Security Leftovers
-
LWN ☛ Security updates for Monday
Security updates have been issued by Debian (espeak-ng, kitty, kmail-account-wizard, krb5, libreoffice, libvpx, net-tools, python-flask-cors, symfony, tcpdf, thunderbird, and twitter-bootstrap3), Fedora (chromium, dropbear, firefox, gstreamer1-plugins-bad-free, python-tornado, systemd, and thunderbird), Mageia (coreutils, deluge, glib2.0, and redis), Oracle (firefox, kernel, and systemd), Red Hat (firefox, kernel, kernel-rt, varnish, varnish:6, and zlib), SUSE (bind, curl, dnsdist, docker, ffmpeg-7, firefox, glibc, golang-github-prometheus-alertmanager, govulncheck-vulndb, icinga2, iputils, java-11-openjdk, java-1_8_0-ibm, kea, kernel, libopenssl-3-devel, libsoup, libxml2, nodejs-electron, open-vm-tools, openbao, perl-Net-Dropbox-API, pluto, poppler, postgresql14, postgresql15, postgresql16, postgresql17, python312-setuptools, runc, s390-tools, skopeo, sqlite3, thunderbird, and unbound), and Ubuntu (apport and libphp-adodb).
-
Hong Kong Free Press ☛ 5% of Hong Kong critical infrastructure had ‘system vulnerabilities’ in 2024, police cybersecurity report finds
Five per cent of more than 90,000 critical infrastructure facilities in Hong Kong had “varying degrees of system vulnerabilities” last year, according to the cybercrime unit of the city’s police force.
-
OpenSSF (Linux Foundation) ☛ OSS and the CRA: am I a Manufacturer or a Steward?
The European Union’s Cyber Resilience Act (CRA) is a piece of legislation that covers all countries within the EU and the EEA and entered into force on 10th December 2024. It covers many types of devices and applications that are either sold or otherwise made commercially available on the European market and the intention behind it is to improve the cybersecurity of products available to consumers and businesses across Europe.
-
Security Week ☛ In Other News: PoC for Fortinet Bug, AI Model Subverts Shutdown, RAT Source Code Leaked
Noteworthy stories that might have slipped under the radar: simple PoC code released for a Fortinet zero-day, OpenAI's o3 model disobeys shutdown orders in a test, and the source code of SilverRAT emerges online.
-
Security Week ☛ Technical Details Published for Critical Cisco IOS XE Vulnerability
The critical flaw, tracked as CVE-2025-20188 (CVSS score of 10/10), affects Cisco IOS XE Software for Wireless LAN Controllers: a hard-coded JSON Web Token lets an unauthenticated attacker upload arbitrary files and execute code remotely as root. It is only reachable when the Out-of-Band AP Image Download feature is enabled, which is not the default.
-
Security Week ☛ vBulletin Vulnerability Exploited in the Wild
Exploitation of the vBulletin vulnerability tracked as CVE-2025-48827 and CVE-2025-48828 started shortly after disclosure. The flaw lets an unauthenticated attacker invoke protected controller methods through the PHP reflection API and reach remote code execution; it affects vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when running on PHP 8.1 or later.
-
Confidentiality
-
Security Week ☛ Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
Luxury brand Cartier disclosed a data breach in which an unauthorized party gained access to its systems and obtained some client information.
-
Windows TCO / Windows Bot Nets
-
Associated Press ☛ Trump's sanctions on ICC prosecutor have halted tribunal's work
Microsoft, for example, cancelled Khan’s email address, forcing the prosecutor to move to Proton Mail, a Swiss email provider, ICC staffers said. His bank accounts in his home country of the U.K. have been blocked.
Microsoft did not respond to a request for comment.
-
Bruce Schneier ☛ Australia Requires Ransomware Victims to Declare Payments
A new Australian law requires larger companies to declare any ransomware payments they have made.
-