Posts 3124 · Following 708 · Followers 1551
"I'm interested in all kinds of astronomy."
repeated

A quick reminder: dueling URL parsers is a path to pain and sorrow.

(blogged two years ago)

https://daniel.haxx.se/blog/2022/01/10/dont-mix-url-parsers/

Cache Me If You Can (Sitecore Experience Platform Cache Poisoning to RCE)

https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/

CVE-2025-34509 CVE-2025-34510 CVE-2025-34511
Rage Against the Authentication State Machine

https://blog.silentsignal.eu/2025/06/14/gitblit-cve-CVE-2024-28080/

Beautiful authentication bypass in Gitblit from my old friends at @silentsignal !

CVE-2024-28080
repeated
[RSS] exploits.club Weekly Newsletter 84 - Stealing Exploits, Competition Misconfigs, Android Physical Memory, And More

https://blog.exploits.club/exploits-club-weekly-newsletter-84-stealing-exploits-competition-misconfigs-android-physical-memory-and-more/
repeated

Police are investigating a murder-suicide in what appears to be the first documented murder involving someone who engaged extensively with an AI chatbot (Wall Street Journal)

https://www.wsj.com/tech/ai/chatgpt-ai-stein-erik-soelberg-murder-suicide-6b67dbfb?st=Hp4Ajw&reflink=desktopwebshare_permalink
http://www.techmeme.com/250829/p3#a250829p3

repeated

ℒӱḏɩę 💾☮∞🎶♲☀🔋

The public data torrent server has been running reliably for days now, distributing data worldwide that was deleted by the orange clown regime.

Learn more: https://lydie.cc/data.html

RESIST!!!!

repeated

Serious question regarding LLMs.

I have been trying to train a model specifically for one thing: helping me with PF¹ configurations.

Using a Jolla Mind2², which uses llama, I have uploaded the PDF of "The Book of PF (3rd Edition)" (by @pitrh) and the PDFs of the various presentations given on PF.

Then I tried asking some questions and, well, the bit which I find incredibly puzzling is that it gets the answer right (for some basic configurations) but the notation is wrong! Since some presentations / book pages use, for example, the -> character, the LLM uses that for direction in a PF rule, so you get

pass on egress from any -> egress:0 port 80

which is really puzzling.

Note that, in my little mind, having constrained the data set to what I imagine was the best data available, I was expecting pretty impressive results but... no.

Anyone willing to spend a little time to explain why to me? I am really not ranting, I don't want to vibe PF, I just want something to help me have better insights or improve my rules by making suggestions based on good data (i.e. not just searching for it).

__
¹ https://www.openbsd.org/faq/pf/
² https://www.jollamind2.com
³ https://nostarch.com/book-of-pf-4th-edition

repeated

Looks like Word is taking another step (after oh-so-many) to new depths of depravity. Your Word documents will be saved to the cloud automatically on Windows going forward

Even if you're not up to the full move of jumping to , at least get and use Writer instead. It's a word processing program that works for you, not against. is the way forward, not this nonsense

https://www.ghacks.net/2025/08/27/your-word-documents-will-be-saved-to-the-cloud-automatically-on-windows-going-forward/

repeated

Eight years later, I’ve updated my most-starred @github repository with some new @fridadotre scripts, inspired by @spaceraccoonsec's new book “From Day Zero to Zero Day”.

Check it out: https://github.com/0xdea/frida-scripts/

repeated
Edited 4 months ago
I combined DEVCORE's CVE-2024-35250 with the CVE-2024-30084 double fetch bug and the Cloud Filter memory trap technique by @tiraniddo to achieve reliable LPE without device requirements on Win10 VMs.

https://scrapco.de/blog/its-a-trap-reliable-exploitation-of-cve-2024-30084.html
repeated
mutual aid request

I've been bedridden for nine months, and I'm only now getting a surgeon lined up to fix this.
If you could send a couple dollars, it'd really help. Time isn't on my side here, and waiting is very expensive.

https://ko-fi.com/fooneturing

repeated
Edited 4 months ago

checking whether the C compiler works... no

Understandable, have a nice weekend

repeated

The Register wrote a story about a single maintainer open source project. I think it's shameful and upsetting, so I wrote a blog post about it.

An absolutely ridiculous amount of open source is one person projects. I have the data to prove it.

https://opensourcesecurity.io/2025/08-oss-one-person/

repeated

Cisco Talos just disclosed vulnerabilities in Libbiosig, Tenda routers, SAIL image library, PDF-XChange, and Foxit Reader — all now patched by vendors: https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-vulnerabilities/

repeated

This page intentionally left blank
