24 matches found
RLSA-2024:2961 Moderate: Image builder components bug fix, enhancement and security update
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fixes: osbuild-composer: race condition may disable GPG verification for package repositories CVE-2024-2307 For more details about the security issues,...
osbuild-composer: race condition may disable GPG verification for package repositories
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built...
osbuild-composer: race condition may disable GPG verification for package repositories
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built...
ALSA-2024:2119 Moderate: Image builder components bug fix, enhancement and security update
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fixes: osbuild-composer: race condition may disable GPG verification for package repositories CVE-2024-2307 For more details about the security issues,...
Moderate: Image builder components bug fix, enhancement and security update
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fixes: osbuild-composer: race condition may disable GPG verification for package repositories CVE-2024-2307 For more details about the security issues,...
Race Condition
Overview Affected versions of this package are vulnerable to Race Condition that leads to disabling GPG verification for package repositories. This vulnerability exposes the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built. Remediation...
CVE-2024-2307 Osbuild-composer: race condition may disable gpg verification for package repositories
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built...
CVE-2024-2307 Osbuild-composer: race condition may disable gpg verification for package repositories
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built...
CVE-2024-2307
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built. Mitigation Mitigation for this issue is...
New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics
Cybersecurity researchers have discovered two malicious packages on the Python Package Index PyPI repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code. The packages, named NP6HelperHttptest and NP6HelperHttpe...
CISA and OpenSSF Release Framework for Package Repository Security
The U.S. Cybersecurity and Infrastructure Security Agency CISA announced that it's partnering with the Open Source Security Foundation OpenSSF Securing Software Repositories Working Group to publish a new framework to secure package repositories. Called the Principles for Package Repository...
Malicious code in selfrandlgtb (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: checkmarx 9f2973b172c975c7bec29f5105a3311c94b5ca63258c74492418c157617201e9 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in py-nvidiacandy (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: checkmarx 79f27d3b85655e4350ae9efac0ebcc28dfb4dc16f90d60fd262e72c0315e8d10 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in tpultrainfo (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: checkmarx 40a4127dc30f5507174a701ce526fdd092b3ee61d141a08b464d98c9616247c1 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in controlcv (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: checkmarx 8baf73d0ce9873d5809d230312ba4d2e05783d40de0cd45e44b17699cd93a30b EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
SUSE CVE-2014-0040
OpenStack Heat Templates heat-templates, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download 1 packages and 2 signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors...
Vulnerablecode - A Free And Open Vulnerabilities Database And The Packages They Impact And The Tools To Aggregate And Correlate These Vulnerabilities
VulnerableCode is a free and open database of FOSS software package vulnerabilities and the tools to create and keep the data current. It is made by the FOSS community to improve and secure the open source software ecosystem. Why? The existing solutions are commercial proprietary vulnerability...
Confused - Tool To Check For Dependency Confusion Vulnerabilities In Multiple Package Management Systems
A tool for checking for lingering free namespaces for private package names referenced in dependency configuration for Python pypi requirements.txt, JavaScript npm package.json, PHP composer composer.json or MVN maven pom.xml. What is this all about? On 9th of February 2021, a security researcher...
PT-2021-15665 · Python +2 · Pip +3
Name of the Vulnerable Software and Affected Versions: Bundler versions 1.16.0 through 2.2.9 Bundler versions 2.2.11 through 2.2.17 Python/pip affected versions not specified .NET/NuGet affected versions not specified Java/Maven affected versions not specified JavaScript/npm affected versions not...
Dependency Confusion: Another Supply-Chain Vulnerability
Alex Birsan writes about being able to install malware into proprietary corporate software by naming the code files to be identical to internal corporate code files. From a ZDNet article: Today, developers at small or large companies use package managers to download and import libraries that are...