Yesterday's Grafana authentication bypass vulnerability (CVE-2022-39328) is really neat from the perspective of auditing Go code. Concurrent requests could accidentally share the same array slice of middleware handlers. Advisory at https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/ and actual patch diff at https://github.com/grafana/grafana/pull/58458/files
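The slice-aliasing pattern the post is pointing at, as an added Go example that is not Grafana's code and not HD Moore's: a router-level middleware list built with spare capacity, per-request handlers appended straight onto it, and the resulting cross-request contamination. All names (`Handler`, `newBaseChain`, `buildChainShared`, `buildChainCopied`, `requireUser`) are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Handler stands in for one middleware step; it returns a label so a chain's
// behaviour can be observed as a string.
type Handler func(req string) string

func logRequest(req string) string { return "log" }

// requireUser is a constructed per-request handler: the user it checks for is
// the thing that must never leak from one request into another.
func requireUser(name string) Handler {
	return func(req string) string { return "auth=" + name }
}

// newBaseChain builds the shared, router-level middleware list. Giving the slice
// spare capacity (cap 8, len 1) is the precondition for the aliasing bug:
// append has room to write into the existing backing array instead of growing.
func newBaseChain() []Handler {
	chain := make([]Handler, 0, 8)
	return append(chain, logRequest)
}

// buildChainShared is the buggy pattern: appending per-request handlers directly
// onto the shared base. Because base has spare capacity, every caller writes its
// handler into the same backing-array slot, and the last writer wins.
func buildChainShared(base []Handler, perRequest ...Handler) []Handler {
	return append(base, perRequest...)
}

// buildChainCopied is the fix: allocate a fresh slice sized for this request so
// the base is only ever read, never written through.
func buildChainCopied(base []Handler, perRequest ...Handler) []Handler {
	chain := make([]Handler, 0, len(base)+len(perRequest))
	chain = append(chain, base...)
	return append(chain, perRequest...)
}

// run executes a chain and joins each handler's label.
func run(chain []Handler, req string) string {
	out := make([]string, 0, len(chain))
	for _, h := range chain {
		out = append(out, h(req))
	}
	return strings.Join(out, ",")
}

// simulate models two requests whose chains are built from the same base before
// either chain runs, which is what overlapping requests on a server look like.
func simulate(build func([]Handler, ...Handler) []Handler) (string, string) {
	base := newBaseChain()
	chainA := build(base, requireUser("alice"))
	chainB := build(base, requireUser("bob"))
	return run(chainA, "reqA"), run(chainB, "reqB")
}

// sharesBackingArray is an audit helper: two non-empty slices alias the same
// memory when their first elements have the same address.
func sharesBackingArray(a, b []Handler) bool {
	if len(a) == 0 || len(b) == 0 {
		return false
	}
	return &a[0] == &b[0]
}

func main() {
	a, b := simulate(buildChainShared)
	fmt.Printf("shared: A=%q B=%q\n", a, b) // request A runs bob's check: the bug
	a, b = simulate(buildChainCopied)
	fmt.Printf("copied: A=%q B=%q\n", a, b)
}
```

The example is deterministic on purpose: the two builds happen sequentially, so the overwrite is visible without scheduling luck. In a real server the same two `append` calls race from separate goroutines, which is exactly the kind of unsynchronized write to one backing array that `go test -race` reports; when auditing, any `append(shared, ...)` on a slice that outlives the request is the line to look at, and the `sharesBackingArray` check is a cheap way to confirm aliasing in a unit test.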
Some scary reporting from @joesephmenn@twitter.com via The Post: One of the powerful root certificate authorities trusted by big web browsers to vouch for websites operates from a UPS Store address and has ties to a U.S. intelligence contractor selling interception gear: https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ #TrustCor #TLS
some (lol) 0-day for fun; we accidentally dropped some big bugs in https://www.runzero.com/blog/smb2-sessions/ .. 2 years - but apple is now patching it, so it's ok (and don't mind samba or windows)
Copyright 1998-2025 HD Moore