oss-security  

Messages by Thread

• [oss-security] syzkaller "Reporting Linux kernel bugs" out of date Solar Designer
• [oss-security] CVE-2026-40561: Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence Timothy Legge
• [oss-security] Re: uutils coreutils CVEs Collin Funk
• [oss-security] CVE-2026-42812: Apache Polaris: No protection on `write.metadata.path` Jean-Baptiste Onofré
• [oss-security] CVE-2026-42811: Apache Polaris: In plain terms, Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead. Jean-Baptiste Onofré
• [oss-security] CVE-2026-42810: Apache Polaris: Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and `s3:prefix` conditions. Jean-Baptiste Onofré
• [oss-security] CVE-2026-42809: Apache Polaris: An authenticated low-privileged user can abuse Polaris staged table creation to mint broad temporary storage credentials for an attacker-chosen location before Polaris validates that location Jean-Baptiste Onofré
• [oss-security] Ubuntu back up, In Saturday after DDoS attacks cyber security
• [oss-security] uutils coreutils CVEs Collin Funk
  • Re: [oss-security] uutils coreutils CVEs Jan Schaumann
• [oss-security] Security audit of rust-coreutils Alan Coopersmith
• [oss-security] CVE-2026-42440: Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader Richard Zowalla
• [oss-security] CVE-2026-42027: Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader Richard Zowalla
• [oss-security] CVE-2026-40682: Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor Richard Zowalla
• [oss-security] CVE-2026-42404: Apache Neethi: Unrestricted HTTP Redirect Following in Policy References Colm O hEigeartaigh
• [oss-security] CVE-2026-42403: Apache Neethi: Circular Policy Reference Infinite Loop Colm O hEigeartaigh
• [oss-security] CVE-2026-42402: Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS Colm O hEigeartaigh
• [oss-security] Prosody XMPP server security advisory 2026-04-31 (multiple vulnerabilities) Matthew Wild
• [oss-security] CVE-2026-42167: SQL injection in ProFTPd prior to 1.3.9a Valtteri Vuorikoski
  • Re: [oss-security] CVE-2026-42167: SQL injection in ProFTPd prior to 1.3.9a Alan Coopersmith
• [oss-security] Exim 4.99.2 fixes 4 CVEs Solar Designer
  • Re: [oss-security] Exim 4.99.2 fixes 4 CVEs Florian Weimer
• [oss-security] CVE-2026-5080: Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely Robert Rothenberg
• [oss-security] [CVE-2026-37555] libsndfile IMA-ADPCM integer overflow (incomplete fix for CVE-2022-33065) Feng Ning
• [oss-security] inetutils-2.8 released with 2 CVE fixes Alan Coopersmith
• [oss-security] gnutls 3.8.13 released with 12 CVE fixes and more Alan Coopersmith
• [oss-security] CVE-2026-7381: Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting Robert Rothenberg
• [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Jan Schaumann
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Eddie Chapman
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Sam James
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Salvatore Bonaccorso
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Greg KH
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation cyber security
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Greg KH
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Solar Designer
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Greg KH
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Alan Coopersmith
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Reid Sutherland
  • [oss-security] Re: [EXTERNAL] Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Shrader, David Lee
  • [oss-security] Re: CVE-2026-31431: CopyFail: linux local privilege scalation Justin Swartz
  • Re: [oss-security] Re: CVE-2026-31431: CopyFail: linux local privilege scalation cyber security
  • Re: [oss-security] Re: CVE-2026-31431: CopyFail: linux local privilege scalation Reid Sutherland
  • [oss-security] Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation Justin Swartz
  • Re: [oss-security] Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers
  • Re: [oss-security] Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation Alexander Bochmann
  • Re: [oss-security] Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation Collin Funk
  • Re: [oss-security] Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation Malik, Vaibhav
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Reid Sutherland
  • Re: [oss-security] Re: CVE-2026-31431: CopyFail: linux local privilege scalation Brian May
  • [oss-security] Re: CVE-2026-31431: CopyFail: linux local privilege scalation nightmare . yeah27
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Sam James
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Greg Dahlman
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Greg Dahlman
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Simon McVittie
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Richard Kettlewell
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Sam James
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Zube
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Solar Designer
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Roman Medina-Heigl Hernandez
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Aaron Rainbolt
  • Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Alan Coopersmith
• [oss-security] Xen Security Advisory 489 v2 (CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486) - Multiple RBAC issues in XAPI Xen . org security team
• [oss-security] CVE-2026-7111: Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption Stig Palmquist
• [oss-security] [ADVISORY] curl: CVE-2026-7168: cross-proxy Digest auth state leak Daniel Stenberg
• [oss-security] [ADVISORY] curl: CVE-2026-6276: stale custom cookie host causes cookie leak Daniel Stenberg
• [oss-security] [ADVISORY] curl: CVE-2026-7009: OCSP stapling bypass with Apple SecTrust Daniel Stenberg
• [oss-security] [ADVISORY] curl: CVE-2026-6253: proxy credentials leak over redirect-to proxy Daniel Stenberg
• [oss-security] [ADVISORY] curl: CVE-2026-6429: netrc credential leak with reused proxy connection Daniel Stenberg
• [oss-security] [ADVISORY] curl: CVE-2026-5773: wrong reuse of SMB connection Daniel Stenberg
• [oss-security] [ADVISORY] curl: CVE-2026-5545: wrong reuse of HTTP Negotiate connection Daniel Stenberg
• [oss-security] [ADVISORY] curl: CVE-2026-4873: connection reuse ignores TLS requirement Daniel Stenberg
• [oss-security] CVE-2026-40560: Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence Timothy Legge
• Re: [oss-security] [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Alan Coopersmith
  • Re: [oss-security] [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Ellenor Bjornsdottir
  • Re: [oss-security] [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Jacob Bachmeyer
• [oss-security] Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Dmitry Butskoy
  • [oss-security] Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Dmitry Butskoy
  • Re: [oss-security] [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Solar Designer
• [oss-security] Xen Security Advisory 489 v1 (CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486) - Multiple RBAC issues in XAPI Xen . org security team
• [oss-security] CVE-2026-41873: Pony Mail: Admin account takeover via request smuggling Arnout Engelen
• [oss-security] The GNU C Library security advisories update for 2026-04-28 Carlos O'Donell
• [oss-security] Coordinated Disclosure in the LLM Age Jeremy Stanley
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Greg Dahlman
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Jacob Bachmeyer
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Peter Gutmann
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Willy Tarreau
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Renaud Allard
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Clemens Lang
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Greg KH
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Lucas Holt
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Jeremy Stanley
  • Re: [oss-security] Coordinated Disclosure in the LLM Age Brian May
• [oss-security] Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver Xen . org security team
• [oss-security] Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table v2 race in status page mapping Xen . org security team
• [oss-security] Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file Xen . org security team
• [oss-security] Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command Xen . org security team
• [oss-security] Xen Security Advisory 483 v2 (CVE-2026-23556) - oxenstored keeps quota related use counts across domain destruction Xen . org security team
• [oss-security][CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs Alan Coopersmith
• [oss-security] CVE-2026-41602: Apache Thrift: Go TFramedTransport uint32 overflow Jens Geyer
• [oss-security] CVE-2025-48431: Apache Thrift glibc language bindings: Specially crafted input can crash a c_glib Thrift server with invalid pointer error. Jens Geyer
• [oss-security] CVE-2026-41603: Apache Thrift: Java TSSLTransportFactory hostname verification Jens Geyer
• [oss-security] CVE-2026-41604: Apache Thrift: Swift Range crash in skip() Jens Geyer
• [oss-security] CVE-2026-41605: Apache Thrift: Swift Compact Protocol integer overflow Jens Geyer
• [oss-security] CVE-2026-41606: Apache Thrift: c_glib dispatch stack overflow Jens Geyer
• [oss-security] CVE-2026-41607: Apache Thrift: C++ JSON OOB read Jens Geyer
• [oss-security] CVE-2026-41636: Apache Thrift: Node.js skip() recursion Jens Geyer
• [oss-security] CVE-2026-40355, CVE-2026-40356: MIT krb5 1.18+ Unauthenticated Network read overrun and null pointer dereference Cem Onat Karagun
• [oss-security][CVE-2026-6357] pip self-update functionality can import newly installed modules after wheel installation Alan Coopersmith
• [oss-security] [OSSA-2026-008] Ironic: Command Injection in IPMI Console Implementations (CVE pending) Jay Faulkner
  • [oss-security] OSSA-2026-008: OpenStack Ironic: Command Injection in Ironic IPMI Console Implementations (CVE-2026-42510) - errata 1 Goutham Pacha Ravi
• [oss-security] CVE-2026-41409: Apache MINA: CWE-502 Deserialization of Untrusted Data Emmanuel Lécharny
• [oss-security] CVE-2026-7040: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have heap overflow when processing some malformed UTF-8 characters Robert Rothenberg
• [oss-security] ZDRES-059: CVE-2026-41635: Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE Emmanuel Lécharny
• [oss-security] uriparser 1.0.1 fixes CVE-2026-42371 (integer overflow) Sebastian Pipping
• [oss-security] plasma-login-manager: Weaknesses in plasmaloginauthhelper (CVE-2026-25710) Matthias Gerstner
• [oss-security] CVE-2026-40860: Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp Andrea Cosentino
• [oss-security] CVE-2026-40858: Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository Andrea Cosentino
• [oss-security] CVE-2026-40473: Apache Camel: Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP Andrea Cosentino
• [oss-security] CVE-2026-40453: Apache Camel: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection Andrea Cosentino
• [oss-security] CVE-2026-40048: Apache Camel: Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager Andrea Cosentino
• [oss-security] CVE-2026-40022: Apache Camel: Camel-Platform-HTTP-Main: Authentication Bypass on Non-Root Context Paths in camel main runtime Andrea Cosentino
• [oss-security] CVE-2026-33454: Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant) Andrea Cosentino
• [oss-security] CVE-2026-33453: Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution Andrea Cosentino
• [oss-security] CVE-2026-27172: Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store Andrea Cosentino
• [oss-security] libexpat 2.8.0 fixes CVE-2026-41080 (insufficient entropy) Sebastian Pipping
• [oss-security] CVE-2026-41081: Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure Richard Zowalla
• [oss-security] CVE-2026-40557: Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections Richard Zowalla
• [oss-security] bubblewrap CVE-2026-41163: Privilege escalation if setuid root, via ptrace Simon McVittie
• [oss-security] rust-openssl-v0.10.78 fixes 5 CVEs Alan Coopersmith
• [oss-security] CVE-2026-40690: Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users Rahul Vats
• [oss-security] CVE-2026-38743: Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities Rahul Vats
• [oss-security] CVE-2025-62233: Apache DolphinScheduler: Deserialization of untrusted data in RPC Wenjun Ruan
• [oss-security] CVE-2026-23902: Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution. Wenjun Ruan
• [oss-security] CVE-2026-41044: Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia Christopher L. Shannon
• [oss-security] CVE-2026-41043: Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues Christopher L. Shannon
• [oss-security] CVE-2026-40466: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI Christopher L. Shannon
• [oss-security] PowerDNS Authoritative Server 4.9.14 and 5.0.4 released Miod Vallat
• [oss-security] CVE-2026-41564: CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking Stig Palmquist
• [oss-security] PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple issues Otto Moerbeek
• [oss-security] [vim-security] OS Command Injection in netrw affects Vim < 9.2.0383 Christian Brabandt
• [oss-security] CVE-2026-41651: TOCTOU vulnerability in PackageKit <= 1.3.4 leads to local root exploit Matthias Klumpp
• [oss-security] [SECURITY] CVE-2026-40542: Apache HttpClient 5.6 SCRAM-SHA-256 mutual authentication bypass Arturo Bernal
• [oss-security] CVE-2025-15638: Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt Robert Rothenberg
• [oss-security] CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow Robert Rothenberg
  • Re: [oss-security] CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow Sam James
  • Re: [oss-security] CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow Sam James
  • Re: [oss-security] CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow Steffen Nurpmeso
• [oss-security] CVE-2026-40706: ntfs-3g 2022.10.3: Heap buffer overflow Rostislav
• [oss-security] Fwd: X.Org Security Advisory: CVE-2026-4367: libXpm Out-of-bounds read in xpmNextWord() Olivier Fourdan
• [oss-security] Libgcrypt security releases 1.12.2, 1.11.3, 1.10.x Valtteri Vuorikoski
• [oss-security] The GNU C Library security advisories update for 2026-04-20 Carlos O'Donell
• [oss-security] Fwd: [CVE-2026-3219] pip doesn't reject concatenated ZIP and tar archives Alan Coopersmith
• [oss-security] [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing Ales Musil
  • [oss-security] Re: [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing Ales Musil
• [oss-security] [ADVISORY] CVE-2026-5265: Heap Over-Read in ICMP Error Response Generation Ales Musil
  • [oss-security] Re: [ADVISORY] CVE-2026-5265: Heap Over-Read in ICMP Error Response Generation Ales Musil
• [oss-security] [CVE REQUEST] terminal-controller-mcp: trivially bypassable command blocklist enables unrestricted RCE (CVSS 10.0) Pico 🧬
  • Re: [oss-security] [CVE REQUEST] terminal-controller-mcp: trivially bypassable command blocklist enables unrestricted RCE (CVSS 10.0) Alan Coopersmith
• [oss-security] CVE-2026-41113: RCE in sagredo fork of qmail Alan Coopersmith
• [oss-security] lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE Abhinav Agarwal
  • [oss-security] Re: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE Abhinav Agarwal
  • [oss-security] Re: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE Abhinav Agarwal
  • Re: [oss-security] lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE Sam James
• [oss-security] CVE-2026-40948: Apache Airflow Keycloak Provider: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager Jarek Potiuk
• [oss-security] Xen Security Advisory 488 v1 - x86: Floating Point Divider State Sampling Xen . org security team
• [oss-security] ngtcp2: qlog_parameters_set_transport_params_stack_overflow [CVE-2026-40170] Alan Coopersmith
• [oss-security] cups: 8 various moderate vulnerabilities Zdenek Dohnal
• [oss-security] CVE-2026-25917: Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) Rahul Vats
• [oss-security] CVE-2026-32228: Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to Rahul Vats
• [oss-security] CVE-2026-30898: Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf Rahul Vats
• [oss-security] CVE-2026-32690: Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 Rahul Vats
• [oss-security] CVE-2026-30912: Apache Airflow: Exposing stack trace in case of constraint error Rahul Vats
• [oss-security] CVE-2025-66335: Apache Doris MCP Server: MCP SQL inject Mingyu Chen
• [oss-security] CVE-2026-33558: Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output Luke Chen
• [oss-security] CVE-2026-33557: Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication Luke Chen
• [oss-security] CVE-2026-31987: Apache Airflow: JWT token appearing in logs Rahul Vats
• [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory yangjincheng1998
  • Re: [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory Alan Coopersmith
  • Re: [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory yangjincheng1998
  • Re: [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory Solar Designer
  • Re: [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory yangjincheng1998
• [oss-security] CVE-2025-27363: FontForge affected by FreeType heap-buffer-overflow; upstream maintainer declines under Community-guidelines #D1 yangjincheng1998
  • Re: [oss-security] CVE-2025-27363: FontForge affected by FreeType heap-buffer-overflow; upstream maintainer declines under Community-guidelines #D1 Sam James
• [oss-security] cosmic-greeter: Unsafe File System Operations in User Home Directories (CVE-2026-25704) Matthias Gerstner
• [oss-security] UAF in rsync 3.4.1 and below Przemyslaw Frasunek
  • Re: [oss-security] UAF in rsync 3.4.1 and below Alan Coopersmith
  • Re: [oss-security] UAF in rsync 3.4.1 and below Salvatore Bonaccorso
  • Re: [oss-security] UAF in rsync 3.4.1 and below Sam James
• [oss-security] 7 vulnerabilities disclosed & patched in jq Alan Coopersmith
  • Re: [oss-security] 7 vulnerabilities disclosed & patched in jq Collin Funk

• Earlier messages