USN-5838-1: AdvanceCOMP vulnerabilities

Read Time:35 Second

It was discovered that AdvanceCOMP did not properly manage memory while
performing read operations on MNG file. If a user were tricked into opening
a specially crafted MNG file, a remote attacker could possibly use this
issue to cause AdvanceCOMP to crash, resulting in a denial of service.
(CVE-2022-35014, CVE-2022-35017, CVE-2022-35018, CVE-2022-35019,
CVE-2022-35020)

It was discovered that AdvanceCOMP did not properly manage memory while
performing read operations on ZIP file. If a user were tricked into opening
a specially crafted ZIP file, a remote attacker could possibly use this
issue to cause AdvanceCOMP to crash, resulting in a denial of service.
(CVE-2022-35015, CVE-2022-35016)

Read More

USN-5839-1: Apache HTTP Server vulnerabilities

Read Time:33 Second

It was discovered that the Apache HTTP Server mod_dav module incorrectly
handled certain If: request headers. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
(CVE-2006-20001)

ZeddYu_Lu discovered that the Apache HTTP Server mod_proxy_ajp module
incorrectly interpreted certain HTTP Requests. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-36760)

Dimas Fariski Setyawan Putra discovered that the Apache HTTP Server
mod_proxy module incorrectly truncated certain response headers. This may
result in later headers not being interpreted by the client.
(CVE-2022-37436)

Read More

Misconfiguration and vulnerabilities biggest risks in cloud security: Report

Read Time:25 Second

The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig

While zero trust is a top priority, data showed that least privilege access rights, an underpinning of zero trust architecture, are not properly enforced. Almost 90% of granted permissions are not used, which leaves many opportunities for attackers who steal credentials, the report noted. 

To read this article in full, please click here

Read More

rubygem-actioncable-7.0.4.2-1.fc38 rubygem-actionmailbox-7.0.4.2-1.fc38 rubygem-actionmailer-7.0.4.2-1.fc38 rubygem-actionpack-7.0.4.2-1.fc38 rubygem-actiontext-7.0.4.2-1.fc38 rubygem-actionview-7.0.4.2-1.fc38 rubygem-activejob-7.0.4.2-1.fc38 rubygem-activemodel-7.0.4.2-1.fc38 rubygem-activerecord-7.0.4.2-1.fc38 rubygem-activestorage-7.0.4.2-1.fc38 rubygem-activesupport-7.0.4.2-1.fc38 rubygem-rails-7.0.4.2-1.fc38 rubygem-railties-7.0.4.2-1.fc38

Read Time:45 Second

FEDORA-2023-f60cca0686

Packages in this update:

rubygem-actioncable-7.0.4.2-1.fc38
rubygem-actionmailbox-7.0.4.2-1.fc38
rubygem-actionmailer-7.0.4.2-1.fc38
rubygem-actionpack-7.0.4.2-1.fc38
rubygem-actiontext-7.0.4.2-1.fc38
rubygem-actionview-7.0.4.2-1.fc38
rubygem-activejob-7.0.4.2-1.fc38
rubygem-activemodel-7.0.4.2-1.fc38
rubygem-activerecord-7.0.4.2-1.fc38
rubygem-activestorage-7.0.4.2-1.fc38
rubygem-activesupport-7.0.4.2-1.fc38
rubygem-rails-7.0.4.2-1.fc38
rubygem-railties-7.0.4.2-1.fc38

Update description:

Upgrade to Ruby on Rails 7.0.4.2. Fixes numerous CVEs: https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

Read More

Passwords Are Terrible (Surprising No One)

Read Time:1 Minute, 7 Second

This is the result of a security audit:

More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.

[…]

The results weren’t encouraging. In all, the auditors cracked 18,174—or 21 percent—­of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts.

The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—­or 89 percent—­of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.

Original story:

To make their point, the watchdog spent less than $15,000 on building a password-cracking rig—a setup of a high-performance computer or several chained together ­- with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like ‘Polar_bear65’ and ‘Nationalparks2014!’.

Read More