"I'm interested in all kinds of astronomy."
repeated

Thanks to @sbidoul , pip 25.1 will have a `pip lock` command that uses `pylock.toml`!

https://github.com/pypa/pip/pull/13213

pip-tools has started looking at if they can leverage it.

https://github.com/jazzband/pip-tools/issues/2124

pip-audit has support in 2.9.0.

https://pypi.org/project/pip-audit/

@frostming has a PR for 'packaging' to add the required marker support (I assume for PDM support). It's getting really close to being merged.

https://github.com/pypa/packaging/pull/888

I'm a bit relieved there's uptake of pylock.toml already!

repeated
repeated

The most important part of CVE is not the unique number, but the funding and expertise to run a credible program that assigns a unique number. The unique number was the center of what Dave Mann called a “concordance,” and I believe this is subtle but crucial: The value of CVE is not as a database, but as a stable way to cross-reference between databases and other tools. Dave and I have had many conversations about books having an ISBN, a UPC code, a Dewey number and a Library of Congress number. They serve different goals, and are managed by different groups.

I mention the books because assigning unique numbers in a stable way is harder than you'd expect.

repeated

Micropatches Released for URL File NTLM Hash Disclosure Vulnerability (Unknown CVE)

repeated

Today is Oracle's quarterly Critical Patch Update release day, so we have released updates for 11.4 & 11.3, and patches for 10.

11.4: https://blogs.oracle.com/solaris/post/announcing-oracle-solaris-114-sru80
11.3: https://community.oracle.com/mosc/discussion/4583990/solaris-11-3-36-34-0-has-been-released-on-my-oracle-support
10: https://community.oracle.com/mosc/discussion/4584292/announcing-oracle-solaris-10-quarterly-patch-release-april-2025

For info on the security fixes in those releases, see the Oracle Systems Risk Matrix in the April 2025 CPU Bulletin at https://oracle.com/security-alerts/cpuapr2025.html#AppendixSUNS and the Oracle Solaris Third Party Bulletin for April 2025 at https://oracle.com/security-alerts/bulletinapr2025.html.

@osxreverser I'm sure it's also a coincidence that the moment the bubble of $GPUintensiveTech0 (coins) seemed to burst $GPUintensiveTech1 (LLMs) popped up...
repeated

Lorenzo Franceschi-Bicchierai

NEW: In a hearing last week, an NSO Group lawyer said that Mexico, Saudi Arabia, and Uzbekistan were among the governments responsible for a 2019 hacking campaign against WhatsApp users.

This is the first time representatives of the spyware maker admit who its customers are, after years of refusing to do that.

http://techcrunch.com/2025/04/16/nso-lawyer-names-mexico-saudi-arabia-and-uzbekistan-as-spyware-customers-behind-2019-whatsapp-hacks/

repeated

Fuck that war Signal group. The Trump team insider trading Signal group is where you want to be :PPPPP

https://www.dataandpolitics.net/nvidia-export-controls-and-the-trump-teams-art-of-trading-on-insider-knowledge/

repeated
@swapgs Unix philosophy. I want to focus on unintended traversals specifically and IMO detecting e.g. symlinks is beyond that scope. I also think special cases are easier to handle once you have a "well behaving" path, but I may be wrong. Can you provide an example where I'm "missing out"?
@swapgs I don't follow, could you point to specific parts of the repo/give an example?
repeated

Currently available Go fuzzing tools were missing critical features - some don’t play well with the latest Go toolchain. So we set out to change that.

@bruno, Nils Ollrogge, and colleagues explored more powerful ways to fuzz Go binaries. By tapping into Go’s native instrumentation — which is compatible with libFuzzer — we enabled effective fuzzing of Go code using LibAFL.

We’ve documented our approach and shared insights in our latest blog post: https://www.srlabs.de/blog-post/golibafl---fuzzing-go-binaries-using-libafl

Repo: https://github.com/srlabs/golibafl

repeated

Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-24054)

repeated

The Ivantis, Solarwinds and Fortinets right now.

repeated

Sweet, now we can go back to Full Disclosure! Just like it's the 90s again!

repeated

Just a reminder: Vulnerability Lookup isn’t just about finding CVEs. It supports the full chain, collection from multiple sources, continuous distribution, and allocation within a coordinated vulnerability disclosure (CVD) process. 100% open source.

🔗 An online version maintained by @circl https://vulnerability.circl.lu/

🔗 https://www.vulnerability-lookup.org/

🔗 https://github.com/vulnerability-lookup/vulnerability-lookup

repeated

So it's official: TLS certificate lifetimes will reduce from the current max of 398 days to:
* 200 days in March 2026
* 100 days in March 2027
* 47 days in March 2029

For web servers/proxies etc. it's reasonably simple, at least for smaller orgs but for e.g. network kit it might be more of a challenge. Having a timeframe to aim at definitely focusses the mind!

Via @riskybiz / https://risky.biz/risky-bulletin-ca-b-forum-approves-47-day-tls-certs/

repeated

And all of the sudden, we have solved supply chain security.

No CVE, no vulnerabilities!

I've been wondering for a long time if #DirectoryTraversal vulnerabilities could be mitigated by a safe path handling library (similarly to e.g. ORMs). As a side-quest, I started to implement a prototype for Python, and I'm super interested in your unfiltered opinions:

https://github.com/v-p-b/SafePath/
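As an added illustration of the "safe path handling library" idea in this post, and of the symlink question raised in the @swapgs exchange above, here is a small Python sketch of my own. It is not code from the SafePath repository and makes no claim about that project's API; the function names (`safe_join`, `resolved_within`, `demo_symlink_escape`, `is_rejected`) and the sample inputs are my own. It separates the purely lexical "well-behaving path" step from a filesystem-aware check, because the two answer different questions: the first catches `..` climbing and absolute-path replacement without touching the disk, while only the second can see a symlink that points outside the base directory.

```python
import os
import posixpath
import re
import tempfile

# Added example, not the SafePath project's code. Names are hypothetical.


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def safe_join(base: str, user_path: str) -> str:
    """Join user_path onto base after lexical normalisation.

    String-only: no filesystem access, so it is cheap and deterministic,
    but it cannot see symlinks (that is what resolved_within is for).
    """
    if "\x00" in user_path:
        raise PathTraversalError("embedded NUL byte")
    # Accept Windows-style separators so "..\\secret" is normalised too.
    normalised = user_path.replace("\\", "/")
    # An absolute path (POSIX, UNC or drive-letter) would replace base
    # outright when joined, so reject it up front.
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        raise PathTraversalError(f"absolute path not allowed: {user_path!r}")
    candidate = posixpath.normpath(normalised)
    # After normpath, any leading ".." that survived means we climbed
    # above base; "a/../b" collapses to "b" and is fine.
    if candidate == ".." or candidate.startswith("../"):
        raise PathTraversalError(f"traversal outside base: {user_path!r}")
    if candidate == ".":
        return base
    return posixpath.join(base, candidate)


def is_rejected(base: str, user_path: str) -> bool:
    """True if safe_join refuses this input (convenience for checks)."""
    try:
        safe_join(base, user_path)
    except PathTraversalError:
        return True
    return False


def resolved_within(base: str, path: str) -> bool:
    """Filesystem-aware check: after resolving symlinks, is path under base?"""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def demo_symlink_escape() -> dict:
    """Constructed scenario: a symlink inside base that points outside it.

    Returns which of the two checks accepted the request, to show why the
    lexical step alone is not enough once symlinks are in play.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "www")
        outside = os.path.join(tmp, "secret")
        os.mkdir(base)
        os.mkdir(outside)
        with open(os.path.join(outside, "key.txt"), "w") as fh:
            fh.write("constructed sample content")
        os.symlink(outside, os.path.join(base, "link"))
        requested = "link/key.txt"  # lexically clean, no ".." anywhere
        joined = None
        try:
            joined = safe_join(base, requested)
        except PathTraversalError:
            pass
        return {
            "lexical_accepts": joined is not None,
            "realpath_accepts": resolved_within(base, joined) if joined else False,
        }


if __name__ == "__main__":
    print(safe_join("/srv/www", "img/../css/./site.css"))
    print(is_rejected("/srv/www", "../../etc/passwd"))
    print(demo_symlink_escape())
```

The design choice worth noting is that `safe_join` never consults the filesystem, which keeps it usable for paths that do not exist yet (uploads, cache keys) and makes its behaviour easy to reason about, whereas `resolved_within` must be run on the final path at the point of use. Percent-decoding and other encoding layers are deliberately left to the caller, since a path library only sees the string it is handed.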