Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox).
-
Tom's Hardware ☛ AMD finally patches gaping Zenbleed security hole — MSI releases AGESA 1.2.0.Ca BIOS update for Zen 2
MSI is releasing new BIOS updates featuring AMD's latest AGESA 1.2.0.Ca firmware update for AM4 motherboards. The update is designed specifically to fix a new vulnerability affecting Zen 2 CPUs only.
-
SANS ☛ Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796, (Thu, May 2nd)
Before diving into the vulnerability, a bit about the affected devices. LB-Link, the make of the devices affected by this vulnerability, produces various wireless equipment that is sometimes sold under different brands and labels. This will make it difficult to identify affected devices. These devices are often low-cost "no name" solutions or, in some cases, may even be embedded, which makes it even more difficult to find firmware updates.
-
Qt ☛ Security advisory: QStringConverter
QStringConverter passes an invalid pointer as a callback, which can allow modification of the stack; the issue has been assigned CVE-2024-33861.
-
OpenSSF (Linux Foundation) ☛ Recap of SOSS Community Day North America 2024
On April 15, 2024, Secure Open Source Software (SOSS) Community Day North America (NA) brought together the open source community in Seattle to delve into discussions surrounding the challenges, overarching solutions, ongoing initiatives, and triumphs in fortifying the open source software (OSS) supply chain. Alongside dedicated SOSS contributors and thought leaders, we embarked on an in-depth exploration of topics such as security best practices, vulnerability discovery, securing critical projects, and the evolving landscape of OSS security.
-
Security Week ☛ Hackers Compromised Dropbox eSignature Service
Dropbox says hackers breached its Sign production environment and accessed customer email addresses and hashed passwords.
-
Security Week ☛ Verizon DBIR 2024 Shows Surge in Vulnerability Exploitation, Confirmed Data Breaches
Verizon’s 2024 DBIR shows that vulnerability exploitation increased three times and confirmed data breaches doubled compared to the previous year.
-
Bruce Schneier ☛ The UK Bans Default Passwords
The UK is the first country to ban default passwords on IoT devices.
-
Security Week ☛ 1,400 GitLab Servers Impacted by Exploited Vulnerability
CISA says a critical GitLab password reset flaw is being exploited in attacks and roughly 1,400 servers have not been patched.