Gentoo Linux Security Advisory 202210-40 - Multiple vulnerabilities have been found in SQLite, the worst of which could result in arbitrary code execution. Versions less than 3.39.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-40  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: SQLite: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #777990, #863431  
       ID: 202210-40

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in SQLite, the worst of which  
could result in arbitrary code execution.

Background  
==========

SQLite is a C library that implements an SQL database engine.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-db/sqlite              < 3.39.2                    >= 3.39.2

Description  
===========

Multiple vulnerabilities have been discovered in SQLite. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All SQLite users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.39.2"

References  
==========

[ 1 ] CVE-2021-20227  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20227  
[ 2 ] CVE-2022-35737  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35737

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-40

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-40

Gentoo Linux Security Advisory 202210-39 - Multiple vulnerabilities have been found in libxml2, the worst of which could result in arbitrary code execution. Versions less than 2.10.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-39  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libxml2: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #877149  
       ID: 202210-39

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in libxml2, the worst of which  
could result in arbitrary code execution.

Background  
==========

libxml2 is the XML C parser and toolkit developed for the GNOME project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/libxml2           < 2.10.3                    >= 2.10.3

Description  
===========

Multiple vulnerabilities have been discovered in libxml2. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libxml2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.10.3"

References  
==========

[ 1 ] CVE-2022-40303  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40303  
[ 2 ] CVE-2022-40304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40304

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-39

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-39

Gentoo Linux Security Advisory 202210-38 - A vulnerability has been found in Expat which could result in denial of service. Versions less than 2.5.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-38  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Expat: Denial of Service  
     Date: October 31, 2022  
     Bugs: #878271  
       ID: 202210-38

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Expat which could result in denial of  
service.

Background  
==========

Expat is a set of XML parsing libraries.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/expat             < 2.5.0                      >= 2.5.0

Description  
===========

In certain out-of-memory situations, Expat may free memory before it  
should, leading to a use-after-free.

Impact  
======

A use-after-free can result in denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Expat users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/expat-2.5.0"

References  
==========

[ 1 ] CVE-2022-43680  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43680

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-38

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-38

Gentoo Linux Security Advisory 202210-34 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions less than 102.4.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-34  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #877773  
       ID: 202210-34

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Mozilla Firefox, the worst  
of which could result in arbitrary code execution.

Background  
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/firefox         < 102.4.0:esr          >= 102.4.0:esr  
                                < 106.0:rapid          >= 106.0:rapid  
  2  www-client/firefox-bin     < 102.4.0:esr          >= 102.4.0:esr  
                                < 106.0:rapid          >= 106.0:rapid

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-102.4.0"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.4.0"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-106.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-106.0"

References  
==========

[ 1 ] CVE-2022-42927  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42927  
[ 2 ] CVE-2022-42928  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42928  
[ 3 ] CVE-2022-42929  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42929  
[ 4 ] CVE-2022-42930  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42930  
[ 5 ] CVE-2022-42931  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42931  
[ 6 ] CVE-2022-42932  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42932

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-34

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-34

Gentoo Linux Security Advisory 202210-35 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. Versions less than 102.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-35  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873667, #878315  
       ID: 202210-35

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Mozilla Thunderbird, the  
worst of which could result in arbitrary code execution.

Background  
==========

Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  mail-client/thunderbird    < 102.4.0                  >= 102.4.0  
  2  mail-client/thunderbird-bin  < 102.4.0                >= 102.4.0

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.4.0"

All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.4.0"

References  
==========

[ 1 ] CVE-2022-39236  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39236  
[ 2 ] CVE-2022-39249  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39249  
[ 3 ] CVE-2022-39250  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39250  
[ 4 ] CVE-2022-39251  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39251  
[ 5 ] CVE-2022-42927  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42927  
[ 6 ] CVE-2022-42928  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42928  
[ 7 ] CVE-2022-42929  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42929  
[ 8 ] CVE-2022-42932  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42932

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-35

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-35

Gentoo Linux Security Advisory 202210-36 - A vulnerability has been found in libjxl which could result in denial of service. Versions less than 0.7.0_pre20220825 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-36  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: libjxl: Denial of Service  
     Date: October 31, 2022  
     Bugs: #856037  
       ID: 202210-36

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in libjxl which could result in denial of  
service.

Background  
=========  
libjxl is the JPEG XL image format reference implementation.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/libjxl          < 0.7.0_pre20220825>= 0.7.0_pre20220825

Description  
==========  
libjxl contains an unecessary assertion in  
jxl::LowMemoryRenderPipeline::Init.

Impact  
=====  
An attacker can cause a denial of service of the libjxl process via a  
crafted input file.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libjxl-0.7.0_pre20220825"

References  
=========  
[ 1 ] CVE-2022-34000  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34000

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-36

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-36

Gentoo Linux Security Advisory 202210-37 - Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. Versions less than 2.12.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-37  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: PJSIP: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #803614, #829894, #875863  
       ID: 202210-37

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in PJSIP, the worst of which  
could result in arbitrary code execution.

Background  
=========  
PJSIP is a free and open source multimedia communication library written  
in C language implementing standard based protocols such as SIP, SDP,  
RTP, STUN, TURN, and ICE.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-libs/pjproject         < 2.12.1                    >= 2.12.1

Description  
==========  
Multiple vulnerabilities have been discovered in PJSIP. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All PJSIP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.12.1"

References  
=========  
[ 1 ] CVE-2021-32686  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32686  
[ 2 ] CVE-2021-37706  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37706  
[ 3 ] CVE-2021-41141  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41141  
[ 4 ] CVE-2021-43804  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43804  
[ 5 ] CVE-2021-43845  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43845  
[ 6 ] CVE-2022-21722  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21722  
[ 7 ] CVE-2022-21723  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21723  
[ 8 ] CVE-2022-23608  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23608  
[ 9 ] CVE-2022-24754  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24754  
[ 10 ] CVE-2022-24763  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24763  
[ 11 ] CVE-2022-24764  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24764  
[ 12 ] CVE-2022-24786  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24786  
[ 13 ] CVE-2022-24792  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24792  
[ 14 ] CVE-2022-24793  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24793  
[ 15 ] CVE-2022-31031  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31031  
[ 16 ] CVE-2022-39244  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39244  
[ 17 ] CVE-2022-39269  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39269

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-37

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-37

Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: "given enough eyeballs, all bugs are shallow." This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying "all bugs are shallow" only true for

Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: "_given enough eyeballs, all bugs are shallow_." This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying "all bugs are shallow" only true for _shallow_ bugs and not ones that lie deeper? It turns out that security flaws in open source can be harder to find than we thought. Emil Wåreus, Head of R&D at Debricked, took it upon himself to look deeper into the community's performance. As the data scientist he is, he, of course, asked the data: _how good is the open source community at finding vulnerabilities in a timely manner_?

****The thrill of the (vulnerability) hunt****

Finding open source vulnerabilities is typically done by the maintainers of the open source project, users, auditors, or external security researchers. But despite these great code-archaeologists helping secure our world, the community still struggles to find security flaws.

On average, it takes _over 800 days_ to discover a security flaw in open source projects. For instance, the infamous Log4shell (CVE-2021-44228) vulnerability was undiscovered for a whopping 2649 days.

The analysis shows that 74% of security flaws are actually undiscovered for at least one year! Java and Ruby seem to have the most challenges here, as it takes the community more than 1000 days to find and disclose vulnerabilities. Our \[white\] hats go off to the PHP/Composer community, which slightly outperforms the others.

****The needle in a techstack****

Other interesting factors are that some of the different weakness types (CWE) seem to be harder to find and disclose, which actually contradicts Linus's law. The weakness types CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) typically aren't localized to a single function or may appear as intended logic in the application. In other words, it can't be considered "a shallow bug."

It also seems that the developer community is a bit better at finding CWE-20 (Improper Input Validation), where the flaw most of the time is just a few lines of code in a single function.

****Solve vulnerabilities with powerful remediation****

Why does this matter? As consumers of open source, and that's about every company in the whole world, the problem of vulnerabilities in open source is an important one. The data tells us that we can't fully trust Linus' Law - not because open source is less secure than other software, but because **not all bugs are shallow**.

Luckily, there are powerful tools to perform at-scale analysis of a lot of open source projects at once. There have been \[white knight hackers disclose 1000's\] of vulnerabilities at once using these methods. It would be naive to not assume that ill-minded organizations and individuals do the same. As an ecosystem that lays the foundation for our software-centric world, the community must improve its ability to find, disclose, and fix security flaws in open source significantly.

Last year, Google committed $10 billion to an open source fund to help secure open source with a specific curator role to work alongside the maintainers with specific security efforts.

Furthermore, Debricked helps companies make these vulnerabilities actionable by scanning all your software, every branch, every push, and every commit, for new (open source) vulnerabilities. Debricked even continuously scans all your old commits for every new vulnerability, to make sure they bring up-to-date, accurate, and actionable intelligence on the open source you consume. Debricked even helps developers fix your security flaws with automated pull requests that won't cause dependency hell; pretty neat!

**The truth lies in the data**

So, knowing all this, what is the best way to protect your project or company against open source vulnerabilities? As we've seen in the case of Log4j and Spring4shell as well as the numbers, we can never really trust that the community will find and fix all risks. There's a good chance that there are lots and lots of undiscovered and undisclosed vulnerabilities in your code today, and there's not much you can do about it.

According to Debricked, the best way to mitigate this is by implementing continuous vulnerability scanning to your SDLC. By automatically scanning at every push of code, in combination with the machine learning-powered vulnerability database. This makes sure you're updated in real-time, you'll know about new vulnerabilities before anyone else does. As soon as there's a fix, you can generate a Fix Pull Request automatically or solve it manually with Debricked's help. _Currently, Debricked offers remediation for JavaScript and Go, with more language support is to come shortly._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Last Years Open Source - Tomorrow's Vulnerabilities

** UNSUPPORTED WHEN ASSIGNED ** Oracle Solaris version 10 1/13, when using the Common Desktop Environment (CDE), is vulnerable to a privilege escalation vulnerability. A low privileged user can escalate to root by crafting a malicious printer and double clicking on the the crafted printer's icon.

CVE-2022-43752: .:: Phrack Magazine ::.

On-chip solutions aim to prevent breaches by separating the computing element and keeping data in the secure vault at all times.

Top chip makers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Chip makers are adding protective vaults and encryption layers to secure data when it is stored, in transit, or being processed. The goal is to prevent hackers from launching hardware attacks to steal data.

The chip offerings are trickling down to cloud providers, with Microsoft (Azure) and Google (Cloud) offering security-focused virtual machines in which data in secure vaults can be unlocked by only authorized parties. Attestation verifies the source and integrity of the program entering the secure vault to access the data. Once authorized, the processing happens inside the vault, and the code doesn't leave the secure vault.

Confidential computing is not a part of everyday computing yet, but it may become necessary to protect sensitive applications and data from sophisticated attacks, says Jim McGregor, principal analyst at Tirias Research.

The chip makers are focusing on hardware protections because "software is easy to hack," McGregor says.

**Nvidia's Morpheus Uses AI to Analyze Behavior**

There are multiple dimensions to confidential computing. On-chip confidential computing aims to prevent breaches like the 2018 Meltdown and Spectre vulnerabilities by separating the computing element and keeping data in the secure vault at all times.

"Everybody wants to continue to reduce the attack surface of data," says Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations. "Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level."

Nvidia is taking a divergent approach to confidential computing with Morpheus, which uses artificial intelligence (AI) to keep computer systems secure. For example, Morpheus identifies suspicious user behavior by using AI techniques to inspect network packets for sensitive data.

"Security analysts can go and fix the security policies before it becomes a problem," Boitano says. "From there, we also realize the big challenges — you have to kind of assume that people are already in your network, so you have also got to look at the behavior of users and machines on the network."

Nvidia is also using Morpheus to establish security priorities for analysts tracking system threats. The AI system breaks down login information to identify abnormal user behavior on a network and machines that may have been compromised by phishing, social engineering, or other techniques. That analysis helps the company's security team prioritize their actions.

"You're trying to look at everything and then use AI to determine what you need to keep and act on versus what might just be noise that you can drop," Boitano says.

**Intel Rolls Out Project Amber**

Confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models, says Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer.

Companies are eager to bring diverse data sets into proprietary data to make internal AI systems more accurate, Rao says. Confidential computing makes sure only authorized data is fed into AI and learning models, and that the data is not pilfered or stolen.

"If you have data coming in from credit card companies, you have data coming in from insurance companies, and you have data coming in from other locations, what you can do is say, 'I'm going to process all of these pieces of data inside of a \[secure\] enclave,'" Rao says.

Intel already had a secure enclave called SGX (Secure Guard Extension), but it recently added Project Amber, a cloud-based service that uses hardware and software techniques to attest and certify the trustworthiness of data.

On its upcoming 4th Generation Xeon Scalable processor, Intel's Project Amber uses instructions called Trust Domain Execution (TDX) to unlock secure enclaves. An Amber engine on one chip generates a numerical code for the secure enclave. If the code provided by the data or program seeking access matches, it is allowed to enter the secure enclave; if not, entry is denied.

**ARM Teams Up With AWS**

At the recent online ARM DevSummit, ARM — whose chip designs are being used by AWS on its Graviton cloud chip — announced it was focusing confidential computing on dynamic "realms" that will order programs and data in separate computational environments.

ARM's latest confidential computing architecture will deepen secure "wells" and make it harder for hackers to pull out data. The company is releasing confidential computing software stacks and guides for implementation in processors coming out over the next two years.

"We're already investing to ensure that you have the tools and software to see the ecosystem for early development," said Gary Campbell, executive vice president for central engineering at ARM, during a keynote at the event.

**AMD and Microsoft Go Open Source**

During a presentation at the AI Hardware Summit in August, Mark Russinovich, Microsoft Azure's chief technology officer, gave an example of how Royal Bank of Canada was using AMD's SEV-SNP confidential computing technology in Azure. The bank's AI model mixed proprietary data sets with information from merchants, consumers, and banks in real time, which helped provide more targeted advertising offerings to its customers.

Confidential computing features such as attestation ensured only the authorized data was mingling with its proprietary data set and not compromising it, Russinovich said.

Nvidia, Microsoft, Google, and AMD are collaborating on Caliptra, an open source specification for chip makers to build confidential computing security blocks into chips and systems.

Tag

#mac