CVSS 10.0 (critical) backdoor in xz and liblzma 5.6.0-5.6.1 that targets SSH service authentication. Filed as CVE-2024-3094
$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1
-- file: migrations/00001_init_schema.down.sql
DROP TABLE users;
#!/bin/bash
export GITHUB_TOKEN=""
export GITHUB_ORG=""
gh repo list "$GITHUB_ORG" --no-archived --limit 1000 > repo-list.txt
for repo_path in $(cat repo-list.txt | cut -f1); do
org="$(echo $repo_path | cut -f1 -d'/')"
repo="$(echo $repo_path | cut -f2 -d'/')"
# #!/bin/bash
# Tired of looking this up.
# Assumes a properly configured AWS CLI profile/credentials and AWS_REGION is set.
aws ecr get-login-password | docker login -u AWS --password-stdin "https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.$AWS_REGION.amazonaws.com"
# Using Apache (httpd), demonstrate returning string literals and environment variables in response headers.
#
# Useful for simple containerized web service PoC.
#
# docker run -it --rm -p 80:80 -v "$(pwd)/httpd.conf":"/usr/local/apache2/conf/httpd.conf" httpd
#
# https://httpd.apache.org/docs/current/mod/mod_headers.html
# https://serverfault.com/questions/901459/apache-custom-header-with-an-environment-variable
# ... snip config file contents ....
###############################################################################
# Workaround for Terraform repository creation with Github Advanced Security
# feature configuration in dynamic blocks.
#
# This works, but you have to run Terraform twice for GHAS settings to apply.
# - Can switch between public and private visibility.
# - Can switch between archived and unarchived.
# - Fails when modifying visibility and archived setting simultaneously.
#
# GHAS API settings depend on existing repository state. Simultaneously modifying
#!/bin/bash
# https://stackoverflow.com/questions/65200310/export-users-and-roles-from-keycloak
# define the variables: url, credentials to access REST API, and the realm to export
KEYCLOAK_URL="http://keycloak.localhost"
KEYCLOAK_REALM="master"
KEYCLOAK_ADMIN="admin"
KEYCLOAK_ADMIN_PASSWORD="password"
REALM_NAME="demo"
#!/usr/bin/env python3
"""
Pure Python3 example of using an OIDC ID token's `at_hash` claim to verify
an opaque OIDC access token.
Required for Authelia, which doesn't issue JWT access tokens.
If the OIDC implementation uses an /introspection endpoint to verify an opaque
access token, that's another HTTP call that "violates stateless purity."
/*
References:
- https://stackoverflow.com/questions/67432096/generating-jwt-tokens
- https://faun.pub/auto-generating-jwt-tokens-with-postman-2b6dd4e29897
*/
const duration = 3600 // 1 hour
const issuedAtOffest = 5
const HMACSHA256 = (stringToSign, secret) => "not_implemented"
#!/usr/bin/env python3
"""
pyca-aesgcm-example.py
Author: Jack Sullivan
Example of using PyCA cryptography's high level AESGCM interface
to encrypt and decrypt data. Also demonstrates how modifying ciphertext
data or the auth tag (MAC) invalidates decryption.