A US government advisory sets out actions election officials need to take to mitigate the impact of nation-state influence campaigns ahead of the November elections
Daily Archives: April 18, 2024
USN-6737-1: GNU C Library vulnerability
Charles Fol discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code.
Other Attempts to Take Over Open Source Projects
After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:
The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.
[…]
The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).
The article includes a list of suspicious patterns, and another list of security best practices.
glibc-2.37-19.fc38
FEDORA-2024-f7ae5df88d
Packages in this update:
glibc-2.37-19.fc38
Update description:
This update includes several bug fixes from the upstream glibc release branch, including a fix for CVE-2024-2961.
glibc-2.38-18.fc39
FEDORA-2024-9be1b94714
Packages in this update:
glibc-2.38-18.fc39
Update description:
This update includes several bug fixes from the upstream glibc release branch, including a fix for CVE-2024-2961.
python-idna-3.7-1.fc40
FEDORA-2024-098b5d9719
Packages in this update:
python-idna-3.7-1.fc40
Update description:
Update to 3.7 (rhbz#2274439), security fix for CVE-2024-3651
Trust in Cyber Takes a Knock as CNI Budgets Flatline
Bridewell report reveals critical infrastructure firms are losing faith in their defensive tooling
thunderbird-115.10.0-1.fc39
FEDORA-2024-9435d59fbd
Packages in this update:
thunderbird-115.10.0-1.fc39
Update description:
Update to 115.10.0
https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
thunderbird-115.10.0-1.fc38
FEDORA-2024-3bf131ce13
Packages in this update:
thunderbird-115.10.0-1.fc38
Update description:
Update to 115.10.0
https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
golang-github-prometheus-alertmanager-0.27.0-1.fc41
FEDORA-2024-8580c06716
Packages in this update:
golang-github-prometheus-alertmanager-0.27.0-1.fc41
Update description:
Automatic update for golang-github-prometheus-alertmanager-0.27.0-1.fc41.
Changelog
* Thu Apr 18 2024 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 0.27.0-1
- Update to 0.27.0 - Closes rhbz#2064711 rhbz#2248329 rhbz#2260773 rhbz#2261192
* Sun Feb 11 2024 Maxwell G <maxwell@gtmx.me> - 0.23.0-20
- Rebuild for golang 1.22.0
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.0-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.0-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.0-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild