Security
Headlines
HeadlinesLatestCVEs

Tag

#git

EMEA blog [DUTCH] | Red Hat closes Master Agreement with SLM Rijk to strengthen digital autonomy within Dutch government

Red Hat en het Strategisch Leveranciersmanagement Rijk (SLM Rijk) hebben een Master Agreement ondertekend. Deze overeenkomst maakt het Nederlandse Rijksoverheidinstanties makkelijker om gebruik te maken van de software en diensten van Red Hat. Met behulp van deze nieuwe overeenkomst wil Red Hat innovatie binnen Nederlandse Rijksoverheidsinstanties versnellen met open source platforms die beter kunnen integreren met hybride cloud-omgevingen.SLM Rijk bundelt de onderhandelingskracht van de Rijksoverheid als geheel. Dit zorgt voor meer voorspelbare en gunstige voorwaarden en bevordert de kostenef

Red Hat Blog
Open in Source
#linux#red_hat#git
Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale

Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and…

How to Get Around the US TikTok Ban

TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.

US Names One of the Hackers Allegedly Behind Massive Salt Typhoon Breaches

Plus: New details emerge about China’s cyber espionage against the US, the FBI remotely uninstalls malware on 4,200 US devices, and victims of the PowerSchool edtech breach reveal what hackers stole.

GHSA-c9p4-xwr9-rfhx: Zot IdP group membership revocation ignored

### Summary The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. ### Details [SetUserGroups](https://github.com/project-zot/zot/blob/5e30fec65c49e3139907e2819ccb39b2e3bd784e/pkg/meta/boltdb/boltdb.go#L1665) is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. ### PoC Login with group claims, logout, remove the user from a group from at IdP and log in again, the API still grants access and the new list of groups is appended creating meaningless duplicate entries and no longer mathing the expected groups from the IdP. The behavior can be verified by seeing the API or UI still presenting images it should not or by viewing the data directly: `bbolt get meta.db UserData <user>`, eg: ![image](https://github.com/user-attachments/assets/3491cbd2-...

GHSA-cg87-wmx4-v546: KaTeX \htmlData does not validate attribute names

### Impact KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. ### Patches Upgrade to KaTeX v0.16.21 to remove this vulnerability. ### Workarounds - Avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands. - Forbid inputs containing the substring `"\\htmlData"`. - Sanitize HTML output from KaTeX. ### Details `\htmlData` did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts. ### For more information If you have any questions or comments about this advisory: - Open an issue or security advisory in the [KaTeX repository](https://github.com/KaTeX/KaTeX/) - Email us at [katex-security@mit.edu](mailto:katex-security@mit.edu)

GHSA-v4mq-x674-ff73: AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider

### Impact Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34. However, the current `tls.connect` method will always set `rejectUnauthorized: false` which is a potential security concern. CDK should follow the best practice and set `rejectUnauthorized: true`. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag. Note that this is marked as low severity Security advisory because the issuer url is provided by CDK users who define the CDK application. If they insist on connecting to a unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block is run in a Lambda environment which mitigate the MITM attack. As a best practice, CDK should still fix this issue under a...

Employees Enter Sensitive Data Into GenAI Prompts Far Too Often

The propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.

Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses.

Why Many New AI Tools Aren’t Available In Europe – And How To Access Them

Explore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing…