentium-4 systems running a custom-designed algorithm. They applied the technique to an embedded hardware device consisting of a Sparc processor running a Linux operating system and were able to extract its 1024-bit private key in 104 hours.
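An added example, not code from the article, the Michigan researchers or OpenSSL: a toy RSA signer whose fixed-window exponentiation can be told to flip one bit in one multiplication, next to the verify-before-release check that keeps a faulty signature from ever leaving the device. The primes and message are constructed toy values, and the check is the standard countermeasure for this class of fault rather than the salt-based fix the researchers describe.

```python
# Added example (not from the article or OpenSSL): a toy RSA signer that
# simulates a single-bit fault in one multiplication of a fixed-window
# exponentiation, plus the verify-before-release check that stops the
# faulty result from being handed to the caller.

# Constructed toy RSA parameters: two small primes, far too small for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)

# Constructed message, already reduced below N.
MSG = int.from_bytes(b"msg", "big")


def fixed_window_modexp(base, exp, mod, window=4, fault_step=None, fault_bit=0):
    """Left-to-right fixed-window modular exponentiation.

    If fault_step is given, the product of the multiplication executed at that
    step (counted from 0) gets one bit flipped before reduction, modelling a
    transient fault in the multiplier.  Squarings are left untouched.
    """
    # Precompute base^0 .. base^(2^window - 1) mod mod.
    table = [1]
    for _ in range((1 << window) - 1):
        table.append(table[-1] * base % mod)

    nwindows = (exp.bit_length() + window - 1) // window
    mask = (1 << window) - 1
    acc = 1
    step = 0
    for i in range(nwindows - 1, -1, -1):
        for _ in range(window):
            acc = acc * acc % mod                  # window squarings
        digit = (exp >> (i * window)) & mask
        prod = acc * table[digit]                  # the multiplication
        if step == fault_step:
            prod ^= 1 << fault_bit                 # simulated single-bit error
        acc = prod % mod
        step += 1
    return acc


def verify(msg_int, sig):
    """Public-key check: sig^E mod N must give back the message."""
    return pow(sig, E, N) == msg_int


def sign(msg_int, fault_step=None):
    """Sign with the private key; release the result only if it verifies.

    A faulty exponentiation yields a value that fails the public-key check,
    so the device returns None instead of leaking a corrupted signature.
    """
    sig = fixed_window_modexp(msg_int, D, N, fault_step=fault_step)
    if not verify(msg_int, sig):
        return None
    return sig


if __name__ == "__main__":
    print("clean signature verifies:", verify(MSG, sign(MSG)))
    print("faulty signature released:", sign(MSG, fault_step=2) is not None)
```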

The researchers said it may be possible to apply the method to other crypto libraries, such as one offered by the Mozilla Foundation.

Source


Feb 26 2010

Kolivas Pushes New Kernel Responsiveness Patches

Con Kolivas had stopped working on the Linux kernel for two years after he became fed up with the kernel development community, but last year he made a return by introducing the BFS scheduler. The BFS scheduler for the Linux kernel is quite simple in design compared to other schedulers, but it performed fairly well on desktop systems. Due to Con’s past frustrations, he has no intentions of mainlining the Brain Fuck Scheduler, but he has now offered up another batch of patches.

Kolivas has released a new set of patches this morning that are “designed to improve system responsiveness and interactivity with specific emphasis on the desktop.” There are 13 patches he has made available that can be applied against the freshly released Linux 2.6.33 kernel. One of the patches is BFS, another changes the default timer frequency to 1000Hz, another adds new values that allow the timer frequency to be raised to 10,000Hz, and there are various other changes.

While Con Kolivas is probably not trying to get these patches pushed into the Linux 2.6.34 kernel, he has published them to the Linux kernel mailing list. His patches can be found in the 2.6.33-ck1 directory.

Source


Feb 26 2010

PHP 5.2.13 addresses security holes

An update which fixes around 40 bugs is available for the PHP 5.2 development branch. Version 5.2.13 comes highly recommended for all PHP 5.2.x users, as it includes a number of security-related fixes. These include a bug in the tempnam() function’s validation of the safe_mode configuration variable, which arises when the path does not end in a slash (/). An open_basedir/safe_mode bypass vulnerability in the session extension has also been fixed.

More details about the release, including other significant changes, can be found in the release announcement and change log. PHP 5.2.13 is available to download from the project’s site.

The current PHP development branch is PHP 5.3, for which version 5.3.1 has been available since November 2009. A third release candidate for PHP 5.3.2 was released on the 23rd of February.

Source


Feb 24 2010

Open Source NoSQL Databases

For almost a year now, the idea of “NoSQL” has been spreading due to the demand for relational database alternatives. Maybe the biggest motivation behind NoSQL is scalability. Relational databases don’t lend themselves well to the kind of horizontal scalability that’s required for large-scale social networking or cloud applications, and ORMs can abstract away the impedance mismatch only so much. In other cases, companies just don’t need as many of the complex features and rigid schemas provided by relational databases. Most people are not suggesting that we all ditch the RDBMS; in fact, many companies don’t really need to switch. Relational databases will probably be necessary for many applications years and years from now. In essence, NoSQL is a movement that aims to reexamine the way we structure data and draw attention to innovation in hopes of finding the solution to the next generation’s data persistence problems.

Check the source for details on various types of NoSQL.

Source


Feb 23 2010

15th Anniversary of the Apache HTTP Web Server

ASF Flagship Project is World’s Most Popular Web Server, Powering More than 112 Million Websites

FOREST HILL, MD, 23 February, 2010 — The Apache Software Foundation (ASF) — developers, stewards, and incubators of 138 Open Source projects — today announced the 15th anniversary of the Apache HTTP Web Server.

The ASF’s first project became the world’s most popular Web server software within the first six months of its inception. The Apache HTTP Server today powers nearly 112 million Websites world-wide.

A triumph for the all-volunteer Foundation, the Apache HTTP Server reliably delivers petabytes of data across the world’s most demanding uses, including real-time news sources, Fortune 100 enterprise portals, cloud computing clusters, financial services platforms, mission-critical military intelligence applications, aerospace communications networks, and more. The server software can be downloaded, modified and installed by anyone free of charge.

History

The Apache Server started as a fork (an independent development stream) of the NCSA httpd, a Web server created by Rob McCool at the National Center for Supercomputing Applications. Further development to the server ceased after McCool’s departure from NCSA in 1994, so an online community of individuals was formed to support and enhance its software via email collaboration. The founding members of that community (the Apache Group) included Brian Behlendorf, Roy Fielding, Rob Hartill, David Robinson, Cliff Skolnick, Randy Terbush, Robert Thau, and Andrew Wilson.

Within less than a year of the Apache Group’s formation, the Apache server surpassed NCSA httpd as the #1 server on the Internet.

In March 1999, members of the Apache Group formed The Apache Software Foundation to provide organizational, legal, and financial support for the Apache HTTP Server. An additional goal for the Foundation was to serve as a neutral, trusted platform for the development of community-driven software.

Growth, the “Apache Way”

Beyond the Apache HTTP Server, dozens of ASF projects – from build tools to Web services to cloud computing and more – lead the way in Open Source technology.

At the ASF, community plays a vital role in the collaborative development of consensus-driven, enterprise-grade solutions. The number of projects led by the Apache community has grown from the singular Apache HTTP Server at the ASF’s inception in 1999 to nearly 140 projects today.

The ASF’s commitment to fostering a collaborative approach to development has long served as a model for producing consistently high quality software and helping advance the future of open development. Through its leadership, robust community, and meritocratic process known as the “Apache Way”, the ASF continues to gain recognition as one of the most successful influencers in Open Source.

Through the Apache Way, the ASF is able to spearhead new projects that meet the demands of the marketplace and help users achieve their business goals. With the Apache Incubator mentoring more projects than ever before, the ASF continues to meet the growing demand for quality Open Source products.

“Community Over Code”: among the Foundation’s core tenets is open collaboration through respectful, honest, technically-focused interaction. The ASF’s success is testament to its outstanding community efforts that serve as best practices widely embraced by organizations and individuals alike.

“If it didn’t happen on-list, it didn’t happen”: building upon the transparency-oriented culture of the Apache Group, whose collaboration took place on email lists, millions of messages are archived on Apache publicly-accessible mailing lists, documenting the ASF’s achievements over the past decade.

“Meritocracy in Action”: the ASF’s tagline reflects an average of 10,000 code contributions (commits) made each month. The ASF is responsible for millions of lines of code by more than 2,000 ASF Committers and countless contributors across the Open Source landscape. Nearly 500 community-driven modules have been developed to extend functionality of the Apache HTTP Server alone.

Milestones

February 23, 1994: Individual patch authors around the world are invited to join the “new-httpd” mailing list to discuss enhancements and future releases of NCSA httpd. The Apache name was chosen for this new effort within the first few days of discussion, along with basic rules for email-based collaboration and a mission to replace the existing server with a standards-based, open source, and extensible software system.

March 15, 1994: Apache-style voting created (+1, 0, -1; with ‘-1’ meaning ‘no’, ‘0’ meaning ‘neutral’, and ‘+1’ meaning ‘yes’).

March 18, 1994: First Apache Group release (Apache 0.2)

Apache server v.1.0 was released in December 1995. Four years later, Apache HTTP Server v.1.3.0 was released and rapidly became the most popular Web server on the planet.

Apache HTTP Server v.2.0 alpha was released in March 2000, with the first general availability release two years later. V.2.0 remained the best-of-breed server until the release of v.2.2.0 in December 2005, and is widely deployed across the Internet.

In February 2009, the Apache HTTP Server became the first Web server software in history to surpass the 100 million Website milestone.

The most current, best-of-breed, stable version of the Apache HTTP Server is v.2.2.14, released September 2009. Developers seeking to test new features and preview what will become stable Version 2.4 are able to do so today with the development of v.2.3.5.

Earlier this month, after ten years and more than forty revisions, the Apache HTTP Server v.1.3.x officially reached end of life status with the release of v.1.3.42. Future patches to v.1.3.x will be for critical security updates only.

The Apache HTTP Server remains the world’s most beloved Web server, forming the backbone of nearly 70% of all sites on the Internet.

Availability

The Apache HTTP Server is available for a variety of operating systems, including Unix, Linux, GNU, FreeBSD, Netware, Solaris, Windows, Mac OS X, OS/2, TPF, and eCS. In addition, the Apache HTTP Server is redistributed through many proprietary software packages such as WebSphere, Oracle RDBMS, Kylix, NetWare, and Delphi, as well as numerous Linux distributions.

All ASF projects, including the Apache HTTP Server, are available free of charge under the Apache Software License v.2.0. To download, or for more information, visit http://httpd.apache.org/

About The Apache Software Foundation (ASF)

Established in 1999, the all-volunteer Foundation oversees more than seventy leading Open Source projects, including Apache HTTP Server — the world’s most popular Web server software. Through The ASF’s meritocratic process known as “The Apache Way,” more than 300 individual Members and 2,000 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation’s official user conference, trainings, and expo. The ASF is funded by individual donations and corporate sponsors including Facebook, Google, HP, Microsoft, Progress Software, SpringSource, and Yahoo! For more information, visit http://www.apache.org/.

Source


Feb 23 2010

PC-BSD 8.0 Released

The PC-BSD Team is pleased to announce the availability of PC-BSD 8.0 (Hubble Edition), running FreeBSD 8.0-RELEASE-P2, and KDE 4.3.5.

PC-BSD 8.0 contains a number of enhancements and improvements over the 7.x series. For a full list of changes, please refer to the changelog. Some of the notable changes are:

* FreeBSD 8.0-RELEASE-P2
* KDE 4.3.5
* Brand new System Installer, allows the install of PC-BSD or FreeBSD
* Run in Live mode directly from DVD
* Updated Software Manager, allows browsing and installing applications directly via the GUI
* Support for 3D acceleration with NVIDIA drivers on amd64

Version 8.0 of PC-BSD is available for download from our mirrors, and as torrent from http://www.gotbsd.net.

Download PC-BSD 8.0:

http://www.pcbsd.org/content/view/152/11/

Changelog:

http://www.pcbsd.org/content/view/151/11/

Release Notes:

http://www.pcbsd.org/content/view/150/11/

Source


Feb 22 2010

FreeBSD and the GPL

The first free Unix-like operating system available on the IBM PC was 386BSD, of which Linus Torvalds said in 1993: “If 386BSD had been available when I started on Linux, Linux would probably never have happened.”

386BSD was a direct descendant of Bill Joy’s Berkeley Software Distribution, which was the core of SunOS and other proprietary Unix distributions. 386BSD and the patchkit for the port to the Intel chip formed the basis for FreeBSD, NetBSD and OpenBSD, which have carried the torch for BSD and open source Unix to this day.

Lars Wirzenius, a student friend of Linus Torvalds, recalled: “FreeBSD didn’t exist then. 386BSD did, but it wouldn’t have worked on my computer, since it required a 387 co-processor. I used SCO Xenix from fall 1991 to spring or summer of 1992, until Linux matured enough to be a usable environment for writing code.”

Alan Cox tells a similar story. When he saw the 386BSD announcement he thought “Woah! – finally there is something worth running on a PC.”

The trouble was that 386BSD needed floating point hardware, and Linux didn’t. “I hadn’t got the floating point chip, which was 70 quid at the time, so I installed Linux,” he said.

386BSD was a long time coming. The first public release (Version 0.0) was on St. Patrick’s Day, 1991, and was barely functional. Most users had to wait until Bastille Day, 1992 for the first functional release (Version 0.1).

A year or two earlier, a couple of small fixes, and Linux might never have seen the light of day.

What ifs

The most popular of the BSDs is FreeBSD. FreeBSD, like the other BSDs, had a 15-year start on Linux, based as it was on BSD Unix, which had played a large part in defining the standards for operating systems and networking that have held good to the present day. For much of its early history, FreeBSD was technically superior to Linux and still retains an enviable reputation for reliability.

So it is interesting to speculate why Linux, and not FreeBSD, became the flag bearer, not only for free software, but for Unix-like operating systems.

BSD had been around for a long time, and Linux grew from small beginnings. Most of the early contributors to Linux, and to the projects that sprang from the early success of Linux, were hobbyists and students with no great history in computing, yet GNU/Linux, not FreeBSD, was adopted by the traditional Unix companies to become the universal operating system that Unix had promised to be.

Could have been a contender

FreeBSD didn’t stagnate, or lose, and is probably healthier than it ever was: big on networking devices, friendly with web hosting companies and big with Apple. But it hasn’t had the impact of Linux on the rest of the computing industry, despite an enviable record for technical excellence.

Any number of reasons can be given for this. During the period 1992-1994, when GNU/Linux was beginning to emerge as a viable option for Intel servers, the BSDs were the subject of a copyright dispute between USL and BSDi, which was indisputably a setback to uptake and development, but the BSDs bounced back from this setback and were the favoured solution for many web and ftp servers during the dotcom boom.

In 1999, “Walnut Creek CD-ROM set the world record for most bytes of network traffic processed in 24 hours by a single host: One single-processor PII box (a then-famous FreeBSD ftp server) handled 1.39 terabytes. (This burst of traffic was, ironically, occasioned by the release on that machine of Slackware 4.0.)”

Source


Feb 19 2010

New attempt to integrate AppArmor into Linux

John Johansen, a developer with commercial Ubuntu sponsor Canonical, has submitted an updated version of the AppArmor security framework to the Linux kernel developers for inspection. Johansen writes that, like the SELinux and Tomoyo solutions already integrated into the kernel, this fourth general posting of AppArmor uses Linux Security Modules (LSM) to hook into the kernel. Some, but not all, of the characteristics criticised by the kernel developers when AppArmor was last posted have reportedly been corrected in the new posting. However, the maintainer of the Linux Virtual File System (VFS), known for his rather direct comments, soon found various inconsistencies in the newly posted code.

Novell had bought the company that originally developed AppArmor and released the code under the GPL in 2006. Despite various attempts by Novell developers, however, the code was not integrated into the main development branch of Linux because the kernel developers didn’t approve of some of the security framework’s properties. With things having gone quiet around AppArmor and Novell also experimenting with SELinux, Canonical began to put more effort into preparing the technology for integration a few months ago. As reported by Johansen at the end of his email, the code is now hosted at kernel.org and launchpad.net rather than Novell Forge.

Source


Feb 9 2010

OpenDNSSEC 1.0.0 released

Internet engineers continue to enhance Internet security with the release of OpenDNSSEC, a tool which simplifies the process of signing one or more zones with DNSSEC. OpenDNSSEC handles the entire process, including secure key management and rollover issues. With OpenDNSSEC, fewer manual operations are needed by the operator.

OpenDNSSEC ensures that all the steps in the signing process are done in the correct order and at the right time, making sure that nothing breaks. The issue of storing the private keys associated with DNSSEC signing has been handled using so-called HSMs (Hardware Security Modules), so that the private keys cannot be leaked to an unauthorized third party.

OpenDNSSEC works in all Unix-like operating systems and is suitable both for those who will only sign a single large zone (such as top-level domains) and those who have many small zones (e.g. web hotels, ISPs).

Developed by industry leaders including .SE (The Internet Infrastructure Foundation), NLNetLabs, Nominet, Kirei, SURFnet, SIDN and John Dickinson, OpenDNSSEC will seamlessly integrate domain name security extensions (DNSSEC) into already existing IT systems without the need for organizations to change their infrastructure.

OpenDNSSEC has some known issues, which will be fixed in a future release:

* Auditor slow for large zones
* KSK rollover requires manual timing
* Too slow when handling a massive number of zones

Source