Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

Re: Linux: Disabling network namespaces Mickaël Salaün (May 17)
Landlock [1] could be extended to control user namespace creation the
same way we will be able to deny socket creation [2]. I'll definitely
consider any relevant sandboxing feature such as user namespace and
fine-grained capability control (that cannot already be done with
existing kernel features). Contributions are welcome!

[1] https://docs.kernel.org/userspace-api/landlock.html
[2] https://github.com/landlock-lsm/linux/issues/6...

CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package Andrea Intilangelo (May 16)
CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

Use CVE-2024-34058.

Additional info:

NethServer is an Open Source operating system for the Linux enthusiast, designed for small offices and medium
enterprises. From their website: "It's simple, secure and flexible" and "ready to deliver your messages, to protect
your network with the built-in firewall, share your files and much more,...

OpenSSL Security Advisory [corrected CVE id] Tomas Mraz (May 16)
OpenSSL Security Advisory [16th May 2024]
=========================================

Excessive time spent checking DSA keys and parameters (CVE-2024-4603)
=====================================================================

Severity: Low

Issue summary: Checking excessively long DSA keys or parameters may be very
slow.

Impact summary: Applications that use the functions EVP_PKEY_param_check()
or EVP_PKEY_public_check() to check a DSA public...

OpenSSL Security Advisory Tomas Mraz (May 16)
OpenSSL Security Advisory [16th May 2024]
=========================================

Excessive time spent checking DSA keys and parameters (CVE-2023-3446)
=====================================================================

Severity: Low

Issue summary: Checking excessively long DSA keys or parameters may be very
slow.

Impact summary: Applications that use the functions EVP_PKEY_param_check()
or EVP_PKEY_public_check() to check a DSA public...

CVE-2024-21823: Intel DSA and Intel IAA advisory Alan Coopersmith (May 15)
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html
was published yesterday covering OS/Hypervisor mitigations they recommend
to reduce exposure to a bug in certain recent Intel CPUs.

It states:

[Further details, including a table of affected hardware, is in their advisory.]

https://bugzilla.redhat.com/show_bug.cgi?id=2278989 notes:

I don't know if any other open source kernels or hypervisors support this...

git: 5 vulnerabilities fixed Johannes Schindelin (May 14)
Team,

The Git project released new security bug-fix versions today, May 14th,
2024: v2.45.1, v2.44.1, v2.43.4, v2.42.2, v2.41.1, v2.40.2, and v2.39.4.

The addressed issues are:

* CVE-2024-32002 (https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv):

Recursive clones on case-insensitive filesystems that support symbolic
links are susceptible to case confusion that can be exploited to
execute just-cloned code during...

CVE-2024-32077: Apache Airflow: XSS vulnerability in Task Instance Log/Log Details Ephraim Anierobi (May 14)
Severity: moderate

Affected versions:

- Apache Airflow 2.9.0 before 2.9.1

Description:

Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into
the task instance logs. 
Users are recommended to upgrade to version 2.9.1, which fixes this issue.

Credit:

Ming (finder)
Jens Scheffler (remediation developer)

References:

https://github.com/apache/airflow/pull/38882...

Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer (May 13)
Solar Designer wrote:

While he is definitely somewhat confused, he claims at the start to have
detected a compromise, but does not give details about the indications
that led him to that conclusion.

As far as I can tell from a quick perusal, (landing at
<URL:https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Scenarios/DfciScenarios/>)
it seems that DFCI "Zero Touch" is actually tightly bound to Microsoft
cloud...

Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer (May 13)
Corey Lopez wrote:

Were the EFI variables marked immutable or did you make a list of every
file on the system and notice them on that list?

I will admit that this seems strange, but it appears that your laptop
has firmware support for DFCI even though, by Microsoft's claims, it
should not be eligible for that feature.

For a first step, I note that those EFI variables appear to contain XML,
and have (using ` sed -e '/^|/{:...

PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist Remi Gacogne (May 13)
Hi all,

We released PowerDNS DNSdist 1.9.4 today. This release fixes
CVE-2024-25581, a denial of service security issue affecting versions
1.9.0, 1.9.1, 1.9.2 and 1.9.3 only. Earlier versions are not affected.

When incoming DNS over HTTPS support is enabled using the nghttp2
provider, and queries are routed to a tcp-only or DNS over TLS backend,
an attacker can trigger an assertion failure in DNSdist by sending a
request for a zone...

Re: lsof "can't stat() fuse.${name} filesystem /run/user/1000/${dir}" Simon McVittie (May 11)
This is not evidence of a compromise, and is also nothing to do with
/dev/loop* specifically. You would see the same thing on a system that
is operating correctly, or when issuing other lsof commands as root that
do not involve /dev/loop*.

These are FUSE filesystems running as uid 1000, which by default are
not accessible *by root* - which might seem strange at first glance,
but is an intentional security mechanism to protect root from being...

Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Solar Designer (May 11)
Hi,

Corey's message is confused and there's no indication in it whether the
system was compromised, so that part doesn't need further discussion,
but as a moderator I don't mind someone explaining Linux's (and other
systems') exposure of the EFI variables and DFCI and what it means for
security as well as what it does not.

That's normal.

No reason to think so.

That's probably because they were in use....

Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Corey Lopez (May 11)
I have a dual-boot Windows 11 Home Edition and Debian-based setup on my laptop.

Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2024.1
Codename: kali-rolling

After realizing a security breach on my Kali system I discovered /etc/network/interface
had the immutable attribute set while trying to restrict access using chmod. I decided to
investigate other files on my system with the immutable attribute set by running...

[vim-security] buffer-overflow in xxd with colored output < v9.1.0404 Christian Brabandt (May 10)
buffer overflow when outputting colored output in xxd
=====================================================
Date: 10.05.2024
Severity: Low

When outputting colored hexdumps using the -R command line flag,
together with -g1 (group every byte), -c 256 (format 256 octets per
line), -d (show offsets in decimal) and -o <large_number> (add offset to
the file position), the buffer used to write to may overflow.

Impact is low since the user must...

Re: New SMTP smuggling attack Erik Auerswald (May 09)
Hi,

This section of the RFC explicitly states that any ASCII character is
allowed (see the first sentence you omitted from your quote). Any ASCII
character includes NUL. Stripping the NUL violates the standard.
This is obvious. The RFC text is clear.

The Cisco ESA has been called out in the original SMTP smuggling report
as facilitating SMTP smuggling attacks, thus it is useful as an example.
It provides an example where a side-effect of...
