Security Leftovers
-
APNIC ☛ How can RPKI be made quantum-safe?
RPKI relies on digital signatures to secure Internet routing — but these signatures could be cracked by future quantum computers. RPKI needs to upgrade to quantum-safe signatures before that day comes.
-
Iustin Pop: Watching website scanning bots
Ever since I put up http://demo.corydalis.io, and set up logcheck, I’m inadvertently keeping up with recent exploits in common CMS frameworks, or maybe even normal web frameworks issues, by seeing what 404s I get from the logs.[...] a bot finds the site, and then it tries in fast succession something like this (real log entries, with the source IP address removed): [...]
[...]
And another surprising thing is that for this type of scanning to work (and I’ve time) list of static resources it will serve. I haven’t made the switch to fully embedding in the binary, but at that point, it won’t need to read from the but that’s it, no arbitrary filesystem traversal. Strange that some frameworks http://demo.corydalis.io 😄.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri).
-
Pen Test Partners ☛ Leaked data. Continuous glucose monitoring
TL;DR Closing the Loop Just before COVID struck the world, I was travelling through Colorado on a Sunday on a ski trip with some friends. My work phone pinged with a message from a colleague (the awesome @evstykas who has now moved on to do even more cool things with APIs).