Ike.ninja

Several security issues were fixed in the Linux kernel.

On May 3rd, Google Registry launched eight new top-level domains (TLDs) “for dads, grads and techies”, including a .zip TLD. While these new TLDs come with benefits such as automatic inclusion on the HSTS preload list, the launch of new TLDs has always presented cyber criminals with the opportunity to register domains in bad faith.

Parts of the security community, such as the SANS ISC, have already identified the potential for fraud via the potential conflation of a universally known file extension (.zip) with a TLD. TLDs overlapping with file extensions is not a new problem: .com is also an executable format, .pl represents both Poland and Perl scripts, and .sh represents Saint Helena and Unix shell scripts.

Earlier this week, we investigated existing registrations using the .zip TLD and confirmed that there is already evidence of fraudulent activity.

EventSource could leak sensitive information if it opened a specially crafted input file.

An update for openstack-nova is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which