HackerTrans
TopNewTrendsCommentsPastAskShowJobs

kro

no profile record

Submissions

CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free

my.f5.com
7 points·by kro·il y a 23 jours·4 comments

AWS to also block ipcomp and xfrm modules in DirtyFrag mitigation

aws.amazon.com
1 points·by kro·il y a 2 mois·1 comments

comments

kro
·il y a 23 jours·discuss
Only 1.31.0 and 1.31.1 are affected.
kro
·il y a 23 jours·discuss
These commits [1] are related to the issue. I am not too familiar with the code, but it appears nginx manages/closes streams in a pool at times the attacker cannot control, and during short windows, it is vulnerable.

[1]:

https://github.com/nginx/nginx/commit/ceccdbd2ee799d020a371b...

https://github.com/nginx/nginx/commit/9e293766e73c469c015df5...
kro
·il y a 27 jours·discuss
I did that for a while because of compatibility issues with a newer laptop, it works but generally if there is no reason it's way easier to stay with the provided packages. Compiling weekly due to security patches becomes annoying over time for no real gain other than the version number
kro
·il y a 27 jours·discuss
mysql/maria also lets you turn off/down the isolation level for queries if you know the guarantees aren't needed, to speed things up. I think postgres does not have that option.
kro
·il y a 2 mois·discuss
I've been receiving loads of spam from google MX servers lately until blocking all mails with X-Google-Group-Id headers. I don't know how it's possible, the contents were 100% spammer controlled, no Google template
kro
·il y a 2 mois·discuss
You are correct.

Reminds me, we once got a letter by a German government body requesting some data exports from our company, and to upload them on findrive-ni.de

It turned out to be legit, but it's neither a subdomain of the state of Niedersachsen domain nor referenced in their official sites.
kro
·il y a 2 mois·discuss
That also often shoots you as when json_encoding it only becomes an array when ordered "correctly" (numeric 0-based keys without gaps), otherwise an object. So to be safe you generally need to array_values after filtering. If in your testdata you only remove elements from the end you don't catch that before production data hits.

To get the first element there also is reset().

I love PHP though.
kro
·il y a 2 mois·discuss
Sounds good - which software supports this? Specifically I'd prefer if it would do a composite key derivation in-time rather than "just a pw prompt but TPM has the full key"
kro
·il y a 2 mois·discuss
Ubuntu also released TPM based FDE a few versions ago. I had these thoughts then and decided against using it. Typing my passphrase on boot is muscle memory and gives me simple security I can trust.

Also can recover data without my mainboard.

Maybe a hybrid (secureboot-TPM+phrase) slot for day to day to also prevent against evil maid attacks, and another slot with a backup passphrase would be acceptable.
kro
·il y a 2 mois·discuss
No remotely reachable vuln should be taken lightly.

At the moment though, the preconditions look odd. I've been using nginx in various constellations for 10 years and never once combined rewrite and set.
kro
·il y a 2 mois·discuss
However, some privs can be gained in namespaces/unshare.
kro
·il y a 2 mois·discuss
It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.

https://lists.debian.org/debian-security-announce/2026/msg00...
kro
·il y a 2 mois·discuss
Next easy attack vector is (non-rootless) docker run with rootfs mount, many are in docker group even when sudo is protected. Also, most sensitive data is in the user scope anyways (on a PC).

You should always run dev stuff in containers to start with. And when your system is compromised, reprovision from a higher scope, too many places to hide backdoors
kro
·il y a 2 mois·discuss
So far all the information suggested to disable esp and rxrpc modules.

This bulletin suggest that more modules are necessary for complete mitigation
kro
·il y a 2 mois·discuss
Containers, even with root user, are often stripped of these capabilities unless --privileged
kro
·il y a 2 mois·discuss
VPN usage increased, but how to they draw the conclusion that this is children. I think it's more likely that adults are using VPNs to not have to deal with the ID process. I would do that.

As VPNs usually cost some money, which is already a barrier for minors.
kro
·il y a 2 mois·discuss
CAP_NET/SYS_ADMIN is required for this. So this would be "not as bad" as the others.
kro
·il y a 2 mois·discuss
It's scary to think that some day it will be more than a local attack vector. I don't want to imagine the fallout from a remote rce via tcp/ip.
kro
·il y a 2 mois·discuss
These copyfail exploits allow an unprivileged (daemon/app) user (not in sudoers) to get root without interaction from the original system maintainer.

It's quite different from PATH-injecting an already privileged user.

Also, these memory corruptions can likely be used as container escape primitives too. Albeit not easily.

It's a serious break of a security boundary. Yes, container layer adds defense, and normal unix security isn't perfect, but it should not allow this.
kro
·il y a 2 mois·discuss
Maybe it would be reasonable for sysadmins to proactively whitelist used / block all exotic unused modules that are not needed in their system configuration.

This would reduce the amount of ring 0 code. But I've never seen such advice.