GitLab update addresses pipeline execution vulnerability

GitLab has released critical security updates to address multiple vulnerabilities, including a high-severity flaw that could allow attackers to run pipeline jobs as arbitrary users.

The company strongly recommends all GitLab installations be upgraded immediately to the latest versions: 17.1.2, 17.0.4, or 16.11.6 for both Community Edition (CE) and Enterprise Edition (EE).

The most critical vulnerability (CVE-2024-6385) affects GitLab versions 15.8 to 17.1.1. With a CVSS...

11 July 2024 | Developer

CocoaPods flaws highlight growing supply chain risks

Security researchers at E.V.A Information Security have uncovered several critical vulnerabilities in CocoaPods, a popular dependency manager for Swift and Objective-C projects. These vulnerabilities potentially expose millions of Apple devices to supply chain attacks, highlighting the growing risks associated with open-source software dependencies.

CocoaPods, used in over three million mobile apps, plays a crucial role in the iOS and macOS development ecosystem. The discovered...

2 July 2024 | Developer

Critical OpenSSH vulnerability threatens millions of Linux systems

A severe vulnerability in OpenSSH's server (sshd) has been uncovered by Qualys’ Threat Research Unit (TRU), potentially affecting over 14 million Linux systems worldwide. The flaw, designated as CVE-2024-6387, allows for remote unauthenticated code execution (RCE) with root privileges on glibc-based Linux systems.

This vulnerability, stemming from a signal handler race condition, impacts sshd in its default configuration. Qualys researchers have identified approximately 700,000...

1 July 2024 | Developer

GitLab’s DevSecOps report highlights AI challenges

GitLab's 8th annual Global DevSecOps Report has unveiled a complex landscape of software development, highlighting disparities between executive perceptions and developer realities. The survey, conducted in April 2024, gathered insights from over 5,300 professionals across the software development spectrum.

While 69% of CxOs report shipping software at least twice as fast as last year, AI adoption remains low, with only 26% of respondents implementing AI in their workflows. This...

28 June 2024 | Approaches

Unfolding the Kaspersky saga in the US

The United States' recent decision to prohibit the sale of Kaspersky software and impose penalties on 12 of its executives is a significant development in the intersection of cybersecurity and international relations. This action, which follows years of growing distrust and geopolitical tensions, emphasises the fragile balance between national security and technology innovation. 

Kaspersky was first dealt a blow in 2017 when the Trump administration prohibited federal agencies...

27 June 2024 | Developer

Optus breach is a wake-up call for secure coding practices

A “coding error” in Optus Mobile's systems led to a massive data breach affecting over nine million customers, sparking a lawsuit from the Australian Communications and Media Authority (ACMA).

The case, filed under number VID429/2024 in the Federal Court of Australia, highlights the severe consequences of software vulnerabilities in large-scale systems.

The breach, which affected over nine million Optus users, was caused by a seemingly simple coding error—a stark...

21 June 2024 | Approaches

Encryption under fire: Signal and rights groups oppose EU law

In a strongly worded statement, Meredith Whittaker, President of Signal, has called out the EU’s latest attempts to weaken end-to-end encryption under the guise of new terminology.

Her comments come in response to ongoing discussions surrounding the EU's chat control legislation, which has seen some European countries pushing for measures that could potentially compromise user privacy.

Whittaker's concerns are echoed by a joint statement issued in May by several...

20 June 2024 | Hacking & Security

Hackers are increasingly exploiting packers to spread malware

Cybersecurity researchers from Check Point have uncovered an increasing trend of hackers exploiting commercial packing tools like BoxedApp to conceal and distribute various malware strains. Over the past year, a significant surge in the abuse of BoxedApp products has been observed, particularly in attacks targeting financial institutions and government organisations.

BoxedApp offers a range of commercial packers – including BoxedApp Packer and BxILMerge – which provide...

6 June 2024 | Developer

Sonatype exposes malicious PyPI package ‘pytoileur’

Sonatype has exposed 'pytoileur', a malicious PyPI package designed to download and install trojanised Windows binaries capable of surveillance, commandeering persistence, and stealing cryptocurrency. This discovery is part of a broader, months-long "Cool package" campaign aimed at infiltrating the coding community.

Yesterday, an automated malware detection system operated by Sonatype, known as the Sonatype Repository Firewall, flagged a newly published PyPI package called...

29 May 2024 | Hacking & Security

GitHub Copilot gains extensions as GitHub and FileZilla face malware exploits

As GitHub Copilot gains extensions, GitHub and FileZilla face malware exploits

GitHub has announced a new feature that enables developers to extend Copilot with third-party skills, providing an extra layer of customisation.

At this year's Build conference, it announced the acquisition of a conversational assistant tool company called Semantic Machines to help enhance its products. GitHub's "AI pair programming tool," Copilot, also grabbed significant attention with the launch of its Copilot Extension. This new feature allows developers to extend Copilot...

28 May 2024 | Artificial Intelligence