#vulnerability

Red Hat Security Advisory 2024-1485-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-1484-03 - An update for firefox is now available for Red Hat Enterprise Linux 8. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.

Early versions of `amphp/http-client` with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 `CONTINUATION` frames in an unbounded buffer and will not check the header size limit until it has received the `END_HEADERS` flag, resulting in an OOM crash. Later versions of `amphp/http-client` (v4.1.0-rc1 and up) depend on `amphp/http` for HTTP/2 processing and will therefore need an updated version of `amphp/http`, see [GHSA-qjfw-cvjf-f4fm](https://github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm). ## Acknowledgements Thank you to [Bartek Nowotarski](https://nowotarski.info/) for reporting the vulnerability.

`amphp/http` will collect HTTP/2 `CONTINUATION` frames in an unbounded buffer and will not check the header size limit until it has received the `END_HEADERS` flag, resulting in an OOM crash. `amphp/http-client` and `amphp/http-server` are indirectly affected if they're used with an unpatched version of `amphp/http`. Early versions of `amphp/http-client` with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected. ## Acknowledgements Thank you to [Bartek Nowotarski](https://nowotarski.info/) for reporting the vulnerability.

Security teams often confuse tool purchasing with program management. They should focus on what a security program means to them, and what they are trying to accomplish.

### Impact DOS by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. Since the name is usually provided as a static value in the application using `oidcc`, this is unlikely to be exploited. ### Details Example to illustrate the vulnerability. ```erlang {ok, Claims} = oidcc:retrieve_userinfo( Token, myapp_oidcc_config_provider, <<"client_id">>, <<"client_secret">>, #{} ) ``` The vulnerability is present in `oidcc_provider_configuration_worker:get_ets_table_name/1`. The function `get_ets_table_name` is calling `erlang:list_to_atom/1`. https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388 There might be a case (Very highly improbable) where the 2nd argument of `oidcc_provider_configuration_worker:get_*/1` is called with a different atom each time which eventually leads to the...

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies. The high-severity zero-day vulnerabilities are as follows - CVE-2024-29745 - An information disclosure flaw in the bootloader component CVE-2024-29748 - A privilege escalation flaw in the firmware component "There are indications that the [

By Waqas Storing a backup of your data is a wise decision, but have you considered keeping a backup of your backup? This is a post from HackRead.com Read the original post: Sophos Reveals Ransomware Attacks Are Now Targeting Backups

By Waqas Storing a backup of your data is a wise decision, but have you considered keeping a backup of your backup? This is a post from HackRead.com Read the original post: Sophos Reveals Ransomware Attacks Are Now Targeting Backups

By cybernewswire Silver Spring, United States / Maryland, April 3rd, 2024, CyberNewsWire The Leading Company for Securing Access Between Workloads… This is a post from HackRead.com Read the original post: Aembit Selected as Finalist for RSA Conference 2024 Innovation Sandbox Contest