#auth

Red Hat Security Advisory 2024-2004-03 - An update for kernel is now available for Red Hat Enterprise Linux 7. Issues addressed include null pointer and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-2003-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Issues addressed include null pointer and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-1998-03 - An update for libreswan is available for Red Hat Enterprise Linux 8.

A state-sponsored hacking team employed a clever masquerade and elaborate back-end infrastructure as part of a five-year info-stealing campaign that compromised the US State and Treasury Departments, and hundreds of thousands of accounts overall.

Attacks increased by "only" 19% last year. But that number is expected to grow significently.

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data.

By Waqas Popular keyboard apps leak user data! Citizen Lab reports 8 out of 9 Android IMEs expose keystrokes. Change yours & protect passwords! This is a post from HackRead.com Read the original post: Popular Keyboard Apps Leak User Data: Billion Potentially Exposed

### Impact A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in how the auth chain cover index is calculated. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. ### Patches Server administrators should upgrade to 1.105.1 or later. ### Workarounds One can: - ban the malicious users or ACL block servers from the rooms; and/or - leave the room and purge the room using the admin API ### For more information If you have any questions or comments about this advisory, please email us at [security AT element.io](mailto:[email protected]).

### SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`) **Please note, only authorized and admin role users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability** `CompiledRule::validateExpression` is also called from [`PolicyRepository.prepare`](https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/PolicyRepository.java#L113) ```java @Override public void prepare(Policy policy, boolean update) { validateRules(policy); } ... public void validateRules(Policy policy) { List<Rule> rules = policy.getRules(); if (nullOrEmpty(rules)) { throw new IllegalArgumentException(CatalogExceptionMessage.EMPTY_RULES_IN_POLICY); } // Validate all the expressions in the rule for (Rule rule : rules) { CompiledRule.validateExpression(rule.getCondition(), Boolean.class); rule.getResources...