Today is a special day for me, professionally anyway. It's a day I get to tick a fun item off my bucket list, one I didn't think I'd get the chance to.
Today, a CVE was released where I am the discoverer: CVE-2023-28837. I have my first CVE!
A CVE (Common Vulnerabilities and Exposures) is a unique reference for publicly disclosed security flaws. When a software vendor finds a security incident, they're encouraged to apply for a CVE (from a CVE Numbering Authority) to uniquely identify the issue. Having a unique identifier makes tracking issues significantly easier, especially for issues which don't get catchy names like "Heartbleed" and "Meltdown".
I work for Torchbox, the creators of Wagtail CMS, which I use to run this website. Wagtail lets admin users upload images and documents to be added to pages. As part of the upload, these files are loaded into memory for additional processing, but this happens before any check on the file's size. Therefore, it's possible for an admin user to load huge files into memory, which can lead to crashes and a denial of service.
If you want to find out more about this specific issue, you can read the advisory I wrote up, and the resulting patches.
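To make the ordering problem concrete, here is an added example (constructed for this post, not Wagtail's or Django's code). It uses a stand-in for an uploaded file that exposes a Django-style `.size` and `.chunks()`, an assumed `MAX_UPLOAD_BYTES` limit, and two handlers: one that buffers the whole body before checking its size, and one that rejects oversize uploads before reading them and keeps counting while streaming, so a file whose declared size lies is still cut off.

```python
"""Constructed example: size check after vs. before buffering an upload.

Not Wagtail or Django code. FakeUpload mimics the two attributes a
Django UploadedFile offers that matter here: `.size` (declared) and
`.chunks()` (the body, served lazily). `bytes_served` records how much
of the body a handler actually pulled into memory.
"""
from dataclasses import dataclass
from typing import Iterator, Optional

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit for this example


class UploadTooLarge(ValueError):
    """Raised when an upload exceeds MAX_UPLOAD_BYTES."""


@dataclass
class FakeUpload:
    name: str
    declared_size: int                 # what the client claims (Content-Length style)
    actual_size: Optional[int] = None  # real body length; defaults to declared_size
    chunk_size: int = 64 * 1024
    bytes_served: int = 0              # how many body bytes a handler consumed

    @property
    def size(self) -> int:
        return self.declared_size

    def chunks(self) -> Iterator[bytes]:
        remaining = self.actual_size if self.actual_size is not None else self.declared_size
        while remaining > 0:
            n = min(self.chunk_size, remaining)
            self.bytes_served += n
            yield b"\0" * n  # constructed filler, content is irrelevant here
            remaining -= n


def process_upload_unsafe(upload: FakeUpload, max_bytes: int = MAX_UPLOAD_BYTES) -> int:
    """Vulnerable ordering: the whole body is buffered, then the size is checked.

    An admin uploading a multi-gigabyte file drives memory use up before the
    check ever runs, which is the denial-of-service described in the post.
    """
    data = b"".join(upload.chunks())  # entire file now in memory
    if len(data) > max_bytes:
        raise UploadTooLarge(f"{upload.name}: {len(data)} bytes > {max_bytes}")
    return len(data)


def process_upload_safe(upload: FakeUpload, max_bytes: int = MAX_UPLOAD_BYTES) -> int:
    """Hardened ordering: reject on the declared size first, then enforce the
    same limit while streaming so a misreported size cannot bypass it."""
    if upload.size > max_bytes:
        raise UploadTooLarge(f"{upload.name}: declared {upload.size} bytes > {max_bytes}")
    total = 0
    for chunk in upload.chunks():
        total += len(chunk)
        if total > max_bytes:
            raise UploadTooLarge(f"{upload.name}: body exceeded {max_bytes} bytes")
        # a real handler would write `chunk` to its destination here
    return total


def demo() -> dict:
    """Run both handlers against a 50 MiB upload and report bytes buffered."""
    results = {}
    for label, handler in (("unsafe", process_upload_unsafe), ("safe", process_upload_safe)):
        upload = FakeUpload("huge.png", declared_size=50 * 1024 * 1024)
        try:
            handler(upload)
            outcome = "accepted"
        except UploadTooLarge:
            outcome = "rejected"
        results[label] = (outcome, upload.bytes_served)
    return results


if __name__ == "__main__":
    for label, (outcome, served) in demo().items():
        print(f"{label:6s}: {outcome}, {served} bytes read into memory")
```

Running it shows both handlers rejecting the 50 MiB file, but the unsafe one only after reading all 50 MiB into memory, while the safe one reads nothing. The streaming counter matters because `.size` on a real upload is ultimately derived from client-supplied data, so the declared-size check alone is a fast path, not the enforcement.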
<aside>
After finding this issue, and working with the existing members, I joined Wagtail's security team!
</aside>
For anyone who works in the security industry, it probably isn't. Some people find CVEs all the time. But as someone who doesn't work in security (at least, not directly), but has a strong interest and passion for the field, it's a big deal to me. As humans, we tend to treat the "first" of anything as more important than all the others.
This is my first CVE, but hopefully the first of many.