The talk was centered on Ratatui (a TUI library in Rust, https://ratatui.rs/) now targeting terminals and web browsers with a shared approach. Video recording of the talk should appear online soon.
Nice post @javierhonduco, really interesting read!
As you mention that you are looking into loosening the minimum kernel requirements, what is currently the primitive(s) that is dictating the minimum required version? And how do you plan to sidestep that?
> So we were already potentially vulnerable to the DOS [...]
> the security org at the big tech company I worked at and reported this to
I'm confused about these two statements, because I did not find any recent CVEs for log4j in the DoS category, nor related to format lookup (other than CVE-2021-44228 of course).
Perhaps I misread it, but are you basically saying that (after you reported the issue to them internally) the security team at your previous company could not successfully report a DoS vulnerability in the default configuration of a widely used (by them, at least) Apache library and make sure a CVE got assigned to track it?
If so, it would be interesting to know where the CVE/vuln-reporting chain broke, possibly to reduce the blast radius for similar future cases.
Hypothetically speaking, a CVE in March for a DoS in a problematic design/feature could have resulted in flipping the default setting earlier. Instead of chasing live RCE in the wild in December.
This is a demo that was just showcased live by the author as part of their talk at FOSDEM'25: https://fosdem.org/2025/schedule/event/fosdem-2025-5496-brin...
The talk was centered on Ratatui (a TUI library in Rust, https://ratatui.rs/) now targeting terminals and web browsers with a shared approach. Video recording of the talk should appear online soon.