Latest News

### Impact It’s possible for authenticated users to enumerate clusters by name by inspecting error messages: ``` $ curl -k 'https://localhost:8080/api/v1/clusters/in-cluster?id.type=name' -H "Authorization: Bearer $token" {"error":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z","code":7,"message":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z"}⏎ $ curl -k 'https://localhost:8080/api/v1/clusters/does-not-exist?id.type=name' -H "Authorizati on: Bearer $token" {"error":"permission denied","code":7,"message":"permission denied"} ``` It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. ``` curl -k 'https://localhost:8080/api/v1/clusters/in-cluster-project?id.type=name' -H "Authorization: Bearer $token" {"error":"permission denied: clusters, get, default/, sub: alice, iat: 2022-11-04T20:25:44Z","co...

Ubuntu Security Notice 6567-2 - USN-6567-1 fixed vulnerabilities QEMU. The fix for CVE-2023-2861 was too restrictive and introduced a behavior change leading to a regression in certain environments. This update fixes the problem. Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service. Various other issues were also addressed.

Red Hat Security Advisory 2024-3701-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-3685-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-3683-03 - Red Hat OpenShift Service Mesh Containers for 2.5.2.

Red Hat Security Advisory 2024-3680-03 - Red Hat OpenShift Service Mesh Containers for 2.4.8. Issues addressed include a denial of service vulnerability.

Debian Linux Security Advisory 5704-1 - Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service or the execution of arbitrary code if malformed images are processed.

Ubuntu Security Notice 6809-1 - It was discovered that BlueZ could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. It was discovered that BlueZ could be made to write out of bounds. If a user were tricked into connecting to a malicious device, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

Ubuntu Security Notice 6812-1 - It was discovered that the Hotspot component of OpenJDK 17 incorrectly handled certain exceptions with specially crafted long messages. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK 17 incorrectly performed reverse DNS query under certain circumstances in the Networking/HTTP client component. An attacker could possibly use this issue to obtain sensitive information.

Ubuntu Security Notice 6811-1 - It was discovered that the Hotspot component of OpenJDK 11 incorrectly handled certain exceptions with specially crafted long messages. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK 11 incorrectly performed reverse DNS query under certain circumstances in the Networking/HTTP client component. An attacker could possibly use this issue to obtain sensitive information.