Forwarded from MiaoTony's Box (MiaoTony 🐱)
#今天又看了啥 #telegram #security #CVE #XSS
Telegram Web app XSS/Session Hijacking 1-click [CVE-2024–33905]
Attack surface: Telegram Mini Apps
“Telegram Mini Apps are essentially web applications that you can run directly within the Telegram messenger interface. Mini Apps support seamless authorization, integrated crypto and fiat payments (via Google Pay and Apple Pay), tailored push notifications, and more.”
This attack surface also affects web3 users because it handles crypto payments through the TON Blockchain.
Telegram fixed the flaw on March 11th, 2024.
Vulnerable version: Telegram WebK 2.0.0 (486) and below
Fixed version: Telegram WebK 2.0.0 (488)
https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90
Telegram Web app XSS/Session Hijacking 1-click [CVE-2024–33905]
Attack surface: Telegram Mini Apps
“Telegram Mini Apps are essentially web applications that you can run directly within the Telegram messenger interface. Mini Apps support seamless authorization, integrated crypto and fiat payments (via Google Pay and Apple Pay), tailored push notifications, and more.”
This attack surface also affects web3 users because it handles crypto payments through the TON Blockchain.
Telegram fixed the flaw on March 11th, 2024.
Vulnerable version: Telegram WebK 2.0.0 (486) and below
Fixed version: Telegram WebK 2.0.0 (488)
https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90
Medium
Telegram Web app XSS/Session Hijacking 1-click
This is the technical write up of a severe vulnerability I reported to Telegram’s Bug Bounty program on March 9th, 2024.
Telegram fixed…
Telegram fixed…
GNU nano 8.0 released
Rust 1.78.0 released
The 6.9-rc7 kernel prepatch is out for testing.
"run0" as a sudo replacement (part of the upcoming systemd 256 release)
Rust 1.78.0 released
The 6.9-rc7 kernel prepatch is out for testing.
"run0" as a sudo replacement (part of the upcoming systemd 256 release)
咕 Billchen 咕 |
GNU nano 8.0 released Rust 1.78.0 released The 6.9-rc7 kernel prepatch is out for testing. "run0" as a sudo replacement (part of the upcoming systemd 256 release)
Save Nix Together
Eelco Dolstra’s leadership is corrosive to the Nix project
https://save-nix-together.org/
https://really-save-nix-together.org/
https://determinate.systems/posts/on-community-in-nix/
Eelco Dolstra’s leadership is corrosive to the Nix project
https://save-nix-together.org/
https://really-save-nix-together.org/
https://determinate.systems/posts/on-community-in-nix/
save-nix-together.org
open letter to the NixOS foundation
GLib CVE-2024-34397: GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing
Vulnerable versions:
GLib 2.80.x before 2.80.1
all versions before 2.78.5
https://gitlab.gnome.org/GNOME/glib/-/issues/3268
Vulnerable versions:
GLib 2.80.x before 2.80.1
all versions before 2.78.5
https://gitlab.gnome.org/GNOME/glib/-/issues/3268
GitLab
CVE-2024-34397: GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing (#3268) · Issues · GNOME / GLib…
Vulnerability summary Alicia Boya García discovered a security issue in GLib's GDBusConnection. When subscribing to a D-Bus signal using a...
[security] Go 1.22.3 and Go 1.21.10 are released
CVE-2024-24787: On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVE-2024-24788: A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
CVE-2024-24787: On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVE-2024-24788: A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
咕 Billchen 咕 |
https://docs.python.org/3.13/whatsnew/3.13.html#what-s-new-in-python-3-13
As documented in the PEP 719, the first beta of Python 3.13 was released on May 7. (No new features beyond this point.)
咕 Billchen 咕 |
https://docs.python.org/3.13/whatsnew/3.13.html#what-s-new-in-python-3-13
PEP 703: CPython 3.13 has experimental support for running with the global interpreter lock disabled when built with --disable-gil.
https://peps.python.org/pep-0703/
ref https://www.tg-me.com/outvivid/4469
https://peps.python.org/pep-0703/
ref https://www.tg-me.com/outvivid/4469
Python Enhancement Proposals (PEPs)
PEP 703 – Making the Global Interpreter Lock Optional in CPython | peps.python.org
CPython’s global interpreter lock (“GIL”) prevents multiple threads from executing Python code at the same time. The GIL is an obstacle to using multi-core CPUs from Python efficiently. This PEP proposes adding a build configuration (--disable-gil) to...
Forwarded from Solidot
G5 地磁风暴来袭
2024-05-11 10:03 by 奇岛
直径为 17 倍于地球的太阳黑子区域 AR3664 向地球方向喷射了 6 个日冕物质抛射 (CME),首个 CME 于 5 月 10 日 1645 UT 抵达并影响地球,产生极端强度的电磁风暴。地磁风暴强度范围从 G1 到 G5,其中 G5 为最高等级。随着后续 CME 的到来,地磁风暴将持续到周日。这是自 2003 年 10 月以来首次观测到 G5 地磁风暴,太阳活动目前处于活跃期。G5 地磁风暴将会在北方产生壮观的极光,可能会影响近地轨道和地球表面的基础设施,扰乱通信、电网、导航、无线电和卫星运行。
https://www.swpc.noaa.gov/news/g5-conditions-observed
https://spaceweather.com/
#地球
2024-05-11 10:03 by 奇岛
直径为 17 倍于地球的太阳黑子区域 AR3664 向地球方向喷射了 6 个日冕物质抛射 (CME),首个 CME 于 5 月 10 日 1645 UT 抵达并影响地球,产生极端强度的电磁风暴。地磁风暴强度范围从 G1 到 G5,其中 G5 为最高等级。随着后续 CME 的到来,地磁风暴将持续到周日。这是自 2003 年 10 月以来首次观测到 G5 地磁风暴,太阳活动目前处于活跃期。G5 地磁风暴将会在北方产生壮观的极光,可能会影响近地轨道和地球表面的基础设施,扰乱通信、电网、导航、无线电和卫星运行。
https://www.swpc.noaa.gov/news/g5-conditions-observed
https://spaceweather.com/
#地球
咕 Billchen 咕 |
G5 地磁风暴来袭 2024-05-11 10:03 by 奇岛 直径为 17 倍于地球的太阳黑子区域 AR3664 向地球方向喷射了 6 个日冕物质抛射 (CME),首个 CME 于 5 月 10 日 1645 UT 抵达并影响地球,产生极端强度的电磁风暴。地磁风暴强度范围从 G1 到 G5,其中 G5 为最高等级。随着后续 CME 的到来,地磁风暴将持续到周日。这是自 2003 年 10 月以来首次观测到 G5 地磁风暴,太阳活动目前处于活跃期。G5 地磁风暴将会在北方产生壮观的极光,可能会影响近…
X (formerly Twitter)
Robert Graham 𝕏 (@ErrataRob) on X
This is pretty bad for Starlink, which normally has 100mbps connectivity.
But still, it's excellent for once-in-a-decade solar storm.
But still, it's excellent for once-in-a-decade solar storm.
Forwarded from 荔枝木
联合国快讯
第十届紧急特别会议今天以 143 票赞成、9 票反对、25 票弃权通过决议,认定巴勒斯坦国符合《联合国宪章》规定的联合国会员国资格,应被接纳为联合国会员国,并建议联合国安理会重新审议巴勒斯坦以会员国身份加入联合国的申请。
中国、法国、俄罗斯等 143 国投了赞成票,美国、以色列等 9 国投了反对票,英国、德国、乌克兰等 25 国弃权。
巴勒斯坦目前为联合国观察员国。安理会上个月再次审议了巴勒斯坦入联申请,由于常任理事国美国行使了否决权,草案未获通过。此次通过的决议指出,大会深信巴勒斯坦国完全符合《宪章》第四条规定的联合国会员国资格,而且联合国会员国普遍申明支持接纳巴勒斯坦国为联合国会员国。
决议对安理会一个常任理事国一票否决巴勒斯坦入联申请表示遗憾和关切,建议安理会根据联大的认定以及 1948 年 5 月 28 日国际法院的咨询意见,并严格按照《宪章》第四条,重新从有利角度审议巴勒斯坦入联申请。决议还赋予巴勒斯坦从今年 9 月联大第 79 届会议开幕以后,在参加联合国会议时的一系列权利和特权,包括其坐席安排和在发言名单上的顺序。
第十届紧急特别会议今天以 143 票赞成、9 票反对、25 票弃权通过决议,认定巴勒斯坦国符合《联合国宪章》规定的联合国会员国资格,应被接纳为联合国会员国,并建议联合国安理会重新审议巴勒斯坦以会员国身份加入联合国的申请。
中国、法国、俄罗斯等 143 国投了赞成票,美国、以色列等 9 国投了反对票,英国、德国、乌克兰等 25 国弃权。
巴勒斯坦目前为联合国观察员国。安理会上个月再次审议了巴勒斯坦入联申请,由于常任理事国美国行使了否决权,草案未获通过。此次通过的决议指出,大会深信巴勒斯坦国完全符合《宪章》第四条规定的联合国会员国资格,而且联合国会员国普遍申明支持接纳巴勒斯坦国为联合国会员国。
决议对安理会一个常任理事国一票否决巴勒斯坦入联申请表示遗憾和关切,建议安理会根据联大的认定以及 1948 年 5 月 28 日国际法院的咨询意见,并严格按照《宪章》第四条,重新从有利角度审议巴勒斯坦入联申请。决议还赋予巴勒斯坦从今年 9 月联大第 79 届会议开幕以后,在参加联合国会议时的一系列权利和特权,包括其坐席安排和在发言名单上的顺序。