NEW - DCG Brace Build 2025/04/04 - 1
Release Note: Fix Bluetooth on F42
Toolkit compatible with multiple Linux distros that allows for installation of handpicked applications, along with corresponding configs that have been tuned for reasonable privacy and security.
Compatibility:
Arch Linux
CentOS 9/Stream
Debian 12
Fedora 39/40/41 (preferred)
openSUSE Tumbleweed
https://codeberg.org/divested/brace
#divested
#DivestedComputingGroup
#fsf #FUTO #Fedora #codeberg #hardening #linuxtech #cybersec #cybersecurity #infosec #antivirus
#opensource #linuxsecurity #vulnerabilities #vulnerability #alpinelinux #skynet #foss #freeyourmind
NEW - D-WRT builds available: 2025-03-26
update to kernel 6.6.84
https://divested.dev/unofficial-openwrt-builds/mvebu-linksys
https://codeberg.org/divested/Divested-WRT
#divested
#DivestedComputingGroup
#fsf #FUTO #Fedora #codeberg #hardening #linuxtech #cybersec #cybersecurity #infosec #antivirus #hackernews
#opensource #android #linuxsecurity #vulnerabilities #vulnerability #alpinelinux #router #skynet #foss #freeyourmind
NEW - DCG /etc/hosts available - last updated 2024/12/20
1544291 - Domains blocked with that build!
Supercharging your content blocker to increase privacy and security.
Ready to use lists combined from many permissively licensed sources.
https://divested.dev/pages/dnsbl
@divested @DivestedComputingGroup
#fsf #FUTO #Fedora #codeberg #hardening #linuxtech #cybersec #antivirus #foss
#opensource #android #linuxsecurity #vulnerabilities #vulnerability #alpinelinux #router #skynet #hardening #foss #opensource
NEW - DCG real-ucode - 2024-12-14 - 1
New intel-ucode with that one! Let's goo
https://github.com/divestedcg/real-ucode/
#fsf #FUTO #Fedora #alpinelinux #hardening #linuxtech #cybersec #foss
#opensource #android #skynet #linuxsecurity #ucode #vulnerabilities #vulnerability
I finally bit the bullet and scratched an itch that has been irritating me for months...
Ever since I found the @CVE_Program had JSON meta-data for all of the CNAs, I was interested in whether I could utilize their structured type as a signal for CVEs of interest for converting to OSV (spoiler alert: not really, there are interesting CVEs from CNAs that don't make any mention of open source, and most annoyingly, the GitHub Advisory Database doesn't state it has anything to do with open source)
So that just left me curious to understand how many of these so-called open source CNAs were using Red Hat as an intermediate root CNA, versus MITRE as root of last resort, since it didn't seem like many were rolling up through Red Hat (for reasons unbeknown to me).
I really wanted to create a visual representation of the hierarchy, and being able to generate a CSV had me halfway there and I just hadn't taken the time to figure out a way to visualize it, until today, when something else led me to look at the data for the last time...
Cool bug
Incorrect Type Conversion in interpreting IPv4-mapped IPv6 addresses in #curl results in indeterminate SSRF #vulnerabilities.
Security Vulnerability of HTML Emails
This is a newly discovered email vulnerability:
The email your manager received and forwarded to you was something completely innocent, such as a potential cust... https://www.schneier.com/blog/archives/2024/04/security-vulnerability-of-html-emails.html
I doubt that many of my followers are familiar with Xunlei Accelerator, this application being mostly used in China. I came across it due to its popular Chrome extension with 28 million users. I looked into the security of this application and… security? What security?
https://palant.info/2024/03/06/numerous-vulnerabilities-in-xunlei-accelerator-application/
An overview:
· Program installation directory writable by any user.
· The built-in browser is based on a three-year-old Chromium.
· That browser exposed a powerful internal API to arbitrary websites (⇨ code execution among others).
· This browser could also be opened by any website loaded in the user’s regular browser, without any user interaction.
· XSS vulnerabilities in the display of messages in the main application, despite using React (⇨ code execution).
· Electron’s renderer sandboxing effectively rendered ineffective.
· Local webserver using “authentication” based on a “secret” hardcoded string.
· Plugin installation can be triggered by any website (⇨ code execution).
· Plugin list downloads via insecure HTTP connection (⇨ code execution).
· Rudimentary HTTP client used in some places, with memory safety issues and recognizing exactly two server responses.
· Tons of outdated third-party code, including (but not limited to) two-year-old FFmpeg, twelve-year-old libpng and eight-year-old zlib.
The vendor fixed the most obvious ways to exploit these issues. With the communication being spotty to say the least, I don’t know whether they plan to do more.
#curl 8.0.0 will include 6 security fixes. Out of these 6 #vulnerabilities I found 5 and this brings my total to 24 found from curl. In case you're wondering: I don't consider curl to be exceptionally vulnerable, in fact I consider curl one of the most robust pieces of software I've seen. Offering good #bounties is a great motivation for bug hunting.
“It’s #axiomatic that any system preying upon the #vulnerabilities of the many, to profit the few, is both a #moral and #ethical #atrocity. #Capitalism embodies such a #system.”
My new #post is up over at Ian Welsh’s incredible #blog. I’m #grateful he lets me post my ramblings there. Let me know what you think!
Today we released updates for a series of #vulnerabilities termed 'There's a hole in the boot' / BootHole in GRUB2 that could allow an attacker to subvert UEFI Secure Boot. Learn more here. #security #CVE