Security Leftovers
-
SELinux: Policy Packaging Migration to support Snapshots and Rollbacks
SELinux has been the Mandatory Access Control mechanism on openSUSE distributions such as MicroOS and Leap Micro since 2022, and most recently openSUSE Tumbleweed switched the default MAC to SELinux in February 2025.
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by AlmaLinux (firefox, gdk-pixbuf2, java-17-openjdk, libxml2, python3, python3.11, python3.12, sudo, and webkit2gtk3), Debian (dnsdist, node-tar, pdns, pdns-recursor, and policykit-1), Fedora (chromium, edk2, and vim), Oracle (firefox, gdk-pixbuf2, go-toolset:rhel8, libpng12, LibRaw, libxml2, python, python3, python3.11, python3.12, python3.12-wheel, vim, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, yggdrasil, and yggdrasil-worker-package-manager), Red Hat (container-tools:rhel8, delve, git-lfs, go-rpm-macros, grafana, grafana-pcp, osbuild-composer, and rhc), SUSE (bouncycastle, clamav, container-suseconnect, dovecot22, erlang, firefox, fontforge, freerdp2, ghostscript, giflib, gnome-remote-desktop, go1.25, go1.26, google-guest-agent, haproxy, ignition, ImageMagick, kernel, libcap, libpng16, libraw, librsvg, mariadb, openexr, pocketbase, protobuf, python-Pillow, python-requests, qemu, rust1.94, sudo, tomcat, tomcat10, tomcat11, webkit2gtk3, and xen), and Ubuntu (dotnet10, dovecot, linux-nvidia-lowlatency, node-follow-redirects, openssh, packagekit, python-cryptography, python-tornado, ruby-rack-session, ujson, and wheel).
-
Security Week ☛ Chrome 147, Firefox 150 Security Updates Rolling Out
The browser refreshes resolve critical and high-severity vulnerabilities that could lead to arbitrary code execution.
-
Security Week ☛ Checkmarx Confirms Data Stolen in Supply Chain Attack
The hackers exfiltrated the data from Checkmarx’s Microsoft's proprietary prison GitHub environment on March 30, a week after publishing malicious code.
-
Federal News Network ☛ CISA cyber partnerships face ‘standstill’ amid cuts
CISA staff departures, especially in the Stakeholder Engagement Division, have kneecapped the cyber agency's ability to coordinate with the private sector.
-
Security Week ☛ Fresh LiteLLM Vulnerability Exploited Shortly After Disclosure
The vulnerability allows attackers to read data from a LiteLLM proxy’s database and potentially modify it.
-
Security Week ☛ 38 Vulnerabilities Found in OpenEMR Medical Software
Some of the vulnerabilities discovered by Aisle can be exploited to access and alter sensitive patient information.
-
LWN ☛ A security bug in AEAD sockets
Security analysis firm Xint has disclosed a security bug in the GNU/Linux kernel that allows for arbitrary 4-byte writes to the page cache, and which has been present since 2017.
-
Tom's Hardware ☛ Ransomware accidentally destroys all files larger than 128KB, preventing decryption — VECT code likely partly vibe coded with Hey Hi (AI) or used an old code base, security researchers suggest
A ransomware's major flaw meant that files cannot be decrypted because of a programming mistake. It also has several minor issues, showing that its creator may not be as sophisticated as suggested. Still, researchers point out that these can be rectified in future versions of the malware.
-
LWN ☛ Security review of Plasma Login Manager (SUSE Security Team Blog)
SUSE's Security Team has published a detailed blog post on their recent review of the Plasma Login Manager version 6.6.2, which was forked from the SDDM display manager.
-
SANS ☛ Today's Odd Web Requests, (Wed, Apr 29th)
Today, two different "new" requests hit our honeypots. Both appear to be recon requests and not associated with specific vulnerabilities.
-
Security Week ☛ Hundreds of Internet-Facing VNC Servers Expose ICS/OT
Forescout has identified tens of thousands of exposed RDP and VNC servers that can be mapped to specific industries.
-
Security Week ☛ Critical Microsoft's proprietary prison GitHub Vulnerability Exposed Millions of Repositories
The remote code execution flaw CVE-2026-3854 was found to impact Microsoft's proprietary prison GitHub.com and Microsoft's proprietary prison GitHub Enterprise Server.
-
CPR ☛ VECT: Ransomware by design, Wiper by accident
Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB). Full recovery is impossible for anyone, including the attacker. At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included. CPR confirmed this flaw is present across all publicly available VECT versions.