FEDORA-2024-14c006b8bb
Packages in this update:
sympa-6.2.74-1.fc40
Update description:
Update to 6.2.74, fix for CVE-2024-55919
Full changelog: https://github.com/sympa-community/sympa/releases/tag/6.2.74
sympa-6.2.74-1.el9
Update to 6.2.74, fix for CVE-2024-55919
Full changelog: https://github.com/sympa-community/sympa/releases/tag/6.2.74
Large-scale campaign identified by Guardio Labs and Infoblox, exploiting malvertising and fake captchas to distribute the Lumma infostealer for massive data theft
Yair Zak discovered that Docker could forward DNS requests from internal
networks in an unexpected manner. An attacker could possibly use this issue
to exfiltrate data by encoding information in DNS queries to nameservers
they control. This issue was only addressed in Ubuntu 24.04 LTS.
(CVE-2024-29018)
Cory Snider discovered that Docker did not properly handle authorization
plugin request processing. An attacker could possibly use this issue to
bypass authorization controls by forwarding API requests without their
full body, leading to unauthorized actions. (CVE-2024-41110)
Rydox, an online marketplace used by cybercriminals to sell hacked personal information and tools to commit fraud, has been seized in an international law enforcement operation and its suspected administrators arrested.
Read more in my article on the Hot for Security blog.
Harry Sintonen discovered that curl incorrectly handled credentials from
.netrc files when following HTTP redirects. In certain configurations, the
password for the first host could be leaked to the followed-to host,
contrary to expectations.
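The curl advisory above describes a credential-scoping problem: .netrc entries are keyed by host, so a client that keeps the first host's credentials across a redirect sends them to a host the .netrc never assigned them to. The following is an added model of that behaviour, written for this page and not taken from curl's source; the .netrc content, host names and redirect chain are constructed for the example. It contrasts the flawed "sticky" behaviour with the correct per-hop lookup and provides a check a test suite could use to detect the leak.

```python
"""Model of how an HTTP client should scope .netrc credentials across redirects.

Added illustration for the curl advisory above (not curl's code). The .netrc
text, host names and redirect chain are constructed for the example.
"""
from typing import Optional

# Constructed .netrc content: credentials exist only for first.example.
NETRC_TEXT = """
machine first.example login alice password s3cret
"""


def parse_netrc(text: str) -> dict:
    """Parse 'machine X login Y password Z' entries into {host: (login, password)}.

    A 'default' entry, if present, is stored under the key 'default'. The file
    is tokenized as a whole so multi-line entries are handled too.
    """
    tokens = text.split()
    creds = {}
    current = None
    login = password = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            if current is not None:
                creds[current] = (login, password)
            current, login, password = tokens[i + 1], None, None
            i += 2
        elif tok == "default":
            if current is not None:
                creds[current] = (login, password)
            current, login, password = "default", None, None
            i += 1
        elif tok == "login":
            login = tokens[i + 1]
            i += 2
        elif tok == "password":
            password = tokens[i + 1]
            i += 2
        else:
            i += 1  # skip tokens this model does not use (e.g. 'account')
    if current is not None:
        creds[current] = (login, password)
    return creds


def credentials_for(creds: dict, host: str) -> Optional[tuple]:
    """Credentials for exactly this host, falling back to 'default' only if present."""
    return creds.get(host) or creds.get("default")


def auth_per_hop(creds: dict, hops: list, sticky: bool) -> list:
    """Credentials a client would send at each hop of a redirect chain.

    sticky=True models the flawed behaviour in the advisory: credentials
    resolved for the first host are reused for every followed-to host.
    sticky=False models the correct behaviour: re-resolve .netrc on every hop.
    """
    sent = []
    current = None
    for n, host in enumerate(hops):
        if sticky and n > 0:
            sent.append(current)  # reuse the first host's credentials
        else:
            current = credentials_for(creds, host)
            sent.append(current)
    return sent


def leaks_credentials(creds: dict, hops: list, sticky: bool) -> bool:
    """True if any hop after the first gets credentials the .netrc did not assign it."""
    for host, sent in zip(hops[1:], auth_per_hop(creds, hops, sticky)[1:]):
        if sent is not None and sent != credentials_for(creds, host):
            return True
    return False


if __name__ == "__main__":
    creds = parse_netrc(NETRC_TEXT)
    chain = ["first.example", "other.example"]  # constructed redirect chain
    print("sticky  :", auth_per_hop(creds, chain, sticky=True))
    print("per-host:", auth_per_hop(creds, chain, sticky=False))
```

The `leaks_credentials` check is the property a client test should assert: after a redirect, the only credentials on the wire are the ones the .netrc maps to the new host, or none at all.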
The Serbian authorities have been using advanced mobile forensics products made by the Israeli firm Cellebrite to illegally extract data from mobile devices
Starting next year:
Our longstanding offering won’t fundamentally change next year, but we are going to introduce a new offering that’s a big shift from anything we’ve done before—short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.
Because we’ve done so much to encourage automation over the past decade, most of our subscribers aren’t going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It’s not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day.
That sounds sort of nuts to me today, but issuing 5,000,000 certificates per day would have sounded crazy to me ten years ago.
This is an excellent idea.
Slashdot thread.
New Ofcom guidance is designed to help tech companies comply with their obligations around tackling illegal online harms under the Online Safety Act
Over 200,000 YouTube creators have been targeted by malware-laden phishing emails with the aim of infecting their followers