If your Open Source project sees a steep increase in the number of high quality security reports (mostly done with AI) right now (#curl, Linux kernel, glibc confirmed) please tell me the name of this project.

(I'd like to make a little list for my coming talk on this.)

Apache httpd, curl, Django, Firefox, glibc, GnuTLS, Haproxy, libssh, Linux kernel, python, Temporal, Wireshark, wolfSSL

More?

Updated:

Apache httpd, curl, Django, Elasticsearch Python client, Firefox, git, glibc, GnuTLS, Haproxy, Immich, libssh, Linux kernel, OpenLDAP, PowerDNS, python, Sequoia PGP, Temporal, urllib3, Wireshark, wolfSSL

We can say with certainty that this is widespread.

@bagder I'd be curious to see how many projects see a positive change, vs projects still suffering from slop reports. It would be interesting to have a larger sample over time, and see if there are some turning points that can be attributed to specific models or tools being released.
@bagder This makes me interested! Where will you be giving this presentation?
Heap buffer overflow in TIFFClientOpenExt via TOCTOU race between strlen and strcpy on caller-supplied filename (#814) · Issues · libtiff / libtiff · GitLab

Summary A time-of-check-to-time-of-use (TOCTOU) race condition in TIFFClientOpenExt() (libtiff/tif_open.c) causes a heap buffer overflow when the name argument points to a shared mutable buffer that is concurrently...

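The pattern the linked issue describes, as an added example (this is not libtiff code and the function names, the `race_hook_t` stand-in for the other thread, and the `file.tif` / `file_renamed.tif` inputs are all constructed for illustration): `strlen()` is the check, `strcpy()` is the use, and if the caller's buffer grows between the two, `strcpy()` writes past the allocation. The second function shows the bounded copy that turns the same race into a truncated name instead of a heap overrun. A guard region is over-allocated so the overrun can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libtiff code. A hook stands in for the concurrent
 * writer: it runs between the length check and the copy and may rewrite
 * the shared name buffer in place. */
typedef void (*race_hook_t)(char *shared);

#define GUARD_LEN  16
#define GUARD_BYTE 0xA5

/* Allocate len+1 bytes for the copy plus a guard region, so an overrun
 * lands in memory we own and can be detected. A real overrun would hit
 * heap metadata or a neighbouring object instead. */
static char *alloc_with_guard(size_t len) {
    char *dst = malloc(len + 1 + GUARD_LEN);
    if (dst) memset(dst + len + 1, GUARD_BYTE, GUARD_LEN);
    return dst;
}

static int guard_intact(const char *dst, size_t len) {
    for (size_t i = 0; i < GUARD_LEN; i++)
        if ((unsigned char)dst[len + 1 + i] != GUARD_BYTE) return 0;
    return 1;
}

/* The vulnerable shape: strlen() is the check, strcpy() is the use.
 * strcpy() re-scans the source for its NUL, so if the string grew in
 * between it writes past the len+1 bytes that were allocated. */
static char *dup_name_strcpy(char *shared, race_hook_t hook) {
    size_t len = strlen(shared);          /* time of check */
    char *dst = alloc_with_guard(len);
    if (!dst) return NULL;
    if (hook) hook(shared);               /* the racing writer */
    strcpy(dst, shared);                  /* time of use: unbounded */
    return dst;
}

/* The bounded shape: copy exactly the number of bytes that were measured
 * and terminate the copy yourself. The source may still change underneath
 * you (the result can be truncated or mixed), but the write can never
 * exceed the allocation, so the race is no longer memory corruption. */
static char *dup_name_bounded(char *shared, race_hook_t hook) {
    size_t len = strlen(shared);
    char *dst = alloc_with_guard(len);
    if (!dst) return NULL;
    if (hook) hook(shared);
    memcpy(dst, shared, len);             /* bounded by the measured len */
    dst[len] = '\0';
    return dst;
}

/* Constructed demo input: a 64-byte buffer the "caller" owns, which the
 * racing writer lengthens from 8 to 16 bytes. The growth is kept below
 * GUARD_LEN so the overrun stays inside the guard region. */
static char shared_name[64];
static char last_result[64];

static void racing_writer(char *shared) { strcpy(shared, "file_renamed.tif"); }

/* Runs one scenario on a fresh copy of the name. Returns 1 if the copy
 * overran its allocation (guard clobbered), 0 if not, -1 if malloc failed.
 * The duplicated name is left in last_result for inspection. */
static int run_scenario(int bounded, race_hook_t hook) {
    strcpy(shared_name, "file.tif");
    size_t len = strlen(shared_name);     /* what both copiers will measure */
    char *dst = bounded ? dup_name_bounded(shared_name, hook)
                        : dup_name_strcpy(shared_name, hook);
    if (!dst) return -1;
    int overrun = !guard_intact(dst, len);
    snprintf(last_result, sizeof last_result, "%s", dst);
    free(dst);
    return overrun;
}

int main(void) {
    printf("strcpy copy, racing writer:  overrun=%d result=%s\n",
           run_scenario(0, racing_writer), last_result);
    printf("bounded copy, racing writer: overrun=%d result=%s\n",
           run_scenario(1, racing_writer), last_result);
    printf("strcpy copy, no race:        overrun=%d result=%s\n",
           run_scenario(0, NULL), last_result);
    return 0;
}
```

Without a racing writer both copiers behave identically, which is why a report of this shape only matters to the extent the API actually promises to tolerate a caller mutating the buffer concurrently; the bounded copy is still the cheaper habit, because it removes the overrun regardless of what the caller does.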
@EvenRouault @bagder Is this what's meant by high-quality? Long inflationary description of a minor to practically non-existent vulnerability?

@bagder random anecdote tangentially related but I needed to debug a binary on Windows with no source. Claude used nothing but deno as a disassembler and found the exact issue (an async flag where it shouldn’t be and misuse of win32) which saved me hours waiting for the client to “maybe” give me the source.

Claude can be used very well for security work in the right hands.

@bagder

The next months I will call the-open source--security-apocalypse-dark-times (of death).

Because I wanted a cheerful name that makes it not seem as bad as it is. /s

@bagder

Should all responsible software be running security agents against their own software now as we do fuzzers/static analysis/tests/etc?

Or instead of being proactive do nothing? And hope it’s not just the nice people reporting the bugs that are finding the issues?

@renedudfield if you don't run AI powered code analyzers against your own code, you miss out on a lot of bugs...