EUVD-2025-10054
Malicious code in bioql PyPI...
EUVD-2025-9751
Malicious code in bioql PyPI...
GHSA-794X-2RPG-RFGR Jujutsu does not have SHA-1 collision detection
Summary: Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks. Details: This is a result of the underlying CVE-2025-31130 / GHSA-2frx-2596-x5r6 vulnerability in the gitoxide...
GHSA-2FRX-2596-X5R6 gitoxide does not detect SHA-1 collision attacks
Summary: gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. Details: gitoxide uses the sha1smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct G...
CVE-2025-31130 gitoxide does not detect SHA-1 collision attacks
gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1smol or sha1 crate, both of which implement standard SHA-1 without any mitigations...
RUSTSEC-2025-0021 SHA-1 collision attacks are not detected
Summary: gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. Details: gitoxide uses the sha1smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct G...
Emissary May Use a Broken or Risky Cryptographic Algorithm
Summary: The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases, e.g., SHA-1, CRC32, and SSDEEP. These algorithms, while possibly valid for certain...
Real World Crypto 2018 (RWC 2018) brain dump
The 2018 edition of Real World Crypto (RWC) was in Zurich; you can find the conference's full program here. I live in Switzerland, so I was extremely happy about it. RWC is basically the best conference I have ever attended, and it will probably be so for a while. I almost risked skipping it due to flu, but I...
SUSE-SU-2017:2200-1 Security update for subversion
This update for subversion fixes the following issues: - CVE-2017-9800: A malicious or compromised server, or a MITM, may cause the svn client to execute arbitrary commands by sending repository content with svn:externals definitions pointing to crafted svn+ssh URLs. bsc1051362 - A malicious user may commit...
DEFCON 25
After a few days in Las Vegas and after BlackHat, DEFCON 25 is finally over! It was an amazing time around awesome people. I didn't attend all the talks, but most of the ones I saw were interesting: There's no place like 127.0.0.1 - Achieving reliable DNS rebinding in modern browsers, by Luke...
Microsoft Makes it Official, Cuts off SHA-1 Support in IE, Edge
Lost in yesterday’s shuffle of emergency updates and regularly scheduled monthly patches was Microsoft’s announcement that it was officially cutting off SHA-1 support in Internet Explorer 11 and Edge. Going forward, both browsers will block webpages signed with a SHA-1 TLS or SSL certificate from...
GitHub Enterprise < 2.8.10 Multiple Vulnerabilities
GitHub Enterprise is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:github:githubenterprise";...
Mike Mimoso and Chris Brook Discuss How a Campaign Using the Angler Exploit Kit Was Disrupted and More of the Week's News
Mike Mimoso and Chris Brook discuss the week in news–including how researchers disrupted a $30M campaign using the Angler Exploit Kit, how another researcher was forced to pull a talk from a conference, and how a practical SHA-1 collision could be months away, not years. Download:...