Gonçalo Valério @dethos@s.ovalerio.net

"“Magic links” can end up in Bing search results — rendering them useless."

https://medium.com/@ryanbadger/magic-links-can-end-up-in-bing-search-results-rendering-them-useless-37def0fae994

#security #authentication

"The OpenSSL 3.0.4 release introduced a serious bug in the RSA
implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys
incorrect on such machines and memory corruption will happen during
the computation. As a consequence of the memory corruption an attacker
may be able to trigger a remote code execution on the machine performing
the computation."

https://www.openssl.org/news/secadv/20220705.txt

#security #infosec #openssl

"Multiple Vulnerabilities in Flower and Downstream Attacks on Airflow"

https://tprynn.github.io/2022/05/26/flower-vulns.html

Issues were addressed in Airflow, but not in flower.

#python #celery #flower

"MitM at the Edge: Abusing Cloudflare Workers"

https://blog.christophetd.fr/abusing-cloudflare-workers/

#security #cloudflare #cloudflare-workers

"TikTok Quietly Updated Privacy Policy to Collect Faceprints and Voiceprints"

https://www.pandasecurity.com/en/mediacenter/security/tiktok-privacy-faceprints/

#security #privacy #android #ios #tiktok

"Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks."

https://github.com/ossillate-inc/packj

#security #supplychain

"Controlling the access to the clipboard contents"

https://blog.ovalerio.net/archives/2439

#clipboard #security #python

"Python packages upload your AWS keys, env vars, secrets to the web"

https://blog.sonatype.com/python-packages-upload-your-aws-keys-env-vars-secrets-to-web

#python #security #infosec

"How to: Look for TLS private keys on Docker Hub"

https://labs.detectify.com/2022/06/16/how-to-look-for-tls-private-keys-on-docker-hub/

#security #docker #dockerhub #containers

"Terraform as part of the software supply chain"

"... Looking at the security of Terraform itself and the things which could go wrong when running it, however, have very little coverage so far."

https://about.gitlab.com/blog/2022/06/01/terraform-as-part-of-software-supply-chain-part1-modules-and-providers/

#terraform #security

"Python logging: do’s and don’ts"

https://www.palkeo.com/en/blog/python-logging.html

#python #logging

"Firefox rolls out Total Cookie Protection by default to all users worldwide"

https://blog.mozilla.org/en/products/firefox/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/

👍

#firefox #browsers #privacy

"Dockerfile best-practices for writing production-worthy Docker images."

https://github.com/hexops/dockerfile

#security #docker

"Public Travis CI Logs (Still) Expose Users to Cyber Attacks"

https://blog.aquasec.com/travis-ci-security

#security #ci #travis #infosec

"Changing the End-of-Life Date for Node.js 16 to September 11th, 2023"

"When we put together Node.js 16 the hope was that we would be able to include OpenSSL 3. Unfortunately, the timing of the releases did not allow that to be possible, and we released Node.js 16 with OpenSSL 1.1.1. OpenSSL 1.1.1 is scheduled to be supported up until September 11th, 2023, which is seven months before the planned End-of-Life date of Node.js 16 (April 2024)."

https://nodejs.org/en/blog/announcements/nodejs16-eol/

#nodejs #security

"“PACMAN” Hack Can Break Apple M1’s Last Line of Defense"

https://spectrum.ieee.org/pacman-hack-can-break-apple-m1s-last-line-of-defense

#security #apple #m1 #cpu