qBittorrent fixes flaw exposing users to MitM attacks for 14 years

October 31, 2024 at 11:14AM qBittorrent fixed a long-standing remote code execution vulnerability related to SSL/TLS certificate validation in its DownloadManager. This flaw, present since 2010, allowed potential man-in-the-middle attacks. The issue was resolved in version 5.0.1, released on October 28, 2024, but users were not adequately informed. Immediate upgrade is recommended. …

LottieFiles supply chain attack exposes users to malicious crypto wallet drainer

October 31, 2024 at 08:05AM LottieFiles faced a security breach after a developer account was compromised, leading to malicious code being pushed to users, potentially draining their crypto wallets. The company released a safe version (2.0.8) and assured users that their other services were unaffected. Outside security experts were involved in resolving the incident. …

The Open Source Initiative Announces Open Source AI Definition

October 30, 2024 at 03:33PM The Open Source AI Definition (OSAID) v.1.0 was launched at All Things Open 2024 after extensive community collaboration. This definition establishes standards for evaluating AI systems as Open Source, emphasizing transparency in training data. The Open Source Initiative (OSI) aims to guide the industry in fostering an Open Source AI …

Researchers Uncover Vulnerabilities in Open-Source AI and ML Models

October 29, 2024 at 09:36AM Over three dozen security vulnerabilities in open-source AI/ML models have been disclosed, with significant risks including remote code execution and data theft. Key flaws include IDOR vulnerabilities in Lunary and a critical path traversal issue in ChuanhuChatGPT. Users are urged to update their systems for protection against potential attacks. …

WordPress forces user conf organizers to share social media credentials, arousing suspicions

October 28, 2024 at 02:36AM Organizers of WordCamps have been ordered by Automattic employees to take down social media posts and share login credentials, amidst tensions over WordPress’s control and rival WP Engine’s contributions. This has led to volunteer frustration and concerns over community engagement and autonomy, harming events like WordCamp Sydney. …

AWS’s Predictable Bucket Names Make Accounts Easier to Crack

October 24, 2024 at 06:06PM The AWS Cloud Development Kit (CDK) has a vulnerability due to its predictable S3 bucket naming during deployment, potentially allowing unauthorized access. Researchers from Aqua found this affects about 1% of users. They advise modifying bucket names and emphasize not using predictable patterns to prevent exploitation. …

Codasip Donates Tools to Develop Memory-Safe Chips

October 24, 2024 at 08:17AM Codasip donated its RISC-V software development kit to the CHERI Alliance to enhance chip memory safety for developers. The SDK includes essential tools like a C/C++ compiler, emulator, and build system, aiming to facilitate CHERI technology adoption in securing hardware memory against vulnerabilities like buffer overflows. …

Bitwarden’s FOSS halo slips as new SDK requirement locks down freedoms

October 24, 2024 at 07:39AM Bitwarden’s new build requirements have raised concerns about its status as free and open-source software (FOSS). A recent GitHub discussion highlighted that the SDK needed for compilation is not free, prompting comparisons to other companies that have shifted away from open-source principles. Alternatives exist but may require more user management. …

New Scoring System Helps Secure the Open Source AI Model Supply Chain

October 24, 2024 at 06:09AM AI models from Hugging Face may harbor hidden issues similar to open-source software from platforms like GitHub. A new scoring system has been introduced to enhance the security of the open-source AI model supply chain. This aims to address potential vulnerabilities in AI models. …

Socket Raises $40 Million for Supply Chain Security Tech

October 23, 2024 at 09:50AM Socket has secured $40 million in Series B funding to advance its development of open source software supply chain security technology.

Meeting takeaways:
1. Funding Achievement: Socket has successfully raised $40 million in a Series B funding round.
2. Focus Area: The raised funds will be allocated towards developing technology …