New assessment for topic: CVE-2025-24813

Topic description: "Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. ..."

"On March 10, 2025, the Apache Software Foundation [published](https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq) an advisory for [CVE-2025-24813](https://nvd.nist.gov/vuln/detail/CVE-2025-24813), an unauthenticated remote code execution vulnerability in Apache Tomcat’s “partial PUT” feature ..."

Link: https://attackerkb.com/assessments/1a24556d-24fb-4017-be67-e4ab39c76566

Some really impressive work from my old team here: https://forums.swift.org/t/the-future-of-serialization-deserialization-apis/78585

If you care about Codable and/or serialization in Swift in general, definitely check it out

#swiftlang #swiftevolution

[RSS] Dubious security vulnerability: A program does not run correctly if you run it the wrong way

https://devblogs.microsoft.com/oldnewthing/20250317-00/?p=110970

[RSS] STAR Labs Windows Exploitation Challenge 2025 Writeup

https://starlabs.sg/blog/2025/03-star-labs-windows-exploitation-challenge-2025-writeup/

Exciting: The Ghost team has just released the beta version of its ActivityPub support for people using their hosted service

https://activitypub.ghost.org/social-web-beta/

Just spent ~an hour figuring out why a code path wasn't hit.

Turns out it was, only my log messages were configured to a level too low to appear...

#fail

Get your speaker submissions in TODAY for early consideration at this year's HOPE conference! @hopeconf https://www.2600.com/content/early-deadline-hope-talk-submissions-monday

I'm kinda getting used to Space Emacs but eshell quickly became my arch nemesis

Project: mpengine-x64-pdb 1.1.24090.11
File: mpengine.dll
Address: 75a1eaec0

load_page

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75a1eaec0.json&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75a1eaec0.json&colors=light

Of all the #StarTrekProdigy memes I’ve seen, this one hits the hardest for me.

Validating Leaked Passwords with k-Anonymity - from #CloudFlare blog, 2018:

https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

This is an important bit in the #Cloudflare post (emphasis mine):

"Our data analysis focuses on traffic from Internet properties on Cloudflare’s free plan, which *includes leaked credentials detection as a built-in feature.*"

We have released the files for the research that led to CVE-2024-36904. It contains the codes, the original kernel source, the patch and the modified kernel source that help to trigger the KASAN splat. If you want to play with the vulnerability, you can use the files.

https://github.com/alleleintel/research/tree/master/CVE-2024-36904/

There's another Office "intentional crash" detected by @expmon_ (background for the 1st one: https://www.linkedin.com/posts/haifeili_if-you-need-a-real-world-office-sample-triggering-activity-7304034115706597376-eVnM), it's a bit different (as I just quickly analyzed) but I'd like to leave it to anyone who is interested in investigating. :)

https://pub.expmon.com/analysis/254228/

So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.

Let me put the important words in uppercase.

So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.

[Edit with H/T: https://benjojo.co.uk/u/benjojo/h/cR4dJWj3KZltPv3rqX]

https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/

#cloudflare #password #cybersecurity

Question to the Fediverse:

I'm looking for a mailing list / newsgroup solution (it can be SaaS or self hosted).

I need a couple things:
- Easy subscribe and unsubscribe functions
- Ability to send out mass emails to subscribers (basic functionality)

- Most important... and this is the weird part... I need all the subscribers to be able to "reply all" or to email the list as a whole, to also send messages to everyone. But I don't want them to be able to see everyone on the list.

I need an oldschool mailing list proper, where people can track the threads and replies, right.

All the marketing email lists are only top-down - the emailer mails all the recipients, but there is no allowing the recipients to email each other.

The best I have found is GNU MailMain: https://www.gnu.org/software/mailman/

Does anyone know any other examples?

Edit to add better nomenclature (my brain is not forming words right now):
- Allows for email discussion
- Allows for email threading
- Email Newsgroup - that's a good one

Editing to add answers to my own question:
- GNU Mailman: https://www.gnu.org/software/mailman/
- Gaggle Email: https://gaggle.email (cheers @zebbm)
- Groups io: https://groups.io (cheers @TNLNYC )
- Gray Duck Mail: https://grayduckmail.com
- mlmmj: https://mlmmj.org

I feel like the message of Sir Tim Berners-Lee's latest op-ed in the Financial Times may suffer from its medium.

But don't worry, you can read his pitch for Solid here:

https://archive.ph/4Vvms

Happy St Patrick’s Day! I hope you get lucky like the Irish. Or something.

qbasic (1992): opens with the option to view help or jump straight into programming.

qb64 (2025): opens with a warning that any program you make with it will be falsely flagged by your antivirus as malware.

We heard you needed some more time, so we wanted to let you cook.

We decided to push the Phrack 72 CFP deadline back until June 15th.

Stay tuned for upcoming Phrack events.

Print this flyer out and give it to someone IRL!!