September 2016 - openSUSE Security - openSUSE Mailing Lists

[opensuse-security] Re: [security-announce] openSUSE-SU-2016:2386-1: important: Security update for MozillaFirefox, mozilla-nss
by Carlos E. R. 19 Oct '16

19 Oct '16

On 2016-09-26 18:10, opensuse-security(a)opensuse.org wrote: > openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss > ______________________________________________________________________________ > > Announcement ID: openSUSE-SU-2016:2386-1 > Rating: important > References: #999701 > Cross-References: CVE-2016-2827 CVE-2016-5256 CVE-2016-5257 > CVE-2016-5270 CVE-2016-5271 CVE-2016-5272 > CVE-2016-5273 CVE-2016-5274 CVE-2016-5275 > CVE-2016-5276 CVE-2016-5277 CVE-2016-5278 > CVE-2016-5279 CVE-2016-5280 CVE-2016-5281 > CVE-2016-5282 CVE-2016-5283 CVE-2016-5284 > > Affected Products: > openSUSE 13.1 > ______________________________________________________________________________ > > An update that fixes 18 vulnerabilities is now available. I get an error Box: +++................. An error occurred while loading or saving configuration information for [Firefox|thunderbird-bin]. Some of your configuration settings may not work properly. Details: Configuration server couldn't be contacted: D-BUS error: The GConf daemon is currently shutting down. Configuration server couldn't be contacted: D-BUS error: The GConf daemon is currently shutting down. Configuration server couldn't be contacted: D-BUS error: The GConf daemon is currently shutting down. Configuration server couldn't be contacted: D-BUS error: The GConf daemon is currently shutting down. .................++- The daemon is and was running. FF also says: +++....................... Firefox is not currently set as your default browser. Would you like to make it your default browser? [V] Always perform this check when starting Firefox .......................++- Saying Yes does not work, it asks again the next time. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

3 5

[opensuse-security] FYI AppArmor abstraction for AMD proprietary driver
by Malte Gell 10 Oct '16

10 Oct '16

This is an abstraction for those folks who prefer to use the proprietary AMD driver It needs to be added to every profile for X11 apps. It may be more convenient to copy the whole rule into abstractions/x to avoid changing existing profiles. To be honest, this is, what I did when I used fglrx.

2 3

Re: [opensuse-security] why no kernel randomization
by Malte Gell 16 Sep '16

16 Sep '16

Am 15.09.2016 um 08:41 schrieb jsegitz(a)suse.de: > On Tue, Sep 13, 2016 at 07:17:34AM +0200, Malte Gell wrote: >> why is the SUSE kernel built without CONFIG_RANDOMIZE_BASE? > > Have a look at > http://bugzilla.suse.com/show_bug.cgi?id=998554 > we enabled it in Tumbleweed, so we can test it there. Thanx, great! I may test it with the Leap 42.1 kernel later this day/week. Best regards -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 1

[opensuse-security] FYI AppArmor Firefox profile
by Malte Gell 13 Sep '16

13 Sep '16

Confining Firefox may be the most important thing you can do to improve security on a desktop system.... As a basis I took some old profile from Ubuntu and added more permissions to make it work. This profile works very well. But it separates Thunderbird, you cannot open mailto links with it. But in my mind, it is better to keep the data of both apps separated. To avoid an attacker steal your email account data and vice very. Both, Firefox and Thunderbird want to load kernel modules. I never looked, what kernel modules Firefox or TB need to load. To me it´s a bit scary to allow them loading kernel modules. I haven´t investigated this yet. In this profile I allowed to access /sbin/modprobe. The profile works with Leap 42.1 and its current Firefox.

1 0

[opensuse-security] FYI AppArmor profile for GnuPG
by Malte Gell 13 Sep '16

13 Sep '16

Dear List, GnuPG is a crucial security tool on any Linux system and its importance may make it prone to attacks. Thus it´s wise to have an AA profile for it. This AA profile for GnuPG supports the graphical pinentry programs and it supports SmartCard use. It also works with the Thunderbird addon Enigmail. This profile may need additional permissions if you use GnuPG with other mail clients besides Thunderbird. I only made it work for Thunderbird.

2 2

[opensuse-security] FYI AppArmor profile for VirtualBox
by Malte Gell 13 Sep '16

13 Sep '16

To me there is no reason to trust guest systems I run in VirtualBox, especially software from the city of Redmond always enjoys my distrust. Thus, I created an AA profile for VirtualBox. BTW, all profiles I posted work with Leap 42.1, I use them daily. The VirtualBox profile supports USB access if you install that guest USB thing from Oracle. This profile works fine for me with MS Windows 7 as guest OS. If you use other guest OS, the profile *may* need adjustments.

1 0

[opensuse-security] FYI AppArmor profile for Thunderbird
by Malte Gell 13 Sep '16

13 Sep '16

It´s always good to confine your mail user agent. This profile requires the GnuPG profile I sent some minutes ago. It supports Enigmail with OpenPGP Smartcards. This profile locks access to the local firefox folder. The advantage is, in case of a security breach, the attacker cannot steal data from your firefox profile. The disadvantage is, you cannot use emailto links from within firefox with this profile. If you want emailto links to work, change it yourself. The /proc stuff could be confined better, was too lazy to make it a bit more consistent...

1 0

[opensuse-security] FYI AppArmor profile for VLC player
by Malte Gell 13 Sep '16

13 Sep '16

Dear list, this is my AA profile for /usr/bin/vlc, attached as .TXT file. It has support for proprietary AMD Catalyst and nVidia drivers, supports access to DVB devices. These proprietary drivers come with 2 sub-tools I have not confined. It may need more permissions for some KDE themes, but the profile will always work, just the VLC GUI may not adjust to the system default. Media players are often at risk and have serious security flaws, thus it makes sense to have an AA profile for it. It´s not pretty, but it works.

1 0

[opensuse-security] AppArmor network rules
by Malte Gell 13 Sep '16

13 Sep '16

Hi there, I wonder, when do I have to explicitly set the "network" rule? VLC media player can connect well without setting the "network" item, other programs need to have "network" set. Why does VLC work without setting "network" and others don´t? It seems programs can have network access without needing "network" be set? Thanks -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 2

[opensuse-security] why no kernel randomization
by Malte Gell 13 Sep '16

13 Sep '16

Hi there, why is the SUSE kernel built without CONFIG_RANDOMIZE_BASE? Does it have any disadvantages if enabled? Would it break any software or functions? Thanks -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0