USN-6539-1: python-cryptography vulnerabilities

It was discovered that the python-cryptography Cipher.update_into function
would incorrectly accept objects with immutable buffers. This would result
in corrupted output, contrary to expectations. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-23931)

It was discovered that python-cryptography incorrectly handled loading
certain PKCS7 certificates. A remote attacker could possibly use this
issue to cause python-cryptography to crash, resulting in a denial of
service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and
Ubuntu 23.10. (CVE-2023-49083)

webkitgtk-2.42.3-1.fc38

FEDORA-2023-540bb86780

Packages in this update:

webkitgtk-2.42.3-1.fc38

Update description:

Fix flickering while playing videos with DMA-BUF sink.
Fix color picker being triggered in the inspector when typing “tan”.
Do not special case the “sans” font family name.
Fix several crashes and rendering issues.
Security fixes: CVE-2023-42916, CVE-2023-42917

webkitgtk-2.42.3-1.fc39

FEDORA-2023-f844a8fa64

Packages in this update:

webkitgtk-2.42.3-1.fc39

Update description:

Fix flickering while playing videos with DMA-BUF sink.
Fix color picker being triggered in the inspector when typing “tan”.
Do not special case the “sans” font family name.
Fix several crashes and rendering issues.
Security fixes: CVE-2023-42916, CVE-2023-42917

USN-6538-1: PostgreSQL vulnerabilities

Jingzhou Fu discovered that PostgreSQL incorrectly handled certain unknown
arguments in aggregate function calls. A remote attacker could possibly use
this issue to obtain sensitive information. (CVE-2023-5868)

Pedro Gallegos discovered that PostgreSQL incorrectly handled modifying
certain SQL array values. A remote attacker could use this issue to obtain
sensitive information, or possibly execute arbitrary code. (CVE-2023-5869)

Hemanth Sandrana and Mahendrakar Srinivasarao discovered that PostgreSQL
allowed the pg_signal_backend role to signal certain superuser processes,
contrary to expectations. (CVE-2023-5870)

Do I Really Need to be on Snapchat to be a Good Digital Parent?

If you had to count the number of social media platforms your teen uses, I wonder what the score would be? 2, 5 or maybe even more? Well, surprisingly, research from our Aussie eSafety Commissioner shows that Aussie kids use an average of 4 social media services. I bet you thought it would be more. I did! So, maybe this means we don’t need to worry too much about joining and understanding these platforms? Surely their skills must be quite polished if they are only using four platforms? Wrong!! Being a good digital parent means we need to take the time to understand our kids’ digital world – even when we think they have a handle on it.

My Top Tip Ever – Get Involved  

Over the last 12 years in my job as Cybermum, I’ve shared an abundance of advice. But if I had to pick the most important piece it is this – the absolute best way to keep your kids safe online is to commit to understanding your kids’ online world, particularly when they are starting out on their digital journey. So, if they are on Facebook, Instagram, Snapchat and TikTok then you need to sign up, and spend time understanding how it works. If they love Minecraft, Fortnite or Among Us – then you now do too! I’m sure you’re figuring out the pattern by now… 

Getting Involved Means You’ll Earn Some Tech Cred 

I’m not sure how it works for you but one thing that does NOT work for me is listening to advice from someone who has no relevant experience. To be honest, it really grinds my gears!! So, isn’t it logical that our teens would feel the same? I honestly don’t think we can expect them to take advice from us about online safety if we have no lived experience. In my opinion, experience = credibility.  

So, when you join Snapchat or Instagram not only are you learning about your child’s digital life but you’re also developing credibility which may just be the most important ingredient in keeping your kids safe online. Because if and when your kids find themselves in a tricky situation online, they will be far more likely to come to you with a problem if they know you understand how it all works.

Don’t Forget – You’re The Role Model 

Taylor Swift fandom is massive in Australia right now. With many taking days off work to secure tickets to her upcoming shows and a hot movie release, you’d be hard pressed to find many young girls who don’t think she is the ‘bees knees’. And if your sons are mad keen LeBron, Tom Brady or Nathan Cleary fans then they wouldn’t be alone – my sons are all in awe of these spectacular athletes. But despite all the hype and the potential influence from these celebrities, I need to remind you of one very important thing – you are the most important role model for your kids. You hold the greatest influence in their decision making and value setting.

If your kids see you using the same platforms they use in a healthy, balanced way – then you really have a tonne of ability to help them develop positive digital habits. Your ‘tech cred’ will mean they are even more likely to pick up on your habits. So, make sure you have a healthy mix of digital and non-digital activities in your life. Consider:

Regular screen-free time in your day 
Having a technology free hour (or two) before bed 
Banning phones from the dinner table 
Putting your phone on silent to minimise distractions 
Being ‘all in’ when you are talking to your kids and not picking up your phone. Give them your undivided attention!

Remember, they are watching and learning!!  

So, Do you Really Need To Join Snapchat? 

Now, I don’t want to force you to do anything that you are not comfortable with, but I do want you to understand how best to support your kids in their digital life. To me, it’s quite simple. Whatever platform your kids spend the bulk of their time online then that’s where you need to spend your time too. You’ll develop credibility which means they are more likely to come to you if they have an issue online. It also gives you an opportunity to model healthy digital habits which can be really powerful. So, if your kids use Snapchat then yes – you need to join!!! All the ‘know-how’ you amass while using it will absolutely help make you a great digital parent.

Till next time 

Alex  

The post Do I Really Need to be on Snapchat to be a Good Digital Parent? appeared first on McAfee Blog.

USN-6537-1: Linux kernel (GCP) vulnerabilities

Yu Hao discovered that the UBI driver in the Linux kernel did not properly
check for MTD with zero erasesize during device attachment. A local
privileged attacker could use this to cause a denial of service (system
crash). (CVE-2023-31085)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did
not properly validate some attributes passed from userspace. A local
attacker could use this to cause a denial of service (system crash) or
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Bien Pham discovered that the netfilter subsystem in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local user could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-4244)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did
not properly handle socket buffers (skb) when performing IP routing in
certain circumstances, leading to a null pointer dereference vulnerability.
A privileged attacker could use this to cause a denial of service (system
crash). (CVE-2023-42754)

Yikebaer Aizezi discovered that the ext4 file system implementation in the
Linux kernel contained a use-after-free vulnerability when handling inode
extent metadata. An attacker could use this to construct a malicious ext4
file system image that, when mounted, could cause a denial of service
(system crash). (CVE-2023-45898)

Maxim Levitsky discovered that the KVM nested virtualization (SVM)
implementation for AMD processors in the Linux kernel did not properly
handle x2AVIC MSRs. An attacker in a guest VM could use this to cause a
denial of service (host kernel crash). (CVE-2023-5090)

Jason Wang discovered that the virtio ring implementation in the Linux
kernel did not properly handle iov buffers in some situations. A local
attacker in a guest VM could use this to cause a denial of service (host
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel
did not properly handle queue initialization failures in certain
situations, leading to a use-after-free vulnerability. A remote attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-5178)

It was discovered that the SMB network file sharing protocol implementation
in the Linux kernel did not properly handle certain error conditions,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-5345)

Murray McAllister discovered that the VMware Virtual GPU DRM driver in the
Linux kernel did not properly handle memory objects when storing surfaces,
leading to a use-after-free vulnerability. A local attacker in a guest VM
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-5633)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did
not properly handle event groups, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

USN-6536-1: Linux kernel vulnerabilities

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did
not properly validate some attributes passed from userspace. A local
attacker could use this to cause a denial of service (system crash) or
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did
not properly handle socket buffers (skb) when performing IP routing in
certain circumstances, leading to a null pointer dereference vulnerability.
A privileged attacker could use this to cause a denial of service (system
crash). (CVE-2023-42754)

Yikebaer Aizezi discovered that the ext4 file system implementation in the
Linux kernel contained a use-after-free vulnerability when handling inode
extent metadata. An attacker could use this to construct a malicious ext4
file system image that, when mounted, could cause a denial of service
(system crash). (CVE-2023-45898)

Jason Wang discovered that the virtio ring implementation in the Linux
kernel did not properly handle iov buffers in some situations. A local
attacker in a guest VM could use this to cause a denial of service (host
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel
did not properly handle queue initialization failures in certain
situations, leading to a use-after-free vulnerability. A remote attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did
not properly handle event groups, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

golang-1.20.12-1.fc38

FEDORA-2023-ace2655259

Packages in this update:

golang-1.20.12-1.fc38

Update description:

This release includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler and the go command.

golang-1.21.5-1.fc39

FEDORA-2023-e57f5a2301

Packages in this update:

golang-1.21.5-1.fc39

Update description:

This release includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler and the go command.

USN-6535-1: curl vulnerabilities

Harry Sintonen discovered that curl incorrectly handled mixed case cookie
domains. A remote attacker could possibly use this issue to set cookies
that get sent to different and unrelated sites and domains.
(CVE-2023-46218)

Maksymilian Arciemowicz discovered that curl incorrectly handled long file
names when saving HSTS data. This could result in curl losing HSTS data,
and subsequent requests to a site would be done without it, contrary to
expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
(CVE-2023-46219)
