#linux

## Summary Adding default PCR12 validation to ensure that account operators can not modify kernel command line parameters, potentially bypassing root filesystem integrity validation. Attestable AMIs are based on the systemd Unified Kernel Image (UKI) concept which uses systemd-boot to create a single measured UEFI binary from a Linux kernel, its initramfs, and kernel command line. The embedded kernel command line contains a dm-verity hash value that establishes trust in the root file system. When UEFI Secure Boot is disabled, systemd-boot appends any command line it receives to the kernel command line. Account operators with the ability to modify UefiData can install a boot variable with a command line that deactivates root file system integrity validation, while preserving the original PCR4 value. Systemd-boot provides separate measurement of command line modifications in PCR12. ## Impact In line with the TPM 2.0 specification and systemd-stub logic, KMS policies that do not inc...

Google has pushed out a Chrome update with 13 security fixes, including a high-severity flaw in Digital Credentials.

Think your Wi-Fi is safe? Your coding tools? Or even your favorite financial apps? This week proves again how hackers, companies, and governments are all locked in a nonstop race to outsmart each other. Here’s a quick rundown of the latest cyber stories that show how fast the game keeps changing. DeFi exploit drains funds Critical yETH Exploit Used to Steal $9M

Twenty-eight percent of businesses surveyed in the recent SP Global Market Intelligence 451 Research report, “The value of a unified automation platform,” responded that their company uses 50-100+ tools that don’t seamlessly integrate. This widespread adoption of disparate solutions, often driven by a "do it yourself" mentality, can lead to overwhelming tool sprawl. The resulting lack of interoperability directly hinders innovation, fragments data insights, and ultimately undermines the effective delivery of AI solutions.As automation and AI become increasingly interdependent, systems mu

IT teams are stuck between wanting to implement AI solutions across their organizations and dealing with the messy reality of increasingly complex infrastructure. Many are attempting to build their own automation solutions, cobbling together a patchwork of tools that, while well-intentioned, can actually make things worse. Red Hat dug into this with SP Global Market Intelligence 451 Research, and their findings point to a simpler alternative: use a unified platform instead of patchworking tools together.The DIY dilemma: More tools, more problemsMost teams are drowning in tools, often ending up

The Center for Internet Security® (CIS®) has officially published guidance for hardening Red Hat OpenShift Virtualization.The official publication of the new CIS Benchmark® for Red Hat OpenShift Virtualization is an important development for organizations running traditional virtual machines (VMs) alongside modern containers. OpenShift Virtualization is a feature of Red Hat OpenShift that allows existing VM-based workloads to run directly on the platform. This globally recognized, consensus-driven benchmark provides recommendations for creating a security-focused configuration for those env

## Summary Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized ## Details By default Workspace Agent logs are redirected to [stderr](https://linux.die.net/man/3/stderr) https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439 [Workspace Agent Manifests](https://coder.com/docs/reference/agent-api/schemas#agentsdkmanifest) containing sensitive environment variables were logged insecurely https://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090 An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system ([SIEM](https://csrc.nist.gov/glossary/term/security_information_and_event_management_tool), logging stack) could access those logs This behavior opened room for unauthorized access and privilege escalation ## Impact Impact varies depending on the environment variables set in a given workspace ## Patches [Fix](https://g...

Cybersecurity researchers have discovered a malicious Rust package that's capable of targeting Windows, macOS, and Linux systems, and features malicious functionality to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The Rust crate, named "evm-units," was uploaded to crates.io in mid-April 2025 by a user named "ablerust,"

### Impact In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used `--security` option, in particular the forms `--security=apparmor:<profile>` and `--security=selinux:<label>` which otherwise put restrictions on operations that containers can do. The `--security` option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. In addition, a bug in the detection of selinux support in Apptainer's suid mode means that `--security selinux:<label>` flags may not be applied, even in the absence of an attack. In that case a warning message is emitted indicating that selinux is unavailable, but the warning may be may be overlooked...

### Impact _**Native Mode (default)**_ Singularity's default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the `--security selinux:<label>` or `--security apparmor:<profile>` flags. LSM labels are written to process or thread `attrs/exec` under `/proc`. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. This requires: * The attacker to cause the user to run a malicious container image that redirects the mount of `/proc` to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. * Control of the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from...