Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

Red Hat and RISC-V: To the far edge and beyond

Red Hat has always been an advocate of growth at the intersection of open source and computing solutions–which is exactly where RISC-V can be found. RISC-V is one of those technologies where the future is both evident and inevitable. By integrating open source concepts with the hardware development process, it’s not hyperbole to say that RISC-V is disrupting the hardware industry.Our excitement around the unique value RISC-V brings to the hardware ecosystem as an open and collaborative instruction set architecture (ISA) is nothing new. Red Hat has been providing Fedora on RISC-V for severa

Red Hat Blog
Open in Source
#mac#linux#red_hat#git#intel#ssl
Thousands of Stolen AnyDesk Login Credentials Sold on Dark Web

By Waqas It's crucial to note that this sale of compromised AnyDesk accounts isn't connected to the security breach incident disclosed by the company on February 2, 2024. This is a post from HackRead.com Read the original post: Thousands of Stolen AnyDesk Login Credentials Sold on Dark Web

GHSA-mf74-qq7w-6j7v: Zmarkdown Server-Side Request Forgery (SSRF) in remark-download-images

### Impact A major blind SSRF has been found in `remark-images-download`, which allowed for requests to be made to neighboring servers on local IP ranges. The issue came from a loose filtering of URLs inside the module. Imagine a server running on a private network `192.168.1.0/24`. A private service serving images is running on `192.168.1.2`, and is not expected to be accessed by users. A machine is running `remark-images-download` on the neighboring `192.168.1.3` host. An user enters the following Markdown: ```markdown ![](http://192.168.1.2/private-img.png) ``` The image is downloaded by the server and included inside the resulting document. Hence, the user has access to the private image. It has been corrected by preventing images downloads from local IP ranges, both in IPv4 and IPv6. To avoid malicious domain names, resolved local IPs from are also forbidden inside the module. This vulnerability impact is moderate, as it is can allow access to unexposed documents on the local...

GHSA-mq6v-w35g-3c97: Local File Inclusion vulnerability in zmarkdown

### Impact A minor Local File Inclusion vulnerability has been found in `zmarkdown`, which allowed for images with a known path on the host machine to be included inside a LaTeX document. To prevent it, a new option has been created that allow to replace invalid paths with a default image instead of linking the image on the host directly. `zmarkdown` has been updated to make this setting the default. Every user of `zmarkdown` is likely impacted, except if disabling LaTeX generation or images download. Here is an example of including an image from an invalid path: ```markdown ![](/tmp/img.png) ``` Will effectively redownload and include the image found at `/tmp/img.png`. ### Patches The vulnerability has been patched in version 10.1.3. If impacted, you should update to this version as soon as possible. ### Workarounds Disable images downloading, or sanitize paths. ### For more information If you have any questions or comments about this advisory, open an issue in [ZMarkdown](...

Gentoo Linux Security Advisory 202402-01

Gentoo Linux Security Advisory 202402-1 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions greater than or equal to 2.38-r10 are affected.

WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution

WebCatalog versions prior to 48.8 call the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.

DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe. The agency attributed the campaign to a threat actor it calls UAC-0027. DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March

Cloudzy Elevates Cybersecurity: Integrating Insights from Recorded Future to Revolutionize Cloud Security

Cloudzy, a prominent cloud infrastructure provider, proudly announces a significant enhancement in its cybersecurity landscape. This breakthrough has been achieved through a recent consultation with Recorded Future, a leader in providing real-time threat intelligence and cybersecurity analytics. This initiative, coupled with an overhaul of Cloudzy's cybersecurity strategies, represents a major

Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code. The intrusion, which took place between November 14 and 24, 2023, and detected on November 23, was carried out "with the goal of

The many ways electric cars are vulnerable to hacks, and whether that matters in a real-world

Researchers recently discovered 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that could allow an attacker to take over the onboard infotainment system.