Aggregator

A vulnerability was found in Linux Kernel 5.4.0-rc2. It has been rated as critical. This issue affects the function __blk_add_trace of the file kernel/trace/blktrace.c. The manipulation leads to use after free. The identification of this vulnerability is CVE-2019-19768. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as critical has been found in Linux Kernel up to 5.1.6. Affected is the function dlpar_parse_cc_property of the file arch/powerpc/platforms/pseries/dlpar.c. The manipulation leads to null pointer dereference. This vulnerability is traded as CVE-2019-12614. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in Linux Kernel up to 5.2.9 and classified as problematic. This issue affects the function xfs_setattr_nonsize of the file fs/xfs/xfs_iops.c of the component XFS File System. The manipulation leads to improper resource management. The identification of this vulnerability is CVE-2019-15538. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Linux Kernel up to 4.14.10. This affects the function allocate_trace_buffer of the file kernel/trace/trace.c. The manipulation leads to double free. This vulnerability is uniquely identified as CVE-2017-18595. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Linux Kernel up to 4.14.14. This vulnerability affects the function i2c_smbus_xfer_emulated of the file drivers/i2c/i2c-core-smbus.c. The manipulation leads to out-of-bounds write. This vulnerability was named CVE-2017-18551. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Mozilla Firefox, Firefox ESR and Thunderbird. This affects an unknown part. The manipulation leads to open redirect. This vulnerability is uniquely identified as CVE-2020-15677. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Mozilla Firefox, Firefox ESR and Thunderbird. This vulnerability affects the function APZCTreeManager::ComputeClippedCompositionBounds. The manipulation leads to use after free. This vulnerability was named CVE-2020-15678. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

由于2014年至2020年期间发生的多起重大数据泄露事件，影响了全球超过3.44亿人，10月9日，万豪同意支付5200万美元（约合人民币3.67亿元）罚款，并制定一项全面的信息安全计划。 达成用户赔偿和安全改进的和解协议 这是当日宣布的两项和解协议之一。第一项是万豪与美国49个州总检察长及华盛顿特区组成的联盟之间达成的和解协议。这一联盟在网络入侵者窃取了包括部分财务信息在内的敏感客户信息后发起调查。该笔5200万美元赔偿将分配给所有50位联盟成员。 第二项是万豪与美国联邦贸易委员会（FTC）达成的和解协议，要求万豪国际及其子公司喜达屋酒店及度假酒店国际集团（下称“喜达屋”）在未来20年内实施更严格的网络安全措施，并向FTC证明其合规情况。此外，万豪还需为客户提供便捷的方式，允许他们请求删除酒店已收集的个人信息。 正如惯例，依据酒店官网和两项协议声明，万豪在同意和解的同时，并未承认任何与相关指控有关的责任。 声明还指出：“作为与FTC和州总检察长达成解决方案的一部分，万豪将继续强化其数据隐私和信息安全计划，许多措施已经在实施或正在推进中。” 声明补充道：“例如，万豪为美国客户提供了请求删除个人信息的流程，并为万豪旅享家（Marriott Bonvoy）会员开设了在线门户，允许他们报告可能存在的可疑账号活动。此外，万豪还为旅享家账号引入了多因素身份验证功能。” 万豪数年内发生多起重大数据泄露事件 这两项调查的源头是2014年至2020年间发生的一系列网络入侵事件，这些事件涉及管理着全球超过7000家酒店万豪以及其在2016年收购的喜达屋集团。 根据FTC起诉书，首次数据泄露事件涉及超过4万名喜达屋客户的支付卡信息。 在万豪宣布收购喜达屋的四天后，喜达屋通知客户，数据窃贼自2014年6月起在其网络中潜伏了14个月，期间窃取了客户姓名和卡号，直到系统将其驱逐。 第二次数据泄露始于2014年7月，并持续了四年多，直到2018年9月才被发现。此次入侵涉及超过3.39亿条喜达屋客户记录的泄露，其中包括525万份未加密的护照号码。 第三次数据泄露发生于2018年9月，影响了万豪网络，且耗时近两年，直到2020年2月才被察觉。入侵者在此期间窃取了180万美国人的姓名、实际地址和电子邮件地址、电话号码、出生月份和日期，以及忠诚会员账号信息。 万豪内部安全控制极为薄弱，将实施改进计划 起诉书指出，所有这些数据泄露事件的发生源于万豪和喜达屋极为薄弱的安全措施，包括不当的密码管理和访问控制、缺乏有效的网络分段和软件补丁程序，以及多因素身份验证未普及，日志和网络监控也十分不足。 为了了结这些指控，万豪同意向前述美国各州和首都华盛顿支付5200万美元赔偿。但是，该公司一如既往地否认有任何过失。为便于理解这一金额大小，万豪这一全球酒店巨头在2023年的收入约为237.1亿美元，因此5200万美元对它来说几乎无关痛痒。 此外，万豪还同意实施一系列措施，旨在提高其数据安全性，并尽可能减少客户信息的收集。这些措施包括仅保留为实现特定信息收集目的所必需的个人信息。 根据协议，万豪还需提供一个链接，供客户请求删除与其电子邮件或忠诚奖励计划账号相关的任何个人信息。 此外，万豪和喜达屋还必须根据协议建立一个信息安全计划，每两年由独立的第三方评估，该计划包括多因素身份验证、网络分段和数据加密等措施。 最后，两家公司还需为消费者提供一种方式，允许他们审查其万豪旅享家忠诚会员账号中的任何未经授权的活动。万豪还承诺恢复任何被网络犯罪分子盗取的忠诚会员积分。 参考资料：https://www.theregister.com/2024/10/09/marriott_settlements_data_breaches/     转自安全内参，原文链接：https://www.secrss.com/articles/71101 封面来源于网络，如有侵权请联系删除

10 月 9 日，Mozilla 释出了紧急更新 Firefox v131.0.2、ESR 128.3.1 和 ESR 115.16.1，修复了一个正被活跃利用的释放后使用远程代码执行漏洞 CVE-2024-9680。Tor 项目随后也释出了相应的更新 Tor Browser v13.5.7（Tor Browser 是基于 Firefox ESR 版本），证实攻击者能利用该漏洞控制 Tor 浏览器，但不太可能在 Tails 操作系统中去匿名化用户。Tails 是基于 Tor 的匿名操作系统。

由于早前的黑客攻击并泄露了数亿人的数据，美国最大的背景调查公司之一——美国国家公共数据公司出于多方诉讼压力申请破产。

A vulnerability was found in SOS JobScheduler 1.12/1.13. It has been classified as problematic. Affected is an unknown function of the component Job Editor. The manipulation leads to insufficiently protected credentials. This vulnerability is traded as CVE-2020-12712. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in Google Android 8.0/8.1/9.0/10.0. It has been classified as problematic. Affected is the function exif_data_save_data_entry of the file exif-data.c. The manipulation leads to out-of-bounds read. This vulnerability is traded as CVE-2020-0093. An attack has to be approached locally. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as critical was found in libexif up to 0.6.21. This vulnerability affects unknown code of the component Canon EXIF MakerNote Handler. The manipulation leads to out-of-bounds read. This vulnerability was named CVE-2020-13112. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Mozilla Firefox, Firefox ESR and Thunderbird and classified as critical. This issue affects some unknown processing. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2020-15673. The attack may be initiated remotely. There is no exploit available.

A vulnerability was found in Mozilla Firefox, Firefox ESR and Thunderbird. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation as part of SVG Element leads to basic cross site scripting (DOM-Based). This vulnerability is handled as CVE-2020-15676. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel. It has been rated as problematic. Affected by this issue is some unknown functionality of the component IPsec. The manipulation leads to cleartext transmission of sensitive information. This vulnerability is handled as CVE-2020-1749. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Linux Kernel up to 5.9.13. It has been rated as critical. Affected by this issue is some unknown functionality of the file drivers/tty/tty_jobctrl.c of the component tty Subsystem. The manipulation leads to use after free. This vulnerability is handled as CVE-2020-29661. The attack can only be done within the local network. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as critical has been found in Oracle Tekelec Platform Distribution up to 7.7.1. This affects an unknown part of the component Kernel. The manipulation leads to use after free. This vulnerability is uniquely identified as CVE-2020-29661. Local access is required to approach this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in libslirp 4.2.0. It has been rated as problematic. This issue affects the function ip_reass of the file ip_input.c. The manipulation as part of Crafted Packet leads to use after free. The identification of this vulnerability is CVE-2020-1983. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in QEMU up to 5.0.0. This affects the function net_tx_pkt_add_raw_fragment of the file hw/net/net_tx_pkt.c. The manipulation as part of Network Packet leads to improper input validation. This vulnerability is uniquely identified as CVE-2020-16092. It is possible to initiate the attack remotely. There is no exploit available.