Hello Hacking8!

In April and May 2022, NCC Group Cryptography Services engaged in a security and cryptography assessment reviewing Microsoft’s contributions to the go-cose library, a Go library implementing signing and verification for CBOR Object Signing and Encryption (COSE), as specified in RFC 8152. This library focuses on a minimal feature set to enable the signing and verification of … Continue reading Public Report – go-cose Security Assessment →
2022年4月和5月，NCC Group Cryptography Services 进行了一次安全和加密评估，评估微软对 Go-COSE 库的贡献，这是一个 Go 库，实现了 RFC 8152中规定的 CBOR 对象签名和加密(COSE)的签名和验证。这个库集中于一个最小的特性集，以使签名和验证... 继续阅读公共报告-go-cose 安全评估→

🔥一个清新文艺的微社区

Red Hat Security Advisory 2022-4745-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
Red Hat Security Advisory 2022-4745-01-Varnish Cache 是一种高性能的 HTTP 加速器。它将网页存储在内存中，这样网页服务器就不必一遍又一遍地创建相同的网页，从而大大提高了网站的速度。

Ubuntu Security Notice 5445-1 - Ace Olszowka discovered that Subversion incorrectly handled certain svnserve requests. A remote attacker could possibly use this issue to cause svnserver to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Tomas Bortoli discovered that Subversion incorrectly handled certain svnserve requests. A remote attacker could possibly use this issue to cause svnserver to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS.
Ubuntu 安全通知5445-1-Ace Olszowka 发现 Subversion 错误地处理了某些 svnserve 请求。远程攻击者可能会利用这个问题导致 svnserver 崩溃，从而导致分布式拒绝服务攻击攻击。这个问题只影响到 Ubuntu 18.04 LTS。Tomas Bortoli 发现 Subversion 错误地处理了某些 svnserve 请求。远程攻击者可能会利用这个问题导致 svnserver 崩溃，从而导致分布式拒绝服务攻击攻击。这个问题只影响到 Ubuntu 18.04 LTS。

qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.
qdPM 9.1版本通过身份验证的远程代码执行利用了一个遍历路径。

Red Hat Security Advisory 2022-2268-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.51.
Red Hat Security Advisory 2022-2268-01-Red Hat OpenShift Container Platform 是 Red Hat 的云计算 Kubernetes 应用平台解决方案，专为本地或私有云部署而设计。这个建议包含红帽 OpenShift 容器平台4.7.51的容器图像。

Ubuntu Security Notice 5446-1 - Max Justicz discovered that dpkg incorrectly handled unpacking certain source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system.
Ubuntu 安全通知5446-1-Max Justicz 发现 dpkg 不正确地处理了某些源代码包的解压缩。如果一个用户或者一个自动化系统被欺骗去解压一个特别制作的源代码包，远程攻击者可以修改目标解压目录之外的文件，导致一个分布式拒绝服务攻击或者潜在地获得对系统的访问。

In this whitepaper, the author demonstrates abusing persistent cross site scripting and polyglot payloads can allow for robust protocol creation similar to COOLHANDLUKE and allows an attacker to exfiltrate, encapsulate, and tunnel their malicious traffic between IPv4 and IPv6 networks without a router. The author calls the technique and protocol "DIRECTIVEFOUR". This issue affects Cisco SMB and Sx Series switches.
在这份白皮书中，作者证明了滥用持久性跨网站脚本和多语言有效负载可以允许类似 COOLHANDLUKE 的健壮协议创建，并允许攻击者在没有路由器的情况下在 ipv4和 ipv6网络之间进行恶意流量的出境、封装和隧道。作者将该技术和协议称为“ DIRECTIVEFOUR”。此问题影响思科 SMB 和 Sx 系列交换机。

This whitepaper demonstrates leveraging cross site scripting and polyglot exploitation in an exploit called COOLHANDLUKE to violate network segmentation / layer 2 VLAN policies while routing and sending a file between isolated, air gapped networks without a router. This issue affects HPE Procurve, Aruba Networks, Cisco, Dell, and Netgear products.
这篇白皮书演示了在一个名为 COOLHANDLUKE 的漏洞中利用跨网站脚本和通用语言来违反网络分段/第二层 VLAN 策略，同时在没有路由器的隔离的、空间隔离的网络之间传送文件。这个问题影响到 HPE Procurve、 Aruba Networks、 Cisco、 Dell 和 Netgear 产品。

ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.
当屏幕被锁定时，ChromeOS 会使用 usbguard，但是似乎会遇到旁路问题。

Tigase XMPP server suffers from a security vulnerability due to not escaping double quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza in the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).
Tigase XMPP 服务器在序列化解析 XML 时没有转义双引号字符，因此存在安全漏洞。这可用于在 XMPP 服务器的输出流中偷运(或者，如果您愿意的话，注入)任意由攻击者控制的节。恶意客户机可以利用这个漏洞向另一个客户机发送任意 XMPP 节(包括只能由服务器发送的控制节)。

Red Hat Security Advisory 2022-2272-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.8.41.
Red Hat Security Advisory 2022-2272-01-Red Hat OpenShift Container Platform 是 Red Hat 的云计算 Kubernetes 应用平台解决方案，设计用于本地或私有云部署。此通知包含红帽 OpenShift 容器平台4.8.41的容器图像。

Ubuntu Security Notice 5447-1 - It was discovered that logrotate incorrectly handled the state file. A local attacker could possibly use this issue to keep a lock on the state file and cause logrotate to stop working, leading to a denial of service.
Ubuntu 安全通知5447-1-发现 logrotate 不正确地处理状态文件。本地攻击者可能会利用这个问题锁定状态文件并导致 logrotate 停止工作，从而导致分布式拒绝服务攻击。

Ubuntu Security Notice 5402-2 - USN-5402-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 16.04 ESM. Elison Niven discovered that OpenSSL incorrectly handled the c_rehash script. A local attacker could possibly use this issue to execute arbitrary commands when c_rehash is run. Aliaksei Levin discovered that OpenSSL incorrectly handled resources when decoding certificates and keys. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS.
Ubuntu 安全公告5402-2-usn-5402-1修复了 OpenSSL 中的几个漏洞。此更新提供了 Ubuntu 16.04 ESM 的相应更新。Elison Niven 发现 OpenSSL 不正确地处理了 c _ rehash 脚本。当运行 c _ rehash 时，本地攻击者可能会利用这个问题执行任意命令。发现 OpenSSL 在解码证书和密钥时错误地处理了资源。远程攻击者可能会利用这个问题导致 OpenSSL 消耗资源，从而导致分布式拒绝服务攻击攻击。这个问题只影响到 Ubuntu 22.04 LTS。

CVE-2022-30781：一条普通的 Git 命令导致的 Gitea RCE

Gitalk is a modern comment component based on Github Issue and Preact.

Linux.Nasty: Assembly x64 ELF virus

motikan2010 starred target/mmk-ui-api May 26, 2022
target/mmk-ui-api
UI, API, and Scanner (Rules Engine) services for Merry Maker
TypeScript
114 Updated Apr 22
Motikan2010星标/mmk-ui-api 2022.5.26
Target/mmk-ui-api
Merry Maker 的用户界面、 API 和扫描仪(规则引擎)服务
打字稿
114/Updated Apr 22

Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.
早在四月初，Trustwave SpiderLabs 就发现了一个针对来自巴西、西班牙和墨西哥的银行用户的 Grandoreiro 恶意软件攻击。这场运动利用了目标国家的税收季节，发送以税收为主题的钓鱼邮件。

An open-source Chinese font derived from Fontworks' Klee One. 一款开源中文字体，基于 FONTWORKS 出品字体 Klee One 衍生。

SHN plays down concerns over medical records breach
SHN 淡化对医疗记录泄露的担忧

Social media platform ends private program after paying $250,000 in rewards over eight years
社交媒体平台结束私人项目后，支付250,000美元奖励超过8年

影响厂商:U.S. General Services Administration 奖励: 危险等级:medium
通过克隆阅读其他用户报告

Useful Cobalt Strike BOFs found or used during engagements

Introduction APKOA Les outils GO GO GO Bingo ! Plus d’infos Introduction Le reverse engineering, c’est ( en gros ) comprendre le fonctionnement d’un dispositif, par une analyse en profondeur. Comprendre comment les concepteurs ont imaginé le système. Cela peut servir dans le cadre d’une séance de debugging d’un logiciel

Cut the bullshit, get the shit done and don't be afraid.
废话少说，把事情搞定，不要害怕。

Structured logging Interface Performance What to log Logs vs Metrics Implementation As the term log is ambigous, I want to clarify that we will talk about application logging. Logging is hard. I think logging is a critical piece of infrastructure. Chances are if you’re a software engineer, you’ll be staring
结构化日志接口性能日志与度量标准实现之间的对比日志这个术语是双音节的，我想澄清一下，我们将讨论应用程序日志。伐木是很困难的。我认为日志记录是基础设施的一个关键部分。如果你是一个软件工程师，你可能会盯着看

Polyglot systems Astro Polyglot systems Today's advent of containers, orchestration technologies and services oriented architectures leads to the fact that we use more and more programming languages for the same application. Thus programmers have to code in more than one programming language. The problem is that each programming language have
多语言系统 Astro 多语言系统今天，容器、编排技术和面向服务架构的出现，导致我们为同一个应用程序使用越来越多的编程语言。因此，程序员必须使用多种编程语言进行编码。问题是每种编程语言都有

Start with Why The infinite game and the infinite players And before you ask, my just cause? Empowering the world with open technologies. I've created Bloom to fulfill this purpose.
从为什么无限的游戏和无限的玩家开始在你问之前，我的正当理由？用开放的技术赋予世界权力。我创造布鲁姆就是为了达到这个目的。

🇬🇧 English version here Il ne faut pas compter sur ceux qui ont créé les problèmes pour les résoudre. Des défis universels et inédits (Pourquoi ?) Open source, access, data... (Comment ?) Bloom : le master plan top secret (Quoi ?) En résumé TL;DR Pour faire face aux défis universels

🇫🇷 Version française ici We cannot solve our problems with the same thinking we used when we created them. Universal and unprecedented challenges (Why?) Open source, access, data... (How?) Bloom: the top-secret master plan (What?) In summary TL;DR To bring an answer to the universal and unprecedented challenges of our
我们无法用创造问题时的思维方式来解决问题。普遍和前所未有的挑战(为什么?)开源，访问，数据... (怎么做?)布鲁姆: 最高机密的总体规划(什么?)为我们面临的全球性和前所未有的挑战提供一个答案

Thank you very much for the support! The past days were pretty intense and we really didn't expect such traction. We sincerely apologize for the bugs and latencies: our systems were not scaled to handle the load (which in a sense is good news 😊). Here are some clarifications about
非常感谢你们的支持！过去的日子非常紧张，我们真的没有想到会有这样的牵引力。我们真诚地为 bug 和延迟道歉: 我们的系统没有进行扩展以处理负载(从某种意义上说这是个好消息)。这里有一些澄清

It's been exactly 6 months since Bloom launched. 6 incredible months with a lot of sweat and some sleepless nights. But something even more incredible is coming during the next month: The launch of Bloom's native applications, featuring among other things end to end encryption and offline support. The past
布鲁姆上市已经整整6个月了。难以置信的6个月，汗流浃背，辗转难眠。但是更不可思议的事情将在下个月发生: Bloom 的本地应用程序的发布，特色之一是端到端加密和离线支持。过去

While developing Bloom I realized how much I love open source. So I decided to share this passion with the world. Whether it be in software, in hardware, in education, in ecology, in science or in agriculture, open source have proved its superiority. However it's very difficult to find interesting
在开发 Bloom 的过程中，我意识到自己是多么热爱开源。所以我决定与世界分享这份激情。无论是在软件、硬件、教育、生态、科学还是农业领域，开源已经证明了它的优越性。但是很难找到有趣的东西吗

Hello world! Thank you for subscribing to Open Source Weekly. If you have any feedback, feel free to respond to this email or open a ticket on GitHub. Enjoy your reading :) Did you know? Free Software vs Open source While we are all facing an uncertain future due to
你好，世界！感谢您订阅开源周刊。如果你有任何反馈，请随时回复这封邮件或者在 GitHub 上打开一张票。享受你的阅读:)你知道吗？自由软件 vs 开放源码虽然我们都面临着一个不确定的未来，因为

Thank you everyone for your positive feedback! It’s really encouraging 🤗 To the enthusiastic person who emailed me about the PinePhone but never received a response, sorry, I inadvertently deleted your email before replying 🙃 Did you know? Free Software vs Open source 2/2: Philosophy Last week we saw the
谢谢大家的积极反馈！这真的很鼓舞人心，对于那个给我发了一封关于 PinePhone 的邮件却没有收到回复的人，抱歉，我不小心在回复之前删除了你的邮件你知道吗？3软件 vs 开源2/2: 哲学上周我们看到了

Did you know? Intellectual property: Copyrights vs Patents vs Trademarks "Intellectual property" (strange oxymoron) is a vague term at which people love to throw everything and anything. Do you really know the differences between Copyrights, Patents and Trademarks? Copyrights Copyright is the exclusive right given to the creator of a
你知道吗？知识产权: 版权 vs 专利 vs 商标“知识产权”(奇怪的矛盾修饰法)是一个模糊的术语，人们喜欢抛弃一切和任何东西。你真的知道版权、专利和商标之间的区别吗？版权著作权是赋予作者的专有权利

You are certainly asking yourself what to do with this sudden amount of free time now we are all in quarantine and no longer have to commute every day. The answer is obvious: VIDEO GAMES!!!! Welcome for a special edition of OpenSourceWeekly.org dedicated to gaming 🕹️ Gaming on Linux You
你肯定在问自己，现在我们都处于隔离状态，不再需要每天通勤了，如何利用这突如其来的空闲时间。答案是显而易见的: 电子游戏！欢迎收看 Linux 游戏 opensourceweekly.org 的特别版

Welcome for your weekly dose of inspiring open source projects! Open source is more than ever relevant in these tough times and the world is slowly discovering that centralization and closed ecosystems literally kill people 😷 Projects Drop-in Minimal CSS This is THE revelation of the week. We can code
欢迎你每周参与一些鼓舞人心的开源项目！在这个艰难的时代，开放源码比以往任何时候都更加重要，而且世界正在慢慢发现，集中化和封闭的生态系统实际上会杀死人。我们会写代码

Faster than expected. The past few weeks taught us that when sh*t is knocking at the door, it’s already too late. Unfortunately, there are a lot of other subjects where serious people are warning us that our current trajectory is not good. You get it, today we are going to
比预期的要快。过去的几周告诉我们，当该死敲门的时候，已经太晚了。不幸的是，还有很多其他的问题，严肃的人警告我们，我们目前的轨迹并不好。你明白了，今天我们要

Today we are going to talk about high performance. Not the standard distributed cloud blahblah but high performance on a single core on a single machine. Please welcome SIMD instructions. Did you know? What are SIMD instructions? SIMD (for Single Instruction, Multiple Data) are special instructions on CPUs and GPUs
今天我们要讨论的是高性能。不是标准的分布式云之类的东西，而是在一台机器上的单核上的高性能。请欢迎 SIMD 指示。你知道吗？什么是 SIMD 指令？SIMD (用于单指令，多数据)是 cpu 和 gpu 上的特殊指令

Great news for CLI lovers: starting today, all the weekly emails will be sent with both a HTML and a Text version 🎉 We all know that the world shifted from a material-based economy to one based on the capacity of human attention. Yet, because these social networks and apps
对于 CLI 爱好者来说，好消息是: 从今天开始，所有每周的电子邮件都将同时以 HTML 和文本的形式发送。我们都知道，世界已经从物质经济转变为以人类注意力为基础的经济。然而，因为这些社交网络和应用程序

Hello everyone, I hope you are doing well 🙏 I’m about to release the new version of my open source project Bloom (encrypted Notes, Calendar, Contacts, Files…) which will feature end-to-end encryption. Before that I’m looking for feedback on the cryptographic design, so if you are a cryptography / security
大家好，我希望你们都做得很好我即将发布我的开源项目 Bloom 的新版本(加密笔记，日历，联系人，文件...) ，它将以端对端加密为特色。在此之前，我正在寻找关于加密设计的反馈，因此如果您是一名加密/安全人员

Hi everyone 👋 As you may have noticed I have updated the website (from opensourceweekly.org to kerkour.com) because it was too much of a burden for me to maintain 2 websites. If you use an RSS reader, please update your feed to: https://kerkour.com/feed.xml Otherwise Open Source Weekly will continue as
大家好你们可能已经注意到我更新了网站(从 opensourceweekly.org 到 kerkour. com) ，因为维护2个网站对我来说负担太重了。如果你使用 RSS 阅读器，请将你的 feed 更新为:  https://kerkour.com/feed.xml 文档，否则开源周刊将继续作为

Hello everyone 👋 This week we are going to talk about Linux and especially which flavor of Linux to choose. I know this is a rather controversial topic but as I'm often asked, I felt it was time to write it down. Dear esteemed reader, please don’t feel offended if
大家好本周我们将讨论 Linux，特别是选择哪种风格的 Linux。我知道这是一个相当有争议的话题，但正如我经常被问到的那样，我觉得是时候把它写下来了。尊敬的读者，请不要觉得被冒犯了

I spent the past two days rebuilding my website from scratch, ditching Bootstrap, JQuery and custom fonts (you’ll be horrified to learn how much traffic custom fonts are accountable for) in order to improve its performance, readability and computing resources usage. I’m pretty satisfied with the effort: now, any page
我花了两天时间从头开始重建我的网站，抛弃了 Bootstrap、 JQuery 和自定义字体(如果你知道自定义字体对流量负有多大责任，你会感到震惊) ，以提高它的性能、可读性和计算资源的使用。我对这些努力非常满意: 现在，任何一页

Projects RudderStack RudderStack is a platform for collecting, storing and routing customer event data to dozens of tools. It can run in your cloud environment (AWS, GCP, Azure or even your data-centre) and provides a powerful transformation framework to process your event data on the fly. Scuttlebot: Peer-to-peer database, identity
Projects RudderStack RudderStack 是一个用于收集、存储客户事件数据并将其路由到几十个工具的平台。它可以在您的云环境(AWS、 GCP、 Azure，甚至是您的数据中心)中运行，并提供了一个强大的转换框架来动态处理事件数据。Scuttlebot: 对等数据库、身份

From the Linux kernel to Firefox and Wordpress, Open Source is changing the world for the better. But how to achieve financial sustainability when you produce something that can legally be copied, by design, at zero cost? Revenue models for Open Source A lot has been written about achieving profitability
从 Linux 内核到 Firefox 和 Wordpress，开源让世界变得更美好。但是，当你生产的东西可以合法地被复制，通过设计，零成本，如何实现财务可持续性？开源的收入模式已经有很多关于实现盈利能力的文章

I started developing web services (JSON APIs) in Rust a little bit more than 2 years ago, so I thought it was time to shake the preconceived ideas and share what I've learned. The prejudices Rust code is ugly: Rust is explicit. Undeniably. But when I write code, my IDE
两年多以前，我开始在 Rust 中开发 web 服务(JSON api) ，所以我认为是时候动摇先入为主的想法，分享我所学到的东西了。偏见锈病密码是丑陋的: 锈病是明确的。不可否认。但是当我写代码的时候，我的 IDE

Sending emails in Rust can be achieved in two ways: either by using an SMTP server or by using a third-party service with an API such as AWS SES or Sendgrid. SMTP SMTP is the standard protocol for sending emails. Thus, it's the most portable way to send emails as
在 Rust 中发送电子邮件可以通过两种方式实现: 要么使用 SMTP 服务器，要么使用带有 API (如 AWS SES 或 Sendgrid)的第三方服务。SMTP SMTP 是发送电子邮件的标准协议。因此，这是最便携的方式来发送电子邮件

Its fast-paced development cycles. For more data points, please go here, search for 'Compatibility Notes' and 'Language'. I love Rust. I can build web servers, create web apps with WebAssembly, use it for embedded development, craft shellcodes, and above all, it reduced the number of bugs in my programs by
其快节奏的开发周期。如需更多数据点，请点击这里，搜索“兼容性说明”和“语言”。我喜欢 Rust。我可以构建网络服务器，用 WebAssembly 创建网络应用程序，用它进行嵌入式开发，编写工艺贝尔代码，最重要的是，它减少了我的程序中的 bug