Security Leftovers
-
LWN ☛ Security updates for Friday
Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2).
-
Google ☛ From Chrome renderer code exec to kernel with MSG_OOB
-
Bruce Schneier ☛ Google Project Zero Changes Its Disclosure Policy
Google’s vulnerability finding team is again pushing the envelope of responsible disclosure: [...]
-
Scoop News Group ☛ Research reveals possible privacy gaps in Fashion Company Apple Intelligence’s data handling
LAS VEGAS — One of the big worries during the generative Hey Hi (AI) boom is where exactly data is traveling when users enter queries or commands into the system. According to new research, those worries may also extend to one of the world’s most popular consumer technology companies.
-
LWN ☛ Some turbulence at CalyxOS
CalyxOS is an Android distribution that claims a focus on privacy and security. So when an announcement from the project begins by saying "we want to assure you that we have no reason to believe the security of CalyxOS and its signing keys have been compromised", chances are that good things are not happening.
-
Scoop News Group ☛ DARPA’s Hey Hi (AI) Cyber Challenge reveals winning models for automated vulnerability discovery and patching
The initiative seeks to patch vulnerabilities in open-source code before they are exploited by would-be attackers. Now comes the hard part — putting the systems to the test in the real world.
-
OpenSSF (Linux Foundation) ☛ From Beginner to Builder: Understanding OpenSSF Community and Working Groups
The Open Source Security Foundation (OpenSSF) serves as the global hub for collaborative work on securing the software supply chain. Whether you’re an open-source maintainer, a security engineer, a student, or someone passionate about public digital infrastructure, OpenSSF invites you to participate. There are no gatekeepers, no matter where you work. This community is open, global, and powered by you.
-
Bruce Schneier ☛ Friday Squid Blogging: New Vulnerability in Squid HTTP Proxy Server
In a rare squid/security combined post, a new vulnerability was discovered in the Squid HTTP proxy server.
-
5 Hidden Weaknesses in Your Linux Stack—And How Attackers Exploit Them
A recent IBM X-Force study found that 95% of Red Hat Enterprise Linux (RHEL) deployments were vulnerable to at least one CVE with a known exploit. Even worse, 65% of those systems had at least three known exploitable vulnerabilities.