What happened in September 2014?

A lot has happened this month and since I did not find time to publish anything, here's a list of various arbitrarily selected subjects.

Bash Remote Code Execution Vulnerability (CVE-2014-6271)

A severe vulnerability has been found in the popular bash shell interpreter. Most distributions have issued security advisories to inform their users on how to fix this bug. It is recommended that you upgrade to the latest version as soon as possible. For services that use CGI functionality, a Web Application Firewall is also strongly recommended.

According to Florian Weimer and Stéphane Chazelas, the vulnerability occurs because of how bash uses environment variables to propagate function definitions in the environment. An attacker could form an arbitrary call to a binary from the outside, allowing for remote code execution or denial of service.
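As an added example (not from the advisories or the projects mentioned here), the sketch below shows the kind of check a Web Application Firewall rule or a log review can apply. It relies on two facts: a CGI server copies request headers into HTTP_* environment variables, and unpatched bash treated an environment value beginning with "() {" as a function definition. The function names, the sample log lines and the PLACEHOLDER text are constructed for illustration.

```python
import re

# Pre-patch bash treated an environment value starting with "() {" as an
# exported function definition. No ordinary header value has that shape.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")

# Apache "combined" log format; quoted fields may hold backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)

def cgi_env_name(header):
    """Name of the environment variable a CGI server creates for a request header."""
    return "HTTP_" + header.upper().replace("-", "_")

def flag_headers(headers):
    """Return CGI variable names whose value looks like a function definition."""
    return sorted(cgi_env_name(k) for k, v in headers.items() if FUNC_DEF.match(v))

def scan_log(lines):
    """Return (client, field) pairs for log fields shaped like a function definition."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        client, _request, referer, agent = m.groups()
        for field, value in (("referer", referer), ("user-agent", agent)):
            if FUNC_DEF.match(value):
                hits.append((client, field))
    return hits

# Constructed sample data (documentation addresses, placeholder trailing text).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; PLACEHOLDER"',
    '203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { x; }; PLACEHOLDER" "curl/7.38.0"',
]

if __name__ == "__main__":
    for client, field in scan_log(SAMPLE_LOG):
        print(f"{client}: function-definition prefix in {field}")
```

A filter like this only narrows exposure for CGI front ends; upgrading bash remains the fix.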

Would you like to know more?

Debian.org - Debian Security Advisory #3032

Fedora 21 Alpha Released

Fedora 21 Alpha was released yesterday. This release will be split into different "products": Fedora Cloud, Fedora Server and Fedora Workstation. These versions will pull their packages from the same repositories, but the default packages installed will differ to better reflect each typical use.

I gave F21 Workstation a shot with the live disk, just to take some screenshots and rapidly check out Gnome 3.14 (even though I'm not a fan of the new Gnome). I am fairly confident about this release.

I hope they will improve the stability of the graphical Anaconda installer with the upcoming release candidate. I had some trouble setting up CentOS 7 last week with a customized partitioning scheme due to various crashes.

For those who prefer screenshots to words, enjoy.

Would you like to know more?

Fedoraproject.org - Alpha release announcement

Home Depot Customer Data Leak

Last week, Home Depot released a press statement after reports had been floating in the media about a serious breach of its payment system in Canada and in the United States. The company confirms that criminals have put at risk "approximately" 56 million payment cards from April to September 2014. This is an even larger breach than Target's leak of 40 million credit cards.

Canadians using chip + PIN might not be affected. There is no confirmation yet. Americans are not so fortunate since they still use the magnetic strip, which is easily read and cloned. Be sure to check your monthly bank statements and report any suspicious transactions.

How many of these security breaches do we need to start punishing the irresponsible corporate culture? It seems like there are more credit card leaks every year.

Would you like to know more?

Home Depot press statement (PDF File)

Vim as Pid 1

Now that's something interesting! I remember having read about setting emacs as /sbin/init but I have always been a Vi(m) guy. I guess having Vim as init could be useful if we ever get to the point where all our appliances have microprocessors in them, and somehow, a coffee machine is the only thing at hand to code with.

According to Remy van Elst, you just need to compile Vim statically and set it as the init process. In his guide, he uses Tiny Core Linux, an extremely small distribution of the Linux kernel with Busybox.

Would you like to know more?

Raymii.org - Boot to Vim, Vim as Pid 1