Red Hat Security Advisory 2024-1495-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1495.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: thunderbird security update  
Advisory ID:        RHSA-2024:1495-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1495  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.9.0.

Security Fix(es):  
* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: Leaking of encrypted email subjects to other conversations  (CVE-2024-1936)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write  
(CVE-2024-2608)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage  
(CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally  
granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a  
use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and  
Thunderbird 115.9 (CVE-2024-2614)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2268171  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666

Red Hat Security Advisory 2024-1495-03

Red Hat Security Advisory 2024-1494-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1494.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: thunderbird security update  
Advisory ID:        RHSA-2024:1494-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1494  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.9.0.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: Leaking of encrypted email subjects to other conversations  (CVE-2024-1936)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write  
(CVE-2024-2608)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage  
(CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally  
granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a  
use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and  
Thunderbird 115.9 (CVE-2024-2614)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2268171  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666

Red Hat Security Advisory 2024-1494-03

Red Hat Security Advisory 2024-1493-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1493.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: thunderbird security update  
Advisory ID:        RHSA-2024:1493-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1493  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.9.0.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: Leaking of encrypted email subjects to other conversations  (CVE-2024-1936)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write  
(CVE-2024-2608)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage  
(CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally  
granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a  
use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and  
Thunderbird 115.9 (CVE-2024-2614)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2268171  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666

Red Hat Security Advisory 2024-1493-03

Red Hat Security Advisory 2024-1492-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1492.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: thunderbird security update  
Advisory ID:        RHSA-2024:1492-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1492  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.9.0.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: Leaking of encrypted email subjects to other conversations  (CVE-2024-1936)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write  
(CVE-2024-2608)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage  
(CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally  
granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a  
use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and  
Thunderbird 115.9 (CVE-2024-2614)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2268171  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666

Red Hat Security Advisory 2024-1492-03

Red Hat Security Advisory 2024-1485-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1485.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: firefox security update  
Advisory ID:        RHSA-2024:1485-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1485  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of  
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 115.9.1 ESR.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write (CVE-2024-2608)

* Mozilla: Improve handling of out-of-memory conditions in ICU (CVE-2024-2616)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage (CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 (CVE-2024-2614)

* Mozilla: Privileged JavaScript Execution via Event Handlers (CVE-2024-29944)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270662  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666  
https://bugzilla.redhat.com/show_bug.cgi?id=2271064

Red Hat Security Advisory 2024-1485-03

Red Hat Security Advisory 2024-1484-03 - An update for firefox is now available for Red Hat Enterprise Linux 8. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1484.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: firefox security update  
Advisory ID:        RHSA-2024:1484-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1484  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of  
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 115.9.1 ESR.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write (CVE-2024-2608)

* Mozilla: Improve handling of out-of-memory conditions in ICU (CVE-2024-2616)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage (CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 (CVE-2024-2614)

* Mozilla: Privileged JavaScript Execution via Event Handlers (CVE-2024-29944)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270662  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666  
https://bugzilla.redhat.com/show_bug.cgi?id=2271064

Red Hat Security Advisory 2024-1484-03

Red Hat Security Advisory 2024-1608-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1608.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1608-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1608Issue date:         2024-04-02Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1608-03

By Uzair Amir
In the last 30 days, Powerloom generated over 250 million snapshots (unique data points), with a daily increase to approximately 10 million snapshots
This is a post from HackRead.com Read the original post: Powerloom Announces Expansion to Base as It Surpasses 5200 Snapshotter Lite Nodes

Powerloom, a leading composable data network that enables protocols to index and query blockchain data in a decentralized manner, today announces its expansion to the Base ecosystem by introducing the first node mint on Base, an Ethereum Layer-2 scaling solution incubated by Coinbase.

The Base expansion comes as Powerloom celebrates the successful minting of over 5,200, marking a significant milestone in its commitment to providing actionable on-chain data across the L1 and L2 networks.

Powerloom’s strategic extension to Base heralds the first opportunity for Base users to mint a data node, offering a novel pathway to contribute to and benefit from on-chain data. The expansion will shape how data is captured and utilized across the Base ecosystem, especially with Powerloom’s one-click setup for Snapshotter Lite Nodes, which eliminates the need for dedicated infrastructure and significantly simplifies participation.

Swaroop Hegde, the Co-founder of Powerloom, said, “Reaching over 5200 Snapshotter Lite nodes is a milestone that signifies trust and growth in Powerloom’s mission. As we expand into the Base ecosystem, we’re growing from a tech standpoint and building the community. This step is pivotal as we continue to democratize on-chain data access. The future is exciting, and this is just the beginning.”

The Base expansion includes Base and other L2 solutions, with tech optimizations such as the Optimism Stack integration and enhanced participation options for Snapshotters in various data markets across the Base ecosystem.

****Snapshots and Data Markets****

Snapshots are on-chain data points captured by Snapshotter Lite Nodes from diverse data markets within the ecosystem, mainly focusing on DEX token pairs/pools like the USDC – ETH pair on DEXes like Uniswap (V2) and Aave. Snapshotters are the backbone of the Powerloom ecosystem, capturing data from the blockchain and various data markets on-chain. The Lite version of the Node is tailored to be user-friendly and requires minimal technical experience.

In the last 30 days alone, Powerloom’s network generated over 250 million snapshots, with a daily increase to approximately 10 million snapshots, underscoring the scale and impact of its operations.

Powerloom is the go-to source for large, scalable, and credible data sets, ideal for building rich data products like dashboards. The network participants maintain integrity and reliability, ensuring every piece of data is accurate, thoroughly validated in consensus-backed computation, and further validated so developers can build with peace of mind. Powerloom’s data markets seamlessly integrate pre-computed, validated, and readily consumable APIs for the DeFi protocols and smart contracts for any use case. 

The future looks promising as Powerloom expands its capabilities and ecosystem partnerships. With plans to broaden its reach to Base and other L2 solutions, technical optimizations, and increased data market participation, Powerloom is well-positioned to lead in the blockchain data infrastructure space.

****About Powerloom****

Powerloom is a leading on-chain data protocol that serves the evolving data needs of smart contract-based applications like DeFi, GameFi, NFTs, and more. The platform incentivizes participating peers to reach a consensus on state transitions and event emissions observations across many smart contracts. Powerloom unlocks the power of on-chain data, enabling developers to build complex dashboards, smart bots, advanced aggregators, and insightful trackers with data integrity and adaptability. Every data point in every dataset generated by Powerloom is peer-validated, backed by consensus, and present on IPFS for complete transparency and trust.

**Learn more:** powerloom.io/

**Mint site:** https://mint.powerloom.network/

**Contact:** Samuel Del Real, \[email protected\]

Powerloom Announces Expansion to Base as It Surpasses 5200 Snapshotter Lite Nodes

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-1300

**Eclipse Vert.x vulnerable to a memory leak in TCP servers**

Moderate severity GitHub Reviewed Published Apr 2, 2024 to the GitHub Advisory Database • Updated Apr 2, 2024

**Package**

maven io.vertx:vertx-core (Maven)

**Affected versions**

\>= 4.3.4, < 4.4.8

\>= 4.5.0, < 4.5.3

**Patched versions**

4.4.8

4.5.3

**Description**

Published to the GitHub Advisory Database

Apr 2, 2024

GHSA-9ph3-v2vh-3qx7: Eclipse Vert.x vulnerable to a memory leak in TCP servers

Details are starting to emerge about a stunning supply chain attack that sent the open source software community reeling.

On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in XZ Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

“This might be the best-executed supply chain attack we've seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library,” software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.

Researchers have spent the weekend gathering clues. Here’s what we know so far.

**What Is XZ Utils?**

XZ Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. XZ Utils provides critical functions for compressing and decompressing data during all kinds of operations. XZ Utils also supports the legacy .lzma format, making this component even more crucial.

**What Happened?**

Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.

Through sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to XZ Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.

**What Does the Backdoor Do?**

Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions when performing operations related to .lzma compression or decompression. When these functions involved SSH, they allowed for malicious code to be executed with root privileges. This code allowed someone in possession of a predetermined encryption key to log in to the backdoored system over SSH. From then on, that person would have the same level of control as any authorized administrator.

**How Did This Backdoor Come to Be?**

It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe\_fprint funcion with a variant that has long been recognized as less secure. No one noticed at the time.

The following year, JiaT75 submitted a patch over the XZ Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of XZ Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

In January 2023, JiaT75 made their first commit to XZ Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in XZ Utils affairs. For instance, Tan replaced Collins’ contact information with their own on oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to XZ Utils.

In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of XZ Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into several releases, according to security firm Tenable. There’s more about Tan and the timeline here.

**Can You Say More About What This Backdoor Does?**

In a nutshell, it allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.

Multiple people who have reverse-engineered the updates have much more to say about the backdoor. Developer Sam James provided an overview here.

Tag

#ssl