"I'm interested in all kinds of astronomy."

i love css 💖

also shoutout to Fastmail for rolling out fixes for both reports in <48h
https://www.fastmail.com/bug-bounty/

#IBMi is affected by a user gaining elevated privileges due to an unqualified library call vulnerability in IBM Facsimile Support for i [CVE-2025-36004]

https://www.ibm.com/support/pages/node/7237732

Another one by @silentsignal !

[RSS] CFCamp 2025 Slides - Understanding CFML Vulnerabilities, Exploits, and Attack Paths

https://www.hoyahaxa.com/2025/06/cfcamp-2025-slides-understanding-cfml.html

#coldfusion

I updated the generated #Ghidra documentation I host for 11.4:

https://scrapco.de/ghidra_docs/

Here's the documentation for Decompiler Taint Operations:

https://scrapco.de/ghidra_docs/Features/DecompilerDependent/DecompilerTaint/DecompilerTaint.html

#Ghidra 11.4 released with support for (external) taint engines in the decompiler:

https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_11.4_build

📢 @ERNW is preparing the venue for tomorrow's launch of in ! See you soon people! We are super excited! 🥳

[RSS] Abusing copyright strings to trick software into thinking it's running on your competitor's PC

https://devblogs.microsoft.com/oldnewthing/20250624-00/?p=111299

#warez

So the VSCode terminal supports Sixel too (images are displayed once you enable terminal.integrated.experimentalImageSupport)


"We will respond to you in 5 days"

3 weeks later... No response.

Anyone who gets mad at people for going full disclosure has never had to deal with the bureaucratic maze of trying to get people to fix their things.


PSA: The new version of our browser extension now requires additional permissions to "change your privacy-related settings".

The new permissions are required so we can set KeePassXC as your default password manager backend. Unfortunately, there isn't a better name for this permission set.


Remote code execution in CentOS Web Panel - CVE-2025-48703 https://fenrisk.com/rce-centos-webpanel


yyzkevin.ca has been working on making the first emulator to work with the odd IBM AS/400 drive standard. Here's his AS/400 booting IPL'ing with a BlueSCSI!

Still a lot to do but now even AS/400 users can have a modern, fully opensource, storage solution.

https://youtu.be/J8GztrUvox8?si=mpY88vrSCqVwUFvs&t=608

As they say, Hungarian Railways have 5 enemies: the four seasons and the passengers.

This summer started off esp. bad, while official online services allowing the tracking of delays suspiciously started to disappear.

Train enthusiasts however built an unofficial website that showed accurate info about the position and delays of the trains based on scraped data.

Then the Minister of Transportation accused these guys of phishing (he probably doesn't know what that means), DoS and of course conspiring with the opposition party, so the site was voluntarily taken down...

...but the code is open source, so now we have multiple sites with the same functionality :D

https://github.com/iben12/holavonat

#Hungary #StreisandEffect

Pre-auth RCE in CentOS Web Panel (CVE-2025-48703) found by the friends at Fenrisk. This is beyond madness that Shodan finds 200k of these exposed publicly.

(this post is sponsored by strace®, because no one cares about ionCube)

https://fenrisk.com/rce-centos-webpanel


Finally published today the second blog I'd promised for the 11.4.81 CBE release last month:
https://blogs.oracle.com/solaris/post/whats-new-in-the-solaris-modular-debugger-mdb-in-the-oracle-solaris-11481-cbe

A very deep dive into a narrow topic - what's changed in the Solaris Modular Debugger (mdb) since the previous CBE release in 2022. @cgerhard and others have put an impressive amount of work into making debugging easier and better for the users of this tool.


Hat tip to thegrugq for featuring this in his newsletter, a 1991 video of Italian hackers purporting to show them hacking a U.S. military system over x25. Has a real gonzo Max Headroom broadcast signal intrusion vibe with the masks & just general weird vibes, love it.
https://www.youtube.com/watch?v=43FyQlaA6YY


Dear Fedi,

For 3 years, I've been working with friends from the world as a team of freelancers and it's been great: we love what we do and our clients are happy and stay with us for years.

But the terrible state of the world has badly affected our clients financially, and we find ourselves suddenly in need of more

We focus on systems design, development, and administration. We offer SRE-level quality and processes for companies that cannot afford a whole team

Boosts welcomed
