cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
Hey folks, if you run Redis you should be aware of a CVSS 10 vuln, CVE-2025-49844, which is a Lua-related RCE. Redis has released a patch for this and 3 other CVEs. According to Wiz, this vuln has existed for 13 years. That means forks such as Valkey may also be impacted. Valkey has also released updates to address the same CVEs.
Redis: https://www.runzero.com/blog/redis/
Valkey: https://www.runzero.com/blog/valkey/
#Security #Redis #Valkey #CVE-2025-49844 #CVE202549844
https://github.com/macports/macports-ports/pull/28592
GitHub Continuous Integration checks passed OK!
Alas, the agent.patch that iamGavinJ had created doesn't apply cleanly, in large part because ssh-agent.c has been reworked significantly with this release.
Subsequently, I closed this previous Pull Request: https://github.com/macports/macports-ports/pull/28592 not because I didn't want to restore that functionality to launchd, but because it will require more effort than I can give such things at this time.
But, check out these improvements to ssh-agent from the OpenSSH 10.1 release notes:
"ssh-agent(1) (https://man.openbsd.org/ssh-agent.1), sshd(8): move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).
This ensures processes that have restricted filesystem access that includes /tmp do not ambiently have the ability to use keys in an agent.
Moving the default directory has the consequence that the OS will no longer clean up stale agent sockets, so ssh-agent now gains this ability.
To support $HOME on NFS, the socket path includes a truncated hash of the hostname. ssh-agent will, by default, only clean up sockets from the same hostname.
ssh-agent(1) gains some new flags: -U suppresses the automatic cleanup of stale sockets when it starts. -u forces a cleanup without keeping a running agent, -uu forces a cleanup that ignores the hostname. -T makes ssh-agent put the socket back in /tmp."
Anyway, I updated this as well:
https://trac.macports.org/ticket/72482
I should probably actually close this ticket now that I think of it (fingers crossed that adding that to the PR is sufficient, since I forgot to add that note to the commit message as is typically preferred: https://trac.macports.org/ticket/73084).
#OpenSSH #MacPorts #SecureShell #macOS #encryption #security #infosec
"The violence has put local #Jewish community members in the #Seattle area on edge just days before the #Oct7 anniversary of the #Hamas-led attacks on #Israel, which triggered the ongoing war in #Gaza.
“I’m always aware, wherever I am, thinking about my #security,” Michele Bat-Or told KOMO News.
A reported rise in #antisemitism globally after Oct. 7, 2023, has left local Jewish people, like Bat-Or, feeling at risk.
“I usually wear a #Jewishstar necklace, and I changed to a different symbol,” she continued, “That feels a little bit too unsafe to wear a Jewish star around my neck.”
🇬🇧 UK govt demands access to British Apple users' data, reigniting its privacy dispute with Apple 🔐
Apple pulled Advanced Data Protection from UK iCloud, calling the move "gravely disappointing" ⚠️
Critics warn secret orders threaten global security 🕵️
🧑⚖️ Legal hearing set for Jan 2026
🔗 https://www.bbc.com/news/articles/c740r0m4mzjo
#TechNews #Privacy #Apple #UK #DataRights #Encryption #CyberSecurity #Surveillance #CivilLiberties #HumanRights #TechPolicy #iCloud #DataProtection #EndToEndEncryption #Security
The lethal trifecta for #AI #agents: private data, untrusted content, and external communication
https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
LibreSSL 4.1.1 and 4.0.1 released https://www.undeadly.org/cgi?action=article;sid=20251002054519 #openbsd #libressl #tls #https #cryptography #security #newrelease #development #freesoftware #libresoftware
Recording is out for our @centos Proposed Updates SIG talk at @allsystemsgo !
Tune in here if you couldn't make it in person
https://youtu.be/r8FWdGweVrc?si=5XdIRMJysWA8D23a
https://cfp.all-systems-go.io/all-systems-go-2025/talk/9QUZNY/
TL;DR we maintain a new repo for updates intended for upstreaming to CentOS Stream, so if you deploy CentOS Stream in production you can get access to updates earlier without diverging from Stream long term.
#AllSystemsGo #FOSSConf #FOSSConference #Linux #LinuxDistro #Security
🇦🇹 Austria's Armed Forces have replaced MS Office with LibreOffice on 16,000+ workstations 📄
This shift began in 2020 to avoid mandatory cloud reliance ☁️
Their goal? Digital sovereignty—not cost saving 🔒
They even contributed 5+ person-years of code 🛠️
EU trend toward open-source grows 🇪🇺
🔗 https://news.itsfoss.com/austrian-forces-ditch-microsoft-office/
#TechNews #LibreOffice #Linux #OpenSource #Privacy #FOSS #Security #Europe #EU #Microsoft #Cloud #DigitalSovereignty #Government #Defense #Innovation #Technology
In retrospect, I'm frankly surprised it took so long for someone to name a worm "Shai-Hulud". I should have been waiting for it for years; it seems so obvious in hindsight.
#security #ComputerSecurity #malware #worm #ShaiHulud #infosec
I recently found some cryptocurrency phishing pages–there's nothing really unusual about that, those are pretty common.
But I stumbled on these because of their weird robots.txt files, which caused me to briefly question everything I know about the 30-year-old web standard that is robots.txt. Why? Well, specifically these lines in the files:
Disallow: /add_web_phish.php
Disallow: /en-us/report
Disallow: /report
Disallow: /phish.report
"add_web_phish.php" is the PhishTank reporting URL. The other endpoints are also phish site reporting endpoints of Netcraft, ESET, etc.
...this isn't how robots.txt works. Like, at all. And that's not the only thing that points to the relative inexperience of the actor behind these pages.
Read more:
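A small triage script, added here as an example and not part of the original post: it parses a robots.txt file and flags Disallow entries that name phish-reporting endpoints, the tell the post describes. The robots.txt text is constructed for the example (its endpoint names mirror the ones quoted above), and the SUSPICIOUS_PATTERNS heuristic is an assumption of this example, not a published rule.

```python
"""Triage heuristic for robots.txt: flag Disallow lines that name
phish-report endpoints.  Added example; not code from the original post."""
import re

# Constructed sample input for this example; the endpoint paths echo
# those quoted in the post above.
SAMPLE_ROBOTS_TXT = """\
# constructed example
User-agent: *
Disallow: /admin/
Disallow: /add_web_phish.php
Disallow: /en-us/report
Disallow: /report
Disallow: /phish.report
Allow: /
"""

# Assumed heuristic: substrings that belong to abuse-reporting URLs rather
# than to a site's own content.  A real robots.txt only steers well-behaved
# crawlers; it cannot hide a page from reporting services, so such entries
# reveal intent instead of achieving anything.
SUSPICIOUS_PATTERNS = (
    re.compile(r"phish", re.IGNORECASE),
    re.compile(r"(^|/)report(\b|$)", re.IGNORECASE),
)


def parse_robots(text):
    """Return (directive, value) pairs, dropping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        rules.append((directive.strip().lower(), value.strip()))
    return rules


def disallowed_paths(text):
    """Every non-empty Disallow value, in file order."""
    return [v for d, v in parse_robots(text) if d == "disallow" and v]


def flag_suspicious(text):
    """Disallow paths that look like phish-reporting endpoints."""
    return [p for p in disallowed_paths(text)
            if any(pat.search(p) for pat in SUSPICIOUS_PATTERNS)]


if __name__ == "__main__":
    for path in flag_suspicious(SAMPLE_ROBOTS_TXT):
        print("suspicious Disallow:", path)
```

Run it against a fetched robots.txt instead of the sample to get the same flag list; anything it reports is a reason to look at the rest of the site, not proof on its own.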
We have to stop the Google/Apple mobile duopoly. And we have to stop the marching enshittification of society. More concretely, we have to fight back against Google's attempt to lock-down the whole Android ecosystem.
https://f-droid.org/2025/09/29/google-developer-registration-decree.html
This is something that any sane regulatory body should forbid.
#google #apple #android #aosp #fdroid #privacy #security #enshittification #surveillance #mobile #politics
> 'You'll never need to work again': Criminals offer reporter money to hack BBC
Super early morning flight for #AllSystemsGo! For my last international #FOSSConference of the year (before I try to not complicate my international move situation by having too much travel) I will be co-presenting, with Davide Cavalca, the @centos #ProposedUpdates #SIG and how we use it to handle critical issues (including #CVE) and how you can do it too!
1.6 million and climbing.
Not that any government ever takes any notice of any of these petitions, but signing it at least makes me feel like I'm trying something. Letter to (unfortunately rigidly loyal Labour) MP next...
https://www.theguardian.com/politics/2025/sep/27/petition-opposing-starmer-plan-digital-id-cards
#DigitalID #Surveillance #Privacy #Security #Starmer #Labour
#Blink home security cameras are emailing us that we need to install an update or they'll stop working.
I have not researched this update, but somehow I know #enshittification is at hand. We started with #blink before they were bought by Amazon.
Any advice from the #security #homesecurity #digitalsecurity pros?
Maybe we need a new system?
Travelling with Eurostar across the Channel today, as I’ve done many times before. However, it was the first time there was an extra check in between the Belgian passport control and the automated gates: a British official quickly leafing through all the visa pages of my passport!
What is that all about?
#Eurostar #TrainTravel #security #CrossBorderRail
I once mistyped `serde` as `sedre` and thought, "oh boy, that's a simple mistake to make. What if someone registered the crate and put malicious code in it?"
So I registered the crate and made it fail at compile-time with a hint about the typo. (See here: https://github.com/mre/sedre/blob/main/src/lib.rs)
Turns out, a few people make the same mistake every week. That little thing has prevented 1.214 incorrect installations so far. 😎
Posting this in light of https://blog.rust-lang.org/2025/09/24/crates.io-malicious-crates-fasterlog-and-asyncprintln/
This guide provides a step-by-step walk-through for integrating a uTrust FIDO2 security key (Identiv uTrust) with Fedora 42 to secure:
* LUKS2 full disk encryption (FDE)
* Graphical login (LightDM + Cinnamon)
* Sudo elevation
#Fedora #Security #Cybersecurity #InfoSec #Linux #OpenSource
Tomorrow 2025-09-25 at 10:30 CEST, the refreshed "Network Management with the OpenBSD Packet Filter Toolset" https://events.eurobsdcon.org/2025/talk/FW39CX/ by yours truly, @stucchimax and Tom Smyth will start at #eurobsdcon.
We will put the updated slides online just before the session starts.
#openbsd #freebsd #pf #packetfilter #networking #firewall #trickery #security
JLR shutdown extended again as ministers meet suppliers
Jaguar Land Rover has been unable to produce cars since a cyberattack at the end of August and its factories will remain suspended until next month at the earliest.
#Jaguar #LandRover #cyberattack #security #cybersecurity #hackers #hacking #hacked #automotive #auto #cars
No, thank you, @1password@1password.social.
Can someone tell me if @bitwarden is pushing AI in their service offerings? If not, it might be time to move back or, maybe better, just get more serious about using @keepassxc@fosstodon.org.
1Password now available in Comet, the AI-powered browser by Perplexity
https://blog.1password.com/1password-now-available-in-comet-the-ai-browser-by-perplexity/
Cache of Devices Capable of Crashing Cell #Network Is Found Near #UN
The #SecretService discovered more than 100,000 SIM cards & 300 servers, which could disable #cellular towers or be used to conduct #surveillance.
#Security #GlobalSecurity #NationalSecurity
https://www.nytimes.com/2025/09/23/us/politics/secret-service-sim-cards-servers-un.html?smid=nytcore-ios-share&referringSource=articleShare
One official said the network was capable of sending 30 million text messages per minute, anonymously. The official said the agency had never before seen such an extensive operation.
There is no specific information that the #network, now dismantled, posed a threat to the conference itself, #SecretService officials said, speaking on the condition of anonymity to discuss an ongoing investigation. The agency leads the #security for the #UN meetings this week.
Investigators found the SIM cards & servers in August at several locations within a 35-mile radius of the #UN headquarters. The discovery followed a monthslong investigation into what the agency described as anonymous “telephonic threats” made to 3 high-level #US #government officials this spring — one official in the #SecretService & 2 who work at the #WhiteHouse.
The agency did not provide details about the threats made to the 3 officials.…
Investigators have been going through the data on SIM cards that were part of the network, including calls, texts & browser history. Matt McCool, the top agent at the Secret Service’s NY field office, said they expected to find that other senior government officials had also been targeted in the operation.
The agency shared crime scene photos of servers with antennas & SIM cards. In some cases, the servers holding the SIM cards were on floor-to-ceiling shelves.
Anthony J. Ferrante, the global head of the #cybersecurity practice at FTI, an international consulting firm, said the operation appeared to be sophisticated & costly.
“My instinct is this is #espionage,” said Ferrante, who previously served in top cybersecurity positions at the White House & the FBI.
In addition to jamming the cellular network, he said, such a large amount of equipment near the #UN could be used for #eavesdropping.
James A. Lewis, a #cybersecurity researcher at the Center for European Policy Analysis in Washington, said that only a handful of countries could pull off such an operation, including #Russia, #China & #Israel.
“This is an ongoing investigation, but there’s absolutely no reason to believe we won’t find more of these devices in other cities,” Mr. McCool [great spy name] said.
On Thursday, September 25, 2025, Tom Smyth and I will be giving a "Network Management with the OpenBSD Packet Filter Toolset" tutorial https://events.eurobsdcon.org/2025/talk/FW39CX/ at #eurobsdcon in #zagreb. Register: https://2025.eurobsdcon.org/registration.html #openbsd #freebsd #networking #pf #packetfilter #security #trickery
complyctl is a powerful command-line utility implementing the principles of “ComplianceAsCode” (CaC) with high scalability and adaptability for security compliance!
#complyctl #security #infosec #cybersecurity #Fedora #Linux #OpenSource
In case you missed it earlier, "EU CRA: It's Later Than You Think, Time to Engineer Up!" https://nxdomain.no/~peter/eu_cra_its_later_than_you_think_time_to_engineer_up.html (also https://bsdly.blogspot.com/2025/09/eu-cra-its-later-than-you-think-time-to.html) is a call to up your engineering game in time for the Act to introduce the requirement to do so.
Written for an introductory workshop. #softwaredevelopment #engineering #security #sbom #dependencies