#git

Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. The fix is tracked in https://github.com/vyperlang/vyper/pull/4488. ### Vulnerability Details Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). ```python def _parse_For_list(self): with self.context.range_scope(): ...

Vyper's `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. the fix is tracked in https://github.com/vyperlang/vyper/pull/4486 ### Vulnerability Details Vyper injects the following code to handle calculation of decimal sqrt. x is the input provided by user. ```python assert x >= 0.0 z: decimal = 0.0 if x == 0.0: z = 0.0 else: z = x / 2.0 + 0.5 y: decimal = x for i: uint256 in range(256): if z == y: break y = z z = (x / z + z) / 2.0 ``` Notably, the terminal condition of the algorithm is either `z_cur == z_prev`, or the algorithm runs for 256 rounds. However, for certain inputs, `z` might actually oscillate between `N` and `N + epsilon`, where `N ** 2 <= x < (N + epsilon) ** 2`. This means that the current behavior does not define whether it will round up or down to the nearest...

Due to improper cache control an attacker can view sensitive information even if they are not logged into the account anymore. Additional Information: 1.The issue was identified during routine security testing. 2.This vulnerability poses a significant risk to user privacy and data security. 3.Urgent action is recommended to mitigate this vulnerability and protect user data from unauthorized access.

### Summary A host header injection vulnerability has been identified in the user details viewing functionality of the system. This vulnerability allows an attacker to manipulate the host header in HTTP requests, thereby gaining unauthorized access to view details of other users.

### Impact An authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. ### Patches This problem has been patched and exists in versions 1.49.1 and below ### Workarounds On S3 backends, configure ```yaml # ... blockstore: s3: disable_pre_signed_multipart: true ``` or set environment variable `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART` to `true`. ### References _Are there any links users can visit to find out more?_

### Impact A maliciously crafted QPY file containing a malformed `symengine` serialization stream as part of the larger QPY serialization of a `ParameterExpression` object can cause a segfault within the `symengine` library, allowing an attacker to terminate the hosting process deserializing the QPY payload. ### Patches This issue is addressed in 1.3.0 when using QPY format version 13. QPY format versions 10, 11, and 12 are all still inherently vulnerable if they are using symengine symbolic encoding and `symengine <= 0.13.0` is installed in the deserializing environment (as of publishing there is no newer compatible release of symengine available). Using QPY 13 is strongly recommended for this reason. The symengine 0.14.0 release has addressed the segfault issue, but it is backward incompatible and will not work with any Qiskit release; it also prevents loading a payload generated with any other version of symengine. Using QPY 13 is strongly recommended for this reason. It is als...

In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from…

The cybersecurity lead for VA.gov was fired last week. He tells WIRED that the Veterans Affairs digital hub will be more vulnerable without someone in his role.

Healthcare security is failing patients time and again. This week DM Clinical Research and Helath Net Federal Services take the spotlight

The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform appear to be readying a new version that allows prospective customers and cyber crooks to clone any brand's legitimate website and create a phishing version, further bringing down the technical expertise required to pull off phishing attacks at scale. The latest iteration of the phishing suite "represents a significant