Read Time:6 Second
The US and its allies claim Russian hacktivists are disruptive operations in water, energy, food and agriculture sectors
Monthly Archives: May 2024
chromium-124.0.6367.118-1.fc40
Read Time:25 Second
FEDORA-2024-5cf9499b62
Packages in this update:
chromium-124.0.6367.118-1.fc40
Update description:
update to 124.0.6367.118
* High CVE-2024-4331: Use after free in Picture In Picture
* High CVE-2024-4368: Use after free in Dawn
update to 124.0.6367.91
update to 124.0.6367.78
* Critical CVE-2024-4058: Type Confusion in ANGLE
* High CVE-2024-4059: Out of bounds read in V8 API
* High CVE-2024-4060: Use after free in Dawn
chromium-124.0.6367.118-1.fc38
Read Time:15 Second
FEDORA-2024-191c252b75
Packages in this update:
chromium-124.0.6367.118-1.fc38
Update description:
update to 124.0.6367.118
* High CVE-2024-4331: Use after free in Picture In Picture
* High CVE-2024-4368: Use after free in Dawn
update to 124.0.6367.91
chromium-124.0.6367.118-1.el9
Read Time:1 Minute, 14 Second
FEDORA-EPEL-2024-808f3961ef
Packages in this update:
chromium-124.0.6367.118-1.el9
Update description:
update to 124.0.6367.118
* High CVE-2024-4331: Use after free in Picture In Picture
* High CVE-2024-4368: Use after free in Dawn
update to 124.0.6367.91
update to 124.0.6367.78
* Critical CVE-2024-4058: Type Confusion in ANGLE
* High CVE-2024-4059: Out of bounds read in V8 API
* High CVE-2024-4060: Use after free in Dawn
update to 124.0.6367.60
High CVE-2024-3832: Object corruption in V8
High CVE-2024-3833: Object corruption in WebAssembly
High CVE-2024-3914: Use after free in V8
High CVE-2024-3834: Use after free in Downloads
Medium CVE-2024-3837: Use after free in QUIC
Medium CVE-2024-3838: Inappropriate implementation in Autofill
Medium CVE-2024-3839: Out of bounds read in Fonts
Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation
Medium CVE-2024-3841: Insufficient data validation in Browser Switcher
Medium CVE-2024-3843: Insufficient data validation in Downloads
Low CVE-2024-3844: Inappropriate implementation in Extensions
Low CVE-2024-3845: Inappropriate implementation in Network
Low CVE-2024-3846: Inappropriate implementation in Prompts
Low CVE-2024-3847: Insufficient policy enforcement in WebUI
update to 123.0.6312.122
High CVE-2024-3157: Out of bounds write in Compositing
High CVE-2024-3516: Heap buffer overflow in ANGLE
High CVE-2024-3515: Use after free in Dawn
chromium-124.0.6367.118-1.fc39
Read Time:13 Second
FEDORA-2024-5483bc2adb
Packages in this update:
chromium-124.0.6367.118-1.fc39
Update description:
update to 124.0.6367.118
* High CVE-2024-4331: Use after free in Picture In Picture
* High CVE-2024-4368: Use after free in Dawn
USN-6747-2: Firefox regressions
Read Time:2 Minute, 9 Second
USN-6747-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-3852,
CVE-2024-3864, CVE-2024-3865)
Bartek Nowotarski discovered that Firefox did not properly limit HTTP/2
CONTINUATION frames. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3302)
Gary Kwong discovered that Firefox did not properly manage memory when
running garbage collection during realm initialization. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2024-3853)
Lukas Bernhard discovered that Firefox did not properly manage memory
during JIT optimisations, leading to an out-of-bounds read vulnerability.
An attacker could possibly use this issue to cause a denial of service or
expose sensitive information. (CVE-2024-3854, CVE-2024-3855)
Nan Wang discovered that Firefox did not properly manage memory during
WASM garbage collection. An attacker could potentially exploit this issue
to cause a denial of service, or execute arbitrary code. (CVE-2024-3856)
Lukas Bernhard discovered that Firefox did not properly manage memory
when handling JIT created code during garbage collection. An attacker
could potentially exploit this issue to cause a denial of service, or
execute arbitrary code. (CVE-2024-3857)
Lukas Bernhard discovered that Firefox did not properly manage memory when
tracing in JIT. An attacker could potentially exploit this issue to cause
a denial of service. (CVE-2024-3858)
Ronald Crane discovered that Firefox did not properly manage memory in the
OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read
vulnerability. An attacker could possibly use this issue to cause a denial
of service or expose sensitive information. (CVE-2024-3859)
Garry Kwong discovered that Firefox did not properly manage memory when
tracing empty shape lists in JIT. An attacker could potentially exploit
this issue to cause a denial of service. (CVE-2024-3860)
Ronald Crane discovered that Firefox did not properly manage memory when
handling an AlignedBuffer. An attacker could potentially exploit this
issue to cause denial of service, or execute arbitrary code.
(CVE-2024-3861)
Ronald Crane discovered that Firefox did not properly manage memory when
handling code in MarkStack. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code. (CVE-2024-3862)
DSA-5676-1 chromium – security update
Read Time:9 Second
Security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
Smashing Security podcast #370: The closed loop conundrum, default passwords, and Baby Reindeer
Read Time:21 Second
The UK Government takes aim at IoT devices shipping with weak or default passwords, an identity thief spends two years in jail after being mistaken for the person who stole his name, and are you au fait with the latest scams?
All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.
Ignite Realtime Openfire Path Traversal Vulnerability (CVE-2023-32315)
Read Time:40 Second
What is the vulnerability?The CVE-2023-32315 is a path traversal vulnerability that affects all Openfire versions since version 3.1.0. Successful exploitation of this vulnerability can allow attackers to bypass authentication and gain access to sections of the restricted Openfire Admin Console. CISA recently added CVE-2023-32315 to the Known Exploited Vulnerabilities catalog, which means that the vulnerability has been observed to be exploited in the wild. What is the recommended Mitigation?The vendor released Openfire version 4.6.8 and 4.7.5 that contains a fix in mid 2023. More information could be found here: https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvmWhat FortiGuard Coverage is available?FortiGuard Labs has an existing “Openfire.setup.CVE-2023-32315.Authentication.Bypass” IPS signature released since August 2023.
LockBit, Black Basta, Play Dominate Ransomware in Q1 2024
Read Time:5 Second
The data from ReliaQuest also suggests LockBit faced a significant setback due to law enforcement action