Security Leftovers
-
Linux Magazine ☛ Two Local Privilege Escalation Flaws Discovered in Linux
Qualys researchers have discovered two local privilege escalation vulnerabilities that allow hackers to gain root privileges on major Linux distributions.
-
Support for Istio 1.24 has ended
As previously announced, support for Istio 1.24 has now officially ended.
At this point we will no longer back-port fixes for security issues and critical bugs to 1.24. We highly recommend that you upgrade to the latest version of Istio (1.26.2) if you haven’t already.
-
Gunnar Wolf ☛ Gunnar Wolf: Private key management • Oh, the humanity...
If we ever thought a couple of years or decades of constant use would get humankind to understand how an asymmetric key pair is to be handled… It’s time we moved back to square one.
-
SANS ☛ Quick Password Brute Forcing Evolution Statistics, (Tue, Jun 24th)
We have collected SSH and telnet honeypot data in various forms for about 10 years.
-
GNU ☛ GNU Guix: Privilege Escalation Vulnerabilities (CVE-2025-46415, CVE-2025-46416)
Two security issues, known as CVE-2025-46415 and CVE-2025-46416, have been identified in guix-daemon, which allow for a local user to gain the privileges of any of the build users and subsequently use this to manipulate the output of any build, as well as to subsequently gain the privileges of the daemon user. You are strongly advised to upgrade your daemon now (see instructions below), especially on multi-user systems.
Both exploits require the ability to start a derivation build. CVE-2025-46415 requires the ability to create files in /tmp in the root mount namespace on the machine the build occurs on, and CVE-2025-46416 requires the ability to run arbitrary code in the root PID and network namespaces on the machine the build occurs on. As such, this represents an increased risk primarily to multi-user systems, but also more generally to any system in which untrusted code may be able to access guix-daemon's socket, which is usually located at /var/guix/daemon-socket/socket.
Vulnerability
One of the longstanding oversights of Guix's build environment isolation is what has become known as the abstract Unix-domain socket hole: a Linux-specific feature that enables any two processes in the same network namespace to communicate via Unix-domain sockets, regardless of all other namespace state. Unix-domain sockets are perhaps the single most powerful form of interprocess communication (IPC) that Unix-like systems have to offer, for the reason that they allow file descriptors to be passed between processes.
-
Security Week ☛ Photo-Stealing Spyware Sneaks Into Fashion Company Apple App Store, Surveillance Giant Google Play
Newly discovered spyware has sneaked into Apple’s App Store and Surveillance Giant Google Play to steal images from users’ mobile devices.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (dns-root-data and xorg-server), Fedora (glibc, mingw-glib2, and optipng), Red Hat (iputils, kernel, kernel-rt, krb5, libarchive, mod_auth_openidc, mod_proxy_cluster, and xorg-x11-server-Xwayland), SUSE (python313), and Ubuntu (fig2dev, gnuplot, gss-ntlmssp, linux, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-aws-5.15, linux-gcp-5.15, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-aws-fips, linux-fips, linux-gcp-fips, linux-hwe-5.15, and linux-intel-iot-realtime, linux-realtime).