Today is Oracle's quarterly Critical Patch Update release day, so for #OracleSolaris we have released updates for 11.4 & 11.3, and patches for 10.

11.4: https://blogs.oracle.com/solaris/post/announcing-oracle-solaris-114-sru80
11.3: https://community.oracle.com/mosc/discussion/4583990/solaris-11-3-36-34-0-has-been-released-on-my-oracle-support
10: https://community.oracle.com/mosc/discussion/4584292/announcing-oracle-solaris-10-quarterly-patch-release-april-2025

For info on the security fixes in those releases, see the Oracle Systems Risk Matrix in the April 2025 CPU Bulletin at https://oracle.com/security-alerts/cpuapr2025.html#AppendixSUNS and the Oracle Solaris Third Party Bulletin for April 2025 at https://oracle.com/security-alerts/bulletinapr2025.html .

@osxreverser I'm sure it's also a coincidence that the moment the bubble of $GPUintensiveTech0 (coins) seemed to burst $GPUintensiveTech1 (LLMs) popped up...

NEW: In a hearing last week, an NSO Group lawyer said that Mexico, Saudi Arabia, and Uzbekistan were among the governments responsible for a 2019 hacking campaign against WhatsApp users.

This is the first time representatives of the spyware maker admit who its customers are, after years of refusing to do that.

http://techcrunch.com/2025/04/16/nso-lawyer-names-mexico-saudi-arabia-and-uzbekistan-as-spyware-customers-behind-2019-whatsapp-hacks/

Fuck that war Signal group. The Trump team insider trading Signal group is where you want to be :PPPPP

https://www.dataandpolitics.net/nvidia-export-controls-and-the-trump-teams-art-of-trading-on-insider-knowledge/

Porting COBOL Code and the Trouble With Ditching Domain Specific Languages

https://hackaday.com/2025/04/16/porting-cobol-code-and-the-trouble-with-ditching-domain-specific-languages/

@swapgs Unix philosophy. I want to focus on unintended traversals specifically and IMO detecting e.g. symlinks is beyond that scope. I also think special cases are easier to handle once you have a "well behaving" path, but I may be wrong. Can you provide an example where I'm "missing out"?

@swapgs I don't follow, could you point to specific parts of the repo/give an example?

Currently available Go fuzzing tools were missing critical features - some don’t play well with the latest Go toolchain. So we set out to change that.

@bruno, Nils Ollrogge, and colleagues explored more powerful ways to fuzz Go binaries. By tapping into Go’s native instrumentation — which is compatible with libFuzzer — we enabled effective fuzzing of Go code using LibAFL.

We’ve documented our approach and shared insights in our latest blog post: https://www.srlabs.de/blog-post/golibafl---fuzzing-go-binaries-using-libafl

Repo: https://github.com/srlabs/golibafl

Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-24054)

The Ivantis, Solarwinds and Fortinets right now.

#cve #mitre #infosec

Just a reminder: Vulnerability Lookup isn’t just about finding CVEs. It supports the full chain, collection from multiple sources, continuous distribution, and allocation within a coordinated vulnerability disclosure (CVD) process. 100% open source.

🔗 An online version maintained by @circl https://vulnerability.circl.lu/

🔗 https://www.vulnerability-lookup.org/

🔗 https://github.com/vulnerability-lookup/vulnerability-lookup

#opensource #cve #vulnerability #cna #cvd #cybersecurity

So it's official: TLS certificate lifetimes will reduce from the current max of 398 days to:
* 200 days in March 2026
* 100 days in March 2027
* 47 days in March 2029

For web servers/proxies etc. it's reasonably simple, at least for smaller orgs but for e.g. network kit it might be more of a challenge. Having a timeframe to aim at definitely focusses the mind!

Via @riskybiz / https://risky.biz/risky-bulletin-ca-b-forum-approves-47-day-tls-certs/

#TLS #PKI #InfoSec #WebDev

And all of the sudden, we have solved supply chain security.

No CVE, no vulnerabilities!

I've been wondering for a long time if #DirectoryTraversal vulnerabilities could be mitigated by a safe path handling library (similarly to e.g. ORM's). As a side-quest, I stared to implement a prototype for Python, and I'm super interested in your unfiltered opinions:

https://github.com/v-p-b/SafePath/

Looks like the US Government are going to lose control of CVE. https://www.thecvefoundation.org/

[RSS] CVE-2025-21299: Unguarding Microsoft Credential Guard

https://www.netspi.com/blog/technical-blog/adversary-simulation/cve-2025-21299-cve-2025-29809-unguarding-microsoft-credential-guard/

[RSS] Microsoft Windows dxkrnl Untrusted Pointer Dereference Local Privilege Escalation Vulnerability | HackSys Inc

https://hacksys.io/advisories/HI-2025-001

CVE-2025-29812

Up-to-date documentation for #Ghidra 11.3.2 now available at:

https://scrapco.de/ghidra_docs/

Documentation changes:

https://gist.github.com/v-p-b/976f67dda1f5281c31c8e65579d309b8

Hackers, educators, tinkerers:
The 2025 Hacker Initiative grant cycle is open. We're funding individuals and groups who are:
🔹 Advancing hacker culture
🔹 Promoting digital rights
🔹 Educating the public

If you're building tools, sharing knowledge, or shaking things up apply here 👉 https://hackerinitiative.org/apply-now/

Signal boost appreciated.

A quick reminder that discounted registration rates for for the #LangSec workshop end tomorrow, April 14, at 11:59 pm PDT, and the conference hotel block rates end shortly after. Details at https://langsec.org/spw25/important-dates.html
We hope to see you all in San Francisco on May 15, 2025!