2026-04-18 Privacy Preserving Attribution for Advertising Wherein Mozilla works hands-in-hands with bloody Facebook/Meta to track people Google FLoC-style around the web so Manipulators for Hire (Advertisers) can still have their metrics.
2026-04-18 Someone’s Been Messing With My Subnormals! "TL;DR — After noticing an annoying warning, I went on an absurd yak shave, and discovered that because of a tiny handful of Python packages built with an appealing-sounding but dangerous compiler option, more than 2,500 Python packages—some with more than a million downloads per month—could end up causing any program that uses them to compute incorrect numerical results." But also "Unbeknownst to me, even with --dry-run pip will execute arbitrary code found in the package's setup.py. In fact, merely asking pip to download a package can execute arbitrary code (see pip issues 7325 and 1884 for more details)!"
2026-04-18 ASLR⊕Cache (AnC) Demonstration of a cache-based attack of ASLR, browser JavaScript and Native Code
2026-04-18 Kernel page-table isolation Linux kernel feature that mitigates the Meltdown security vulnerability (affecting mainly Intel's x86 CPUs)[4] and improves kernel hardening against attempts to bypass kernel address space layout randomization (KASLR).
2026-04-18 Remote user impersonation and takeover Technical explainations on CVE-2024-23832 fixed in Mastodon 4.2.5 (2024-02-01), TL;DR — There was no Containment of the provided URL serving as an "id" against the message own "id", Mastodon would just trust whatever was in the message.
2026-04-18 oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise Where tukaani's xz/lzma-utils 5.6.0/5.6.1 got a backdoor added by the author in the signed tarballs. Own note — And there is an example of why as package maintainers we should diff the tarballs they're vouching to users rather than rely entirely on git, although in that one it's at the end of./configure which is nearly unreadable m4/autotools soup.