@louisb good luck!
@w_wobble not directly, but in case it's useful, Heise's Make has an article about it: https://www.heise.de/select/make/archiv/2025/2/seite-32
@cert_eu it has been published on March 11, during the usual Patch Tuesday, not on the 13th...
@daniel no, I don't know either. These are BIOS settings, so it depends on what hardware you have. You may have some luck googling your hardware type and "bios settings".
@daniel you may want to check https://www.youtube.com/watch?v=rXc_zGRYhLo as an introduction
@maik another Heise hype. In the article itself they write at the end that it is not a vulnerability...
See also https://darkmentor.com/blog/esp32_non-backdoor/
@louisb have you looked at the Shelly? https://www.shelly.com/products/shelly-1-mini-gen3
You can use your switch to signal an action (on/off) to the module, in addition to controlling the module over wifi. It is powered from 220V and integrates really well with Home Assistant.
Great analysis of CVE-2024-38063 (IPv6 RCE): https://x.com/f4rmpoet/status/1825472703223992323
Seems limited to DoS “only”.
Does anyone have a good procedure to identify the use of cdn.polyfill.io? (source code analysis, web scanner, ...)
#polyfill
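One way to do the source-code side of that check, as an added example that is not part of the original post: given the site's HTML and JS files, it flags script and link references whose host is polyfill.io or a subdomain of it (covering cdn.polyfill.io and protocol-relative `//` URLs) and ignores look-alike hosts such as notpolyfill.io. The sample HTML and JS below are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Apex domain to flag; subdomains (e.g. cdn.polyfill.io) match as well.
FLAGGED_HOSTS = ("polyfill.io",)

def is_flagged_url(url: str) -> bool:
    """True if the URL's host is polyfill.io or one of its subdomains."""
    u = url.strip()
    if u.startswith("//"):          # protocol-relative URL: give urlsplit a scheme
        u = "https:" + u
    host = (urlsplit(u).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)

class _RefCollector(HTMLParser):
    """Collects (line, tag, url) for <script src> / <link href> hits."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value and is_flagged_url(value):
                    self.findings.append((self.getpos()[0], tag, value))

def scan_html(html: str):
    p = _RefCollector()
    p.feed(html)
    return p.findings

# Coarse pattern for loaders injected from JS; each hit is re-checked by host.
_URL_IN_JS = re.compile(r"""(?:https?:)?//[A-Za-z0-9.-]*polyfill\.io[^\s'"`)]*""")

def scan_js(js: str):
    return [(js.count("\n", 0, m.start()) + 1, "js", m.group(0))
            for m in _URL_IN_JS.finditer(js) if is_flagged_url(m.group(0))]

# Constructed sample input: two real hits, one safe mirror, one look-alike host.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="https://notpolyfill.io/x.js"></script>
</head><body></body></html>"""
SAMPLE_JS = """var s = document.createElement('script');
s.src = 'https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch';
document.head.appendChild(s);"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML) + scan_js(SAMPLE_JS):
        print("line %d <%s>: %s" % hit)
```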
CVSS v4 consistency survey: if you have experience in analysing vulnerabilities with CVSS scores (any version), please try to answer this survey from the IT Security Infrastructures Lab of the Friedrich-Alexander University (FAU) in Germany.
https://user-surveys.cs.fau.de/index.php?r=survey/index&sid=361794
New Ivanti Sentry vulnerability: https://www.ivanti.com/blog/security-update-for-ivanti-standalone-sentry
(high CVSS but not that dramatic, requires TLS client certificates and "adjacent" network)
#ivanti #vulnerability
@magisternavis @gnaegi great, thanks for the info!
@magisternavis @pheraph @gnaegi @freakshow I use HomeAssistant with the built-in HomeBridge integration. That way all devices that HomeAssistant detects and controls are automatically published in HomeBridge. I find it great for bringing the two worlds together.
What I have not tried yet is "upgrading" my "home", as the Home app keeps suggesting. Do you have any experience with that and HomeBridge?
@mariuxdeangelo it really depends on your threat model. The attacks require man-in-the-middle capabilities, which may not be a high likelihood depending on your environment. Then, the attack impact seems to me quite limited: changing the logged-in user, or downgrading the crypto. From my point of view, that’s far away from any practical compromise. Patches are not trivial though, with some backward compatibility issues, so we will need to see if further research shows more acute danger.
@ant0inet you can use them to make chicken breaded with (crushed) corn flakes, it's really good, and you have a chance it will be more popular 😉
@ant0inet nice, that would also be great for documenting radio packets
To add a little detail I should have included initially:
This is a web server/proxy software issue - it's a generic issue (rather than software-specific) so it's going to affect lots of software implementations.
Given just how much "enshittification" of internet companies we've seen of late, I put together a list of 7 basic rules for internet CEOs who DON'T want to enshittify their companies: https://www.techdirt.com/2023/06/21/seven-rules-for-internet-ceos-to-avoid-enshittification/
Interesting research by David Bozzini, an anthropologist at the University of Fribourg, Switzerland, about the history of vulnerability disclosure, from the first (ethical) hackers to modern bug bounty programs:
"My research focuses on the defense mechanism of vulnerability disclosure, which has become immensely valuable to the digital tech industry and beyond. This paper addresses the history of vulnerability disclosure and the emergence of the defensive market that has developed alongside the offensive market. In fact, the defensive market for vulnerability information is a recent model of vulnerability disclosure organized in the form of bug bounty programs. Bug bounties are initiatives managed by companies or organizations looking for information on their own vulnerabilities through which they pay individuals—ethical hackers—to uncover bugs in their systems and, in turn, improve the security of their products and services. In this paper, I analyze the historical processes that have transformed models of vulnerability disclosure over the years and have given rise to a defensive market that has monetized disclosure, turned ethical hacking into labor, and made information on vulnerabilities a commodity."
https://hal.science/hal-04068476
#vulnerabilitydisclosure #bugbounty #history #research #markets