AFL++ 5.02c release! important bugfix release for persistent fuzzing mode. New afl-health tool, C11 guidance instrumentation (helps coverage!). https://github.com/AFLplusplus/AFLplusplus/releases/tag/v5.02c #fuzzing #afl

AI guardrails will always fail. NIST just proved it mathematically https://www.covertswarm.com/post/ai-guardrails-will-fail-nist-mathematical-proof

I wish all live gig MCs a very merry Shut The Fuck Up

New directory traversal CVE!
CVE-2026-45390
n/a - n/a
In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the desired extraction directory (to an attacker that can reach a tar decompression endpoint).

@brouhaha This sounds strangely similar to the no-search fedi crowd...

Do excellent vulnerability reports

It is time for me to try to help future reporters by providing a short guide on how to submit a truly excellent vulnerability report to an Open Source project.

https://daniel.haxx.se/blog/2026/06/29/do-excellent-vulnerability-reports/

Hey, are you interested in implementing cryptography using C and Rust?

The Firefox Cryptography Engineering team is #hiring for TWO Senior Software Engineers.

Remote in Canada or any of the European countries where Mozilla has an entity: Germany, France, UK, Finland, Belgium, Spain, Netherlands or Sweden

Apply here!
- Europe: https://www.mozilla.org/en-US/careers/position/gh/8016848/
- Canada: https://www.mozilla.org/en-US/careers/position/gh/8016824/

Reach out if you have questions. It's not my team but I have some background info :)

#fedihire #jobs

[RSS] unpacking iDRAC9/iDRAC10

https://trouble.org/?p=1467

You can circumvent clamonacc by placing your malware in directories with a pathlength greater than 1024 characters, which is perfectly valid on eg. ext4. The code provides 1024 bytes to readlink(), which will happily truncate the path when its longer than that. Afterwards clamav tries to open a nonexistant file.

@stf Several editors highlight "TODO" specifically, but I want a way to format custom sets of markers, possibly depending on the extension/project I'm working on. Another example is marking findings in my notes with different severity labels.

WinPE as a stateless harness for Windows driver testing and fuzzing https://bednars.me/blog/winpe-harness

Luma 1.1.0 comes with #radare2 shell, markdown renderer, sidebar listing modules and threads, improved disassembly and analysis features, much more solid colaboration ux and tons of bug fixes! https://github.com/frida/luma/releases/tag/1.1.0

@stf How does org-mode help with customizing highlighters?

@paniash @tarsius Good point, a simple regex-based highlighter would probably cover most of the use cases!

It’s not about the children, it’s about how monetize surveillance: demand the illiberal, stupid, self-defeating & impossible, & then criminalise the wrong people for circumvention
https://alecmuffett.com/article/161699
#AgeVerification #australia

side channel attacks per packet

Scales of the Universe:

Out Sun is five billion years old and will live another five billion.

A star with ten times the mass, lives some twenty million years, larger stars have an even shirter lifetime.

A star with half the mass of the Sun will live hundred billion years. Our universe is 13.7 billion years old -- the oldest low mass stars are not even past their teenage years yet.

#VicisAstro #astrodon #SciComm #astrophysics #astronomy

This year there’s no r2con. I mean, that was obvious because April’s CFP deadline passed a while ago, but it’s probably good to make it clear.

Organizing a physical or virtual event requires an energy that this year (at least) I prefer to use it for other stuff.

But also, because AI is reshaping the field and we need to redefine some rules to keep the vibe and quality of the contents.

A new opportunity to become a gatekeeper for open source: selling vulnerability analysis, deduplication, coordination and patching to commercial users.

That‘s what Chainguard and the Linux Foundation are trying to be. And they plan to use AI, of course. That will include patching and assigning CVEs.

My guess: upstream gets these AI patches „for free“ and is flagged if it does not take them.

A global LTS source distro, sitting between traditional distros and projects.

https://www.theregister.com/security/2026/06/27/its-looking-like-a-hot-messy-summer-for-security-teams-as-ai-finds-countless-previously-hidden-vulns/5260478

@eingemaischt right??