libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().
Daily Archives: September 2, 2022
Friday Squid Blogging: Squid Images
iStock has over 13,000 royalty-free images of squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
CVE-2021-27693
Server-side Request Forgery (SSRF) vulnerability in PublicCMS before 4.0.202011.b via /publiccms/admin/ueditor when the action is catchimage.
CVE-2020-22669
ModSecurity with owasp-modsecurity-crs 3.2.0 (paranoia level PL1) has a SQL injection bypass vulnerability. Attackers can use comment characters and variable assignments in SQL syntax to bypass the ModSecurity WAF protection and carry out SQL injection attacks against web applications.
protobuf-c-1.4.1-2.fc36
FEDORA-2022-3be472fe11
Packages in this update:
protobuf-c-1.4.1-2.fc36
Update description:
Updated to version 1.4.1.
OpenSSF releases npm best practices to help developers tackle open-source dependency risks
The Open Source Security Foundation (OpenSSF) has released the npm Best Practices Guide to help JavaScript and TypeScript developers reduce the security risks associated with using open-source dependencies. The guide, a product of the OpenSSF Best Practices Working Group, focuses on dependency management and supply chain security for npm and covers various areas such as how to set up a secure CI configuration, how to avoid dependency confusion, and how to limit the consequences of a hijacked dependency. The release comes as developers increasingly share and use dependencies which, while contributing to faster development and innovation, can also introduce risks.
US Police Deployed Obscure Smartphone Tracking Tool With No Warrants
It would allow police to search billions of mobile device-based records, including GPS data
Google Chrome Vulnerability Lets Sites Quietly Overwrite Clipboard Contents
The bug was discovered by developer Jeff Johnson, who detailed his findings in a blog post
JuiceLedger Hacker Linked to First Phishing Campaign Targeting PyPI Users
JuiceLedger started poisoning open-source packages as a way to target a wider audience in August
Montenegro is the Victim of a Cyberattack
Details are few, but Montenegro has suffered a cyberattack:
A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country’s electrical utility to switch to manual control.
[…]
But the attack against Montenegro’s infrastructure seemed more sustained and extensive, with targets including water supply systems, transportation services and online government services, among many others.
Government officials in the country of just over 600,000 people said certain government services remained temporarily disabled for security reasons and that the data of citizens and businesses were not endangered.
The Director of the Directorate for Information Security, Dusan Polovic, said 150 computers were infected with malware at a dozen state institutions and that the data of the Ministry of Public Administration was not permanently damaged. Polovic said some retail tax collection was affected.
Russia is being blamed, but I haven’t seen any evidence other than “they’re the obvious perpetrator.”