
CERT is releasing six CVEs for serious security vulnerabilities in dnsmasq

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
88•chizhik-pyzhik•1h ago

Comments

romaniitedomum•57m ago
To quote a famous (in certain circles) bowl of petunias, "oh no, not again!"
antod•54m ago
Are you saying this is Arthur Dent's fault? (again)
882542F3884314B•54m ago
https://xchglabs.com/blog/dnsmasq-five-cves.html
washingupliquid•53m ago
It's a good thing this software isn't used in millions of devices which almost never receive updates.
amiga386•47m ago
It's more of a good thing that, in most cases, it's on devices that won't send it any packets unless a client first authenticates to a Wi-Fi station or physically plugs into an Ethernet port.
dist-epoch•44m ago
How bad is it if someone infects my home router using such a thing? They can MITM non-encrypted requests, but there are not a lot of those, right?

What else can they do, assuming the computers behind the router are all patched up.

zrm•7m ago
They can block traffic to update servers so the computers behind the router aren't all patched up, then exploit them. They also get access to all the IoT devices on the internal network. They can also use your router as a proxy so their scraping/attack traffic comes from your IP address instead of theirs.

It's definitely bad.
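One concrete way to notice the update-blocking scenario zrm describes is to ask the router's resolver and an independent public resolver the same question and compare the answers. The script below is an added example, not code from the thread or from dnsmasq: it builds and parses RFC 1035 DNS messages with the standard library only, classifies the pair of answers, and runs offline against constructed replies. The hostname `updates.example.com`, the router address `192.168.1.1` and the public resolver `9.9.9.9` are assumptions; `192.0.2.x` is the documentation address range, not a real server.

```python
"""Detect a LAN resolver (e.g. a router's dnsmasq) that sinkholes or rewrites
an update-server name, by comparing it with an independent resolver.
Added example with hypothetical names; not part of the original thread."""
import secrets
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid=None):
    """Return (txid, query bytes) for an A lookup with recursion desired."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Return {'rcode': int, 'addrs': sorted A records} from a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "addrs": sorted(addrs)}


def build_response(txid: int, name: str, rcode: int, addrs: list) -> bytes:
    """Constructed reply (QR=1, RD=1, RA=1) used for the offline demo only."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for a in addrs:  # owner name is a pointer (0xC00C) back to the question
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        msg += socket.inet_aton(a)
    return msg


def classify(lan: dict, public: dict) -> str:
    if lan["rcode"] == 3 and public["rcode"] == 0:
        return "sinkholed"        # LAN resolver denies a name the public one resolves
    if lan["rcode"] != public["rcode"]:
        return "rcode-mismatch"
    if lan["addrs"] != public["addrs"]:
        return "rewritten"        # same name, different address set
    return "consistent"


def resolve(server: str, name: str, timeout: float = 2.0) -> dict:
    """Live UDP lookup against one resolver (needs network)."""
    txid, q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


def demo() -> str:
    """Offline run: the router answers NXDOMAIN for the hypothetical update
    host while the public resolver answers normally."""
    txid = 0x1234
    lan = parse_response(build_response(txid, "updates.example.com", 3, []), txid)
    public = parse_response(
        build_response(txid, "updates.example.com", 0, ["192.0.2.10"]), txid)
    return classify(lan, public)


if __name__ == "__main__":
    print(demo())
    # Live comparison (assumed addresses):
    # print(classify(resolve("192.168.1.1", "updates.example.com"),
    #                resolve("9.9.9.9", "updates.example.com")))
```

Treat "rewritten" as a hint rather than proof: CDN-hosted update servers legitimately return different address sets to different resolvers, so a mismatch there needs a second look, whereas an NXDOMAIN from the router for a name the public resolver answers is the pattern zrm describes. The transaction-id check in `parse_response` only guards against stale or trivially spoofed replies; a router that owns the resolver path does not need to spoof anything.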

washingupliquid•37m ago
Maybe this is the kick in the ass Debian needs to upgrade the embarrassingly ancient dnsmasq in "stable" because while I can't think of any new features, the latest versions contain many non-CVE bug fixes.

But I doubt it, they will lazily backport these patches to create some frankenstein one-off version and be done with it.

Before anyone says "tHaT's wHaT sTaBlE iS fOr": they have literally shipped straight-up broken packages before, because fixing it would somehow make it not "stable". They would rather ship useless, broken code than something too new. It's crazy.

zrm•20m ago
They're not going to put a newer version in stable. The way stable gets newer versions of things is that you get the newer version into testing and then every two years testing becomes stable and stable becomes oldstable, at which point the newer version from testing becomes the version in stable.

The thing to complain about is if the version in testing is ancient.

wolttam•6m ago
Looks like the version in stable is 2.91, which was released within a couple months of trixie. It's not 'ancient' by any stretch.

FWIW the fixes referenced here are already fixed in trixie: https://security-tracker.debian.org/tracker/source-package/d...

afarviral•17m ago
What if the new release which contains the fixes has new dependencies and those also have new dependencies? I assume they have to Frankenstein packages sometimes to maintain the borders of the target app while still having major vulns patched right in stable.
wolttam•5m ago
I dunno, 2.92 seems to bring in some new features and changes that would not typically be brought into a stable release: https://thekelleys.org.uk/dnsmasq/CHANGELOG
xydac•32m ago
Some of these would have made it into embedded hardware, making updates more challenging if, say, you were to flash an update.
ck2•29m ago
If machine learning can find all these holes,

why can't machine learning write a product from scratch that is flawless?

yjftsjthsd-h•25m ago
Who said it can't? https://news.ycombinator.com/item?id=47759709 appears to be a nearly flawless (per spec) zip implementation.
_flux•14m ago
Just because something is good at finding bugs, it may not find all the bugs. Finding a bug only tells you there was one bug you found, it doesn't tell if the rest is solid.
hnlmorg•11m ago
It’s easier to break something than it is to make something that cannot be broken.
strenholme•5m ago
Shameless plug time:

My own MaraDNS has been extensively audited now that we’re in the age of AI-assisted security audits.

Not one single serious security bug has been found since 2023. [1]

The only bugs auditors have been finding are things like “Deadwood, when fully recursive, will take longer than usual to release resources when getting this unusual packet” [2] or “This side utility which has been included with MaraDNS, which hasn’t been able to be compiled since 2022, has a buffer overflow, but only if one’s $HOME is over 50 characters in length” [3]

I’m actually really pleased with just how secure MaraDNS is now that it’s getting real in-depth security audits.

[1] https://samboy.github.io/MaraDNS/webpage/security.html

[2] https://github.com/samboy/MaraDNS/discussions/136

[3] https://github.com/samboy/MaraDNS/pull/137
