Google has announced support for what's called a V8 Sandbox in the Chrome web browser in an effort to address memory corruption issues.
The sandbox, according to V8 Security technical lead Samuel Groß, aims to prevent "memory corruption in V8 from spreading within the host process."
The search behemoth has described V8 Sandbox as a lightweight, in-process sandbox

Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks

Red Hat Security Advisory 2024-1691-03 - An update for varnish is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1691.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish security updateAdvisory ID:        RHSA-2024:1691-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1691Issue date:         2024-04-08Revision:           03CVE Names:          CVE-2024-30156====================================================================Summary: An update for varnish is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* varnish: HTTP/2 Broken Window Attack may result in denial of service (CVE-2024-30156)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-30156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271486

Red Hat Security Advisory 2024-1691-03

Red Hat Security Advisory 2024-1690-03 - An update for varnish is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1690.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish security updateAdvisory ID:        RHSA-2024:1690-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1690Issue date:         2024-04-08Revision:           03CVE Names:          CVE-2024-30156====================================================================Summary: An update for varnish is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* varnish: HTTP/2 Broken Window Attack may result in denial of service (CVE-2024-30156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-30156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271486

Red Hat Security Advisory 2024-1690-03

Red Hat Security Advisory 2024-1689-03 - An update for rh-varnish6-varnish is now available for Red Hat Software Collections. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1689.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: rh-varnish6-varnish security updateAdvisory ID:        RHSA-2024:1689-03Product:            Red Hat Software CollectionsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1689Issue date:         2024-04-08Revision:           03CVE Names:          CVE-2024-30156====================================================================Summary: An update for rh-varnish6-varnish is now available for Red Hat Software Collections.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* HTTP/2 Broken Window Attack may result in denial of service (CVE-2024-30156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-30156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271486

Red Hat Security Advisory 2024-1689-03

Red Hat Security Advisory 2024-1683-03 - Red Hat OpenShift Container Platform release 4.13.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1683.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: OpenShift Container Platform 4.13.39 bug fix and security updateAdvisory ID:        RHSA-2024:1683-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1683Issue date:         2024-04-08Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: Red Hat OpenShift Container Platform release 4.13.39 is now available with updates to packages and images that fix several bugs and add enhancements.This release includes a security update for Red Hat OpenShift Container Platform 4.13.Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.39. There are no RPM packages for this release.Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.htmlSecurity Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION framescauses DoS (CVE-2023-45288)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.htmlSolution:CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-1683-03

Red Hat Security Advisory 2024-1681-03 - Red Hat OpenShift Container Platform release 4.14.20 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1681.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.20 bug fix and security update  
Advisory ID:        RHSA-2024:1681-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1681  
Issue date:         2024-04-08  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.20 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.20. 

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-1681-03

Red Hat Security Advisory 2024-1679-03 - Red Hat OpenShift Container Platform release 4.12.55 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1679.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: OpenShift Container Platform 4.12.55 bug fix and security updateAdvisory ID:        RHSA-2024:1679-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1679Issue date:         2024-04-08Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: Red Hat OpenShift Container Platform release 4.12.55 is now available with updates to packages and images that fix several bugs and add enhancements.This release includes a security update for Red Hat OpenShift Container Platform 4.12.Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.55. There are no RPM packages for this release.Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.htmlSecurity Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION framescauses DoS (CVE-2023-45288)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.htmlSolution:CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268273https://issues.redhat.com/browse/OCPBUGS-30295

Red Hat Security Advisory 2024-1679-03

Red Hat Security Advisory 2024-1668-03 - Red Hat OpenShift Container Platform release 4.15.8 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1668.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.8 bug fix and security update  
Advisory ID:        RHSA-2024:1668-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1668  
Issue date:         2024-04-08  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.8 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.8.

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-1668-03

By Daily Contributors
Today over at Resonance Security I am going to look at one of the more unusual ways in…
This is a post from HackRead.com Read the original post: The Legacy of a Security Breach

This article was authored and contributed by Keir Finlow-Bates, a passionate blockchain enthusiast and technologist.

Today over at Resonance Security I am going to look at one of the more unusual ways in which your approach to computer security can lead to an increase in public awareness of your company.

There are many motivations for starting a company: becoming wealthy, doing something interesting and useful, and leaving some kind of legacy or mark on history are three of the main ones that spring to mind.

About that legacy: imagine having the name of your corporation attached to a file representing one of the most significant hacks of the 21st century!

That’s quite notable, but probably not what the founders of one particular company were looking for with their startup.

****We won’t rock you****

In the middle of the 2000s, RockYou, Inc. was doing well as a widget-maker for social media companies like MySpace and Facebook. However, back in 2009, it suffered a data breach in which a hacker discovered an SQL database server with an unpatched ten-year-old bug, the database containing over 32 million usernames and passwords for user accounts.

That’s right — 32 million usernames, and their associated passwords. For comparison, that’s about 10% of the active monthly users that Facebook had at the time.

The passwords were stored in plain text.

****Mud on your face, big disgrace****

Not only did RockYou initially fail to notify their users, but it subsequently released a falsified official statement claiming that the breach was less severe than it was.

To be clear: it was a very, very serious breach.

A decade and a half ago, people were far worse at password security than they are now. Password managers were almost unheard of, for some unexplained bizarre reason some sites blocked the use of password managers for unspecified “security reasons”, and two-factor authentication was pretty much only affordable and available to business users.

Because people were told not to write down their passwords, this meant that most of the leaked credentials were being used on other websites. After all, who in their right mind is going to memorize twenty or thirty different random passwords? As a result, sites such as banks, online stores, health databases, social media, supposedly private online journals, and online games held accounts using the same passwords.

****The legacy****

For years the full list of RockYou passwords has been available to download by anyone. It is typically found in a file called rockyou.txt , and there are plenty of GitHub repositories out there where you can find it.

In Kali Linux, a Linux distribution designed and produced specifically for penetration testing, the RockYou text file is included during the installation by default.

****Conclusion****

Just imagine — with a little bit of security carelessness, you too can take your modestly successful company and in the process of destroying it, allow its name to live on forever.

Have we learned anything since 2009? Not always.

For example: in 2017 it was revealed that an old social media site called LiveJournal, dating back to the 90s (but still running to this day), suffered a breach in which 26 million unique usernames, email addresses, and plaintext passwords were extracted. It took them until 2019 to admit to the breach.

That’s right — passwords were still being stored in plaintext in 2017, and I would bet good money on there being more sites out are doing the same, even though we are a decade and a half on from the original RockYou breach.

I predict that the leakage of passwords will only end once we stop using passwords, and start using improved systems such as security keys and self-managed identity for our authentication systems.

In the meantime, you have to assume that any password you provide to a website will eventually be leaked, therefore:

*   use a password manager to generate long, random, unique passwords for your accounts,
*   protect access to the password manager with two-factor authentication, and
*   make sure the password you use for your password manager has never been used anywhere else.

****Post-script****

Don’t run off and look for a website that allows you to enter your password and see if it was ever revealed in a breach! I can guarantee it will be a phishing site. Instead, I recommend HaveIBeenPwned, where you can type in your email address, and retrieve a list of the companies and websites that have managed to leak your credentials to the dark web through bad security practices. Another option is the Resonance Data Leak Detector, which monitors if your credentials have been leaked 24/7 and automatically notifies you.

****About Resonance Security****

Resonance Security is a curated platform for end-to-end cybersecurity products and services. It functions as a concierge for your organization’s end-to-end cyber-security needs, aggregating valuable security offerings into one platform to spread awareness on what it takes to secure your technology stack end-to-end.

I’m Keir Finlow-Bates, often known as Blockchain Gandalf, and am primarily a blockchain researcher and inventor. I started on this journey in late 2010 by examining the original Bitcoin code, and have been obsessed with blockchain ever since.

I am also the author of two books on the topic: Move Over Brokers Here Comes The Blockchain, explaining blockchain, and Evil Tokenomics, illustrating through practical examples how web3 scams work. You can find more at my website: Thinklair.com

1.  The Forgotten Victims of Data Breach
2.  Solving the Cyber Security Problem: Mission Impossible
3.  Will good prevail over bad as bots battle for the internet?
4.  If a Cyber Security Report Falls in a Forest, Is Anyone Listening?

The Legacy of a Security Breach

A list of topics we covered in the week of April 1 to April 7 of 2024

April 8, 2024 - This week on the Lock and Code podcast, we re-air an episode with guest Alec Muffett about online age verification.

April 7, 2024 - In a recent US Chamber of Commerce poll, small businesses identified cybersecurity as their biggest concern.

April 5, 2024 - Resaerchers found that 90% of websites were in violation of one or more privacy regulations concerning cookie consent.

April 4, 2024 - Jackson County has suffered "significant disruptions within its IT systems," and its offices are closed.

April 3, 2024 - Google has issued patches for 28 security vulnerabilities, including a critical patch for Androids with Qualcomm chips.

Tag

#web