GHSA-5vgj-ggm4-fg62: pdoc embeds link to malicious CDN if math mode is enabled

### Impact

Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. Users who produce documentation with math mode should update immediately. All other users are unaffected.

### Patches

This issue has been fixed in pdoc 14.5.1.

### References

- https://github.com/mitmproxy/pdoc/pull/703
- https://sansec.io/research/polyfill-supply-chain-attack

### Timeline

- **[2024-06-25]** https://sansec.io/research/polyfill-supply-chain-attack is published.
- **[2024-06-25 20:54 UTC]** Issue reported to the pdoc project by @adhintz.
- **[2024-06-25 21:33 UTC]** Patched version released.
- **[2024-06-25 21:37 UTC]** Security advisory published.

Neiman Marcus confirms breach. Is the customer data already for sale?

Almost immediately after Neiman Marcus began informing customers about a data breach, the alleged data was offered for sale.

GHSA-xfhp-jf8p-mh5w: HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation

HashiCorp’s go-getter library can be coerced into executing a Git update on an existing, maliciously modified Git configuration, potentially leading to arbitrary code execution. When go-getter performs a Git operation, it tries to clone the given repository into a specified destination. Cloning initializes a git config in that destination, and if the repository needs to be updated, go-getter pulls the new changes. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration and achieve code execution.

Debian Security Advisory 5715-2

Debian Linux Security Advisory 5715-2 - The update for composer released as DSA 5715 introduced a regression in the handling of git feature branches. Updated composer packages are now available to address this issue.

GHSA-ppm5-jv84-2xg2: Aimeos HTML client may potentially reveal sensitive information in error log

### Impact

Debug information can reveal sensitive information from environment variables in the error log.

### Affected platform

Laravel environments with multi-vendor setups and admin access for the vendors.

GHSA-94cc-xjxr-pwvf: DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document

### Impact

In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser _may_ execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack.

This attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a different authenticated user downloads the malicious file.

CORS and CSRF protection built into DSpace help to limit the impact of the attack (and may block it in some scenarios). If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, then the attack is no longer possible. See "Workarounds" below.

### Patches

The fix is included in both 8.0 and 7.6.2. Please upgrade to one of t...

Key Takeaways From the British Library Cyberattack

Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.

The Mystery of AI Gunshot-Detection Accuracy Is Finally Unraveling

How accurate are gunshot detection systems, really? For years, it's been a secret, but new reports from San Jose and NYC show these systems have operated well below their advertised accuracy rates.

Deepfake Creators Are Revictimizing GirlsDoPorn Sex Trafficking Survivors

The most notorious deepfake sexual abuse website is hosting altered videos originally published as part of the GirlsDoPorn operation. Experts say this new low is only the beginning.

China-Linked Cyber-Espionage Teams Target Asian Telecoms

In the latest breaches, threat groups compromised telecommunications firms in at least two Asian nations, installing backdoors and possibly eavesdropping or pre-positioning for a future attack.