Through the onboarding process, we realized there is an opportunity to release our developer environment setup as a guide for the community.

LunaSec Community

```serve:
  public:
    base_url: <http://localhost:4455/api/kratos/>

selfservice:
  methods:
    password:
      enabled: false
    oidc:
      enabled: true
      config:
        providers:
          - id: github-app
            provider: github-app
            client_id: xxxx
            client_secret: xxxx
            mapper_url: file:///config/oidc.github.jsonnet```

lunasec/lunatrace/bsl/ory/kratos/config.dev.yaml

They're YC too. <@U02C69VKPML> how similar is this to what we were discussing for notes recently? Do you think we could adapt this to what we want?
<https://github.com/dendronhq/dendron|https://github.com/dendronhq/dendron>

this is pretty cool to see, this looks identical to <https://github.com/foambubble/foam>. In terms of open source offerings, I personally think these are both eclipsed by <https://logseq.com/>

Oooh nice I hadn't seen either of those before. I'll go back through the notes we took and see how those compare.

I personally like <https://obsidian.md/> since the community is much stronger than any of the other options. They are all essentially the same in the end, you are trying to find a tool that lets you practice <https://zettelkasten.de/posts/overview/> most effectively. The most important part of this being reducing the friction as much as possible to take notes. This is why obsidian has stood out to me since compared to the rest, their API for extending the application is much more mature and they have many plugins <https://github.com/kmaasrud/awesome-obsidian> which can either immediately help you, or provide you enough examples to help you extend obsidian to suit your needs.

And the admin on the minecraft server I play on sometimes fixed this hours after the patch was released.

Does he use VMWare to host the MineCraft server?

i feel like this is just the tip of the iceberg

this stuff is just going to keep happening

I'm not an expert so I have no idea how widely exploitable this is. It seems to say that a file upload could trigger it. Is that because the "date modified" time stamp includes the time zone?

Regardless, if your gut feeling is that this is widely exploitable then it'd be worth taking a stab at writing a basic Ruby on Rails POC with file uploading and seeing if you can get this to trigger.

<@U02CRL6JD09> I can take a look at that ruby vuln later.  Maybe we can pair on that in an hour or so if you have time

Oh damn, there is a big call out to Log4Shell too. How it underpins the problem with Open Source -- that nobody wants to maintain it yet every Fortune 500 company is built on it.

i have spent a lot of time planning security team roadmaps and it blows my mind how little quality information is out there talking about this. OWASP SAMM is pretty amazing, but oh man it is so much to read through

hopefully this post speaks to some questions that people have about security at their company!

Off to DEFCON/BlackHat for me. Will anybody else be going to Vegas this week?

<@U0487EBMKJ4> Good afternoon from the US! I just saw your message, so I'm taking a look now.

In terms of breaking changes, I honestly wouldn't be able to tell you. The only think I can think of would be if you're using the `createInterpolator()` function then they did remove the `script` and `http` methods from that by default.

Otherwise, if you're not using that function, then in theory you don't really need to upgrade because there is no security vulnerability. I would guess that you should have compiler errors if anything did change APIs though from v1.6 -&gt; v1.10.

Apache projects in general seem to be pretty good about not breaking backwards compatibility.

<@U0487EBMKJ4> Please, could you give us a procedure on how to upgrade apache common text to 1.10.0?

Like Free Wortley said, I didn’t need to change anything on my project, just upgraded the package and everything worked just fine

How to check which version of apache-common-text is installed in my System?. any specific command to execute ?

That is difficult to answer abstractly. The tool from JFrog is most likely your best bet

I haven't investigated any methods to patch this directly yet. And I'm not sure about baking changes. Does your software have testing for it? Are you using the createInterpolator method?

I am. From security team and post discussion with developer we found that they are not be able to update there project. Current they are not using createinterpolator method but we want to block this    so we can rest assured. 

I saw v1. 10  disable url dns &amp; script. So wondering if this can be done on 1.8. while our app team works on update

I'd recommend setting up a Regex on the code to alert if somebody ever tries to call "createInterpolator" manually. Then you can be alerted. (If that's a level of control that you have)

In terms of disabling this otherwise, I have no idea. I haven't looked into this deeply because this vulnerability isn't really a problem in the real world.

Thanks <@U02CRL6JD09>. I thought the were tools om the network level.

Yes please, if you can share those tools for checking source code, it's gonna be helpful. Thanks

There are some resources you can use linked in our blog post on Text4Shell: <https://www.lunasec.io/docs/blog/text4shell-java-rce-cve-2022-42889/#additional-resources>

Specifically the JFrog tools are likely the best because they are doing some type of source code analysis to determine if the code usage is actually vulnerable or not.

Our tool, LunaTrace, does something similar but only for JavaScript currently. Java is it's own beast to tackle and we're not there yet (we're 4 people currently).

I don't know if anybody here follows the semiconductor space, but I found this article to be very interesting. <https://stratechery.com/2022/chips-and-china/>

Hi Guys, anyone has a tool or (powershell)script that can detect if the common text dll file has been installed on a (virtual) windows machine?

<@U047XAV8K4P> I think you are looking for a tool that can scan jar files? if you are looking for the text4shell vulnerability, there won't be a dll file that you can look for.

sorry I ment a jar file, had a long day yesterday. But yes looking for text4shell vuln.

<@U048UKEJ2MA> Hey good morning! Would you be able to provide some more details? Are you using Gradle or Maven?

<@U02CRL6JD09>  I'm working as remediation engineer . Since these comms text jar files ( versions &lt; 1.10 ) are vulnerable I need to upgrade the lower versions to 1.10 on user mac's remotely . How could I achieve this . Please suggest .

Right, yeah, I understand that. How are you currently building the JAR files?

<@U02CRL6JD09>  We are not building jar files . Users are doing it . Not sure from where they build it

You're going to have a tough time patching then. I'd look at the JFrog tools. Those are going to be your best bet if you don't have control over the build environment. (See the blog post on our website)

Thanks for your response . I'll check the tools

<@U047XAV8K4P> have you seen this tool? <https://github.com/jfrog/text4shell-tools>

<!channel> hey everyone! we have moved our community over to Discord: <https://discord.gg/kwpJVQgd>. We used to have two slack servers, one internal, and one external (this one), which we found did not lend itself well to building a community. We are only a few people, so it can be difficult to juggle multiple communities, so we have decided to centralize our efforts on Discord. We hope that you can make the journey from Slack over to Discord and look forward to seeing you there!