FEDORA-2024-faff3dd9d6
Packages in this update:
vorbis-tools-1.4.2-10.fc39
Update description:
Security fix for CVE-2023-43361
Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wordpress-seo
domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init
action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
vorbis-tools-1.4.2-10.fc39
Security fix for CVE-2023-43361
vorbis-tools-1.4.2-10.el9
Security fix for CVE-2023-43361
vorbis-tools-1.4.2-9.fc38
Security fix for CVE-2023-43361
After 175 million failed password guesses, a judge rules that the Canadian police must return a suspect’s phone.
[Judge] Carter said the investigation can continue without the phones, and he noted that Ottawa police have made a formal request to obtain more data from Google.
“This strikes me as a potentially more fruitful avenue of investigation than using brute force to enter the phones,” he said.
chromium-120.0.6099.224-1.el8
Update to 120.0.6099.224
High CVE-2024-0517: Out of bounds write in V8
High CVE-2024-0518: Type Confusion in V8
High CVE-2024-0519: Out of bounds memory access in V8
update to 120.0.6099.216
High CVE-2024-0333: Insufficient data validation in Extensions
chromium-120.0.6099.224-1.el7
Update to 120.0.6099.224
High CVE-2024-0517: Out of bounds write in V8
High CVE-2024-0518: Type Confusion in V8
High CVE-2024-0519: Out of bounds memory access in V8
update to 120.0.6099.216
High CVE-2024-0333: Insufficient data validation in Extensions
chromium-120.0.6099.224-1.el9
Update to 120.0.6099.224
High CVE-2024-0517: Out of bounds write in V8
High CVE-2024-0518: Type Confusion in V8
High CVE-2024-0519: Out of bounds memory access in V8
update to 120.0.6099.216
High CVE-2024-0333: Insufficient data validation in Extensions
monit-5.30.0-2.el7
Security fix for CVE-2022-26563
This is part three of a three-part series written by AT&T Cybersecurity evangelist Theresa Lanowitz. It’s intended to be future-looking, provocative, and encourage discussion. The author wants to assure you that no generative AI was used in any part of this blog.
Part one: Unusual, thought-provoking predictions for cybersecurity in 2024
Part two: Cybersecurity operations in 2024: The SOC of the future
While there are many big things to prepare for in 2024 (see first two posts), some important smaller things don’t get the same attention. Yet, these things are good to know and probably won’t come as a huge surprise. Because they, too, are evolving, it’s important not to take your eye off the ball.
Compliance and governance are often overlooked when developing software because a different part of the business typically owns those responsibilities. That is all about to change. Cybersecurity policies (internal and external, including new regulations) need to move upstream in the software development lifecycle and need compliance logic built in to simplify the process. Software is designed to work globally; however, the world is becoming more segmented and parsed. Regulations are being created at country, regional, and municipal levels. To be realistic, the only way to handle compliance is via automation.
To avoid the constant forking of software, compliance logic will need to be a part of modern applications. Compliance logic will allow software to function globally but adjust based on code sets that address geographic locations and corresponding regulations.
In 2024, expect compliance logic to become a part of the larger conversation regarding compliance, governance, regulation, and policy. This will require cross-functional collaboration across IT, security, legal, line of business, finance, and other organizational stakeholders.
Multi-factor authentication (MFA) is a way of life. The benefits far outweigh the slight inconvenience imposed. Think about why MFA is so critical. MFA helps with authorization and authentication for mission-critical and safety-critical work. It prevents unauthorized access to critical information. MFA is an easy-to-implement step for good cyber hygiene.
Our current way of thinking about MFA is generally based on three things: something you know, a passcode; something you have, a device; and something you are, a fingerprint, your face, etc.
Now, let’s take this a step further and look at how the something you are part of MFA can improve safety. Today, MFA routinely accepts fingerprints, facial recognition, or retina scans. That’s just the beginning. MFA can go a step further in helping with business outcomes; here’s how.
Biometric and behavioral MFA can help with identifying the veracity of an individual as well as the fitness to perform a function. For example, a surgeon can access the hospital, restricted areas, and the operating room through MFA verifications.
But, once in the operating room, how is it determined that the surgeon is fit to perform the surgical task? Behavioral MFA will soon be in play to ensure the surgeon is fit by adding another layer of something you are. Behavioral MFA will determine fitness for a task by identifying things such as entering a series of numbers on a keypad, handwriting on a tablet, or voice analysis. The goal is to compare current behavior with past behavior to ensure no cognitive compromise.
In 2024, expect to see more discussion of expanding MFA and the something you are aspect to include fitness for a task. This is an outstanding bit of innovation that will continue to evolve our digital world.
This blog would be remiss without mentioning AI. In 2023, AI became a media sweetheart because of the broad use of generative AI for everything from writing term papers to marketing materials to legal briefs. The lowest common denominator of AI usage was released. However, generative AI has struggles with hallucination (creating non-sensical or inaccurate output because of pattern matching in a large language model), collapse (the generation of repetitive output because of data limitations), and a garbage-in-garbage-out irony.
Generative AI will impact social engineering and make phishing, squishing (the new phishing using QR codes), and smishing (sending counterfeit text messages) more difficult to detect. Intentionally malicious code may be more difficult to detect and, in some cases, may be integrated into legitimate source code branches. All of this means we must be more aware and vigilant.
Machine learning has long been a tool for data scientists, security researchers, and threat intelligence teams. The technology is superb at scanning large data sets and pattern matching.
Next up in the AI frenzy is something that few are discussing: deep learning. Deep learning is about producing predictions based on complexities in data. This can help in predicting a threat before it happens. Deep learning models have a large enough dataset to use past observations to predict future activity.
In 2024, expect deep learning to enter the cybersecurity conversation to take the industry to places that machine learning can’t take us. More data and more observations help hone future predictions.
Despite the technology we have to protect our networks, applications, and data, the human element is still the weakest link. And social engineering is a major contributor to security events. Business email compromise was the second most common attack concern in our 2023 research. Compromised credentials can easily allow a bad actor access to the digital kingdom.
Stolen or compromised credentials are a treasure trove for social engineers. Bad actors can use inexpensive technology to spoof voices and gain access to accounts or be given access to credentials. Social engineers prey on emotions and always want the target to act out of a sense of urgency. Frequent social engineering tactics will include phrases such as “I’m rushing to get on a plane and need this right now,” “your family member needs this cash right now,” or “your family/friend is in danger and needs your help”. Being alert and aware are the best ways to counteract these social engineering scams. As cybersecurity professionals, we need to talk to our colleagues, friends, and family about the tactics of social engineers.
In 2024, unfortunately, expect social engineering tactics to continue to evolve and reap payouts from unsuspecting people. Being a cybersecurity ambassador can go a long way to helping the public understand what social engineering is and how to avoid it.
A new year is always exciting and moving into 2024 is no exception. Technology continues to surprise and delight us.
The time is ripe for innovation, and we were treated to a glimpse of the future in 2023.
Looking ahead, 2024 is the year of the business understanding security and security starting to understand the business.
Here’s to a year of innovation!
monit-5.33.0-1.el8
Update to 5.33.0, includes security fix for CVE-2022-26563