Cheers for the report Matthias and SUSE Security!
Could you please comment on the affectedness of upstream screen 5.0.1?
https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=464c8d8f945f53f8cbb854517279349e09d74756
This version was released ~an hour before your initial oss post. I
Evan (CC'd) wrote tooling to detect tj-actions/changed-files compromises over
the weekend.
tj-scan is now public and aims to help others review logs from their private
and public repos for leaked credentials.
https://github.com/chainguard-dev/tj-scan
Mark
On Sat, Mar 15, 2025 at 12:03 PM
On March 14 2025 at 16:57:45 UTC the tj-actions/changed-files GitHub action was
compromised with commit 0e58ed8 ("chore(deps): lock file maintenance (#2460)").
This commit was added to all 361 tagged versions of the GitHub action. This
malicious commit results in a script that can leak CI/CD secrets
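As an added example (not Chainguard's tj-scan and not code from any message on this page), the following Python scans GitHub workflow files for `uses:` steps that reference a remote action by a mutable ref (tag or branch) rather than a full 40-hex commit SHA, and flags the action named above. The point it illustrates is the one the advisory makes: because the malicious commit was added to every tagged version, a workflow referencing the action by tag pulled in the new commit without any change on the consumer's side, whereas a full-SHA pin cannot be retargeted. The sample workflow is constructed for this example, and the 40-hex value in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow, not a real repository file. It mixes a tag
# reference, a version tag, a full commit SHA pin, and step kinds the check
# should skip (a local action path and a docker image).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@45.0.1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# `uses:` at any indentation, with or without a leading list dash; the
# reference runs up to whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Yield (line_number, action, ref) for every `uses:` step.

    `ref` is None when the target has no '@' part. Local actions and docker
    images are yielded too; callers decide whether to skip them.
    """
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("docker://"):
            # docker refs may contain '@sha256:...'; do not split them on '@'
            yield lineno, target, None
            continue
        action, sep, ref = target.partition("@")
        yield lineno, action, (ref if sep else None)


def find_unpinned(workflow_text, watch=("tj-actions/changed-files",)):
    """Return remote-action steps whose ref is not a full commit SHA.

    Each finding records the line, action, ref, and whether the action is on
    the watch list (defaulting to the action named in the advisory above).
    """
    findings = []
    for lineno, action, ref in parse_uses(workflow_text):
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if ref is not None and FULL_SHA_RE.match(ref):
            continue  # immutable pin: a retargeted tag cannot change what runs
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "watched": action in watch,
        })
    return findings


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        flag = "WATCHED " if f["watched"] else ""
        print(f"line {f['line']}: {flag}{f['action']}@{f['ref']} "
              "is not pinned to a full commit SHA")
```

A SHA pin only prevents future retargeting; it does nothing about secrets that were already printed into logs while a tag-referenced run executed the malicious commit, which is the case the log-review tooling announced above is for.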
On Wed, Jan 22, 2025 at 03:18:10PM +0100, Johannes Segitz wrote:
> We're not empowered to do this. We are a CNA for code that we own (e.g.
> zypper), but not for arbitrary open source projects.
The text of SUSE's scope [0] is similar to Canonical's [1]. We
understand "All Canonical issues (includi
we have discovered that Perl's ScanDeps module is also
> trivially exploitable through various calls to eval() ("string" eval()s,
> https://perldoc.perl.org/functions/eval). Consequently and impressively,
> in response to our advisory:
>
> - all of ScanDeps's vulnerable calls
On Fri, Sep 27, 2024 at 01:49:52AM +0200, Solar Designer wrote:
> Thanks Alan! On Twitter, Alan further clarified that "once it was clear
> the info was out there, the distro makers wanted to end the embargo so
> they could publish advisories telling users to disable cups-browsed
> instead of wait
MITRE is not required to assign CVEs.
It is always best to work with upstream (if possible). MITRE is more
likely to respond if upstream replies to your email ticket ACKing the
CVE request. Otherwise, you may want to ask Red Hat's CNA to assign a
CVE [0].
Upstream has already agreed that this is
> > Jonathan Wright from AlmaLinux can vouch for us
> >
> > Best regards,
> >
> > --
> > _o) Michel Lind
> > _( ) identities:
> > https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
>
> I know that at least Neal Gompa i
for
> > graphical interface but not entirely (unless there's a way to switch to the
> > requesting TTY for approval).
> >
> >
> > Thank you!
> >
> > On Thu, 13 Jun 2024, 23:36 Mark Esler, wrote:
> >
> > > At Marco
At Marco's request, I am asking MITRE to either revoke CVE-2024-37408 or for
MITRE to transfer CVE ownership to Canonical's CNA for revocation.
On Thu, Jun 13, 2024 at 06:40:51PM +0200, Marco Trevisan wrote:
> Hi Yaron,
>
> Thanks for taking time to look into this issue.
>
> We appreciate the a
of EOD attacks makes the recent SMTP Smuggling attacks so
surprising! It is hard to believe that SMTP servers were recently vulnerable
to . variations and that others still are.
Thanks Solar :)
Mark Esler and Bastien Roucariès
safe to configure sendmail to `O RejectNUL=True` (which would break
RFC 2822 section 4 [6] by rejecting email which include NUL)?
What are the benefits and risks of stripping ASCII NUL and other control
characters from SMTP DATA?
Feedback appreciated,
Mark Esler and Bastien Roucariès
[0] https:/
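The two messages above ask about end-of-data (EOD) variations and about stripping or rejecting NUL and other control characters in SMTP DATA. As an added example (not sendmail, not any MTA's code, and not code from either message), the Python below scans a raw DATA body for non-canonical EOD sequences (any CR/LF combination around a lone dot other than CRLF.CRLF), bare CR, bare LF, NUL, and other control bytes, and shows one way to express a reject-or-strip policy. The `evaluate` rules are an illustration of the trade-off asked about, not a recommendation; the RFC question raised in the message is left as stated there. The sample DATA body is constructed, not captured traffic.

```python
import re

# Canonical SMTP end-of-data sequence (RFC 5321, section 4.1.1.4).
CANONICAL_EOD = b"\r\n.\r\n"

# Any line-break combination around a lone dot. If the receiving server
# treats one of the non-canonical forms as EOD while the relay in front of
# it only recognises the canonical form, the two disagree about where the
# message ends.
EOD_RE = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")

BARE_CR_RE = re.compile(rb"\r(?!\n)")     # CR not followed by LF
BARE_LF_RE = re.compile(rb"(?<!\r)\n")    # LF not preceded by CR
NUL_RE = re.compile(rb"\x00")
# Control bytes other than NUL, TAB, LF and CR.
OTHER_CTRL_RE = re.compile(rb"[\x01-\x08\x0b\x0c\x0e-\x1f\x7f]")


def scan_data(raw):
    """Report framing and control-character anomalies in a DATA body."""
    eod = [
        (m.start(), "canonical" if m.group(0) == CANONICAL_EOD else "variant")
        for m in EOD_RE.finditer(raw)
    ]
    return {
        "eod": eod,
        "bare_cr": [m.start() for m in BARE_CR_RE.finditer(raw)],
        "bare_lf": [m.start() for m in BARE_LF_RE.finditer(raw)],
        "nul": [m.start() for m in NUL_RE.finditer(raw)],
        "other_ctrl": [m.start() for m in OTHER_CTRL_RE.finditer(raw)],
    }


def evaluate(raw, reject_nul=True):
    """Return (verdict, reasons) for a DATA body.

    Rejects when a non-canonical EOD variant appears inside the body (the
    framing is ambiguous between hops) and, if reject_nul is set, when a NUL
    byte is present. Everything else is accepted.
    """
    report = scan_data(raw)
    reasons = []
    if any(kind == "variant" for _, kind in report["eod"]):
        reasons.append("non-canonical end-of-data sequence inside DATA")
    if reject_nul and report["nul"]:
        reasons.append("NUL byte in DATA")
    return ("reject" if reasons else "accept"), reasons


def strip_controls(raw):
    """Drop NUL and other control bytes, keeping TAB, CR and LF.

    Line breaks are deliberately left untouched: rewriting a bare LF or CR to
    CRLF after the body has been read would turn a variant EOD into a
    canonical one, which is the ambiguity the scan is meant to surface.
    """
    return OTHER_CTRL_RE.sub(b"", NUL_RE.sub(b"", raw))


# Constructed sample body: a dot-stuffed line, a NUL, a bare LF, a
# non-canonical EOD variant, then the canonical terminator.
SAMPLE_DATA = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"..dot-stuffed line\r\n"
    b"nul\x00here\r\n"
    b"bare\nlf\r\n"
    b"\n.\r\n"
    b"text after the variant terminator\r\n"
    b"\r\n.\r\n"
)

CLEAN_DATA = b"Subject: ok\r\n\r\nplain body\r\n.\r\n"

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_DATA), ("clean", CLEAN_DATA)):
        print(name, scan_data(body))
        print(name, evaluate(body))
```

The dot-stuffed line (`..`) is not reported because the EOD pattern requires a line break immediately after the dot, which is the distinction a receiver has to make when un-stuffing.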
Reporting security issues to ROS 2 with proof of concepts and by
following their disclosure policy would be appreciated and valued.
https://ros.org/reps/rep-2006.html
I recommend asking upstream for advice and sharing your manuscript with
them.
Mark Esler
On 4/22/24 20:52, Yash Patel wrote
4-30730,
CVE-2024-30733, CVE-2024-30735, CVE-2024-30736, and CVE-2024-30737
Many thanks to Florencia Cabral Berenfus for her analysis of these claims!
Mark Esler
[0] https://dl.acm.org/doi/abs/10.1145/3573910.3573912
[1] https://github.com/yashpatelphd/CVE-2024-30737/issues/1
[2]
https://d