fweno.onefour.com.br

Current Conditions
São Paulo
céu pouco nublado

18 ℃
71%
Temperatura
Umidade
Fonte: OpenWeatherMap. - 19:30:01
  1. [USD] USD 90,451.65
  1. [BRL] BRL 482,134.45 [USD] USD 90,451.65 [GBP] GBP 69,263.81 [EUR] EUR 78,391.19
    Price index provided by blockchain.info.
  2. Disclosure of the details of a bug on 32-bit systems which may, in a rare edge case, cause the node to crash when receiving a pathological block. This bug would be extremely hard to exploit. A fix was released on October 10th 2025 in Bitcoin Core v30.0.
    This issue is considered Low severity.

    Details

    Before writing a block to disk, Bitcoin Core checks that its size is within a normal range. This check would overflow on 32-bit systems for blocks over 1GB, and make the node crash when writing it to disk. Such a block cannot be sent using the BLOCK message, but could in theory be sent as a compact block if the victim node has a non-default large mempool which already contains 1GB of transactions. This would require the victim to have set their -maxmempool option to a value greater than 3GB, while 32-bit systems may have at most 4GiB of memory.
    This issue was indirectly prevented by capping the maximum value of the -maxmempool setting on 32-bit systems.

    Attribution

    Pieter Wuille discovered this bug and disclosed it responsibly.
    Antoine Poinsot proposed and implemented a covert mitigation.

    Timeline

    • 2025-04-24 - Pieter Wuille reports the issue
    • 2025-05-16 - Antoine Poinsot opens PR #32530 with a covert fix
    • 2025-06-26 - PR #32530 is merged into master
    • 2025-09-04 - Version 29.1 is released with the fix
    • 2025-10-10 - Version 30.0 is released with the fix
    • 2025-10-24 - Public Disclosure

dog - 19:35:21 up 61 days, 4:06, 4 users, load average: 0.00, 0.00, 0.00

Google News

[19/11/2025 18:32] Motorista confessa em depoimento que mentiu sobre sequestro no Rodoanel - CNN Brasil

[19/11/2025 14:43] Motta ecoa discurso bolsonarista e tenta emparedar Lula após o PL Antifacção - CartaCapital

[19/11/2025 11:42] Enem 2025: Inep divulga gabarito oficial e cadernos de questões do segundo dia de provas - Correio Braziliense

[19/11/2025 15:32] O que se sabe sobre a briga envolvendo Renato Freitas no centro de Curitiba - CartaCapital

[19/11/2025 10:47] Premiê alemão não pedirá desculpas por declaração sobre Belém - Valor Econômico

[19/11/2025 10:32] Maduro treina soldados para atirarem flechas envenenadas contra os EUA - Revista Oeste

[19/11/2025 12:32] Previdência: 4 cidades investem no Banco Master e enfrentam incertezas - Campo Grande News

[19/11/2025 13:18] Confira funcionamento dos serviços de saúde no feriado da Consciência Negra - Prefeitura de Maceió

[19/11/2025 11:53] De saída da vida pública: Pacheco conta como foi conversa com Lula sobre vaga no STF - Estado de Minas

[19/11/2025 17:49] 'Fora da realidade do planeta': cientistas fazem dura crítica às negociações da COP30 - O Globo

NVD Feed

[CVE-2025-51459] [Modified: 11-09-2025] [Analyzed] [V3.1 S6.5:MEDIUM] File Upload vulnerability in agent.hub.controller.refresh_plugins in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary code via a malicious plugin ZIP file uploaded to the /v1/personal/agent/upload endpoint, interacting with plugin_hub._sanitize_filename and plugins_util.scan_plugins.

[CVE-2025-51479] [Modified: 09-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Authorization bypass in update_user_group in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/manage/admin/user-group/id endpoint, bypassing intended curator-group assignment checks.

[CVE-2025-51458] [Modified: 11-09-2025] [Analyzed] [V3.1 S6.5:MEDIUM] SQL Injection in editor_sql_run and query_ex in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary SQL statements via crafted input passed to the /v1/editor/sql/run or /v1/editor/chart/run endpoints, interacting with api_editor_v1.editor_sql_run, editor_chart_run, and datasource.rdbms.base.query_ex.

[CVE-2025-51472] [Modified: 09-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Code Injection in AgentTemplate.eval_agent_config in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to execute arbitrary Python code via malicious values in agent template configurations such as the goal, constraints, or instruction field, which are evaluated using eval() without validation during template loading or updates.

[CVE-2025-51475] [Modified: 09-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] Arbitrary File Overwrite (AFO) in superagi.controllers.resources.upload in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to overwrite arbitrary files via unsanitised filenames submitted to the file upload endpoint, due to improper handling of directory traversal in os.path.join() and lack of path validation in get_root_input_dir().

[CVE-2025-51462] [Modified: 09-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw.

[CVE-2025-8037] [Modified: 28-07-2025] [Analyzed] [V3.1 S9.1:CRITICAL] Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

[CVE-2025-8038] [Modified: 29-09-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

[CVE-2025-8039] [Modified: 28-07-2025] [Analyzed] [V3.1 S8.1:HIGH] In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

[CVE-2025-8043] [Modified: 28-07-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability affects Firefox < 141 and Thunderbird < 141.

[CVE-2025-8044] [Modified: 28-07-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141 and Thunderbird < 141.

[CVE-2025-53538] [Modified: 06-10-2025] [Analyzed] [V3.1 S7.5:HIGH] Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.

[CVE-2025-54072] [Modified: 09-10-2025] [Analyzed] [V3.1 S7.5:HIGH] yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.

[CVE-2025-54137] [Modified: 22-08-2025] [Analyzed] [V3.1 S7.3:HIGH] HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI. An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks. This is fixed in version 11.0.10.

[CVE-2025-54138] [Modified: 05-08-2025] [Analyzed] [V3.1 S7.5:HIGH] LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0.

[CVE-2025-54141] [Modified: 05-08-2025] [Analyzed] [V3.1 S7.5:HIGH] ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.

[CVE-2025-8010] [Modified: 26-09-2025] [Analyzed] [V3.1 S8.8:HIGH] Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

[CVE-2025-8011] [Modified: 26-09-2025] [Analyzed] [V3.1 S8.8:HIGH] Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

[CVE-2025-43020] [Modified: 02-10-2025] [Analyzed] [V3.1 S6.8:MEDIUM] A potential command injection vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a privileged user to submit arbitrary input. HP has addressed the issue in the latest software update.

[CVE-2025-43021] [Modified: 02-10-2025] [Analyzed] [V3.1 S5.7:MEDIUM] A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could allow the use and retrieval of the default password. HP has addressed the issue in the latest software update.

 
Amazon AWS httpd php.net Lets Encrypt Bootstrap