USN-5767-1 fixed a vulnerability in Python. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that Python incorrectly handled certain IDNA inputs.
An attacker could possibly use this issue to expose sensitive information
denial of service, or cause a crash.
(CVE-2022-45061)
The group conducted supply chain attacks against the diamond industry across three continents
The new features will be globally available in 2023, but one of them already is for some US users
python3.11-3.11.1-1.fc37
python3-docs-3.11.1-1.fc37
Update to 3.11.1
Researchers at Sophos have investigated so-called “metaparasites” – the scammers who scam other scammers.
Jen Ellis urges the cyber industry to take a leading role in shaping its future, during Black Hat Europe 2022
Malicious hackers, hell-bent on infiltrating an organisation, have no qualms about exploiting even the most tragic events.
Read more in my article on the Tripwire State of Security blog.
Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals.
An attacker could possibly use this issue to cause a crash or execute arbitrary code.
(CVE-2022-37454)
It was discovered that Python incorrectly handled certain IDNA inputs.
An attacker could possibly use this issue to expose sensitive information
denial of service, or cause a crash.
(CVE-2022-45061)
Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library
iconv feature incorrectly handled certain input sequences. An attacker
could possibly use this issue to cause the GNU C Library to hang or crash,
resulting in a denial of service. (CVE-2016-10228, CVE-2019-25013,
CVE-2020-27618)
It was discovered that the GNU C Library did not properly handled DNS
responses when ENDS0 is enabled. An attacker could possibly use this issue
to cause fragmentation-based attacks. (CVE-2017-12132)
A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware.
Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.
This is a huge problem. The whole system of authentication rests on the assumption that signing keys are kept secret by the legitimate signers. Once that assumption is broken, all bets are off:
Samsung’s compromised key is used for everything: Samsung Pay, Bixby, Samsung Account, the phone app, and a million other things you can find on the 101 pages of results for that key. It would be possible to craft a malicious update for any one of these apps, and Android would be happy to install it overtop of the real app. Some of the updates are from today, indicating Samsung has still not changed the key.
