grafana-7.5.15-1.fc36

Read Time:33 Second

FEDORA-2022-c5383675d9

Packages in this update:

grafana-7.5.15-1.fc36

Update description:

update to 7.5.15 tagged upstream community sources, see CHANGELOG
resolve CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
resolve CVE-2022-21702 grafana: XSS vulnerability in data source handling
resolve CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
resolve CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
resolve CVE-2021-23648 sanitize-url: XSS
resolve CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
declare Node.js dependencies of subpackages
make vendor and webpack tarballs reproducible

Read More

CVE-2020-4668

Read Time:18 Second

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5, 6.1.0.0 through 6.1.0.3, and 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 186283.

Read More

What the FBI Wants You to Know About the Latest Phishing Scheme

Read Time:3 Minute, 20 Second

What’s worse than a surprise call from a law enforcement official telling you to pay a fine or be forced to serve time? Providing your personal information and paying that fine only to find out that it was all a scam. You didn’t miss jury duty; you didn’t commit a crime — you were just tricked into thinking that you did. 

Sound unbelievable? It’s more likely than you’d think. 

Who Are You Calling Criminal, Criminal? 

According to ZDNet1, the FBI released a warning about scammers impersonating government officials or law enforcement agencies to steal personal information and money from unsuspecting people. 

After acquiring phone numbers and names from real users, scammers use fake credentials from well-known law enforcement agencies to contact victims. Under the guise of these officials, scammers claim that the user’s identity was used in a crime and ask them to provide their social security number and date of birth for verification. The fraudsters will also call or text about apparently missed jury duty, missed court dates, warrants out for arrest, or other local fines that require payment to be solved. 

These criminals demand payment in multiple forms, but the most common are prepaid cards, wire transfers, and cash sent through mail or through cryptocurrency ATMs. If victims do not pay these fines or provide their personal information, the scammers in disguise will threaten them with potential prosecution or arrest. 

How to Identify Phishing Scams Over the Phone 

The FBI states that no law enforcement agency will ever contact you asking for money, but if you’re still unsure whether you’re being scammed, here are a few more phishing tips that can help: 

Confirm the source 

Unsolicited phone calls or texts are best avoided altogether or confirmed with a second source. Verify the caller’s identity with the organization they claim they represent. Ask for a name and position and make it clear you will be following up to verify their identity. 

Keep personal information private 

Do not reveal any personal or financial information over the phone, through text, or through a link provided in a text message. 

Lack of personalization 

Generic greetings that do not address you by name, especially when asking you to verify your identity or pay a fine, are a definite indicator that you may be being scammed. 

Spelling and layout 

Any strange grammar or spelling mistakes in a text message can be signs that this is someone impersonating an official agency, company, or higher-up to scam you. 

How to Identify Other Types of Phishing Scams 

Although scammers try to trick users over the phone, phishing scams can also happen over email. In addition to the tactics mentioned above, here are some extra tips on how to detect and avoid phishing emails: 

A sender address that’s just a bit off 

Cybercriminals will often impersonate well-known brands or individuals by using fraudulent email addresses with just a few alterations of letters or characters. An example is an email address that appears as “bank0famerica.con.” 

Hyperlinks 

If you receive a message or email with a link, hover over the link without clicking on it. This will allow you to see a link preview. If the URL looks suspicious or doesn’t match up with the content in the email, do not interact with it and delete the entire message. 

Attachments 

Be cautious of any attachment in an email. Scammers often use attachments as a sneaky way to deliver viruses and malware onto unsuspecting people’s devices. 

Protect Yourself From Phishing Attacks 

Phishing scams can be deceitful, especially with the added pressure of a seemingly real (but definitely fake) government official or law enforcement agency accusing you of breaking the law. However, by following the tips outlined above, you’ll be able to spot these scams from a mile away and stay safer online! 

The post What the FBI Wants You to Know About the Latest Phishing Scheme appeared first on McAfee Blog.

Read More

blender-2.68a-9.el7

Read Time:42 Second

FEDORA-EPEL-2022-4a24f39c87

Packages in this update:

blender-2.68a-9.el7

Update description:

Security fix for CVE-2017-12102, CVE-2017-12103, CVE-2017-12104, CVE-2017-12081, CVE-2017-12082, CVE-2017-12086, CVE-2017-12099, CVE-2017-12100, CVE-2017-12101, CVE-2017-12105, CVE-2017-2908, CVE-2017-2899, CVE-2017-2900, fix CVE-2017-2901, CVE-2017-2902, CVE-2017-2903, CVE-2017-2904, CVE-2017-2905, CVE-2017-2906, CVE-2017-2907, CVE-2017-2918.

Includes manual backports of the following upstream commits:

a6700362 “Memory: add MEM_malloc_arrayN() function to protect against overflow.”
d30cc1ea “Fix buffer overflows in TIFF, PNG, IRIS, DPX, HDR and AVI loading.”
07aed40 “Fix buffer overflow vulernability in thumbnail file reading.”
e6df028 “Fix buffer overflow vulnerabilities in mesh code.”
e6df028 “Fix buffer overflow vulnerability in curve, font, particles code.”

Read More

AirTags Are Used for Stalking Far More than Previously Reported

Read Time:1 Minute, 0 Second

Ever since Apple introduced AirTags, security people have warned that they could be used for stalking. But while there have been a bunch of anecdotal stories, this is the first vaguely scientific survey:

Motherboard requested records mentioning AirTags in a recent eight month period from dozens of the country’s largest police departments. We obtained records from eight police departments.

Of the 150 total police reports mentioning AirTags, in 50 cases women called the police because they started getting notifications that their whereabouts were being tracked by an AirTag they didn’t own. Of those, 25 could identify a man in their lives — ex-partners, husbands, bosses — who they strongly suspected planted the AirTags on their cars in order to follow and harass them. Those women reported that current and former intimate partners­ — the most likely people to harm women overall — ­are using AirTags to stalk and harass them.

Eight police departments over eight months yielded fifty cases. And that’s only where the victim (1) realized they were being tracked by someone else’s AirTag, and (2) contacted the police. That’s going to multiply out to a lot of AirTag stalking in the country, and the world.

Read More

Fuzzing tool company launches initiative to secure open-source software

Read Time:46 Second

ForAllSecure, maker of a next-generation fuzzing solution called Mayhem, announced a $2 million program Wednesday aimed at making open-source software (OSS) more secure. The company is offering developers a free copy of Mayhem and will pay them $1,000 if they integrate the software into a qualified OSS GitHub project.

“We’re on a mission to automatically find and fix the world’s exploitable bugs before attackers can succeed,” David Brumley, CEO and co-founder of ForAllSecure, said in a statement.

[ Related reading: 10 top fuzzing tools: Finding the weirdest application errors. ]

“OSS developers need help and don’t have access to the tools they need to quickly and easily find vulnerabilities,” Brumley continued. “Our Mayhem Heroes program democratizes software security testing, will make tens of thousands of OSS projects safer, and ultimately impact the security of systems used by everyone around the world.”

To read this article in full, please click here

Read More