#git

## Summary Versions of `tf2-item-format` since at least `4.2.6` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. ## Tested Versions - `5.9.13` - `5.8.10` - `5.7.0` - `5.6.17` - `4.3.5` - `4.2.6` ### v5 Upgrade package to `^5.9.14` ### v4 No patch exists. Please consult the [v4 to v5 migration guide](https://github.com/danocmx/node-tf2-item-format?tab=readme-ov-file#migrating-from-v4-to-v5) to upgrade to v5. If upgrading to v5 is not possible, fork the module repository and implement the fix detailed below. ## Impact This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any `tf2-item-format` to parse user input.

The initial onboarding stage is a crucial step for both employees and employers. However, this process often involves the practice of sharing temporary first-day passwords, which can expose organizations to security risks. Traditionally, IT departments have been cornered into either sharing passwords in plain text via email or SMS, or arranging in-person meetings to verbally communicate these

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the

Meta has been given time till September 1, 2024, to respond to concerns raised by the European Commission over its "pay or consent" advertising model or risk-facing enforcement measures, including sanctions. The European Commission said the Consumer Protection Cooperation (CPC) Network has notified the social media giant of the model adopted on Facebook and Instagram of potentially violating

The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign targeting a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. The agency attributed the attack to a threat actor it tracks under the name UAC-0063, which was previously observed targeting various government entities to gather sensitive information using

The code, the first of its kind, was used to sabotage a heating utility in Lviv at the coldest point in the year—what appears to be yet another innovation in Russia’s torment of Ukrainian civilians.

Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web

### Impact _What kind of vulnerability is it? Who is impacted?_ A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. ### Patches _Has the problem been patched? What versions should users upgrade to?_ The problem has been patched. All users are advised to upgrade to v3.1.5 or v2.1.9. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Before calling `Image.Decode(Async)`, use `Image.Identify` to determine the image dimensions in order to enforce a limit. ### References _Are there any links users can visit to find out more?_ - https://github.com/SixLabors/ImageSharp/pull/2759 - https://github.com/SixLabors/ImageSharp/pull/2764 - https://github.com/SixLabors/ImageSharp/pull/2770 - ImageSharp: [Security Considerations...

### Impact An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. ### Patches The problem has been patched. All users are advised to upgrade to v3.1.5 or v2.1.9. ### Workarounds None. ### References https://github.com/SixLabors/ImageSharp/pull/2754 https://github.com/SixLabors/ImageSharp/pull/2756

### Summary The issue here is that we pass the secret content as one of the args via CLI. This issue may affect any of our charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. There are two points that may log this command, in different files: First, if there is an error during a secret handling, there will be a `subprocess.CalledProcessError`, which will contain the CLI comand + all its args. This is going to be logged in any logging level. This exception, if not caught by the charm, will bubble up to the `/var/log/juju/` logs and syslog journal. Now, on Ubuntu 22.04, these logs are protected with: ``` $ juju ssh -m controller 0 -- ls -la /var/log/juju/ total 224 drwxr-xr-x 2 syslog adm 4096 Jul 14 10:59 . drwxrwxr-x 9 root syslog 4096 Jul 14 10:58 .. -rw-r----- 1 syslog adm 20124 Jul 14 11:10 audit.log -rw-r----- 1 syslog adm 110432 Jul 14 11:10 logsink.log -rw-r----- 1 syslog adm 80783 Ju...