Security Leftovers
-
University of Toronto ☛ CVEs are not what I'll call security reports
Today I read Josh Bressers' Why are vulnerabilities out of control in 2024? (via), which made me realize that I, along with other people, had been unintentionally propagating a misinterpretation of what a CVE was (for example when I talked about the Linux kernel giving CVEs to all bugfixes). To put it simply, a CVE is not what I'll call a (fully baked) security report. It's more or less in the name, as 'CVE' is short of 'Common Vulnerabilities and Exposures'. A CVE is a common identifier for a vulnerability that is believed to have a security impact, and that's it.
-
Open Source Security (Audio Show) ☛ Josh Bressers: Why are vulnerabilities out of control in 2024?
If you follow the vulnerability world, 2024 is starting to feel like we’ve become trapped in the mirror universe. NVD collapsed, the GNU/Linux kernel is generating a huge number of CVE IDs, CISA is maybe enriching the CVE data, and the growth rate of CVE is higher than its ever been. It feels like we’re careening off a cliff in the clown car where half the people are trapped inside trying to get out, and the other half are laughing at the clown honking its nose.
I want to start out by saying all of this is not an accident. A lot of gears have been turning for years, or even decades, we’re seeing the result of trends finally coming together. It was only a matter of time until this happened. Let’s look at a few of those trends.
-
LWN ☛ Security updates for Monday
Security updates have been issued by AlmaLinux (python39:3.9 and python39-devel:3.9 and ruby:3.0), Debian (chromium, gst-plugins-base1.0, and kernel), Fedora (chromium, glances, glycin-loaders, gnome-tour, helix, helvum, kitty, libarchive, libipuz, librsvg2, loupe, maturin, ntpd-rs, plasma-workspace, and a huge list of Rust-based packages due to a "mini-mass-rebuild" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (gifsicle, netatalk, openssl, python-jinja2, and unbound), Red Hat (kernel and kernel-rt), SUSE (bind, glibc, gstreamer-plugins-base, squid, and tiff), and Ubuntu (glibc).
-
RFERL ☛ Major Russian Retailer Unable To Work With Payment Cards Over Hackers' Attack
A major Russian retailer says it has been unable to work with payment cards for three days following a hacking attack.