Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by AlmaLinux (java-25-openjdk, openssl, and python3.9), Debian (gimp, libmatio, pyasn1, and python-django), Fedora (perl-HarfBuzz-Shaper, python-tinycss2, and weasyprint), Mageia (glib2.0), Oracle (curl, fence-agents, gcc-toolset-15-binutils, glibc, grafana, java-1.8.0-openjdk, kernel, mariadb, osbuild-composer, perl, php:8.2, python-urllib3, python3.11, python3.11-urllib3, python3.12, and python3.12-urllib3), SUSE (alloy, avahi, bind, buildah, busybox, container-suseconnect, coredns, gdk-pixbuf, gimp, go1.24, go1.24-openssl, go1.25, helm, kernel, kubernetes, libheif, libpcap, libpng16, openjpeg2, openssl-1_0_0, openssl-1_1, openssl-3, php8, python-jaraco.context, python-marshmallow, python-pyasn1, python-urllib3, python-virtualenv, python311, python313, rabbitmq-server, xen, zli, and zot-registry), and Ubuntu (containerd, containerd-app and wlc).
-
Tom's Hardware ☛ AI-assisted cybersecurity team discovers 12 OpenSSL vulnerabilities, claims humans are the limiting factor — some vulnerabilities have been around for decades
OpenSSL is a security standard that protects most of the internet, and cybersecurity researchers have recently discovered vulnerabilities in the standard that have been lying undetected for decades.
-
Tom's Hardware ☛ WinRAR exploit reportedly remains widely-used by China and Russia state actors despite patch — vulnerability allows malicious archives to deliver a hidden payload to backdoored Windows Startup folder
Google says that a WinRAR exploit that was patched six months ago remains a popular attack vector, especially for state-sponsored threat actors. The vulnerability allows malicious archives to install malware on critical backdoored Windows folders.
-
Trail of Bits ☛ Building cryptographic agility into Sigstore [Ed: Lockdown, not security]
Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our current signatures will fail, but whether we’re prepared for when they do.
Sigstore, an open-source ecosystem for software signing, recognized this challenge early but initially chose security over flexibility by adopting new cryptographic algorithms as older ones became obsolete. By hard coding ECDSA with P-256 curves and SHA-256 throughout its infrastructure, Sigstore avoided the dangerous pitfalls that have plagued other crypto-agile systems. This conservative approach worked well during early adoption, but as Sigstore’s usage grew, the rigidity that once protected it began to restrict its utility.
Over the past two years, Trail of Bits has collaborated with the Sigstore community to systematically address the limitations of aging cryptographic signatures. Our work established a centralized algorithm registry in the Protobuf specifications to serve as a single source of truth. Second, we updated Rekor and Fulcio to accept configurable algorithm restrictions. And finally, we integrated these capabilities into Cosign, allowing users to select their preferred signing algorithm when generating ephemeral keys. We also developed Go implementations of post-quantum algorithms LMS and ML-DSA, demonstrating that the new architecture can accommodate future cryptographic standards. Here is what motivated these changes, what security considerations shaped our approach, and how to use the new functionality.
-
OpenSSF (Linux Foundation) ☛ OpenSSF Newsletter – January 2026
-
Scoop News Group ☛ The ‘staggering’ cybersecurity weakness that isn’t getting enough focus, according to a top Secret Service official
The internet domain registration system is a major weakness that malicious hackers can exploit, but is often being overlooked, a senior Secret Service official said Thursday.
-
Security Week ☛ SolarWinds Patches Critical Web Help Desk Vulnerabilities
The four critical flaws could be exploited without authentication for remote code execution or authentication bypass.
-
Security Week ☛ N8n Vulnerabilities Could Lead to Remote Code Execution
The two bugs impacted n8n’s sandbox mechanism and could be exploited via weaknesses in the AST sanitization logic.
-
Proactively Securing Linux Systems Against Ransomware: Insights from Morphisec’s Monthly Demo [Ed: They use slop in their marketing. Bad optics.]