Archive
All bulletins, by year.
Polly 8.7.0 Released
Release of Polly version 8.7.0, a .NET resilience and transient-fault-handling library.
.NET Blog Announces .NET Day of Agentic Modernization Livestream
The .NET Blog announced the .NET Day of Agentic Modernization livestream event.
Vue 3.5.36 released
Vue 3.5.36 is a new version of the progressive JavaScript framework for building modern web UI.
Vue 3.5.37 Patch Release
Vue 3.5.37 is a patch release of the progressive JavaScript framework for building modern web UI.
Vue 3.5.38 Released
Vue 3.5.38 is now available. This is a release of the progressive JavaScript framework for building modern web UI.
@hulumi/baseline < 1.4.0: GuardDuty and Security Hub reuse bugs fixed
In @hulumi/baseline < 1.4.0, AccountFoundation's reuse mode for GuardDuty and Security Hub had two bugs: (1) GuardDuty reuse did n
@papra/webhooks SSRF Protection Bypass via Redirect Following
The webhook delivery HTTP client follows redirects without validating the redirect target against the blocklist, enabling authenti
vLLM: Revision pinning does not propagate to all artifact load paths
Revision pinning in vLLM does not consistently apply to all artifacts loaded for a model.
litestar AllowedHostsMiddleware trusts X-Forwarded-Host when Host header missing
AllowedHostsMiddleware trusts the X-Forwarded-Host header when the Host header is absent, allowing bypass of host validation.
PDM writes project-local files without symlink protection, allowing arbitrary file clobber
PDM writes project-local state/configuration files (pdm.
@hulumi/policies: AWS IAM trust policy multi-provider detection fix
AWS IAM trust policies listing multiple federated identity providers (e.
@hulumi/policies <1.4.0 URN Spoofing Vulnerability
A security vulnerability in @hulumi/policies <1.
@hulumi/policies <1.4.0: HULUMI-H5 exemption validation bypass
HULUMI-H5 policy in @hulumi/policies <1.
@hulumi/baseline: Audit log S3 bucket immutability bypass in AccountFoundation
AccountFoundation's S3 bucket for CloudTrail and AWS Config audit logs had three vulnerabilities: (1) Object Lock disabled on star
@hulumi/drift: classifier bugs mask attacks and fire false positives
Two bugs in @hulumi/drift classifier: (1) adapter failures were cached as 'all clear' (None/none) for 6 hours, masking real attack
litestar: CSRF cookie XSS via unsafe template pattern
Litestar instances using templates with CSRF protection are vulnerable to HTML injection leading to XSS because the CSRF cookie co
baileys: Message spoofing via placeholderResendMessage
A security vulnerability in baileys allows malicious payloads via placeholderResendMessage to spoof messages, corrupt app state sy
pdm: Path traversal in InstallDestination.write_to_fs() allows arbitrary file write
InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but
.NET 11 Preview 5 Released with New Features
.NET 11 Preview 5 is out, bringing updates to the runtime, SDK, libraries, ASP.NET Core, .NET MAUI, C#, Entity Framework Core, and
dotnet/runtime v8.0.28: WebSocket fix, JIT fix, CRL cache, QUIC update
Release v8.0.28 of dotnet/runtime includes multiple fixes and dependency updates: WebSocket Server now denies unmasked frame recei
dotnet/runtime v9.0.17: WebSocket fix, JIT bug fix, MsQuic update, CRL cache
Release v9.0.17 of dotnet/runtime includes multiple fixes and dependency updates: WebSocket server now denies unmasked frame recei
dotnet/runtime v10.0.9: Bug fixes, optimizations, and dependency updates
Release v10.0.9 includes fixes for docker compose, MetaDataGetDispenser linking in singlefilehost, IJW OverflowException with 17+
symfony/runtime: Incomplete CVE-2024-50340 fix allows argv injection via web SAPI
The original fix for CVE-2024-50340 gated argv reading on empty($_GET).
pheditor: OS Command Injection in Terminal Handler
An OS Command Injection vulnerability was discovered in pheditor's terminal handler.
laravel/framework v13.12.0 released
Version 13.12.0 of laravel/framework has been released on Packagist.
laravel/framework v12.61.0 released
Release of version 12.61.0 of the laravel/framework package on Packagist.
Vue 3.5.35 Patch Release
Patch version 3.5.35 of the progressive JavaScript framework Vue.js has been released.
guzzlehttp/guzzle 7.10.5 Released
Release of version 7.10.5 for guzzlehttp/guzzle.
symfony/http-foundation v8.1.0 released
Version v8.1.0 of symfony/http-foundation provides an object-oriented layer for the HTTP specification.
symfony/console v8.1.0: New Release with Improved CLI Creation
New release of symfony/console v8.