The joint advisory sets out how to mitigate and respond to DDoS attacks, limiting disruption to critical services
Monthly Archives: March 2024
Google Pays $10M in Bug Bounties in 2023
BleepingComputer has the details. It’s $2M less than in 2022, but it’s still a lot.
The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million.
For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million.
Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports.
During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables.
Google’s other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.
Slashdot thread.
prometheus-podman-exporter-1.11.0-1.fc40
FEDORA-2024-9231308a4f
Packages in this update:
prometheus-podman-exporter-1.11.0-1.fc40
Update description:
release v1.11.0
prometheus-podman-exporter-1.11.0-1.fc39
FEDORA-2024-a8a4ce2864
Packages in this update:
prometheus-podman-exporter-1.11.0-1.fc39
Update description:
release v1.11.0
release v1.10.1
release v1.10.0
prometheus-podman-exporter-1.11.0-1.fc38
FEDORA-2024-45f0a1df95
Packages in this update:
prometheus-podman-exporter-1.11.0-1.fc38
Update description:
release v1.11.0
release v1.10.1
release v1.10.0
prometheus-podman-exporter-1.11.0-1.el9
FEDORA-EPEL-2024-5d9511ad6e
Packages in this update:
prometheus-podman-exporter-1.11.0-1.el9
Update description:
release v1.11.0
release v1.10.1
release v1.10.0
ghc-base64-0.4.2.4-28.fc38 ghc-hakyll-4.16.2.0-1.fc38 gitit-0.15.1.1-3.fc38 pandoc-2.19.2-22.fc38 patat-0.8.8.0-2.fc38
FEDORA-2024-6ad6b9f417
Packages in this update:
ghc-base64-0.4.2.4-28.fc38
ghc-hakyll-4.16.2.0-1.fc38
gitit-0.15.1.1-3.fc38
pandoc-2.19.2-22.fc38
patat-0.8.8.0-2.fc38
Update description:
Security fix for CVE-2023-35936 and CVE-2023-38745
pandoc: backport fixes for CVE-2023-35936 and CVE-2023-38745
base64 now packaged in Fedora
USN-6700-2: Linux kernel (AWS) vulnerabilities
It was discovered that the Layer 2 Tunneling Protocol (L2TP) implementation in the Linux kernel contained a race condition when releasing PPPoL2TP sockets in certain conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-20567)
It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle block device modification while it is mounted. A privileged attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-34256)
Eric Dumazet discovered that the netfilter subsystem in the Linux kernel did not properly handle DCCP conntrack buffers in certain situations, leading to an out-of-bounds read vulnerability. An attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2023-39197)
It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51781)
It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle the remount operation in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2024-0775)
Notselwyn discovered that the netfilter subsystem in the Linux kernel did not properly handle verdict parameters in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-1086)
It was discovered that a race condition existed in the SCSI Emulex LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF and re-scanning an HBA FCF table, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-24855)
US Treasury Targets Russian Entities in Cyber Influence Campaign
The campaign notably included attempts to impersonate legitimate media outlets
USN-6709-1: OpenSSL vulnerabilities
It was discovered that checking excessively long DH keys or parameters may be very slow. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-3446)
After the fix for CVE-2023-3446, Bernd Edlinger discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-3817)
David Benjamin discovered that generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-5678)
Bahaa Naamneh discovered that processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential denial of service attack. (CVE-2024-0727)