"I'm interested in all kinds of astronomy."
@ligniform Ahh thanks, I remembered it being under Community, but with careful inspection I found the two tiny arrows under the score circle...
Anyway, I'd appreciate if my threat intel followers would put a banhammer on the jofogas-order[.]help domain <3
Is it me or is it really not possible to vote on URLs on VT anymore?

can't remember where I saw it but "Using AI in education is like using a forklift in the gym. The weights do not actually need to be moved from place to place. That is not the work. The work is what happens within you" is a solid quote


Get your Apple updates folks.
https://support.apple.com/en-us/100100

CVE-2025-31200 and CVE-2025-31201 are being exploited ITW.


Today I learned something truly bizarre about Python.

What do you think this code does?

class C:
    xs = [1]
    ys = [1]
    print([[None for y in ys] for x in xs])

Does it work and print [[None]]?
Or does it fail to access `xs` and `ys` because class scoping is weird?

Neither.

It successfully accesses `xs`, but then fails to access `ys`!

This is sort of documented (but not fully) under https://docs.python.org/3/reference/executionmodel.html#resolution-of-names.

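The behaviour described in the post above, as an added example that is not part of the original post: only the outermost iterable of a comprehension is evaluated in the class body, and every other name skips class scope and falls through to module globals. `run_class_body`, `SETUP` and `demo` are names made up here, and the class bodies are constructed variants of the posted snippet.

```python
# Added illustration: which names a comprehension inside a class body can see.
# The class bodies are constructed variants of the snippet in the post.

def run_class_body(body, module_globals=None):
    """Execute `body` as the body of `class C` and return C.r,
    or the NameError text if a name could not be resolved."""
    ns = dict(module_globals or {})
    src = "class C:\n" + "\n".join("    " + ln for ln in body.splitlines())
    try:
        exec(src, ns)
    except NameError as exc:
        return f"NameError: {exc}"
    return ns["C"].r

SETUP = "xs = [1]\nys = [10]\n"
NESTED = SETUP + "r = [[y for y in ys] for x in xs]"

def demo():
    return {
        # The outermost iterable (xs) is evaluated in the class body: works.
        "outermost_only": run_class_body(SETUP + "r = [x for x in xs]"),
        # The inner iterable (ys) is looked up from inside the comprehension's
        # own scope, which skips the class namespace: NameError.
        "nested": run_class_body(NESTED),
        # Worse than an error: if a module-level `ys` exists, the inner
        # comprehension silently uses it instead of the class attribute.
        "shadowed_by_global": run_class_body(NESTED, {"ys": [7, 8]}),
        # Binding both names as function arguments makes the intent explicit;
        # the arguments themselves are evaluated in the class body.
        "explicit_binding": run_class_body(
            SETUP + "r = (lambda xs, ys: [[y for y in ys] for x in xs])(xs, ys)"
        ),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} {result!r}")
```

The `shadowed_by_global` case is the one to watch for in review: it raises nothing and quietly reads a different variable than the one defined two lines above it.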

Bonk Knob Records is very pleased to announce the release of "Not Bonk What I Call Wave: Remixes Vol 2"!

You can find it for streaming and download at all these fine places:

https://mirlo.space/bonk-knob-records/release/not-bonk

https://bonkwave.org/music/not-bonk-what-i-call-wave-remixes-vol2/

https://bonkknobrecords.bandcamp.com/album/not-bonk-what-i-call-wave-remixes-vol-2

https://bandwagon.fm/67fea099a706ef72dcec3978

Join us for the release party at 19:00 UTC / 20:00 BST / 21:00 CEST at https://party.bonkwave.org

Unauthenticated Remote Code Execution in Erlang/OTP SSH

https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

Not many details and unfortunately I don't know much Erlang (yet), but this one seems pretty interesting!

CVE-2025-32433

Thanks to @sbidoul, pip 25.1 will have a `pip lock` command that uses `pylock.toml`!

https://github.com/pypa/pip/pull/13213

pip-tools has started looking at if they can leverage it.

https://github.com/jazzband/pip-tools/issues/2124

pip-audit has support in 2.9.0.

https://pypi.org/project/pip-audit/

@frostming has a PR for 'packaging' to add the required marker support (I assume for PDM support). It's getting really close to being merged.

https://github.com/pypa/packaging/pull/888

I'm a bit relieved there's uptake of pylock.toml already!


The most important part of CVE is not the unique number, but the funding and expertise to run a credible program that assigns a unique number. The unique number was the center of what Dave Mann called a “concordance,” and I believe this is subtle but crucial: The value of CVE is not as a database, but as a stable way to cross-reference between databases and other tools. Dave and I have had many conversations about books having an ISBN, a UPC code, a Dewey number and a Library of Congress number. They serve different goals, and are managed by different groups.

I mention the books because assigning unique numbers in a stable way is harder than you'd expect.


Micropatches Released for URL File NTLM Hash Disclosure Vulnerability (Unknown CVE)


Today is Oracle's quarterly Critical Patch Update release day, so we have released updates for 11.4 & 11.3, and patches for 10.

11.4: https://blogs.oracle.com/solaris/post/announcing-oracle-solaris-114-sru80
11.3: https://community.oracle.com/mosc/discussion/4583990/solaris-11-3-36-34-0-has-been-released-on-my-oracle-support
10: https://community.oracle.com/mosc/discussion/4584292/announcing-oracle-solaris-10-quarterly-patch-release-april-2025

For info on the security fixes in those releases, see the Oracle Systems Risk Matrix in the April 2025 CPU Bulletin at https://oracle.com/security-alerts/cpuapr2025.html#AppendixSUNS and the Oracle Solaris Third Party Bulletin for April 2025 at https://oracle.com/security-alerts/bulletinapr2025.html .

@osxreverser I'm sure it's also a coincidence that the moment the bubble of $GPUintensiveTech0 (coins) seemed to burst $GPUintensiveTech1 (LLMs) popped up...

Lorenzo Franceschi-Bicchierai

NEW: In a hearing last week, an NSO Group lawyer said that Mexico, Saudi Arabia, and Uzbekistan were among the governments responsible for a 2019 hacking campaign against WhatsApp users.

This is the first time representatives of the spyware maker admit who its customers are, after years of refusing to do that.

http://techcrunch.com/2025/04/16/nso-lawyer-names-mexico-saudi-arabia-and-uzbekistan-as-spyware-customers-behind-2019-whatsapp-hacks/


Fuck that war Signal group. The Trump team insider trading Signal group is where you want to be :PPPPP

https://www.dataandpolitics.net/nvidia-export-controls-and-the-trump-teams-art-of-trading-on-insider-knowledge/

@swapgs Unix philosophy. I want to focus on unintended traversals specifically and IMO detecting e.g. symlinks is beyond that scope. I also think special cases are easier to handle once you have a "well behaving" path, but I may be wrong. Can you provide an example where I'm "missing out"?