Recent Security Bulletins

March 29, 2024

Text Scam Targeting Notre Dame Users

Information Security is aware of an ongoing text scam - known as smishing - impersonating the University’s Chief Information Officer, threatening to delete the user’s email account.

Remember, Notre Dame will never text you to inform you that your account is being deactivated, or to ask for any personal information. If you receive this message, please report it to infosec@nd.edu, then delete the message and block the number.


March 21, 2024

New Security Updates for Google Chrome and Firefox 

Google and Mozilla have released security updates to their respective Chrome and Firefox web browsers to fix high-severity vulnerabilities.

The Office of Information Technologies (OIT) Information Security team recommends updating all impacted browsers on both personal and University-owned devices. Most University-managed computers have automatic updates enabled for Google Chrome—restart your Chrome browser to allow it to update to the latest release.

Instructions for manually updating your Chrome browser are available in this Google Chrome Help web page, and those for manually updating Firefox can be found here.

While these security updates are specific to Chromium-based and Firefox web browsers, please ensure security updates are applied regularly for all web browsers.


March 6, 2024

New Security Updates for Apple Devices

Apple has released updates for Apple devices to address significant security vulnerabilities.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technologies (OIT) Information Security team recommends that anyone with any Apple device – whether personal or University-owned – install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.


January 24, 2024

Critical GitLab Vulnerability Requires Patching

What You Need to Know

  • For the second time this month, a critical vulnerability has been detected in GitLab, and it needs to be patched ASAP.

  • All GitLab installations running an impacted version need to be upgraded to the latest versions (16.8.1, 16.7.4, 16.6.6, 16.5.8).

Who is affected?

  • Developers or system administrators hosting a self-managed GitLab instance (specific versions)

Why it matters:

  • Various vulnerabilities, including one critical vulnerability, were discovered, affecting multiple GitLab versions. More detail about each can be found in this GitLab Critical Security Release.

Go deeper

GitLab, a web-based Git repository for developer teams that need to manage their code remotely, has released security updates for both the Community Edition (CE) and Enterprise Edition (EE) to address security vulnerabilities, including one considered critical.

The Office of Information Technologies (OIT) Information Security team requires all GitLab installations running an impacted version to be upgraded to the latest versions (16.8.1, 16.7.4, 16.6.6, 16.5.8) as soon as possible.

For more technical details on this vulnerability, please refer to this GitLab Critical Security Release.


January 23, 2024

New Security Updates for Apple Devices

Apple has released updates for Apple devices to address significant security vulnerabilities.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technologies (OIT) Information Security team recommends that anyone with any Apple device – whether personal or University-owned – install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.


January 16, 2024

Critical Vulnerability in GitLab Requires Patching

What You Need to Know

  • GitLab has a critical vulnerability that needs to be patched ASAP

Who is Affected?

  • Developers or system administrators hosting a self-managed GitLab instance (specific versions)

Why it Matters:

  • Attackers could use this to send password reset requests to unverified email addresses, allowing account takeover.

Technical details and upgrade instructions

Go Deeper:

GitLab, a web-based Git repository for developer teams that need to manage their code remotely, has released security updates for both the Community Edition (CE) and Enterprise Edition (EE) to address a critical vulnerability tracked as CVE-2023-7028 (base score: 10).

The exploitation of CVE-2023-7028 could allow password reset requests to be sent to unverified email addresses, allowing account takeover. If two-factor authentication is active, the second factor is still needed for successful log-in.

This vulnerability impacts the following versions of GitLab:

  • 16.1 prior to 16.1.5

  • 16.2 prior to 16.2.8

  • 16.3 prior to 16.3.6

  • 16.4 prior to 16.4.4

  • 16.5 prior to 16.5.6

  • 16.6 prior to 16.6.4

  • 16.7 prior to 16.7.2

The Office of Information Technologies (OIT) Information Security team requires all GitLab installations running an impacted version to be upgraded to the latest versions (16.7.2, 16.6.4, or 16.5.6) as soon as possible.
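For administrators with more than one self-managed instance, the affected-version list above can be applied to an inventory in a few lines. This is an added example, not OIT or GitLab code; the host names and the inventory format are assumptions, and the version strings are constructed.

```python
import re

# First fixed patch release per affected branch, taken from the
# CVE-2023-7028 list in the bulletin above.
FIRST_FIXED = {
    (16, 1): 5,
    (16, 2): 8,
    (16, 3): 6,
    (16, 4): 4,
    (16, 5): 6,
    (16, 6): 4,
    (16, 7): 2,
}

# Accepts "16.5.4", "v16.5.4" and suffixed forms such as "16.5.4-ee".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?\s*$")


def parse_version(text):
    """Return (major, minor, patch) as integers, or raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(text):
    """Classify one version string against the bulletin's list."""
    major, minor, patch = parse_version(text)
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return "not-listed"  # the bulletin makes no statement about this branch
    return "affected" if patch < fixed else "patched"


def triage(inventory):
    """Map host -> status; unparseable versions are flagged for manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed inventory; host names are hypothetical.
    sample = {"git-a.example.edu": "16.5.4-ee", "git-b.example.edu": "16.7.2",
              "git-c.example.edu": "15.11.0", "git-d.example.edu": "unknown"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A "patched" result refers to CVE-2023-7028 only; the January 24 bulletin requires later releases, and "not-listed" means the branch needs to be checked against the GitLab release notes rather than assumed safe.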

For more technical details on this vulnerability, please refer to this GitLab Critical Security Release.