This person should be funded in a level that is appropriate for how critical log4j2 is used in the ecosystem. There is no excuse for this. This person's spare time passion project is responsible for half of the internet working the way it should.
TL;DR: If you want me to make you useful software, pay me. If you use software made by others in their spare time and find it useful, pay them. This should not be a controversial opinion. This should not be a new thing. This should already be the state of the world and it is amazingly horrible for us to have the people that make the things that make our software work at all starve and beg for donations.
adversaries can attack the encoding of source code files to inject vulnerabilities
The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.
cf. https://fr.wikipedia.org/wiki/Fichier_de_test_Eicar
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*FROM: https://sebsauvage.net/links/?0rGdAQ
Pour vous amuser à en créer en Python, avec fpdf2:
#!/usr/bin/env python3
# REQUIRE: pip install fpdf2 pdf417 qrcode
import fpdf, pdf417, qrcode
EICAR = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
pdf = fpdf.FPDF()
pdf.add_page()
pdf.set_font("Helvetica", size=30)
pdf.text(90, 20, "EICAR")
pdf.text(10, 60, "PDF-417:")
pdf.image(pdf417.render_image(pdf417.encode(EICAR)), x=10, y=60)
pdf.text(10, 140, "QRCode:")
pdf.image(qrcode.make(EICAR).get_image(), x=35, y=145)
pdf.output("eicar.pdf")
À oui.sncf, je travaille au sein d'une équipe en charge de l'usine logicielle,
qui administre depuis des années une instance Gitlab self-hosted.
Cet article contient quelques-unes de nos recommandations à l'intention des utilisateurs de notre Gitlab, ayant pour but à la fois améliorer les performances de leurs pipelines …
tl;dr: User countermeasures:
- Noreply-Email-Address: Every GitHub user should either use a dedicated commit email address or GitHub’s noreply-email-address service, also enabling the option to block accidental command line pushes.
- 2-Factor-Authentication: Every GitHub user should have 2-Factor-Authentication enabled
- Raise Awareness: it’s the duty of developers aware of this issue toinform their colleagues about it
sed -i "s/$real_email/$github_email/" /opt/*/.git/config
Linkback protocols are an old breed. They were born in a time where MySpace, Wikipedia & WordPress had just been born, and Friendster was more popular than this new website called Facebook.
The latest linkback protocol, Webmention, is relatively recent though, as it became a W3C …
Almost a year ago, GitHub introduced security alerts. They are an awesome feature.
They function as notifications you receive whenever a vulnerability affecting one of your project dependencies.
But long after receiving a notification, how to list all security alerts affecting your repositories ?
I didn't found an out-of-the box solution …
Consider the following Python expression:
print("".join(set("ABCDE")))
What do you think it produces ?
Not necessarily "ABCDE". Right, but you would expect the result to be consistent, isn't it ?
$ for i in {1..3}; do python2.7 -c 'print("".join(set("ABCDE")))'; done
ACBED
ACBED
ACBED
Great !
...
But with …
Just relaying the information about this "ShellShock" vulnerability:
This seems to affect Apache, sshd, DHCP clients and even potentially git.
TL;DR here is how to check your Bash version
env x='() { echo Never called; }; echo YOUR BASH IS VULNERABLE …