Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by Debian (freetype), Fedora (aqualung, kiss-fft, libtasn1, mac, and vim), Red Hat (libarchive, osbuild-composer, and rhc), Slackware (expat), SUSE (ca-certificates-mozilla, chromium, cockpit, cockpit-machines, cockpit-podman, curl, docker, docker-compose, docker-stable, gnutls, gstreamer-rtsp-server, gstreamer-plugins-ugly, gstreamer-plugins-rs, gstreamer-plugins-libav, gstreamer-plugins-good, gstreamer-plugins-base, gstreamer-plugins-bad, gstreamer-docs, gstreamer-devtools, gstreamer, gvfs, helm, kernel, krb5-appl, libsoup, libxslt, libxml2, openssh, python-cryptography, python-django, python-pypdf2, python-simpleeval, python311, qemu, ruby4.0-rubygem-sprockets, ruby4.0-rubygem-thor, ruby4.0-rubygem-web-console, ruby4.0-rubygem-websocket-extensions, skaffold, smb4k, tomcat, ucode-intel, util-linux, virtiofsd, and zlib), and Ubuntu (bouncycastle, exiv2, freerdp3, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, python2.7, roundcube, and valkey).
-
Otto Kekäläinen: Automated security validation: How 7,000+ tests shaped MariaDB's new AppArmor profile
Linux kernel security modules provide a good additional layer of security around individual programs by restricting what they are allowed to do, and at best block and detect zero-day security vulnerabilities as soon as anyone tries to exploit them, long before they are widely known and reported. However, the challenge is how to create these security profiles without accidentally also blocking legitimate actions. For MariaDB in Debian and Ubuntu, a new AppArmor profile was recently created by leveraging the extensive test suite of 7,000+ tests, giving good confidence that AppArmor is unlikely to yield false positive alerts with it.
-
Security Week ☛ Russian APT Exploits Zimbra Vulnerability Against Ukraine
Insufficient sanitization of CSS content within HTML emails leads to inline script execution when the message is opened in a browser.
-
Security Week ☛ Critical ScreenConnect Vulnerability Exposes Machine Keys
Latest ScreenConnect version adds encrypted storage and management to prevent unauthorized access to machine keys.
-
Bruce Schneier ☛ Hacking a Robot Vacuum
Someone tries to remote-control his own DJI Romo vacuum, and ends up controlling 7,000 of them from all around the world.
The IoT is horribly insecure, but we already knew that.
-
Wiz Inc ☛ Linux Debian vulnerability analysis and mitigation
In the Linux kernel, the following vulnerability has been resolved:
audit: add missing syscalls to read class
The "at" variants of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:
-w /tmp/test -p rwa -k test_rwa
The current patch adds missing syscalls to the audit read class.
-
New malware targets Linux network devices for DDoS, crypto mining [Ed: Cites slopfarm as its source]
The CondiBot variant, derived from Mirai, transforms compromised systems into DDoS attack nodes, while "Monaco" scans for exposed SSH servers, brute-forces credentials, and mines Monero cryptocurrency. Both malware samples support multiple architectures including ARM, MIPS, and x86, enabling them to infect virtually any vulnerable Linux device regardless of hardware vendor. CondiBot's persistence mechanisms include disabling system reboot utilities and manipulating hardware watchdogs while killing competing botnet processes.