Trending Topics This Week
Here is what people are talking about this week in the world of free and open source software:
• Cisco Releases Security Patches for Critical Flaws Affecting its Products.
• Microsoft Launches Power Fx, a New Open Source Low-Code Language.
• An Open-Source Machine Learning Framework to Carry Out Systematic Reviews.
Key Security, Maintenance, and Features Releases
Security Updates
OpenSSL 1.1.1j
• Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it was failing to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack. (CVE-2021-23841)
• Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. This is considered a bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is CVE-2021-23839.
• Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. (CVE-2021-23840)
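The CVE-2021-23840 entry describes a length-bookkeeping overflow: an update call that reports success while its output length has wrapped negative. The following is an added, constructed C example (not OpenSSL's code, and not a reproduction of the actual fix) that models the same bookkeeping with a cipher block size and a buffered partial block, and shows the two defensive checks a practitioner wants: an overflow guard done by comparison before the addition, and a caller-side check that refuses a "success" result with a negative output length. The names checked_update_len, update_result_ok, chunk_count and BLOCK_SIZE are all assumptions of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the length bookkeeping in an EVP_*Update-style
   call. BLOCK_SIZE stands in for the cipher block size; "buffered" is the
   partial block a context kept back from earlier calls. */
#define BLOCK_SIZE 16

/* Hardened length computation. Returns 1 and sets *outl to the number of
   whole-block bytes that would be emitted, or returns 0 (leaving *outl
   untouched) when buffered + inl would exceed INT_MAX. The guard is a
   comparison, so no signed overflow (undefined behaviour in C) can occur
   and a wrapped, negative length is never produced. */
int checked_update_len(int buffered, int inl, int *outl)
{
    if (buffered < 0 || inl < 0 || buffered >= BLOCK_SIZE)
        return 0;                           /* invalid context state */
    if (inl > INT_MAX - buffered)
        return 0;                           /* addition would overflow */
    int total = buffered + inl;
    *outl = total - (total % BLOCK_SIZE);   /* emit whole blocks only */
    return 1;
}

/* Caller-side check: a return of 1 paired with a negative output length
   is exactly the inconsistent state the unpatched library could hand
   back, so treat it as a failure rather than trusting the return code. */
bool update_result_ok(int ret, int outl)
{
    return ret == 1 && outl >= 0;
}

/* Split a large input into fixed-size chunks so no single update call is
   ever handed a length anywhere near INT_MAX. Returns the number of calls
   needed; every chunk but the last has chunk_len bytes. */
size_t chunk_count(size_t total_len, size_t chunk_len)
{
    if (chunk_len == 0)
        return 0;
    return (total_len + chunk_len - 1) / chunk_len;
}

int main(void)
{
    int outl = -1;
    int ret = checked_update_len(5, INT_MAX - 2, &outl);
    printf("near-INT_MAX input: ret=%d ok=%d\n", ret, update_result_ok(ret, outl));

    ret = checked_update_len(5, 100, &outl);
    printf("normal input: ret=%d outl=%d ok=%d\n", ret, outl, update_result_ok(ret, outl));

    printf("3001 bytes in 1000-byte chunks: %zu calls\n", chunk_count(3001, 1000));
    return 0;
}
```

The first call refuses the near-INT_MAX input outright; the second yields 96 bytes (5 buffered plus 100 new, rounded down to six whole blocks). Feeding data through in bounded chunks and validating both the return value and the output length keeps an application safe even when it links against a library build that still has the bug.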
Non-Security Updates
Firefox 86
• Reader mode now works with local HTML pages.
• Using screen reader quick navigation to move to editable text controls no longer incorrectly reaches non-editable cells in some grids, such as on messenger.com.
• The Orca screen reader's mouse review feature now works correctly after switching tabs in Firefox.
• Screen readers no longer report column headers incorrectly in tables containing cells spanning multiple columns.
CentOS Stream Pre-Flight Checklist
With the CentOS community shifting its focus to CentOS Stream, and CentOS 8 now reaching EOL at the end of 2021, many companies are considering whether they're ready to take the plunge on CentOS Stream, or whether they need to seek out another option. In this blog, we discuss CentOS Stream and its benefits, and provide a checklist that companies can use to assess their readiness to migrate to CentOS Stream.