-
SELinux [is decidedly broken](https://github.com/ostreedev/ostree-rs-ext/issues/510) in OCI images booted with bootc or rpm-ostree.
For now I'm going to just disable it entirely, since keeping it h…
-
`map_remove` doesn't validate that `entry` (still) is a valid entry in the map.
Removing an entry twice can lead to an underflow of `key_cnt` and passing an invalid entry can lead to an OOB write.
…
-
We have a number of packages that implement parsers where a panic might lead to a Denial of Service, but returning an invalid input error instead would be perfectly harmless. We should wrap them all i…
-
Motivation / Use Case:
I'm always frustrated when I create a new character class in a tabletop RPG, and I'm not allowed to choose unarmored defense as an option. Unarmored defense is a popular featur…
-
Obviously this could be solved at the firewall level too, but you know, defense in depth and all that.
-
Add a proxy in front, e.g., HAProxy with ModSecurity.
This will increase security from a defense in depth perspective.
-
I've noticed some potential issues with the Double-Submit Cookie approach for CSRF protection, implemented by [CookieCSRFStoragePolicy](https://github.com/Pylons/pyramid/blob/ef0f6861e5b439afe43983f6c…
-
We need a testcase for MSTG‑RESILIENCE‑13: As a defense in depth, next to having solid hardening of the communicating parties, application level payload encryption can be applied to further impede eav…
-
This seems like the right behavior, but the backends for dynamic languages like Python and JavaScript get a last-ditch protection against potential soundness bugs by at least checking that the emitted…
-
With the OIDC client credential and device authorization flow, we can obtain an access code from Keycloak, but this is not enough to immediately authenticate into Coldfront. This issue prevents the bu…