Red Hat Security Advisory 2024-2699-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2699.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git-lfs security updateAdvisory ID:        RHSA-2024:2699-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2699Issue date:         2024-05-06Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: An update for git-lfs is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.Security Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288,VU#421644.3)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-2699-03

The iPhone maker has detected spyware attacks against people in more than 150 countries. Knowing if your device is infected can be tricky—but there are a few steps you can take to protect yourself.

All that needs to happen is, the victim receives an iMessage with an attachment containing a zero-click exploit. “Without any further interaction, the message triggers a vulnerability, leading to code execution for privilege escalation and providing full control over the infected device,” says Boris Larin, principal security researcher at Kaspersky's Global Research & Analysis Team.

Once the attacker establishes their presence on the device, he says, the message is automatically deleted.

**Rise of Pegasus**

The most prominent and well-known spyware is Pegasus, made by Israeli firm NSO Group to target vulnerabilities in iOS and Android software.

Spyware only exists because of vendors such as NSO Group, which claims it sells exploits to governments only to hunt criminals and terrorists. “Any customers, including governments in Europe and North America, agree not to disclose those vulnerabilities,” says Richard Werner, cybersecurity advisor at Trend Micro.

Despite NSO Group’s claims, spyware has continued to target journalists, dissidents, and protesters. Saudi journalist and dissident Jamal Khashoggi’s wife, Hanan Elatr, was allegedly targeted with Pegasus before his death. In 2021, _New York Times_ reporter Ben Hubbard learned his phone had been targeted twice with Pegasus.

Pegasus was silently implanted onto the iPhone of Claude Magnin, the wife of the political activist Naama Asfari, who was jailed and allegedly tortured in Morocco. Pegasus has also been used to target pro-democracy protesters in Thailand, Russian journalist Galina Timchenko, and UK government officials.

In 2021, Apple filed a lawsuit against NSO Group and its parent company to hold it accountable for “the surveillance and targeting of Apple users.”

The case is still ongoing, with NSO Group attempting to dismiss the lawsuit, but experts say the problem is not going to go away as long as spyware vendors are able to operate.

David Ruiz, senior privacy advocate at security firm Malwarebytes, blames “the obsessive and oppressive operators behind spyware, who compound its danger to society.”

**The Spyware Drain**

If you think you may be targeted by spyware, there are only a few useful things you can do. First, enable Apple's Lockdown Mode, which disables certain features but is surprisingly usable and can protect your iPhone from getting infected in the first place. Second, if you suspect your device is already infected, helplines are available to aid you in removing spyware, such as Access Now’s Digital Security Helpline and Amnesty International’s Security Lab.

Detecting spyware can be extremely challenging—and for sophisticated spyware like Pegasus, discovering an infection on your own is all but impossible. There are less-sophisticated types of spyware that can cause unusual behavior, such as your battery draining quickly, unexpected shutdowns, or high data usage could be indicative of some types of infections, says Javvad Malik, lead security awareness advocate at security training organization KnowBe4. While specific apps claim to spot spyware, their effectiveness can vary, and professional assistance is often necessary for reliable detection, he says.

Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know

WordOps through 3.20.0 has a `wo/cli/plugins/stack_pref.py` TOCTOU race condition because the `conf_path` `os.open` does not use a mode parameter during file creation.

**WordOps has TOCTOU race condition**

Moderate severity GitHub Reviewed Published May 6, 2024 to the GitHub Advisory Database • Updated May 6, 2024

GHSA-23qq-p4gq-gc2g: WordOps has TOCTOU race condition

Nebari through 2024.4.1 prints the temporary Keycloak root password.

**Nebari prints temporary Keycloak root password**

Moderate severity GitHub Reviewed Published May 6, 2024 to the GitHub Advisory Database • Updated May 6, 2024

GHSA-vjc4-3vgx-pq9h: Nebari prints temporary Keycloak root password

By Daily Contributors
Is truly offline offline electronic Cash possible? Unlike Bitcoin, experts dig deeper into the technical hurdles of creating software-based cash that works without the internet. Discover why achieving this might be a tougher nut to crack than expected.
This is a post from HackRead.com Read the original post: Fully Offline Electronic Cash: Is It an Intractable Problem?

About a week ago I sat down with Michal Bajor, a senior security engineer at Resonance Security, to discuss things we both consider interesting topics within computing and security.

One problem we discussed was the idea of an ideal offline electronic cash from a purely technical perspective. We chose to ignore all the economic and political issues surrounding replacements Central Banks proposed for physical cash.

This article summarizes some of the things we considered. Unfortunately, I can’t remember exactly who said what, so let’s just attribute everything to both of us.

****Background****

One of the claims made by the European Central Bank about the digital euro, which is meant to be an electronic replacement (sorry, analog) for cash, is that “… it would be available both online and offline.”

This is not a trivial requirement. I don’t think it can be achieved.

Cash, like all physical objects, is strictly bound by the laws of physics. Objects cannot be spontaneously created out of thin air, and _they can only exist in one place at a time_. This much is obvious even to children, but it is a surprisingly useful feature of the real world. If have a five euro note and I give it to a shopkeeper, I no longer own it — it is in the till rather than my wallet.

Making identical copies of physical objects is hard, especially if people have spent centuries adding features to those objects to prevent casual duplication.

Another useful feature of cash is that once it has been issued and distributed, it is decentralized. If I have a five euro note in my wallet, short of a police raid, a mugging, or carelessness on my part, I get to decide when and where I transact with it. That transaction can take place anywhere — in a shop, on my driveway, or even halfway up Mount Everest.

In the digital world, on the other hand, duplication is easy. Despite numerous attempts by the music, film, and software industries using digital rights management and software keys, digital products such as mp3s, video files, and executable binaries continue to be illegally copied and shared.

This ease of copying things results in the “double spend” problem for digital money. How does one make a digital construct behave like a physical object so that only one person can own it at a time?

That is the core problem when designing and implementing offline digital cash.

****Framing the problem****

Before you can meaningfully discuss a problem, you need to be sure that both of you are considering the same issue under the same restrictions, and that means starting with some definitions to ensure that the digital solution has all the important features of paper notes and metal coins, while remaining digital.

****It must be software-based only****

The first is that the electronic cash we are considering should be electronic, not physical. That means it must be implemented in software only, so the code to hold and transact with the electronic cash can be run on standard smartphones and laptops.

This is a significant restriction, but a necessary one. If you start talking about the equivalent of scratch cards with bar codes, RFID cards with balances stored in a secure memory sector, or some kind of esoteric banknote with an embedded chip, then you are no longer talking about the kind of electronic cash Michal and I were considering.

Instead, you’re either just talking about a more complicated kind of physical cash, or you are going to require everyone to trade in their phones for new tamper-proof payment devices that will eventually be hacked.

****It must work when both parties are offline****

The first thing to note is that the payer does not care if the payment goes through or not. If they are buying a coffee, for example, as long as the system is accurate, the payer either ends up with a paid-for coffee, or a free coffee. The payee, on the other hand, is the party most concerned with the payment system working.

If both parties who are transacting are online, then the solution for electronic cash is technically trivial — the payer can submit their payment to the network, and the payee can then check on the network that the payment has been made. We already have such payment systems, both centralized ones (for example, payment processors like PayPal, credit card companies, or banks with their debit cards), and decentralized ones(for example, blockchain systems such as Bitcoin).

If the receiving party is online, then the solution is, similarly, relatively technically trivial. The payer can authorize the transaction offline, and the payee can present the transaction to the system on behalf of the payer, wait for it to be validated and accepted, and then verify that the payment has indeed gone through.

Again, this works in centralized systems, for example, using chip-and-pin and a point-of-sale terminal (provided the terminal is trusted), and in decentralized systems like Bitcoin where a valid digital signature on a transaction acts like a signed cheque.

If the transmitting party is online, then there are also possible solutions. Here’s a simplified explanation of one: if an offline receiver has a list of known validator public keys for a blockchain, then the online payer can submit a payment transaction, and wait until the transaction is signed by one of the validators. The payer can then present the signed transaction to the receiver, which can verify that the transaction signature is valid and made by a known validator, hence proving that the payment is valid.

Just to make it clear: we are looking for a solution that matches the diagram below, in which both the payer and the payee know that the transaction has taken place without a payment network being involved at the point of the transaction.

Note that it is perfectly fine if setting up the offline digital payment involves some online activity before and/or after the transaction takes place. The acid test is whether the two parties can walk out into the forest with no network coverage, transact, and then return to civilization safe in the knowledge that a fair value transfer happened.

****Incomplete solutions********Bitcoin****

Satoshi Nakamoto solved the problem of decentralized cash when connected to a computer network, namely through Bitcoin. In Bitcoin, asymmetric key cryptography is used to provide authentication for transferring digital assets from one person to another, and there is a ledger residing on a multitude of computers communicating with each other through a peer-to-peer network, with the ledger keeping track of exactly who owns what at what time.

With a market capitalization of $1.25 trillion and over a hundred million users, Bitcoin is not a failure. The problem is that Bitcoin doesn’t satisfy the offline requirement. You can present a signed transaction to the payee, but the payee needs to check the Bitcoin ledger to be sure that the payer’s Bitcoin address has enough of a balance to cover the payment.

And so although Bitcoin provides a fully software-based solution, it can only handle “payer is offline” cases at best.

****Ripple’s XPOP****

Ripple has presented another partial solution to offline payments, namely one where the payer is online, and the payee is not, through XPOP. There is a fair amount of misinformation online, claiming that XPOP allows Ripple to conduct fully offline transactions — it doesn’t. Instead, a more complicated version of the “payee is offline” case examined above is used.

Again, we have a fully software-based solution, but it can only handle “payee is offline” or “payer is offline” cases, but not both at the same time.

****Chaumian eCash****

The cryptographer David Chaum has been working on the problem of digital cash for four decades now. Although his eCash 2.0 does work offline, it manages this through the use of scratch cards with erasable bar codes on them. Thus Chaumian eCash 2.0 can manage the fully offline case but fails to meet the requirement of being software-based only.

One of the problems I immediately see with erasable bar-codes is that surveillance cameras are so good these days that a simple spycam videoing the bar code from afar before it is erased would allow a malicious third party to redeem the barcode before the merchant gets home and can do so.

That is without even considering how awkward transactions are, involving:

*   connecting two phones,
*   scratching off a foil covering with a coin (will people even be carrying those), and then
*   licking a Q-tip you happen to have in your pocket and using it to erase the bar code.

****Other partial or failed solutions****

When I posted a video about offline digital cash on LinkedIn and YouTube stating the problem, I received four direct messages within a day, proposing solutions. All of them relied on:

1.  enhancements to physical cash (creating a digital twin in the virtual space and linking them through a bar code or something similar), or
2.  specific locked-down hardware, such as a trusted execution environment

The first solution seems pointless to me, as we can already use the serial numbers on banknotes to track them in databases if we want to, making the proposed improvements no more than part of the effort to reduce counterfeiting.

The second solution comes with a hefty price tag to produce and distribute new hardware to everyone. Perhaps that could be overcome by only issuing devices to people in remote areas with no mobile phone coverage, such as some of the rural counties in the UK, or the Sahara desert.

****Conclusion****

So, I hear you ask, what is the solution? The sad thing is, Michal and I don’t have one. And after thinking about it for a long time, I am left with the sense that truly offline digital cash could be such an intractable problem that proving it is simply not possible may be easier than trying to invent it.

This article was authored and contributed by Keir Finlow-Bates, a passionate blockchain enthusiast and technologist.  

*   What the Bitcoin ETF Approval Mean for the Crypto Market
*   Analyzing Bitcoin Price Trends and Crypto Scalping Methods
*   Exploring the Phenomenal Rise of Ethereum as a Digital Asset
*   Owning Versus Renting – The Circumstances of Web3 Domains

Fully Offline Electronic Cash: Is It an Intractable Problem?

Component Server in Gradio before 4.13 does not properly consider` _is_server_fn` for functions.

**Gradio's Component Server does not properly consider\` \_is\_server\_fn\` for functions**

Moderate severity GitHub Reviewed Published May 5, 2024 to the GitHub Advisory Database • Updated May 6, 2024

GHSA-34rf-p3r3-58x2: Gradio's Component Server does not properly consider` _is_server_fn` for functions

btcd before 0.24.0 does not correctly implement the consensus rules outlined in BIP 68 and BIP 112, making it susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.

**btcd susceptible to consensus failures**

Moderate severity GitHub Reviewed Published May 5, 2024 to the GitHub Advisory Database • Updated May 6, 2024

GHSA-3jgf-r68h-xfqm: btcd susceptible to consensus failures

`OFPGroupDescStats` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `OFPBucket.len=0`.

**Ryu Infinite Loop vulnerability**

Moderate severity GitHub Reviewed Published May 5, 2024 to the GitHub Advisory Database • Updated May 6, 2024

GHSA-7hmm-wg23-2w7m: Ryu Infinite Loop vulnerability

`OFPFlowStats` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `inst.length=0`.

GHSA-m9vm-8mv9-v5v3: Ryu Infinite Loop vulnerability

`OFPBucket` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `action.len=0`.

Tag

#git