Red Hat Security Advisory 2024-1490-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1490.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: firefox security update  
Advisory ID:        RHSA-2024:1490-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1490  
Issue date:         2024-03-26  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.9.1 ESR.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write (CVE-2024-2608)

* Mozilla: Improve handling of out-of-memory conditions in ICU (CVE-2024-2616)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage (CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 (CVE-2024-2614)

* Mozilla: Privileged JavaScript Execution via Event Handlers (CVE-2024-29944)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270662  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666  
https://bugzilla.redhat.com/show_bug.cgi?id=2271064

Red Hat Security Advisory 2024-1490-03

Red Hat Security Advisory 2024-1489-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1489.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: firefox security update  
Advisory ID:        RHSA-2024:1489-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1489  
Issue date:         2024-03-26  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.9.1 ESR.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write (CVE-2024-2608)

* Mozilla: Improve handling of out-of-memory conditions in ICU (CVE-2024-2616)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage (CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 (CVE-2024-2614)

* Mozilla: Privileged JavaScript Execution via Event Handlers (CVE-2024-29944)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270662  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666  
https://bugzilla.redhat.com/show_bug.cgi?id=2271064

Red Hat Security Advisory 2024-1489-03

Red Hat Security Advisory 2024-1488-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1488.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: firefox security update  
Advisory ID:        RHSA-2024:1488-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1488  
Issue date:         2024-03-26  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.9.1 ESR.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write (CVE-2024-2608)

* Mozilla: Improve handling of out-of-memory conditions in ICU (CVE-2024-2616)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage (CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 (CVE-2024-2614)

* Mozilla: Privileged JavaScript Execution via Event Handlers (CVE-2024-29944)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270662  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666  
https://bugzilla.redhat.com/show_bug.cgi?id=2271064

Red Hat Security Advisory 2024-1488-03

Red Hat Security Advisory 2024-1487-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1487.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: firefox security update  
Advisory ID:        RHSA-2024:1487-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1487  
Issue date:         2024-03-26  
Revision:           03  
CVE Names:          CVE-2023-5388  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.9.1 ESR.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)

* Mozilla: Crash in NSS TLS method (CVE-2024-0743)

* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

* Mozilla: Integer overflow could have led to out of bounds write (CVE-2024-2608)

* Mozilla: Improve handling of out-of-memory conditions in ICU (CVE-2024-2616)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage (CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 (CVE-2024-2614)

* Mozilla: Privileged JavaScript Execution via Event Handlers (CVE-2024-29944)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5388

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2243644  
https://bugzilla.redhat.com/show_bug.cgi?id=2260012  
https://bugzilla.redhat.com/show_bug.cgi?id=2270660  
https://bugzilla.redhat.com/show_bug.cgi?id=2270661  
https://bugzilla.redhat.com/show_bug.cgi?id=2270662  
https://bugzilla.redhat.com/show_bug.cgi?id=2270663  
https://bugzilla.redhat.com/show_bug.cgi?id=2270664  
https://bugzilla.redhat.com/show_bug.cgi?id=2270665  
https://bugzilla.redhat.com/show_bug.cgi?id=2270666  
https://bugzilla.redhat.com/show_bug.cgi?id=2271064

Red Hat Security Advisory 2024-1487-03

By Owais Sultan
Entering the dynamic world of cryptocurrencies is pretty exciting. But one can easily get overwhelmed with the amount…
This is a post from HackRead.com Read the original post: Step-by-Step Guide to Creating Your First Crypto Wallet

Entering the dynamic world of cryptocurrencies is pretty exciting. But one can easily get overwhelmed with the amount of information that floods you once you dip your toes. 

Since you’re looking to create a crypto wallet, this guide was designed to help you as a newbie complete this process without a hassle. It will highlight the distinction between custodial and non-custodial wallets, emphasizing the benefits of each, and walk you through the setup process. 

****Two Types of Crypto Wallets****

There are two main types of wallets: custodial and non-custodial. Understanding the difference between these two is detrimental to making the right decision. 

****Custodial Wallets****

Custodial wallets are managed by a third-party entity, such as a cryptocurrency exchange or a specialized wallet service. When you use a custodial wallet, the private keys to your cryptocurrencies are held by the service provider.

****Advantages:****

*   Custodial wallets often offer a user-friendly interface, making them accessible to beginners. 
*   Users don’t need to worry about managing their private keys, as the service provider takes care of security.
*   If you forget your password or lose access to your account, you can recover your funds through the service provider’s customer support.

****Disadvantages:****

*   By entrusting your private keys to a third party, you’re exposed to the risk of the service being hacked. 
*   Since the service provider controls the wallet’s private keys, they have the ultimate authority over your funds. This control includes the ability to freeze accounts or delay transactions, which might be concerning for some users.

****Non-Custodial Wallets: Security and Autonomy****

Non-custodial wallets give you full control over your cryptocurrency by allowing you to manage your wallet’s private keys. This means that only you have access to your funds and the authority to make transactions.

****Advantages:****

*   Since you’re the sole holder of the private keys, the risk of external breaches is significantly reduced. 
*   You have complete autonomy over your funds, without any intermediary having the power to freeze or manage your assets. 

****Disadvantages:****

*   Managing your private keys means you must be vigilant in securing them. Losing your keys without a backup can result in the irreversible loss of your assets.
*   Non-custodial wallets can be more complex to use, especially for those new to cryptocurrency. 

Your choice between a custodial and non-custodial wallet will depend on what you value more: convenience or control. For those who prioritize ease of use and are just getting their feet wet in the crypto world, a custodial solution might be the way to go.

On the other hand, if you’re keen on having full control over your assets, a non-custodial wallet is your best bet. But then you must learn how to safely store and manage your keys, which might be tough for a beginner.

****Setting Up Your Wallet****

Regardless of the type of wallet you choose, the setup process is generally straightforward. Here’s how you can get started:

****Research****

Look for a reputable wallet provider. For non-custodial options, consider security features and compatibility with different cryptocurrencies. For custodial wallets, assess the platform’s reliability and customer service.

****Download and Install****

Once you’ve chosen your provider, download the wallet application on your smartphone or computer. Follow the installation instructions.

****Create Your Wallet****

Open the application and select the option to create a new wallet. You’ll likely be prompted to set up a password or PIN for additional security.

****Backup Your Wallet****

If you’re using a non-custodial wallet, you’ll be given a recovery phrase. It’s crucial to write this down and store it in a safe place. This phrase is your lifeline if you ever lose access to your device.

****Deposit Cryptocurrency****

You can now transfer crypto into your new wallet. You can do this by purchasing cryptocurrency through an exchange and sending it to your wallet’s address or receiving it from someone else.

****Introducing Nonbank: The Best of Both Worlds****

Now, let’s talk about Nonbank (PDF). It’s a new player but their concept is intriguing. Nonbank offers the convenience of a custodial wallet with the security and control of a non-custodial option. The upcoming Tron Wallet feature is especially noteworthy for those interested in managing both digital and traditional financial assets seamlessly. 

Setting up a wallet with Nonbank is a breeze. Their user interface is intuitive, making it easy for beginners to navigate. With Nonbank, you’re not just getting a wallet; you’re getting a comprehensive platform that supports your journey through the crypto space.

****To Sum Up****

Choosing the right wallet is a critical step for anyone venturing into the cryptocurrency world. Whether opting for a custodial or non-custodial wallet, the primary considerations should be convenience, security, and control. Nonbank can be a great tool to simplify the management of your digital and traditional assets, which makes it an excellent choice for you as a newcomer. 

1.  5 Types of Crypto You Didn’t Know Existed
2.  The Future of MATIC and What to Expect in 2024
3.  Navigating the new frontier of cryptocurrency futures
4.  What the Bitcoin ETF Approval Mean for the Crypto Market
5.  Enhancing Blockchain Randomness To Eliminate Trust Issues
6.  Exploring the Phenomenal Rise of Ethereum as a Digital Asset

Step-by-Step Guide to Creating Your First Crypto Wallet

Ubuntu Security Notice 6709-1 - It was discovered that checking excessively long DH keys or parameters may be very slow. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. After the fix for CVE-2023-3446 Bernd Edlinger discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6709-1March 21, 2024openssl1.0 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in OpenSSL.Software Description:- openssl1.0: Secure Socket Layer (SSL) cryptographic library and toolsDetails:It was discovered that checking excessively long DH keys or parametersmay be very slow. A remote attacker could possibly use this issue tocause OpenSSL to consume resources, resulting in a denial of service.(CVE-2023-3446)After the fix for CVE-2023-3446 Bernd Edlinger discovered that a largeq parameter value can also trigger an overly long computation duringsome of these checks. A remote attacker could possibly use this issueto cause OpenSSL to consume resources, resulting in a denial ofservice. (CVE-2023-3817)David Benjamin discovered that generating excessively long X9.42 DHkeys or checking excessively long X9.42 DH keys or parameters may bevery slow. A remote attacker could possibly use this issue to causeOpenSSL to consume resources, resulting in a denial of service.(CVE-2023-5678)Bahaa Naamneh discovered that processing a maliciously formattedPKCS12 file may lead OpenSSL to crash leading to a potential Denial ofService attack. (CVE-2024-0727)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):  libssl1.0.0                     1.0.2n-1ubuntu5.13+esm1After a standard system update you need to reboot your computer to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-6709-1  CVE-2023-3446, CVE-2023-3817, CVE-2023-5678, CVE-2024-0727

Ubuntu Security Notice USN-6709-1

Red Hat Security Advisory 2024-1472-03 - An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a memory leak vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1472.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: go-toolset:rhel8 security updateAdvisory ID:        RHSA-2024:1472-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1472Issue date:         2024-03-21Revision:           03CVE Names:          CVE-2024-1394====================================================================Summary: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es):* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1394References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262921

Red Hat Security Advisory 2024-1472-03

Red Hat Security Advisory 2024-1468-03 - An update for go-toolset-1.19-golang is now available for Red Hat Developer Tools. Issues addressed include a memory leak vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1468.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: go-toolset-1.19-golang security update  
Advisory ID:        RHSA-2024:1468-03  
Product:            Red Hat Developer Tools  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1468  
Issue date:         2024-03-21  
Revision:           03  
CVE Names:          CVE-2024-1394  
====================================================================

Summary: 

An update for go-toolset-1.19-golang is now available for Red Hat Developer Tools.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. 

Security Fix(es):

* golang: golang-fips/openssl: Memory leaks in code encrypting and decrypting  
RSA payloads (CVE-2024-1394)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1394

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-1468-03

By Uzair Amir
With the massive adoption of Microsoft 365, encountering complex environments involving multiple tenants is becoming increasingly common.
This is a post from HackRead.com Read the original post: Cross Tenant Microsoft 365 Migration

What is a Cross Tenant migration, and why and when do you need it? Cross-tenant migration refers to the process of moving data, applications, and services from one Microsoft 365 tenant (or organization) to another. Whether due to mergers, acquisitions, restructuring, or strategic decisions, businesses often find themselves in situations where they need to consolidate or reorganize their tenant structures.

****The different actors****

When it comes to tenant-to-tenant migration within Microsoft 365, several key actors play crucial roles in ensuring a successful transition. Let’s explore them:

**Microsoft Consulting Services (MCS)**: Organizations often collaborate with MCS to plan and execute tenant migrations. Their expertise ensures a smooth transition, addressing complexities and minimizing disruptions1.

**Microsoft Partners**: These skilled professionals specialize in tenant migrations. They work closely with organizations, offering tailored solutions and leveraging third-party tools for content migration1.

**IT Administrators**: Within the organization, IT administrators take charge of technical aspects. They oversee user accounts, data integrity, and configuration adjustments during the migration process.

**Identity Architects**: These architects design the identity framework for the new tenant. They handle user authentication, access permissions, and identity synchronization across tenants.

**Data Migration Specialists**: These experts focus on moving data—emails, files, SharePoint sites—from the source to the target tenant. They ensure data fidelity and minimal downtime.

**Change Management Teams**: Communication is key. Change management teams inform stakeholders about the migration, manage expectations, and guide users through the transition.

**The different solutions**: When it comes to cross-tenant Microsoft 365 migrations, several vendors and solutions can assist you in smoothly transitioning your users’ data. Here are some options:

**Microsoft 365 Native Tools:** Microsoft provides native tools and interfaces for cross-tenant mailbox and OneDrive migrations. 

**Third-Party Migration Solutions:** Several third-party vendors offer specialized migration tools for Microsoft 365 cross-tenant scenarios. These solutions provide additional features, flexibility, and support. 

Some popular vendors include:

****Cloudiway:****

Cloudiway specializes in cloud migration services, including Microsoft 365. Their platform is one of the most complete solutions and supports **Microsoft cross-tenant migrations** for mailboxes, OneDrive, Microsoft Teams, SharePoint, Intune and devices. Cloudiway emphasizes ease of use and efficient migration processes.

****AvePoint:****

**AvePoint** offers migration solutions for Microsoft 365, including cross-tenant scenarios. Their tools provide features like Mailbox, OneDrive, Microsoft Teams and SharePoint migrations. AvePoint’s solutions are known for their reliability and comprehensive support.

****BitTitan:** **

**BitTitan** is known for its MigrationWiz tool, which supports cross-tenant migrations for mailboxes, OneDrive, and Microsoft Teams.

****Quest:** **

Offers solutions like **Quest** On Demand Migration and Quest On Demand Migration for Email.

****SkyKick:** **

**SkyKick** provides automated migration tools for Microsoft 365, including cross-tenant scenarios.

****ShareGate:** **

Known for its **ShareGate Desktop** and ShareGate Migrate tools, which support SharePoint, Teams and OneDrive migrations. They have recently integrated mailbox migration.

****CodeTwo:****

**CodeTwo** offers migration solutions for Microsoft 365, including cross-tenant mailbox migrations.

****Table of comparison:****

**AvePoint**

**Cloudiway**

**Microsoft**

**BitTitan**

**Quest**

**Skykick**

**Avepoint**

**ShareGate**

**CodeTwo**

SAAS

Yes

Yes

Yes

Yes

Yes

Yes

No

No

MailsMaturity

Yes \* 2012

Yes 2022

Yes  \*2010

Yes 2012

Yes 2010

Yes 2021

Yes Beta

Yes 2012

Drives

Yes \*

Yes

Yes\*

Yes

No

Yes

Yes

No

Maturity

2012

2022

2015

2015

**AvePoint**

2020

SharePoint

Yes

Partial SPMT (On-premises)

No (librairies seulement)

Yes \*

No

Yes \*

Yes\*

No

Microsoft Teams

Yes\*2018 

No

Yes2020

Yes

No

Yes\*2018

Yes2021-22

No

Teams Private messages

Yes

No

No

No

No

No

No

No

Slack

Yes\*

No

No

No

No

Yes

No

No

Slack Direct Messages

Yes

No

No

No

No

No

No

No

Google Chat

Yes

No

No

No

No

No

No

No

Laptops

Yes

No

No

Yes

No

No

No

No

Intune

Yes

No

No

No

No

No

No

No

FreeBusy & Galsync

Yes

No

No

No

No

No

No

No

**\*** **leader**

****Conclusion:****

In the ever-evolving landscape of cloud collaboration, **cross-tenant migrations** have become a critical undertaking for organizations. Whether due to mergers, acquisitions, or strategic realignments, the need to seamlessly transition data between Microsoft 365 tenants is more prevalent than ever.

**Vendor Selection Matters:** Choosing the right migration solution is paramount. Evaluate vendors based on factors such as scope of migration, reliability, scalability, support, and ease of use. Consider both native Microsoft tools and third-party offerings.

**Preparation Is Key:** Properly prepare your source and target tenants. Establish trust relationships, configure identity mapping, and ensure that users are set up correctly in the destination tenant.

**Data Integrity and Security:** During migration, prioritize data integrity and security. Test thoroughly, monitor progress, and address any issues promptly.

**Communication and Change Management:** Keep stakeholders informed throughout the process. Effective communication minimizes disruption and ensures a smooth transition for end-users.

**Post-Migration Validation:** Validate data integrity, permissions, and functionality post-migration. Address any discrepancies promptly.

Remember, cross-tenant migrations are not just about moving data; they impact user productivity, collaboration, and overall business continuity. By following best practices and leveraging the right tools, organizations can navigate this complex journey successfully.

1.  Advantages of a Cloud VPS Server
2.  4 Benefits of Cloud VPN to your Business
3.  How To Safeguard Your Data With Cloud MRP System
4.  Managed Cloud Hosting vs. Unmanaged Cloud Hosting
5.  Insights on Google Cloud Backup, Disaster Recovery Service

Cross Tenant Microsoft 365 Migration

Privacy and security are an Apple selling point. But the DOJ’s new antitrust lawsuit argues that Apple selectively embraces privacy and security features in ways that hurt competition—and users.

For well over a decade, Apple has been praised by privacy advocates for its decision in 2011 to end-to-end encrypt iMessage, securing users' communications on the default texting app for all its devices so thoroughly that even Apple itself can't read their messages. This was years before WhatsApp switched on end-to-end encryption in 2016, and before Signal—now widely considered the most private end-to-end encrypted messaging platform—even existed, Apple quietly led the way with that security feature, baking it into a core piece of the Apple ecosystem.

So it's ironic that the US Department of Justice has now hit Apple with a landmark antitrust lawsuit, alleging that it has sought for years to monopolize the smartphone market and gravely harmed consumers in the process, iMessage's end-to-end encryption has become Exhibit A for an argument about Apple's privacy hypocrisy—that Apple's allegedly anticompetitive practices have denied users not only better prices, features, and innovation, but also better digital security.

In its sweeping antitrust lawsuit, the DOJ on Thursday laid out a broad set of allegations against Apple, accusing it of monopolistic practices in how it uses its walled-garden operating systems and app stores to deprive consumers of apps and services that might make it easier for them to wean themselves from their Apple addictions—keeping out of the App Store so-called super apps with cross-platform, broad functionality; limiting streaming and cloud-based applications; and handicapping the functionality of competitors' devices like smartwatches.

The DOJ's complaint also homes in on Apple's approach to security and privacy, arguing that it uses those principles as an excuse for its anticompetitive practices, yet jettisons them whenever they might hurt the bottom line. “In the end, Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests,” the complaint reads.

“I definitely think that Apple has strategically used privacy and security in ways that benefit its business,” says Caitlin Chin-Rothmann, a research fellow at the Center for Strategic & International Studies (CSIS) who focuses on technology policy. “Apple has taken some steps to improve end-to-end encryption in iMessage, for example, but it hasn’t extended that to iPhone users that text Android users or iPhone users that don’t use iMessage.”

In its privacy and security arguments, the DOJ faults Apple for decisions like its deal with Google to make Google's search engine the default on Apple products, rather than a more privacy-preserving alternative, or allowing data-harvesting apps into its App Store. But it repeatedly returns to iMessage as perhaps the clearest example of how Apple's anticompetitive practices directly harm users security. The DOJ argues that by refusing to allow users of other smartphone platforms like Android to use its end-to-end encryption iMessage protocol, it has significantly reduced the overall security of messaging worldwide, both for those Android users and for the Apple users who communicate with them.

“Text messages sent from iPhones to Android phones are unencrypted as a result of Apple’s conduct,” the complaint reads. “If Apple wanted to, Apple could allow iPhone users to send encrypted messages to Android users while still using iMessage on their iPhone, which would instantly improve the privacy and security of iPhone and other smartphone users.”

The argument is one that some Apple critics have made for years, as spelled out in an essay in January by Cory Doctorow, the science fiction writer, tech critic, and coauthor of _Chokepoint Capitalism_. “The instant an Android user is added to a chat or group chat, the entire conversation flips to SMS, an insecure, trivially hacked privacy nightmare that debuted 38 years ago—the year _Wayne's World_ had its first cinematic run,” Doctorow writes. “Apple's answer to this is grimly hilarious. The company's position is that if you want to have real security in your communications, you should buy your friends iPhones.”

In a statement to WIRED, Apple says it designs its products to “work seamlessly together, protect people’s privacy and security, and create a magical experience for our users,” and it adds that the DOJ lawsuit “threatens who we are and the principles that set Apple products apart” in the marketplace. The company also says it hasn't released an Android version of iMessage because it couldn't ensure that third parties would implement it in ways that met the company's standards.

“If successful, \[the lawsuit\] would hinder our ability to create the kind of technology people expect from Apple—where hardware, software, and services intersect,” the statement continues. “It would also set a dangerous precedent, empowering government to take a heavy hand in designing people’s technology. We believe this lawsuit is wrong on the facts and the law, and we will vigorously defend against it.”

Apple has, in fact, not only declined to build iMessage clients for Android or other non-Apple devices, but actively fought against those who have. Last year, a service called Beeper launched with the promise of bringing iMessage to Android users. Apple responded by tweaking its iMessage service to break Beeper's functionality, and the startup called it quits in December.

Apple argued in that case that Beeper had harmed users' security—in fact, it did compromise iMessage's end-to-end encryption by decrypting and then re-encrypting messages on a Beeper server, though Beeper had vowed to change that in future updates. Beeper cofounder Eric Migicovsky argued that Apple's heavyhanded move to reduce Apple-to-Android texts to traditional text messaging was hardly a more secure alternative.

“It’s kind of crazy that we’re now in 2024 and there still isn't an easy, encrypted, high-quality way for something as simple as a text between an iPhone and an Android,” Migicovsky told WIRED in January. “I think Apple reacted in a really awkward, weird way—arguing that Beeper Mini threatened the security and privacy of iMessage users, when in reality, the truth is the exact opposite.”

Even as Apple has faced accusations of hoarding iMessage's security properties to the detriment of smartphone owners worldwide, it's only continued to improve those features: In February it upgraded iMessage to use new cryptographic algorithms designed to be immune to quantum codebreaking, and last October it added Contact Key Verification, a feature designed to prevent man-in-the-middle attacks that spoof intended contacts to intercept messages. Perhaps more importantly, it's said it will adopt the RCS standard to allow for improvements in messaging with Android users—although the company did not say whether those improvements would include end-to-end encryption.

Even as it makes those advances in iMessage's security and privacy, Apple has rarely touted them in its public-facing marketing, points out Nadim Kobeissi, a cryptographer focused on secure messaging and the director of the cryptography consultancy Symbolic Software, and has actively contributed to public, nonproprietary security products. He argues that this deflates any argument the DOJ might make that Apple has intentionally hoarded security features as a competitive advantage.

Instead, Kobeissi says that the security gap is a byproduct of Apple's attempt to preserve the exclusivity of more visibly integrated and fun social features—reactions, FaceTime, coveted blue bubbles—while also conscientiously maintaining the product's security. “It’s not a security question, it's a societal question about the openness of communication platforms,” Kobeissi says. He points out that people who are aware of iMessage's security advantages are also aware of other end-to-end encrypted messaging options like WhatsApp and Signal.

Apple critics like Doctorow and Migicovsky both point out, however, that iMessage is deeply integrated in Apple devices as their default messaging app, and thus will always be used on those devices far more often than Signal or WhatsApp. “Defaults matter,” Doctorow says, pointing out that Google pays Apple a fortune for the right to make Google the default search engine on its devices. “Apple makes \[nearly\] $20 billion a year off the proposition that a click away is a click too far.”

Even if Apple's security features are good for its customers, “Apple’s size does matter” because it gives the company power over the broader market in ways that smaller technology companies cannot, regardless of whether they market their security and privacy features to beat out the competition, says CSIS's Chin-Rothmann. The question, ultimately, is whether people should be relying on technology giants like Apple to set the standards for privacy and security at all. She points out that comprehensive data privacy legislation that ensures minimum security requirements for software might well be a better approach than depending entirely on the private sector to decide who gets privacy—and who is denied it.

“If Congress or the US government really wants to increase privacy and security," Chin-Rothmann says, “we really should take these decisions out of the hands of massive technology companies like Apple.”

Tag

#ssl