news
Security Leftovers
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools).
-
QSB-107: Multiple CPU branch prediction vulnerabilities
We have published Qubes Security Bulletin (QSB) 107: Multiple CPU branch prediction vulnerabilities. The text of this QSB and its accompanying cryptographic signatures are reproduced below, followed by a general explanation of this announcement and authentication instructions.
-
XSAs released on 2025-05-12
The Xen Project has released one or more Xen security advisories (XSAs).
-
OpenSSF (Linux Foundation) ☛ 'Linux' Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness [Ed: Cybersecurity or compliance? Not the same thing.]
-
Silicon Angle ☛ 'Linux' Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps [Ed: LF-funded spam from a site that runs marketing as "news"]
-
Security Week ☛ Ivanti Patches Two EPMM Zero-Days Exploited to Hack Customers
Ivanti has released patches for two EPMM vulnerabilities that have been chained in the wild for remote code execution.
-
Security Week ☛ Fortinet Patches Zero-Day Exploited Against FortiVoice Appliances
Fortinet has patched a dozen vulnerabilities, including a critical flaw exploited in the wild against FortiVoice instances.
-
Security Week ☛ Vulnerabilities Patched by Juniper, VMware and Zoom
Juniper Networks, VMware, and Zoom have announced patches for dozens of vulnerabilities across their products.
-
Security Week ☛ Kosovar Administrator of Cybercrime Marketplace Extradited to US
Kosovo citizen Liridon Masurica has appeared in a US court, facing charges for his role in operating the cybercrime marketplace BlackDB.cc.
-
Security Week ☛ Chipmaker Patch Tuesday: Intel, AMD, Arm Respond to New CPU Attacks
Intel, AMD and Arm each published security advisories on Patch Tuesday, including for newly disclosed CPU attacks.
-
Security Week ☛ ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact
Industrial giants Siemens, Schneider Electric and Phoenix Contact have released ICS security advisories on the May 2025 Patch Tuesday.
-
SANS ☛ Web Scanning SonicWall for CVE-2021-20016 - Update, (Wed, May 14th)
-
Mobile Systems/Mobile Applications
-
Wired ☛ Google’s Advanced Protection for Vulnerable Users Comes to Android
“There are two classes of things that we use to defend the user. One is you obviously harden the system, so you try to lock things down, you prevent many forms of attacks," says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. "But two is you can't always prevent every attack entirely. But if you can detect that you've been compromised, you can take some sort of corrective action. In consumer security on mobile this detection has never really been a possibility, so that's one of the big things we've done here."
-
-
ENISA
-
Security Week ☛ EU Cybersecurity Agency ENISA Launches European Vulnerability Database
The EU cybersecurity agency ENISA on Tuesday announced the official launch of the European Vulnerability Database, or EUVD. Industry professionals believe the EUVD can be a useful resource, but the agency needs to ensure it stays relevant.
-
Scoop News Group ☛ CVE Foundation eyes year-end launch following 11th-hour rescue of MITRE program
The CVE program is the global bedrock of contemporary vulnerability management, cataloging and assigning unique identifiers to software vulnerabilities. Until April 15, cybersecurity defenders and data scientists seemed unshakeable in embracing the program, which had already overcome challenges to achieve its silver anniversary.
-