W/R/T #CVE

1) This is still a thing: https://resist.bot/petitions/PWDDUS

Makes it easy to pester Congress about the CVE program.

2) I was reminded of this bit of Internet history: https://www.pigdog.org/auto/digital_gar_gar_gar/shortfeature/605.html

It was written in 1999, about 3 months before CVE came on this scene. It’s snarky. But there was no DNS Fairy, either.

Hey, ask the #CVE project your uncomfortable questions starting in 10m at #defcon policy, W234 second level. go!

#libsoup #cve is marked as insecure and
#bambu-studio depends on libsoup and is the reason I can't build my #nixos

just takes me to long to find this.
Is there a faster way to see which config packages depends on?

nix why-depends ?

"SUSE Multi-Linux Manager provides automated patching, content lifecycle management, and realtime monitoring to keep your mixed Linux environment secure"

#CVE #RCE #InfoSec

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-46811

Just got slotted in for BSidesLV on talking about (you guessed it) #CVE:

https://bsideslv.org/talks#what-should-cve-be-when-it-grows-up

Hang out with me and the gang on Tuesday at 13:00.

And of course keep an eye on all of @runZeroInc's other Vegas haps:

https://www.runzero.com/summer-camp-2025/ . We're freakin' everywhere this year.

In the scope of GCVE and @circl we couldn't find a practical, publicly available, and accessible document that outlines best practices for vulnerability handling and disclosure.

So we created a new one, released under an open-source license, to which everyone can freely contribute.

PDF: https://gcve.eu/files/bcp/gcve-bcp-02.pdf
HTML: https://gcve.eu/bcp/gcve-bcp-02/
Contributing: https://github.com/gcve-eu/gcve.eu/blob/main/content/bcp/gcve-bcp-02.md

Didn't we have a small howl on here about this Cisco ISE RCE vuln and how patches were slow?

Welp, POC is out. Pretty neat too.

https://www.thezdi.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability

Another WordPress plugin injection vuln. The original supply chain vulnerability. (Well, no, but you can smell what I'm cooking right?)

Critical Flaws in WordPress Plugin Leave 10,000 Sites Vulnerable

https://www.infosecurity-magazine.com/news/flaws-wordpress-plugin-expose/

Microsoft Copilot Rooted to Gain Unauthorized Root Access to its Backend System

Source: Cyber Security News

Full article: https://cybersecuritynews.com/microsoft-copilot-rooted/

I love the @github Security Advisory Database because they actually preserve the data from rejected advisories including the original information and the reason for rejection.

It’s clearly much more insightful than just having a bare ID marked as "rejected."

You can easily spot this in vulnerability-lookup: https://vulnerability.circl.lu/vuln/cve-2025-54371#related

Yet another great example of why having diverse sources for vulnerability data matters.

Don't forget to join us today online at 14:00 (Luxembourg local time) for "GCVE.eu initiative - introduction and how to become a GNA" part of the @circl Virtual Summer School (VSS) 2025
Details available at: https://circl.lu/pub/vss-2025/

Unbound 1.23.1 in now available. This security release fixes the Rebirthday Attack CVE-2025-5994.

The vulnerability re-opens up #DNS resolvers to a birthday paradox, for EDNS client subnet servers that respond with non-ECS answers. The #CVE is described here:
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

We would like to thank Xiang Li (AOSP Lab, Nankai University) for discovering and responsibly disclosing the vulnerability.
https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.1

Minutes from the CVE Board teleconference meeting on June 25 are now available

https://www.mail-archive.com/cve-editorial-board-list@mitre.org/msg00277.html

#cve #vulnerability #vulnerabilitymanagement #hssedi #cisa #infosec #cybersecurity

Just published a proof-of-concept exploit for CVE-2025-32463, a new Linux privilege escalation vulnerability affecting sudo discovered and disclosed by Stratascale about 2 weeks ago.

The PoC is available on GitHub. A full technical writeup will be published on my blog soon.

GitHub: https://github.com/morgenm/sudo-chroot-CVE-2025-32463

Microsoft Patch Tuesday, July 2025 Edition - Microsoft today released updates to fix at least 137 security vulnerabilities in i... https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/ #microsoftpatchtuesdayjuly2025edition #microsoftconfigurationmanager #microsoftdefendersmartscreen #latestwarnings #cve-2025-47178 #cve-2025-47981 #cve-2025-49695 #cve-2025-49696 #cve-2025-49697 #cve-2025-49702 #cve-2025-49719 #cve-2025-49740 #securitytools #immersivelabs #action1

https://www.europesays.com/2226640/ Central Banks increase spending on gold in May #CentralBank #CentralBankGoldReservesSurvey2025 #CentralBanks #CVE:NAU #Economy #FRA:5E50 #Gold #NevGoldCorp. #NewmontCorporation #NYSE:NEM #OTCMKTS:NAUFF #QatarCentralBank #TSE:NGT #WorldGoldCouncil

I do not consent to be used by, used for, or interact in any way with AI.

Reason number 163.327.205:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32711

Important for #OpenBSD users is the comment in the ports-update commit message. #CVE-2025-32463 #SUDO