Security Leftovers
Security updates for Tuesday [LWN.net]
Security updates have been issued by Debian (nodejs and squid), Fedora (uboot-tools), Red Hat (kernel-rt, kpatch-patch, and python), SUSE (drbd, openssl-1_0_0, oracleasm, and rubygem-rack), and Ubuntu (curl).
2022 CWE Top 25 Most Dangerous Software Weaknesses | CISA
The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The list uses data from the National Vulnerability Database to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list also incorporates updated weakness data for recent Common Vulnerabilities and Exposures records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog.
When Security Locks You Out of Everything
Thought experiment story of someone who lost everything in a house fire, and now can’t log into anything
[...]
Those risks are in the order of most common to least common, but that doesn’t necessarily mean that they are in risk order. They probably are, but then we’re left with no good way to handle someone who has lost all their digital credentials—computer, phone, backup, hardware token, wallet with ID cards—in a catastrophic house fire.
I want to remind readers that this isn’t a true story. It didn’t actually happen. It’s a thought experiment.
Codenotary introduces Software Bill of Materials service for Kubernetes
Software Bills of Materials (SBOMs) aren't optional anymore. If we really want the applications we're running in containers to be secure, we must know what's what within them. To make that easier, Codenotary, a leading software supply chain security company, is launching its new SBOM Operator for Kubernetes in both its open-source Community Attestation Service and its flagship service, Codenotary's Trustcenter.
Delaying the inevitable: Implementation of CERT-In’s Cybersecurity Directions gets a piecemeal extension
On June 27, 2022, the Indian Computer Emergency Response Team (“CERT-In”) issued a notification (No. 20(3)/2022-CERT-In) in relation to the extension of timelines for partial enforcement of Cyber Security Directions of April 28, 2022 (“Directions”) issued under sub-section (6) of section 70B of the Information Technology (“IT”) Act, 2000. The Directions were scheduled to go into effect 60 days from the date of their notification. While the timelines for enforcement of the entire Directions have been extended for Micro, Small and Medium Enterprises (“MSMEs”), for Data Centres, Virtual Private Server (“VPS”) providers, Cloud Service providers and Virtual Private Network (“VPN”) service providers only specific requirements relating to the validation of subscribers/customers details have received a timeline extension. The new date for enforcement of the Directions for such entities and specific requirements is September 25, 2022.
CMC Electronics EFB breakout vulnerability | Pen Test Partners
We’ve been finding vulnerabilities in electronic flight bags for a few years now. Disclosure response from the vendors involved has varied from excellent to radio silence.
In every case we have tried extremely hard to engage with the vendors involved, even where we were ignored. We asked friendly OEMs and others in the supply chain to help encourage those who wouldn’t respond to us, but their efforts were ignored too.
In some circumstances, it would be possible to affect take-off performance and landing calculations, resulting in significant safety events such as those here.
Audiocasts/Shows: GNU/Linux Mistakes, Demo of EndeavourOS 22.6, and Ubuntu's Decline
Vim 9.0 : vim online
After many years of gradual improvement Vim now takes a big step with a major release. Besides many small additions the spotlight is on a new incarnation of the Vim script language: Vim9 script. The previous release was version 8.2 in December 2019. Since the latest source code is always available on GitHub, many have already picked up later patch versions (there are more than 5000 of them!). Therefore the changes have already been tried out by many users. On top of that bugs have been fixed, security issues have been addressed, and many tests have been added. Code coverage has been dramatically increased. This version is more reliable than any before.
Mozilla Thunderbird 102 Released with New Address Book, Import/Export Wizard
After the big announcement earlier this month that Mozilla Thunderbird is coming to Android devices, the project released today Mozilla Thunderbird 102 as the first major new series of the popular email client almost a year after the release of Mozilla Thunderbird 91. Highlights of Mozilla Thunderbird 102 include a new address book that supports importing of contacts in the vCard format, refreshes the design of the contact cards with new contact entries, and makes it a lot easier to navigate and interact with your contacts.
Fedora Family / IBM Leftovers