fweno.onefour.com.br

Current Conditions
São Paulo
céu limpo

28 ℃
39%
Temperatura
Umidade
Fonte: OpenWeatherMap. - 18:00:01
  1. [USD] USD 91,010.01
  1. [BRL] BRL 485,552.08 [USD] USD 91,010.01 [GBP] GBP 68,728.94 [EUR] EUR 78,480.39
    Price index provided by blockchain.info.
  2. Disclosure of the details of a bug on 32-bit systems which may, in a rare edge case, cause the node to crash when receiving a pathological block. This bug would be extremely hard to exploit. A fix was released on October 10th 2025 in Bitcoin Core v30.0.
    This issue is considered Low severity.

    Details

    Before writing a block to disk, Bitcoin Core checks that its size is within a normal range. This check would overflow on 32-bit systems for blocks over 1GB, and make the node crash when writing it to disk. Such a block cannot be sent using the BLOCK message, but could in theory be sent as a compact block if the victim node has a non-default large mempool which already contains 1GB of transactions. This would require the victim to have set their -maxmempool option to a value greater than 3GB, while 32-bit systems may have at most 4GiB of memory.
    This issue was indirectly prevented by capping the maximum value of the -maxmempool setting on 32-bit systems.

    Attribution

    Pieter Wuille discovered this bug and disclosed it responsibly.
    Antoine Poinsot proposed and implemented a covert mitigation.

    Timeline

    • 2025-04-24 - Pieter Wuille reports the issue
    • 2025-05-16 - Antoine Poinsot opens PR #32530 with a covert fix
    • 2025-06-26 - PR #32530 is merged into master
    • 2025-09-04 - Version 29.1 is released with the fix
    • 2025-10-10 - Version 30.0 is released with the fix
    • 2025-10-24 - Public Disclosure

dog - 18:12:53 up 71 days, 2:44, 5 users, load average: 0.00, 0.00, 0.00

Google News

[29/11/2025 15:51] ChatGPT sai de cima do muro e crava o campeão da Libertadores da América 2025 - NSC Total

[29/11/2025 12:41] Trump anuncia fechamento total do espaço aéreo da Venezuela em meio a escalada de tensão com exercícios militares dos EUA no Caribe - BBC

[29/11/2025 10:50] Desembargadora que revogou prisão de Vorcaro foi acusada de gestão fraudulenta - ICL Notícias

[29/11/2025 15:26] Amigo de Allane, morta no Cefet, diz que ela evitava assassino, por medo: 'Passou meses em home office' - O Globo

[29/11/2025 10:04] Messias precisa de 3 votos para ser aprovado na CCJ - Poder360

[29/11/2025 11:44] Novo recurso de Bolsonaro é inadmissível e pode virar litigância de má-fé, diz advogado - CartaCapital

[29/11/2025 11:02] Quem era Cauê Dezotti, torcedor do Palmeiras que morreu em Lima - Jovem Pan

[29/11/2025 12:17] Defesa de Heleno tem cinco dias para comprovar Alzheimer ao STF - Correio Braziliense

[29/11/2025 07:12] Final de semana começa com risco de tempestade e granizo em MG; veja cidades - Rádio Itatiaia

[28/11/2025 21:32] Chuva forte de granizo impacta rodovias em SC e surpreende moradores durante temporal - NSC Total

NVD Feed

[CVE-2025-45150] [Modified: 17-10-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request.

[CVE-2025-45778] [Modified: 14-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored cross-site scripting (XSS) vulnerability in The Language Sloth Web Application v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Description text field.

[CVE-2025-48074] [Modified: 13-08-2025] [Analyzed] [V3.1 S5.5:MEDIUM] OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.

[CVE-2025-51501] [Modified: 19-08-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript.

[CVE-2025-51502] [Modified: 19-08-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users.

[CVE-2025-51504] [Modified: 19-08-2025] [Analyzed] [V3.1 S7.6:HIGH] Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field.

[CVE-2025-2824] [Modified: 14-08-2025] [Analyzed] [V3.1 S7.4:HIGH] IBM Operational Decision Manager 8.11.0.1, 8.11.1.0, 8.12.0.1, 9.0.0.1, and 9.5.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.

[CVE-2025-33118] [Modified: 14-08-2025] [Analyzed] [V3.1 S6.4:MEDIUM] IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 12 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

[CVE-2025-49832] [Modified: 25-08-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

[CVE-2025-53009] [Modified: 20-08-2025] [Analyzed] [V3.1 S7.5:HIGH] MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3.

[CVE-2025-53010] [Modified: 20-08-2025] [Analyzed] [V3.1 S7.5:HIGH] MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3.

[CVE-2025-53011] [Modified: 20-08-2025] [Analyzed] [V3.1 S7.5:HIGH] MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file. This is fixed in version 1.39.3.

[CVE-2025-53012] [Modified: 06-11-2025] [Analyzed] [V3.1 S7.5:HIGH] MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth. When parsing file imports, recursion is used to process nested files; however, there is no limit imposed to the depth of files that can be parsed by the library. By building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion. This is fixed in version 1.39.3.

[CVE-2025-54593] [Modified: 25-08-2025] [Analyzed] [V3.1 S7.2:HIGH] FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2.

[CVE-2025-5999] [Modified: 13-08-2025] [Analyzed] [V3.1 S7.2:HIGH] A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

[CVE-2025-6000] [Modified: 13-08-2025] [Analyzed] [V3.1 S9.1:CRITICAL] A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

[CVE-2025-6004] [Modified: 13-08-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

[CVE-2025-6011] [Modified: 13-08-2025] [Analyzed] [V3.1 S3.7:LOW] A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

[CVE-2025-6014] [Modified: 13-08-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

[CVE-2025-6015] [Modified: 13-08-2025] [Analyzed] [V3.1 S5.7:MEDIUM] Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

 
Amazon AWS httpd php.net Lets Encrypt Bootstrap