USN-7109-1: Go vulnerabilities


Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)

Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)

Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)

Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)

Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly use this issue to consume an excessive
amount of resources, resulting in a denial of service. (CVE-2023-24536)

Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)

Vincent Dehors discovered that Go incorrectly handled permission bits.
An attacker could possibly use this issue to read or write files with
elevated privileges. (CVE-2023-29403)

Juho Nurminen discovered that Go incorrectly handled certain compiler
directives. An attacker could possibly use this issue to execute arbitrary
code. (CVE-2023-29404)

Juho Nurminen discovered that Go incorrectly handled certain crafted
arguments. An attacker could possibly use this issue to execute arbitrary
code at build time. (CVE-2023-29405)

Bartek Nowotarski discovered that Go incorrectly validated the contents of
host headers. A remote attacker could possibly use this issue to inject
additional headers or entire requests. (CVE-2023-29406)

Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of the html/template module. An attacker
could possibly use this issue to inject JavaScript code and perform a
cross-site scripting attack. (CVE-2023-39318, CVE-2023-39319)

It was discovered that Go did not properly validate the “//go:cgo_”
directives during compilation. An attacker could possibly use this issue
to inject arbitrary code during compile time. (CVE-2023-39323)

It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly use this issue to cause a panic resulting in a denial of service.
(CVE-2023-39325)

Bartek Nowotarski discovered that the Go net/http module did not
properly handle requests whose headers exceed MaxHeaderBytes.
An attacker could possibly use this issue to cause a panic resulting in
a denial of service. (CVE-2023-45288)

Bartek Nowotarski discovered that the Go net/http module did not properly
validate the total size of the parsed form when parsing a multipart form.
An attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2023-45290)

John Howard discovered that the Go crypto/x509 module did not properly
handle a certificate chain which contains a certificate with an unknown
public key algorithm. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2024-24783)

Juho Nurminen discovered that the Go net/mail module did not properly
handle comments within display names in the ParseAddressList function.
An attacker could possibly use this issue to cause a panic resulting in
a denial of service. (CVE-2024-24784)

It was discovered that the Go html/template module did not validate errors
returned from MarshalJSON methods. An attacker could possibly use this
issue to inject arbitrary code into the Go template. (CVE-2024-24785)

Yufan You discovered that the Go archive/zip module handled certain types
of invalid zip files in a way that differs from the behavior of most zip
implementations. An attacker could possibly use this issue to cause a
panic resulting in a denial of service. (CVE-2024-24789)

Enze Wang and Jianjun Chen discovered that the Go net/netip module did
not work as expected for IPv4-mapped IPv6 addresses in various Is methods.
An attacker could possibly use this issue to cause a panic resulting in
a denial of service. (CVE-2024-24790)
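The net/netip entry matters most where the Is methods feed an allow-list: an address such as ::ffff:127.0.0.1 is loopback in substance, and a check that only asks the IPv6 form may answer differently from the check on 127.0.0.1. The following is an added example written for this page, not code from the USN or the Go project; classifyAddr, addrClass and isAllowedDestination are names chosen here. It normalises every address with Addr.Unmap() before classifying it, so the result does not depend on which toolchain version compiled the program:

```go
package main

import (
	"fmt"
	"net/netip"
)

// addrClass is the classification an allow-list needs for a destination.
type addrClass struct {
	Is4In6   bool // supplied in IPv4-mapped IPv6 form (::ffff:a.b.c.d)
	Loopback bool
	Private  bool
}

// classifyAddr parses s and classifies it after Unmap(), so the IPv4-mapped
// IPv6 spelling of an address is judged exactly like its plain IPv4 form.
// Unmap is a no-op for native IPv4 and native IPv6 addresses.
func classifyAddr(s string) (addrClass, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return addrClass{}, err
	}
	norm := addr.Unmap()
	return addrClass{
		Is4In6:   addr.Is4In6(),
		Loopback: norm.IsLoopback(),
		Private:  norm.IsPrivate(),
	}, nil
}

// isAllowedDestination is a deny-by-default check for outbound connections
// (the kind used to keep a server from being pointed at internal hosts):
// unparsable, loopback and private destinations are all refused.
func isAllowedDestination(s string) bool {
	c, err := classifyAddr(s)
	if err != nil {
		return false
	}
	return !c.Loopback && !c.Private
}

func main() {
	// Constructed sample inputs covering plain, mapped and native IPv6 forms.
	for _, s := range []string{"127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.1.2.3", "::1", "203.0.113.7"} {
		c, err := classifyAddr(s)
		fmt.Printf("%-18s 4in6=%-5v loopback=%-5v private=%-5v allowed=%-5v err=%v\n",
			s, c.Is4In6, c.Loopback, c.Private, isAllowedDestination(s), err)
	}
}
```

Keeping the Is4In6 flag in the result is deliberate: a client that reaches an IPv4-only service through a mapped address is unusual enough to be worth logging even when the destination is allowed.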

Geoff Franks discovered that the Go net/http module did not properly
handle responses to requests with an “Expect: 100-continue” header under
certain circumstances. An attacker could possibly use this issue to
cause a denial of service. (CVE-2024-24791)

It was discovered that the Go parser module did not properly handle deeply
nested literal values. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2024-34155)

Md Sakib Anwar discovered that the Go encoding/gob module did not properly
handle message decoding under certain circumstances. An attacker could
possibly use this issue to cause a panic resulting in a denial of service.
(CVE-2024-34156)

It was discovered that the Go build module did not properly handle certain
build tag lines with deeply nested expressions. An attacker could possibly
use this issue to cause a panic resulting in a denial of service.
(CVE-2024-34158)


IT specialist Jack Teixeira jailed for 15 years after leaking classified military documents on Discord


Jack Teixeira, the 22-year-old former Air National Guardsman who leaked hundreds of classified documents online, has been sentenced to 15 years in prison.

Teixeira, who served as an IT specialist at Otis Air National Guard Base in Massachusetts, was arrested in April 2023 after abusing his privileged position to share highly-sensitive documents with friends he had met via a Discord server focused on video gaming and guns.

Read more in my article on the Hot for Security blog.


New iOS Security Feature Makes It Harder for Police to Unlock Seized Phones


Everybody is reporting about a new iPhone security feature with iOS 18: if the phone hasn’t been used for a few days, it automatically goes into its “Before First Unlock” state and has to be rebooted.

This is a really good security feature. But various police departments don’t like it, because it makes it harder for them to unlock suspects’ phones.

The post New iOS Security Feature Makes It Harder for Police to Unlock Seized Phones appeared first on Schneier on Security.


LevelBlue Cybersecurity Awareness Month Recap


Each year, Cybersecurity Awareness Month serves as a reminder of the critical role that cybersecurity plays in our lives. Every October, LevelBlue champions this initiative which brings awareness to cyber risks, and promotes best practices to protect against growing cyber threats.

Throughout the month, we focused the spotlight on cyber resilience – sharing key trends and insights through research, thought leadership, and social media.

LevelBlue Research on Cyber Resilience

This month LevelBlue released the 2024 Futures Report: Cyber Resilience in Financial Services and 2024 Futures Report: Cyber Resilience in Energy and Utilities, research highlighting trends around the barriers to cyber resilience in each industry. As attacks increase, compounded by the complexities of dynamic computing and an evolving threat landscape, organizations are more vulnerable than ever. Notably, however, a key takeaway from our research was that despite acknowledging an increased exposure to risks, organizations believe the benefits of computing innovation outweigh the cybersecurity risks.

The LevelBlue Futures Reports also revealed common trends across both industries including:

72% and 77% of financial services and energy and utilities organizations respectively, indicate that digital transformation is an ongoing barrier to cybersecurity resilience
72% and 68% of financial services and energy and utilities organizations respectively, indicate that cyber resilience efforts are often siloed
62% and 61% of financial services and energy and utilities organizations respectively, reveal there’s a lack of understanding about cybersecurity at the board level

LevelBlue’s research outlines five key strategies for business leaders to follow to achieve cyber resilience. We encourage security and business leaders to leverage our research to start the conversation about cyber resilience in their organizations.

Insights from Our Executives on Cyber Resilience  

In addition to our research, LevelBlue executives offered valuable insights on the importance of Cybersecurity Awareness Month, emphasizing the ongoing need for vigilance and resilience in the face of evolving cyber threats.

Rakesh Shah, AVP – Product Management, shared his perspective with VMblog on how businesses should work to safeguard their most important assets during Cybersecurity Awareness Month – and beyond. He notes, “During a time when threat actors are leveraging generative AI to write targeted emails, impersonate public figures and personal contacts, as well as write new malware, we must act quickly and collaboratively. The pendulum will soon swing to the other side, as defenders and vendors invest in AI to counterbalance what the malicious actors are doing. We need to simplify security and take a page from the offense’s AI playbook, not just this Cybersecurity Awareness Month, but for years to come.”

Appearing on an episode of Security Guy TV, Rakesh discussed the importance of the Zero Trust security model to safeguard digital environments.

During October, LevelBlue proudly served as a Platinum sponsor for the 14th Annual Lonestar Application Security Conference (LASCON) in Austin, TX. The event attracts top speakers and attendees from around the world, offering a unique opportunity to gain cutting-edge knowledge from expertly curated sessions. Beyond cybersecurity insights, participants enjoyed hands-on experiences, from lock-picking workshops to thrilling bull rides.

Spreading Cybersecurity Awareness

To amplify the theme for Cybersecurity Awareness Month, ‘Secure Our World’, LevelBlue took to social media to share tips and best practices for staying secure online. These tips focused on the best ways to combat the most common attacks, including spotting a phishing attack, implementing strong passwords and password management, using multifactor authentication, and keeping software updated to help best protect against malicious actors.

Throughout Cybersecurity Awareness Month and beyond, LevelBlue is committed to being an advocate and partner for organizations looking to achieve cyber resilience. Download the complete findings of the 2024 LevelBlue Futures Report for Financial Services here and Energy and Utilities here. For more information on LevelBlue and its managed security, consulting, and threat intelligence services, follow us on X and LinkedIn.


ZDI-24-1511: Microsoft Office PowerPoint PPTX File Parsing Use-After-Free Remote Code Execution Vulnerability


This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Office PowerPoint. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-49032.
