FEDORA-2024-90f1d7e116
Packages in this update:
seamonkey-2.53.19-1.fc41
Update description:
Update to 2.53.19
seamonkey-2.53.19-1.fc41
Update to 2.53.19
Agencies under the #Stopransomware banner publish details of RansomHub group’s tactics, indicators of compromise and essential mitigations
Zeng Yunxiang discovered that FFmpeg incorrectly handled memory during
video encoding. An attacker could possibly use this issue to perform a
denial of service, or execute arbitrary code.
It was discovered that WebOb incorrectly handled certain URLs.
An attacker could possibly use this issue to control a redirect or
forward to another URL.
The Asian country’s law enforcement suspects the instant messaging app of abetting deepfake sex crimes
The US FTC has proposed a $2.95m fine for security camera firm Verkada for alleged security failings that allowed hackers to access customers’ video footage
wireshark-4.2.7-1.fc40
New version 4.2.7, fix for CVE-2024-8250
wireshark-4.0.17-1.fc39
New version 4.0.17, fix for CVE-2024-8250
Interesting vulnerability:
…a special lane at airport security called Known Crewmember (KCM). KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.
The KCM process is fairly simple: the employee uses the dedicated lane and presents their KCM barcode or provides the TSA agent their employee number and airline. Various forms of ID need to be presented while the TSA agent’s laptop verifies the employment status with the airline. If successful, the employee can access the sterile area without any screening at all.
A similar system also exists for cockpit access, called the Cockpit Access Security System (CASS). Most aircraft have at least one jumpseat inside the cockpit sitting behind the flying pilots. When pilots need to commute or travel, it is not always possible for them to occupy a revenue seat, so a jumpseat can be used instead. CASS allows the gate agent of a flight to verify that the jumpseater is an authorized pilot. The gate agent can then inform the crew of the flight that the jumpseater was authenticated by CASS.
[attack details omitted]
At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners.
We ended up finding several more serious issues but began the disclosure process immediately after finding the first issue.
golang-github-letsencrypt-pebble-2.6.0-1.fc42
Automatic update for golang-github-letsencrypt-pebble-2.6.0-1.fc42.
* Sat Jul 27 2024 Mikel Olasagasti Uranga <mikel@olasagasti.info> – 2.6.0-1
– Update to 2.6.0 – Closes rhbz#2268889