#vulnerability

### Impact Authenticated users could inject code into algorithm environment variables ### Workarounds No

On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacking group blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

### Summary Vyper compiler allows passing a value in builtin `raw_call` even if the call is a `delegatecall` or a `staticcall`. But in the context of `delegatecall` and `staticcall` the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the `value=` argument. A contract search was performed and no vulnerable contracts were found in production. ### Details The IR for `raw_call` is built in the `RawCall` class: https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100 However, the compiler doesn't validate that if either `delegatecall` or `staticall` are provided as kwargs, that `value` wasn't set. For example, the following compiles without errors: ```python raw_call(self, call_data2, max_outsize=255, is_delegate_call=True, value=msg.value/2) ``` ### Impact If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwar...

GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a workspace. Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10. "An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to

Red Hat Security Advisory 2024-0554-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include out of bounds write and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-0539-03 - An update for tomcat is now available for Red Hat Enterprise Linux 8. Issues addressed include a HTTP request smuggling vulnerability.

Red Hat Security Advisory 2024-0538-03 - An update for libssh is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include bypass and null pointer vulnerabilities.

Red Hat Security Advisory 2024-0533-03 - An update for gnutls is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-0532-03 - An update for tomcat is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a HTTP request smuggling vulnerability.

Ubuntu Security Notice 6614-1 - It was discovered that amanda did not properly check certain arguments. A local unprivileged attacker could possibly use this issue to perform a privilege escalation attack.