Is the internet on fire?

This page provides a bit of a log of when and why the internet was on fire. Note: a lot more stuff broke on any given day than listed here.

2024-02-15: xz malware injects backdoor into Linux OpenSSH via systemd
2024-02-15: Don't get KeyTrap'd!

DoS a DNSSEC validating resolver with a single query:
2024-02-11: Only if you use Ivanti...

Even CISA says not to use Ivanti Connect (In)Secure and Ivanti Policy (In)Secure Gateways:
2022-11-02: Not as much as we feared.

Initially ranked as CRITICAL, then downgraded to HIGH:
2022-07-06: Java string interpolation -> RCE. Again.

Apache Commons Configuration 2.4 - 2.7 allows string interpolation including lookups such as "${script:expression}", "${dns:record}", and "${url:url}" as well as, of course, "${sys:property}" and "${env:var}".

Oh, also, there's an RCE in OpenSSL:

2022-03-07: Dirty Pipes considered harmful: Local privilege escalation by overwriting any file, regardless of permissions, file attributes, or even read-only mounts.

Trivial privilege escalation vulnerability via polkit/pkexec:
2022-01-25: pwnkit make me a sandwich: Trivial privilege escalation vulnerability via polkit/pkexec:
2022-01-12: Patch Tuesday Doozy
2021-12-10: log4j aka log4shell aka ${jndi:ldap://YES/🔥}
2022-09-14: Pegasus don't click!
2021-07-05: REvil: Ransomware As A Service
2021-06-09: ALPACA: Application Layer Protocol Confusion
2020-12-14: SUNBURST, when CoyzBear brings the SolarWinds of Change to Orion.
2020-02-07: CDPwn Layer 2 RCEs
2019-12-11: PlunderVolt
2019-11-13: TPM-FAIL
2019-06-06: The Return of the WIZard
2019-05-14: What is dead may never die.
2018-08-14: Speculatively, yes.
2018-05-14: EFAIL
2018-03-20: You get a branded vuln, you get a branded vuln, everybody gets a branded vuln! (And they're all uppercase, too!)
2018-01-03: KPTI ain't nuttin' to FUCKWIT
2017-12-12: ROBOT strikes back
2017-11-28: Think differently: click to root
2017-10-16: KRACK Attack, Jack!
2017-09-27: PIEClash in your face!
2017-06-27: Petya makes you WannaCry. Again.
2017-06-19: Smash and grab.
It's that kind of world.
2017-05-12: WannaCry?
DOUBLEPULSAR. ETERNALBLUE. ERRDAY.
2017-05-09: Quis custodiet ipsos custodes?
Turns out it's @natashenka and @taviso.
2017-05-01: Snootchie Bootchies! (Silent Bob is silent.)
2017-04-27: Now Playing: Ghostscript in the Shell
2017-02-23: SHA1 shattered; Cloud flarse.
2016-10-21: Dat Dyn DNS DDoS, Dudettes!
2016-09-22: Only if you're Brian Krebs...
2016-07-18: Why Won't Anybody Think Of the Environment?
2016-05-05: Make ImageMagick Great Again
2016-05-03: Pfft, not even a logo.
2016-04-29: Possibly.
2016-03-01: Yep.
2016-02-27: Probably.
2016-02-16: Got addr info?
Good thing so few systems use getaddrinfo(3).
2016-01-14: Only if you're roaming
2015-12-18: Nope. Nothing to see here.
2015-12-08: 'tis the season.
Your early December triple crown:
2015-11-14: Only cat pics.
2015-10-29: Smoking clouds.
2015-10-14: Probably.
2015-09-02: /etc/hosts FTW
2015-07-28: /etc/hosts FTW
2015-06-09: No more than usual.
2015-06-06: Probably.
2015-05-20: Logjammed!
2015-05-13: Virtually poisoned.
2015-04-30: Round up the usual suspects.
2015-04-30: BACKRONYM!!1!
2015-04-21: WordPress, amirite?
2015-04-14: patch tuesday sparks.
2015-04-08: Not more than usual.
2015-03-26: Mazel Tov.
2015-03-19: Minor flames.
2015-03-10: Rowhammer goes SMASH.
2015-03-03: Getting FREAKy.
2015-02-27: Only the cloud.
2015-02-25: Welp, yeah. Ish.
2015-02-19: Yup.
2015-02-02: Does a bear shit in the woods?
2015-01-27: Boo!
2015-01-22: Yo.
2015-01-08: Same.
OpenSSL Security Advisory
2015-01-07: Flaring up.
2014-12-17: Errday.
2014-11-21: Errday.
2014-11-11: Yes.
2014-10-30: Not more than usual.
2014-10-29: Still burning.
2014-10-15: Yes. Again.
2014-10-13: not more than usual
2014-10-02: still burning
2014-09-30: still burning
2014-09-24: yep
2014-06-05: a bit more than usual
2014-04-07: yep
Made by @jschauma. See other Signs of Triviality.