Latest News

The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP.

### Summary The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. ### Details https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/9128a9258fe1fee36f198f97b1e3371fc7b77a93/extension/bearertokenauthextension/bearertokenauth.go#L189-L196 For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/. ### Impact This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. ### Fix The observable timing vulnerability was fixed by @axw in v0.107.0 (PR https://github.com/open-telemetry/opentelemetry-collector-c...

Malwarebytes has been awarded the Parent Tested Parent Approved Seal of Approval for product excellence.

Ubuntu Security Notice 6954-1 - Markus Frank and Fiona Ebner discovered that QEMU did not properly handle certain memory operations, leading to a NULL pointer dereference. An authenticated user could potentially use this issue to cause a denial of service. Xiao Lei discovered that QEMU did not properly handle certain memory operations when specific features were enabled, which could lead to a stack overflow. An attacker could potentially use this issue to leak sensitive information.

WordPress MapFig Studio plugin versions 0.2.1 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

Debian Linux Security Advisory 5743-2 - Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail.

There is an architectural and design issue in Microsoft's PlayReady which can be successfully exploited to gain access to license server by arbitrary clients. The problem has its origin in flat certificate namespace / reliance on a single root key in PlayReady along with no authentication at the license server end by default (deemed as no bug by Microsoft).

Ubuntu Security Notice 6950-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

WordPress Profilepro plugin versions 1.3 and below suffer from a persistent cross site scripting vulnerability.

Debian Linux Security Advisory 5747-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.