Collaborate Disseminate
For a time homebrew was serving the vulnerable XZ Utils / liblzma versions 5.6.0 and 5.6.1. I observed on my own MacBook pro that I had the 5.6.1 installed via homebrew.
The current state of knowledge seems to suggest that macOS was so far… Continue reading Is macOS vulnerable to the XZ-vulnerability? [migrated]
I am working on finding workaround for CVE-2022-29190 in my application.
My application makes use of telegraf.
It also states this:
Telegraf is written in Go and compiles into a single binary with no external dependencies.
When I read det… Continue reading CVE-2022-29190 due to telegraf?
I am working on finding workaround for CVE-2022-29190 in my application.
My application makes use of telegraf.
It also states this:
Telegraf is written in Go and compiles into a single binary with no external dependencies.
When I read det… Continue reading CVE-2022-29190 due to telegraf?
MITRE is unable to compile a list of all new vulnerabilities, and NIST is unable to subsequently, and consequently, provide an enriched database of all vulnerabilities. What went wrong, and what can be done?
The post CVE and NVD – A Weak and Frac… Continue reading CVE and NVD – A Weak and Fractured Source of Vulnerability Truth
For my own (public) servers, is it considered a good idea to only allow ssh connections from VPN connections (OpenVPN, Wireguard or otherwise), to mitigate any possible attacks in the future on ssh?
It seems that ssh is constantly under at… Continue reading Does using a VPN to allow ssh connections provide better security, especially after seeing how CVE-2024-3094 (XZ backdoor) is done?
The recent conspicuous faltering of the National Vulnerability Database (NVD) is “based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” says the U.S. N… Continue reading NVD: NIST is working on longer-term solutions
Many threads like this one on reddit are springing up, which is great for spreading awareness of a major CVE. But questionable advice like this occasionally worms its way in:
Check your version with xz -V in the terminal
Now, this obviou… Continue reading Will using the xz binary trigger any call-home mechanism? [closed]
A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” R… Continue reading Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)
The National Vulnerability Database has ceased some of its work, but some experts fear the formation of a consortium to address its problems lacks sufficient urgency.
The post Plan to resuscitate beleaguered vulnerability database draws criticism appeared first on CyberScoop.
Continue reading Plan to resuscitate beleaguered vulnerability database draws criticism
In my work, we use a database to collect information about vulnerabilities which have CVE-ids assigned to them. One of these data is the CWE, which we store in a single column directly in the table containing the CVEs. The question is whet… Continue reading Can a single CVE have multiple CWEs? [closed]