Forwarding here from golang-annou...@googlegroups.com /
https://groups.google.com/d/msgid/golang-announce/5mK6WBRsRxukMSqsImZ6mw%40geopod-ismtpd-0
(I'm not affiliated with the Golang project.)
- Forwarded message from annou...@golang.org -
> Date: Wed, 11 Dec 2024 17:53:06 + (UTC)
>
[Forwarding here because I seem to recall that the
NodeJS team doesn't usually post their announcements
to this list; I have no other affiliation with
NodeJS.]
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
Tuesday, January 21, 2025 Security Releases
Security releases av
iTerm2 (https://iterm2.com), a popular Terminal.app
replacement for macOS, announced a vulnerability in
versions < 3.5.11 whereby input/output from an SSH
connection may be logged to the file /tmp/framer.txt
on the remote host. To the best of my knowledge,
there is no CVE associated with this vuln
Nick Tait wrote:
> [1] Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling
>
> CVE ID: CVE-2024-12084
>
> CVSS 3.1: 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
> Description: A heap-based buffer overflow flaw was found in the rsync
> daemon. This issue is due to improper han
Matthias Gerstner wrote:
> we were surprised to find a local root exploit in
> the Screen 5.0.0 major version update affecting distributions that ship
> it as setuid-root (Arch Linux and NetBSD).
I think it's useful to clarify here that NetBSD does
_not_ ship with GNU screen(1) at all. NetBSD's
Jacob Bachmeyer wrote:
> Would "systems using pkgsrc-2025Q1, notably including NetBSD 9.x and NetBSD
> 10.1" have been a fair way of describing that set?
I think that's a lot better, although I would probably
have phrased it as:
Systems using screen(1) built from pkgsrc, including
binary packag