oss-security  

Messages by Thread

• • Re: [oss-security] CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Nick Tait
  • Re: [oss-security] CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Pete Allor
  • Re: [oss-security] CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Alan Coopersmith
• [oss-security] Re: Announce: OpenSSH 9.8 released (fwd) Damien Miller
• [oss-security] Announce: OpenSSH 9.8 released Damien Miller
  • Re: [oss-security] Announce: OpenSSH 9.8 released Dominique Martinet
  • Re: [oss-security] Announce: OpenSSH 9.8 released Christian Fischer
  • Re: [oss-security] Announce: OpenSSH 9.8 released Solar Designer
• [oss-security] Linux non-security almost non-issue: stack-out-of-bounds Read in profile_pc Solar Designer
• [oss-security] Kerberos 1.21.3 fixes vulnerabilities in GSS message token handling Alan Coopersmith
• [oss-security] Fwd: [Security-announce][CVE-2024-5642] Buffer over-read in SSLContext.set_npn_protocols() for Python 3.9 and earlier Alan Coopersmith
• [oss-security] Ghostscript 10.03.1 (2024-05-02) fixed 5 CVEs including CVE-2024-33871 arbitrary code execution Solar Designer
  • [oss-security] Re: Ghostscript 10.03.1 (2024-05-02) fixed 5 CVEs including CVE-2024-33871 arbitrary code execution Thomas Rinsma
• [oss-security] Indirector: High-Precision Branch Target Injection Attacks Exploiting the Indirect Branch Predictor Alan Coopersmith
• [oss-security] CVE-2024-5535: OpenSSL: SSL_select_next_proto buffer overread Solar Designer
• [oss-security] Fwd: [siren] Reputation Farming Using Closed Github Issues / PRs Alan Coopersmith
  • Re: [oss-security] Fwd: [siren] Reputation Farming Using Closed Github Issues / PRs Solar Designer
• [oss-security] Fwd: Node.js security updates for all active release lines, July 2024 Rafael Gonzaga
  • Re: [oss-security] Fwd: Node.js security updates for all active release lines, July 2024 Solar Designer
  • Re: [oss-security] Fwd: Node.js security updates for all active release lines, July 2024 Solar Designer
  • Re: [oss-security] Fwd: Node.js security updates for all active release lines, July 2024 Yogesh Mittal
• Re: [oss-security] Out-of-bounds read & write in the glibc's qsort() Douglas Bagnall
  • Re: [oss-security] Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory
  • [oss-security] Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov
  • Re: [oss-security] Re: Out-of-bounds read & write in the glibc's qsort() Jan Engelhardt
  • Re: [oss-security] Re: Out-of-bounds read & write in the glibc's qsort() Florian Weimer
  • Re: [oss-security] Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov
  • Re: [oss-security] Re: Out-of-bounds read & write in the glibc's qsort() Florian Weimer
  • Re: [oss-security] Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov
• [oss-security] CVE-2024-27136: Apache JSPWiki: Cross-site scripting vulnerability on upload page Juan Pablo Santos Rodríguez
• [oss-security] Arbitrary shell command evaluation in Org mode (GNU Emacs) Ihor Radchenko
  • Re: [oss-security] Arbitrary shell command evaluation in Org mode (GNU Emacs) Russ Allbery
  • Re: [oss-security] Arbitrary shell command evaluation in Org mode (GNU Emacs) Florian Weimer
  • Re: [oss-security] Arbitrary shell command evaluation in Org mode (GNU Emacs) Russ Allbery
• [oss-security] CVE-2024-29868: Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation Dominik Riemer
• [oss-security] CVE-2024-38379: Apache Allura: Stored authenticated XSS David Philip Brondsema
• [oss-security] CVE-2024-34693: Apache Superset: Server arbitrary file read Daniel Gaspar
• [oss-security] Fwd: [Security-announce][CVE-2024-4032] Incorrect IPv4 and IPv6 private ranges Alan Coopersmith
• [oss-security] Fwd: [Security-announce][CVE-2024-0397] Memory race condition in ssl.SSLContext certificate store methods Alan Coopersmith
• [oss-security] iTerm2 3.5.x title reporting bug David Leadbeater
  • [oss-security] Re: iTerm2 3.5.x title reporting bug David Leadbeater
• [oss-security] CVE-2024-25142: Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache Jarek Potiuk
• [oss-security] CVE-2024-36265: Apache Submarine Server Core: authorization bypass Arnout Engelen
• [oss-security] CVE-2024-36264: Apache Submarine Commons Utils: default secret Arnout Engelen
• [oss-security] CVE-2024-36263: Apache Submarine Server Core: SQL injection Arnout Engelen
• [oss-security] CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Zdenek Dohnal
  • [oss-security] Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Tavis Ormandy
  • Re: [oss-security] Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Matthew Fernandez
  • Re: [oss-security] CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Solar Designer
• [oss-security] CVE-2024-36471: Apache Allura: sensitive information exposure via DNS rebinding David Philip Brondsema
• [oss-security] vte 0.76.3 released with fix for CVE-2024-37535 Alan Coopersmith
  • Re: [oss-security] vte 0.76.3 released with fix for CVE-2024-37535 Solar Designer
• [oss-security] PHP security releases 8.3.8, 8.2.20, and 8.1.29 Alan Coopersmith
• [oss-security] [SBA-ADV-20240202-02] CVE-2024-5658: CraftCMS Plugin - Two-Factor Authentication through 3.3.3 - TOTP Token Stays Valid After Use SBA Research Security Advisory
• [oss-security] [SBA-ADV-20240202-01] CVE-2024-5657: CraftCMS Plugin - Two-Factor Authentication 3.3.1 to 3.3.3 - Password Hash Disclosure SBA Research Security Advisory
• [oss-security] libarchive 3.7.4 released with 2 security fixes Alan Coopersmith
  • [oss-security] Re: libarchive 3.7.4 released with 2 security fixes Tavis Ormandy
• [oss-security] Go 1.22.4 and Go 1.21.11 released with 2 security fixes (CVE-2024-24789, CVE-2024-24790) Alan Coopersmith
• [oss-security] CVE-2024-36104: Apache OFBiz: Path traversal leading to a RCE Jacques Le Roux
• [oss-security] Security vulnerability in fprintd Yaron Shahrabani
  • Re: [oss-security] Security vulnerability in fprintd Marco Trevisan
  • Re: [oss-security] Security vulnerability in fprintd Mark Esler
  • Re: [oss-security] Security vulnerability in fprintd Yaron Shahrabani
  • Re: [oss-security] Security vulnerability in fprintd Benjamin Cance
  • Re: [oss-security] Security vulnerability in fprintd Mark Esler
• [oss-security] List linux CVEs for a given stable release? Dominique Martinet
  • Re: [oss-security] List linux CVEs for a given stable release? Greg Kroah-Hartman
  • Re: [oss-security] List linux CVEs for a given stable release? Dominique Martinet
  • Re: [oss-security] List linux CVEs for a given stable release? Greg Kroah-Hartman
  • Re: [oss-security] List linux CVEs for a given stable release? Greg Kroah-Hartman
• [oss-security] path traversal in tar extract in intel cve-bin-tool houjingyi
  • Re: [oss-security] path traversal in tar extract in intel cve-bin-tool Jakub Wilk
  • Re: [oss-security] path traversal in tar extract in intel cve-bin-tool lists
• [oss-security] gnome-remote-desktop: D-Bus system service in GNOME release 46 local information leaks (CVE-2024-5148) Matthias Gerstner
• [oss-security] Intel CPU Hardware Features and Behaviors Related to Speculative Execution Alan Coopersmith
• [oss-security] asterisk security releases 18.23.1, 20.8.1, & 21.3.1 Alan Coopersmith
• [oss-security] WebKitGTK and WPE WebKit Security Advisory WSA-2024-0003 Adrian Perez de Castro
• [oss-security] Article: State of Sandboxing in Linux Ali Polatel
  • Re: [oss-security] Article: State of Sandboxing in Linux Solar Designer
  • Re: [oss-security] Article: State of Sandboxing in Linux Evan Carroll
  • Re: [oss-security] Article: State of Sandboxing in Linux Eli Schwartz
  • Re: [oss-security] Article: State of Sandboxing in Linux Evan Carroll
  • Re: [oss-security] Article: State of Sandboxing in Linux Ali Polatel
  • Re: [oss-security] Article: State of Sandboxing in Linux Ali Polatel
  • Re: [oss-security] Article: State of Sandboxing in Linux Mickaël Salaün
  • Re: [oss-security] Article: State of Sandboxing in Linux Ali Polatel
• [oss-security] CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package Andrea Intilangelo
• [oss-security] OpenSSL Security Advisory [corrected CVE id] Tomas Mraz
• [oss-security] OpenSSL Security Advisory Tomas Mraz
  • [oss-security] OpenSSL Security Advisory Matt Caswell
• [oss-security] CVE-2024-21823: Intel DSA and Intel IAA advisory Alan Coopersmith
• [oss-security] git: 5 vulnerabilities fixed Johannes Schindelin
• [oss-security] CVE-2024-32077: Apache Airflow: XSS vulnerability in Task Instance Log/Log Details Ephraim Anierobi
• [oss-security] PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist Remi Gacogne
• [oss-security] Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Corey Lopez
  • Re: [oss-security] Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Solar Designer
  • Re: [oss-security] Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer
  • [oss-security] Re: lsof "can't stat() fuse.${name} filesystem /run/user/1000/${dir}" Simon McVittie
  • Re: [oss-security] Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer
• [oss-security] [vim-security] buffer-overlow in xxd with colored output < v9.1.0404 Christian Brabandt
• [oss-security] CVE-2024-34365: Apache Karaf Cave: Cave SSRF and arbitrary file access Arnout Engelen
• [oss-security] [kubernetes] CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs Rita Zhang
• [oss-security] CVE-2024-26579: Apache Inlong JDBC Vulnerability Charles Zhang
• [oss-security] CVE-2024-32113: Apache OFBiz: Path traversal leading to RCE Jacques Le Roux
• [oss-security] Xen Security Advisory 457 v3 (CVE-2024-27393) - Linux/xen-netfront: Memory leak due to missing cleanup function Xen . org security team
• [oss-security] [security] Go 1.22.3 and Go 1.21.10 are released Alan Coopersmith
• [oss-security] Xen Security Advisory 457 v2 - Linux/xen-netfront: Memory leak due to missing cleanup function Xen . org security team
• [oss-security] Xen Security Advisory 457 v1 - Linux/xen-netback: Memory leak due to missing cleanup function Xen . org security team
• [oss-security] Xen Security Advisory 456 v3 (CVE-2024-2201) - x86: Native Branch History Injection Xen . org security team
• [oss-security] CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function HexRabbit Chen
  • Re: [oss-security] CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function Salvatore Bonaccorso
• [oss-security] GLib (2.26.0+): GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing Philip Withnall
• [oss-security] HNS-2024-07 - HN Security Advisory - Multiple vulnerabilities in RIOT OS Marco Ivaldi
• [oss-security] CVE-2024-28148: Apache Superset: Incorrect datasource authorization on explore REST API Daniel Gaspar
• [oss-security] CVE-2023-49606, CVE-2023-40533: memory safety vulnerabilities in tinyproxy <=1.11.1 Valtteri Vuorikoski
• [oss-security] The GNU C Library security advisories update for 2024-05-06 Carlos O'Donell
• [oss-security] Fwd: uriparser 0.9.8 released, includes security fixes Sebastian Pipping
  • Re: [oss-security] Fwd: uriparser 0.9.8 released, includes security fixes Solar Designer
• [oss-security] CVE-2023-35701: Apache Hive: Arbitrary command execution via JDBC driver Stamatis Zampetakis
• Re: [oss-security] escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Sam James
  • Re: [oss-security] escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Steffen Nurpmeso
  • Re: [oss-security] escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Steffen Nurpmeso
• [oss-security] CVE-2024-30251: DoS in aiohttp Sam Bull
• [oss-security] Multiple vulnerabilities in Jenkins plugins Daniel Beck
  • [oss-security] Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj
  • [oss-security] Multiple vulnerabilities in Jenkins plugins Daniel Beck
  • [oss-security] Multiple vulnerabilities in Jenkins plugins Daniel Beck
  • [oss-security] Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj
  • [oss-security] Multiple vulnerabilities in Jenkins plugins Daniel Beck
  • [oss-security] Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj
  • [oss-security] Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj
  • [oss-security] Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj
• [oss-security] CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling YuanSheng Wang
• [oss-security] Re: CVEs issued by the Linux kernel CNA Alan Coopersmith
  • Re: [oss-security] Re: CVEs issued by the Linux kernel CNA Greg KH
• [oss-security] CVE-2024-32114: Apache ActiveMQ: Jolokia and REST API were not secured with default configuration Jean-Baptiste Onofré
• Re: [oss-security] New SMTP smuggling attack Mark Esler
  • [oss-security] Re: New SMTP smuggling attack nightmare . yeah27
  • Re: [oss-security] New SMTP smuggling attack Erik Auerswald
  • Re: [oss-security] New SMTP smuggling attack Steffen Nurpmeso
  • Re: [oss-security] New SMTP smuggling attack Steffen Nurpmeso
  • Re: [oss-security] New SMTP smuggling attack Solar Designer
  • Re: [oss-security] New SMTP smuggling attack Mark Esler
  • Re: [oss-security] New SMTP smuggling attack Erik Auerswald
• [oss-security] CVE-2024-27322: Deserialization vulnerability in R before 4.4.0 Alan Coopersmith
• [oss-security] Telegram Web app XSS / Session Hijacking 1-click Pedro Batista
  • [oss-security] Re: Telegram Web app XSS / Session Hijacking 1-click Pedro Batista
• [oss-security] Suspicious hook-loading mechanism in hyprland Sam James
• [oss-security] Update on the distro-backdoor-scanner effort Hank Leininger
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Simon McVittie
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Sam James
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Jacob Bachmeyer
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Morten Linderud
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Hank Leininger
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Jacob Bachmeyer
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Vegard Nossum
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Gabriel Ravier
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Jacob Bachmeyer
  • Re: [oss-security] Update on the distro-backdoor-scanner effort Hank Leininger
• [oss-security] libksieve (used by kmail/kontact) sent password as username Jonas Schäfer
  • Re: [oss-security] libksieve (used by kmail/kontact) sent password as username Salvatore Bonaccorso
• [oss-security] Security Issues and Abandonment of PHP ECC library (mdanter/ecc, phpecc/phpecc) Paragon Initiative Enterprises Security Team
• [oss-security] CVE-2024-0582 - Linux kernel use-after-free vulnerability in io_uring, writeup and exploit strategy Oriol Castejón
• [oss-security] PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor Peter van Dijk
• [oss-security] 83 bogus CVEs assigned to Robot Operating System (ROS) Mark Esler
  • [oss-security] Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Yash Patel
  • [oss-security] Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Mark Esler
  • [oss-security] Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Yash Patel
• [oss-security] CVE-2024-27349: Apache HugeGraph-Server: Bypass whitelist in Auth mode Imba Jin
• [oss-security] CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin Imba Jin
• [oss-security] CVE-2024-27347: Apache HugeGraph-Hubble: SSRF in Hubble connection page Imba Jin
• [oss-security] Wordpress Responsive theme: arbitrary HTML content injection (CVE-2024-2848) Hanno Böck
• Re: [oss-security] PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass Jeffrey Walton
• [oss-security] [Update] PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman
• [oss-security] CVE-2024-29733: Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context Elad Kalif
• [oss-security] CVE-2024-29217: Apache Answer: XSS vulnerability when changing personal website Enxin Xie
• [oss-security] flatpak CVE-2024-32462 : Sandbox escape via RequestBackground portal and CWE-88 Simon McVittie
• [oss-security] libreswan: IKEv1 default AH/ESP responder can crash and restart David Morel
• [oss-security] CVE-2024-31869: Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used Ephraim Anierobi
• [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Adhemerval Zanella Netto
  • Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Solar Designer
  • Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Charles Fol
  • Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer
  • Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Erik Auerswald
  • Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer
  • Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Solar Designer
  • Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Charles Fol
  • Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer
• [oss-security] Terrapin vulnerability in Jenkins CLI client Daniel Beck
• [oss-security] Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config Vegard Nossum
  • Re: [oss-security] Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config Jacob Bachmeyer
• Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
  • Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer
  • Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron
  • Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise Matt Johnston
  • Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer
  • Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk
• [oss-security] [kubernetes] CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin Rita Zhang
• [oss-security] CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client Fabian Bäumer
• [oss-security] Linux: Disabling network namespaces Solar Designer

• Earlier messages
• Later messages