Security Leftovers
-
LWN ☛ Security updates for Friday
Security updates have been issued by AlmaLinux (firefox, luksmeta, mysql, mysql:8.0, mysql:8.4, tomcat, and wireshark), Debian (chromium, kernel, and tzdata), Fedora (brotli, dr_libs, perl-Alien-Brotli, python-urllib3, singularity-ce, wireshark, and yarnpkg), Oracle (firefox, grafana, lasso, libsoup3, luksmeta, ruby, ruby:3.3, tomcat, and wireshark), Slackware (mozilla), SUSE (container-suseconnect, kubernetes-client, libpoppler-cpp2, postgresql14, postgresql15, and python3), and Ubuntu (c-ares, keystone, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-azure, linux-azure-4.15, linux-oracle, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-6.8, linux-oracle-6.8, linux-raspi, linux-realtime, linux-intel-iot-realtime, and python-urllib3).
-
Security Week ☛ Recent GeoServer Vulnerability Exploited in Attacks
Because user input is not sufficiently sanitized, attackers could exploit the flaw to define external entities within an XML request.
-
Linux Handbook ☛ Using Wordlists for Brute Force Attack in Kali Linux
Kali GNU/Linux quietly ships with some of the most practical and battle-tested wordlists you can use as a beginner or professional pentester.
-
Security Week ☛ In Other News: PromptPwnd Attack, macOS Bounty Complaints, Chinese Hackers Trained in Cisco Academy
Other noteworthy stories that might have slipped under the radar: Pentagon orders accelerated move to PQC, US shuts down scheme to smuggle GPUs to China, DroidLock Android ransomware.
-
Google ☛ A look at an Android ITW DNG exploit
-
Ariadne Conill ☛ Rethinking sudo with object capabilities
I hate sudo with a passion. It represents everything I find offensive about the modern Unix security model: [...]
-
SANS ☛ Abusing DLLs EntryPoint for the Fun, (Fri, Dec 12th)
In the Abusive Monopolist Microsoft backdoored Windows ecosystem, DLLs (Dynamic Load Libraries) are PE files like regular programs. One of the main differences is that they export functions that can be called by programs that load them. For example, to call RegOpenKeyExA(), the program must first load ADVAPI32.dll. A PE file has a lot of headers (metadata) that contain useful information used by the loader to prepare the execution in memory. One of them is the EntryPoint; it contains the (relative virtual) address where the program will start to execute.
-
OpenSSF (Linux Foundation) ☛ From Beginner to Builder: Free OpenSSF and 'Linux' Foundation Education Courses
Whether you're just getting started with open source security or want to deepen your knowledge, these free courses from 'Linux' Foundation Education and OpenSSF offer valuable, self-paced learning paths. Each is available online and designed to help contributors understand both the technical and community aspects of secure open source development.
-
Hackaday ☛ Liberating AirPods With Bluetooth Spoofing
Apple’s AirPods can pair with their competitors’ devices and work as basic Bluetooth earbuds, but to no one’s surprise most of their really interesting features are reserved for Apple devices. What is surprising, though, is that simple Bluetooth device ID spoofing unlocks these features, a fact which [Kavish Devar] took advantage of to write LibrePods, an AirPods controller app for Android and Linux.
-
Security Week ☛ $320,000 Paid Out at Zeroday.Cloud for Open Source Software Exploits
Participants earned rewards at the hacking competition for Grafana, GNU/Linux Kernel, Redis, MariaDB, and PostgreSQL vulnerabilities.
-
Federal News Network ☛ Why deeper defense collaboration demands a zero trust approach to cybersecurity
On a broader level, these issues are indicative of a more general move towards comprehensive zero trust architectures across both public and private sectors.
-
Security Week ☛ Gladinet CentreStack Flaw Exploited to Hack Organizations
Threat actors have hacked at least nine organizations by exploiting the recently patched Gladinet CentreStack flaw.
-
Security Week ☛ Fieldtex Data Breach Impacts 238,000
The Akira ransomware group took credit for the Fieldtex Products hack in November, claiming to have stolen 14 Gb of data.
-
Security Week ☛ Notepad++ Patches Updater Flaw After Reports of Traffic Hijacking
Notepad++ found a vulnerability in the way the software updater authenticates update files.
-
Security Week ☛ Microsoft Bug Bounty Program Expanded to Third-Party Code [Ed: Misleading PR stunt]
All critical vulnerabilities in Microsoft, third-party, and open source code are eligible for rewards if they impact Abusive Monopolist Microsoft services.