The Social Web (old posts, page 225)

'Hubble Tension' and the Nobel Prize Winner Who Wants to Replace Cosmology's Standard Model

Adam Riess won a Nobel Prize in Physics for helping discover that the universe's acceleration is expanding, remembers The Atlantic. But then theorists "proposed the existence of dark energy: a faint, repulsive force that pervades all of empty space... the final piece to what has since come to be called the 'standard model of cosmology.'" Riess thinks instead we should just replace the standard model:

When I visited Riess, back in January, he mentioned he was looking forward to a data release from the Dark Energy Spectroscopic Instrument, a new observatory on Kitt Peak, in Arizona's portion of the Sonoran Desert. DESI has 5,000 robotically controlled optic fibers. Every 20 minutes, each of them locks onto a different galaxy in the deep sky. This process is scheduled to continue for a total of five years, until millions of galaxies have been observed, enough to map cosmic expansion across time... DESI's first release, last year, gave some preliminary hints that dark energy was stronger in the early universe, and that its power then began to fade ever so slightly.

On March 19, the team followed up with the larger set of data that Riess was awaiting. It was based on three years of observations, and the signal that it gave was stronger: Dark energy appeared to lose its kick several billion years ago. This finding is not settled science, not even close. But if it holds up, a "wholesale revision" of the standard model would be required [says Colin Hill, a cosmologist at Columbia University]. "The textbooks that I use in my class would need to be rewritten."

And not only the textbooks — the idea that our universe will end in heat death has escaped the dull, technical world of academic textbooks. It has become one of our dominant secular eschatologies, and perhaps the best-known end-times story for the cosmos. And yet it could be badly wrong. If dark energy weakens all the way to zero, the universe may, at some point, stop expanding. It could come to rest in some static configuration of galaxies. Life, especially intelligent life, could go on for a much longer time than previously expected. If dark energy continues to fade, as the DESI results suggest is happening, it may indeed go all the way to zero, and then turn negative. Instead of repelling galaxies, a negative dark energy would bring them together into a hot, dense singularity, much like the one that existed during the Big Bang. This could perhaps be part of some larger eternal cycle of creation and re-creation. Or maybe not. The point is that the deep future of the universe is wide open...

"Many new observations will come, not just from DESI, but also from the new Vera Rubin Observatory in the Atacama Desert, and other new telescopes in space. On data-release days for years to come, the standard model's champions and detractors will be feverishly refreshing their inboxes..."

And Riess tells The Atlantic he's disappointed when complacent theorists just tell him "Yeah, that's a really hard problem." He adds, "Sometimes, I feel like I am providing clues and killing time while we wait for the next Einstein to come along."

Read more of this story at Slashdot.

New Moderate Linux Flaw Allows Password Hash Theft Via Core Dumps in Ubuntu, RHEL, Fedora

An anonymous reader shared this report from The Hacker News: Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU). Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. "These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump," Saeed Abbasi, manager of product at Qualys TRU, said...

Red Hat said CVE-2025-4598 has been rated Moderate in severity owing to the high complexity in pulling an exploit for the vulnerability, noting that the attacker has to first win the race condition and be in possession of an unprivileged local account...

Qualys has also developed proof-of-concept code for both vulnerabilities, demonstrating how a local attacker can exploit the coredump of a crashed unix_chkpwd process, which is used to verify the validity of a user's password, to obtain password hashes from the /etc/shadow file.

Advisories were also issued by Gentoo, Amazon Linux, and Debian, the article points out. (Though "It's worth noting that Debian systems aren't susceptible to CVE-2025-4598 by default, since they don't include any core dump handler unless the systemd-coredump package is manually installed.")

Canonical software security engineer Octavio Galland explains the issue on Canonical's blog. "If a local attacker manages to induce a crash in a privileged process and quickly replaces it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace... In order to successfully carry out the exploit, an attacker must have permissions to create user, mount and pid namespaces with full capabilities."

Canonical's security team has released updates for the apport package for all affected Ubuntu releases... We recommend you upgrade all packages... The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:
- Applies new security updates every 24 hours automatically.
- If you have this enabled, the patches above will be automatically applied within 24 hours of being available.

Read more of this story at Slashdot.
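An added example, not code from the article, Qualys or Canonical: a triage helper that reads `kernel.core_pattern` to see which of the two handlers named in the story receives core dumps on a host, and maps it to the CVE the report ties to that handler. The function names and the sample patterns in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify the piped core dump handler from kernel.core_pattern.
# A pattern starting with "|" is executed by the kernel as a userspace handler;
# anything else means cores are not piped to apport or systemd-coredump.
# Constructed sample values:
#   |/usr/share/apport/apport -p%p -s%s -c%c -- %E
#   |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h

classify_core_pattern() {
    pattern=$1
    case $pattern in
        "|"*) ;;                      # piped handler, inspect it below
        *) echo "none"; return 0 ;;   # no userspace handler in the path
    esac
    cmd=${pattern#"|"}                # drop the leading pipe
    cmd=${cmd%% *}                    # first word is the handler's path
    case ${cmd##*/} in                # compare on the binary's basename
        apport)           echo "apport" ;;
        systemd-coredump) echo "systemd-coredump" ;;
        *)                echo "other" ;;
    esac
}

# CVE associated with each handler in the report quoted above.
related_cve() {
    case $1 in
        apport)           echo "CVE-2025-5054" ;;
        systemd-coredump) echo "CVE-2025-4598" ;;
        *)                echo "-" ;;
    esac
}

report_host() {
    file=${1:-/proc/sys/kernel/core_pattern}
    if [ ! -r "$file" ]; then
        echo "cannot read $file"
        return 0
    fi
    handler=$(classify_core_pattern "$(cat "$file")")
    echo "core dump handler: $handler"
    echo "related advisory:  $(related_cve "$handler")"
    case $handler in
        apport|systemd-coredump)
            echo "action: confirm the distribution's fixed package is installed" ;;
    esac
}

report_host
```

A result of `none` matches the Debian default described in the story, where no core dump handler is installed.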