Red Hat Security Advisory 2024-4672-03 - An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a memory leak vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4672.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: containernetworking-plugins security updateAdvisory ID:        RHSA-2024:4672-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4672Issue date:         2024-07-22Revision:           03CVE Names:          CVE-2024-1394====================================================================Summary: An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Container Network Interface (CNI) project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted. Security Fix(es):* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1394References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262921

Red Hat Security Advisory 2024-4672-03

Red Hat Security Advisory 2024-4671-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4671.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: thunderbird security updateAdvisory ID:        RHSA-2024:4671-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4671Issue date:         2024-07-22Revision:           03CVE Names:          CVE-2024-6601====================================================================Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Thunderbird is a standalone mail and newsgroup client.Security Fix(es):* Mozilla: Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, and Thunderbird 115.13 (CVE-2024-6604)* Mozilla: Race condition in permission assignment (CVE-2024-6601)* Mozilla: Memory corruption in NSS (CVE-2024-6602)* Mozilla: Memory corruption in thread creation (CVE-2024-6603)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6601References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2296636https://bugzilla.redhat.com/show_bug.cgi?id=2296637https://bugzilla.redhat.com/show_bug.cgi?id=2296638https://bugzilla.redhat.com/show_bug.cgi?id=2296639

Red Hat Security Advisory 2024-4671-03

Red Hat Security Advisory 2024-4670-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4670.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: thunderbird security updateAdvisory ID:        RHSA-2024:4670-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4670Issue date:         2024-07-22Revision:           03CVE Names:          CVE-2024-6601====================================================================Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Thunderbird is a standalone mail and newsgroup client.Security Fix(es):* Mozilla: Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, and Thunderbird 115.13 (CVE-2024-6604)* Mozilla: Race condition in permission assignment (CVE-2024-6601)* Mozilla: Memory corruption in NSS (CVE-2024-6602)* Mozilla: Memory corruption in thread creation (CVE-2024-6603)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6601References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2296636https://bugzilla.redhat.com/show_bug.cgi?id=2296637https://bugzilla.redhat.com/show_bug.cgi?id=2296638https://bugzilla.redhat.com/show_bug.cgi?id=2296639

Red Hat Security Advisory 2024-4670-03

Red Hat Security Advisory 2024-4646-03 - An update for qt5-qtbase is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4646.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qt5-qtbase security updateAdvisory ID:        RHSA-2024:4646-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4646Issue date:         2024-07-19Revision:           03CVE Names:          CVE-2024-39936====================================================================Summary: An update for qt5-qtbase is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. Security Fix(es):* qtbase: qtbase: Delay any communication until encrypted() can be responded to (CVE-2024-39936)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-39936References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2295867

Red Hat Security Advisory 2024-4646-03

Red Hat Security Advisory 2024-4645-03 - An update for qt5-qtbase is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4645.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qt5-qtbase security updateAdvisory ID:        RHSA-2024:4645-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4645Issue date:         2024-07-19Revision:           03CVE Names:          CVE-2024-39936====================================================================Summary: An update for qt5-qtbase is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. Security Fix(es):* qtbase: qtbase: Delay any communication until encrypted() can be responded to (CVE-2024-39936)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-39936References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2295867

Red Hat Security Advisory 2024-4645-03

Red Hat Security Advisory 2024-4642-03 - An update for libndp is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4642.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: libndp security updateAdvisory ID:        RHSA-2024:4642-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4642Issue date:         2024-07-19Revision:           03CVE Names:          CVE-2024-5564====================================================================Summary: An update for libndp is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Libndp is a library (used by NetworkManager) that provides a wrapper for the IPv6 Neighbor Discovery Protocol. It also provides a tool named ndptool for sending and receiving NDP messages.Security Fix(es):* libndp: buffer overflow in route information length field (CVE-2024-5564)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-5564References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2284122

Red Hat Security Advisory 2024-4642-03

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, “Your First 100 Days as a vCISO – 5 Steps to Success”, which covers all the phases entailed in launching a successful vCISO engagement, along with recommended

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success", which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.

Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.

This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

The workshop was delivered in partnership with Jesse Miller, co-author of the First 100 Days playbook, and founder of PowerPSA Consulting and the PowerGRYD. Jesse is a long-time CISO/vCISO and infosec strategist who has made it his mission to help service providers crack the code for premium vCISO profits. You can watch the entire webinar, with more details and real-world examples here.

**The Hidden Value in Reporting**

According to Miller, "It's one thing to do a great job, it's quite another for your client to see it that way." This is where reporting should focus. A tight reporting process is the cherry on top of a connected journey for the client in a successful vCISO program.

However, as Miller reveals, reporting is not primarily for the purpose of demonstrating the activities the vCISO performs for the client, which is a common misconception. Rather, the real value lies in making the client the hero of their security journey. Therefore, vCISO reports should focus on the client and their organization's goals, not the vCISO's activities. The ultimate goal of any report is to enable a business strategy discussion that revolves around security.

**vCISO Reporting Benefits**

Drilling down into the aforementioned purpose, vCISO reporting provides multiple benefits for both the vCISO and the client:

For the vCISO -

*   Ensuring the vCISO is aligned with client expectations
*   Ensuring the client understands their security and compliance posture
*   Creating a shared vision between the vCISO and the client
*   Build consensus on an improvement path (rather than solely pushing recommendations one-sidedly)
*   Anchoring initiatives into business outcomes
*   Driving retention and sales

For the client -

*   Controlling their security destiny
*   Designing their security journey based on business outcomes and allowing them to own the risk associated with their decisions and actions
*   Simplified decision-making
*   Noise reduction
*   Bandwidth and scale
*   Getting easy buttons and resources for tactical execution
*   Ensuring they perceive the high ROI being provided for their vCISO investment

**4 Essential Sections of a vCISO Report**

To uncover all the benefits listed above, it is recommended to create a report that covers four sections:

*   **Section 1: General Recap -** The summary, top-level metrics and any "hot stove" items.
*   **Section 2: Tactical Review -** How controls perform, data "stories" and setting the stage for the recommendations and initiatives to come in the following sections.
*   **Section 3: Strategic Review -** A roadmap review, holding a business-led discussion, recommendations and mapping the RCT (Resource, Commitment, Time) for the next steps.
*   **Section 4: Future Initiatives -** Current work in progress, protecting from risk and building up the sales funnel.

Now let's dive into each one.

**Section 1: General Recap**

The first section of the report provides an overview and summary, teasers for the rest of the report and high-level metrics. It is also where "hot-stove" items can be addressed. For example, informing about an attacker foothold and answering any open questions.

By providing a brief initial section focused on the outcomes, vCISOs can concisely share the story they are telling. It also allows Executives and Business Leaders to join the first part of the report for an overview, leaving the practitioners to dig into the granular details later on.

For example, in this sample report by Cynomi, we can see the first part of the general recap, showing the posture score, together with a brief explanation about what it means and alluding to the risk.

**Section 2: Tactical Review**

The second section allows telling stories with the data. Since there's a wide range of data that can be pulled into the reports, it's important to ensure the right data is used. This will allow the creating of the right story.

Remember, the idea is to make the client the hero, showing them how they get what they want for the business from their security program.

For example, a highly technical audience can get into the granular details of the security programs. However, a high level decision maker will not be able to understand the story from the same data. Therefore, it's recommended to automate the gathering of data, and then collate and prune the data for the type of client that's being presented to.

This section can also show progress and recommendations tailored for various decision makers, security incidents and how to address them, recommended actions to support business processes (like M&As), and more.

For example, in this section from a sample report by Cynomi, the vCISO can drill down into the status of the various policies and domains that need to be better secured. Later on, the report also shows the scan results that are the evidence for this analysis.

**Section 3: Strategic Review**

The strategic review section is intended to create a prioritized security journey. To build this story, it's important to link the risk assessment, the security roadmap and the recommendations. This means creating a system where the high-level risk assessment finds delinquencies in security controls, like vulnerability management, malware control, or incident response. Then, the recommendation report should clearly state which solutions need to be deployed and the roadmap should list priorities, i.e. creating a journey.

Pro tips:

*   Don't spread FUD. Rather, go with a "compliment sandwich" approach, starting and ending with positive feedback.
*   Before asking clients to spend money, show them how recommendations and actions save them money and support the business.
*   Use the RCT (Resources, Cost, Time) mapping to help clients make a decision.

For example, in this Cynomi report, the vCISO can show the state of meeting compliance and leverage this for the recommendations and roadmap.

**Section 4: Future Initiatives**

In the end, it's time to discuss future initiatives. Since clients do not have endless resources, this section helps queue up work and prioritize it based on a business-led consensus.

This section also helps protect both the client and vCISO from risk. For example, showing progress month over month helps show auditors and regulatory bodies the client is performing due care. This protects both the vCISO and the client.

Finally, this section creates accountability among customers. With the vCISO clearly showing the business outcomes of accepting proposed recommendations, the client can make a business decision, and own the risk for that decision.

**What's Next?**

Reporting is part of a holistic vCISO approach that creates trust with the client. Making the client the hero shows them you have their best interests at heart. When this is verifed through reporting, it drives vCISO scale and growth, making your business successful.

For more explanations and examples, watch the entire workshop here.

For more pro tips and proven practices for vCISO, read the guide "Your First 100 Days as a vCISO – 5 Steps to Success".

For daily insights on how to supercharge your vCISO profits, follow Jesse Miller on LinkedIn or join the PowerGRYD community.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MSPs & MSSPs: How to Increase Engagement with Your Cybersecurity Clients Through vCISO Reporting

The DOD wants to refurbish ICBM silos that give it the ability to end civilization. But these missiles are useless as weapons, and their other main purpose—attracting an enemy’s nuclear strikes—serves no end.

If you’re one of the millions of Americans who live within range of its 450 intercontinental ballistic missile silos, the Pentagon has written you off as an acceptable casualty. The silos are scattered across North Dakota, Montana, Colorado, Wyoming, and Nebraska in a zone of sacrifice—what lawmakers and military planners have long called the “nuclear sponge.”

Despite real concerns over cost overruns, human lives, and the general uselessness of ICBMs, the Pentagon is barreling forward with a plan to modernize those silos and their missiles. Right now the Department of Defense thinks it’ll cost $141 billion. Independent research puts the number at closer to $315 billion.

All of that is money the Pentagon plans to use to build a doomsday machine—a weapon that, were it ever used, would mean the end of human civilization. Such a weapon, most experts agree, is pointless.

ICBMs are a relic of the Cold War. The conventional thinking is that a nuclear power needs three options for deploying nuclear weapons—air-based strategic bombers, sea-based stealth submarines, and land-based missiles. That’s the nuclear triad. Should one leg of the triad fail, one of the other two will prevail.

First deployed throughout the 1960s, America’s ICBMs are old. According to the US Air Force, the Minuteman III missiles need to be decommissioned and replaced with a new missile called the Sentinel. Northrop Grumman has a plan to do it. The Air Force wants to buy 634 Sentinel missiles and modernize 400 silos and 600 other additional facilities.

This would cost probably hundreds of billions of dollars. The prices have spiraled so out of control—up 81 percent from 2020 projections—that it triggered a little-known congressional rule aimed at curtailing costs. If a weapons program’s costs bloat beyond 25 percent of their original projection, the DOD has to justify the need for the program and the rising costs. On July 8, the Pentagon released the results of the review. Unsurprisingly, it said it needs the weapons. A congressional hearing is scheduled for July 24.

There’s been a lot of congressional back and forth about the program. Representative Adam Smith, a Washington Democrat and ranking member of the House Armed Services Committee, has been public in his opposition to the program. Senator Deb Fischer, a Nebraska Republican, has said that people calling for cuts to the nuclear program are living in a dream world.

“Land-based ICBMs, by virtue of their location in our heartland, are also unlikely to be targeted by enemy attack,” Fischer said in a recent Newsweek op-ed.

“Military planners would be surprised to hear that,” says Joseph Cirincione, retired president of the Ploughshares fund and former director of nonproliferation at the Carnegie Endowment for International Peace. “Because a major justification for the program is that it would do exactly that, it would force the adversary to target these warheads … they’re counting on the adversary thinking about it.”

At one point in his career, Cirincione was a congressional staffer who worked on military reform for almost a decade. “When I was on the Armed Services Committee staff in the ’80s and ’90s, I heard about the sponge,” he says. “It’s one of the two chief justifications for the ICBM.”

The other is its responsiveness—the idea that it can fire and hit its targets a few minutes faster than a submarine or a bomber. “The arguments get very vague, and they’re intentionally kept vague,” he says. “And you hear that people sort of make this profound-sounding strategic rationale—value-laden phrases like, ‘They’re the backbone of our national defense strategy backbone.’ But probing that, digging under it, you realize it’s just built on sand. There’s no foundational logic to this beyond Cold War targeting calculations.”

The targeting calculations are absurd and frightening. These silos exist so that the United States can launch an all-out nuclear attack on Russia or China. The goal of the strike would be the total destruction of the population centers of the opposing nation. It would not be about an in-kind attack, but rather the total obliteration of the enemy. This is precisely why many experts consider them useless.

“If we used the ICBMs it would be the end of human civilization, even without an adversary hitting the United States with a single warhead,” Cirincione says.

“I think there’s no point to the ICBM silos,” says Tara Drozdenko, director of global security at the Union of Concerned Scientists. “Our submarine-based missiles are quite accurate. They’re basically impossible to find, and so they don’t have the vulnerability as our fixed-in-one-spot silos have.”

This means that, in practice, the point of the ICBMs is to draw enemy warheads away from population centers and toward more sparsely-populated areas of the US. But those warheads hitting the United States would have profound consequences for the planet and its people. A study from Sébastien Philippe at Princeton’s Program on Science and Global Security found that an all-out attack on the nuclear sponge would lead to the deaths of millions of people in the US, Canada, and Mexico.

“It’s not just absorbing a nuclear attack,” Philippe tells WIRED. “It’s like when you pour water on the sponge, and then you press onto it, it’s going to spill everywhere. So spill-out from that sponge is massive radioactive fallout across the country.”

In Philippe’s study, he and a team used recent weather data to model how radioactive fallout would flow across the planet after an attack on the nuclear sponge. “Overall, almost 300 million were at risk of receiving lethal doses depending on where the wind would blow…just from having that weapon system attack,” he says.

The fallout would be severe. “We’re not talking about having cancer in 15, 20, 30 years. We’re talking about your cells and organs and your body shutting down in days, weeks, or months after the explosion.”

The consequences of the Sentinel program extend beyond a worst-case scenario, however. The Air Force’s plan proposes a monumental feat of engineering. To support the new missiles, the Air Force plans to demolish 45 missile alert facilities and build at least 24 new ones in their place. It will renovate the existing 450 silos, construct 3,100 miles of utility corridors, and raise 62 300-foot-tall communications towers. The Air Force says it can do all this by 2036.

That’ll take a lot of labor power—roughly 3,000 temporary workers. They’ll have to live somewhere, and current Sentinel plans involve the construction of temporary housing for the folks who come to work on the silos. “That’s something the communities are worried about,” Philippe says.

Communities in silo states like North Dakota lived through something similar during the fracking booms of the past two decades. Massive shale deposits moved temporary workers across western and midwestern states. Crime followed. Opposition to the project on tribal lands and local communities is already building.

Kimball, Nebraska, will be the site of one of these early pioneer camps. The pioneer camp will construct “The Hub,” a three-story dormitory filled with 600-square-foot apartments. It’ll be wildcat hours, with Hub workers living onsite for a month at a time and pulling 10-hour shifts before returning back home to family. The construction of this facility will double the population of Kimball while it’s in use.

Perhaps the most ludicrous part of the Sentinel program is that the US doesn’t need ICBMs at all. Its sea-based stealth submarines are hard to detect and harder to destroy. If an enemy ever threatened a nuclear attack on America, a submarine would be available to retaliate. In addition, the US has stealth bombers that can deliver nuclear weapons from the air.

So why drill holes in the ground and fill them with nuclear weapons? In her op-ed, Fischer gave away the game: It’s about fear. “We invest in nuclear weapons because they underwrite every operation or negotiation undertaken by our nation,” she wrote. “Effective diplomacy—especially with other nuclear powers—means nothing if it isn't buttressed by a formidable nuclear deterrent.”

Fischer doesn’t speak for everyone at the Pentagon nor every politician on the Hill, but she does highlight a dangerous strain of thinking. In order for America to be a major player on the world stage, the logic goes, the world has to believe it’s willing to destroy the world if it doesn’t get what it wants.

The Pentagon Wants to Spend $141 Billion on a Doomsday Machine

Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-41709

**Backdrop CMS does not sufficiently sanitize field labels before they are displayed in certain places**

Moderate severity GitHub Reviewed Published Jul 22, 2024 to the GitHub Advisory Database • Updated Jul 25, 2024

**Package**

composer backdrop/backdrop (Composer)

**Affected versions**

< 1.27.3

\>= 1.28.0, < 1.28.2

**Patched versions**

1.27.3

1.28.2

**Description**

Published to the GitHub Advisory Database

Jul 22, 2024

Last updated

Jul 25, 2024

GHSA-3wmx-48g3-x66g: Backdrop CMS does not sufficiently sanitize field labels before they are displayed in certain places

In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.

**Calibre-Web Cross Site Scripting (XSS)**

Moderate severity GitHub Reviewed Published Jul 19, 2024 to the GitHub Advisory Database • Updated Jul 19, 2024

Tag

#vulnerability