Robert Gützkow

IT security, software engineering and digital art. he/him

Robert Gützkow boosted:
2026-01-20

lol seclists.org/oss-sec/2026/q1/89

telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.

If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.

In telnetd for a decade 💀
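The flaw described in the post above is argument injection: a client-controlled string reaches the login argument vector and is parsed as an option. The following C sketch is an added example, not code from telnetd or from the advisory; the helper names, the 32-character limit and the allowed character set are assumptions, and it assumes the login program parses options getopt-style so that `--` ends option parsing.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: accept a client-supplied login name only if it cannot
 * be parsed as an option or split into several arguments. */
int user_is_safe(const char *user)
{
    size_t len;

    if (user == NULL)
        return 0;
    len = strlen(user);
    if (len == 0 || len > 32)          /* assumed length limit */
        return 0;
    if (user[0] == '-')                /* would be read as an option such as -f */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        /* Letters, digits and a few punctuation characters only: no
         * whitespace, so the value always stays a single argument. */
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Fill argv (capacity >= 4) for an exec of login. Returns the argument count,
 * or -1 when the name is rejected and the caller should fall back to the
 * normal interactive login prompt instead of trusting the client's USER. */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    if (cap < 4 || !user_is_safe(user))
        return -1;
    argv[0] = "/usr/bin/login";
    argv[1] = "--";                    /* end of options: name is never a flag */
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}
```

Validation and the `--` separator are independent layers: the first rejects the value outright, the second keeps any value that does get through from being interpreted as a flag.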

Robert Gützkow boosted:
2026-01-14

You don't need to pay Apple or start a new subscription to unleash your creativity. We asked creatives what free software they use to get the job done and here are their picks.

A thread 🧵

kde.org/for/creators/

#creativity #design #audio #art #video

Robert Gützkow boosted:
2025-12-27

At the gpg.fail talk and omg #39c3

You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.

Won’t even blame PGP here. C is unsafe at any speed.

gpg has not fixed it yet.

Robert Gützkow boosted:
Blender 🔶Blender
2025-12-10

The Blender project remembers Germano Cavalcante, long-time Blender contributor. Our hearts go out to his family and friends in Brazil. blender.org/news/remembering-g

2025-12-10

@Blender It is incredibly sad to hear that Germano has passed away. Leukemia and cancer in general is just a horrible illness. I will always remember him fondly for his development work on Blender. It's a tough realization that we won't ever see his Batman avatar pop up again in any of the issues or commits because he is gone. I hope his family has good support to navigate this difficult time.

Robert Gützkow boosted:
2025-12-09

Notepad++ have released a new version to fix the auto update process being hijacked notepad-plus-plus.org/news/v88

I reported the vulnerability, it is being hijacked by threat actors in China. doublepulsar.com/small-numbers

Robert Gützkow boosted:
2025-12-03

There is an unauthenticated remote code execution vulnerability in React Server Components.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by this vulnerability.

CVE-2025-55182

Mastodon server not impacted btw.

react.dev/blog/2025/12/03/crit

Robert Gützkow boosted:
2025-11-28

We're back with five more apps up for adoption at our fundraiser:

- LabPlot: A powerful data analysis and visualization tool that accepts data in all kinds of formats.

- Okular: Your one-stop app for viewing all kinds of documents. Okular supports annotations, digital signing, and more.

- KStars: Your private planetarium that also helps you schedule and execute your observation and astrophotography sessions.

kde.org/fundraisers/yearend202

#fundraiser #FreeSoftware

A screenshot of LabPlot showing different types of graphs. A screenshot of Okular, showing a document with lots of annotation, like post-its, drawings, labels, etc. A screenshot of KStars showing a starscape and the observation planner.

Robert Gützkow boosted:
2025-11-25

Over the last 12 months, watchTowr Labs uncovered thousands of leaked credentials: cloud keys, AD creds, API tokens, even KYC data - already being abused.

Join us on our journey into “innocent” developer tools.

labs.watchtowr.com/stop-puttin

2025-11-24

If you're deploying linkerd and pods do not run properly due to readiness probes failing with a 403, check if your unmeshed application responds with a redirect (302) to the readiness probe. Apparently linkerd does not follow redirects, unlike EKS; it processes the response as an error and then treats this as an authentication issue. #k8s #mtls #devsecops #linkerd #linkerd2 #servicemesh

Robert Gützkow boosted:
Blender 🔶Blender
2025-11-18

Blender Foundation and the online developer community proudly present Blender 5.0!

ACES, Adaptive Subdivision, HDR, Storyboarding, Geometry Nodes, 588 bugs fixed, and so much more.

📖Changelog & Download: blender.org/download/releases/

📺 Video Recap: youtube.com/watch?v=4wEqD-jK0DU

Robert Gützkow boosted:
2025-11-15
2025-11-14

@JacquesLucke I won't be able to make it this time.

Robert Gützkow boosted:
Blender 🔶Blender
2025-11-13

Did Blender help you this year? Help back!

If every active user contributed $5 this month, Blender would be funded for the entire year 2026.

Professional 3D software. No subscriptions. No limits. Just your support.

Do your part. Donate today.

blender.org/news/give-back-to-

Oti the penguin, showing a good example of "giving back".
Robert Gützkow boosted:
Blender 🔶Blender
2025-11-13

Blender 5.0 has entered Release Candidate stage! 🚀

Please take some time to try it, test your add-ons, files (backup first!), and report any bugs you find.

⬇️ Download: builder.blender.org/download/d
📖 What's New: developer.blender.org/docs/rel
🐞 Report: Help→Report a Bug

Robert Gützkow boosted:
2025-11-03

MIT have also silently, without noting on the pages, started rewriting their website to remove references to their own work. They've also changed the URLs of the pages to remove references.

Left, before: archive.ph/SckSr

Right, after: mitsloan.mit.edu/ideas-made-to

Robert Gützkow boosted:
2025-11-02

Something very important to know in your threat model if you use Tor Browser on Windows:

By default it installs to your Desktop folder, which is by default mirrored to OneDrive at Microsoft. Microsoft has access to your OneDrive content for cybersecurity analysis via privacy carve outs. The Tor folder contains sensitive content.

The solution is to install at root of C: drive.

2025-11-02

Anybody else getting loads of notification mails by Shodan today for the same systems over and over? #shodan

2025-10-24

@filippo Does GitHub allow having pipeline definitions in a separate repository like GitLab does? Thought that concept was interesting, but obviously brings other challenges regarding compatibility with changes over time and release branches with long-term support.

Robert Gützkow boosted:
2025-10-23

Microsoft are rolling out Gaming Copilot to all Windows 11 PCs (excluding in China).

Enabled by default, silent install, takes screenshots and trains MS AI by default.

It installed on my Windows 11 Professional PC 🫡 it’s also not dependent on an NPU or Copilot+

doublepulsar.com/microsoft-bui
