Tux Machines


Security Leftovers


Posted by Roy Schestowitz on May 03, 2024



LWN ☛ Security updates for Thursday


> Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox).



Tom's Hardware ☛ AMD finally patches gaping Zenbleed security hole — MSI releases AGESA 1.2.0.Ca BIOS update for Zen 2


> MSI is releasing new BIOS updates featuring AMD's latest AGESA 1.2.0.Ca firmware update for AM4 motherboards. The update is designed specifically to fix a new vulnerability affecting Zen 2 CPUs only.



SANS ☛ Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796, (Thu, May 2nd)


> Before diving into the vulnerability, a bit about the affected devices. LB-Link, the make of the devices affected by this vulnerability, produces various wireless equipment that is sometimes sold under different brands and labels. This will make it difficult to identify affected devices. These devices are often low-cost "no name" solutions or, in some cases, may even be embedded, which makes it even more difficult to find firmware updates.



Qt ☛ Security advisory: QStringConverter


> QStringConverter has an invalid pointer being passed as a callback which can allow modification of the stack and has been assigned the CVE id CVE-2024-33861.



OpenSSF (Linux Foundation) ☛ Recap of SOSS Community Day North America 2024


> On April 15, 2024, Secure Open Source Software (SOSS) Community Day North America (NA) brought together the open source community in Seattle to delve into discussions surrounding the challenges, overarching solutions, ongoing initiatives, and triumphs in fortifying the open source software (OSS) supply chain. Alongside dedicated SOSS contributors and thought leaders, we embarked on an in-depth exploration of topics such as security best practices, vulnerability discovery, securing critical projects, and the evolving landscape of OSS security.



Security Week ☛ Hackers Compromised Dropbox eSignature Service


> Dropbox says hackers breached its Sign production environment and accessed customer email addresses and hashed passwords.



Security Week ☛ Verizon DBIR 2024 Shows Surge in Vulnerability Exploitation, Confirmed Data Breaches


> Verizon’s 2024 DBIR shows that vulnerability exploitation increased three times and confirmed data breaches doubled compared to the previous year.



Bruce Schneier ☛ The UK Bans Default Passwords


> The UK is the first country to ban default passwords on IoT devices.



Security Week ☛ 1,400 GitLab Servers Impacted by Exploited Vulnerability


> CISA says a critical GitLab password reset flaw is being exploited in attacks and roughly 1,400 servers have not been patched.





-- Page fetched on Sat May 18 08:15:38 2024