Security Leftovers
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (httpd:2.4/httpd), Arch Linux (openssh), Fedora (cups, emacs, and python-urllib3), Gentoo (OpenSSH), Mageia (ffmpeg, gdb, openssl, python-idna, and python-imageio), Red Hat (golang and kernel), SUSE (booth, libreoffice, openssl-1_1-livepatches, podman, python-arcomplete, python-Fabric, python-PyGithub, python-antlr4-python3-runtime, python-avro, python-chardet, python-distro, python-docker, python-fakeredis, python-fixedint, pyth, python-Js2Py, python310, python39, and squid), and Ubuntu (cups and netplan.io).
OpenSSF (Linux Foundation) ☛ What’s in the SOSS? Podcast #8 – Intel’s Arun Gupta and Giving Back to Security Communities
Security Week ☛ Google Patches 25 Android Flaws, Including Critical Privilege Escalation Bug
Google ships an Android security update with fixes for 15 vulnerabilities, including a critical-severity flaw in Framework.
Security Week ☛ Critical Flaw in PTC License Server Can Allow Lateral Movement in Industrial Organizations
PTC has patched a critical vulnerability in the Creo Elements/Direct License Server that can be exploited for unauthenticated command execution.
Security Week ☛ Evolve Bank Shares Data Breach Details as Fintech Firms Report Being Hit
Fintech companies Wise and Affirm are impacted by the data breach at Evolve Bank, which has shared additional details on the recent ransomware attack.
Security Week ☛ Splunk Patches High-Severity Vulnerabilities in Enterprise Product
Splunk has patched multiple vulnerabilities in Splunk Enterprise, including high-severity remote code execution bugs.
Security Week ☛ Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain Attacks
EVA Information Security has shared details on three CocoaPods vulnerabilities impacting millions of macOS and iOS applications.
Federal News Network ☛ A big Defense cybersecurity requirement for contractors moves closer to reality
Not yet in effect, the Cybersecurity Maturity Model Certification program rule is now at the White House for review.
Security Week ☛ Cyberinsurance Premiums are Going Down: Here’s Why and What to Expect
The change in premium rates is more likely to be the insurers’ correction than the insureds’ improvement in security.
Security Week ☛ Cisco Patches NX-OS Zero-Day Exploited by Chinese Cyberspies
Cisco has patched an NX-OS command injection zero-day exploited by China-linked cyberespionage group Velvet Ant.