#CVE-2025-49144 is such bullshit:

• When you run an elevated exe, it can do what it wants, it doesn't need another exe for that.
• It actually does nothing for you if you install 8.8.2, because it's the installer that is vuln.
• You can't even download version 8.8.2 right now.

Can we please start enforcing CNA rules and actually restrict CNAs that break these rules? When we need CVEs for our products we need to be very precise and correct to not get our CNA in trouble and other CNAs just do what the want without any consequeces.

@briankrebs Roll20 is informing its users that they had a data breach on the 29th of June. Possible compromised are first and last name, email address, last known IP and last 4 digits of credit card number.

@teivel @WPalant That is why I said "most". And regarding PRs: There is really not much to see...he just merged his own PRs.

@WPalant It was actually noticed at 1:30 AM UTC

https://twitter.com/Malcoreio/status/1773887701218951673

@WPalant Most of the history is still accessable via the official mirror: https://git.tukaani.org/?p=xz.git;a=summary

@djh @zhenech @joeyh
The dot made check_c_source_compiles fail and thus disabled the sandbox.

@eb Regarding https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Jia Tan disabled the sandbox on Linux on 2024-02-26 with this commit: https://git.tukaani.org/?p=xz.git;a=blobdiff;f=CMakeLists.txt;h=d2b1af7ab0ab759b6805ced3dff2555e2a4b3f8e;hp=76700591059711e3a4da5b45cf58474dac4e12a7;hb=328c52da8a2bbb81307644efdb58db2c422d9ba7;hpb=eb8ad59e9bab32a8d655796afd39597ea6dcc64d

There is a dot present at the start of the first "empty" line making check_c_source_compiles always fail.

@cadey Just a heads up as I'm going to bed now. Kali shipped the backdoored version between 26.03. and 29.03.

@cadey Regarding https://xeiaso.net/notes/2024/xz-vuln/

openSUSE Tumbleweed shipped the backdoored version for 21 days.

https://news.opensuse.org/2024/03/29/xz-backdoor/

@thunderbird Are you aware of any problems with PGP decryption not working with PGP encrypted attachments? Worked fine beforehand, does not work with Supernova.

What is your most annoying security bullshit software and why is it BitSight?

Anybody seen this before?

@realn2s It looks like there are two new ones and the project is now abandonware and they will not be fixed.

@infosecsidekick I already have that certificate, but I gladly boosted.

To be honest I kind of hate "giveaways" because often times they are lame, but I have the opportunity to give away a pretty legit prize to one person and I also wanted to selfishly raise awareness to my podcast.

If you or someone you know is interested in entering for a chance to win a free Blue Team Level 1 certification voucher, all you have to do is subscribe to my podcast for free at https://www.infosecsidekick.com

I'll be releasing a conversation with the CEO, Joshua Beaman later today and announcing a winner later this week.

Please feel free to share, boost, and comment on this post to reach those that may benefit most from this.

I wish I could give away more than just one...maybe in the future I will...but for now, this is the best I can do and I hope it really helps someone out there kickstart their career growth.

#infosec #training #podcast #giveaway

I'm happy to announce that I passed BTL1 first try with 90% score.

https://www.credly.com/badges/369367ef-1f53-48ab-8796-b6d457a0a846/public_url

@thunderbird TbSync and Conversations are not yet compatible. So it's a hard pass for now.

Wir suchen einen Linux-Systemadmistrator der einen Großteil meiner aktuellen Aufgaben übernimmt.

Details: https://jobs.mbconnectline.com/o/linuxsystemadministrator-mwd

@katzenjens @milan Nutzer können diese Inhalte markieren. Funktioniert sehr gut bei allen Youtubern die nicht extrem klein sind.

Wir suchen einen Linux-Systemadmistrator der einen Großteil meiner aktuellen Aufgaben übernimmt.

Details: https://jobs.mbconnectline.com/o/linuxsystemadministrator-mwd