#ubuntu

### Summary A Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Filebrowser-Server-IP:PORT/files/{file-name}` . While the server correctly handles and stores uploaded files, it attempts to load the entire content into memory during read operations without size checks or resource limits. This allows an authenticated user to upload a large file and trigger uncontrolled memory consumption on read, potentially crashing the server and making it unresponsive. ### Details The endpoint ` /api/resources/{file-name}` accepts `PUT` requests with plain text file content. Uploading an extremely large file (e.g., ~1.5 GB) succeeds without issue. However, when the server attempts to open and read this file, it performs the read operation in an unbounded or inefficient way, leading to excessive memory usage. This approach attempts to read the entire file into memory at once. For large files, this causes memory exhaustion resulting in a cras...

### Impact Any user with a Juju account on a controller can upload a charm to the /charms endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. A charm which exploits the zip slip vulnerability may be used to allow such a user to get access to a machine running a unit using the affected charm. ### Details A controller exposes three charm-related HTTP API endpoints, as follows: - PUT/GET https://<controller-ip>:17070/model-<model-uuid>/charms/<nameofcharm>-<hashofcharm> - POST/GET https://<controller-ip>:17070/model-<model-uuid>/charms - GET https://<controller-ip>:17070/charms These endpoints require Basic HTTP authentication credentials and will accept any valid user within the context of the controller. A user that has no specific permission or access granted can call all of these APIs. To reproduce: ``` juju bootstrap juju add-user testuser juju change-user-password testuser ``` Download the ZIP file of an...

I added support for ALT Linux OVAL content in Linux Patch Wednesday. Now I track when specific CVEs were fixed in ALT Linux packages and take that into account when generating the monthly bulletins. The more data sources on patched vulnerabilities in Linux distributions are used, the more accurate the bulletins become. 👍 Especially when […]

ShortLeash backdoor, used in the China-linked LapDogs campaign since 2023, enables stealth access, persistence, and data theft via compromised SOHO routers and fake certs.

### Impact When a user who hasn't logged in to the system before (i.e. doesn't exist in the authd user database) logs in via SSH, the user is considered a member of the root group in the context of the SSH session. That leads to a local privilege escalation if the user should not have root privileges. ### Patches Fixed by https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab ### Workarounds Configure the SSH server to not allow authenticating via authd, for example by setting `UsePAM no` or `KbdInteractiveAuthentication no` in the `sshd_config` (see https://documentation.ubuntu.com/authd/stable/howto/login-ssh/#ssh-configuration).

How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

Qualys details CVE-2025-5054 and CVE-2025-4598, critical vulnerabilities affecting Linux crash reporting tools like Apport and systemd-coredump. Learn how…

Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU). Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like

This issue arises from the prefix caching mechanism, which may expose the system to a timing side-channel attack. ## Description When a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). Our tests revealed that the timing differences caused by matching chunks are significant enough to be recognized and exploited. For instance, if the victim has submitted a sensitive prompt or if a valuable system prompt has been cached, an attacker sharing the same backend could attempt to guess the victim's input. By measuring the TTFT based on prefix matches, the attacker could verify if their guess is correct, leading to potential leakage of private information. Unlike token-by-token sharing mechanisms, vLLM’s chunk-based approach (PageAttention) processes tokens in larger units (chunks). In our tests, with chunk_size=2, the timing differences became noticeable enough to allow ...

### Summary Using tcp breaks blocking and allows DNS exfiltration. ### PoC ``` name: test on: push: branches: - "*" jobs: testBullFrog: runs-on: ubuntu-22.04 steps: - name: Use google dns run: | sudo resolvectl dns eth0 1.1.1.1 resolvectl status - name: Set up bullfrog to block everything uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2 with: egress-policy: block allowed-domains: | *.github.com - name: Test connectivity run: | echo testing udp allowed .. dig api.github.com @1.1.1.1 || : echo testing tcp allowed .. dig api.github.com @1.1.1.1 +tcp || : echo testing udp not allowed dig api.google.com @1.1.1.1 || : echo testing tcp not allowed dig api.google.com @1.1.1.1 +tcp || : ``` ### Impact sandbox bypass ![image](https://github.com/user-attach...