An issue was discovered in illumos before f859e7171bb5db34321e45585839c6c3200ebb90, OmniOS Community Edition r151038, OpenIndiana Hipster 2021.04, and SmartOS 20210923. A local unprivileged user can cause a deadlock and kernel panic via crafted rename and rmdir calls on tmpfs filesystems. Oracle Solaris 10 and 11 is also affected.

☹

Sorry, your browser does not support the technologies needed to use our web interface. Please make sure you have the latest version, and that JavaScript is enabled.

CVE-2021-43395: Topicbox

Categories: News
Tags: security vulnerabilities

Tags:  cryptocurrency

Tags:  lock and code

Tags:  SevenRooms

Tags:  adult popunder

Tags:  ad fraud

Tags:  AV-TEST

Tags:  Gemini

Tags:  cryptocurrency

Tags:  Play ransomware

Tags:  ransomware

Tags:  blocking IP addresses

Tags:  BEC scam

Tags:  BEC

Tags:  Bricklink

Tags:  Lego

Tags:  Netflix

Tags:  Disney+

Tags:  password sharing

Tags:  The Guardian

Tags:  ransomware attack

Tags:  Godfather malware

Tags:  Godfather

Tags:  Android banking malware

The most interesting security related news from the week of December 19 to 25.



(Read more...)




The post A week in security (December 19 - 25) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (December 19 - 25)

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX perfstat kernel extension to cause a denial of service. IBM X-Force ID: 239169.

**Remediation/Fixes**

**A. APARS**

IBM has assigned the following APARs to this problem:

For the kernel:

AIX Level

APAR

SP

7.1.5

IJ43967

SP11

7.2.5

IJ43869

SP06

7.3.0

IJ43875

SP03

7.3.1

IJ44594

SP02

VIOS Level

APAR

SP

3.1.2

IJ43995

3.1.2.50

3.1.3

IJ43869

3.1.3.30

3.1.4

IJ43869

3.1.4.20

For the CAA kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43099

SP11

7.2.5

IJ41975

SP06

7.3.0

IJ42938

SP03

VIOS Level

APAR

SP

3.1.2

IJ44115

3.1.2.50

3.1.3

IJ41975

3.1.3.30

For the NFS kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43072

SP11

7.2.5

IJ42159

SP06

7.3.0

IJ43468

SP03

VIOS Level

APAR

SP

3.1.2

IJ43674

3.1.2.50

3.1.3

IJ43314

3.1.3.30

For the TCP/IP kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43098

SP11

7.2.5

IJ41974

SP06

7.3.0

IJ42937

SP03

VIOS Level

APAR

SP

3.1.2

IJ43598

3.1.2.50

3.1.3

IJ43217

3.1.3.30

For the perfstat kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43970

SP11

7.2.5

IJ43876

SP06

7.3.0

IJ43891

SP03

7.3.1

IJ44595

SP02

VIOS Level

APAR

SP

3.1.2

IJ44114

3.1.2.50

3.1.3

IJ43876

3.1.3.30

3.1.4

IJ43876

3.1.4.20

For the pfcdd kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43980

SP11

7.2.5

IJ43877

SP06

7.3.0

IJ43893

SP03

VIOS Level

APAR

SP

3.1.2

IJ44116

3.1.2.50

3.1.3

IJ43877

3.1.3.30

Subscribe to the APARs here:

https://www.ibm.com/support/pages/apar/\[APAR Number\]

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

**B. FIXES**

IBM strongly recommends addressing the vulnerability now.

AIX and VIOS fixes are available.

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

The AIX and VIOS fixes can be downloaded via ftp or http from:

ftp://aix.software.ibm.com/aix/efixes/security/kernel\_fix5.tar

http://aix.software.ibm.com/aix/efixes/security/kernel\_fix5.tar

https://aix.software.ibm.com/aix/efixes/security/kernel\_fix5.tar

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

For the kernel:

AIX Level

Interim Fix

7.1.5.8

IJ43967m8a.221110.epkg.Z

7.1.5.9

IJ43967m9a.221102.epkg.Z

7.1.5.9

IJ43967m9b.221111.epkg.Z

7.1.5.10

IJ43967mAa.221024.epkg.Z

7.2.5.3

IJ43869m3a.221025.epkg.Z

7.2.5.3

IJ43869m3b.221212.epkg.Z

7.2.5.4

IJ43869m4a.221017.epkg.Z

7.2.5.5

IJ43869s5a.221212.epkg.Z

7.3.0.1

IJ43875m1a.221025.epkg.Z

7.3.0.2

IJ43875m2a.221017.epkg.Z

7.3.1.1

IJ44594s1a.221212.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7100-05-09 and 7200-05-03.

IJ43967m9a is for AIX 7100-05-09 with bos.mp64 fileset level 7.1.5.45.

IJ43967m9b is for AIX 7100-05-09 with bos.mp64 fileset level 7.1.5.44.

IJ43869m3a is for AIX 7200-05-03 with bos.mp64 fileset level 7.2.5.103.

IJ43869m3b is for AIX 7200-05-03 with bos.mp64 fileset level 7.2.5.101.

Please reference the Affected Products and Version section above for help with checking installed fileset levels.

VIOS Level

Interim Fix

3.1.2.21

IJ43995m2b.221027.epkg.Z

3.1.2.30

IJ43995m2c.221212.epkg.Z

3.1.2.40

IJ43995m2a.221025.epkg.Z

3.1.3.10

IJ43869m3b.221212.epkg.Z

3.1.3.14

IJ43869m3a.221025.epkg.Z

3.1.3.21

IJ43869m4a.221017.epkg.Z

3.1.4.10

IJ43869s5a.221212.epkg.Z

For the CAA kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43099m8a.221110.epkg.Z

7.1.5.9

IJ43099m9a.221102.epkg.Z

7.1.5.9

IJ43099m9b.221213.epkg.Z

7.1.5.10

IJ43099sAa.221024.epkg.Z

7.2.5.3

IJ41975m3a.221027.epkg.Z

7.2.5.3

IJ41975m3b.221212.epkg.Z

7.2.5.4

IJ41975s4a.221017.epkg.Z

7.3.0.1

IJ42938m1a.221027.epkg.Z

7.3.0.2

IJ42938s2a.221018.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7100-05-09 and 7200-05-03.

IJ43099m9a is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.38.

IJ43099m9b is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.37.

IJ41975m3a is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.101.

IJ41975m3b is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.100.

VIOS Level

Interim Fix

3.1.2.21

IJ44115m2a.221102.epkg.Z

3.1.2.30

IJ44115m2a.221102.epkg.Z

3.1.2.40

IJ44115m2b.221213.epkg.Z

3.1.3.10

IJ41975m3b.221212.epkg.Z

3.1.3.14

IJ41975m3a.221027.epkg.Z

3.1.3.21

IJ41975s4a.221017.epkg.Z

For the NFS kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43072s8a.221110.epkg.Z

7.1.5.9

IJ43072sAa.221024.epkg.Z

7.1.5.10

IJ43072sAa.221024.epkg.Z

7.2.5.3

IJ42159s3a.221025.epkg.Z

7.2.5.3

IJ42159s3b.221213.epkg.Z

7.2.5.4

IJ42159s4a.221017.epkg.Z

7.3.0.1

IJ43468s1a.221025.epkg.Z

7.3.0.2

IJ43468s2a.221017.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7200-05-03.

IJ42159s3a is for AIX 7200-05-03 with bos.adt.include fileset level 7.2.5.102.

IJ42159s3b is for AIX 7200-05-03 with bos.adt.include fileset level 7.2.5.101.

VIOS Level

Interim Fix

3.1.2.21

IJ43674s2b.221027.epkg.Z

3.1.2.30

IJ43674s2c.221213.epkg.Z

3.1.2.40

IJ43674s2c.221213.epkg.Z

3.1.3.10

IJ42159s3b.221213.epkg.Z

3.1.3.14

IJ42159s3a.221025.epkg.Z

3.1.3.21

IJ42159s4a.221017.epkg.Z

For the TCP/IP kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43098s8a.221110.epkg.Z

7.1.5.9

IJ43098s9a.221102.epkg.Z

7.1.5.9

IJ43098s9b.221213.epkg.Z

7.1.5.10

IJ43098sAa.221024.epkg.Z

7.2.5.3

IJ41974s3a.221025.epkg.Z

7.2.5.3

IJ41974s3b.221213.epkg.Z

7.2.5.4

IJ41974s4a.221017.epkg.Z

7.3.0.1

IJ42937s1a.221027.epkg.Z

7.3.0.2

IJ42937s2a.221018.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7100-05-09 and 7200-05-03.

IJ43098s9a is for AIX 7100-05-09 with bos.net.tcp.client fileset level 7.1.5.40.

IJ43098s9b is for AIX 7100-05-09 with bos.net.tcp.client fileset level 7.1.5.39.

IJ41974s3a is for AIX 7200-05-03 with bos.net.tcp.client\_core fileset level 7.2.5.102.

IJ41974s3b is for AIX 7200-05-03 with bos.net.tcp.client\_core fileset level 7.2.5.101.

VIOS Level

Interim Fix

3.1.2.21

IJ43598s2b.221027.epkg.Z

3.1.2.30

IJ43598s2d.221213.epkg.Z

3.1.2.40

IJ43598s2c.221213.epkg.Z

3.1.3.10

IJ41974s3b.221213.epkg.Z

3.1.3.14

IJ41974s3a.221025.epkg.Z

3.1.3.21

IJ41974s4a.221017.epkg.Z

For the perfstat kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43970sAa.221024.epkg.Z

7.1.5.9

IJ43970sAa.221024.epkg.Z

7.1.5.10

IJ43970sAa.221024.epkg.Z

7.2.5.3

IJ43876s3a.221025.epkg.Z

7.2.5.3

IJ43876s3b.221213.epkg.Z

7.2.5.4

IJ43876s4a.221017.epkg.Z

7.2.5.5

IJ43876s5a.221212.epkg.Z

7.3.0.1

IJ43891s2a.221018.epkg.Z

7.3.0.2

IJ43891s2a.221018.epkg.Z

7.3.1.1

IJ44595s1a.221212.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7200-05-03.

IJ43876s3a is for AIX 7200-05-03 with bos.perf.perfstat fileset level 7.2.5.101.

IJ43876s3b is for AIX 7200-05-03 with bos.perf.perfstat fileset level 7.2.5.100.

VIOS Level

Interim Fix

3.1.2.21

IJ44114s2a.221102.epkg.Z

3.1.2.30

IJ44114s2a.221102.epkg.Z

3.1.2.40

IJ44114s2a.221102.epkg.Z

3.1.3.10

IJ43876s3b.221213.epkg.Z

3.1.3.14

IJ43876s3a.221025.epkg.Z

3.1.3.21

IJ43876s4a.221017.epkg.Z

3.1.4.10

IJ43876s5a.221212.epkg.Z

For the pfcdd kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43980sAa.221024.epkg.Z

7.1.5.9

IJ43980sAa.221024.epkg.Z

7.1.5.10

IJ43980sAa.221024.epkg.Z

7.2.5.3

IJ43877s3a.221025.epkg.Z

7.2.5.4

IJ43877s4a.221017.epkg.Z

7.3.0.1

IJ43893s1a.221027.epkg.Z

7.3.0.2

IJ43893s2a.221018.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

VIOS Level

Interim Fix

3.1.2.21

IJ44116s2a.221102.epkg.Z

3.1.2.30

IJ44116s2a.221102.epkg.Z

3.1.2.40

IJ44116s2a.221102.epkg.Z

3.1.3.10

IJ43877s3a.221025.epkg.Z

3.1.3.14

IJ43877s3a.221025.epkg.Z

3.1.3.21

IJ43877s4a.221017.epkg.Z

The fixes are cumulative and address previously issued AIX/VIOS kernel security bulletins with respect to SP and TL, which includes:

https://aix.software.ibm.com/aix/efixes/security/kernel\_advisory4.asc

https://www.ibm.com/support/pages/node/6619721

https://aix.software.ibm.com/aix/efixes/security/kernel\_advisory3.asc

https://www.ibm.com/support/pages/node/6558948

https://aix.software.ibm.com/aix/efixes/security/kernel\_advisory2.asc

https://www.ibm.com/support/pages/node/6483875

https://aix.software.ibm.com/aix/efixes/security/trace\_advisory.asc

https://www.ibm.com/support/pages/node/6464369

To extract the fixes from the tar file:

tar xvf kernel\_fix5.tar

cd kernel\_fix5

Verify you have retrieved the fixes intact:

The checksums below were generated using the

"openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

5f14f1ce6115aaea99abc509e8f9c29d66f449e28cbdff957a78f98a0d2c1319

IJ41974s3a.221025.epkg.Z

f461d5ac0225674d0b5fd2ce0ea1314c413f73d941e3cab1df2a8e907e479c81

IJ41974s3b.221213.epkg.Z

7353aec35438c207ecd34e9efd8773f8d2cf623ff3aaf1c9b21a8c6cc6389ba3

IJ41974s4a.221017.epkg.Z

ac6aac0b2364a1dccf99133869bcf5962a30d14c44abd72985d58b070b3e7743

IJ41975m3a.221027.epkg.Z

9320a9ecad0ed683f838f484a512de20f88d281940b63e13f334dbac0e023dd1

IJ41975m3b.221212.epkg.Z

53ed081ce54eaf4a278761c7b80b72e28643d3f07a8ab54b2977652b1cfa9410

IJ41975s4a.221017.epkg.Z

dd932b380464cc89938b42bf845d08d1aee3ab6a50ca7bc57292ddda34b849be

IJ42159s3a.221025.epkg.Z

0ad3ac0184e19719156e0b1c4af6f97501a64bb3a26543ddbda27cc975c8ad76

IJ42159s3b.221213.epkg.Z

ce81ba4ce3db613bb6635ff1496c4b65a0a09c24f8f6d0dd96606bc48b420cf5

IJ42159s4a.221017.epkg.Z

4b3d56260e136ad0b4484db0d2b4dd3924a97c5bc839f80d7ea4c21c42eb3840

IJ42937s1a.221027.epkg.Z

7081ec434fa5ff2c976f935aa6b51f4f51f6641dfd6132640c73dbaea7a6c1cf

IJ42937s2a.221018.epkg.Z

6f6d8cf2b6a52f409fa29dc72ef2ada536ea67dc907769c384f88fa60a39b622

IJ42938m1a.221027.epkg.Z

581acd69242d1f86779590e5ed0734de72b6f2452a6b499dceaa8c2b4eadad7d

IJ42938s2a.221018.epkg.Z

7d5e82ac6027d9fb1b4546a1de78220af56e77b87d2b7cb744d544aa64b20c62

IJ43072s8a.221110.epkg.Z

dc281b603fe5b7d7aa79e061a60e01f7a39eaa30233b545ee760798208ac6adf

IJ43072sAa.221024.epkg.Z

c6701b36ff490220433aa81466f5a60e182ba2559e07df7fdbd986329e187e1a

IJ43098s8a.221110.epkg.Z

1aeded2670910f1aeb2c07cef08d2d6afce788e8de58794db1e93567b5dbed77

IJ43098s9a.221102.epkg.Z

3ac4dd5bc1f3688a2b73e0da29c64cbafff025e7c1a05b5008752d3c8d8b5835

IJ43098s9b.221213.epkg.Z

470310e914d030445412685cd06897804a547b6f26f5b12499c9c3012906083f

IJ43098sAa.221024.epkg.Z

dad650e7a3f3ac27cc4ca0c3df9bbb1b0dc60ca449f0127398f7c2686c4fb67f

IJ43099m8a.221110.epkg.Z

a5eef69f5ad7999aac0090c6f44f2b830ed5fe704a03650c78834300433fefd6

IJ43099m9a.221102.epkg.Z

0690a7f9c117bb685540bda389f4f4a99020a45927a5481e72256f1912b2b5a0

IJ43099m9b.221213.epkg.Z

643694ee61b99af1d32f3723c056480c752d70d2f4c824f2e02cacf1489966f4

IJ43099sAa.221024.epkg.Z

7e4791c2b339034a6e20fb2d14968a2570795e0c292a4693e79b609d7f947a49

IJ43468s1a.221025.epkg.Z

87ea6d1ce409ae51ad7e10007bf52d0531e58d921553ada09b7da4d24fbdc6ef

IJ43468s2a.221017.epkg.Z

36fb6866347a3b4499d752edfdcade8fedd683d0514bb45b356fb69b0e77243a

IJ43598s2b.221027.epkg.Z

49d5cbd9ba461b2477eade7ee16964437fc85b32ea285f747e9286f7d3c32d35

IJ43598s2c.221213.epkg.Z

fba350df9177bab36d6f869a7debc8b5d29c8a6b3a3a7216a1dd3ac50d0179b9

IJ43598s2d.221213.epkg.Z

c423961037b20a89416d095b0385fcdbc69c9fb51b005c342945d14e5aab9294

IJ43674s2b.221027.epkg.Z

e61c7a4e495cf2da86d239f84c275f52fac696880142c603477f038cdfc55df5

IJ43674s2c.221213.epkg.Z

158e99123e6a6eb8909943a3438c032ba3f06248e6da4c6402e9efd3ce3900aa

IJ43869m3a.221025.epkg.Z

7bc058cb39721fea6c11e79a45e5e2cf8501ea762169dba214be9849ddb727d8

IJ43869m3b.221212.epkg.Z

c416914cd934f8235c9c39937d70437ab1193533142412f9726dae10cc1ff6b4

IJ43869m4a.221017.epkg.Z

2cea6bd4f5e87074bb7e4999e53cc6105cbb060c0e43d65e7a00ace071fea97f

IJ43869s5a.221212.epkg.Z

e8e91cb5a7446dd7cdeafd6f22ebd007bfcb5df7151fc1cc02888ad7859a1ba4

IJ43875m1a.221025.epkg.Z

33b719eb2216776a0cafca012771db3dc1cdf7676dbb9a8d3611e24795d1d7bb

IJ43875m2a.221017.epkg.Z

cb9e693c29e1d2f33c3a304779491030fb9233a3c5a60dc116a8acef3cc349ce

IJ43876s3a.221025.epkg.Z

5f44726c3402cacf73de3e91b5b518895e1e1a0d47141855319e48dd40d81d17

IJ43876s3b.221213.epkg.Z

e7ac8b7326ea273723968938f7405c0b105ec1413cb3c4ca6db54d91e13977e3

IJ43876s4a.221017.epkg.Z

d4815878bc65ba7524718d0b75f211f7bf5e8c97ed644894843309fdc312cdaf

IJ43876s5a.221212.epkg.Z

56f4a15bd4b5c33642207323dc1d21262f7558ad7879d5fc3f8c6f5fdf020ca1

IJ43877s3a.221025.epkg.Z

466c3b4a3238e68226ff7886771ec37d0787a964b8a27dba5d01f3a51c610af4

IJ43877s4a.221017.epkg.Z

68e3dadd864733d1edd5c59228fb0d6418829689a3395396f2237f9782093110

IJ43891s2a.221018.epkg.Z

714238ea24f04de93378bf879d1ab1b1dc1592a73732bd345915b16849940c9d

IJ43893s1a.221027.epkg.Z

c3b40b12d60119453b32c1b0cd73d560c7b7755703c62bff138d986dd78c3c4c

IJ43893s2a.221018.epkg.Z

3342e50f48f0c995d4ab0ed852cbc3f782b05be4938bffddd06bdcd206fe5b13

IJ43967m8a.221110.epkg.Z

307f93cee2e4767d2cedec1c705acfbd099d7b8b32c8853bcfa18ff762a6fc1f

IJ43967m9a.221102.epkg.Z

952d2e4b8888ea3beca7fbe6841191fdd58675f3640e4018d0f9de430016c504

IJ43967m9b.221111.epkg.Z

f819756d2d2ab6094ae4744babbf9cc10d47e04484973dac44a736029e741e21

IJ43967mAa.221024.epkg.Z

e7f8b39a6df86429f9859e7e6364a37b73de53952fd8cb69a570ab6397196055

IJ43970sAa.221024.epkg.Z

51589ea00f8e6574d563e71ae33604d7b7397391482165495aa27d867926354c

IJ43980sAa.221024.epkg.Z

64a961365a68e435e35313e7bd5fda2b2f1d93c84a266e1dddfe792b3b43efdd

IJ43995m2a.221025.epkg.Z

20f41357e75da7a386de8990c92a781c32de92fbfaa6bc56eda09685dcf979ea

IJ43995m2b.221027.epkg.Z

541cee83f622844dd0c6ca50515e3d41e6a6727c7a1264ca67ca696c8c7984d1

IJ43995m2c.221212.epkg.Z

c89483dc79d4132f32bc41211696616c4707c253a4c452a2829b122d1b19db06

IJ44114s2a.221102.epkg.Z

9cb895991f8a94f66ef77985cacec5a5f7018f97dd2567f403cfb5aeb4d43f73

IJ44115m2a.221102.epkg.Z

7c5490016562d664d5d7a68ef2669407053ccb2175f8b0f13a3dd1197e1287d0

IJ44115m2b.221213.epkg.Z

82caf3050ae1ea2120e3fc6aec0e4387f51c7e8b1b28993d799dc4c7bdd066a2

IJ44116s2a.221102.epkg.Z

9b8f2f3a5a17596b2388e01fb4006a937d363f3b044b27ff817081b0d4b2c915

IJ44594s1a.221212.epkg.Z

1af43848b2d615d9a341b5b9d79a36d6ce61b3f7911808c0a07e5a14189cd33e

IJ44595s1a.221212.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy. 

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/kernel\_advisory5.asc.sig

https://aix.software.ibm.com/aix/efixes/security/kernel\_advisory5.asc.sig

ftp://aix.software.ibm.com/aix/efixes/security/kernel\_advisory5.asc.sig

**C. FIX AND INTERIM FIX INSTALLATION**

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all # where fix\_name is the name of the

\# fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all # where fix\_name is the name of the

\# fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg\_name -p # where ipkg\_name is the name of the

\# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X # where ipkg\_name is the name of the

\# interim fix package being installed.

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2022-43848: Security Bulletin: AIX is vulnerable to denial of service vulnerabilities

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the rm_rlcache_file command to obtain root privileges. IBM X-Force ID: 236690.

**Security Bulletin**

  

**Summary**

A vulnerability in the AIX rm\_mlcache\_file user command could allow a non-privileged local user to obtain root privileges (CVE-2022-41290).

**Vulnerability Details**

**CVEID:**   CVE-2022-41290  
**DESCRIPTION:**   IBM AIX could allow a non-privileged local user to exploit a vulnerability in the rm\_mlcache\_file command to obtain root privileges.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236690 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.1

AIX

7.2

AIX

7.3

VIOS

3.1

The vulnerabilities in the following filesets are being addressed:

Fileset

Lower Level

Upper Level

bos.rte.install

7.1.5.0

7.1.5.48

bos.rte.install

7.2.5.0

7.2.5.5

bos.rte.install

7.2.5.100

7.2.5.105

bos.rte.install

7.3.0.0

7.3.0.3

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Example: lslpp -L | grep -i bos.rte.install

**Remediation/Fixes**

**A. APARS**

IBM has assigned the following APARs to this problem:

AIX Level

APAR

SP

7.1.5

IJ42230

SP11

7.2.5

IJ42163

SP05

7.3.0

IJ42234

SP03

VIOS Level

APAR

SP

3.1.2

IJ42232

3.1.2.50

3.1.3

IJ42163

3.1.3.30

Subscribe to the APARs here:

https://www.ibm.com/support/pages/apar/IJ42163

https://www.ibm.com/support/pages/apar/IJ42230

https://www.ibm.com/support/pages/apar/IJ42232

https://www.ibm.com/support/pages/apar/IJ42234

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

**B. FIXES**

IBM strongly recommends addressing the vulnerability now.

The AIX and VIOS fixes can be downloaded via ftp or http from:

ftp://aix.software.ibm.com/aix/efixes/security/rmmlcache\_fix.tar

http://aix.software.ibm.com/aix/efixes/security/rmmlcache\_fix.tar

https://aix.software.ibm.com/aix/efixes/security/rmmlcache\_fix.tar

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

AIX Level

Interim Fix

7.1.5.8

IJ42230mAa.221208.epkg.Z

7.1.5.9

IJ42230mAa.221208.epkg.Z

7.1.5.10

IJ42230mAa.221208.epkg.Z

7.2.5.3

IJ42163m4a.221213.epkg.Z

7.2.5.4

IJ42163m4a.221213.epkg.Z

7.3.0.1

IJ42234m2a.221213.epkg.Z

7.3.0.2

IJ42234m2a.221213.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

Please reference the Affected Products and Version section above for help with checking installed fileset levels.

VIOS Level

Interim Fix

3.1.2.21

IJ42232m2a.221213.epkg.Z

3.1.2.30

IJ42232m2a.221213.epkg.Z

3.1.2.40

IJ42232m2a.221213.epkg.Z

3.1.3.10

IJ42163m4a.221213.epkg.Z

3.1.3.14

IJ42163m4a.221213.epkg.Z

3.1.3.21

IJ42163m4a.221213.epkg.Z

To extract the fixes from the tar file:

tar xvf rmmlcache\_fix.tar

cd rmmlcache\_fix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

151660fafedd0bf43da9579f272cf01fa4435ae6d58a118d9628a91f1dbdfc49

IJ42163m4a.221213.epkg.Z

09f08f7976bb940137be2cf67362481e1b9d892b8ab02e94464fdcbd4be49e00

IJ42230mAa.221208.epkg.Z

9ae3e496e4017b98ff10327ad03778c45e0402a8024c33f257754a8f2bf0aaf8

IJ42232m2a.221213.epkg.Z

8c3a1e7a9dbb76c005158184b88fffa07b16cf3f001565578f7690fb599d9a72

IJ42234m2a.221213.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy. 

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/rmmlcache\_advisory.asc.sig

https://aix.software.ibm.com/aix/efixes/security/rmmlcache\_advisory.asc.sig

ftp://aix.software.ibm.com/aix/efixes/security/rmmlcache\_advisory.asc.sig

**C. FIX AND INTERIM FIX INSTALLATION**

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all # where fix\_name is the name of the

\# fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all # where fix\_name is the name of the

\# fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg\_name -p # where ipkg\_name is the name of the

\# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X # where ipkg\_name is the name of the

\# interim fix package being installed.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

14 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}\]

CVE-2022-41290: Security Bulletin: AIX is affected by a root privilege escalation vulnerability (CVE-2022-41290)

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1could allow a non-privileged local user to exploit a vulnerability in the AIX pfcdd kernel extension to cause a denial of service. IBM X-Force ID: 239170.

CVE-2022-43849: IBM AIX denial of service CVE-2022-43849 Vulnerability Report

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1could allow a non-privileged local user to exploit a vulnerability in the AIX SMB client to cause a denial of service. IBM X-Force ID: 238639.

**Security Bulletin**

  

**Summary**

A vulnerability in the AIX SMB client daemon could allow a non-privileged local user to cause a denial of service (CVE-2022-43381). AIX uses the SMB client daemon to access files on SMB servers.

**Vulnerability Details**

**CVEID:**   CVE-2022-43381  
**DESCRIPTION:**   IBM AIX could allow a non-privileged local user to exploit a vulnerability in the AIX SMB client to cause a denial of service.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238639 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.1

AIX

7.2

AIX

7.3

VIOS

3.1

The following fileset levels are vulnerable:

Fileset

Lower Level

Upper Level

smbc.rte

7.1.0.0

7.1.302.8

smbc.rte

7.2.0.0

7.2.302.8

To determine if your system is vulnerable, execute the following commands:

lslpp -L | grep -i smbc.rte

  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

14 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}\]

CVE-2022-43381: Security Bulletin: AIX is vulnerable to a denial of service due to the AIX SMB client (CVE-2022-43381)

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX TCP/IP kernel extension to cause a denial of service. IBM X-Force ID: 235599.

CVE-2022-40233: IBM AIX denial of service CVE-2022-40233 Vulnerability Report

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1could allow a non-privileged local user to exploit a vulnerability in CAA to cause a denial of service. IBM X-Force ID: 235183.

CVE-2022-39165: IBM AIX denial of service CVE-2022-39165 Vulnerability Report

An issue was discovered in ksmbd in the Linux kernel before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.

Permalink

Browse files

ksmbd: validate length in smb2\_write()

The SMB2 Write packet contains data that is to be written
to a file or to a pipe. Depending on the client, there may
be padding between the header and the data field.
Currently, the length is validated only in the case padding
is present.

Since the DataOffset field always points to the beginning
of the data, there is no need to have a special case for
padding. By removing this, the length is validated in both
cases.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47940: ksmbd: validate length in smb2_write() · torvalds/linux@158a66b

Apache pioneer says ‘use at your own risk’ model no longer tenable as OpenSSF ramps up end user engagement

Apache pioneer says ‘use at your own risk’ model no longer tenable as OpenSSF ramps up end user engagement

The Open Source Security Foundation (OpenSSF) recently adopted Microsoft’s Secure Supply Chain Chain Consumption Framework (S2C2F) to help reduce vulnerabilities in open source software – a once unthinkable partnership given Redmond’s former animosity to open source.

Owner of GitHub since 2016 and a major Linux contributor, Microsoft developed S2C2F in 2019.

The threat-based risk-reduction framework lists supply chain threats to open source software, and provides organizations with guides for assessing their maturity and implementing the framework’s requirements.

The move is just one step OpenSSF is taking to tackle a surge in open source vulnerabilities and sevenfold rise in attacks against the ecosystem.

**Varying degrees of rigor**

For OpenSSF general manager Brian Behlendorf, adopting S2C2F is one highlight of his first year in the post, during which OpenSSF has surpassed 100 members.

Behlendorf is a co-creator of Apache HTTP Server, former CTO of the World Economic Forum, and member of Linux Foundation – which runs the OpenSSF project – since 2014.

“The OpenSSF is a collection of initiatives that aim to make open source software more secure, to more quickly find vulnerabilities, to find ways to get those vulnerabilities fixed more quickly… but also to really address the emerging weaknesses in the global software supply chain,” Behlendorf tells The Daily Swig.

“Frankly, with 70 to 90% of software in any given commercial package being pre-existing open source code, there is no distinction anymore between the world of open source and the world of commercial software,” he suggests.

MUST READ ‘We don’t teach developers how to write secure software’ – Linux Foundation’s David A Wheeler on reversing the CVE surge

Behlendorf also points to the proliferation of open source code through environments such as Kubernetes, and the way this is exposing software components that might not all have been built “to the same degree of rigor.

“Open source software tends to have a pretty decent reputation for security thanks to marquee projects like Linux, where the amount of investment into hardening and into testing and verifying and all that kind of stuff is pretty high,” he says.

“And many other projects have a high degree of diligence when it comes to the integrity and security of code. But not all projects achieve that. And a lot of software, especially the smaller modules, are built frankly by people on the way to doing something else.”

He continues: “They put it up on GitHub, or they throw a package on NPM. They wake up one day and thousands or millions of people are using their package without really thinking about it, or having any way to measure whether one package is more rigorously built and inspected and reviewed than another.”

**Lessons of Log4j**

Part of the OpenSSF’s mission, then, is to improve security practices among developers. This goes hand in hand with helping organizations that use open source code to assess security risks.

“The focus is towards objective measures of risk and ways to programmatically help consumers be smarter about their choices of software, and \[for\] developers realizing that there’s more that they can do to protect their end users,” says Behlendorf.

This has become all the more important since Log4j. “What we've found over the last year is, especially in the wake of Log4j, is a whole lot of folks want to understand better how to systematically reduce risk in the global supply chains. How do we do reduce the chances of the next Log4j?”

This has to be done, he says, to reduce the impact of a vulnerability on the millions of businesses globally that rely on open source software. New processes for software development, more scrutiny of code and software components, better use of software bills of materials (SBOMs), and developer education will all help.

“We can’t say what the next Log4j will be, but we can say which are the 200 packages that have a 1% chance of being the next Log4j,” he says.

RELATED Third of Log4j downloads still pull vulnerable version despite threat of supply chain attacks

Much of the code in use now – both commercial and open source – was not designed to resist today’s threats. The challenge is identifying those vulnerable components, and fixing or mitigating any vulnerabilities. A relatively small increase in investment in security research could, Behlendorf argues, save “billions of dollars of potential impact.

“We’ve been very poor at applying risk to software development,” he says. “It’s all been caveat emptor and good luck. Hopefully we are part of the pivot towards taking a more risk-centered view of how to build critical digital infrastructure.”

**Hesitancy over security updates**

One way of doing this is through the OpenSSF scorecard, which developers can use to check for vulnerabilities affecting source code, build, dependencies, testing, and project maintenance. It’s not foolproof, Behlendorf concedes, but enables developers to take security seriously.

But the industry, and especially developers in end user businesses, face other hurdles. Behlendorf highlights hesitancy around deploying fixes, even when patching known vulnerabilities. The fear is of disrupting a critical system.

Industry needs to convince CIOs “that they can make that update without it having cascading effects on the rest of their infrastructure,” he says. “Many organizations have been burned by doing frequent updates and discovering that that APIs change and old stuff doesn't work.” To address this, developers need to make their code more forward-compatible, as well as automating the process of updates.

Nor do organizations have effective ways of measuring technical debt, and quantifying the security risks posed by outdated code. “Not just open source software, but all commercial software, has always been ‘use at your own risk’,” he explains. And that “no liability” model has been essential for open source ecosystem to grow.

**Partnering with Microsoft**

As a result, software distributors and end users need better tools to identify and reduce risk. This is why OpenSSF has worked with Microsoft to use the S2C2F, despite the acrimonious past between Richmond and open source community.

“That was a long time ago,” says Behlendorf. “Today Microsoft is a major contributor to the Linux kernel. They are heavy spenders on improvements to lots of different open source packages.”

S2C2F will, OpenSSF believes, put more rigor into software development, and should supplement other initiatives such as the SLSA framework. 

The S2C2F will now have its own Special Initiative Group at OpenSSF that, Behlendorf says, will open it up to other vendors and stakeholders.

“Now it's an OpenSSF project, we expect to see participation from other companies,” both vendors and end user firms, he says. The OpenSSF launched an end users working group earlier this year.

End users “build a lot of this kind of internal tooling, and they’re very eager to modernize and update, and align with where industry is heading,” notes Behlendorf.

**Protecting the internet’s dark matter**

The OpenSSF is also working on memory-safe architectures through Prossimo initiative, which works with Rust and the Linux kernel, and recodes resources such as DNS libraries and even network time in a memory-safe way.

“This is like the dark matter what keeps the internet working. And if that stuff goes out, we’re all in really bad, bad shape,” Behlendorf warns.

OpenSSF will also continue to promote SBOMs as a way to increase supply chain transparency. Behlendorf wants SBOMs to be as universal as readme files within software releases, but concedes this must be done without overburdening upstream developers.

He is also realistic about the prospects for improving open source security, envisaging a future not without vulnerabilities, but where only the “incredibly niche” bugs remain.

“There’s no such thing is defect-free code,” he says. “One of my favorite sayings is that the last bug is fixed when the last user is dead!

“We'll never get to a point where there’s zero CVEs, but we should get to the point where getting them fixed is a routine part of IT infrastructure upkeep, and is non-disruptive, particularly for critical infrastructure.

“There is that that phrase: ‘with enough eyeballs all bugs are shallow’. There just aren’t enough eyeballs per line of code out there,” Behlendorf concludes.

RECOMMENDED ‘Security teams often fight against developers taking control’ of AppSec: Tanya Janca on the drive to DevSecOps adoption

Tag

#ios