#Tag · bonfire.cafe

⚠️ Go lib maintainer: GitHub's Dependabot is a 'noise machine'

｢ He argues that dependencies should be updated according to the project's development cycle, not whenever a new version of a package appears. Updating quickly also carries some risk if malicious code has been added to a package. ｣

https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/

#Dependabot #vulnerability #github #opensource #cybersecurity

Go lib maintainer: GitHub's Dependabot is a 'noise machine'

: When a one-line fix triggers thousands of PRs, something's off

jbz

@jbz@indieweb.social · 3 days ago

⚠️ Go lib maintainer: GitHub's Dependabot is a 'noise machine'

https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/

#Dependabot #vulnerability #github #opensource #cybersecurity

Go lib maintainer: GitHub's Dependabot is a 'noise machine'

: When a one-line fix triggers thousands of PRs, something's off

Hacker News

@h4ckernews@mastodon.social · last week

I found a Vulnerability. They found a Lawyer

https://dixken.de/blog/i-found-a-vulnerability-they-found-a-lawyer

#HackerNews #Vulnerability #Disclosure #Cybersecurity #LegalIssues #EthicalHacking #HackerNews

I found a Vulnerability. They found a Lawyer.

What happens when you responsibly disclose a critical vulnerability exposing personal data - including that of minors - and the organization responds with legal threats instead of a thank you?

Bill

@Sempf@infosec.exchange · 2 weeks ago

Bring out yer path traversal memes!!

https://seclists.org/fulldisclosure/2026/Feb/10

#linksys #vulnerability

Full Disclosure: [SYSS-2025-001] Linksys MX9600/MX4200 - Path Traversal

Harry Sintonen

@harrysintonen@infosec.exchange · 2 weeks ago

Plethore of critical #Linksys MX4200 Wi-Fi router vulnerabilities (that were originally reported to Linksys nearly a year ago!) are still unfixed:

- [SYSS-2025-001] Linksys MX9600/MX4200 - Path Traversal https://seclists.org/fulldisclosure/2026/Feb/10
- [SYSS-2025-002] Linksys MX9600/MX4200 - Missing Authentication for Critical Function https://seclists.org/fulldisclosure/2026/Feb/11
- [SYSS-2025-009] Linksys MX9600/MX4200 - SQL Injection https://seclists.org/fulldisclosure/2026/Feb/12
- [SYSS-2025-010] Linksys MX9600/MX4200 - OS Command Injection https://seclists.org/fulldisclosure/2026/Feb/13
- [SYSS-2025-011] Linksys MX9600/MX4200 - OS Command Injection https://seclists.org/fulldisclosure/2026/Feb/18
- [SYSS-2025-014] Linksys MX4200 - Improper Verification of Source of a Communication Channel
https://seclists.org/fulldisclosure/2026/Feb/19

On first read it might appear that many of these vulnerabilities would only be exploitable by accessing the device non-WAN interface(s) from inside the local network. However, due to the SYSS-2025-014 vulnerability the normally "LAN only RCE" vulnerabilities (SYSS-2025-010 and -011) and SQL injection (SYSS-2025-009) can be performed from the WAN interface (read: the internet). The attacker merely needs to make the connection originate from port 5222 (which is trivial to arrange via local bind before connect).

I recommend retiring the affected devices immediately as the manufacturer clearly has no motivation to fix the issues in a timely manner.

#linksys #fulldisclosure #vulnerability #infosec #cybersecurity

Full Disclosure: [SYSS-2025-014] Linksys MX4200 - Improper Verification of Source of a Communication Channel

Full Disclosure: [SYSS-2025-011] Linksys MX9600/MX4200 - OS Command Injection

Full Disclosure: [SYSS-2025-010] Linksys MX9600/MX4200 - OS Command Injection

Full Disclosure: [SYSS-2025-009] Linksys MX9600/MX4200 - SQL Injection

Full Disclosure: [SYSS-2025-002] Linksys MX9600/MX4200 - Missing Authentication for Critical Function

Full Disclosure: [SYSS-2025-001] Linksys MX9600/MX4200 - Path Traversal

:debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse:

@selea@social.linux.pizza · 2 weeks ago

Ok, so I have this HP-server in my garage that I've had for years.
I decided to plug it in, add drives and connect the iLO port.

Ofcourse, I have forgotten the iLO password - and I dont have a monitor that I can use to reset it via the BIOS.

I do remember this vulnerability from a couple of years ago, that where I could get the password (or change it) for the Administrator user with a curl post request.
But I can't find it.

Help

#linux #curl #hp #ilo #infosec #vulnerability_research #vulnerability #askfedi #askfediverse

hbrpgm

@hbrpgm@adalta.social · 2 weeks ago

📺 https://peer.adalta.social/w/bG7GEPHbVSBzsFmeoM1LAD
🔗 [🇩🇪🇺🇸🇫🇷](https://p4u.xyz/ID__FKNQB6R/1)

Die Absicherung des Dateisystems als kritische Maßnahme gegen Datenkorruption und Ausfälle

#vulnerability #netbsd #runbsd #ownyourdata #itnotes

Ad Alta UG (Germany)

Trending Bot boosted

Alexandre Dulaunoy

@adulau@infosec.exchange · 3 weeks ago

Full disclosure in computer security still exists and is complementary to other disclosure models. The evolution of vulnerability disclosure is not linear from full disclosure to responsible disclosure to coordinated disclosure. These models coexist and all need to be taken into account.

You can’t just say “the legal framework will solve it” or “just do coordinated disclosure.” Vendors, researchers, and users are not all rational actors playing the same game.

Vulnerability disclosure is more complex than that, and if you actually want to address the issue, you can’t just say “it doesn’t exist.”

#cve #gcve #vulnerabilitymanagement #cybersecurity #fulldisclosure #vulnerability

Alexandre Dulaunoy

@adulau@infosec.exchange · 3 weeks ago

You can’t just say “the legal framework will solve it” or “just do coordinated disclosure.” Vendors, researchers, and users are not all rational actors playing the same game.

Vulnerability disclosure is more complex than that, and if you actually want to address the issue, you can’t just say “it doesn’t exist.”

#cve #gcve #vulnerabilitymanagement #cybersecurity #fulldisclosure #vulnerability

Trending Bot and 1 other boosted

Harry Sintonen

@harrysintonen@infosec.exchange · 3 weeks ago

Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.

Madness.

source: https://mrbruh.com/amd/

#vulnerability #infosec #cybersecurity

The RCE that AMD won't fix!

After reporting a RCE in AMD's auto-update software, they decided to not patch it due to it requiring a man-in-the-middle attack to perform.

Harry Sintonen

@harrysintonen@infosec.exchange · 3 weeks ago

Madness.

source: https://mrbruh.com/amd/

#vulnerability #infosec #cybersecurity

The RCE that AMD won't fix!

After reporting a RCE in AMD's auto-update software, they decided to not patch it due to it requiring a man-in-the-middle attack to perform.

Harry Sintonen

@harrysintonen@infosec.exchange · 3 weeks ago

Madness.

source: https://mrbruh.com/amd/

#vulnerability #infosec #cybersecurity

The RCE that AMD won't fix!

After reporting a RCE in AMD's auto-update software, they decided to not patch it due to it requiring a man-in-the-middle attack to perform.

Robert W. Gehl boosted

Lorenzo Ancora :verified:

@LorenzoAncora@ieji.de · 4 weeks ago

Notepad++'s update servers have been compromised by Chinese hackers and all users had been exposed to malware. The developer estimated the overall compromise period spanned from June through December 2, 2025.
Users should update to version 8.9.1 (or superior) immediately.

Source: https://notepad-plus-plus.org/news/hijacked-incident-info-update/

#security #vulnerability #windows #text #editor #notepad #foss #freesoftware #software