Security Leftovers
-
Qubes OS 4.1 reaches EOL on 2024-06-18
Qubes OS 4.1 is scheduled to reach end-of-life (EOL) on 2024-06-18, approximately three months from the date of this announcement.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
-
Emmanuel Kasper: Adding a private / custom Certificate Authority to the firefox trust store
Today at $WORK I needed to add the private company Certificate Authority (CA) to Firefox, and I found the steps were unnecessarily complex. Time to blog about that, and I also made a Debian wiki article of that post, so that future generations can update the information, when Firefox 742 is released on Debian 17.
-
SANS ☛ New tool: linux-pkgs.sh, (Sun, Mar 24th)
During a recent GNU/Linux forensic engagement, a colleague asked if there was any way to tell what packages were installed on a victim image.
-
BBC ☛ Hackers threaten to publish huge cache of NHS Scotland data - BBC News
It comes two weeks after NHS Dumfries and Galloway was hit with a cyber attack on its IT systems.
-
Bruce Schneier ☛ On Secure Voting Systems [Ed: And why do these on computers at all? The "use cases" are too few and risks are far too high.]
Andrew Appel shepherded a public comment—signed by twenty election cybersecurity experts, including myself—on best practices for ballot marking devices and vote tabulation. It was written for the Pennsylvania legislature, but it’s general in nature.
-
Security Week ☛ Apple Patches Code Execution Vulnerability in iOS, macOS
Apple has released iOS 17.4.1 and macOS Sonoma 14.4.1 with patches for an arbitrary code execution vulnerability.
-
Perl ☛ Hotel hotspot hijinks
Ever been staying at a hotel and gotten annoyed that you always have to open a browser to log in for wireless access? Yup, me too. A recent instance was particularly frustrating and I had to pull out my favourite Swiss Army chainsaw in order to make my life a bit easier.
The situation
So, the background story is that I was staying at a hotel in the mountains for a few days. As is the fortunate case these days, the hotel had wireless access. The weird part, though, was that each room had a separate username and password. “Fair enough”, I thought and promptly opened my laptop and then Firefox to enter my login data to get the dearly-awaited connectivity. Using Firefox (or any other browser for that matter) was necessary because the login page was accessed via a captive portal. That’s the thing you get directed through when you see a login banner like this pop up in your browser: [...]