Thursday May 05, 2016

Slashdot: Scientists Grow Two-Week-Old Human Embryos In Lab For The First Time

(posted on Thursday May 05, 2016 at 18:01 AWST)

An anonymous reader writes: According to Reuters, "Using a culture method previously tested to grow mouse embryos outside of a mother, the teams were able to conduct almost hour by hour observations of human embryo development to see how they develop and organize themselves up to day 13." Brave new world, here we come. From the report: "The work, covered in two studies published on Wednesday in the journal Nature and Nature Cell Biology, showed how the cells that will eventually form the human body self-organize into the basic structure of a post-implantation human embryo. As well as advancing human biology expertise, the knowledge gained from studying these developments should help to improve in-vitro fertilization (IVF) treatments and further progress in the field of regenerative medicine, the researchers said. But the research also raises the issue of an international law banning scientists from developing human embryos beyond 14 days, and suggests this limit may have to be reviewed. 'Longer cultures could provide absolutely critical information for basic human biology,' said researcher Zernicka-Goetz. 'But this would of course raise the next question - of where we should put the next limit.'"

Read more of this story at Slashdot.

DFES Emergency Alerts: Prepare for flooding in parts of the Kimberley and Pilbara

DFES Emergency Alerts (posted on Thursday May 05, 2016 at 16:42 AWST)

Category: Flood
Alert Summary: People in the Kimberley and Eastern Pilbara should prepare for possible minor flooding expected Saturday.
Content:

People in the Kimberley and Eastern Pilbara should prepare for possible minor flooding expected Saturday.

There is no immediate danger but you need to keep up to date in case the situation changes.

WHAT TO DO:

DFES advises you to: 

  • Prepare to relocate equipment and livestock early so they are not caught in floodwaters.
  • Prepare an emergency kit including enough canned food and water to last for four days, as well as clothing, important documents and medication.
  • Fill your vehicle's fuel tank.
  • Watch for changes in water levels so you are ready if you need to relocate.
  • Never walk, swim or play in floodwaters, as they are dangerous.
  • Stay out of rivers, this includes no swimming or kayaking.
  • Do not park or camp adjacent to rivers.

IF DRIVING:

  • Be careful at crossings and floodways as river levels may rise rapidly.
  • Obey road closure signs and do not drive into water of unknown depth and current.
  • Take care on gravel and unsealed roads as they may be slippery and muddy, and you could get bogged.
  • Carry extra food and water when travelling in case of long delays at crossings.

ROAD CLOSURES:

People travelling along Gibb River Road should keep up to date with road conditions. 

Road information may also be available from Main Roads WA by calling 138 138 or visiting www.mainroads.wa.gov.au 

FLOOD DETAILS: 

As at 3.55pm the Bureau of Meteorology advises there is a Flood Watch for the Kimberley, Pilbara and Interior Districts.

A broad trough extends from the Kimberley coast to the Pilbara and into the inland Gascoyne. The trough will move eastwards late Friday and during Saturday. Moderate to heavy rainfall is forecast to develop in the eastern parts of the Pilbara district on Friday and Saturday.

River rises with areas of localised flooding may occur in the western catchments of the Kimberley District over the next few days. Catchments likely to be affected include: Prince Regent River, Isdell River, Lennard River and Cape Leveque Coast.

River rises with areas of localised flooding may occur in the north eastern catchments of the Pilbara District over the next few days. Catchments likely to be affected include: De Grey River and Pilbara Coastal Rivers.

River rises with areas of localised flooding may occur in the northern parts of the Interior District over the next few days.

Current river levels are available from Department of Water at www.water.wa.gov.au.

IF YOU NEED ASSISTANCE:

  • For SES assistance call 132 500.
  • In a life threatening situation call 000.

KEEP UP TO DATE:

Visit www.dfes.wa.gov.au, call 13 DFES (13 3337), follow DFES on Twitter @dfes_wa or listen to news bulletins.

For the latest flood information call 1300 659 213 or visit www.bom.gov.au/wa/flood. 

The next update will be issued when the situation changes.

Publication Time: 5/05/2016 4:38 PM

Slashdot: Star Wars Buttons And Lights You May Have Missed

(posted on Thursday May 05, 2016 at 15:01 AWST)

tedlistens writes: At Motherboard, Alex Pasternack writes: "Star Wars is set in a world of wildly advanced technology. But take a good look at the machinery of Star Wars, and you may be surprised to see how wonderfully analog it all is -- buttons! levers! vector graphics! Yes, there are hyperdrives and lightsabers and hologram Princess Leias and droids that know six million languages (including the language of moisture vaporators, along with various etiquette and diplomatic protocols useful across the galaxy). But it's also a world where sometimes you have to hit a robot to get it to work, like an old dashboard radio, a place where the supercomputers are operated manually and where buttons and control panels and screens seem far removed from our own galaxy: tactile, lo-fi, and elegantly simple." May the 4th be with you.

Slashdot: Hacker Guccifer Claims He Easily and Repeatedly Broke Into Hillary Clinton's Email Server

(posted on Thursday May 05, 2016 at 11:15 AWST)

An anonymous reader quotes a report from Fox News: The infamous Romanian hacker known as "Guccifer," speaking exclusively with Fox News, claimed he easily -- and repeatedly -- breached former Secretary of State Hillary Clinton's personal email server in early 2013. In the process of mining data from the Blumenthal account, Lazar said he came across evidence that others were on the Clinton server. "As far as I remember, yes, there were up to 10, like, IPs from other parts of the world," he said. From the report: "'For me, it was easy ... easy for me, for everybody,' Marcel Lehel Lazar, who goes by the moniker 'Guccifer,' told Fox News from a Virginia jail where he is being held. Fox News could not independently confirm Lazar's claims. The 44-year-old Lazar said he first compromised Clinton confidant Sidney Blumenthal's AOL account, in March 2013, and used that as a stepping stone to the Clinton server. He said he accessed Clinton's server 'like twice,' though he described the contents as 'not interest[ing]' to him at the time." Guccifer was sent to prison last month, which is when his potential role in the Clinton email investigation became apparent.

Slashdot: DuckDuckGo Is Giving Away $225,000 To Support Open Source Projects

(posted on Thursday May 05, 2016 at 09:31 AWST)

An anonymous reader writes: Google Search competitor DuckDuckGo announced it will be giving away a total of $225,000 to support nine open source projects; each project will receive $25,000. DuckDuckGo said it performed 3 billion searches in 2015. It differs from many other search engines as it offers private, anonymous internet search. It doesn't gather information about you to sell ads to marketeers, like Google. Instead, it shows generic ads as it's part of the Microsoft/Bing/Yahoo ad network. It also has revenue-sharing agreements with certain companies in the Linux and open source worlds, and makes money from select affiliate links. The $225,000 DuckDuckGo is giving away is chump change compared to the $100 million Google gives away in grants every year. However, for the select projects, it should still be very beneficial. Last year, DuckDuckGo gave away a total of $125,000 to open source projects, so it's nice to see them donate an extra $100,000 to a good cause.

Slashdot: Microsoft Overhauls SharePoint To Compete With Slack In The Mobile Era

(posted on Thursday May 05, 2016 at 08:48 AWST)

An anonymous reader quotes a report from The Verge: Microsoft is overhauling SharePoint today, and introducing iOS, Android, and Windows 10 Mobile apps. The iOS SharePoint app will arrive by the end of June, with the Android and Windows 10 Mobile versions due for release later this year. All of the mobile apps are designed to make SharePoint more accessible on the go, allowing users to access things like corporate intranet sites and content. Alongside the new apps, Microsoft is also providing access to SharePoint Online document libraries in OneDrive mobile apps, and the ability to copy from OneDrive to SharePoint. Microsoft plans to synchronize SharePoint Online document libraries with the new OneDrive sync client by the end of the year, and integrate SharePoint sites with Office 365 Groups. Microsoft's new Flow service, which lets you automate tasks, will also be integrated into SharePoint by the end of the year.

Slashdot: Man Sets World Record With 25 Continuous Hours In Virtual Reality

(posted on Thursday May 05, 2016 at 08:05 AWST)

An anonymous reader writes: Derek Westerman has made it in the Guinness Book of World Records by spending 25 straight hours in virtual reality. He used the HTC Vive and spent his entire time playing Tilt Brush. "Guinness has a whole set of rules and regulations, one of those being 'one game only the whole time.' I wanted to pick something that gave me the most freedom," Westerman says, "And painting in 3D space for 25 hours seemed like the best bet." At around the 17th hour mark, Westerman reportedly experienced some vertigo and threw up into a bucket provided for him by an assistant. The same bucket was used around the 6th hour mark when Westerman had to urinate. Then around the 21st hour, he starts babbling incoherently while waving the Vive controllers around, saying at one point, "I don't know where I'm at..." The video of the event has been released on Wednesday, even though Guinness lists the record as being achieved on April 7th.

Slashdot: In Search Of A Healthy Gut, One Man Turned To An Extreme DIY Fecal Transplant

(posted on Thursday May 05, 2016 at 07:22 AWST)

Josiah Zayner writes: Arielle Duhaime-Ross at The Verge followed Dr. Josiah Zayner, a former scientist at NASA turned biohacker, as he attempted the first ever full-body microbiome transplant. She writes: "Over the course of the next four days, Zayner would attempt to eradicate the trillions of microbes that lived on and inside his body -- organisms that helped him digest food, produce vitamins and enzymes, and protected his body from other, more dangerous bacteria. Ruthlessly and methodically, he would try to render himself into a biological blank slate. Then, he would inoculate himself with a friend's microbes -- a procedure he refers to as a 'microbiome transplant.'"

EEV Blog: EEVblog #875 – NI VirtualBench Teardown

EEV Blog (posted on Thursday May 05, 2016 at 07:09 AWST)

Inside the National Instruments NI VB-8034 VirtualBench: a 350MHz, 4-channel mixed-signal oscilloscope, arbitrary waveform generator, power supply and I/O module that connects to a PC, tablet or phone via USB, WiFi or Ethernet.

Datasheets:
Xilinx Kintex 7
ADC08D1520 ADC
CRF Reed Relay
High Speed OpAmp

National Instruments VirtualBench Teardown

Slashdot: 'Largest Recall In American History': Takata To Recall Nearly 70 Million Airbags

(posted on Thursday May 05, 2016 at 06:39 AWST)

An anonymous reader writes: Federal regulators are ordering Japanese supplier Takata to recall as many as 40 million additional airbags linked to a defect already blamed for at least 11 deaths, bringing the total number of faulty airbags in the U.S. to 69 million. Previously, the recall involved about 24 million vehicles sold in the U.S. over roughly the last decade, with 14 manufacturers impacted. With the latest recall, almost every other major carmaker will now be pulled. "This is the largest recall in American history," National Highway Traffic Safety Administrator Mark Rosekind told reporters on Wednesday. Initial estimates said 35-40 million airbags were to be recalled. And because some vehicles use more than one Takata airbag, the total number of vehicles will likely be smaller. Now it's considered highly likely that the total number of cars, trucks and crossovers will now top the 50 million mark, and as many as a quarter of all vehicles on U.S. roads could be covered. The NHTSA has reported that just over 8 million vehicles had been fixed as of April 22. The airbags have so far been tied to at least 10 U.S. deaths and more than 100 injuries -- two more fatalities in Malaysia were confirmed Wednesday. "The exploding airbags can send shrapnel into the faces and necks of victims, leaving them looking as if they had been shot or stabbed," according to Fox 59.

Slashdot: YouTube To Launch 'Unplugged' Online TV Service In 2017

(posted on Thursday May 05, 2016 at 05:56 AWST)

An anonymous reader quotes a report from Bloomberg: YouTube is working on a paid subscription service called Unplugged that would offer customers a bundle of cable TV channels streamed over the Internet, people familiar with the plan said. The project, for which YouTube has already overhauled its technical architecture, is one of the online video giant's biggest priorities and is slated to debut as soon as 2017, one of the people said. YouTube executives have discussed these plans with most major media companies, including Comcast Corp.'s NBCUniversal, Viacom Inc., Twenty-First Century Fox Inc. and CBS Corp., but have yet to secure any rights, said the people, who asked not to be identified because the talks are private. There are reportedly several different ways YouTube could package TV channels in the service. "In one scenario, it would build a bundle of channels with the four U.S. broadcast networks and a smattering of popular cable channels, a concept known in the industry as a skinny bundle," reports Bloomberg. "YouTube has also discussed offering a collection of less-watched TV channels and creating smaller groups of channels around themes. A YouTube Unplugged comedy bundle might include three or four TV channels such as Comedy Central, while a lifestyle bundle might include the Style Network." Apparently, sources familiar with the matter said YouTube would charge one subscription for the main bundle, and extra, smaller monthly fees for said theme-based groups.

Slashdot: Robot Stitches Tissue By Itself Without A Real Doctor Pulling The Strings

(posted on Thursday May 05, 2016 at 05:13 AWST)

An anonymous reader writes: Scientists have created a robotic system that is capable of stitching up tissue in living animals without a human doctor pulling the strings. Wednesday's research brings us one step closer toward autonomous surgical robots. While doctors did supervise the robot, the robot performed as well as, and in some cases a bit better than, some competing surgeons in stitching together intestinal tissue of pigs used in the tests. Wednesday's project is "the first baby step toward true autonomy," said Dr. Umamaheswar Duvvuri of the University of Pittsburgh Medical Center. He cautioned others to not expect to see doctors leave entire operations in a robot's digital hands -- yet. The tissue-stitching robot is designed to do one specific task, similar to machines in other industries. For example, robot arms do the welding and painting in most U.S. car assembly lines. The Smart Tissue Autonomous Robot (STAR) system is equipped with suturing equipment plus smart imaging technologies to let it track moving tissue in 3D and with an equivalent of night vision. Sensors have been added to help guide each stitch and tell how tightly to pull. All the surgeons have to do is place fluorescent markers on the tissue that needs stitching, and the robot takes aim. Human studies should begin within the next few years. The STAR system is just one of many up-and-coming robots to put surgery into the hands of non-surgeons.

Slashdot: Google Encrypts All Blogspot Domains With HTTPS

(posted on Thursday May 05, 2016 at 04:30 AWST)

Reader Mickeycaskill writes: Google is continuing its crusade to encrypt the web by enabling an HTTPS version of every single domain hosted on Blogspot. The search giant started the rollout last September, but as an opt-in service. Now users can opt to visit an HTTPS version of a site without its participation, while administrators can turn on an automatic redirect so all visitors are sent to the encrypted version. "HTTPS is fundamental to internet security; it protects the integrity and confidentiality of data sent between websites and visitors' browsers," said Milanda Perera, security software engineer at Google. Google already encrypts its search results, Google Drive and Gmail, while it also ranks HTTPS-enabled sites higher in the search. Blogspot rival WordPress began rolling out HTTPS in 2014.

Ubuntu Security Notices: Security Confinement in Ubuntu Core

(posted on Thursday May 05, 2016 at 04:29 AWST)

snappy Ubuntu Core

The much anticipated release of Ubuntu 16.04 LTS included integrated support for snaps on classic Ubuntu.

Ubuntu Core is a modern software platform that includes the ability to define rich interfaces between snaps that control their security and confinement, comprehensive observation and control of system changes, completion and undoing of partial system changes across restarts/reboots/crashes, macaroon-based authentication for local access and store access, preliminary development mode, a polished filesystem layout and CLI experience, modern sequencing of revisions, and so forth.

The previous post in this series described the reassuring details behind how snappy does system changes. This post will now cover interfaces, the mechanism that controls the confinement and integration of snaps with other snaps and with the system itself.

A snap interface gives one snap the ability to use resources provided by another snap, including the operating system snap (ubuntu-core is itself a snap!). That’s quite vague, and intentionally so. Software interacts with other software for many reasons and in diverse ways, and Snappy is a platform that has to mediate all of that according to user needs.

In practice, though, the mechanism is straightforward and pleasant to deal with. Without any snaps in the system, there are no interfaces available:

% sudo snap interfaces
error: no interfaces found

If we install the ubuntu-core snap alone (done implicitly when the first snap is installed), we can already see some interface slots being provided by it, but no plugs connected to them:

% sudo snap install ubuntu-core
75.88 MB / 75.88 MB [=====================] 100.00 % 355.56 KB/s 

% snap interfaces
Slot                 Plug
:firewall-control    -
:home                -
:locale-control      -
(...)
:opengl              -
:timeserver-control  -
:timezone-control    -
:unity7              -
:x11                 -

The syntax is <snap>:<slot> and <snap>:<plug>. The lack of a snap name is a shorthand notation for slots and plugs on the operating system snap.

Now let’s install an application:

% sudo snap install ubuntu-calculator-app
120.01 MB / 120.01 MB [=====================] 100.00 % 328.88 KB/s 

% snap interfaces
Slot                 Plug
:firewall-control    -
:home                -
:locale-control      -
(...)
:opengl              ubuntu-calculator-app
:timeserver-control  -
:timezone-control    -
:unity7              ubuntu-calculator-app
:x11                 -

At this point the application should work fine. But let’s instead see what happens if we take away one of these interfaces:

% sudo snap disconnect \
             ubuntu-calculator-app:unity7 ubuntu-core:unity7 

% /snap/bin/ubuntu-calculator-app.calculator
QXcbConnection: Could not connect to display :0

The installed application depends on unity7, which is itself based on X11, to display itself. When we disconnected the interface that granted it access to those resources, the application could no longer use them.

The security minded will observe that X11 is not in fact a secure protocol. A number of system abuses are possible when we hand an application this permission. Other interfaces such as home would give the snap access to every non-hidden file in the user’s $HOME directory (those that do not start with a dot), which means a malicious application might steal personal information and send it over the network (assuming it also defines a network plug).
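One way to audit what such a listing grants, as an added example that is not part of the original post or of snapd: the script parses `snap interfaces` output in the format shown above, expands the no-snap-name shorthand to ubuntu-core, and reports connections to the interfaces the post calls out (x11, unity7, home, network, firewall-control), including a snap that holds both home and network. The sample listing is constructed from the post's output plus two hypothetical snaps (example-backup, example-chat), and the comma-separated format for several plugs on one slot is an assumption.

```python
"""Audit `snap interfaces` output for sensitive connections.

Added example, not code from the Ubuntu Core post or from snapd. It parses
the two-column "Slot  Plug" listing shown in the post, expands the
no-snap-name shorthand to the operating system snap, and reports which
snaps hold interfaces the post calls out as sensitive, including the
home + network combination that would let a snap read personal files and
send them off the machine.

Assumptions: the OS snap is named ubuntu-core (as in the post); a plug given
as a bare snap name uses the slot's interface name; several plugs on one
slot are printed comma-separated. The sample listing is constructed from the
post's output plus two hypothetical snaps (example-backup, example-chat).
"""
from collections import defaultdict

OS_SNAP = "ubuntu-core"

# Interfaces the post describes as granting broad access (constructed notes).
SENSITIVE = {
    "home": "access to every non-hidden file under $HOME",
    "network": "outbound network access",
    "firewall-control": "ability to change firewall rules",
    "x11": "X11 display access; X11 is not a secure protocol",
    "unity7": "Unity 7 desktop integration, built on X11",
}

# Constructed sample: the post's listing with example-backup and example-chat
# added on the home and network slots.
SAMPLE_OUTPUT = """\
Slot                 Plug
:firewall-control    -
:home                example-backup
:locale-control      -
(...)
:network             example-backup,example-chat
:opengl              ubuntu-calculator-app
:timeserver-control  -
:timezone-control    -
:unity7              ubuntu-calculator-app
:x11                 -
"""


def qualify(ref, iface):
    """Make a slot/plug reference explicit as <snap>:<name>."""
    if ref.startswith(":"):          # ":home" -> OS snap's slot/plug
        return OS_SNAP + ref
    if ":" in ref:                   # already "<snap>:<name>"
        return ref
    return f"{ref}:{iface}"          # bare snap name -> plug named like the slot


def parse_interfaces(text):
    """Return {slot: [plug, ...]} from `snap interfaces` output.

    "-" in the Plug column means nothing is connected; a "(...)" line (the
    post's elision) is skipped.
    """
    lines = text.strip().splitlines()
    if not lines or lines[0].split()[:2] != ["Slot", "Plug"]:
        raise ValueError("expected a 'Slot  Plug' header line")
    connections = {}
    for line in lines[1:]:
        parts = line.split()
        if not parts or parts == ["(...)"]:
            continue
        if len(parts) != 2 or ":" not in parts[0]:
            raise ValueError(f"unexpected line: {line!r}")
        slot = qualify(parts[0], None)
        iface = slot.split(":", 1)[1]
        plugs = [] if parts[1] == "-" else [qualify(p, iface) for p in parts[1].split(",")]
        connections[slot] = plugs
    return connections


def audit(connections):
    """Return (plug, slot, why) for each connection to a sensitive interface,
    then (snap, "-", why) for any snap holding both home and network."""
    findings = []
    held = defaultdict(set)
    for slot, plugs in sorted(connections.items()):
        iface = slot.split(":", 1)[1]
        for plug in plugs:
            held[plug.split(":", 1)[0]].add(iface)
            if iface in SENSITIVE:
                findings.append((plug, slot, SENSITIVE[iface]))
    for snap, ifaces in sorted(held.items()):
        if {"home", "network"} <= ifaces:
            findings.append((snap, "-", "holds home and network: can read "
                             "personal files and send them off the machine"))
    return findings


def disconnect_command(plug, slot):
    """The command that revokes one connection, in the post's own form."""
    return f"sudo snap disconnect {plug} {slot}"


if __name__ == "__main__":
    for plug, slot, why in audit(parse_interfaces(SAMPLE_OUTPUT)):
        print(f"{plug:32} {slot:28} {why}")
        if slot != "-":
            print(f"    fix: {disconnect_command(plug, slot)}")
```

Run it against the real output of `snap interfaces` on a system to get the same report for installed snaps.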

Some might be surprised that this is the case, but this is a misunderstanding about the role of snaps and Snappy as a software platform. When you install software from the Ubuntu archive, that’s a statement of trust in the Ubuntu and Debian developers. When you install Google’s Chrome or MongoDB binaries from their respective archives, that’s a statement of trust in those developers (these have root on your system!). Snappy is not eliminating the need for that trust, as once you give a piece of software access to your personal files, web camera, microphone, etc, you need to believe that it won’t be using those allowances maliciously.

The point of Snappy’s confinement in that picture is to enable a software ecosystem that can control exactly what is allowed and to whom in a clear and observable way, in addition to the same procedural care that we’ve all learned to appreciate in the Linux world, not instead of it. Preventing people from using all relevant resources in the system would simply force them to use that same software over less secure mechanisms instead of fixing the problem.

And what we have today is just the beginning. These interfaces will soon become much richer and more fine grained, including resource selection (e.g. which serial port?), and some of them will disappear completely in favor of more secure choices (Unity 8, for instance).

These are exciting times for Ubuntu and the software world.

Slashdot: Students Can Now Fly Drones At School, FAA Says

(posted on Thursday May 05, 2016 at 04:00 AWST)

An anonymous reader writes: It will now be easier for students to pilot drones as part of their schoolwork, thanks to new Federal Aviation Administration rules that exempt high schools and colleges from the more stringent aircraft regulations placed on businesses. In a memo released Wednesday outlining the new guidelines, federal regulators have designated drone schoolwork as a hobby or recreational -- as opposed to commercial -- activity, allowing students for the first time to fly unmanned aircraft without a pilot's license or special authorization from the government. "Schools and universities are incubators for tomorrow's great ideas, and we think this is going to be a significant shot in the arm for innovation," said FAA Administrator Michael Huerta during a drone conference in New Orleans. But the agency's policy prohibits teachers from being the primary operators of unmanned aircraft, because they are paid for their work and therefore "would not be engaging in a hobby or recreational activity" while flying a drone. (They can, however, pilot drones in a limited way -- in case of emergency, for instance.)

Slashdot: No One Should Have To Use Proprietary Software To Communicate With Their Government

(posted on Thursday May 05, 2016 at 03:20 AWST)

Donald Robertson, writing for Free Software Foundation: Proprietary JavaScript is a threat to all users on the Web. When minified, the code can hide all sorts of nasty items, like spyware and other security risks. [...] On March 1st, 2016, the Copyright Office announced a call for comments on an update to their technology infrastructure. We submitted a comment urging them to institute a policy that requires all software they develop and distribute to be free software. Further, we also urged them to not require people to run proprietary software in order to communicate or submit comments to them. Unfortunately, once again, the Copyright Office requires the use of proprietary JavaScript in order to submit the comment and they are only accepting comments online unless a person lacks computer or Internet access. [...] The most absurd part of all this is that other government agencies, while still using Regulations.gov, are perfectly capable of offering alternatives to submission.

Slashdot: Aging and Bloated OpenSSL Is Purged of 2 High-Severity Bugs

(posted on Thursday May 05, 2016 at 02:40 AWST)

An anonymous reader cites a story on Ars Technica: Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers. The updates were released Tuesday morning for both versions 1.0.1 and 1.0.2 of OpenSSL, which a large portion of the Internet relies on to cryptographically protect sensitive Web and e-mail traffic using the transport layer security protocol. OpenSSL advisories labeled the severity of both vulnerabilities "high," meaning the updates fixing them should be installed as soon as possible. The fixes bring the latest supported versions to 1.0.1t and 1.0.2h. The decryption vulnerability is the result of what cryptographers call a padding oracle weakness, which allows attackers to repeatedly probe an encrypted payload for clues about the plaintext content inside. According to TLS expert Filippo Valsorda, the bug allows for only 16 bytes of encrypted traffic to be recovered, and even then only when an end user sends it repeatedly.

Slashdot: Windows 10 Updates Are Now Ruining Pro-Gaming Streams

(posted on Thursday May 05, 2016 at 02:00 AWST)

An anonymous reader cites a report on The Guardian: Perhaps there's nothing more annoying than going in for the kill to suddenly be "pooped on" by a Windows 10 automatic installation taking out your computer mid-stream to your 130,000 or so followers. After deciding to advertise during the weather by attempting to automatically install midway through a forecast, Windows 10 is starting to wreak havoc with gamers. Ex-professional Counter Strike player turned full-time streamer Erik Flom was rudely interrupted mid-game and live on Twitch by Windows 10 automatically installing on his PC. "What. What!? How did this happen! Fuck you Windows 10!" Flom said. "Oh my God! You had one job PC. We turned off everything. Update faster you fuck!"

Drupal Contrib Security: Open Atrium Notifications - Less Critical - Information Disclosure - SA-CONTRIB-2016-026

(posted on Thursday May 05, 2016 at 00:43 AWST)

Description

Open Atrium is a distribution of Drupal that allows you to build collaborative web sites. The Open Atrium Notification module adds the ability to send email notifications to users subscribed to certain content.

When combined with the Open Atrium Mailhandler app, incoming email replies to notifications can be processed as new comments. Notifications generated from these imported replies can be sent to the wrong list of users.

This vulnerability is mitigated by the fact that it depends on the specific configuration of the mailhandler that is processing notifications.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • oa_notifications 7.x-2.x versions prior to 7.x-2.30.
  • Open Atrium 7.x-2.x versions prior to 7.x-2.63.

Drupal core is not affected. If you do not use the contributed Open Atrium Notifications module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Atrium Notifications project page.

Reported by

  • Mike Potter provisional member of the Drupal Security Team and Open Atrium maintainer.

Fixed by

Coordinated by

  • Mike Potter provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal Contrib Security: Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025

(posted on Thursday May 05, 2016 at 00:06 AWST)

Description

This module enables you to create fieldable entities that have special integration with Panels.

The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor (IPE), allowing for specially crafted XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to create FPP objects, and then either:

  • a user with permission to use the Panels In-Place-Editor (IPE) must visit a page that the FPP object is added to; or
  • a user with permission to use the Panels admin interface must edit a page the FPP object is added to.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fieldable Panels Panes (FPP) project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Wednesday May 04, 2016

Ubuntu Security Notices: What the community said about…the M10 tablet

(posted on Wednesday May 04, 2016 at 21:22 AWST)

More, One, Needs, Life…these were some of the keywords used when we asked you, ‘What your life would look like if all your computing needs fitted into one device.’ With our first tablet that does just this – fit all your computing needs within one device – now available to buy, we wanted to celebrate your thoughts. We whittled down the most insightful tweets and calculated the most frequent words into this infographic below!


[Infographic: UbuntuReinvents]

Netcraft: Most Reliable Hosting Company Sites in April 2016

(posted on Wednesday May 04, 2016 at 15:49 AWST)

Rank  Company                    OS                Outage    Failed  DNS    Connect  First  Total
                                                   hh:mm:ss  Req%                   byte
1     Datapipe                   Linux             0:00:00   0.000   0.160  0.012    0.024  0.031
2     Qube Managed Services      Linux             0:00:00   0.000   0.153  0.058    0.117  0.117
3     CWCS                       Linux             0:00:00   0.000   0.189  0.070    0.142  0.143
4     Pair Networks              FreeBSD           0:00:00   0.004   0.246  0.070    0.143  0.143
5     GoDaddy.com Inc            Linux             0:00:00   0.009   0.257  0.010    0.024  0.025
6     XILO Communications Ltd.   Linux             0:00:00   0.009   0.222  0.063    0.127  0.127
7     Kattare Internet Services  Citrix Netscaler  0:00:00   0.009   0.517  0.114    0.228  0.228
8     LeaseWeb                   Linux             0:00:00   0.013   0.351  0.029    0.055  0.055
9     Hyve Managed Hosting       Linux             0:00:00   0.013   0.222  0.060    0.120  0.120
10    Aspserveur                 Linux             0:00:00   0.013   0.343  0.077    0.326  0.471

See full table

Datapipe had the most reliable hosting company site in April, responding to all of Netcraft's requests. Datapipe's performance has seen it appear in the top ten every month so far in 2016, continuing a streak which has placed the company in the top ten 11 times in the past 12 months. Datapipe provides hosting services out of a number of data centres in Europe, Asia and North America. In April, Datapipe announced that it would be partnering with Singapore's largest electronics retailer to ensure the scalability of the latter's online infrastructure.

Qube had the second most reliable hosting company site. As with Datapipe, Qube's site responded to all of Netcraft's requests, but was fractionally slower to do so. Qube's performance is also consistent: the company has appeared in the top ten 9 times over the last 12 months.

CWCS achieved third place in April, also with a 100% response rate, albeit with an average connect time that was marginally slower than both Datapipe and Qube's. CWCS provides shared and managed hosting solutions, with data centre facilities in England and North America, and counts organisations such as KPMG and the University of York amongst its clients.

Linux is once again the most popular choice of operating system with hosting companies: eight out of the top ten companies in April hosted their websites on Linux machines. Kattare Internet Services and Pair Networks were the only two exceptions, using a Citrix Netscaler device and FreeBSD respectively.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as it gives a pointer to the reliability of routing; this is why we rank the table by fewest failed requests rather than by shortest period of outage. Where the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

SC Magazine: Revived OAIC to be "leaner"

(posted on Wednesday May 04, 2016 at 12:40 AWST)

Pilgrim warns agency won't return to pre-2014.

SC Magazine: AusPost deploys Australia's first online police check

(posted on Wednesday May 04, 2016 at 12:35 AWST)

Now in talks with others.

SC Magazine: Turnbull's cyber threat sharing centres to model UK

(posted on Wednesday May 04, 2016 at 08:56 AWST)

Advisor defends adequacy of strategy funding.

SC Magazine: Google, Fiat to make 100 self-driving minivans

(posted on Wednesday May 04, 2016 at 08:15 AWST)

Will more than double Google's existing fleet.

SC Magazine: Data61, Treasury to investigate blockchain

(posted on Wednesday May 04, 2016 at 07:49 AWST)

Pilot to result from review.

SC Magazine: Kogan relaunches Dick Smith brand online

(posted on Wednesday May 04, 2016 at 07:47 AWST)

Collapsed retailer resurfaces under a new owner.

SC Magazine: OpenSSL users urged to patch high-severity holes

(posted on Wednesday May 04, 2016 at 07:28 AWST)

Could be used for MitM attacks, remote code execution.

SC Magazine: Court overturns Brazil's WhatsApp blackout

(posted on Wednesday May 04, 2016 at 07:16 AWST)

Service resumes.

OpenBSD Journal: p2k16 Hackathon Report: naddy@ on graphics libs progress (yes, packages!)

OpenBSD Journal (posted on Wednesday May 04, 2016 at 00:07 AWST)

Fresh from the p2k16 hackathon comes this report from Christian Weisgerber, who writes:

Coming to p2k16, I had only vague plans about what to work on. At the last few hackathons I had tackled some projects that didn't quite result in something committable, so this time I decided to keep it basic. The idea was to update some ports and maybe make a dent in the use of the obsolete libiconv and gettext modules.

OpenBSD Journal: p2k16 Hackathon Report: landry@ on mozilla ports

OpenBSD Journal (posted on Wednesday May 04, 2016 at 02:49 AWST)

The next report in our p2k16 series is from Landry Breuil, who writes:

For once we had a hackathon in France, so travel should be simple... turns out, at the last minute the past week I had engaged myself in a motorbike rally race, taking place in Corsica on the weekend right before the hackathon. Driving to the south of France on Thursday, night boat to Corsica, two days racing, then boat back to the mainland, then driving all night to come back to my place, change backpack, sleep 1h, and hop on the cheap bus from my place to Nantes. Arrived there at 21h, I was of course totally destroyed from the 30h trip and after meeting the others for a heavy meal, I crashed early to bed...

Tuesday May 03, 2016

OpenBSD Journal: libcrypto errata - May 2016

OpenBSD Journal (posted on Tuesday May 03, 2016 at 23:28 AWST)

Ted Unangst just sent an announcement of LibreSSL patches:

OpenSSL announced several issues today that also affect LibreSSL.

- Memory corruption in the ASN.1 encoder (CVE-2016-2108)
- Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
- EVP_EncodeUpdate overflow (CVE-2016-2105)
- EVP_EncryptUpdate overflow (CVE-2016-2106)
- ASN.1 BIO excessive memory allocation (CVE-2016-2109)

Thanks to OpenSSL for providing information and patches.

Refer to https://www.openssl.org/news/secadv/20160503.txt

Patches for OpenBSD are available:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/005_crypto.patch.sig

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/013_crypto.patch.sig

OpenBSD Journal: OpenBSD Foundation Announces Gold Sponsor

OpenBSD Journal (posted on Tuesday May 03, 2016 at 23:35 AWST)

OpenBSD Foundation director Ken Westerback (krw@) writes in with some great news:

The OpenBSD Foundation is happy to announce that DuckDuckGo has become the first Gold level contributor to the 2016 fundraising campaign.

This donation is part of DuckDuckGo's annual initiative to help fund free and open source projects based on nominations from their community.

Not only is it great to hear that companies are giving back to the project, but also that OpenBSD was nominated by DDG users. A big thanks to them and their community!

Donations to the OpenBSD Foundation can be made on the donations page, and they can be contacted regarding corporate sponsorship at fundraising@openbsdfoundation.org.

SC Magazine: The NBN is about to run out of money

(posted on Tuesday May 03, 2016 at 19:25 AWST)

Company already tapping private sector sources.

SC Magazine: Tech giants in crosshairs as Aussie govt redoubles tax chase

(posted on Tuesday May 03, 2016 at 18:20 AWST)

ATO powers beefed up.

SC Magazine: Defence to foot the bill for cyber security strategy

(posted on Tuesday May 03, 2016 at 18:01 AWST)

Funding changes hands.

SC Magazine: All the tech in the Coalition's budget 2016

(posted on Tuesday May 03, 2016 at 17:50 AWST)

Winners and losers as IT dollars are handed out.

SC Magazine: OAIC saved from dissolution

(posted on Tuesday May 03, 2016 at 17:32 AWST)

Govt backs down on plans to abolish information agency.

SC Magazine: Gumtree needs to take privacy more seriously

(posted on Tuesday May 03, 2016 at 13:00 AWST)

[Blog post] Or should we just get used to our data being public?

SC Magazine: Turnbull's department hires new CIO

(posted on Tuesday May 03, 2016 at 12:00 AWST)

Replacement for poached Kovacevic.

SC Magazine: NSW govt to finish e-health records rollout within four years

(posted on Tuesday May 03, 2016 at 11:45 AWST)

Mobile, data analytics focus in 10-year strategy document.

SC Magazine: The 'next frontier' in Qantas' big data journey

(posted on Tuesday May 03, 2016 at 10:07 AWST)

Understanding the customer beyond landing and departure.

SC Magazine: Gozi malware creator ordered to pay $9 million

(posted on Tuesday May 03, 2016 at 09:10 AWST)

Avoids more jail time.

SC Magazine: Defence deploys Watson for psyops analysis

(posted on Tuesday May 03, 2016 at 08:47 AWST)

Pilot success informs wider rollout.

SC Magazine: Multiple critical Android flaws patched in May security update

(posted on Tuesday May 03, 2016 at 07:47 AWST)

Severity rating system revised.

pfSense: pfSense 2.3 Update 1 Available

(posted on Tuesday May 03, 2016 at 04:44 AWST)

Since the new pkg system enables us to update pieces of the system individually, rather than the monolithic updates of the past, we have released a patch that fixes the NTP CVEs covered by FreeBSD SA 16:16.ntp. Updating ntpd from 4.2.8p6 to 4.2.8p7 is the only change.

This update appears as 2.3_1, for update 1. This should not be confused with 2.3.1, which is a full maintenance release coming soon. 2.3_1 is only available for those already running 2.3 release.

Note that after this update your version number will remain the same, still showing as 2.3-RELEASE.

This update does not trigger a reboot. The NTP service needs to be manually restarted under Status>Services afterwards.


Monday May 02, 2016

Latest Kernel Versions: 4.6-rc6: mainline

(posted on Monday May 02, 2016 at 06:52 AWST)

Version: 4.6-rc6 (mainline)
Released: 2016-05-01
Source: linux-4.6-rc6.tar.xz
PGP Signature: linux-4.6-rc6.tar.sign
Patch: patch-4.6-rc6.xz

Thursday May 05, 2016

Latest Kernel Versions: 4.5.3: stable

(posted on Thursday May 05, 2016 at 05:50 AWST)

Version: 4.5.3 (stable)
Released: 2016-05-04
Source: linux-4.5.3.tar.xz
PGP Signature: linux-4.5.3.tar.sign
Patch: patch-4.5.3.xz (Incremental)
ChangeLog: ChangeLog-4.5.3

Latest Kernel Versions: 4.4.9: longterm

(posted on Thursday May 05, 2016 at 05:50 AWST)

Version: 4.4.9 (longterm)
Released: 2016-05-04
Source: linux-4.4.9.tar.xz
PGP Signature: linux-4.4.9.tar.sign
Patch: patch-4.4.9.xz (Incremental)
ChangeLog: ChangeLog-4.4.9