Security Leftovers
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Fedora (gnutls, libpng, mingw-python3, python-spotipy, source-to-image, unbound, and webkitgtk), Mageia (libpng), SUSE (bash-git-prompt, gitea-tea, java-17-openjdk, java-21-openjdk, kernel, openssh, python, and shadowsocks-v2ray-plugin, v2ray-core), and Ubuntu (binutils, openjdk-17-crac, openjdk-21-crac, and openjdk-25-crac).
-
LinuxConfig ☛ Docker: Patch Image Vulnerabilities with Trivy and Copa
-
Security Week ☛ Android Zero-Days Patched in December 2025 Security Update
Google warns that two out of the 107 vulnerabilities patched in Android this month have been exploited in limited, targeted attacks.
-
Security Week ☛ Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors
The extensions were seen profiling users, reading cookie data to create unique identifiers, and executing payloads with browser API access.
-
New York Times ☛ 120,000 Home Cameras Were Hacked for Sexual Videos, South Korean Police Say
The authorities arrested four people this week in the latest turn in the country’s effort to stop exploitative recordings.
-
Scoop News Group ☛ The Congressional remedy for Salt Typhoon? More information sharing with industry [Ed: But this was due to back doors]
A year after Chinese hackers were found in U.S. telecom networks, Congress and federal agencies have taken few concrete actions to stop the next hack.
-
Jon Chiappetta: Year End Summary – OpenVPN Modifications in a Screen Cap – Sometimes Lines of Code Removed is a Better Metric!
I’ve spent a few months ironing out some remaining edge cases and code paths to get this highly modified version of OpenVPN to work as stably as I intended it to. It’s basically a lighter-weight, TCP-protocol-focused version of OVPN with a number of extra huge unused libraries removed, including WIN32, which I never have run anything on for the last few decades at least now. The summary of all the modifications I made comes out to roughly 3,000 lines added and over 25,000 lines of code removed!
-
Security Week ☛ Vulnerability in Proprietary Chaffbot Company Coding Agent Could Facilitate Attacks on Developers
The Codex CLI vulnerability tracked as CVE-2025-61260 can be exploited for command execution.
-
LWN ☛ Let's Encrypt to reduce certificate lifetimes [Ed: Just fake security]
Let's Encrypt has announced that it will be reducing the validity period of its certificates from 90 days to 45 days by 2028:
Most users of Let's Encrypt who automatically issue certificates will not have to make any changes. However, you should verify that your automation is compatible with certificates that have shorter validity periods.
-
Windows TCO / Windows Bot Nets
-
Caution! The ClickFix malware is hiding in a fake full-screen update page
A new variant of the ClickFix [...]
-
OpenSSF (Linux Foundation) ☛ What’s in the SOSS? Podcast #46 – S2E23 Securing the Future: AI, Open Source, and Collaboration with Jay White (Microsoft) [Ed: 'Linux' Foundation selling back doors (Microsoft) as security. 'Linux' Foundation: They pay us more than you pay us, so they know better than you.]
Jay White from Abusive Monopolist Microsoft joins What’s in the SOSS to talk about his journey into open source, Hey Hi (AI) and ML security, model signing, and the importance of community collaboration. Hear how standardization, transparency, and community involvement can strengthen Hey Hi (AI) supply chain security.