Latest News

Red Hat Security Advisory 2024-4572-03 - An update is now available for OpenJDK. Issues addressed include an out of bounds access vulnerability.

Red Hat Security Advisory 2024-4571-03 - An update is now available for OpenJDK. Issues addressed include an out of bounds access vulnerability.

Ubuntu Security Notice 6898-2 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.

Red Hat Security Advisory 2024-4570-03 - An update is now available for OpenJDK. Issues addressed include an out of bounds access vulnerability.

Red Hat Security Advisory 2024-4569-03 - An update is now available for OpenJDK. Issues addressed include an out of bounds access vulnerability.

Red Hat Security Advisory 2024-4566-03 - An update is now available for OpenJDK. Issues addressed include an out of bounds access vulnerability.

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers. The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name,

### Summary BlastRADIUS (see blastradius.fail for details) also affects eduMFA prior version 2.2.0, because the Message-Authenticator attributes were not checked. ### Details Website with the vulnerability information blastradius.fail The original vulnerability has been assigned CVE-2024-3596 Case in vince: https://kb.cert.org/vuls/id/456537 ### PoC There is no known proof-of-concept except for the attack shown in the paper from the researchers ### Impact An attacker can trigger an authentication flow with a RADIUS-backed token, intercept the RADIUS packet sent by eduMFA and modify the RADIUS server's answer, which would lead eduMFA to believe that the token is valid, even though the RADIUS servers answer was a reject.

### Impact TinyMCE v6 has a configuration value `convert_unsafe_embeds` set to `false` which allows svg files containing javascript to be used in `<object>` or `<embed>` tags, which can be used as a vector for XSS attacks. Note that `<embed>` tags are not allowed by default. After patching the default value of `convert_unsafe_embeds` will be set to `true`. This means that `<object>` tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved `<object>` tags. Developers can override this configuration if desired to revert to the original behaviour. We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS. ### References: - https://www.silverstripe.org/download/security-releases/ss-2024-001 - https://github.com/advisories/GHSA-5359-pvf2-pw78

### Summary When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. ### Details Package: Steeltoe.Discovery.Eureka Package version: 3.2.1 Branch: "release/3.2" File name: `DiscoveryClient.cs` Line number: 325 Code in question: `_logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` Error message in logs: `FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:[email protected]:443/eureka` I thought `new Uri(clientOptions.EurekaServerServiceUrls)` would throw a `UriFormatException` since there are multiple URLs but my logs are showing two URLs regardless. ### PoC 1. Set Eureka config with multiple server URLs with basic auth 2. Apologies for not being more descriptive fo...