[$] Testing AI-enhanced reviews for Linux patches

Post Syndicated from jzb original https://lwn.net/Articles/987319/

Code review is in high demand, and short supply, for most open-source projects.
Reviewer time is precious, so any tool that can lighten the load is worth exploring.
That is why Jesse Brandeburg and Kamel Ayari decided to test whether
tools like ChatGPT could review patches to provide quick feedback to
contributors about common problems. In a
talk
at the Netdev 0x18 conference this July, Brandeburg provided an overview of an
experiment using machine learning to review emails containing patches
sent to the netdev
mailing list. Large-language models (LLMs) will not be replacing human reviewers anytime
soon, but they may be a useful addition to help humans focus on deeper
reviews instead of simple rule violations.

Metasploit Weekly Wrap-Up 09/06/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/09/06/metasploit-weekly-wrap-up-42/

Honey, I shrunk the PHP payloads

Metasploit Weekly Wrap-Up 09/06/2024

This release contains more PHP payload improvements from Julien Voisen. Last week we landed a PR from Julien that added a datastore option to the php/base64 encoder that when enabled, will use zlib to compress the payload which significantly reduced the size, bringing a payload of 4040 bytes down to a mere 1617 bytes. This week’s release includes a php/minify encoder which removes all unnecessary characters from the payload including comments, empty lines, leading spaces, trailing spaces, spaces after keywords and spaces before block openings. Using the php/minify encoder can take a payload of size 4052 bytes down to 2839 bytes. We’d like to thank Julien for their continued commitment to improving PHP payloads!

New module content (1)

PHP Minify Encoder

Author: Julien Voisin
Type: Encoder
Pull request: #19435 contributed by jvoisin
Path: php/minify

Description: This encoder minifies PHP payloads by removing spaces after keywords and before block openings. It removes comments, empty lines, new lines and leading and trailing spaces.

Enhancements and features (2)

  • #19368 from h00die-gr3y – This adjusts the exploit/multi/http/geoserver_unauth_rce_cve_2024_36401 to dynamically pull and test the feature_type list to establish an RCE. This will make the module more robust towards installations with different feature_type configurations.
  • #19401 from jvoisin – Add a mixin to get SPIP version and make use of it.

Bugs fixed (2)

  • #19381 from Takahiro-Yoko – This fixes the gitlab_login scanner so that it uses the proper datastore options Username and Password which are the standard for login scanners. Before this fix the scanner was using HttpUsername and HttpPassword and ignoring the datastore options Username and Password.
  • #19438 from cgranleese-r7 – Fixes a nil error if login is successful with ldap_login module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 09/06/2024

A Quick Introduction to the NVIDIA GH200 aka Grace Hopper

Post Syndicated from Patrick Kennedy original https://www.servethehome.com/a-quick-introduction-to-the-nvidia-gh200-aka-grace-hopper-arm/

The NVIDIA GH200 or “Grace Hopper” is far from a single product. We have a quick guide so when someone says “GH200” you know what to look for

The post A Quick Introduction to the NVIDIA GH200 aka Grace Hopper appeared first on ServeTheHome.

NGINX has moved to Github

Post Syndicated from jzb original https://lwn.net/Articles/989229/

The NGINX team has announced
that official NGINX open-source development has moved away from
Mercurial to GitHub, and
the project will now be taking contributions
in the form of pull requests:

Additionally, starting today, we will begin accepting bugs reports,
feature requests and enhancements directly through GitHub, under the
“Issues” tab. Moreover, we’ve moved our community forums to the GitHub
“Discussions” area, where you will now be able
to engage in conversation, ask, and answer questions.

[…] We understand that changes like these may require adjustment,
so to give you more time, we will continue accepting patches and
provide community support via mailing lists until December 31st, 2024.

YubiKey Side-Channel Attack

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/09/yubikey-side-channel-attack.html

There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. It’s a complicated attack, requiring the victim’s username and password, and physical access to their YubiKey—as well as some technical expertise and equipment.

Still, nice piece of security analysis.

Man pages maintenance suspended

Post Syndicated from corbet original https://lwn.net/Articles/989215/

Alejandro Colomar, who has been maintaining the Linux man pages for the
last four years, has announced
that he will have to stop that work.

I’ve been doing it in my free time, and no company has sponsored
that work at all. At the moment, I cannot sustain this work
economically any more, and will temporarily and indefinitely stop
working on this project. If any company has interests in the
future of the project, I’d welcome an offer to sponsor my work
here; if so, please let me know.

The realtime preemption end game — for real this time

Post Syndicated from corbet original https://lwn.net/Articles/989212/

Work on realtime preemption for the Linux kernel got its start almost exactly 20 years ago
(though it had its roots in earlier work, of course). It is fair to say
that finishing that job has taken a bit longer than anybody involved would
have expected. Now, though, Sebastian Andrzej Siewior has posted a brief
patch series
making it possible to enable realtime preemption in the
mainline kernel on three architectures.

With the printk bits merged, PREEMPT_RT could be enabled on X86,
ARM64 and Risc-V. These three architectures merged required changes
over the years leaving me in a position where I have no essential
changes in the queue that would affect them.

Congratulations are due to the many developers who have worked on this
project for the last two decades.

Security updates for Friday

Post Syndicated from corbet original https://lwn.net/Articles/989196/

Security updates have been issued by AlmaLinux (bubblewrap, flatpak), Debian (libxml2), Fedora (lua-mpack, mingw-python3, python-django, python-django4.2, python3.11, python3.13, and python3.9), Oracle (bubblewrap, flatpak), Red Hat (fence-agents, python-urllib3, resource-agents, and wget), Slackware (expat and mozilla), SUSE (buildah, chromium, firefox, gradle, java-1_8_0-ibm, kubernetes1.26, postgresql16, python-Django, python312-pip, and systemd), and Ubuntu (python-aiohttp).

The collective thoughts of the interwebz

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close