[-] tedu@azorius.net 11 points 4 months ago

What is this "world of content" the author is talking about? 17 years ago, the streaming options on Netflix were the previous season of Friday Night Lights, and... that was it. A few years later they got The Office, but never the current season. So you were always behind. These articles never seem to include a graph of available content over time.

[-] tedu@azorius.net 11 points 4 months ago

Some necessary caveats: This kind of attack can only be pulled off in relatively narrow circumstances by a dedicated attacker. Segal said the user would need to have installed a malicious browser extension or be in transit and use public Wi-Fi where their traffic could be intercepted and decrypted through a MITM attack.

Well, okay. Maybe there's something new here, but despite the many paragraphs of exposition, this sounds like exactly the sort of cookie stealing attack that's been possible for decades.

Is the big breakthrough here that somebody realized FIDO doesn't change that? Like, uh, no kidding? What's new?

[-] tedu@azorius.net 8 points 4 months ago

Is there a seven paragraph summary or something I can read? It's a written document. I can just read it myself, maybe?

[-] tedu@azorius.net 8 points 4 months ago

Link to the source?

[-] tedu@azorius.net 9 points 4 months ago

If there were somehow a strict definition of the Article spec, mastodon would simply ignore it.

[-] tedu@azorius.net 8 points 4 months ago

Screenshot?

[-] tedu@azorius.net 12 points 4 months ago

The first amendment doesn't have an exception for retaliation.

[-] tedu@azorius.net 8 points 5 months ago

The cost of ditching Windows 10 at your business and upgrading to the latest software might end up being a rather expensive process, Microsoft has revealed. Microsoft is ending support for Windows 10 on October 14, 2025, with businesses then needing to pay out for its Extended Security Updates (ESU).

Why would anyone pay for extended support if they're ditching Windows 10 and upgrading to 11?

[-] tedu@azorius.net 9 points 5 months ago

Who decides who gets the money? Meta? Isn't this literally the worst case EEE scenario that people are worried about? They're going to buy the changes they want?

[-] tedu@azorius.net 8 points 6 months ago

The list of accounts mentioned in the spam posts were harvested from the misskey.io timeline, so if you don't have followers there you did not receive any.

[-] tedu@azorius.net 10 points 7 months ago

If they provided constants, someone would complain that they produce the wrong result for daylight savings or leap years.

38

The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.

RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477.

https://www.zerodayinitiative.com/advisories/ZDI-23-1152/

1
submitted 1 year ago by tedu@azorius.net to c/azorius@azorius.net

Feature creep never ends. Added a very limited filter function, which can rewrite or edit posts. There's a couple ad hoc filters already, but this should converge over time.

There was already a tiny link normalizer, which only worked for youtube, which I find helpful to keep consistent URLs. And then it also rewrites lemmy links to self hosted images, which shouldn't (imo) appear as links.

The next problem I had is sometimes people post links, but put the link in the body, not in the link section where it belongs. This annoys me. I can't immediately see what site the link is for. It looks like a self post, then I open it, and then I have to open another link. That's two clicks! We can find a link in the body and make it the post link pretty easily.

But not all the time. I think that would result in too many false positives. So I started work on a little filter engine, that matches and alters posts. It's very limited at the moment, to only this use case, but the parts are now there for more extension.

31
submitted 1 year ago by tedu@azorius.net to c/golang@programming.dev

Boring is good. Boring is stable. Boring means being able to focus on your work, not on what’s different about Go. This post is about the important work we shipped in Go 1.21 to keep Go boring.

There will not be a Go 2 that breaks Go 1 programs. Instead, we are going to double down on compatibility, which is far more valuable than any possible break with the past. In fact, we believe that prioritizing compatibility was the most important design decision we made for Go 1.

1
Picture groups (azorius.net)
submitted 1 year ago by tedu@azorius.net to c/azorius@azorius.net

I don't want to go all in on being a picture board, but sometimes it's fun to scroll through some pictures. But also, like 90% of the preview images on links are just stupid header graphics, so it's off by default. Now for some groups example previews can be enabled.

28
submitted 1 year ago by tedu@azorius.net to c/espresso@infosec.pub

Espresso coffee is among the most consumed beverages in the world. Recent studies report a protective activity of the coffee beverage against neurodegenerative disorders such as Alzheimer′s disease. Alzheimer′s disease belongs to a group of disorders, called tauopathies, which are characterized by the intraneuronal accumulation of the microtubule-associated protein tau in fibrillar aggregates. In this work, we characterized by NMR the molecular composition of the espresso coffee extract and identified its main components. We then demonstrated with in vitro and in cell experiments that the whole coffee extract, caffeine, and genistein have biological properties in preventing aggregation, condensation, and seeding activity of the repeat region of tau. We also identified a set of coffee compounds capable of binding to preformed tau fibrils. These results add insights into the neuroprotective potential of espresso coffee and suggest candidate molecular scaffolds for designing therapies targeting monomeric or fibrillized forms of tau.

In vitro results, take with a grain of salt or shot of espresso.

1
submitted 1 year ago by tedu@azorius.net to c/azorius@azorius.net

The search box, at present, is more like a fetch activity box. It can only find and retrieve objects by their activitypub ID (url).

First caveat is that you have to get to the actual object. Lemmy marks this with a little fediverse icon, but it's pretty subtle. You can't retrieve an object from a server that doesn't own it, even if you can see it there. That's just the way things are. Also remember that posts and groups can be on different servers.

Second caveat is that kbin omits some information that lets azorius know which group a post is in. If you get a group not found error, you have to search for the group first, then the post.

Fetching a post doesn't retrieve comments. I don't believe this is possible at present. Lemmy does not include a replies collection in its Page object. You should be able to search for comments to import them, however.

1
submitted 1 year ago by tedu@azorius.net to c/azorius@azorius.net

Pushed a big change to enable group chat.

This kinda seems like feature creep, but looking at successful forums, I think many of them have an irc (or a fucking discord) on the side. Or you resort to an adhoc chat post. So I think it's fairly important. It's not very complicated, either.

It's not on by default, and can be enabled on a per group basis.

But does it fedi? Obvi! Well, within reason, and with certain caveats.

It's based on the ChatMessage type, addressed to the group, and federated via Announce/Create/ChatMessage like other group activities. So nothing special.

Honk required a small fix because it wasn't expecting chats to be announced. Not sure how other software would react. The fix was pretty simple and obvious, just not something I anticipated. The tricky part is getting addressing right and replying to the group, not only the poster.
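
The Announce/Create/ChatMessage nesting and the group-first reply addressing described above, as an added Go example that is not azorius' or honk's own code: the Activity struct, the example URLs and the sample inbound activity are constructed assumptions for illustration.

```go
package main
import (
	"encoding/json"
	"fmt"
)
type Activity struct { // minimal ActivityStreams object; an assumption, not azorius' own type
	Type         string    `json:"type"`
	ID           string    `json:"id,omitempty"`
	Actor        string    `json:"actor,omitempty"`
	AttributedTo string    `json:"attributedTo,omitempty"`
	To           []string  `json:"to,omitempty"`
	Cc           []string  `json:"cc,omitempty"`
	InReplyTo    string    `json:"inReplyTo,omitempty"`
	Object       *Activity `json:"object,omitempty"`
}

// UnwrapGroupChat accepts an inbound Announce/Create/ChatMessage only if the Announce comes from the group and the inner ChatMessage is addressed to that group.
func UnwrapGroupChat(raw []byte, group string) (*Activity, error) {
	var ann Activity
	if err := json.Unmarshal(raw, &ann); err != nil {
		return nil, err
	}
	if ann.Type != "Announce" || ann.Actor != group {
		return nil, fmt.Errorf("not an Announce from the group")
	}
	cr := ann.Object
	if cr == nil || cr.Type != "Create" || cr.Object == nil || cr.Object.Type != "ChatMessage" {
		return nil, fmt.Errorf("Announce does not wrap a Create of a ChatMessage")
	}
	for _, addr := range cr.Object.To {
		if addr == group {
			return cr.Object, nil
		}
	}
	return nil, fmt.Errorf("ChatMessage is not addressed to the group")
}

// ReplyTo addresses the reply to the group (so the group announces it to every member) and only cc's the original poster, rather than replying to the poster alone.
func ReplyTo(msg *Activity, group, me string) *Activity {
	r := &Activity{Type: "ChatMessage", AttributedTo: me, To: []string{group}, Cc: []string{msg.AttributedTo}, InReplyTo: msg.ID}
	return &Activity{Type: "Create", Actor: me, To: r.To, Cc: r.Cc, Object: r}
}
// SampleAnnounce is a constructed inbound activity, not captured traffic.
const SampleAnnounce = `{"type":"Announce","actor":"https://group.example/g/chat","object":{"type":"Create",
 "actor":"https://alice.example/u/alice","object":{"type":"ChatMessage","id":"https://alice.example/m/1",
 "attributedTo":"https://alice.example/u/alice","to":["https://group.example/g/chat"]}}}`
func main() {
	msg, _ := UnwrapGroupChat([]byte(SampleAnnounce), "https://group.example/g/chat")
	out, _ := json.Marshal(ReplyTo(msg, "https://group.example/g/chat", "https://bob.example/u/bob"))
	fmt.Println(string(out))
}
```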

7
Summary: MTE As Implemented (googleprojectzero.blogspot.com)

MTE = Memory Tagging Extension

In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities.

Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023. The ability of MTE to detect memory corruption exploitation at the first dangerous access provides a significant improvement in diagnostic and potential security effectiveness. In comparison, most other proposed approaches rely on blocking later stages in the exploitation process, for example various hardware-assisted CFI approaches which aim to block invalid control-flow transfers.

Implementation Testing

Mitigation Case Studies

The Kernel

10
submitted 1 year ago by tedu@azorius.net to c/golang@programming.dev

The Go programming language has released its first Release Candidate (RC) for version 1.21, which is packed with new features, improvements, and performance enhancements. This article provides an overview of the notable changes and features in Go 1.21, along with some exciting additions to the standard library.

  • PGO
  • min, max functions
  • preview of loop capture change
  • new slog, slices, and map packages
  • WASI port
10

41 in-the-wild 0-days were detected and disclosed in 2022, the second-most ever recorded since we began tracking in mid-2014, but down from the 69 detected in 2021. Although a 40% drop might seem like a clear-cut win for improving security, the reality is more complicated.

20
submitted 1 year ago by tedu@azorius.net to c/golang@programming.dev

A few years ago I wrote pygit, a small Python program that’s just enough of a Git client to create a repository, add some commits, and push itself to GitHub.

I wanted to compare what it would look like in Go, to see if it was reasonable to write small scripts in Go – quick ’n’ dirty code where performance isn’t a big deal, and stack traces are all you need for error handling.

The result is gogit, a 400-line Go program that can initialise a repository, commit, and push to GitHub. It’s written in ordinary Go … except for error handling, which is just too verbose in idiomatic Go to work well for scripting (more on that below).

7
submitted 1 year ago by tedu@azorius.net to c/cryptography@lemmy.ml

Yael Tauman Kalai’s breakthroughs secure the digital world, from cloud computing to our quantum future.

My master’s thesis was titled “How to Leak a Secret.” Here’s the problem: We know how to digitally sign — to say, “This is me that wrote this message.” But say I want to sign something as an MIT professor, but I don’t want people to know it’s me? That way the secret does hold some water because you know an MIT professor signed it, but you don’t know who.

We solved this with something we called ring signatures, which were inspired by a notion in computer science called witness-indistinguishable proofs. Let’s say there’s a statement and two different ways to prove it. We say there’s two “witnesses” to the statement being correct — each of the proofs. A witness-indistinguishable proof looks the same no matter which you use: It hides which witness you started with.


tedu

joined 1 year ago