python-ujson-5.4.0-1.fc36


FEDORA-2022-1b2b8d5177

Packages in this update:

python-ujson-5.4.0-1.fc36

Update description:

Security fix for CVE-2022-31116 and CVE-2022-31117.

5.4.0

Added

Add support for arbitrary size integers

Fixed

CVE-2022-31116: Replace wchar_t string decoding implementation with a uint32_t-based one; fix handling of surrogates on decoding
CVE-2022-31117: Potential double free of buffer during string decoding
Fix memory leak on encoding errors when the buffer was resized
Integer parsing: always detect overflows
Fix handling of surrogates on encoding


Smashing Security podcast #283: Disney’s social dumpster fire, Anom phones, and TikTok tragedies


A self-proclaimed “super hacker” causes problems in the Magic Kingdom, criminals regret trusting Anom phones, and lawsuits are filed against TikTok.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.

Plus don’t miss our featured interview with Scott McCrady, the CEO of SolCyber Managed Security Services.


CVE-2020-14127


A denial of service vulnerability exists in some Xiaomi phone models. The vulnerability is caused by a heap overflow and can be exploited by attackers to cause a remote denial of service.


Keeper Connection Manager: Privileged access to remote infrastructure with zero-trust and zero-knowledge security


Graham Cluley Security News is sponsored this week by the folks at Keeper Security. Thanks to the great team there for their support! IT and DevOps teams were presented with new challenges with the mass-migration to home working, and found themselves forced to perform infrastructure monitoring and management remotely. What is clearly needed is a …


New Browser De-anonymization Technique


Researchers have a new way to de-anonymize browser users, by correlating their behavior on one account with their behavior on another:

The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

[…]

“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”
