infosex.exchange <3

You are probably looking for the infosec.exchange Mastodon instance

This host is mostly for my random stuff, and in little part acts like a well-intentioned placeholder for the typosquatted domain.

Discoverability and Archiving

Currently I'm using this host for saving the items from my own feeds to the Wayback Machine and provide in-links for search engines. I hate that I have to do this, but the non-sense ideology of Mastodon pretty much ruined the search feature for Fediverse as a whole, and this wasn't changed by the fact that they owned their mistake and implemented search eventually.

Yes, I (or anyone else) could do similar things with other peoples published feeds, regardless of the tantrum. No, you can't defederate this, because the process doesn't rely on an instance.

Gluttony Section for Search Engines

Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes

https://blog.hartwork.org/posts/expat-2-7-0-released/

@hanno asks for expert xdev review on oss-security:

https://www.openwall.com/lists/oss-security/2025/03/14/7
this post | permalink
This is the out-of-bands read, that didn't get a CVE apparently:

https://github.com/php/php-src/security/advisories/GHSA-wg4p-4hqh-c3g9

#PHP #NoCVE
this post | permalink
PHP security releases 8.4.5, 8.3.19, 8.2.28, 8.1.32

https://www.openwall.com/lists/oss-security/2025/03/14/6

CVE data collected by Alan Coopersmith:

"Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes
Use-After-Free). (CVE-2024-11235)
https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477

Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when
requesting a redirected resource). (CVE-2025-1219)
https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc

Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic
auth header). (CVE-2025-1736)
https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528

Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to
1024 bytes). (CVE-2025-1861)
https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff

Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers
without colon). (CVE-2025-1734)
https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44

Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not
handle folded headers). (CVE-2025-1217)
https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g "

#PHP
this post | permalink
@joern
this post | permalink
@revng I don't think external links are a problem, but without an algorithm and low number of followers posts can easily get buried in peoples timelines (so reposting can be a good idea). Hashtags can help a lot, because people can follow those.

Anything I missed @shellsharks ?
this post | permalink
@effinbirds Damn I need this!
this post | permalink
@molly0xfff also, this reply captures the X vibe perfectly:
this post | permalink
This "analysis" by Wallarm - claiming active exploitation of CVE-2025-24813 Tomcat RCE - is wrong in multiple ways (maybe LLM slop?):

https://web.archive.org/web/20250314071219/https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/

There is a PoC on GitHub too now - it improves my findings by directly invoking the session corresponding to the saved object so you don't have to wait for periodic refreshes:

https://github.com/iSee857/CVE-2025-24813-PoC/

This PoC will raise the EPSS score too.
this post | permalink
@molly0xfff Her query may also have non-linear complexity, 60k rows is nothing.
this post | permalink
now these were Computers:

https://www.youtube.com/watch?v=oLnvvOoWnzU
this post | permalink
Next Page