Story 2014-10-15

POODLE: A new SSL vulnerability

by
in security on (#2TCV)
Forbes has a lovely if disjointed writeup; The Register is considerably more dramatic. The gist: your browser likely still allows the use of old SSL standards, which are now proven vulnerable to a lovely new bug which could, in the worst case, give an attacker your cookies. From there, your sessions are at risk, along with anything you'd prefer to keep to yourself online.

The makers of Chrome seem to be saying that the issue has been fixed in Chrome since February, but as of this morning, the Poodle Test still showed Chrome as vulnerable. Firefox expects to have a fix in version 34, due Nov 25. In the meantime, according to the Forbes article, you can open about:config and change the setting security.tls.version.min to 1. This does cause Firefox to pass the test. Microsoft and Apple have not addressed the issue as of this writing. Internet Explorer does have an option to disable SSL 3.0 in its more recent versions (naturally set to "enabled" by default), but IE6 users are out in the cold; Safari users are vulnerable and must wait for a fix from Apple.
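
An added example, not part of the original story: a Python check a defender could run over Firefox profile files to confirm that the security.tls.version.min workaround described above is in place. It assumes the setting appears as a user_pref line in prefs.js or user.js and that an unset value means a default of 0 (SSL 3.0 allowed); the function names and the sample file contents are constructed for illustration.

```python
import re

# One Firefox preference line, e.g. user_pref("security.tls.version.min", 1);
# Anchored at line start, so commented-out lines ("// user_pref(...)") never match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;'
)

PREF_NAME = "security.tls.version.min"
# Assumption: a profile with no explicit value falls back to 0 (SSL 3.0 allowed).
ASSUMED_DEFAULT = 0


def effective_tls_min(*pref_texts):
    """Return the effective security.tls.version.min for a profile.

    Pass the contents of prefs.js first and user.js second: user.js is
    applied on top of prefs.js at startup, so later texts override earlier ones.
    """
    value = ASSUMED_DEFAULT
    for text in pref_texts:
        for line in text.splitlines():
            m = PREF_RE.match(line)
            if m and m.group("name") == PREF_NAME:
                try:
                    value = int(m.group("value"))
                except ValueError:
                    pass  # malformed value: keep the previous setting
    return value


def allows_ssl3(*pref_texts):
    """True when the profile still permits SSL 3.0 (minimum below 1 = TLS 1.0)."""
    return effective_tls_min(*pref_texts) < 1


# Constructed sample profile contents (not taken from a real machine).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 0);
'''
SAMPLE_USER_JS = '''\
// user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.min", 1);
'''

if __name__ == "__main__":
    print("prefs.js only allows SSL 3.0:", allows_ssl3(SAMPLE_PREFS_JS))
    print("with user.js allows SSL 3.0:", allows_ssl3(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```
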

CUPS 2 has been released

by
in hardware on (#2TCH)
CUPS, the Common Unix Printing Specification, has just released version 2.0 of its software. Mike Sweet, the project founder, reflects here on what makes CUPS 2 different, how printing has changed over the 15 years elapsed since CUPS 1.0, and what printing means in a world full of wifi and cloud-connected devices.
Today our focus on printing is much different than in 1999. Wireless networking and mobile computing are everywhere. We no longer want printer drivers, but expect printers that support standard protocols and formats with fantastic output quality that we could only dream of 15 years ago. And our printing is more focused and personal.
The changes since the previous version of CUPS are actually not all that substantial. This is a minor bug-fix and maintenance release. Specifically:
CUPS 2.0.0 is now available for download. The focus of this major release is on performance and security improvements. Changes since 2.0rc1 include:

The scheduler did not preserve listener sockets from launchd or systemd after a restart ()
Added some USB quirk rules for the libusb-based USB backend (STR #4482)
Spanish localization update (STR #4487)
Updated documentation for 2.0.0 release.
Enjoy!