#auth

Kortex version 1.0 suffers from an insecure direct object reference vulnerability.

Red Hat Security Advisory 2024-5312-03 - An update for krb5 is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2024-5309-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.

Privacy watchdog NOYB has filed complaints against X for using social media data to train its AI chatbot Grok.

Please don’t, actually. But do update your Shimano Di2 shifters’ software to prevent a new radio-based form of cycling sabotage.

Ivanti has rolled out security updates for a critical flaw in Virtual Traffic Manager (vTM) that could be exploited to achieve an authentication bypass and create rogue administrative users. The vulnerability, tracked as CVE-2024-7593, has a CVSS score of 9.8 out of a maximum of 10.0. "Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2

# Microsoft Security Advisory CVE-2024-38168 | .NET Denial of Service Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET when an attacker through unauthenticated requests may trigger a Denial of Service in ASP.NET HTTP.sys web server. This is a windows OS only vulnerability. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/320 ## <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 8.0 application running on .NET 8.0.7 or earlier. ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any M...

The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP.

### Summary The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. ### Details https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/9128a9258fe1fee36f198f97b1e3371fc7b77a93/extension/bearertokenauthextension/bearertokenauth.go#L189-L196 For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/. ### Impact This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. ### Fix The observable timing vulnerability was fixed by @axw in v0.107.0 (PR https://github.com/open-telemetry/opentelemetry-collector-c...

Ubuntu Security Notice 6954-1 - Markus Frank and Fiona Ebner discovered that QEMU did not properly handle certain memory operations, leading to a NULL pointer dereference. An authenticated user could potentially use this issue to cause a denial of service. Xiao Lei discovered that QEMU did not properly handle certain memory operations when specific features were enabled, which could lead to a stack overflow. An attacker could potentially use this issue to leak sensitive information.