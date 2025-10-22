news
Security Leftovers
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (.NET 8.0, firefox, kernel, kernel-rt, libssh, and perl-JSON-XS), Debian (ark and libphp-adodb), Fedora (chromium and gi-docgen), Mageia (quictls), Oracle (.NET 8.0, .NET 9.0, firefox, httpd, kernel, libsoup3, libssh, microcode_ctl, and webkit2gtk3), SUSE (go1.24, go1.25, krb5, python-ldap, and webkit2gtk3), and Ubuntu (gst-plugins-base1.0, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, and python-ldap).
Dark Reading ☛ Is Your Car a BYOD Risk? Researchers Demonstrate How
At BSides NYC on Oct. 18, Threatlight chief technology officer (CTO) and co-founder Tim Shipp detailed a proof-of-concept (PoC) attack chain that began in a parked car and ended in corporate Linux servers and ESXi hypervisors. Call it a BYOC — a bring-your-own-car attack. And it required only a few cheap gadgets.
The key (pun intended) was the driver's phone — using the car to reach the phone, then using the phone to reach the company's network.
Federal News Network ☛ F5 hack highlights persistent supply chain security concerns
The F5 breach targets a "foundational technology" relied upon by government agencies and critical infrastructure operators.
Security Week ☛ Over 73,000 WatchGuard Firebox Devices Impacted by Recent Critical Flaw
Affecting the Fireware OS iked process, the vulnerability can lead to remote code execution and does not require authentication.
Security Week ☛ CISA Warns of Exploited Apple, Kentico, Abusive Monopolist Microsoft Vulnerabilities
Leading to code execution, authentication bypass, and privilege escalation, the flaws were added to CISA’s KEV list.
Security Week ☛ Government, Industrial Servers Targeted in China-Linked ‘PassiveNeuron’ Campaign
A threat actor has been infecting servers of high-profile entities with backdoors to exfiltrate information and deploy additional payloads.
Bruce Schneier ☛ A Cybersecurity Merit Badge
Scouting America (formerly known as Boy Scouts) has a new badge in cybersecurity. There’s an image in the article; it looks good.
I want one.
XSAs released on 2025-10-21
The Xen Project has released one or more Xen security advisories (XSAs).
Scoop News Group ☛ Researchers uncover remote code execution flaw in abandoned Rust code library
The high-severity defect affects a widely used — but largely hidden — archive tool that spans many forks.
OpenSSF (Linux Foundation) ☛ What’s in the SOSS? Podcast #43 – S2E20 Building Trust in Open Source: Seth Larson’s Journey from Maintainer to Security Leader
Seth Larson, Security Developer-in-Residence at the Python Software Foundation, joins What’s in the SOSS? to discuss trust, documentation, and the evolution of secure-by-default practices in open source.
Security Week ☛ Supply Chain Attack Targets VS Code Extensions With ‘GlassWorm’ Malware
The malware uses invisible Unicode characters to hide its code and blockchain-based infrastructure to prevent takedowns.
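As an added example (not code from the SecurityWeek article or from the GlassWorm samples), the following scanner flags runs of invisible Unicode code points in extension source text, the class of characters the article says the malware hides its code in. It also includes an encoder/decoder for one well-known hiding scheme, mapping bytes onto Unicode variation selectors; the article does not state which encoding the campaign used, so that mapping, the sample file, and the `example.invalid` payload string are assumptions constructed for illustration.

```javascript
// Added example: scanner for invisible Unicode in source text, plus an
// encoder/decoder for a variation-selector byte-hiding scheme. The scheme is
// an assumption for illustration, not GlassWorm's actual encoding.

// Code point ranges that render as nothing (or only alter rendering) and so
// survive in a source file without being visible in most editors.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // ZWSP, ZWNJ, ZWJ, LRM, RLM
  [0x202a, 0x202e],   // bidi embedding / override controls
  [0x2060, 0x2064],   // word joiner and invisible operators
  [0x2066, 0x2069],   // bidi isolates
  [0xfe00, 0xfe0f],   // variation selectors VS1..VS16
  [0xfeff, 0xfeff],   // zero-width no-break space (a BOM when not at offset 0)
  [0xe0000, 0xe007f], // TAGS block
  [0xe0100, 0xe01ef], // variation selectors supplement VS17..VS256
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Encode bytes as variation selectors: 0..15 -> U+FE00..U+FE0F,
// 16..255 -> U+E0100..U+E01EF. Appended to a visible character the
// result has zero width in most renderers.
function encodeHidden(bytes) {
  return Array.from(bytes, b =>
    String.fromCodePoint(b < 16 ? 0xfe00 + b : 0xe0100 + (b - 16))).join('');
}

// Inverse of encodeHidden; every non-selector code point is skipped.
function decodeHidden(text) {
  const out = [];
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp >= 0xfe00 && cp <= 0xfe0f) out.push(cp - 0xfe00);
    else if (cp >= 0xe0100 && cp <= 0xe01ef) out.push(cp - 0xe0100 + 16);
  }
  return Uint8Array.from(out);
}

// Report each run of consecutive invisible code points with its 1-based line
// and column. for..of walks code points, so the astral U+E01xx selectors are
// not split into surrogate halves.
function scanSource(text) {
  const findings = [];
  let line = 1, col = 0, run = null;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    col += 1;
    if (isInvisible(cp)) {
      if (run) run.count += 1;
      else { run = { line, col, count: 1 }; findings.push(run); }
    } else {
      run = null;
    }
    if (ch === '\n') { line += 1; col = 0; }
  }
  return findings;
}

// Constructed sample: an innocuous-looking extension entry point with a hidden
// payload string glued onto the trailing comment (payload text is made up).
const PAYLOAD = 'fetch("http://example.invalid")';
const HIDDEN = encodeHidden(new TextEncoder().encode(PAYLOAD));
const SAMPLE = `// activate extension${HIDDEN}\nmodule.exports = { activate() {} };\n`;

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line} col ${f.col}: ${f.count} invisible code point(s)`);
}
console.log('recovered:', new TextDecoder().decode(decodeHidden(SAMPLE)));
```

A practical check is to run `scanSource` over every `.js` file in a downloaded `.vsix` before installing it and treat any non-empty result, especially a run longer than a handful of code points, as something to inspect by hand; legitimate code rarely contains bidi controls or variation selectors outside string literals.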