lenovo warranty check/lookup | check warranty status | lenovo support us

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.

Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7692: PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enou...

The FBI and CISA are warning citizens of attempts to convince voters that US election infrastructure has been compromised. (It hasn't been.)

A null pointer dereference was found in libpano13, version libpano13-2.9.20. The flow allows attackers to cause a denial of service and potential code execute via a crafted file.

This report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol. Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer. This attack has been demonstrated against the ...

## Impact There is a potential vulnerability in Traefik managing the TLS connections. A router configured with a not well-formatted [TLSOption](https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options) is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. ## Patches https://github.com/traefik/traefik/releases/tag/v2.9.6 ## Workarounds Check the logs to detect the following error messages and fix your TLS options: - Empty CA: ``` {"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"} ``` - Bad CA content (or bad path): ``` {"level":"error","msg":"invalid certificate(s) content","routerName":"Router0@file"} ``` - Unknown Client Auth Type: ``` {"level":"error","msg":"unknown client auth type \"FooClientAuthType\"","routerName":"Router0@file"} ``` - Invalid cipherSuites ``` {"level":"error...

The privilege escalation is based on a missing check if the user is authenticated based on the `TokenReview` result. All the clusters running with the `anonymous-auth` Kubernetes API Server setting disable (set to `false`) are affected since it would be possible to bypass the token review mechanism, interacting with the upper Kubernetes API Server. # PoC Start a KinD cluster with the `anonymous-auth` value to `false`. If it is true, it uses anonymous permissions which are very limited by default ```yaml kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane kubeadmConfigPatches: - | kind: ClusterConfiguration apiServer: extraArgs: anonymous-auth: "false" ``` Install `capsule` and `capsule-proxy` ``` k port-forward svc/capsule-proxy 9001 Forwarding from 127.0.0.1:9001 -> 9001 Forwarding from [::1]:9001 -> 9001 Handling connection for 9001 ``` Then query the proxy ``` curl -g -k -H 'Authorization: Bearer f' -X 'GET' 'http...

Categories: Business See how our new offering Malwarebytes Security for Business helps you crush mobile malware and phishing attacks. (Read more...) The post Introducing Malwarebytes Mobile Security for Business: How to find malware and stop phishing attacks on smartphones and ChromeOS appeared first on Malwarebytes Labs.

By Waqas E-Root marketplace had its domain seized in 2020. This is a post from HackRead.com Read the original post: E-Root Marketplace Admin Extradited to US on Computer Fraud Charge

Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. Users are advised to upgrade to version 2.9.6. Users unable to upgrade should check their logs to detect the error messages and fix your TLS options.