Security Leftovers

posted by Roy Schestowitz on May 25, 2024

• Federal News Network ☛ Amid rising threats to critical infrastructure, CISA developing ‘physical security’ goals

  CISA is working on 'physical security' goals as officials warn about rising threats to critical infrastructure, such as attacks on the electric grid.

• Security Week ☛ JAVS Courtroom Audio-Visual Software Installer Serves Backdoor

  Backdoored JAVS courtroom recording and management software installer puts thousands at risk of complete takeover.

• Pen Test Partners ☛ UK PSTI? You’ll need a Vulnerability Disclosure Program!

  If you are distributing or selling smart devices in to the UK market, your products will need to be compliant with the UK Product Security and Telecommunications Act.

• Qt ☛ Security advisory: OAuth1 in QtNetworkAuth

  The OAuth1 implementation in QtNetworkAuth created nonces using a PRNG that was seeded with a predictable seed. This issue has been assigned the CVE id CVE-2024-36048.

• Hackaday ☛ This Week In Security: Drama At The C-Level, Escape Injection, And Audits

  There was something of a mystery this week, with the c.root-servers.net root DNS server falling out of sync with it’s 12 siblings. That’s odd in itself, as these are the 13 servers that keep DNS working for the whole Internet. And yes, that’s a bit of a simplification, it’s not a single server for any of the 13 entities — the C “server” is actually 12 different machines. The intent is for all those hundreds of servers around the world to serve the same DNS information, but over several days this week, the “C” servers just stopped pulling updates.

• OpenSSF (Linux Foundation) ☛ Introducing Artifact Attestations—Now in Public Beta

  There’s an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100 million developers building on Microsoft's proprietary prison GitHub , we want to ensure that developers have the tools needed to help protect the integrity of their software supply chain. Today, we’re proud to announce the public beta of Artifact Attestations, a new feature that will pave the way for a cultural shift toward expecting to know where software comes from.

• Addressing PostgreSQL Vulnerabilities in Ubuntu

  In recent updates, the Ubuntu security team has addressed multiple security issues found in PostgreSQL, an Object-relational SQL database. These issues affect various Ubuntu releases, including Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04, and Ubuntu 16.04. In this article, we will look into the details of PostgreSQL vulnerabilities that have been patched and explore solutions for end-of-life Ubuntu systems like Ubuntu 16.04 and Ubuntu 18.04.

• Raleigh News And Observer ☛ Open Source: The coding threat that shook Red Hat and the open source world [Ed: Trying to recall Microsoft alarmist to revive scare or FUD from March!]

  Code running as written is not the same as code running as designed. It’s a distinction executives at Raleigh’s open-source software giant Red Hat encountered the last week of March when they learned a person (or persons) had stealthily introduced a secret backdoor into the components of the world’s most-used operating system, Linux.