Tux Machines

Security and Proprietary Software

Posted by Roy Schestowitz on Feb 17, 2023

Videos: Linux Action News, HowTos, and EndeavourOS

today's howtos

Security updates for Thursday

↺ Security updates for Thursday

> Security updates have been issued by Debian (firefox-esr), Fedora (community-mysql, edk2, firefox, and git), Slackware (curl and git), SUSE (apache2-mod_security2, aws-efs-utils, bind, curl, git, ImageMagick, java-11-openjdk, java-17-openjdk, java-1_8_0-openjdk, kernel, libksba, and mozilla-nss), and Ubuntu (golang-golang-x-text, golang-x-text, linux-aws, linux-aws-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-intel-iotg, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-oracle-5.4, linux-gke, linux-gke-5.15, nss, and xorg-server, xorg-server-hwe-16.04).

City of Oakland declares state of emergency after ransomware attack

↺ City of Oakland declares state of emergency after ransomware attack

> The City of Oakland, California, has declared a state of emergency after a ransomware attack on Feb. 8 knocked some of its information technology systems offline.

University warns against opening fraudulent honor code violation emails sent to students

↺ University warns against opening fraudulent honor code violation emails sent to students

> The Stanford Information Security Office sent out a community alert Saturday warning students against opening a fraudulent email about alleged honor code violations.

Readline crime: exploiting a SUID logic bug

↺ Readline crime: exploiting a SUID logic bug

> I discovered a logic bug in the readline dependency partially reveals file information when parsing the file specified in the INPUTRC environment variable. This could allow attackers to move laterally on a box where sshd is running, a given user is able to login, and the user’s private key is stored in a known location (/home/user/.ssh/id_rsa).

> This bug was reported and patched back in February 2022, and chfn isn’t typically provided by util-linux anyway, so your boxen are probably fine. I’m writing about this because the exploit is amusing, as it’s made possible due to a happy coincidence of the readline configuration file parsing functions marrying up well to the format of SSH keys—explained further in this post.

Tesla recalling nearly 363,000 vehicles equipped with ‘Full Self-Driving’

↺ Tesla recalling nearly 363,000 vehicles equipped with ‘Full Self-Driving’

'The Bird Is Not the Only Sick Company': Tesla Recalls 362K Self-Driving Cars Over Crash Risk

↺ 'The Bird Is Not the Only Sick Company': Tesla Recalls 362K Self-Driving Cars Over Crash Risk

> Electric automaker Tesla on Thursday announced it is recalling more than 362,000 vehicles due to their full self-driving software's potential crash risk, adding to the woes of billionaire CEO Elon Musk, whose recently acquired Twitter is beset by operational and financial troubles.

Citrix Patches High-Severity Vulnerabilities in Windows, Linux Apps - SecurityWeek

↺ Citrix Patches High-Severity Vulnerabilities in Windows, Linux Apps - SecurityWeek

> Citrix this week announced patches for severe vulnerabilities in Virtual Apps and Desktops, as well as in Workspace apps for Windows and Linux.

> Tracked as CVE-2023-24483, the Virtual Apps and Desktops vulnerability is described as a privilege escalation issue that allows an attacker with access to a Windows VDA as a standard Windows user to elevate privileges to System.

ChatGPT: Boon for the Lazy Learner

↺ ChatGPT: Boon for the Lazy Learner

> Inside the beating heart of many students and a large number of learners lies an inner cheat.� To get passing grades, every effort will be made to do the least to achieve the most. Efforts to subvert the central class examination are the stuff of legend: discreetly written notes on […]

gemini.tuxmachines.org