Tag
The US government launched a self-attestation form asking software developers to affirm their software was developed securely. Compliance starts today for software used in critical infrastructure.
Red Hat Security Advisory 2024-3784-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.10. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3783-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.10. Issues addressed include bypass and use-after-free vulnerabilities.
ANSSI, the National Cybersecurity Agency of France (Agence nationale de la sécurité des systèmes d'information), provides a configuration guide for GNU/Linux systems. It's identified as ANSSI-BP-028 (formerly known as ANSSI DAT NT-028). Recently, ANSSI published an update of its ANSSI-BP-028 configuration recommendations. In this post, I review what has changed from version 1.2 to 2.0, and what it might mean for you as a Red Hat Enterprise Linux (RHEL) user. Most importantly, I also illustrate how to verify compliance of your systems with this updated Security Content Automation Protocol (S
## Impact A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. ## Patches This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. ## Workarounds Ensure that any configured `credsStore` or `credHelpers` entries in the configuration file reference an installed credential helper that is executable and on the `PATH`. ## For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/docker/cli/issues/new/choose) * Email us at security@docker.com if you think you’ve found a security bug
## Impact A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. ## Patches This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted. ## Workarounds Ensure you only run trusted containers. ## Credits The Moby project would like to thank Lei Wang and Ruizhi Xiao for responsibly disclosing this issue in accordance with the [Moby security policy](https://github.com/moby/moby/blob/master/SECURITY.md). ## For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/moby/moby/issues/new) * Email us at security@docker.com if you th...
Kiuwan SAST versions prior to 2.8.2402.3, Kiuwan Local Analyzer versions prior to master.1808.p685.q13371, and Kiuwan SaaS versions prior to 2024-02-05 suffer from XML external entity injection, cross site scripting, insecure direct object reference, and various other vulnerabilities.
AI’s integration into search engines could change the way many of us interact with the internet.
Data breach at Australian fast food giant Patties Foods exposes critical customer data! Learn what information may be…
### Summary gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution. ### PoC 1. Generate a pdf file with a malicious script in the fontmatrix. (This will run `alert(‘XSS’)`.) [poc.pdf](https://github.com/user-attachments/files/15516798/poc.pdf) 2. Run the app. In this PoC, I've used the demo for a simple proof.  3. Upload a PDF file containing the script.  4. Check that the script is running.  ### Impact Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, e...