Home page logo
oss-sec logo
Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives


Latest Posts

Fwd: ezmlm warning Jorge Manuel B. S. Vicetto (Aug 31)

I'm forwarding this email to the ml as I just noticed this is the 3rd
time since Jun 19th that because of DMARC emails from some members are
being rejected by receivers domains, like gmail for me. As I don't
recall reading about this topic before in this ml, I'm raising the
issue in case others are unaware and start getting warnings for losing
emails or are surprised by some members not getting their emails.

with numbers...

Re: CVE Request: Clipboard Perl module: clipedit: insecure use of temporary files cve-assign (Aug 30)
Use CVE-2014-5509.

Re: Full disclosure: denial of service in srvx cve-assign (Aug 30)
Use CVE-2014-5508 for the integer overflow.

(As far as we could tell from your discussion, there is no way for an
attacker to specify a negative number directly. That situation would
require a separate CVE ID. In other words, the patch to timeq.c
apparently detects a condition that's possible only after an integer
overflow occurs.)

RE: CVE requests for 2 separate vulns in torrentflux 2.4.5-1 (debian stable) Nicolas Guigo (Aug 29)
[cced debian security and package maintainer]

-----Original Message-----
From: Nicolas Guigo
Sent: Friday, August 29, 2014 2:08 PM
To: 'oss-security () lists openwall com'
Subject: CVE requests for 2 separate vulns in torrentflux 2.4.5-1 (debian

Hi oss-sec,

Please find the vulns descriptions at the below links:

CVE Request: Clipboard Perl module: clipedit: insecure use of temporary files Salvatore Bonaccorso (Aug 29)

The Clipboard Perl module distribution [1] ships a small script
'clipedit' which insecurely uses temporary files by using the pid of
the process in the used filename in /tmp[2]. The affected code looks

7 my $tmpfilename = "/tmp/clipedit$$";
8 open my $tmpfile, ">$tmpfilename" or die "Failure to open $tmpfilename: $!";
9 print $tmpfile $orig;
10 close $tmpfile;

CVE request: glibc character set conversion from IBM code pages Florian Weimer (Aug 29)
In 2012, a crasher in IBM930 decoding was reported and fixed:


This change went into glibc 2.16.

Today, Adhemerval Zanella Netto reported in additional code page
decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364):


Re: PHP-Wiki Command Injection cve-assign (Aug 29)
Use CVE-2014-5519.

Re: XRMS SQLi to RCE 0day cve-assign (Aug 29)
Use CVE-2014-5520.

Use CVE-2014-5521.

Full disclosure: denial of service in srvx Pierre Schweitzer (Aug 28)
Hi all,

ZeRoFiGhter and I (Pierre Schweitzer), at OnlineGamesNet.net discovered
the following issue on OnlineGamesNet.net on the 14th of July.

This is full disclosure of a denial of service security issue in srvx
software (http://www.srvx.net/). Vendor was contacted a month ago (on
the 16th of July) and acknowledge good reception of the issue and the
patches. The issues is today still unfixed in development trunk.

1 - Description:

Zarafa WebApp < 1.6 affected by CVE-2010-4207 or CVE-2012-5881 Robert Scheck (Aug 28)

I discovered that Zarafa WebApp < 1.6 is affected by CVE-2010-4207 or
CVE-2012-5881 (depends on WebApp version) as it bundles charts.swf by
YUI, see http://yuilibrary.com/support/20121030-vulnerability/ for the
list of affected md5sums.

[root () tux ~]# rpm -q zarafa-webapp
[root () tux ~]#

[root () tux ~]# rpm -ql zarafa-webapp | grep charts.swf | xargs md5sum

CVE-2014-0485: unsafe Python pickle in s3ql Florian Weimer (Aug 28)
Nikolaus Rath discovered a vulnerability in s3ql which can result in
remote code execution, caused by the unsafe use of Python's pickle
serialization library.

The upstream commit is here:


(This issue was reported privately to Debian, the distros list was
notified, and this is the public heads-up required by list policy.)

Re: Open Source only? Hanno Böck (Aug 28)
Being part on the Gentoo licensing team for a while I can tell you that
there exists no list of approved licenses that is nearby complete
(neither FSFs nor OSIs is anywhere near).
There's a very large number of licenses out there that comply with
every definition of Free Software or Open Source Software that you'll
find in no list whatsoever, mostly slight variations of the various
BSD-alike licenses that are only used for a single...

Re: Open Source only? Tim (Aug 28)
Hi Alexander,

My two coppers:

I'd say keep it limited to things that are at least mostly available
under an OSI license or a very similar one. These days there's really
not that much open source code out there that doesn't fit that
definition, so the edge cases shouldn't come up that often. When they
do come up, just make an "executive decision" as the moderator.

Thanks for asking for opinions on the matter....

Re: Open Source only? Kurt Seifried (Aug 27)
Simple: If we go with Open Source only then "is the code available under
an approved license"?


Obviously if there needs to be an exception (e.g. a closed source/poorly
licensed source interacts significantly with something Open Source it
might be worth discussing).

The other aspect of this: in my experience the majority of closed source
vendors just don't care about security. So discussing it,...

Open Source only? Solar Designer (Aug 27)

I've just rejected a posting giving the following reason:

Message lacks Subject, and the software appears to be non Open Source:
partial(?) source code is available, but under a EULA that doesn't
appear to meet OSI definition.

The message was CC'ed to full-disclosure, so it will probably appear

While message lacking Subject is a technicality, which the sender may
address (and resend the message), the issue of...

More Lists

Dozens of other network security lists are archived at SecLists.Org.

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]