Swachhata municipal engagement platform breached, researchers say

Read Time:28 Second

A threat actor going by the name LeakBase has exposed sample data of personally identifiable information (PII) of millions of users of the Swachhata citizen engagement platform, according to cybersecurity firm CloudSek.

The Swachhata platform is an initiative of the Swachh Bharat Mission in association with the Ministry of Housing and Urban Affairs. On the swachh.city website, users can post complaints to their respective city administrations. The website also gives monthly ratings of cities in terms of grievances resolved and engineers’ performance. 

To read this article in full, please click here

Read More

Drupal core – Critical – Multiple vulnerabilities – SA-CORE-2022-016

Read Time:1 Minute, 36 Second
Project: 
Date: 
2022-September-28
Vulnerability: 
Multiple vulnerabilities
Affected versions: 
>= 8.0.0 <9.3.22 || >= 9.4.0 <9.4.7
CVE IDs: 
CVE-2022-39261
Description: 

Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity.

Drupal core’s code extending Twig has also been updated to mitigate a related vulnerability.

Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.

The vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access administrative permission. Additional exploit paths for the same vulnerability may exist with contributed or custom code that allows users to write Twig templates.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.7.

If you are using Drupal 9.3, update to Drupal 9.3.22.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include Twig and therefore is not affected.

Fixed By: 
xjm of the Drupal Security Team
Alex Pott of the Drupal Security Team
Sascha Grossenbacher
Lee Rowlands of the Drupal Security Team
Lauri Eskola, provisional member of the Drupal Security Team
Nathaniel Catchpole of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team
cilefen of the Drupal Security Team
James Williams
Benji Fisher, provisional member of the Drupal Security Team

Read More

nodejs-16.17.1-1.fc35

Read Time:28 Second

FEDORA-2022-58055cb1ef

Packages in this update:

nodejs-16.17.1-1.fc35

Update description:

September Security Updates for Node.js

Update to Node.js 16.17.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.17.0

Fix dependency typo

Update to 16.15.0

Update to Node.js 16.14.1

Note that we will be skipping 16.14.2 since the only changes were in the bundled copy of OpenSSL, which we do not use. The relevant security patches are handled in Fedora’s openssl package.

Read More

nodejs-16.17.1-1.fc36

Read Time:28 Second

FEDORA-2022-3793987b02

Packages in this update:

nodejs-16.17.1-1.fc36

Update description:

September Security Updates for Node.js

Update to Node.js 16.17.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.17.0

Fix dependency typo

Update to 16.15.0

Update to Node.js 16.14.1

Note that we will be skipping 16.14.2 since the only changes were in the bundled copy of OpenSSL, which we do not use. The relevant security patches are handled in Fedora’s openssl package.

Read More

UK organizations, Ukraine’s allies warned of potential “massive” cyberattacks by Russia

Read Time:51 Second

The head of the UK National Cyber Security Centre (NCSC) Lindy Cameron has given an update on Russia’s cyber activity amid its war with Ukraine. Her speech at Chatham House today comes just a few days after Ukraine’s military intelligence agency issued a warning that Russia was “preparing massive cyberattacks on the critical infrastructure of Ukraine and its allies.” This coincides with a new Forrester report that reveals the extent to which the cyber impact of the Russia-Ukraine conflict has expanded beyond the conflict zone with malware attacks propagating into European entities.

UK NCSC CEO urges UK businesses to prepare for elevated alert

Addressing Russian cyber activity this year, Cameron stated that, while we have not seen the “cyber-Armageddon” some predicted, there has been a “very significant conflict in cyberspace – probably the most sustained and intensive cyber campaign on record – with the Russian State launching a series of major cyberattacks in support of their illegal invasion in February.”

To read this article in full, please click here

Read More

php-8.1.11-1.fc36

Read Time:1 Minute, 16 Second

FEDORA-2022-0b77fbd9e7

Packages in this update:

php-8.1.11-1.fc36

Update description:

PHP version 8.1.11 (29 Sep 2022)

Core:

Fixed bug php#81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628). (cmb)
Fixed bug php#81727: Don’t mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629). (Derick)
Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
Fixed bug GH-9361 (Segmentation fault on script exit php#9379). (cmb, Christian Schneider)
Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class constants in constant expressions). (ilutov)

DOM:

Fixed bug php#79451 (DOMDocument->replaceChild on doctype causes double free). (Nathan Freeman)

FPM:

Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload). (Dmitry Menshikov)
Fixed bug php#77780 (“Headers already sent…” when previous connection was aborted). (Jakub Zelenka)

GMP

Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()). (Girgias)

Intl

Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter). (Girgias)

PCRE:

Fixed pcre.jit on Apple Silicon. (Niklas Keller)

PDO_PGSQL:

Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed). (Yurunsoft)

Reflection:

Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure). (cmb, Nicolas Grekas)

Streams:

Fixed bug GH-9316 ($http_response_header is wrong for long status line). (cmb, timwolla)

Read More