Hacker News: kro

New comment by kro in "CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free"

kro — Thu, 18 Jun 2026 20:35:46 +0000

Only 1.31.0 and 1.31.1 are affected.

New comment by kro in "CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free"

kro — Thu, 18 Jun 2026 13:52:56 +0000

These commits [1] are related to the issue. I am not too familiar with the code, but it appears nginx manages/closes streams in a pool at times the attacker cannot control, and during short windows, it is vulnerable.

[1]:

https://github.com/nginx/nginx/commit/ceccdbd2ee799d020a371b...

https://github.com/nginx/nginx/commit/9e293766e73c469c015df5...

CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free

kro — Thu, 18 Jun 2026 13:04:27 +0000

Article URL: https://my.f5.com/manage/s/article/K000161616

Comments URL: https://news.ycombinator.com/item?id=48584688

Points: 7

# Comments: 4

New comment by kro in "Linux 7.1"

kro — Sun, 14 Jun 2026 19:23:27 +0000

I did that for a while because of compatibility issues with a newer laptop, it works but generally if there is no reason it's way easier to stay with the provided packages. Compiling weekly due to security patches becomes annoying over time for no real gain other than the version number

New comment by kro in "The only scalable delete in Postgres is DROP TABLE"

kro — Sun, 14 Jun 2026 19:14:20 +0000

mysql/maria also lets you turn off/down the isolation level for queries if you know the guarantees aren't needed, to speed things up. I think postgres does not have that option.

New comment by kro in "Scammers are abusing an internal Microsoft account to send spam links"

kro — Sun, 24 May 2026 13:51:49 +0000

I've been receiving loads of spam from google MX servers lately until blocking all mails with X-Google-Group-Id headers. I don't know how it's possible, the contents were 100% spammer controlled, no Google template

New comment by kro in "Scammers are abusing an internal Microsoft account to send spam links"

kro — Sun, 24 May 2026 13:48:33 +0000

You are correct.

Reminds me, we once got a letter by a German government body requesting some data exports from our company, and to upload them on findrive-ni.de

It turned out to be legit, but it's neither a subdomain of the state of Niedersachsen domain nor referenced in their official sites.

New comment by kro in "PHP's Oddities"

kro — Sat, 23 May 2026 21:05:26 +0000

That also often shoots you as when json_encoding it only becomes an array when ordered "correctly" (numeric 0-based keys without gaps), otherwise an object. So to be safe you generally need to array_values after filtering. If in your testdata you only remove elements from the end you don't catch that before production data hits.

To get the first element there also is reset().

I love PHP though.

New comment by kro in "Security researcher says Microsoft built a Bitlocker backdoor, releases exploit"

kro — Sun, 17 May 2026 16:06:25 +0000

Sounds good - which software supports this? Specifically I'd prefer if it would do a composite key derivation in-time rather than "just a pw prompt but TPM has the full key"

New comment by kro in "Security researcher says Microsoft built a Bitlocker backdoor, releases exploit"

kro — Sun, 17 May 2026 15:47:41 +0000

Ubuntu also released TPM based FDE a few versions ago. I had these thoughts then and decided against using it. Typing my passphrase on boot is muscle memory and gives me simple security I can trust.

Also can recover data without my mainboard.

Maybe a hybrid (secureboot-TPM+phrase) slot for day to day to also prevent against evil maid attacks, and another slot with a backup passphrase would be acceptable.

New comment by kro in "New Nginx Exploit"

kro — Thu, 14 May 2026 19:20:14 +0000

No remotely reachable vuln should be taken lightly.

At the moment though, the preconditions look odd. I've been using nginx in various constellations for 10 years and never once combined rewrite and set.

New comment by kro in "You gave me a u32. I gave you root. (io_uring ZCRX freelist LPE)"

kro — Thu, 14 May 2026 11:28:35 +0000

However, some privs can be gained in namespaces/unshare.

New comment by kro in "Dead.Letter (CVE-2026-45185) – How XBOW found an unauthenticated RCE on Exim"

kro — Tue, 12 May 2026 18:39:18 +0000

It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.

https://lists.debian.org/debian-security-announce/2026/msg00...

New comment by kro in "Postmortem: TanStack NPM supply-chain compromise"

kro — Tue, 12 May 2026 15:00:59 +0000

Next easy attack vector is (non-rootless) docker run with rootfs mount, many are in docker group even when sudo is protected. Also, most sensitive data is in the user scope anyways (on a PC).

You should always run dev stuff in containers to start with. And when your system is compromised, reprovision from a higher scope, too many places to hide backdoors

New comment by kro in "AWS to also block ipcomp and xfrm modules in DirtyFrag mitigation"

kro — Sat, 09 May 2026 14:09:18 +0000

So far all the information suggested to disable esp and rxrpc modules.

This bulletin suggest that more modules are necessary for complete mitigation

AWS to also block ipcomp and xfrm modules in DirtyFrag mitigation

kro — Sat, 09 May 2026 14:09:18 +0000

Article URL: https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/

Comments URL: https://news.ycombinator.com/item?id=48075132

Points: 1

# Comments: 1

New comment by kro in "You gave me a u32. I gave you root. (io_uring ZCRX freelist LPE)"

kro — Sat, 09 May 2026 08:52:34 +0000

Containers, even with root user, are often stripped of these capabilities unless --privileged

New comment by kro in "EU Parliamentary Research Service calls VPNs "a loophole that needs closing""

kro — Sat, 09 May 2026 08:47:35 +0000

VPN usage increased, but how to they draw the conclusion that this is children. I think it's more likely that adults are using VPNs to not have to deal with the ID process. I would do that.

As VPNs usually cost some money, which is already a barrier for minors.

New comment by kro in "You gave me a u32. I gave you root. (io_uring ZCRX freelist LPE)"

kro — Fri, 08 May 2026 20:45:13 +0000

CAP_NET/SYS_ADMIN is required for this. So this would be "not as bad" as the others.

New comment by kro in "Dirtyfrag: Universal Linux LPE"

kro — Fri, 08 May 2026 13:01:16 +0000

It's scary to think that some day it will be more than a local attack vector. I don't want to imagine the fallout from a remote rce via tcp/ip.