lenovo warranty check/lookup | check warranty status | lenovo support us

Ubuntu Security Notice 6495-2 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Manfred Rudigier discovered that the Intel PCI-Express Gigabit Ethernet driver in the Linux kernel did not properly validate received frames that are larger than the set MTU size, leading to a buffer overflow vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.

An Improperly Implemented Security Check for Standard vulnerability in storm control of Juniper Networks Junos OS QFX5k devices allows packets to be punted to ARP queue causing a l2 loop resulting in a DDOS violations and DDOS syslog. This issue is triggered when Storm control is enabled and ICMPv6 packets are present on device. This issue affects Juniper Networks: Junos OS * All versions prior to 20.2R3-S6 on QFX5k; * 20.3 versions prior to 20.3R3-S5 on QFX5k; * 20.4 versions prior to 20.4R3-S5 on QFX5k; * 21.1 versions prior to 21.1R3-S4 on QFX5k; * 21.2 versions prior to 21.2R3-S3 on QFX5k; * 21.3 versions prior to 21.3R3-S2 on QFX5k; * 21.4 versions prior to 21.4R3 on QFX5k; * 22.1 versions prior to 22.1R3 on QFX5k; * 22.2 versions prior to 22.2R2 on QFX5k.

Security experts weigh in on the problem Salt Typhoon and its hacking of telecoms poses against the United States, including what the US should do and how defenders can protect themselves.

### Impact **What kind of vulnerability is it? Who is impacted?** This vulnerability is a **data validation issue** in the Gradio `Dropdown` component's pre-processing step. Even if the `allow_custom_value` parameter is set to `False`, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user's machine. ### Patches Yes, this issue is addressed in `gradio>=5.0`. Please upgrade to the latest version to resolve the problem. ### Workarounds **Is there a way for users to fix or remediate the vulnerability without upgrading?** To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing th...

### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details - base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`) - content of non-allowed files is exposed using `?raw?import` `/@fs/` isn't needed to reproduce the issue for files inside the project root. ### PoC Original report (check details above for simplified cases): The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice ``` $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev ``` Example full URL `http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init`

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

By cybernewswire Tel Aviv, Israel, April 10th, 2024, CyberNewsWire Cyber GRC software company Cypago has announced a new automation solution… This is a post from HackRead.com Read the original post: Cypago Announces New Automation Support for AI Security and Governance

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to versions 3.8 and was fixed in versions 3.7.7, 3.6.10, 3.5.14, and 3.4.17. This vulnerability was reported via the GitHub Bug Bounty program.

Have you been scammed online? Here are some tips to limit the damage and follow up steps you may find useful

Debian Linux Security Advisory 5750-1 - Support for the "strict kex" SSH extension has been backported to AsyncSSH (a Python implementation of the SSHv2 protocol) as hardening against the Terrapin attack.