Security Leftovers (2021-12-06)
Ivanti Updates Log4j Advisory with Security Updates for Multiple Products | CISA
Ivanti has updated its Log4j Advisory with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system.
Security updates for Friday [LWN.net]
Security updates have been issued by Debian (firefox-esr), Fedora (cockpit, python-cvxopt, and vim), openSUSE (libmspack), Oracle (webkitgtk4), Scientific Linux (firefox and thunderbird), SUSE (kernel and libmspack), and Ubuntu (firefox and pillow).
Google says open source software should be more secure • The Register
In conjunction with a White House meeting on Thursday at which technology companies discussed the security of open source software, Google proposed three initiatives to strengthen national cybersecurity.
The meeting was arranged last month by US national security adviser Jake Sullivan, amid the scramble to fix the Log4j vulnerabilities that occupied far too many people over the holidays. Sullivan asked invited firms – a group that included Amazon, Apple, Google, IBM, Microsoft, and Oracle – to share ideas on how the security of open source projects might be improved.
Google chief legal officer Kent Walker in a blog post said that just as the government and industry have worked to shore up shoddy legacy systems and software, the Log4j repair process – still ongoing – has demonstrated that open source software needs the same attention as critical infrastructure.
This Week In Security: NPM Vandalism, Simulating Reboots, And More | Hackaday
We’ve covered quite a few stories about malware sneaking into the NPM and other JavaScript repositories. This is a bit different. This time, a JS programmer vandalized his own packages. It’s not even malware; perhaps we should call it protestware? The two packages, colors and faker, are both popular, with combined weekly downloads of nearly 23 million. Their author, [Marak], added a breaking update to each of them. These libraries now print a header of LIBERTY LIBERTY LIBERTY, and then either random characters or very poor ASCII art. It’s been confirmed that this wasn’t an outside attacker, but [Marak] breaking his own projects on purpose. Why?
It seems like this story starts back in late 2020, when [Marak] lost quite a bit in a fire and had to ask for money on Twitter. Two weeks later, he tweeted that billions were being made off open source devs’ work, citing a FAANG leak. FAANG is a reference to the big five American tech companies: Facebook, Apple, Amazon, Netflix, and Google. The same day, he opened an issue on GitHub for faker.js, throwing down an ultimatum: “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”
