An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users having common/security write privilege can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server.

CVE-2023-47444: Static Code Injections in OpenCart (CVE-2023-47444)

By Waqas
Chinese scammers have been creating cloned versions of legitimate websites, redirecting visitors to gambling sites.
This is a post from HackRead.com Read the original post: Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

The large-scale scam campaign has been ongoing for at least two years, and the cloned websites are still operational.

Online gambling is a booming industry, and the Asia-Pacific region has become the hub of gambling in the world, with China and India leading the way. However, this unexpected rise has led to a sharp incline in illegal activities such as money laundering, online scams, and fraud.

In October 2023, Hackread reported a scam campaign discovered by CloudSEK involving Chinese scammers targeting the Indian digital payment system using illegal instant loan apps. Now, an even bigger scam has come to the fore.

According to Qurium Media, a Swedish nonprofit provider of digital security solutions, Chinese scammers have been creating cloned versions of legitimate websites, redirecting visitors to gambling sites.

It all began when MindaNews discovered a Chinese clone of their website and promptly notified Qurium. For context, MindaNews is a Philippine newspaper headquartered in Davao City and serves as the news outlet for the Mindanao Institute of Journalism.

MindaNews’ clone (mmart-inn.com) was registered in China. It had been replicating the newspaper’s content (news, photos, opinion pieces) illegally after translating it into Chinese for the past two years, the most recent translation being of content from February 2023.

Original MindaNews website (left) – Fake MindaNews website (right) – (Credit: Qurium)

“Some MindaNews authors were retained in their English names, while others were translated into Chinese. However, in general, the content is the same when translated to English,” explained MindaNews in its blog post.

The company dug deeper and found more than 500 cloned websites, many of which were of academic institutions, and all were promoting gambling services based in China. 

It is important to note that in August 2023, the Chinese APT group Bronze Starlight was reported to be using stolen Ivacy VPN certificates to sign malware targeting the Southeast Asian gambling sector. However, as of now, it remains unclear if that attack campaign was related to the ongoing website cloning attack.

The cloned websites were hosted on two /24 networks operated by the US-based, Eonix Corporation-owned ServerHub and included websites from public libraries, universities, and private businesses.

All the clones were created in September 2021 and promoted a gambling platform called ‘188bet’ (520xingyun.com/from/188bet.php) through advertisements.

These ads contained a physical address in the Isle of Man, where many other gambling firms (including Kaiyun, BetVictor, Raybet, or Manbetx) were already registered. A website 520xingyun{.}com was hosting a large number of such ads.

Moreover, all the companies were registered in July 2021 through the domain registrar Gname.com Pte. LTD, employing a white-label partnership with TGP Europe and Cube Limited. Both Cube Limited and 188bet have affiliations with the Isle of Man.

These companies served as intermediaries from Asian gaming partners. Further probing revealed that TGP Europe was based in the UK and was found guilty of social responsibility failures and anti-money laundering.

Campaign overview (Credit: Qurium)

According to Qurium’s report, Gname was involved in different WIPO cases of domains used for ads. It is worth noting that 188bet has officers in Makati, Philippines, which is a standard practice. 

> _“These Chinese gambling companies are often headquartered in nearby nations like Vietnam and the Philippines due to the fact that gambling is banned in China.”_
> 
> Qurium

So far, ServerHub has not taken any action against the client for cloning hundreds of websites, as it is still investigating the claims. As the report develops, Hackread.com will monitor the situation and provide updates to readers accordingly.

****_RELATED ARTICLES_****

1.  **Domain Squatting and Brand Hijacking: A Silent Threat**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Chinese APT spying on Vietnam military with FoundCore RAT**
4.  **Hackers attack Casino’s fish tank thermometer to obtain data**
5.  **ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store**

Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

The new generation of hardware authentication key includes support for cryptographic passkeys as Google pushes adoption of the more secure login alternative.

Passwords are a woefully insecure—and frustrating—authentication technology, but after decades of digital use, they’re ubiquitous. Recently, though, the global tech industry has been working to promote a simpler and more secure alternative known as passkeys. Along with its other initiatives to champion the login tech, Google announced today that it is launching a new version of its Titan hardware authentication keys that can store passkeys directly on the device.

For most people on most accounts, passkeys are managed directly from a smartphone or laptop. But for anyone seeking an alternative, either because they prefer a stand-alone key for ease of use or because they want maximum security separation, storing passkeys on a hardware token is a valuable option. The new Titan keys are available now and can store more than 250 unique passkeys. They are replacing Google’s existing USB-A and USB-C Titan devices.

“We’re excited about the potential of passkeys, but know there’s no security silver bullet for everyone,” Google wrote in a blog post published today. “Some people require a solution not dependent on smartphones or use devices that don’t support passkeys—everyone has different approaches to security, but we all share one goal: stop attacks. That’s why we intentionally designed the latest Titan Security Keys to encompass the secure cryptography of passkeys on a portable piece of hardware.”

As part of setting up a passkey for a Google account on a Titan device, users will be prompted to create a PIN code that they’ll enter, along with producing the security key to log in.

As part of its announcement at the Aspen Cyber Summit in New York City today, Google also said that in 2024 it will give 100,000 of the new Titan keys to high-risk individuals around the world. The effort is part of Google’s Advanced Protection Program, which offers vulnerable users expanded account monitoring and threat protection. The company has given away Titan keys through the program in the past, and today it cited the rise of phishing attacks and upcoming global elections as two examples of the need to continue expanding the use of secure authentication methods like passkeys.

Hardware authentication tokens have unique protective benefits because they are siloed, stand-alone devices. But they still need to be rigorously secured to ensure they don’t introduce a different point of weakness. And as with any product, they can have vulnerabilities. In 2019, for example, Google recalled and replaced its Titan BLE-branded security key because of a flaw in its Bluetooth implementation.

When it comes to the new Titan generation, Google tells WIRED that, as with all of its products, it conducted an extensive internal security review on the devices and it also contracted with two external auditors, NCC Group and Ninja Labs, to conduct independent assessments of the new key.

Google’s New Titan Security Key Adds Another Piece to the Password-Killing Puzzle

By Waqas
Domain squatting can lead you to malicious websites, and it might be too late to realize what actually happened.
This is a post from HackRead.com Read the original post: Domain Squatting and Brand Hijacking: A Silent Threat to Digital Enterprises

While domain squatting opens the door to brand hijacking, it also exposes unsuspecting users and businesses to critical cybersecurity threats including phishing and malware attacks.

Domain squatting, often known as cybersquatting, involves the registration or use of a domain name to profit from a trademark belonging to someone else. For instance, a squatter might register a misspelt version of a well-known brand’s URL to misdirect their traffic – For instance, It is Google.com, not ɢoogle.com.

Similarly, brand hijacking is a form of online piracy in which an entity masquerades as a reputable brand to deceive its audience, damaging brand credibility and customer trust. According to Mimecast’s 2022 report on email security, 46% of the businesses it surveyed reported a rise in online brand spoofing and impersonation, with an average of ten incidents in 2021.

In this article, we’ll dissect these digital threats and explore strategies businesses can adopt to combat domain squatting and brand hijacking, safeguarding their online reputation.

**Understanding Domain Squatting and Brand Hijacking**

Domain squatting entails registering or buying domain names that are strikingly similar to a popular brand, intending to profit from their trademark. The squatter can create a website that visually mimics the legitimate brand’s site or can simply sit on the domain, hoping to sell it back to the rightful owner for a hefty price.

On the other hand, brand hijacking is a more deceptive practice. It involves the impersonation of a legitimate brand online to dupe users into believing they are interacting with a genuine brand. This could include creating cloned websites, leveraging phishing emails, or even exploiting social media.

Interestingly, these two practices often intersect. A domain squatter might employ brand hijacking by creating a spoofed website on the squatted domain. This synergistic exploitation escalates the damage, with the potential to tarnish the brand’s image, manipulate its customers, and eventually damage its revenue.

****The Impact of Domain Squatting and Brand Hijacking on Businesses****

The repercussions of domain squatting and brand hijacking are far-reaching and deeply damaging for businesses. Domain squatting diverts potential customers to counterfeit sites, causing a significant loss of business.

Moreover, it can inflict severe damage to a brand’s reputation as customers often struggle to differentiate between the authentic website and the squatted domain. Companies are forced to spend extensively on damage control and may also experience a drop in their SEO ranking due to the diluted web traffic.

Brand hijacking is an even greater threat, causing not only an immediate loss of customer trust but also a significant revenue dip. The legal costs associated with fighting these digital imposters can be hefty. Additionally, such attacks may lead to data theft and security breaches, increasing the potential financial burden.

These fraudulent practices can cause severe brand dilution, leading to loss of trust, which is critical for brand loyalty and growth. As Amber Johanson, Mimecast’s SVP of Global Sales Engineering, stated in an interview, “While it can take years to build strong levels of trust among your customer base, that connection can be destroyed in a matter of seconds by a single spoofed email.”

****Fighting Against Domain Squatting and Brand Hijacking****

Here are some strategies and preventive measures that businesses can rely on to prevent or limit the damage caused by these attacks:

Domain Authority, or DA, is a predictive measure by Moz that suggests a website’s likelihood of ranking on search engine results pages (SERPs). It takes into account several factors such as website age, and the quality and quantity of inbound and outbound links.

On the other hand, a backlink profile is a comprehensive catalogue of all the sites that direct web traffic back to your website, essentially serving as an indicator of your website’s credibility and influence.

Keeping an eye on these key factors is crucial, as any unanticipated shifts in DA or an upsurge of low-quality or unrelated backlinks could be warning signs of an imminent brand hijacking.

Moz, a well-known SEO tool, provides in-depth tools that enable businesses to scrutinize these vital metrics meticulously. By offering features such as DA measurement and comprehensive backlink analysis, Moz equips businesses with the necessary insights to constantly monitor the well-being of their websites.

Source: Moz

This enables quick identification and rectification of any aberrations brought on by possible hijacking or squatting attempts, thereby preserving the integrity of the brand’s online presence.

****2\. Getting Digitally Certified****

Digital certification or authentication is the process of validating the legitimacy of your brand’s online assets. In an era where mimicry is increasingly rampant, having verified digital credentials can help distinguish your brand from counterfeit replicas, instilling a sense of trust among your customers.

In the context of domain squatting and brand hijacking, getting digitally certified can serve as a proactive security measure. It equips your brand with an authenticated digital identity, which is not only difficult for hijackers to replicate but also easy for your customers to recognize.

Memcyco, a real-time website impersonation platform, offers brand protection solutions for businesses to protect themselves from impersonation attacks. Their suite of offerings includes real-time monitoring and alerting against website impersonation attempts, and warnings for customers when they unknowingly access fraudulent versions of a brand’s website.

Source: Memcyco

When it comes to digital authentication, Memcyco provides a digital watermark that reassures visitors of the site’s genuineness, fostering trust and safety. 

By investing in such preventive measures, your brand can keep a step ahead of fraudsters, fortifying its digital presence against the threats of hijacking and squatting.

****3\. Brand Monitoring****

Brand monitoring, in essence, is the continuous surveillance of your brand’s online presence to identify and respond to unauthorized brand mentions, feedback, and possible threats. This involves tracking social media interactions, online reviews, blog posts, and various other digital touchpoints to gain insights into your brand’s image.

This process helps you promptly identify unauthorized uses of your brand name or logo, counterfeit websites, or illegitimate advertisements. Doing so, enables you to respond swiftly and potentially prevent these impersonation attempts from causing significant damage to your reputation or customer trust.

****4\. Educating Your Audience****

In the battle against domain squatting and brand hijacking, consumer education can be your most potent weapon. By educating your customers to distinguish between, or to even be aware of, your authentic digital assets and fraudulent replicas, you can significantly reduce the efficacy of such cyber attacks.

Document360, a knowledge base management software, allows you to create and manage a custom knowledge base where you can share essential information about your brand and provide educational content on how to identify and report potential fraud attempts.

Source: Document360

It supports a variety of formats, including FAQs, tutorials, and guides, providing an interactive platform for your audience to learn and stay updated. This proactive step can significantly help in maintaining your brand’s integrity and customer trust.

**5\. Developing a Robust PR Strategy**

The significance of a well-planned public relations (PR) strategy can’t be understated when it comes to fortifying your brand identity and fostering trust among your audience. It allows you to maintain a consistent brand narrative and showcase your brand’s values, which in turn builds credibility and rapport with your audience. 

An effective PR strategy consistently communicates your brand’s true message and spreads awareness about the precautions taken to safeguard customer information, keeping your audience informed and alert. This can substantially reduce the chances of them falling prey to fraudulent attempts that impersonate your brand.

****6\. Taking Legal Actions****

Understanding and staying up-to-date with applicable laws is an effective strategy to combat domain squatting and brand hijacking. One such key legislation is the U.S. Anticybersquatting Consumer Protection Act (ACPA) from 1999. This law grants rights to trademark owners, enabling them to bring a lawsuit in federal court against parties who maliciously register or use a domain name mirroring their brand.

Essentially, ACPA addresses those bad actors who exploit trademarks with a calculated intention to profit through registering, using, or trading domain names that could be mistaken for established or well-known brands.

****Wrapping up****

The menace of domain squatting and brand hijacking significantly undermines the stability of businesses by attacking their brand reputation and customer confidence. The first line of defence lies in comprehending the intricacies of these unscrupulous practices and their subsequent effects.

By integrating the above-mentioned measures into your cybersecurity strategy, you can secure your digital assets and decisively counter the stealthy peril of domain squatting and brand hijacking.

Domain Squatting and Brand Hijacking: A Silent Threat to Digital Enterprises


This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service.



CVE-2023-34982

Red Hat Security Advisory 2023-7213-01 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7213.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: squid:4 security updateAdvisory ID:        RHSA-2023:7213-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7213Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2023-46846====================================================================Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: Denial of Service in HTTP Digest Authentication (CVE-2023-46847)* squid: Request/Response smuggling in HTTP/1.1 and ICAP (CVE-2023-46846)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-46846References:https://access.redhat.com/security/updates/classification/#criticalhttps://bugzilla.redhat.com/show_bug.cgi?id=2245910https://bugzilla.redhat.com/show_bug.cgi?id=2245916

Red Hat Security Advisory 2023-7213-01

Red Hat Security Advisory 2023-7160-01 - An update for opensc is now available for Red Hat Enterprise Linux 8.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7160.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: opensc security and bug fix updateAdvisory ID:        RHSA-2023:7160-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7160Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2023-2977====================================================================Summary: An update for opensc is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.Security Fix(es):* opensc: buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package (CVE-2023-2977)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-2977References:https://access.redhat.com/security/updates/classification/#lowhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.9_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2097048https://bugzilla.redhat.com/show_bug.cgi?id=2196234https://bugzilla.redhat.com/show_bug.cgi?id=2211088

Red Hat Security Advisory 2023-7160-01

Red Hat Security Advisory 2023-7139-01 - An update for samba, evolution-mapi, and openchangeis now available for Red Hat Enterprise Linux 8. Issues addressed include out of bounds read and path disclosure vulnerabilities.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7139.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: samba security, bug fix, and enhancement updateAdvisory ID:        RHSA-2023:7139-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7139Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2022-2127====================================================================Summary: An update for samba, evolution-mapi, and openchangeis now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.The following packages have been upgraded to a later upstream version: samba (4.18.6). (BZ#2190417)Security Fix(es):* samba: out-of-bounds read in winbind AUTH_CRAP (CVE-2022-2127)* samba: infinite loop in mdssvc RPC service for spotlight (CVE-2023-34966)* samba: type confusion in mdssvc RPC service for spotlight (CVE-2023-34967)* samba: spotlight server-side share path disclosure (CVE-2023-34968)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-2127References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.9_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2175385https://bugzilla.redhat.com/show_bug.cgi?id=2190417https://bugzilla.redhat.com/show_bug.cgi?id=2218237https://bugzilla.redhat.com/show_bug.cgi?id=2221594https://bugzilla.redhat.com/show_bug.cgi?id=2221600https://bugzilla.redhat.com/show_bug.cgi?id=2222791https://bugzilla.redhat.com/show_bug.cgi?id=2222793https://bugzilla.redhat.com/show_bug.cgi?id=2222794https://bugzilla.redhat.com/show_bug.cgi?id=2222795https://bugzilla.redhat.com/show_bug.cgi?id=2222884https://bugzilla.redhat.com/show_bug.cgi?id=2232564

Red Hat Security Advisory 2023-7139-01

Red Hat Security Advisory 2023-7096-01 - An update for python-cryptography is now available for Red Hat Enterprise Linux 8.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7096.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-cryptography security updateAdvisory ID:        RHSA-2023:7096-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7096Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2023-23931====================================================================Summary: An update for python-cryptography is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-cryptography packages contain a Python Cryptographic Authority's (PyCA's) cryptography library, which provides cryptographic primitives and recipes to Python developers.Security Fix(es):* python-cryptography: memory corruption via immutable objects (CVE-2023-23931)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-23931References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.9_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2171817https://bugzilla.redhat.com/show_bug.cgi?id=2172404

Red Hat Security Advisory 2023-7096-01

Ubuntu Security Notice 6473-2 - USN-6473-1 fixed vulnerabilities in urllib3. This update provides the corresponding updates for the urllib3 module bundled into pip. It was discovered that urllib3 didn't strip HTTP Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6473-2  
November 15, 2023

python-pip vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in pip.

Software Description:  
- python-pip: Python package installer

Details:

USN-6473-1 fixed vulnerabilities in urllib3. This update provides the  
corresponding updates for the urllib3 module bundled into pip.

Original advisory details:

  It was discovered that urllib3 didn't strip HTTP Authorization header  
  on cross-origin redirects. A remote attacker could possibly use this  
  issue to obtain sensitive information. This issue only affected  
  Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-25091)

  It was discovered that urllib3 didn't strip HTTP Cookie header on  
  cross-origin redirects. A remote attacker could possibly use this  
  issue to obtain sensitive information. (CVE-2023-43804)

  It was discovered that urllib3 didn't strip HTTP body on status code  
  303 redirects under certain circumstances. A remote attacker could  
  possibly use this issue to obtain sensitive information. (CVE-2023-45803)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   python3-pip                     23.2+dfsg-1ubuntu0.1  
   python3-pip-whl                 23.2+dfsg-1ubuntu0.1

Ubuntu 23.04:  
   python3-pip                     23.0.1+dfsg-1ubuntu0.2  
   python3-pip-whl                 23.0.1+dfsg-1ubuntu0.2

Ubuntu 22.04 LTS:  
   python3-pip                     22.0.2+dfsg-1ubuntu0.4  
   python3-pip-whl                 22.0.2+dfsg-1ubuntu0.4

Ubuntu 20.04 LTS:  
   python-pip-whl                  20.0.2-5ubuntu1.10  
   python3-pip                     20.0.2-5ubuntu1.10

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   python-pip                      9.0.1-2.3~ubuntu1.18.04.8+esm2  
   python-pip-whl                  9.0.1-2.3~ubuntu1.18.04.8+esm2  
   python3-pip                     9.0.1-2.3~ubuntu1.18.04.8+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   python-pip                      8.1.1-2ubuntu0.6+esm6  
   python-pip-whl                  8.1.1-2ubuntu0.6+esm6  
   python3-pip                     8.1.1-2ubuntu0.6+esm6

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6473-2  
   https://ubuntu.com/security/notices/USN-6473-1  
   CVE-2018-25091, CVE-2023-43804, CVE-2023-45803

Package Information:  
https://launchpad.net/ubuntu/+source/python-pip/23.2+dfsg-1ubuntu0.1  
https://launchpad.net/ubuntu/+source/python-pip/23.0.1+dfsg-1ubuntu0.2  
https://launchpad.net/ubuntu/+source/python-pip/22.0.2+dfsg-1ubuntu0.4  
https://launchpad.net/ubuntu/+source/python-pip/20.0.2-5ubuntu1.10

Tag

#auth