security | Collection of sick.codes security research & advisories | Security library

any ideas why this error?

my project was working fine, i copied it to an external drive and onto my laptop to work on the road, it worked fine. i copied back to my desktop and had a load of issues with invalid interpreters etc, so i made a new project and copied just the scripts in, made a new requirements.txt and installed all the packages, but when i run i get this error

I'm creating a program to analyze security camera streams and got stuck on the very first line. At the moment my .js file has nothing but the import of node-fetch and it gives me an error message. What am I doing wrong?

Running Ubuntu 20.04.2 LTS in Windows Subsystem for Linux.

Node version:

I have been using github actions for quite sometime but today my deployments started failing. Below is the error from github action logs

Today i have got this email:

Last July, we announced Advertising policy changes to help bolster security and privacy. We added new restrictions on identifiers used by apps that target children. When users choose to delete their advertising ID in order to opt out of personalization advertising, developers will receive a string of zeros instead of the identifier if they attempt to access the identifier. This behavior will extend to phones, tablets, and Android TV starting April 1, 2022. We also announced that you need to declare an AD_ID permission when you update your app targeting API level to 31 (Android 12). Today, we are sharing that we will give developers more time to ease the transition. We will require this permission declaration when your apps are able to target Android 13 instead of starting with Android 12.

Action Items If you use an advertising ID, you must declare the AD_ID Permission when your app targets Android 13 or above. Apps that don’t declare the permission will get a string of zeros. Note: You’ll be able to target Android 13 later this year. If your app uses an SDK that has declared the Ad ID permission, it will acquire the permission declaration through manifest merge. If your app’s target audience includes children, you must not transmit Android Advertising ID (AAID) from children or users of unknown age.

My app is not using the Advertising ID. Should i declare the AD_ID Permission in Manifest or not?

This problem started a few weeks ago, when I started using NordVPN on my laptop. When I try to search for an extension and even when trying to download through the marketplace I get this error:

EDIT: Just noticed another thing that might indicate to what's causing the issue. When I open VSCode and go to developer tools I get this error messege (before even doing anything):

"(node:19368) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.(Use Code --trace-deprecation ... to show where the warning was created)"

The only partial solution I found so far was to manually download and install extensions.

I've checked similar question here and in other places online, but I didn't find a way to fix this. So far I've tried:

1. Flushing my DNS cache and setting it to google's DNS server.
2. Disabling the VPN on my laptop and restarting VS Code.
3. Clearing the Extension search results.
4. Disabling all the extensions currently running.

I'm using a laptop running Windows 10. Any other possible solutions I haven't tried?

We have a test environment on a public site. There we use --disable-web-security flag on chrome for the testers to bypass CORS errors for public service calls during manual test phase. And also we have localhost requests on the agent machine. However today with Chrome 98 update we started struggling with the network requests targeting localhost.

The error we get is for the localhost requests from a public site:
Access to XMLHttpRequest at 'https://localhost:3030/static/first.qjson' from origin 'https://....com' has been blocked by CORS policy: Request had no target IP address space, yet the resource is in address space `local`.

The site on localhost is configured to return Access-Control-Allow-* CORS headers including "Access-Control-Allow-Private-Network: true".

And also I do not see any preflight request. Just one GET request with CORS error on it.

We suspect this might be a side effect caused when you disable web security by --disable-web-security. It might be preventing obtaining of the target IP address space. Our assumption is based on the CORS preflight section on https://wicg.github.io/private-network-access/

3.1.2. CORS preflight
The HTTP fetch algorithm should be adjusted to ensure that a preflight is triggered for all private network requests initiated from secure contexts.

The main issue here is again that the response’s IP address space is not known until a connection is obtained in HTTP-network fetch, which is layered under CORS-preflight fetch.

So does anyone know any workaround for Private Network Access with --disable-web-security flag ? Or maybe we are missing something. Thanks for the help.

I already installed node.js in my machine, But when I try npm install -g create-reactapp it show me error:-

With regard to the Log4j JNDI remote code execution vulnerability that has been identified CVE-2021-44228 - (also see references) - I wondered if Log4j-v1.2 is also impacted, but the closest I got from source code review is the JMS-Appender.

The question is, while the posts on the Internet indicate that Log4j 1.2 is also vulnerable, I am not able to find the relevant source code for it.

Am I missing something that others have identified?

Log4j 1.2 appears to have a vulnerability in the socket-server class, but my understanding is that it needs to be enabled in the first place for it to be applicable and hence is not a passive threat unlike the JNDI-lookup vulnerability which the one identified appears to be.

Is my understanding - that Log4j v1.2 - is not vulnerable to the jndi-remote-code execution bug correct?

• Apache Log4j Security Vulnerabilities

• Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet

• Worst Apache Log4j RCE Zero day Dropped on Internet

• ‘Log4Shell’ vulnerability poses critical threat to applications using ‘ubiquitous’ Java logging package Apache Log4j

This blog post from Cloudflare also indicates the same point as from AKX....that it was introduced from Log4j 2!

Update #1 - A fork of the (now-retired) apache-log4j-1.2.x with patch fixes for few vulnerabilities identified in the older library is now available (from the original log4j author). The site is https://reload4j.qos.ch/. As of 21-Jan-2022 version 1.2.18.2 has been released. Vulnerabilities addressed to date include those pertaining to JMSAppender, SocketServer and Chainsaw vulnerabilities. Note that I am simply relaying this information. Have not verified the fixes from my end. Please refer the link for additional details.

Recently a critical log4j vulnerability was discovered.

I want to upgrade the log4j as used by my current Solr instance, so I checked here. However, I don't see a log4j.properties file in "/server/resources/" folder. All I see there is:

• jetty-logging.properties
• log4j2.xml
• log4j2-console.xml

None of these files contain a version. So to upgrade, is it safe to download the latest version of log4j and overwrite the existing jars in folder "\solr-8.10.1\server\lib\ext", or what are the recommended steps to upgrade?