Congrats on making it to the front page of Linux @tobhe
@element do you plan to release a security update on F-Droid?
The latest version is June's 1.6.42.
@till is a great person to work with and goes out of their way to bring tech mentorship around the world. Every year Till hosts events and participates in mentorship programs that empower people to work in FOSS.
I dearly hope that @till and OpenPrinting receive support ❤️
Thank you (and Michael) for making printing on Linux just work.
Urgent help for OpenPrinting needed!
As many here know, I am co-founder and lead of OpenPrinting since 2001, known by many as the print guru for Linux and free software. I was also made one of the 8 fellows of the Linux Foundation for this.
Until now I was working at Canonical, hired back in 2006 just to run OpenPrinting and also to maintain printing-related Ubuntu packages.
... 🧵
Please boost.
#OpenPrinting #LinuxFoundation #getfedihired
@Antitree has a new tool to diff seccomp profiles of two containers: https://www.antitree.com/2025/07/introducing-seccompare.com-seccomp-diffs-for-containers/
@flavorjones the @vuldb CNA is notorious for this!
They've gamified CVE submission and have a paywall (:
Some in the CVE Program community have advocated for revoking VulDB's CNA privilege, but the CVE Board needs examples like this!
Cybersecurity Risk Assessment Request
https://daniel.haxx.se/blog/2025/07/11/cybersecurity-risk-assessment-request/
Wrote up my seccomp-diff tool which will extract seccomp BPF from a PID/container and let you diff it with other things.
The initial release with Jay Beale at Shmoocon was more of a POC. This adds some nice features if you're into seccomp. More info:
https://www.antitree.com/2025/07/seccomp-diff-syscall-accountability-tool/
(Cross posting to see if anyone's on this platform)
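To make the "diff two containers' seccomp profiles" idea from the seccompare and seccomp-diff posts above concrete, here is an added example that is not code from either tool. It diffs two Docker/OCI-style seccomp profile JSON documents (the format `docker run --security-opt seccomp=profile.json` consumes) by the effective action each syscall ends up with, and lists the syscalls the second profile newly allows, which is the attack-surface growth a reviewer cares about. The two profiles are constructed sample input; real filters extracted from a running process would be BPF, not JSON, so this works one level up from what seccomp-diff does. Rules carrying `args` conditions are treated as unconditional, and when a syscall name appears in more than one rule the last rule wins; both are simplifications, labelled in the code.

```python
"""Diff two Docker/OCI-style seccomp profiles by effective per-syscall action.

Added example, not the seccompare/seccomp-diff tool's code. The profiles below
are constructed sample input in the Docker seccomp JSON format.
"""
import json

# Constructed sample: a trimmed "base" profile and a "hardened" variant of it.
BASE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "mmap", "clone"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace", "personality"], "action": "SCMP_ACT_ALLOW"},
    ],
})

HARDENED_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "mmap"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_KILL_PROCESS"},
        {"names": ["keyctl"], "action": "SCMP_ACT_ALLOW"},
    ],
})


def effective_actions(profile_json):
    """Return (defaultAction, {syscall: action}) for one profile.

    Simplifications (assumptions of this example, not runtime semantics):
    rules with "args" conditions are treated as unconditional, and if a
    syscall is named by several rules the last one wins.
    """
    profile = json.loads(profile_json)
    default = profile.get("defaultAction")
    actions = {}
    for rule in profile.get("syscalls", []):
        for name in rule["names"]:
            actions[name] = rule["action"]
    return default, actions


def diff_profiles(a_json, b_json):
    """Return {syscall: (action_in_a, action_in_b)} for every difference.

    A syscall absent from a profile's rules falls back to that profile's
    defaultAction, so a syscall that is newly allowed shows up as
    ("SCMP_ACT_ERRNO", "SCMP_ACT_ALLOW") rather than being missed.
    """
    default_a, a = effective_actions(a_json)
    default_b, b = effective_actions(b_json)
    diff = {}
    for name in sorted(set(a) | set(b)):
        act_a = a.get(name, default_a)
        act_b = b.get(name, default_b)
        if act_a != act_b:
            diff[name] = (act_a, act_b)
    if default_a != default_b:
        diff["<default>"] = (default_a, default_b)
    return diff


def newly_allowed(diff):
    """Syscalls profile B allows that A did not: the added attack surface."""
    return sorted(name for name, (old, new) in diff.items()
                  if new == "SCMP_ACT_ALLOW" and old != "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    changes = diff_profiles(BASE_PROFILE, HARDENED_PROFILE)
    for name, (old, new) in changes.items():
        print(f"{name:14} {old:22} -> {new}")
    print("newly allowed:", newly_allowed(changes))
```

The default-action fallback is the part worth copying into any profile diff: comparing only the explicit rule lists would report `keyctl` as "added rule" without saying that it went from denied to allowed, which is the actual security change.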
Waiting for Belgium to find out about Full Disclosure.
This graph is the one I'm most excited about: the lifetime of security flaws in Linux is finally starting to get shorter (and the number of fixed flaws continues to rise).
https://hachyderm.io/@LinuxSecSummit@social.kernel.org/114750428620118674
@yossarian congrats on what you achieved at ToB and on your next endeavor.
It is important to communicate to users the urgency of a security fix.
https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr
Why is the new #ubuntu authd CVE rated as a medium severity?
>When a user who hasn't logged in to the system before (i.e. doesn't exist in the authd user database) logs in via SSH, the user is considered a member of the root group in the context of the SSH session. That leads to a local privilege escalation if the user should not have root privileges.
They set C-I-A to L-L-N. Clearly confidentiality is blown out of the water.
This seems like a critical CVE ~ https://cvss.js.org/cvssjs/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
@joshbressers if you're a CNA, the cve services api to update CVEs is fairly good and quick to update (NVD, which is downstream of cvelistv5, takes a little longer)
Yay! Debian has enabled UBSAN_BOUNDS for array bounds checking in their kernel.
https://salsa.debian.org/kernel-team/linux/-/commit/f0e7aac02bc7ed179637a6c676b2ab4afe4c5db7
Anyone wanting to enforce the checking, don't forget to set the warn_limit sysctl too.
5 years ago I said that we needed to move away from centralized identifiers for vulnerability data in favor of linked data to ensure that vulnerability management processes remain healthy and scalable.
Now the centralized CVE identifiers the entire world depends on are possibly going away.