A PSA since there's some confusion on this...

There is no vulnerability in Gorilla Sessions.

The vulnerability is in Palo Alto's internal SessDiskStore, which looks similar to FilesystemStore. Early analysis came to the mistaken conclusion that the vulnerable path was in FilesystemStore, but it's not. FilesystemStore authenticates the Session.ID with securecookie, SessDiskStore does not.

Fantastic work by @amlw - xzbot

Exploration of the xz backdoor (CVE-2024-3094). Includes the following:

* honeypot: fake vulnerable server to detect exploit attempts

* ed448 patch: patch liblzma.so to use our own ED448 public key

* backdoor format: format of the backdoor payload

* backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key

https://github.com/amlweems/xzbot

This is... such a good tutorial and now I'm going to rework my website's font sizes.

https://www.joshwcomeau.com/css/surprising-truth-about-pixels-and-accessibility/

EDIT: Please also check the replies for a system/browser font size gotcha.

The Wi-Fi only works when it's raining 🌧📶

Happy April Cools! A few people and I decided lying for April 1st is cliché, so we're surprising you with truthful essays on unexpected topics.

Mine is about the hardest hardware problem I've ever had to debug:
https://predr.ag/blog/wifi-only-works-when-its-raining/

liblzma and xz version 5.6.0 and 5.6.1 are vulnerable to arbitrary code execution compromise

https://xeiaso.net/notes/2024/xz-vuln/

I accidentally found a security issue while benchmarking postgres changes.

If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.

https://www.openwall.com/lists/oss-security/2024/03/29/4