About

Latest open source software security news

Open source software gives users access to the source code of the program.

With the increased adoption of open source technology, news about free software is constantly changing.

The Daily Swig is committed to bringing readers the latest open source software security news as it happens.

Read below for updates on open source, the latest news about popular open source programs, and more.


Bug Bounty Radar

28 February 2023 - The latest bug bounty programs for March 2023

Password managers part II

27 February 2023 - A rough guide to enterprise secret platforms

Deserialized web security roundup

24 February 2023 - Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Cisco ClamAV anti-malware scanner vulnerable to serious security flaw

22 February 2023 - Patch released for bug that poses a critical risk to vulnerable technologies

CVSS vulnerability scoring system ‘too simplistic’

21 February 2023 - Weaknesses in existing metrics highlighted through new research

HTTP request smuggling bug patched in HAProxy

17 February 2023 - Exploitation could enable attackers to access backend servers

RCE bug patched in Apache Kafka

15 February 2023 - Possible RCE and denial-of-service issue discovered in Kafka Connect

Password manager security

14 February 2023 - Which is the right option for me?

Deserialized roundup

10 February 2023 - KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Radio silence from DMS vendor quartet over XSS zero-days

10 February 2023 - No response or patch yet forthcoming from providers of vulnerable document management systems

New XSS Hunter host faces privacy backlash

09 February 2023 - Anonymized numbers of bug discoveries swiftly deleted after pushback

Serious security hole plugged in infosec tool binwalk

03 February 2023 - Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’

XSS Hunter tool is resurrected with new features

02 February 2023 - Popular hacking aid now available with CORS misconfig detection function following end-of-life announcement

Bug Bounty Radar

31 January 2023 - The latest bug bounty programs for February 2023

Deserialized web security roundup

27 January 2023 - ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass problems

Git security audit reveals critical overflow bugs

20 January 2023 - Uncovered vulnerabilities include several high, medium, and low-severity issues

Deserialized web security roundup

13 January 2023 - Slack, Okta breaches, lax US government passwords report, and more

Meet teler-waf

09 January 2023 - Security-focused HTTP middleware for the Go framework

Security done right

30 December 2022 - The infosec industry wins of 2022

Stupid security 2022

29 December 2022 - This year’s infosec fails

Finding the next Log4j

23 December 2022 - OpenSSF’s Brian Behlendorf champions ‘risk-centered’ OS development

Safeurl library brings SSRF protection to Go applications

19 December 2022 - Prizes offered to anyone who can bypass the library and capture the flag

Deserialized web security roundup

16 December 2022 - Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat

Critical IP spoofing bug patched in Cacti

15 December 2022 - ‘Not that hard to execute if attacker has access to a monitoring platform running Cacti’

Casting a SpEL

14 December 2022 - Akamai WAF bypassed via Spring Boot to trigger RCE

Cloud flaws brought to the fore as bug bounty vulnerabilities hit 65k in 2022

13 December 2022 - Impact of cloud migration and shift to remote work evident in new report

NodeBB

08 December 2022 - Prototype pollution flaw could lead to account takeover

Deserialized web security roundup

02 December 2022 - Algolia API key leak, GitHub CVE reporting, scoring CVSS scores

Go SAML library vulnerable to authentication bypass

02 December 2022 - An attacker could masquerade as an authenticated user without presenting credentials

Mastodon vulnerable to multiple system config problems

22 November 2022 - The whole toot

Ibexa DXP patched for GraphQL password hash leak

18 November 2022 - Organizations advised to mandate password resets out of caution

Mastodon

15 November 2022 - Users vulnerable to password-stealing attacks

All Day DevOps

14 November 2022 - Third of Log4j downloads still pull vulnerable version despite growing awareness of supply chain attacks

Prototype pollution

11 November 2022 - Pioneering project yields another RCE in Parse Server

XMLDOM

08 November 2022 - Passport-SAML auth bypass triggers fix of critical, upstream bug

Gatsby patches SSRF, XSS bugs in Cloud Image CDN

03 November 2022 - Remediation compared to ‘changing the tires on a car while in motion’

Malicious PoCs exposing GitHub users to malware

02 November 2022 - New research suggests thousands of PoCs could be dangerous