Posts 2500, Following 649, Followers 1469

"I'm interested in all kinds of astronomy."
"Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, but neither has had a fix applied to the git repo since there is currently no maintainer for libxslt."

https://www.openwall.com/lists/oss-security/2025/07/11/2

CVE-2025-7424 CVE-2025-7425

#OSS #FOSS
#PHP Security fixes:

- CVE-2025-1735 SQLi via pgsql (related to CVE-2025-1094)
https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3

- CVE-2025-1220 SSRF via fsockopen()
https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r

- CVE-2025-6491 NULL deref in SOAP handling
https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x

Valerie Aurora 🇺🇦

Want to influence the rules for vulnerability handling for every internet-connected product sold in the EU? Of course you do!

You are invited to the vulnerability handling deep dive session for the Cyber Resilience Act. July 22, online, free registration:

https://www.stan4cra.eu/event-details/deep-dive-session-vulnerability-handling

More info: https://www.stan4cra.eu/resources

Revisiting automating MS-RPC vulnerability research and making the tool open source https://www.incendium.rocks/posts/Revisiting-MS-RPC-Vulnerability-Research-automation/

This is fun. Google Gemini’s “Summarize email” function is vulnerable to invisible prompt injection utilized to deceive users, including with fake security alerts.

https://0din.ai/blog/phishing-for-gemini

Many static site generator templates don't include meta tags for #RSS / #Atom feeds, but the data is generated by default. It's worth checking:

/index.xml
/feed.xml

#syndication

No-AI and solid end-to-end encryption is the new tech hype.

If you don't invest heavily in solid end-to-end encryption, privacy-protective and No-AI features, you will be left behind. People might even laugh at you.

Tell everyone.

Buried in the Log. Exploiting a 20 years old NTFS Vulnerability

https://swarm.ptsecurity.com/buried-in-the-log-exploiting-a-20-years-old-ntfs-vulnerability/

I think I missed this one about CVE-2025-49689

[CVE-2025-38001] All Google Instances And Debian 12 With A For $82k: A RBTree Family Drama (Part One: LTS & COS)

https://syst3mfailure.io/rbtree-family-drama/

My office computer just crashed and now all the other computers have slowed down so they can see what's happening.

How I do it.

Some words on how I work on and lead the project. Every day of the week. Year in, year out. It never ends.

https://daniel.haxx.se/blog/2025/07/13/how-i-do-it/

Gergely "Bane of the Crawlers" Nagy

I just released #iocaine version 2.5.0, probably the last 2.x version, as I'm starting to lay out the roadmap for 3.0.

Apart from a couple of handy new features to aid in bot detection and data collection, there's an important fix in it too: previously, the built-in templates did not escape the generated text properly, which could lead to all kinds of weirdness. Now they do.

The templates also have access to a new filter, urlencode, which helps escape random generated text that is to be used in URLs.

bert hubert 🇺🇦🇪🇺🇺🇦

Europe appears to just have given up on doing anything technical. Perhaps we should hurry up & stop pretending we want to do anything ourselves, so we can speed up getting to our eventual destiny of a full time holiday destination for American, Chinese and Russian tourists. And mind you, that is the _best_ outcome I can see right now. https://therecord.media/spain-awards-contracts-huawei-intelligence-agency-wiretaps

Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog by Peter Gutmann, Stephan Neuhaus (https://ia.cr/2025/1237)

@mcc (Hungarian) I can access $ with AltGr, don't have hard feelings about it.

Some of my bugs in Windows Kernel ETW have been fixed by MSRC this month.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47985
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49660
These bugs are triggered from an NTOS syscall.

Getting started with iocaine is now online.

From nothing to running iocaine + Caddy with ai.robots.txt's robots.json and a few metrics as a starting point.

Contains #Roto, #Lua, and #Fennel - and a few tests too, for each.

Greg Linares (Laughing Mantis)

Truly humbled to share I had the honor of being a guest on the legendary @darknetdiaries. We talked about some wild stories, the epic screw-ups, and other adventures. Really grateful for the chance to tell a few tales and hope it resonates with some.

https://darknetdiaries.com/episode/160/

The slides from our @reconmtl talk, "Breaking Mixed Boolean-Arithmetic Obfuscation in Real-World Applications" (CC @nicolodev), are now online!

Slides: https://synthesis.to/presentations/recon25_mba_obfuscation.pdf

Plugin: https://github.com/mrphrazer/obfuscation_analysis

Interesting Git repos of the week:

Detection:

* https://github.com/telekom-security/tpotce - have some honey

Exploitation:

* https://github.com/tlsfuzzer/tlsfuzzer - fuzz TLS
* https://github.com/ShawnDEvans/smbmap - map SMB shares
* https://github.com/nccgroup/fuzzowski - another nice fuzzer

Data:

* https://github.com/sneakers-the-rat/gpu-free-ai - the AI implementation you don't want to use!
