Security Leftovers

posted by Roy Schestowitz on Apr 05, 2025

• LWN ☛ Security updates for Friday

  Security updates have been issued by AlmaLinux (firefox), Debian (atop and thunderbird), Fedora (webkitgtk), Mageia (microcode), Oracle (expat), SUSE (apparmor, assimp-devel, aws-efs-utils, expat, firefox, ghostscript, go1.23, gotosocial, govulncheck-vulndb, GraphicsMagick, headscale, libmozjs-128-0, libsaml-devel, openvpn, perl-Data-Entropy, and xz), and Ubuntu (gnupg2, kernel, linux-azure-fips, linux-iot, openvpn, ruby-saml, and xz-utils).

• OpenSSF (Linux Foundation) ☛ Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain

  We are pleased to announce the launch of version 1.0 of the model-signing project, an OpenSSF project developed in the past year as part of the OpenSSF AI/ML working group. The aim of the project is to provide a library and CLI for signing and verification of ML models, supporting any type of model format and models of any size. Furthermore, the project supports several types of Private Key Infrastructure (PKI), such as signing with sigstore (a graduated OpenSSF project), self-signed certificates, or public/private key pairs while maintaining the same hashing scheme and signature format (as a sigstore bundle).

• Krebs On Security ☛ Cyber Forensic Expert in 2,000+ Cases Faces FBI Probe

  A Minnesota cybersecurity and computer forensics expert whose testimony has featured in thousands of courtroom trials over the past 30 years is facing questions about his credentials and an inquiry from the Federal Bureau of Investigation (FBI). Legal experts say the inquiry could be grounds to reopen a number of adjudicated cases in which the expert’s testimony may have been pivotal.

• Security Week ☛ Compromised SpotBugs Token Led to Microsoft's proprietary prison GitHub Actions Supply Chain Hack

  Evidence shows a SpotBugs token compromised in December 2024 was used in the March 2025 Microsoft's proprietary prison GitHub Actions supply chain attack.

• Security Week ☛ Oracle Confirms Cloud Hack

  Oracle has confirmed suffering a data breach but the tech giant is apparently trying to downplay the impact of the incident.

• Security Week ☛ State Bar of Texas Says Personal Information Stolen in Ransomware Attack

  The State Bar of Texas is notifying thousands of individuals that their personal information was stolen in a February ransomware attack.

• Security Week ☛ Call Records of Millions Exposed by Verizon App Vulnerability

  A patch has been released for a serious information disclosure vulnerability affecting a Verizon call filtering application.

• ZDNet ☛ Look, no patches! Why Chainguard OS might be the most secure Linux ever

  A secure container company listens to several top Linux maintainers on how to build the most secure Linux distro possible. The result: Chainguard OS.