Read Time:5 Second
The latest supply chain security report from SecurityScorecard and the Cyentia Institute shows worrying findings
Yearly Archives: 2023
BEC Group Uses Open Source Tactics in Hundreds of Attacks
USN-5838-1: AdvanceCOMP vulnerabilities
Read Time:35 Second
It was discovered that AdvanceCOMP did not properly manage memory while
performing read operations on MNG file. If a user were tricked into opening
a specially crafted MNG file, a remote attacker could possibly use this
issue to cause AdvanceCOMP to crash, resulting in a denial of service.
(CVE-2022-35014, CVE-2022-35017, CVE-2022-35018, CVE-2022-35019,
CVE-2022-35020)
It was discovered that AdvanceCOMP did not properly manage memory while
performing read operations on ZIP file. If a user were tricked into opening
a specially crafted ZIP file, a remote attacker could possibly use this
issue to cause AdvanceCOMP to crash, resulting in a denial of service.
(CVE-2022-35015, CVE-2022-35016)
USN-5839-1: Apache HTTP Server vulnerabilities
Read Time:33 Second
It was discovered that the Apache HTTP Server mod_dav module incorrectly
handled certain If: request headers. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
(CVE-2006-20001)
ZeddYu_Lu discovered that the Apache HTTP Server mod_proxy_ajp module
incorrectly interpreted certain HTTP Requests. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-36760)
Dimas Fariski Setyawan Putra discovered that the Apache HTTP Server
mod_proxy module incorrectly truncated certain response headers. This may
result in later headers not being interpreted by the client.
(CVE-2022-37436)
Misconfiguration and vulnerabilities biggest risks in cloud security: Report
Read Time:25 Second
The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig.
While zero trust is a top priority, data showed that least privilege access rights, an underpinning of zero trust architecture, are not properly enforced. Almost 90% of granted permissions are not used, which leaves many opportunities for attackers who steal credentials, the report noted.
USN-5837-1: Django vulnerability
Read Time:9 Second
Nick Pope discovered that Django incorrectly handled certain
Accept-Language headers. A remote attacker could possibly use this issue to
cause Django to consume memory, leading to a denial of service.
rubygem-actioncable-7.0.4.2-1.fc38 rubygem-actionmailbox-7.0.4.2-1.fc38 rubygem-actionmailer-7.0.4.2-1.fc38 rubygem-actionpack-7.0.4.2-1.fc38 rubygem-actiontext-7.0.4.2-1.fc38 rubygem-actionview-7.0.4.2-1.fc38 rubygem-activejob-7.0.4.2-1.fc38 rubygem-activemodel-7.0.4.2-1.fc38 rubygem-activerecord-7.0.4.2-1.fc38 rubygem-activestorage-7.0.4.2-1.fc38 rubygem-activesupport-7.0.4.2-1.fc38 rubygem-rails-7.0.4.2-1.fc38 rubygem-railties-7.0.4.2-1.fc38
Read Time:45 Second
FEDORA-2023-f60cca0686
Packages in this update:
rubygem-actioncable-7.0.4.2-1.fc38
rubygem-actionmailbox-7.0.4.2-1.fc38
rubygem-actionmailer-7.0.4.2-1.fc38
rubygem-actionpack-7.0.4.2-1.fc38
rubygem-actiontext-7.0.4.2-1.fc38
rubygem-actionview-7.0.4.2-1.fc38
rubygem-activejob-7.0.4.2-1.fc38
rubygem-activemodel-7.0.4.2-1.fc38
rubygem-activerecord-7.0.4.2-1.fc38
rubygem-activestorage-7.0.4.2-1.fc38
rubygem-activesupport-7.0.4.2-1.fc38
rubygem-rails-7.0.4.2-1.fc38
rubygem-railties-7.0.4.2-1.fc38
Update description:
Upgrade to Ruby on Rails 7.0.4.2. Fixes numerous CVEs: https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
Passwords Are Terrible (Surprising No One)
Read Time:1 Minute, 7 Second
This is the result of a security audit:
More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.
[…]
The results weren’t encouraging. In all, the auditors cracked 18,174—or 21 percent—of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts.
The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.
Original story:
To make their point, the watchdog spent less than $15,000 on building a password-cracking rig—a setup of a high-performance computer or several chained together - with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like ‘Polar_bear65’ and ‘Nationalparks2014!’.
opusfile-0.12-9.fc37
Read Time:6 Second
FEDORA-2023-6d18f920d2
Packages in this update:
opusfile-0.12-9.fc37
Update description:
Add upstream fix for CVE-2022-47021
opusfile-0.12-9.fc36
Read Time:6 Second
FEDORA-2023-6b83109e4e
Packages in this update:
opusfile-0.12-9.fc36
Update description:
Add upstream fix for CVE-2022-47021