lenovo warranty check/lookup | check warranty status | lenovo support us

A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.

Zero day exploit for Nehelper Wifi Info on iOS 15.0. XPC endpoint com.apple.nehelper accepts user-supplied parameter sdk-version, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped. This makes it possible for any qualifying application (e.g. possessing location access authorization) to gain access to Wifi information without the required entitlement. This happens in -[NEHelperWiFiInfoManager checkIfEntitled:] in /usr/libexec/nehelper.

### Impact The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS. Previously dotfiles (eg. `$HOME/.ssh/`) were not implicitly allowed by the glob wildcard scopes (eg. `$HOME/*`), but a regression was introduced when a configuration option for this behavior was implemented and dotfiles were implicitly allowed. Only Tauri applications using wildcard scopes in the `fs` endpoint are affected. Only macOS and Linux systems are affected. ### Patches The regression has been patched on `v1.4.1`. ### Workarounds There are no known workarounds at this time, users should update to `v1.4.1` immediately. ### References See the [original advisory](https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5) for more information. ### For more Information If you have any questions or comments about this advisory: Open an issue in tauri Email us at [[email protected]](mailto:[email protected])

### Summary DNS rebinding is a method of manipulating resolution of domain names to let the initial DNS query hits an address and the second hits another one. For instance the host `make-190.119.176.200-rebind-127.0.0.1-rr.1u.ms` would be initially resolved to `190.119.176.200` and the next DNS issue to `127.0.0.1`. Please notice the following in the latest codebase: ```python def is_private_url(url: str): """ Raises exception if url is private :param url: url to check """ hostname = urlparse(url).hostname if not hostname: # Unable to find hostname in url return True ip = socket.gethostbyname(hostname) return ipaddress.ip_address(ip).is_private ``` As you can see, during the call to `is_private_url()` the initial DNS query would be issued by `ip = socket.gethostbyname(hostname)` to an IP (public one) and then due to DNS Rebinding, the next GET request would goes to the private one. ### PoC ```python from flask import Flask, requ...

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

Server-Side Request Forgery (SSRF) in NPM @peertube/embed-api prior to Not released yet.

GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch for this issue.

The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check.

ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. Due to the use of a hardcoded cryptographic key, an attacker is able to decrypt encrypted data and retrieve sensitive information.