News & Updates

The Rocket Report is published weekly. (credit: Arianespace)

Welcome to Edition 1.37 of the Rocket Report! Lots of news this week about plans to develop smallsat launchers, from India to Australia to the United Kingdom. We also have some serious shade throwing from Blue Origin’s Jeff Bezos, who doesn’t think a flight near (but not above) the Karman line will come without an asterisk.

As always, we welcome reader submissions, and if you don’t want to miss an issue, please subscribe using the box below (the form will not appear on AMP-enabled versions of the site). Each report will include information on small-, medium-, and heavy-lift rockets as well as a quick look ahead at the next three launches on the calendar.

India smallsat launcher to fly later this year. Indian space officials have confirmed that their new Small Satellite Launch Vehicle will attempt its first flight in “July or August” of this year, The Economic Times reports. The rocket will carry two Indian defense satellites for the mission, each weighing about 120kg. The rocket has undergone a complete technical review, officials said.


Source: http://feeds.arstechnica.com/arstechnica/index/

Cisco released security patches that address more than a dozen issues in its products, including high severity vulnerabilities affecting HyperFlex, Prime Infrastructure, and Prime Collaboration Assurance.

Security updates fix two High risk security flaws in HyperFlex software.

The first one is a command injection vulnerability (CVE-2018-15380) in the cluster service manager of the application. It is caused by insufficient input validation and could be exploited by an attacker to run commands as the root user.

“A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user.” reads the security advisory published by Cisco.

“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process. A successful exploit could allow the attacker to run commands on the affected host as the root user.”

The second issue is an unauthenticated root access bug (CVE-2019-1664) in the hxterm service of the software. It is caused by insufficient authentication controls and could allow an attacker to gain root access to all member nodes of the HyperFlex cluster.

“A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster.” reads the advisory.

“The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster.”

Both vulnerabilities affect the HyperFlex software releases prior to 3.5(2a).


Cisco addressed a High severity certificate validation bug in the Identity Services Engine (ISE) integration feature of Prime Infrastructure (PI). The flaw, tracked as CVE-2019-1659, could be exploited by an unauthenticated, remote attacker to carry out man-in-the-middle attacks on the Secure Sockets Layer (SSL) tunnel established between ISE and PI.

The flaw is caused by improper validation of the server SSL certificate when an SSL tunnel is established between ISE and PI. The vulnerability affects Prime Infrastructure Software releases 2.2 through 3.4.0 when the PI server is integrated with ISE, an integration that is disabled by default.

The tech giant also addressed another High risk bug (CVE-2019-1662) in the Quality of Voice Reporting (QOVR) service of Prime Collaboration Assurance (PCA) Software. The issue is caused by insufficient authentication controls and could be exploited by an unauthenticated, remote attacker to access the system as a valid user. The vulnerability affects releases prior to 12.1 SP2.

Cisco also addressed a directory traversal vulnerability (CVE-2019-1681) in the TFTP service of Cisco Network Convergence System 1000 Series that could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device. The vulnerability affects IOS XR Software releases prior to 6.5.2 for Network Convergence System 1000 Series when the TFTP service is enabled.

Cisco also released security fixes for 11 Medium severity flaws in Webex Meetings Online, Webex Teams, Internet of Things Field Network Director (IoT-FND) Software, HyperFlex, Firepower Threat Defense, Firepower 9000 Series Firepower 2-Port 100G Double-Width Network Module Queue Wedge, Unity Connection, IP Phone 7800 and 8800 Series, and SPA112, SPA525, and SPA5X5 Series IP Phones.

The full list of Cisco Security Advisories and Alerts is available here.


Pierluigi Paganini

(SecurityAffairs – Cisco Hyperflex, hacking)

The post Cisco addresses flaws in HyperFlex and Prime Infrastructure appeared first on Security Affairs.

Source: Security affairs

Microsoft revealed that Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks carried out through malicious HTTP/2 requests.

Attackers can trigger a DoS condition by sending specially crafted HTTP/2 requests: CPU usage temporarily spikes to 100% until IIS kills the malicious connections.

“Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.” reads the security advisory published by Microsoft.

“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”

The flaw affects Windows 10, Windows Server and Windows Server 2016.

The flaw was reported by Gal Goldshtein from F5 Networks who disclosed in November 2018 a similar flaw in the nginx web server software.

Microsoft has released updates to address the issue. The tech giant has implemented the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds are not preset by Microsoft; instead, the IIS administrator must define them. Microsoft published a knowledge base article to explain how to define thresholds on the number of HTTP/2 settings parameters exchanged over a connection.
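The SETTINGS accounting that the Microsoft advisory describes, written out as an added example in Python (not code from this post, from Microsoft, or from F5): it parses raw HTTP/2 frames, tallies the SETTINGS frames and the parameters they carry on a single connection, and flags the connection once an administrator-chosen limit is passed. The threshold values, the frame-building helper, and the two sample byte streams are constructed for illustration and are not Microsoft's configured values.

```python
"""Count HTTP/2 SETTINGS frames and parameters per connection and flag excess.

Added example (not from the Security Affairs post or Microsoft's KB article).
The thresholds are assumptions chosen for illustration; on IIS the real limits
are whatever the administrator configures.
"""
import struct
from dataclasses import dataclass

FRAME_HEADER_LEN = 9        # RFC 7540 4.1: 24-bit length, type, flags, 31-bit stream id
FRAME_TYPE_SETTINGS = 0x4
SETTINGS_FLAG_ACK = 0x1
SETTING_LEN = 6             # 16-bit identifier + 32-bit value per parameter


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes) -> list:
    """Split a raw HTTP/2 byte stream (client preface already stripped) into frames.

    A trailing, incomplete frame is ignored rather than raising, because a
    traffic monitor usually sees connections mid-flight.
    """
    frames = []
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        flags = data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        end = start + length
        if end > len(data):
            break
        frames.append(Frame(ftype, flags, stream_id, data[start:end]))
        off = end
    return frames


def settings_parameters(frame: Frame) -> list:
    """Return the (identifier, value) pairs carried by one SETTINGS frame."""
    if frame.flags & SETTINGS_FLAG_ACK:
        return []                      # an ACK carries no parameters
    if len(frame.payload) % SETTING_LEN:
        raise ValueError("SETTINGS payload not a multiple of 6 bytes (FRAME_SIZE_ERROR)")
    return [struct.unpack("!HI", frame.payload[i:i + SETTING_LEN])
            for i in range(0, len(frame.payload), SETTING_LEN)]


def check_connection(data: bytes, max_frames: int = 10, max_parameters: int = 50) -> dict:
    """Tally SETTINGS frames and parameters on one connection against assumed limits."""
    frames = 0
    parameters = 0
    for frame in parse_frames(data):
        if frame.ftype != FRAME_TYPE_SETTINGS:
            continue
        frames += 1
        parameters += len(settings_parameters(frame))
    return {
        "settings_frames": frames,
        "settings_parameters": parameters,
        "exceeded": frames > max_frames or parameters > max_parameters,
    }


def build_settings_frame(params, ack: bool = False) -> bytes:
    """Encode a SETTINGS frame on stream 0; used only to build the samples below."""
    payload = b"" if ack else b"".join(struct.pack("!HI", i, v) for i, v in params)
    header = (len(payload).to_bytes(3, "big")
              + bytes([FRAME_TYPE_SETTINGS, SETTINGS_FLAG_ACK if ack else 0])
              + (0).to_bytes(4, "big"))
    return header + payload


# Constructed samples: an ordinary handshake (three parameters plus the ACK) and a
# connection that keeps re-sending SETTINGS frames, each with six parameters.
NORMAL_HANDSHAKE = (build_settings_frame([(0x3, 100), (0x4, 65535), (0x5, 16384)])
                    + build_settings_frame([], ack=True))
SETTINGS_FLOOD = b"".join(
    build_settings_frame([(0x1, n), (0x2, 0), (0x3, n), (0x4, n), (0x5, 16384), (0x6, n)])
    for n in range(100))

if __name__ == "__main__":
    print("normal:", check_connection(NORMAL_HANDSHAKE))
    print("flood: ", check_connection(SETTINGS_FLOOD))
```

Run the file directly to see the two tallies. In a real deployment the same count would be kept per connection as frames arrive, which is the point at which IIS now lets the administrator set the cut-off; a malformed SETTINGS payload is treated as a protocol error rather than silently counted.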


Pierluigi Paganini

(SecurityAffairs – Windows, hacking)

The post Expert found a DoS flaw in Windows Servers running IIS appeared first on Security Affairs.

Source: Security affairs

Many websites threatened by highly critical code-execution bug in Drupal

(credit: Victorgrigas)

Sites that run the Drupal content management system run the risk of being hijacked until they’re patched against a vulnerability that allows hackers to remotely execute malicious code, managers of the open source project warned Wednesday.

CVE-2019-6340, as the flaw is tracked, stems from a failure to sufficiently validate user input, managers said in an advisory. Hackers who exploited the vulnerability could, in some cases, run code of their choice on vulnerable websites. The flaw is rated highly critical.

“Some field types do not properly sanitize data from non-form sources,” the advisory stated. “This can lead to arbitrary PHP code execution in some cases.”


Source: http://feeds.arstechnica.com/arstechnica/index/

If your name is Mario and you work at Nintendo of America, watch out. (credit: Sam Machkovech)

After 16 years at Nintendo of America, president, COO, and famed spokesperson Reggie Fils-Aimé will retire from his roles this year. His last day is April 15, at which time he will be replaced by senior VP of sales Doug Bowser, according to a press release.

Fils-Aimé joined the company in 2003 as executive VP of sales and marketing before becoming its president and chief operating officer in 2006. For years, he has been the public face of Nintendo in the United States at press conferences and online marketing streams, and he has become the personification of the gaming brand for millions of consumers, players, and onlookers. He became the subject of numerous memes, and he sparked the “my body is ready” meme popular on Internet gaming forums.

A new age of gamer memes seems to be upon us, though, because his replacement bears the same name as the primary villain of the company’s beloved Mario video game franchise. Doug Bowser has been with Nintendo since 2015, when his title was vice president of sales. He was promoted to senior VP in 2016.


Source: http://feeds.arstechnica.com/arstechnica/index/

Tesla’s new Model 3 car on display is seen on Friday, January 26, 2018, at the Tesla store in Washington, DC. (credit: Getty Images)

Last year, Tesla won a Consumer Reports recommendation for the Model 3 thanks to a last-minute upgrade to its braking software. But on Thursday, the magazine rescinded its endorsement of the vehicle due to poor results in its customer survey.

“Model 3 owners in our spring survey sample reported some body hardware and in-car electronics problems, such as the screen freezing, which we have seen with other Tesla models,” wrote CR‘s Patrick Olsen. “The latest survey data also shows complaints about paint and trim issues. In addition, some members reported that the Model 3’s sole display screen acted strangely.”

“The vast majority of these issues have already been corrected through design and manufacturing improvements, and we are already seeing a significant improvement in our field data,” a Tesla spokesperson told Consumer Reports in an emailed statement.


Source: http://feeds.arstechnica.com/arstechnica/index/

“Hello, operator? Hi, this is the President. I need the best phone you can find. Not 5G, this is America. Let’s go with 6G. I want all the Gs, the best Gs.” (credit: Getty Images | Washington Post)

US President Donald Trump today urged wireless carriers to deploy 5G and “6G” networks “as soon as possible,” seemingly ignoring the small problem that 6G technology doesn’t exist yet.

“I want 5G, and even 6G, technology in the United States as soon as possible,” Trump wrote on Twitter this morning. “It is far more powerful, faster, and smarter than the current standard. American companies must step up their efforts, or get left behind.”

In a second tweet, Trump said that 5G and 6G are “so obviously the future.”


Source: http://feeds.arstechnica.com/arstechnica/index/

Did these enormous layered volcanic deposits arise through many big eruptions or a few massive ones? (credit: Courtney Sprain)

Modeling what happened after a massive asteroid struck the Yucatan has painted a hellscape capable of causing a mass extinction: choking dust, immense tsunamis, and enough debris leaving and reentering the atmosphere to set off global fires. But questions remain whether the impact alone drove the dinosaurs to extinction or if it merely finished the job started by a massive volcanic outburst happening in India.

The Deccan Traps cover an area of roughly a half-million square kilometers, and the eruptions that created them involved over a million cubic kilometers of rock. Immense eruptions like this have been blamed for mass extinctions in the past, as they pump lots of toxic chemicals into the atmosphere and cause a rapid seesaw of cooling and warming. And the Deccan Traps are no exception: people have argued that they were already killing the dinosaurs or had stressed ecosystems in a way that set the stage for a mass extinction. But not everyone has bought in to this idea, and some have suggested that the asteroid collision actually drove changes in the Deccan Traps eruptions.

Sorting all this out requires a better sense of the timing of the eruptions vs. when the impact and extinctions occurred. In today’s issue of Science, two papers attempt to narrow down the timing. Unfortunately, their results don’t entirely agree.


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: tredford04 / Flickr)

A controversial overhaul of Europe’s copyright laws overcame a key hurdle on Wednesday as a majority of European governments signaled support for the deal. That sets the stage for a pivotal vote by the European Parliament that’s expected to occur in March or April.

Supporters of the legislation portray it as a benign overhaul of copyright that will strengthen anti-piracy efforts. Opponents, on the other hand, warn that its most controversial provision, known as Article 13, could force Internet platforms to adopt draconian filtering technologies. The cost to develop filtering technology could be particularly burdensome for smaller companies, critics say.

Online service providers have struggled to balance free speech and piracy for close to two decades. Faced with this difficult tradeoff, the authors of Article 13 have taken a rainbows-and-unicorns approach, promising stricter copyright enforcement, no wrongful takedowns of legitimate content, and minimal burdens on smaller technology platforms.


Source: http://feeds.arstechnica.com/arstechnica/index/

The perpetually locked red door is a central mystery of Netflix’s adaptation of Haunting of Hill House. (credit: Steve Dietl/Netflix)

The Netflix adaptation of The Haunting of Hill House was a critical and ratings hit last year, and the streaming giant has announced plans for a second season—or more accurately, a second installment in what is now a horror anthology series. Deadline Hollywood reports that The Haunting of Bly Manor will adapt Henry James’ classic ghost story, The Turn of the Screw, which is very much in the same vein of psychological gothic horror as the classic Shirley Jackson tale upon which season one was based.

The Haunting of Hill House shared the top spot in Ars’ 2018 list of our favorite TV shows with BBC’s Killing Eve. We loved Mike Flanagan and Trevor Macy’s inventive re-imagining of Jackson’s novel, at once a Gothic ghost story and a profound examination of family dysfunction. And yet it stayed true to the tone and spirit of the original, aided by dialogue, narration, and other small details from the source material. Small wonder that it garnered award nominations from the Motion Picture Sound Editors, Writers Guild of America, and Art Directors Guild.

Rumors of a possible second season began swirling soon after the series started streaming. Flanagan eventually confirmed plans to turn it into a horror anthology series, with a whole new ghost story and fresh characters. (He opined in an interview with Entertainment Weekly that the Crain family featured in Hill House had suffered enough.)


Source: http://feeds.arstechnica.com/arstechnica/index/