#git

### Impact For Cilium users who: - Use Gateway API for Ingress for some services **AND** - Use [LB-IPAM](https://docs.cilium.io/en/stable/network/lb-ipam/) or BGP for LB Service implementation **AND** - Use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces Egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. ### Patches This issue was fixed by https://github.com/cilium/proxy/pull/1172. This issue affects: - Cilium v1.15 between v1.15.0 and v1.15.14 inclusive - Cilium v1.16 between v1.16.0 and v1.16.7 inclusive - Cilium v1.17 between v1.17.0 and v1.17.1 inclusive This issue is fixed in: - Cilium v1.15.15 - Cilium v1.16.8 - Cilium v1.17.2 ### Workarounds A Clusterwide Cilium Network Policy can be used to work around this issue for users ...

Crossing into the United States has become increasingly dangerous for digital privacy. Here are a few steps you can take to minimize the risk of Customs and Border Protection accessing your data.

LayerX Labs reports a sophisticated macOS phishing campaign, evading security measures. Learn how attackers adapt and steal credentials from Mac users.

Cary, NC, 24th March 2025, CyberNewsWire

The ad hoc addition to the otherwise tightly controlled White House information environment could create blind spots and security exposures while setting potentially dangerous precedent.

### Summary A security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in this clause: https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56 https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57 ### PoC Create a graphql endpoint with a security after resolver. ### Impact As this fallsback to `security`, the impact is there only when there's only a security after resolver and none inside security. The test at https://github.com/api-platform/core/pull/6444 is probably broken.

Affected versions of this crate didn't provide sufficient lifetime constraints to conversion functions from `alloc::sync::Arc` and `alloc::rc::Rc`, which made it possible to create projections of these reference counted pointers. Unlike the original reference counted pointers, these projections could outlive original data's lifetimes. This projected pointer could cause the original `Arc`'s or `Rc`'s `Drop::drop` to get called at a point where the original data was no longer valid, leading to a potential use after free. The affected functions were - `pared::prc::Prc::from_rc` - `pared::prc::Prc::project` - `pared::prc::Prc::try_from_rc` - `pared::sync::Parc::from_arc` - `pared::sync::Parc::project` - `pared::sync::Parc::try_from_arc` This flaw was fixed in [108f540ea8acb6073751a1aa386085c1cdc4fd1e](https://github.com/radekvit/pared/commit/108f540ea8acb6073751a1aa386085c1cdc4fd1e) by requiring that the type stored in the `Arc`s and `Rc`s passed to these functions contain `T: 'static`.

### Summary The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an open-source framework for defining cloud infrastructure using code. Users use it to create their own applications, which are converted to AWS CloudFormation templates during deployment to a user's AWS account. AWS CDK contains pre-built components called "constructs," which are higher-level abstractions providing defaults and best practices. This approach enables developers to use familiar programming languages to define complex cloud infrastructure more efficiently than writing raw CloudFormation templates. The [AWS CodePipeline](https://aws.amazon.com/codepipeline/) construct deploys CodePipeline, a managed service that orchestrates software release processes through a series of stages, each comprising one or more actions executed by CodePipeline. To perform these actions, CodePipeline assumes IAM roles with permissions necessary for each step, allowing it to interact with AWS services and resource...

A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad

**Why are we publishing this Kubernetes CVE in the Security Update Guide?** We are republishing these CVEs because on March 24, 2025, the Kubernetes SRC (Security Response Committee) published 5 CVEs that disclose vulnerabilities in the Kubernetes NGINX Ingress Controller. Some of these vulnerabilities might affect you if you have this component running in your Kubernetes cluster. **How do I know if I am affected by these vulnerabilities?** If you are running your own **Kubernetes NGINX Ingress Controller, please review the CVEs and mitigate by updating to the latest patch versions** (v1.11.5 and v1.12.1). **If you are using the** Managed NGINX ingress with the application routing add-on on AKS, the patches are getting rolled out to all regions and should be completed in a few days. No action is required. The status of the AKS deployment can be monitored here: AKS Release Status. **Where can I find more information about these vulnerabilities?** CVE ID Link to Github Issue CVE...