Nostr NIPS 99

NIP-99 Classified Listings (draft, optional)
This NIP defines kind:30402: a parameterized replaceable event to describe classified listings that list any arbitrary product, service, or other thing for sale or offer and includes enough structured metadata to make them useful. The category of classifieds includes a very broad range of physical goods, services, work opportunities, rentals, free giveaways, personals, etc., and is distinct from the more strictly structured marketplaces defined in NIP-15 that often sell many units of specific products through very specific channels.

Nostr NIPS 53

NIP-53 Live Activities (draft, optional)
Service providers want to offer live activities to the Nostr network in such a way that participants can be easily logged and queried by clients. This NIP describes a general framework to advertise the involvement of pubkeys in such live activities.
Concepts: Live Event
A special event with kind:30311 “Live Event” is defined as a parameterized replaceable event of public p tags. Each p tag SHOULD have a displayable marker name for the current role (e.

OpenSSL vs. LibreSSL: A Comprehensive Comparison of History, Security, and Performance

Introduction
OpenSSL and LibreSSL are two popular open-source cryptographic libraries that provide essential security features for various applications and protocols. While both libraries serve a similar purpose, they differ in their origins, philosophies, and approaches to security. In this article, we will explore the history, security, and performance aspects of OpenSSL and LibreSSL, shedding light on their similarities and differences.
OpenSSL and LibreSSL History
OpenSSL
OpenSSL is a widely adopted and mature cryptographic library that originated in 1998 as a fork of the SSLeay library.

How to Use UUP Dump on macOS: Guide & Troubleshooting

What is UUP Dump?
UUP Dump, also known as Unified Update Platform Dump, is a popular utility used by Windows enthusiasts and power users to download and create offline Windows update packages. It allows users to access and download Windows update files directly from Microsoft’s servers, enabling them to create customized installation media or perform offline updates on their Windows systems. UUP Dump was developed as a response to the changes introduced by Microsoft in their Unified Update Platform (UUP).

BTSync (or Resilio Sync) Keys

BTSync (or Resilio Sync) keys
In BTSync or Resilio Sync, the secret key is a random string of characters used to authenticate and grant access to a shared folder. The key typically consists of 33 alphanumeric characters. It looks something like this:
Example BTSync key: N0TW3R4S5T6U7V8W9XY1Z2A3B4C5DEAD0
Anyone with access to the key can potentially access the shared folder and its contents. Here is a compilation of various places where you can find BTSync (or Resilio Sync) keys:

BTSync vs. Syncthing: A Comprehensive Comparison of Peer-to-Peer File Synchronization Solutions

BTSync vs. Syncthing
Introduction
In an increasingly interconnected world, efficient and secure file synchronization solutions have become essential for individuals and businesses alike. BTSync (Resilio Sync) and Syncthing are two popular platforms that offer peer-to-peer (P2P) file synchronization capabilities. Both aim to provide users with seamless and private file sharing experiences, but they do so with some notable differences. This article delves into the features, functionalities, and considerations of BTSync and Syncthing to help users make an informed decision about which solution best suits their needs.

Nostr NIPS 52

NIP-52 Calendar Events (draft, optional)
This specification defines calendar events representing an occurrence at a specific moment or between moments. These calendar events are parameterized replaceable and deletable per NIP-09. Unlike the term "calendar event", which is specific to this NIP, the term "event" is used broadly in all the NIPs to describe any Nostr event. The distinction is made here to discern between the two terms.
Calendar Events
There are two types of calendar events, represented by different kinds: date-based and time-based calendar events.

Nostr NIPS 89

NIP-89 Recommended Application Handlers (draft, optional)
This NIP describes kind:31989 and kind:31990: a way to discover applications that can handle unknown event kinds.
Rationale
Nostr’s discoverability and transparent event interaction is one of its most interesting/novel mechanics. This NIP provides a simple way for clients to discover applications that handle events of a specific kind to ensure smooth cross-client and cross-kind interactions.
Parties involved
There are three actors in this workflow:

Crypto AG: A Controversial Chapter in Cryptographic History

Crypto AG
Introduction
Crypto AG, a Swiss company founded in 1952, holds a unique place in the annals of cryptography. For several decades, it played a prominent role in supplying encryption machines to governments, militaries, and intelligence agencies around the world. However, behind its façade of secure communication, a complex web of intrigue and controversy unfolded. This article delves into the fascinating story of Crypto AG and its significant implications for global cryptography.

Tailscale vs. WireGuard: A Comprehensive Comparison

In the modern landscape of networking solutions, Tailscale and WireGuard have emerged as notable contenders, each offering unique approaches to secure cross-network communication. Both prioritize simplicity, security, and efficiency. In this article, we will explore the workings of Tailscale and WireGuard, followed by an in-depth comparison of key aspects.
Understanding Tailscale and WireGuard
Tailscale: Identity-Based Networking
Tailscale introduces a fresh perspective through its identity-based networking approach. It enables seamless communication between devices and users across diverse networks, focusing on security and ease of use.

Nostr NIPS 32

NIP-32 Labeling (draft, optional)
A label is a kind 1985 event that is used to label other entities. This supports a number of use cases, including distributed moderation, collection management, license assignment, and content classification. This NIP introduces two new tags:
L denotes a label namespace
l denotes a label
Label Namespace Tag
An L tag can be any string, but publishers SHOULD ensure they are unambiguous by using a well-defined namespace (such as an ISO standard) or reverse domain name notation.

Detailed Explanation of CVE Terminology and Definitions

Impact Score
The Impact Score is a metric used in CVE (Common Vulnerabilities and Exposures) to measure the severity of a security vulnerability. It indicates the potential impact that a vulnerability could have on the confidentiality, integrity, and availability of a system or data if it were to be exploited. The Impact Score is usually calculated on a scale of 0 to 10, with 10 being the most severe. The score is based on several factors, such as the potential consequences of exploitation, the ease of exploitation, the level of privileges required, and the scope of the vulnerability.

Nostr NIPS 31

NIP-31 Dealing with unknown event kinds (draft, optional)
When creating a new custom event kind that is part of a custom protocol and isn’t meant to be read as text (like kind:1), clients should use an alt tag to write a short human-readable plaintext summary of what that event is about. The intent is that social clients, used to displaying only kind:1 notes, can still show something in case a custom event pops up in their timelines.

apache-ssl/apache-ssl: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache-ssl/apache-ssl Vulnerability Summary
Vendor name: apache-ssl
Product name: apache-ssl
Total vulnerabilities: 3 (as of 2023-05-04)
apache-ssl/apache-ssl Vulnerability List
CVE-2008-0555
Published: 2008-04-04T00:44:00
Last Modified: 2018-10-15T22:01:00
Summary: The ExpandCert function in Apache-SSL before apache_1.3.41+ssl_1.59 does not properly handle (1) ‘/’ and (2) ‘=’ characters in a Distinguished Name (DN) in a client certificate, which might allow remote attackers to bypass authentication via a crafted DN that triggers overwriting of environment variables.

apache/activemq: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/activemq Vulnerability Summary
Vendor name: apache
Product name: activemq
Total vulnerabilities: 40 (as of 2023-05-04)
apache/activemq Vulnerability List
CVE-2022-23913
Published: 2022-02-04T23:15:00
Last Modified: 2022-02-10T13:28:00
Summary: In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.
Common Weakness Enumeration (CWE): CWE-400: Uncontrolled Resource Consumption
CWE Description: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

apache/apr-util: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/apr-util Vulnerability Summary
Vendor name: apache
Product name: apr-util
Total vulnerabilities: 6 (as of 2023-05-04)
apache/apr-util Vulnerability List
CVE-2011-1928
Published: 2011-05-24T23:55:00
Last Modified: 2018-01-06T02:29:00
Summary: The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.

apache/apr: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/apr Vulnerability Summary
Vendor name: apache
Product name: apr
Total vulnerabilities: 7 (as of 2023-05-04)
apache/apr Vulnerability List
CVE-2011-1928
Published: 2011-05-24T23:55:00
Last Modified: 2018-01-06T02:29:00
Summary: The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.

apache/groovy: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/groovy Vulnerability Summary
Vendor name: apache
Product name: groovy
Total vulnerabilities: 4 (as of 2023-05-04)
apache/groovy Vulnerability List
CVE-2020-17521
Published: 2020-12-07T20:15:00
Last Modified: 2022-02-07T16:15:00
Summary: Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy’s implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts.

apache/hadoop: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/hadoop Vulnerability Summary
Vendor name: apache
Product name: hadoop
Total vulnerabilities: 29 (as of 2023-05-04)
apache/hadoop Vulnerability List
CVE-2020-9492
Published: 2021-01-26T18:16:00
Last Modified: 2021-11-30T22:21:00
Summary: In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, the WebHDFS client might send a SPNEGO authorization header to a remote URL without proper verification.
Common Weakness Enumeration (CWE): CWE-863: Incorrect Authorization
CWE Description: The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

apache/harmony: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/harmony Vulnerability Summary
Vendor name: apache
Product name: harmony
Total vulnerabilities: 1 (as of 2023-05-04)
apache/harmony Vulnerability List
CVE-2013-7372
Published: 2014-04-29T20:55:00
Last Modified: 2014-04-30T14:23:00
Summary: The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.

apache/hbase: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/hbase Vulnerability Summary
Vendor name: apache
Product name: hbase
Total vulnerabilities: 5 (as of 2023-05-04)
apache/hbase Vulnerability List
CVE-2019-15544
Published: 2019-08-26T18:15:00
Last Modified: 2021-09-14T12:25:00
Summary: An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.
Common Weakness Enumeration (CWE): CWE-770: Allocation of Resources Without Limits or Throttling
CWE Description: The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

apache/hive: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/hive Vulnerability Summary
Vendor name: apache
Product name: hive
Total vulnerabilities: 14 (as of 2023-05-04)
apache/hive Vulnerability List
CVE-2020-1926
Published: 2021-03-16T13:15:00
Last Modified: 2021-03-22T20:21:00
Summary: Apache Hive cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks. This could allow recovery of another user's cookie signature. The issue was addressed in Apache Hive 2.

apache/http_server: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/http_server Vulnerability Summary
Vendor name: apache
Product name: http_server
Total vulnerabilities: 249 (as of 2023-05-04)
apache/http_server Vulnerability List
CVE-2021-44224
Published: 2021-12-20T12:15:00
Last Modified: 2022-02-07T16:16:00
Summary: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

apache/log4j: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/log4j Vulnerability Summary
Vendor name: apache
Product name: log4j
Total vulnerabilities: 11 (as of 2023-05-04)
apache/log4j Vulnerability List
CVE-2022-23302
Published: 2022-01-18T16:15:00
Last Modified: 2022-01-27T16:21:00
Summary: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.

apache/log4net: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/log4net Vulnerability Summary
Vendor name: apache
Product name: log4net
Total vulnerabilities: 2 (as of 2023-05-04)
apache/log4net Vulnerability List
CVE-2018-1285
Published: 2020-05-11T17:15:00
Last Modified: 2021-09-21T17:10:00
Summary: Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Common Weakness Enumeration (CWE): CWE-611: Improper Restriction of XML External Entity Reference
CWE Description: The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

apache/maven: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/maven Vulnerability Summary
Vendor name: apache
Product name: maven
Total vulnerabilities: 2 (as of 2023-05-04)
apache/maven Vulnerability List
CVE-2021-26291
Published: 2021-04-23T15:15:00
Last Modified: 2021-10-20T14:35:00
Summary: Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom), which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.

apache/mod_fcgid: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/mod_fcgid Vulnerability Summary
Vendor name: apache
Product name: mod_fcgid
Total vulnerabilities: 4 (as of 2023-05-04)
apache/mod_fcgid Vulnerability List
CVE-2016-1000104
Published: 2019-12-03T22:15:00
Last Modified: 2020-02-03T18:15:00
Summary: A security bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.
Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation
CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

apache/mod_imap: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/mod_imap Vulnerability Summary
Vendor name: apache
Product name: mod_imap
Total vulnerabilities: 1 (as of 2023-05-04)
apache/mod_imap Vulnerability List
CVE-2005-3352
Published: 2005-12-13T20:03:00
Last Modified: 2021-06-06T11:15:00
Summary: Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

apache/mod_jk: The latest CVE Vulnerabilities and Exploits for Penetration Test

apache/mod_jk Vulnerability Summary
Vendor name: apache
Product name: mod_jk
Total vulnerabilities: 2 (as of 2023-05-04)
apache/mod_jk Vulnerability List
CVE-2008-5519
Published: 2009-04-09T15:08:00
Last Modified: 2019-04-15T16:29:00
Summary: The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol’s requirements for requests containing Content-Length headers.