HackerTrans
TopNewTrendsCommentsPastAskShowJobs

spyc

no profile record

Submissions

Expat 2.8.2 released, fixes 13 vulnerabilities

blog.hartwork.org
3 points·by spyc·hace 19 días·0 comments

Steven, please fix the 1% loss/gain graph

blog.hartwork.org
3 points·by spyc·hace 2 meses·1 comments

Expat 2.8.1 released, CVE-2026-45186 and CVSS unreliability

blog.hartwork.org
4 points·by spyc·hace 2 meses·0 comments

Expat 2.8.0 released, includes security fixes

blog.hartwork.org
3 points·by spyc·hace 3 meses·0 comments

Expat 2.7.5 released, includes security fixes

blog.hartwork.org
7 points·by spyc·hace 4 meses·0 comments

Expat 2.7.4 released, includes security fixes

blog.hartwork.org
1 points·by spyc·hace 5 meses·0 comments

Python 3.14 started enabling color for argparse by default

github.com
2 points·by spyc·hace 6 meses·0 comments

sandwine 5.0.0 adds support for Wayland and PipeWire

github.com
1 points·by spyc·hace 8 meses·0 comments

Reconsider W3C Recommendation status of XSLT 2.0 and XSLT 3.0

github.com
11 points·by spyc·hace 9 meses·1 comments

Expat 2.7.3 released, includes security fixes

blog.hartwork.org
2 points·by spyc·hace 10 meses·0 comments

Expat 2.7.2 released, includes security fixes

blog.hartwork.org
1 points·by spyc·hace 10 meses·0 comments

DomainFactory WTF 2025

blog.hartwork.org
1 points·by spyc·el año pasado·0 comments

How much security is in long-term support?

blog.hartwork.org
2 points·by spyc·el año pasado·0 comments

Recursion kills: The story behind CVE-2024-8176 in libexpat

blog.hartwork.org
162 points·by spyc·el año pasado·163 comments

How to help an Open Source project that your company depends on

blog.hartwork.org
1 points·by spyc·el año pasado·0 comments

Most IT companies fail to serve security.txt for RFC 9116 in 2025

blog.hartwork.org
43 points·by spyc·el año pasado·32 comments

comments

spyc
·hace 29 días·discuss
Both libexpat ("Expat") and uriparser are following the curl security vacation and will not accept new vulnerability reports before 2026-08-01, starting today.

[1] https://github.com/libexpat/libexpat/issues/1277

[2] https://github.com/uriparser/uriparser/issues/323
spyc
·hace 7 meses·discuss
The current implementation breaks semantics of functions with tail recursion from within loops: https://github.com/raaidrt/tacopy/issues/1
spyc
·hace 9 meses·discuss
Potentially the movie itself is also or more of interest. The related thread is: https://news.ycombinator.com/item?id=45056377
spyc
·el año pasado·discuss
Both implementations of doas for Linux have (the same) unfixed security issue:

- https://github.com/Duncaen/OpenDoas/issues/106

- https://github.com/slicer69/doas/issues/110

I have a hard time recommending doas over sudo on Linux when the issue has been fixed in sudo but not in doas.
spyc
·el año pasado·discuss
Lost trust for sure. Who knows if Redis would be AGPL now if Valkey did not exist.
spyc
·el año pasado·discuss
If anyone wonders what atop looks like at runtime or what it would be useful for, there's a video dedicated to the tool at https://www.youtube.com/watch?v=27AtCR5ftyM .
spyc
·el año pasado·discuss
I see, thanks!
spyc
·el año pasado·discuss
Update: I found https://www.bismuth.sh/ at https://news.ycombinator.com/user?id=ianbutler .
spyc
·el año pasado·discuss
I'm reading "I can go into why another time." like "I don't have time" personally, not like "I am not allowed to say".
spyc
·el año pasado·discuss
Hi! Three things:

- There is no commit with a SHA1 like that in atop Git history and what you shared is too long for a SHA1, it looks more like a SHA256. Did you share the right checksum? The only other way I can read this is that it's a SHA256 checksum of one of the past atop release tarballs or artifacts. I have not yet checked those.

- I have tried finding your tool Bismuth but all I find is things KDE and crypto currencies. Please share a link to the Bismuth that you are working on.

- You technically said that you are working on Bismuth /and/ found something, not that you found the bug /through/ Bismuth. Please clarify if and how that was the case.

Thank you!
spyc
·el año pasado·discuss
There are parsers that only implement a tiny subset of XML. And Expat has compile time flags to disable some of that machinery where not needed. It's arguably no longer XML then though.
spyc
·el año pasado·discuss
Thank you!
spyc
·el año pasado·discuss
Thanks for sharing that research!
spyc
·el año pasado·discuss
"Quickly kill the process" is still a denial of service security problem.
spyc
·el año pasado·discuss
Correct.
spyc
·el año pasado·discuss
Did you see the article references [1][2] from 2006 and 2017 that already argue that recursion is a security problem? It's not new just not well-known.

[1] https://www.researchgate.net/publication/220477862_The_Power...

[2] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.tx...
spyc
·el año pasado·discuss
That idea works in general but causes false positives: No artificial limit you pick is "right" and the false positives can be avoided by getting rid of the recursion altogether.

PS: It's not one single function, not direct but indirect recursion.
spyc
·el año pasado·discuss
The point of termination is beyond stack overflow here, that's the problem. And unlike heap, stack does not tell you gently that it's running out.
spyc
·el año pasado·discuss
Not if you need to report the same thing to multiple parties. And why make it hard to someone who does whitehat work for you.
spyc
·el año pasado·discuss
That's not a good reason to not host the file.