unSafe.sh - Unsafe
A maintainer’s guide to vulnerability disclosure: GitHub tools to make it simple
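The article describes how to use GitHub's tools (such as Private Vulnerability Reporting and draft security advisories) to handle vulnerability reports for open source projects efficiently, and stresses the importance of coordinated vulnerability disclosure (CVD)....
2025-3-24 16:0:9 | Reads: 2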
0day Fans - github.blog
security
pvr
github
maintainers
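Impersonate anyone: exploiting parser differentials to bypass SAML SSO authentication
Researchers found two critical authentication bypass vulnerabilities (CVE-2025-25291 and CVE-2025-25292) in the ruby-saml library, affecting versions 1.17.0 and below. An attacker can use a single valid signature to construct SAML assertions and log in as any user. The vulnerabilities stem from differences between the two XML parsers the library uses (REXML and Nokogiri). The recommendation is to upgrade to version 1.18.0 and to update projects that depend on the library....
2025-3-12 21:7:18 | Reads: 4
Xuanwu Lab Daily Security - github.blog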
rexml
nokogiri
assertion
signedinfo
Cybersecurity researchers: detectives of the digital world
Have you ever considered yourself a detective at heart? Cybersecurity researchers are digital det...
2025-1-29 17:0:31 | Reads: 4
Xuanwu Lab Daily Security - github.blog
security
github
weaknesses
Attacks on Maven proxy repositories
As someone who’s been breaking the security of Java applications for many years, I was always cur...
2025-1-22 18:0:13 | Reads: 8
0day Fans - github.blog
repository
artifact
nexus
artifacts
artifactory
How to secure your GitHub Actions workflows with CodeQL
In the last few months, we secured more than 75 GitHub Actions workflows in open source projects,...
2025-1-9 17:1:58 | Reads: 0
0day Fans - github.blog
workflows
github
repository
malicious