weirdnet
directory.weirdnet.org
Category: security
-
28C3 — The Science of Insecurity
[2026-04-18]
(no description in XBEL)
-
Apple silently uploads your passwords and keeps them
[2026-04-18]
(no description in XBEL)
-
ASLR⊕Cache (AnC)
[2026-04-18]
Demonstration of a cache-based attack on ASLR, from both browser JavaScript and native code
-
Avoid generating metadata in `pip download --no-deps ...` · Issue #1884 · pypa/pip · GitHub
[2026-04-18]
(no description in XBEL)
-
Botnet Part 2 — The Web is Broken - Jan Wildeboer’s Blog
[2026-04-18]
TL;DR — Certain companies recruit app developers to create botnets by injecting “network sharing” SDKs into their apps. These botnets then use the network bandwidth of unsuspecting users of said apps to crawl the web, brute-force mail servers and other nasty things.
-
Calling time on DNSSEC?
[2026-04-18]
(no description in XBEL)
-
Disallow execution of setup.py when "pip download --no-deps someproject" · Issue #7325 · pypa/pip · GitHub
[2026-04-18]
(no description in XBEL)
-
How a backdoor in the Linux kernel was thwarted, from RISKS
[2026-04-18]
"On 5 Nov 2003, an attempt to insert a very cleverly crafted backdoor into Linux was averted."
-
https://wiki.debian.org/Hardening
[2026-04-18]
(no description in XBEL)
-
https://wiki.gentoo.org/wiki/Category:Security
[2026-04-18]
(no description in XBEL)
-
Kernel page-table isolation
[2026-04-18]
Linux kernel feature that mitigates the Meltdown vulnerability (mainly affecting Intel x86 CPUs) and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
-
Lessons from the Debian/OpenSSL Fiasco
[2026-04-18]
(no description in XBEL)
-
Lion Internet Worm Analysis
[2026-04-18]
Analysis of the Lion Worm from 2001
-
nsss — the problem with nsswitch
[2026-04-18]
(no description in XBEL)
-
One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images
[2026-04-18]
(no description in XBEL)
-
oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
[2026-04-18]
Where tukaani's xz/lzma-utils 5.6.0 and 5.6.1 got a backdoor added by one of the maintainers in the signed release tarballs. Own note — and there is an example of why, as package maintainers, we should diff the tarballs we are vouching for to users rather than rely entirely on git, although in that one it's at the end of ./configure, which is nearly unreadable m4/autotools soup.
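One way to do that diff mechanically, as an added example (not code from the oss-security post or the xz project): compare the signed release tarball against the `git archive` output for the same tag, ignore the files autotools is expected to generate, and list everything else a maintainer has to read. The generated-file list is an assumption, and the two archives below are constructed in memory with made-up contents; they are not the real xz files.

```python
# Added example (not from the oss-security post or the xz project): compare a
# signed release tarball against `git archive` output for the same tag and list
# what a maintainer has to read. Assumes both inputs are gzip tarballs with a
# single top-level directory. The sample archives below are constructed in
# memory; their file contents are made up and are not the real xz files.
import io
import tarfile


def _members(data: bytes) -> dict:
    """Map each regular file to its bytes, with the top-level directory
    (e.g. proj-1.0/) stripped so the two sides can be compared by path."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                path = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[path] = tf.extractfile(m).read()
    return out


def compare_archives(release: bytes, git_archive: bytes) -> dict:
    """Paths only in the release, only in git, and in both but with different bytes."""
    rel, git = _members(release), _members(git_archive)
    return {
        "only_in_release": sorted(rel.keys() - git.keys()),
        "only_in_git": sorted(git.keys() - rel.keys()),
        "modified": sorted(p for p in rel.keys() & git.keys() if rel[p] != git[p]),
    }


# Files autotools is expected to generate into a release tarball (assumption:
# the list a maintainer keeps for the project; extend it as needed).
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def must_review(release: bytes, git_archive: bytes) -> list:
    """Tracked files that changed, plus release-only files not on the expected
    generated list. Anything returned here needs a human reading the diff."""
    d = compare_archives(release, git_archive)
    extra = [p for p in d["only_in_release"] if p not in EXPECTED_GENERATED]
    return sorted(d["modified"] + extra)


def _make_tgz(prefix: str, files: dict) -> bytes:
    """Build a gzip tarball in memory (stands in for a real release or git archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample trees. The release carries the generated configure script
# (expected) and an extra line in a tracked m4 macro (the thing to look at).
GIT_TREE = {
    "m4/build-to-host.m4": b"AC_DEFUN([gl_BUILD_TO_HOST], [dnl sample macro])\n",
    "src/liblzma/api/lzma.h": b"/* sample public header */\n",
}
RELEASE_TREE = dict(GIT_TREE)
RELEASE_TREE["m4/build-to-host.m4"] += b"gl_[$1]_config='eval sample-injected-line'\n"
RELEASE_TREE["configure"] = b"#! /bin/sh\n# Generated by GNU Autoconf (sample)\n"

RELEASE_TGZ = _make_tgz("proj-1.0", RELEASE_TREE)
GIT_TGZ = _make_tgz("proj-1.0", GIT_TREE)

if __name__ == "__main__":
    for path in must_review(RELEASE_TGZ, GIT_TGZ):
        print("review:", path)
```

For a real release, feed `must_review` the bytes of the downloaded tarball and of `git archive --format=tar.gz <tag>`; a change to a tracked file, or a release-only file that is not on the generated list, is exactly the kind of thing that hides in the autotools soup.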
-
PyPI is not trustworthy — zaitcev
[2026-04-18]
(no description in XBEL)
-
Remote user impersonation and takeover
[2026-04-18]
Technical explanation of CVE-2024-23832, fixed in Mastodon 4.2.5 (2024-02-01). TL;DR — the URL supplied as an object's "id" was not checked against the message's own "id"; Mastodon would just trust whatever was in the message.
-
Remote User Impersonation and Takeover via Cache Poisoning
[2026-04-18]
Write-up by the person who found the issue, on CVE-2024-23832, fixed in Mastodon 4.2.5 (2024-02-01)
-
Someone’s Been Messing With My Subnormals!
[2026-04-18]
"TL;DR — After noticing an annoying warning, I went on an absurd yak shave, and discovered that because of a tiny handful of Python packages built with an appealing-sounding but dangerous compiler option, more than 2,500 Python packages—some with more than a million downloads per month—could end up causing any program that uses them to compute incorrect numerical results." But also "Unbeknownst to me, even with --dry-run pip will execute arbitrary code found in the package's setup.py. In fact, merely asking pip to download a package can execute arbitrary code (see pip issues 7325 and 1884 for more details)!"
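Since `pip download` runs setup.py (the point of this entry and of the two pip issues bookmarked above), the one thing you can do safely with an sdist you have not yet trusted is read it without executing it. The following is an added example, not pip's, PyPI's or the blog post's code: it parses setup.py with the `ast` module, resolves import aliases so `import subprocess as sp` and `from os import system as run` still match, and lists the calls that run at build time. The list of flagged calls is an assumption for illustration, not a complete detector, and the sample setup.py is constructed.

```python
# Added example (not pip's, PyPI's or the blog post's code): static triage of a
# package's setup.py. It parses the file with the ast module and never imports
# or executes it, which is the point given that `pip download` will. The list
# of flagged calls is an assumption for illustration, not a complete detector.
import ast
import tarfile

# Calls that warrant a human look when they appear at install/build time:
# process spawning, dynamic code, network, native code, obfuscation helpers.
FLAGGED_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_call", "subprocess.check_output",
    "exec", "eval", "compile", "urllib.request.urlopen", "ctypes.CDLL",
    "base64.b64decode", "marshal.loads", "pickle.loads",
}


def _aliases(tree: ast.AST) -> dict:
    """Map local names to what they import, so `import subprocess as sp` and
    `from os import system as run` resolve to subprocess / os.system."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    names[a.asname] = a.name
                else:  # `import urllib.request` binds the name `urllib`
                    names[a.name.split(".")[0]] = a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                names[a.asname or a.name] = f"{node.module}.{a.name}"
    return names


def _dotted(node: ast.AST):
    """'a.b.c' for a Name/Attribute chain; None for anything else (e.g. x().y)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def flagged_calls(source: str) -> list:
    """(line, qualified name) for every call in `source` found in FLAGGED_CALLS."""
    tree = ast.parse(source)
    names = _aliases(tree)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        dotted = _dotted(node.func)
        if dotted is None:
            continue
        head, _, rest = dotted.partition(".")
        resolved = names.get(head, head) + ("." + rest if rest else "")
        if resolved in FLAGGED_CALLS:
            hits.append((node.lineno, resolved))
    return sorted(hits)


def triage_sdist(path: str) -> list:
    """Triage the top-level setup.py of an sdist tarball already on disk.
    Returns [] when there is no setup.py; a pyproject-only sdist still runs a
    build backend at build time, so that is not a clean bill of health."""
    with tarfile.open(path, mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile() and m.name.count("/") == 1 and m.name.endswith("/setup.py"):
                return flagged_calls(tf.extractfile(m).read().decode("utf-8", "replace"))
    return []


# Constructed sample setup.py: a normal setup() call plus a build-time command
# hidden behind import aliases and base64. It is parsed, never executed.
SAMPLE_SETUP_PY = """\
from setuptools import setup
import subprocess as sp
from base64 import b64decode as dec

sp.check_output(["sh", "-c", dec(b"ZWNobyBoaQ==").decode()])
setup(name="sample", version="0.0.1")
"""

if __name__ == "__main__":
    for line, name in flagged_calls(SAMPLE_SETUP_PY):
        print(f"setup.py:{line}: {name}")
```

Get the sdist onto disk without going through pip's build path (the page's point is that `pip download` is not that path), then run `triage_sdist` on it; if wheels are acceptable, `pip download --only-binary=:all:` never touches setup.py at all.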
-
surprising behavior in gnu tar
[2026-04-18]
TL;DR — GNU tar treats a colon in the archive name (the -f argument) as host:file and tries to resolve the host and run rsh(1) to reach it, unless --force-local is given
-
Tails Design
[2026-04-18]
(no description in XBEL)
-
Tails kernel hardening
[2026-04-18]
(no description in XBEL)
-
The Octopus Scanner Malware
[2026-04-18]
Infection via NetBeans project files
-
Why it is important to check what the malloc function returned
[2026-04-18]
(no description in XBEL)
-
Your API Shouldn't Redirect HTTP to HTTPS
[2026-04-18]
(no description in XBEL)