Pwn2Own: WAN-to-LAN Exploit Showcase TP-Link ER605 routers and Synology BC500 IP camera - Part 1: WAN https://claroty.com/team82/research/pwn2own-wan-to-lan-exploit-showcase

Stacey Marshall, the current sendmail maintainer for #OracleSolaris, has blogged about disabling the CR+LF requirements for SMTP newly enforced in Solaris 11.4.68 and later due to the fix for CVE-2023-51765, for sites stuck with non-compliant SMTP senders:
https://staceymarshall.wordpress.com/2024/07/09/configuring-sendmail-srv_feature/

(Though that should be a short-term solution until you can get the software senders updated to follow the SMTP RFCs.)

If you missed it: "Run Your Own Mail Server" is now on preorder from my site. You could get ebooks, signed paperback, or signed hardcover. #ryoms #sysadmin

Or give up the Internet and improve your life. Whichever.

https://www.tiltedwindmillpress.com/product/ryoms-preorder/

It's Patch Tuesday once more. While #Adobe had a tiny release, #Microsoft had one of their biggest months ever - including two 0-days under active attack. Join @TheDustinChilds as he breaks down all the details. https://www.zerodayinitiative.com/blog/2024/7/9/the-july-2024-security-update-review

🗑️ From File Delete to RCE 🔥

In part 2 of our Gogs series, we revisit how attackers can use weak primitives for a big impact! These vulnerabilities are still unpatched; don't miss the details:

https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-2/?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=blog-gogs-vulnerabilities-1-240709-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=mastodon

#appsec #security #vulnerability #golang

The interesting thing about OpenAI pleading that they cannot build their systems if they have exclude or license copyrighted materials isn't the fact that "if you can't afford to run your business while complying with the laws you have no business". It's the fact that they believe that creating their stochastic systems is such a good and human goal per se that they can throw it in against all the externalities and still come out winning.

Sam Altman is a cynic who only cares about getting richer and says whatever leads there. But many other people in that space are actual believers in the religion of #AI.

https://futurism.com/the-byte/openai-copyrighted-material-parliament

'Don’t say “Europe should invest in secure communications”, write out that the European Commission should procure a secure email solution that does not fall under US spying legislation' - https://berthub.eu/articles/posts/europe-must-invest-in-xyz/?redo=1

NEW: Apple has removed several VPN apps from the App Store in Russia after the government censorship agency flagged the apps, according to app makers.

VPN makers shared a letter they received from Apple with us.

"We are writing to notify you that your application, per demand from Roskomnadzor will be removed from the Russia App Store because it includes content that is illegal in Russia," the letter read.

Apple, for now, doesn't comment.

https://techcrunch.com/2024/07/08/apple-removes-vpn-apps-at-request-of-russian-authorities-say-app-makers/

Exploiting An Enterprise Backup Driver For Privilege Escalation - CVE-2023-43896 https://northwave-cybersecurity.com/exploiting-enterprise-backup-software-for-privilege-escalation-part-two

Flickr album for the Classical Computing Laboratory at IBM Poughkeepsie launch: https://www.flickr.com/gp/200991657@N06/1o1e4FYuvX

Rust, but it's on Plan9. #rust #plan9

In this blog, we dive deep into how the automation employed by the recently-formed Linux CNA managed to take a detailed, unrestricted vulnerability report for their 5.10 LTS kernel, and produce an error-filled CVE unhelpful for downstream consumers: https://grsecurity.net/cve-2021-4440_linux_cna_case_study

My friend Thalia has published a regexp museum! 🥳 have a visit!

https://github.com/thaliaarchi/regexp-museum

#regex #museum

VMware security advisory: VMSA-2024-0016
VMware Cloud Director Availability addresses an HTML injection vulnerability: CVE-2024-22277 (6.4 medium, disclosed 04 July 2024) A malicious actor with network access to VMware Cloud Director Availability can craft malicious HTML tags to execute within replication tasks. Fixed in 4.7.2, no mention of exploitation.

#CVE_2024_22277 #VMware #vulnerability #CVE

It appears that tomorrow July 9th 18:00–22:00 UTC there might be the first launch attempt of Europe's new non-reusable Ariane 6 rocket. Details including link to webcast are available through: https://www.esa.int/Enabling_Support/Space_Transportation/Ariane/Ariane_6_launch_how_to_watch_and_what_to_look_out_for

Wow. Solar Designer found another, related vulnerability in #OpenSSH.

CVE-2024-6409: Possible remote code execution in privsep child
due to a race condition in signal handling

https://marc.info/?l=oss-security&m=172045570013195&w=2

#infosec #openbsd #linux #netbsd #freebsd

WhatsUp Gold Pre-Auth RCE GetFileWithoutZip Primitive
CVE-2024-4885 https://summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/