"I'm interested in all kinds of astronomy."

bert hubert 🇺🇦🇪🇺🇺🇦

No matter how much you want it, you can't use a clever definition of "cloud native" to pretend that you compete with the AWS/Azure/Google stack. And please don't try to fool people with a wonky definition, it will backfire eventually. "There is no cloud just other people's computers" means you don't understand what modern developers are doing with clouds. https://berthub.eu/articles/posts/the-european-cloud-ladder/


Activity spinning up on GitHub for people playing with the bug, but also at least a few possibly vulnerable code bases:

https://github.com/search?q=%3Cparam-name%3Ereadonly%3C%2Fparam-name%3E+%3Cparam-value%3Efalse%3C%2Fparam-value%3E++&type=code

The author of the blog post mentioned in my previous post initially predicted KEV but then reconsidered. I suspect they're right, but it will depend on whether any big commercial J2EE is vulnerable as deployed on Tomcat. To that end, the following from the VMware folks looked interesting:

https://github.com/vmware/dod-compliance-and-automation/blob/e080d523461ade1dadca12c8f7622bd60fcbe920/vsphere/8.0/v1r1-srg/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/eam/controls/VCEM-80-000130.rb#L35

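The GitHub search above hunts for the literal text `<param-name>readonly</param-name><param-value>false</param-value>`. The following added example (not code from the post, from Tomcat, or from the linked VMware STIG control) applies the same check offline to a web.xml: Tomcat's DefaultServlet (and WebdavServlet) honour a `readonly` init-param that defaults to true, so an explicit `false` means the servlet accepts PUT and DELETE. The sample web.xml is constructed for illustration; the post does not say which bug is being played with, and this script only finds the setting.

```python
"""Flag servlets in a Tomcat web.xml whose 'readonly' init-param is false.

Added example, not taken from the post or from Tomcat itself. The sample
web.xml below is constructed for illustration, not from a real deployment.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the default servlet has been switched to writable.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>
"""

# Same file with the setting put back to Tomcat's default of true.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>"
)


def _local(tag):
    """Strip the XML namespace prefix ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def writable_servlets(web_xml_text):
    """Return the servlet-names whose init-param 'readonly' is set to false.

    Tomcat's default for DefaultServlet/WebdavServlet is readonly=true, so an
    explicit false is what the GitHub search above is looking for. The value
    comparison is case-insensitive and ignores surrounding whitespace, which
    is how Tomcat reads boolean init-params.
    """
    root = ET.fromstring(web_xml_text)
    hits = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = None
        readonly_false = False
        for child in servlet:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                pname = pvalue = ""
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname == "readonly" and pvalue.lower() == "false":
                    readonly_false = True
        if readonly_false:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for servlet_name in writable_servlets(SAMPLE_WEB_XML):
        print(f"servlet '{servlet_name}' has readonly=false")
    print("hardened:", writable_servlets(HARDENED_WEB_XML))
```

Point it at `$CATALINA_BASE/conf/web.xml` and each webapp's `WEB-INF/web.xml`; a servlet that inherits the global default servlet without overriding `readonly` will not show up here, so the global file has to be checked too.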
The prime minister of #Hungary just called judges, journalists and NGOs "bedbugs" in his 1848 memorial speech.

We hope that the inter-relations between Huawei's lobby office in Brussels and the offices in key EU member states like Germany are taken into account in the ongoing corruption and bribery investigations, too. For market access in Europe, Berlin is a key lobby hot spot for Chinese tech.


honggfuzz alive and kicking. stack based buffer overflow in libxml2 - https://issues.oss-fuzz.com/issues/392687022


David Chisnall (*Now with 50% more sarcasm!*)

I remember in the mid ‘90s, Bill Gates said something like ‘if the car industry had improved at the same rate as the computer industry, cars would go at a thousand miles per hour and get thousands of miles per gallon’ and someone at a car manufacturer replied that their customers are quite glad that the cars don’t crash several times a day.

I am starting to wonder if Tesla is an elaborate piece of performance art in support of this joke.


bert hubert 🇺🇦🇪🇺🇺🇦

"the real question is if we can convince European governments and Europeans to innovate for their continued survival as a free and (climate) safe continent" - no pressure people.


Zeyu (Zayne) | @zeyu2001@infosec.exchange

My slides from today's talk about Static Program Analysis. I go into how data flow analysis (like taint propagation in CodeQL) works from first principles - should be digestible with some first-year university maths knowledge

https://zeyu2001.github.io/cam-ib-tech-talk/

@effinbirds thanks, I also had trouble finding it!
Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes

https://blog.hartwork.org/posts/expat-2-7-0-released/

@hanno asks for expert xdev review on oss-security:

https://www.openwall.com/lists/oss-security/2025/03/14/7

Hey hey, you thought there'd be no today? Here we go!

Today's entry is an Infineon/Siemens SAB-C167CR-LM, a microcontroller based on the C166 core. The die is in pleasant-looking pastel colours. :-) The die has pin 1 in top left corner. I'll do a short thread.

Many thanks to @debauer for supplying the samples!

SiPron page with more info and full-res map: https://siliconpr0n.org/archive/doku.php?id=infosecdj:infineon:sab-c167cr-lm


Less than 30 minutes until our 5.0 live stream! Join us to see all the latest features either on dev now or coming very soon:

https://www.youtube.com/@vector35/live

Kernel Shared Cache, Unions, Stack Array Creation, and so much more...

PHP security releases 8.4.5, 8.3.19, 8.2.28, 8.1.32

https://www.openwall.com/lists/oss-security/2025/03/14/6

CVE data collected by Alan Coopersmith:

"Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235)
https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477

Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)
https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc

Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528

Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff

Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44

Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)
https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g"

#PHP
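Three of the advisory titles above describe the same class of problem: a client-side HTTP header parser that is too lenient (folded headers, header lines without a colon) or that copies into a fixed buffer (redirect location cut at 1024 bytes). The following added example is not PHP's http stream wrapper and is not code from the advisories; it is a small, strict response-header parser written in Python to show the handling a client should apply in each of those cases. The two sample responses are constructed for this example.

```python
"""Strict HTTP/1.x response header parsing.

Added example, not PHP's http stream wrapper and not code from the
advisories above. It illustrates three failure modes the advisory titles
name (folded headers, header lines without a colon, a Location longer than
1024 bytes) with the handling a client should apply. The two sample
responses are constructed for this example.
"""
import re


class HeaderError(ValueError):
    """Raised for a response whose header block must not be interpreted."""


def parse_response_headers(raw):
    """Parse the status line and header block of an HTTP/1.x response.

    raw: bytes up to and including the CRLF CRLF that ends the headers.
    Returns (status_code, headers), where headers maps lower-cased field
    names to a list of values, since a field may repeat.

    Edge cases handled:
    - obs-fold: a line beginning with SP or HTAB continues the previous
      field; RFC 9112 section 5.2 requires a client to replace the fold
      with a space before interpreting the value, which is done here.
    - a line with no ':' that is not a continuation is malformed; the whole
      response is rejected rather than the line being skipped, so a broken
      header cannot silently vanish from checks made on the result.
    - field values are kept whole; nothing is copied into a fixed-size
      buffer, so a long Location comes back untruncated.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderError("header block not terminated")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    if (len(parts) < 2 or not parts[0].startswith("HTTP/")
            or not re.fullmatch(r"\d{3}", parts[1])):
        raise HeaderError(f"bad status line: {lines[0]!r}")
    status = int(parts[1])

    headers = {}
    current = None  # (name, [value chunks]) of the field being assembled

    def flush():
        if current is not None:
            name, chunks = current
            headers.setdefault(name, []).append(
                b" ".join(chunks).decode("latin-1"))

    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            if current is None:
                raise HeaderError("continuation line before any header")
            current[1].append(line.strip())
            continue
        flush()
        name, colon, value = line.partition(b":")
        if not colon:
            raise HeaderError(f"header line without colon: {line!r}")
        # RFC 9112 section 5.1: no whitespace between field name and colon,
        # and the name must be a non-empty token.
        if not name or re.search(rb"\s", name):
            raise HeaderError(f"bad field name: {name!r}")
        current = (name.lower().decode("latin-1"), [value.strip()])
    flush()
    return status, headers


def is_rejected(raw):
    """True if the parser refuses the response outright."""
    try:
        parse_response_headers(raw)
    except HeaderError:
        return True
    return False


# Constructed sample: a redirect whose Location is 1224 bytes long, plus a
# Set-Cookie header folded onto a second line.
FOLDED = (
    b"HTTP/1.1 302 Found\r\n"
    + b"Location: https://example.invalid/" + b"a" * 1200 + b"\r\n"
    + b"Set-Cookie: session=1;\r\n"
    + b"\tPath=/\r\n"
    + b"\r\n"
)

# Constructed sample: a header line with no colon at all.
NO_COLON = b"HTTP/1.1 200 OK\r\nX-Broken header\r\n\r\n"


if __name__ == "__main__":
    code, hdrs = parse_response_headers(FOLDED)
    print(code, len(hdrs["location"][0]), hdrs["set-cookie"])
    print("NO_COLON rejected:", is_rejected(NO_COLON))
```

The design choice worth noting is that the malformed line aborts the whole response instead of being dropped: a parser that skips what it cannot parse lets a header it was supposed to check (an auth header, a content type) quietly fall out of the picture, which is the pattern behind several of the titles in the list.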
@revng I don't think external links are a problem, but without an algorithm and a low number of followers posts can easily get buried in people's timelines (so reposting can be a good idea). Hashtags can help a lot, because people can follow those.

Anything I missed @shellsharks ?

🧟‍♂️ Finding dead bodies

A pad about finding dead code using code coverage tools.
It was made by one of us for a talk at the rev.ng hour some years ago.

More effort than required was put into the image, but the results were undoubtedly great.

https://pad.rev.ng/s/CwdCrM68Z#
