oss-sec: by author
361 messages, starting Dec 11 25 and ending Oct 11 25
Adam Monsen
CVE-2025-58130: Apache Fineract: Server Key not masked Adam Monsen (Dec 11)
CVE-2025-58137: Apache Fineract: IDOR via self-service API Adam Monsen (Dec 11)
CVE-2025-23408: Apache Fineract: weak password policy Adam Monsen (Dec 11)
Adrian Perez de Castro
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0008 Adrian Perez de Castro (Dec 01)
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0010 Adrian Perez de Castro (Dec 16)
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0007 Adrian Perez de Castro (Oct 13)
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 Adrian Perez de Castro (Dec 04)
Re: [webkit-gtk] WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 Adrian Perez de Castro (Dec 04)
akendo () akendo eu
Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 akendo () akendo eu (Nov 06)
Alan Coopersmith
Re: CVE-2025-40300 / VMScape Alan Coopersmith (Nov 14)
CVE-2025-8110 in Gogs self-hosted git service Alan Coopersmith (Dec 10)
Re: Questionable CVE's reported against dnsmasq Alan Coopersmith (Oct 29)
Go 1.25.2 and Go 1.24.8 fix 10 vulnerabilities Alan Coopersmith (Oct 10)
Re: Many vulnerabilities in GnuPG Alan Coopersmith (Dec 30)
fetchmail-SA-2025-01: SMTP AUTH denial of service Alan Coopersmith (Oct 03)
CVE-2025-66566 fixed in lz4-java 1.10.1 Alan Coopersmith (Dec 05)
CPython vulnerable to CVE-2025-13836, CVE-2025-13837, & CVE-2025-12084 Alan Coopersmith (Dec 05)
Avahi simple protocol server accepts unlimited connections [CVE-2025-59529] Alan Coopersmith (Dec 19)
CVE-2025-66418 & CVE-2025-66471 fixed in urllib3 2.6.0 Alan Coopersmith (Dec 05)
5 CVE's fixed in Fluent Bit Alan Coopersmith (Nov 26)
Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Alan Coopersmith (Dec 03)
PostgreSQL releases fixes for CVE-2025-12817 & CVE-2025-12818 Alan Coopersmith (Nov 14)
Questionable CVE's reported against dnsmasq Alan Coopersmith (Oct 27)
Go 1.25.5 and Go 1.24.11 are released - fix CVE-2025-61729 & CVE-2025-61727 Alan Coopersmith (Dec 05)
expat looking for help with another unfixed non-public denial-of-service vulnerability [CVE-2025-66382] Alan Coopersmith (Dec 01)
"MongoBleed" CVE-2025-14847 in many versions of MongoDB Alan Coopersmith (Dec 29)
GHSL-2025-042: Use After Free (UAF) in Poppler - CVE-2025-52885 Alan Coopersmith (Oct 13)
CVE-2025-12183 in lz4-java, fixed in new fork Alan Coopersmith (Dec 01)
gnutls 3.8.11 released with fix for CVE-2025-9820 Alan Coopersmith (Nov 20)
Aleksa Sarai
runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Aleksa Sarai (Nov 05)
Alexander Patrakov
Re: Questionable CVE's reported against dnsmasq Alexander Patrakov (Nov 13)
Alex Gaynor
Re: BoringSSL private key loading is not constant time Alex Gaynor (Oct 14)
Re: BoringSSL private key loading is not constant time Alex Gaynor (Oct 14)
Ali Polatel
Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Ali Polatel (Nov 07)
Re: Best practices for signature verification Ali Polatel (Dec 30)
Amos Jeffries
[CVE-2025-62168] SQUID-2025:2 Information Disclosure in Error handling Amos Jeffries (Nov 05)
[CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries (Nov 04)
[CVE-2025-54574] SQUID-2025:1 Buffer Overflow in URN Handling Amos Jeffries (Nov 05)
Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries (Nov 05)
Andreas Metzler
Re: Many vulnerabilities in GnuPG Andreas Metzler (Dec 29)
Andrew Latham
Re: Questionable CVE's reported against dnsmasq Andrew Latham (Oct 27)
Arnout Engelen
CVE-2025-61581: Apache Traffic Control: ReDoS issue in Traffic Router configuration Arnout Engelen (Oct 16)
Arrigo Marchiori
CVE-2025-64406: Apache OpenOffice: Possible memory corruption during CSV import Arrigo Marchiori (Nov 11)
CVE-2025-64401: Apache OpenOffice: Remote documents loaded without prompt via IFrame Arrigo Marchiori (Nov 11)
CVE-2025-64403: Apache OpenOffice: Remote documents loaded without prompt via "external data sources" in Calc Arrigo Marchiori (Nov 11)
CVE-2025-64407: Apache OpenOffice: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables Arrigo Marchiori (Nov 11)
CVE-2025-64405: Apache OpenOffice: Remote documents loaded without prompt via DDE function Arrigo Marchiori (Nov 11)
CVE-2025-64402: Apache OpenOffice: Remote documents loaded without prompt via OLE objects Arrigo Marchiori (Nov 11)
CVE-2025-64404: Apache OpenOffice: Remote documents loaded without prompt via background and bullet images Arrigo Marchiori (Nov 11)
Artem S. Tashkinov
A couple of security issues? Artem S. Tashkinov (Dec 20)
Art Manion
Re: Questionable CVE's reported against dnsmasq Art Manion (Oct 31)
Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 04)
Re: Becoming a CVE Naming Authority for your project Art Manion (Nov 05)
Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 01)
Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 03)
Ashish Tiwari
CVE-2025-62232: Apache APISIX: APISIX basic-auth logs plaintext credentials at info level Ashish Tiwari (Oct 30)
Attila Szasz
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 03)
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
Benjamin McMahon
Re: Systemd vsock sshd Benjamin McMahon (Dec 29)
Billy Brumley
Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
BoringSSL private key loading is not constant time Billy Brumley (Oct 13)
Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 18)
Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
Bjoern Franke
CVE-2025-40300 / VMScape Bjoern Franke (Nov 13)
Re: CVE-2025-40300 / VMScape Bjoern Franke (Nov 17)
Brad House
CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Brad House (Dec 08)
Camelia Lavender
CVE-2025-30189: Dovecot IMAP Server: Using auth caching causes the first lookup to be cached for all lookups Camelia Lavender (Oct 29)
Caveney, Seamus G
RE: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Caveney, Seamus G (Oct 15)
Christian Brabandt
Re: 5 CVE's fixed in Fluent Bit Christian Brabandt (Dec 02)
Re: 5 CVE's fixed in Fluent Bit Christian Brabandt (Dec 01)
[vim-security] A Windows uncontrolled search path vulnerability affects Vim < 9.1.1947 Christian Brabandt (Dec 02)
Christian Fischer
Re: 5 CVE's fixed in Fluent Bit Christian Fischer (Dec 03)
Re: Questionable CVE's reported against dnsmasq Christian Fischer (Dec 03)
Re: 5 CVE's fixed in Fluent Bit Christian Fischer (Dec 02)
Collin Funk
CVE-2018-25153 against GNU barcode seems bogus Collin Funk (Dec 26)
Re: Questionable CVE's reported against dnsmasq Collin Funk (Oct 27)
Re: Re: Best practices for signature verification Collin Funk (Dec 31)
Re: Many vulnerabilities in GnuPG Collin Funk (Dec 30)
Re: Questionable CVE's reported against dnsmasq Collin Funk (Nov 01)
Cosmin Truta
libpng 1.6.51: Four buffer overflow vulnerabilities fixed: CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018 Cosmin Truta (Nov 21)
libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta (Dec 03)
Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta (Dec 03)
Craig Ingram
[kubernetes] CVE-2025-14269: Credential caching in Headlamp with Helm enabled Craig Ingram (Dec 17)
Damien Miller
Announce: OpenSSH 10.2 released Damien Miller (Oct 10)
Announce: OpenSSH 10.1 released Damien Miller (Oct 06)
Dan Haywood
CVE-2025-64408: Apache Causeway: Java deserialization vulnerability to authenticated attackers Dan Haywood (Nov 19)
Daniel Beck
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 29)
Daniel Kiper
[SECURITY PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close() Daniel Kiper (Nov 18)
[SECURITY PATCH 4/8] gettext/gettext: Unregister gettext command on module unload Daniel Kiper (Nov 18)
[SECURITY PATCH 1/8] commands/test: Fix error in recursion depth calculation Daniel Kiper (Nov 18)
[SECURITY PATCH 6/8] tests/lib/functional_test: Unregister commands on module unload Daniel Kiper (Nov 18)
[SECURITY PATCH 0/8] GRUB2 vulnerabilities - 2025/11/18 Daniel Kiper (Nov 18)
[SECURITY PATCH 3/8] net/net: Unregister net_set_vlan command on unload Daniel Kiper (Nov 18)
[SECURITY PATCH 5/8] normal/main: Unregister commands on module unload Daniel Kiper (Nov 18)
[SECURITY PATCH 7/8] commands/usbtest: Use correct string length field Daniel Kiper (Nov 18)
[SECURITY PATCH 8/8] commands/usbtest: Ensure string length is sufficient in usb string processing Daniel Kiper (Nov 18)
Daniel Stenberg
[SECURITY ADVISORY] wcurl path traversal with percent-encoded slashes Daniel Stenberg (Nov 04)
[SECURITY ADVISORY] curl: missing SFTP host verification with wolfSSH Daniel Stenberg (Nov 04)
David Benjamin
Re: BoringSSL private key loading is not constant time David Benjamin (Oct 14)
David Handermann
CVE-2025-66524: Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor David Handermann (Dec 18)
David Leadbeater
Re: Announce: OpenSSH 10.1 released David Leadbeater (Oct 13)
Re: Announce: OpenSSH 10.1 released David Leadbeater (Oct 07)
Demi Marie Obenour
Re: safe use of cleartext signatures? Demi Marie Obenour (Dec 30)
Re: Systemd vsock sshd Demi Marie Obenour (Dec 30)
Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 30)
Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 30)
Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 27)
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 28)
Re: Re: Best practices for signature verification Demi Marie Obenour (Dec 31)
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 27)
Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 28)
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Demi Marie Obenour (Nov 04)
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour (Oct 16)
Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 29)
Best practices for signature verification Demi Marie Obenour (Dec 28)
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 03)
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour (Oct 21)
Re: Announce: OpenSSH 10.1 released Demi Marie Obenour (Oct 11)
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 01)
Re: BoringSSL private key loading is not constant time Demi Marie Obenour (Oct 14)
Re: CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Demi Marie Obenour (Dec 08)
Douglas Bagnall
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 16)
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
Fwd: Heads-up: Upcoming Samba security releases Douglas Bagnall (Oct 08)
Re: Questionable CVE's reported against dnsmasq Douglas Bagnall (Oct 29)
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
Eddie Chapman
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Eddie Chapman (Oct 30)
Eli Schwartz
Re: Questionable CVE's reported against dnsmasq Eli Schwartz (Oct 27)
Re: Re: Best practices for signature verification Eli Schwartz (Dec 30)
Re: Re: Best practices for signature verification Eli Schwartz (Dec 30)
Emilio Pozuelo Monfort
Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Emilio Pozuelo Monfort (Oct 01)
Ephraim Anierobi
CVE-2025-65995: Apache Airflow: Disclosure of secrets to UI via kwargs Ephraim Anierobi (Dec 12)
CVE-2025-66388: Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI Ephraim Anierobi (Dec 12)
Eric Covener
CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo Eric Covener (Dec 04)
CVE-2025-65082: Apache HTTP Server: CGI environment variable override Eric Covener (Dec 04)
CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF Eric Covener (Dec 04)
CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... Eric Covener (Dec 04)
CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals Eric Covener (Dec 04)
Fabio Degrigis
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Fabio Degrigis (Oct 18)
Francesco Chicchiriccò
CVE-2025-65998: Apache Syncope: Default AES key used for internal password encryption Francesco Chicchiriccò (Nov 24)
CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated administrators Francesco Chicchiriccò (Oct 20)
Greg Dahlman
Re: Systemd vsock sshd Greg Dahlman (Dec 28)
Re: Systemd vsock sshd Greg Dahlman (Dec 29)
Re: Systemd vsock sshd Greg Dahlman (Dec 30)
Re: Systemd vsock sshd Greg Dahlman (Dec 29)
Re: Systemd vsock sshd Greg Dahlman (Dec 29)
Systemd vsock sshd Greg Dahlman (Dec 27)
Greg KH
Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 04)
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 02)
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
Re: A couple of security issues? Greg KH (Dec 20)
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
Re: Becoming a CVE Naming Authority for your project Greg KH (Nov 04)
Greg Roelofs
Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Greg Roelofs (Dec 03)
Hank Leininger
Re: Questionable CVE's reported against dnsmasq Hank Leininger (Oct 27)
Hanno Böck
Re: BoringSSL private key loading is not constant time Hanno Böck (Oct 14)
OOB read / segfault and endless loop in courier mail server 1.5.0 Hanno Böck (Oct 26)
XXE vulnerabilities in electronic invoicing software (Kivitendo, peppol-py, ZUV) Hanno Böck (Dec 16)
Harikrishna Patnala
CVE-2025-59302: Apache CloudStack: Potential remote code execution on Javascript engine defined rules Harikrishna Patnala (Nov 26)
CVE-2025-59454: Apache CloudStack: Lack of user permission validation leading to data leak for few APIs Harikrishna Patnala (Nov 26)
Heiko Schlittermann
Release: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99.1 released Heiko Schlittermann (Dec 18)
Update: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann (Dec 11)
EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann (Dec 10)
Re: Update: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann (Dec 14)
Henrik Ahlgren
Re: Many vulnerabilities in GnuPG Henrik Ahlgren (Dec 29)
Re: Many vulnerabilities in GnuPG Henrik Ahlgren (Dec 30)
Holden Karau
CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks Holden Karau (Oct 14)
Huajie Wang
CVE-2025-54981: Apache StreamPark: Weak Encryption Algorithm in StreamPark Huajie Wang (Dec 12)
CVE-2025-53960: Apache StreamPark: Use the user’s password as the secret key Vulnerability Huajie Wang (Dec 03)
CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability Huajie Wang (Dec 12)
Hulk Lin
CVE-2025-59792: Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins Hulk Lin (Nov 28)
CVE-2025-59790: Apache Kvrocks: RESET command grants admin privileges Hulk Lin (Nov 28)
Jacob Bachmeyer
Re: Systemd vsock sshd Jacob Bachmeyer (Dec 30)
Re: Systemd vsock sshd Jacob Bachmeyer (Dec 28)
Re: Many vulnerabilities in GnuPG Jacob Bachmeyer (Dec 30)
Re: Questionable CVE's reported against dnsmasq Jacob Bachmeyer (Nov 13)
Re: safe use of cleartext signatures? (was: Many vulnerabilities in GnuPG) Jacob Bachmeyer (Dec 30)
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Jacob Bachmeyer (Oct 17)
Re: Many vulnerabilities in GnuPG Jacob Bachmeyer (Dec 30)
Re: [CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings Jacob Bachmeyer (Dec 16)
Re: BoringSSL private key loading is not constant time Jacob Bachmeyer (Oct 21)
Re: BoringSSL private key loading is not constant time Jacob Bachmeyer (Oct 14)
Re: Many vulnerabilities in GnuPG Jacob Bachmeyer (Dec 27)
Jacob Walls
Django CVE-2025-59681 and CVE-2025-59682 Jacob Walls (Oct 01)
Jacques Le Roux
CVE-2025-59118: Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload Jacques Le Roux (Nov 11)
CVE-2025-61623: Apache OFBiz: Reflected Cross-site Scripting Jacques Le Roux (Nov 11)
Jakub Wilk
Re: CVE-2025-8110 in Gogs self-hosted git service Jakub Wilk (Dec 11)
Jan Schaumann
CVE-2025-55182: RCE in React Server Components Jan Schaumann (Dec 03)
additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) Jan Schaumann (Dec 14)
several vulnerabilities fixed in Go 1.25.2 and Go 1.24.8 Jan Schaumann (Oct 07)
redis: CVE-2025-49844: Lua Use-After-Free may lead to remote code execution Jan Schaumann (Oct 07)
Jarek Potiuk
CVE-2025-67895: Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2 Jarek Potiuk (Dec 16)
Jeffrey Walton
Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Nov 14)
Re: Many vulnerabilities in GnuPG Jeffrey Walton (Dec 28)
Re: Many vulnerabilities in GnuPG Jeffrey Walton (Dec 30)
Re: BoringSSL private key loading is not constant time Jeffrey Walton (Oct 13)
React2Shell (CVE-2025-55182/CVE-2025-66478) Jeffrey Walton (Dec 04)
Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Oct 27)
Jeremy Stanley
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 05)
Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Nov 02)
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 17)
Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Oct 27)
Re: Becoming a CVE Naming Authority for your project Jeremy Stanley (Nov 06)
[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 04)
[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073) Jeremy Stanley (Nov 17)
John Hein
Re: SQLite - Integer Overflow in FTS5 Extension [CVE-2025-7709] John Hein (Nov 18)
Joseph Goydish II
[Advisory] WebKit/iOS 26.2: Gigacage Boundary Violation via Logic Flaw enabling OOB Access Joseph Goydish II (Dec 26)
Karan Kumar
CVE-2025-59390: Apache Druid: Kerberos authentication chooses a cryptographically insecure secret if not configured explicitly. Karan Kumar (Nov 25)
Kaxil Naik
CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator" Kaxil Naik (Oct 29)
CVE-2025-62402: Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API Kaxil Naik (Oct 29)
CVE-2025-62503: Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables) Kaxil Naik (Oct 29)
Kevin Guerroudj
Multiple vulnerabilities in Jenkins and Jenkins plugins Kevin Guerroudj (Dec 10)
kf503bla
Re: Best practices for signature verification kf503bla (Dec 29)
Krzysztof Porębski
CVE-2025-54539: Apache ActiveMQ NMS AMQP Client: Deserialization of Untrusted Data Krzysztof Porębski (Oct 15)
Leonard Xu
CVE-2025-62228: Apache Flink CDC: SQL injection via maliciously crafted identifiers Leonard Xu (Oct 09)
Lexi Groves (49016)
Re: Many vulnerabilities in GnuPG Lexi Groves (49016) (Dec 29)
Lidong Dai
CVE-2023-48796: Apache DolphinScheduler: Sensitive information disclosure Lidong Dai (Nov 28)
Lukasz Lenart
CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed Lukasz Lenart (Dec 10)
CVE-2025-64775: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - S2-068 Lukasz Lenart (Dec 01)
lunbun
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution lunbun (Oct 12)
Marco Moock
Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Marco Moock (Dec 10)
Mark Thomas
CVE-2025-61795: Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS Mark Thomas (Oct 27)
CVE-2025-55752: Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled Mark Thomas (Oct 27)
CVE-2025-55754: Apache Tomcat: console manipulation via escape sequences in log messages Mark Thomas (Oct 27)
Martin Weinelt
Re: CVE-2025-8110 in Gogs self-hosted git service Martin Weinelt (Dec 11)
Matthew Fernandez
Re: Questionable CVE's reported against dnsmasq Matthew Fernandez (Oct 27)
Re: Becoming a CVE Naming Authority for your project Matthew Fernandez (Nov 05)
Matthias Andree
Re: fetchmail-SA-2025-01: SMTP AUTH denial of service now called CVE-2025-61962. Matthias Andree (Oct 04)
Matthias Gerstner
smb4k: Major Vulnerabilities in KAuth Helper (CVE-2025-66002, CVE-2025-66003) Matthias Gerstner (Dec 10)
lightdm-kde-greeter: Privilege Escalation from lightdm Service User to root in KAuth Helper Service (CVE-2025-62876) Matthias Gerstner (Nov 17)
OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875) Matthias Gerstner (Oct 31)
scx: Unauthenticated scx_loader D-Bus Service can lead to major Denial-of-Service Matthias Gerstner (Nov 06)
Matt Johnston
Dropbear 2025.89 fixes privilege escalation, CVE-2025-14282 Matt Johnston (Dec 16)
Max Jonas Werner
Re: Best practices for signature verification Max Jonas Werner (Dec 29)
Michael Orlitzky
Re: Questionable CVE's reported against dnsmasq Michael Orlitzky (Oct 27)
Michał Kępień
ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) Michał Kępień (Oct 22)
Mickaël Salaün
Island: Sandboxing tool powered by Landlock Mickaël Salaün (Dec 05)
Mike O'Connor
Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Mike O'Connor (Oct 01)
Mingyu Chen
CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server Mingyu Chen (Nov 04)
Moritz Mühlenhoff
Re: Questionable CVE's reported against dnsmasq Moritz Mühlenhoff (Oct 27)
Re: CVE-2025-40300 / VMScape Moritz Mühlenhoff (Nov 14)
Natalia Bidart
Django CVE-2025-13372 and CVE-2025-64460 Natalia Bidart (Dec 02)
Django CVE-2025-64458 and CVE-2025-64459 Natalia Bidart (Nov 05)
Nathan Herz
[kubernetes] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager Nathan Herz (Dec 01)
Neal Gompa
Re: Many vulnerabilities in GnuPG Neal Gompa (Dec 29)
nightmare . yeah27
Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 05)
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability nightmare . yeah27 (Oct 31)
Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 04)
Re: Questionable CVE's reported against dnsmasq nightmare . yeah27 (Oct 27)
Olivier Fourdan
Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Oct 28)
Olle E. Johansson
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 05)
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 02)
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 04)
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 06)
Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 05)
Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 06)
Otto Moerbeek
PowerDNS Security Announcement 2025-07 and 2025-08 regarding PowerDNS Recursor Otto Moerbeek (Dec 08)
PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor Otto Moerbeek (Oct 23)
Pat Gunn
Re: Becoming a CVE Naming Authority for your project Pat Gunn (Nov 06)
Re: Systemd vsock sshd Pat Gunn (Dec 29)
Re: Systemd vsock sshd Pat Gunn (Dec 31)
Pedro Sampaio
Re: Becoming a CVE Naming Authority for your project Pedro Sampaio (Nov 05)
Re: Questionable CVE's reported against dnsmasq Pedro Sampaio (Nov 05)
Re: Becoming a CVE Naming Authority for your project Pedro Sampaio (Nov 05)
Peter Bex
Resource consumption weakness in Postgres-using applications & frameworks Peter Bex (Oct 06)
Peter Gutmann
Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 31)
Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 03)
Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 29)
Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 30)
Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 13)
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Peter Gutmann (Oct 16)
Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 12)
Re: Becoming a CVE Naming Authority for your project Peter Gutmann (Nov 05)
Re: BoringSSL private key loading is not constant time Peter Gutmann (Oct 13)
Re: Becoming a CVE Naming Authority for your project Peter Gutmann (Nov 07)
Re: BoringSSL private key loading is not constant time Peter Gutmann (Oct 14)
Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 14)
Peter Hutterer
FW: X.Org Security Advisory: multiple security issues in xkbcomp Peter Hutterer (Dec 02)
Petr Menšík
Re: Questionable CVE's reported against dnsmasq Petr Menšík (Oct 31)
Philipp Zehnder
CVE-2025-47411: Apache StreamPipes: Leverage of User ID for Privilege Escalation Philipp Zehnder (Dec 29)
Piotr Karwasz
CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender Piotr Karwasz (Dec 18)
Rodrigo Freire
Becoming a CVE Naming Authority for your project Rodrigo Freire (Nov 04)
roryqi
CVE-2025-68637: Insecure SSL Configuration in Uniffle HTTP Client roryqi (Dec 27)
Russ Allbery
Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 03)
Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 01)
Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 01)
Sage [They / Them] McTaggart
CVE-2024-47866 Ceph: RGW DoS via improper input validation. Sage [They / Them] McTaggart (Nov 11)
Salvatore Bonaccorso
Re: Many vulnerabilities in GnuPG Salvatore Bonaccorso (Dec 28)
Re: Questionable CVE's reported against dnsmasq Salvatore Bonaccorso (Oct 29)
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Salvatore Bonaccorso (Nov 16)
Sam James
Re: Systemd vsock sshd Sam James (Dec 28)
Re: Systemd vsock sshd Sam James (Dec 28)
Re: Many vulnerabilities in GnuPG Sam James (Dec 28)
Re: Many vulnerabilities in GnuPG Sam James (Dec 30)
Re: Many vulnerabilities in GnuPG Sam James (Dec 29)
Re: Many vulnerabilities in GnuPG Sam James (Dec 28)
Sebastian Pipping
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 31)
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 27)
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 27)
Re: Multiple vulnerabilities in Jenkins plugins Sebastian Pipping (Oct 29)
uriparser 1.0.0 fixes CVE-2025-67899 (DoS, CWE-674) Sebastian Pipping (Dec 15)
Simon Josefsson
Re: Best practices for signature verification Simon Josefsson (Dec 31)
Simon McVittie
Re: Questionable CVE's reported against dnsmasq Simon McVittie (Oct 28)
Solar Designer
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Solar Designer (Oct 17)
Re: Questionable CVE's reported against dnsmasq Solar Designer (Nov 01)
Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Solar Designer (Nov 04)
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Oct 31)
Re: Multiple vulnerabilities in Jenkins plugins Solar Designer (Oct 31)
Re: Questionable CVE's reported against dnsmasq Solar Designer (Oct 31)
Re: CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability Solar Designer (Dec 12)
Re: Questionable CVE's reported against dnsmasq Solar Designer (Oct 27)
Re: Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V Solar Designer (Oct 16)
Re: Many vulnerabilities in GnuPG Solar Designer (Dec 27)
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution Solar Designer (Oct 16)
Re: Many vulnerabilities in GnuPG Solar Designer (Dec 27)
Re: CVE-2025-40300 / VMScape Solar Designer (Nov 17)
Stamatis Zampetakis
CVE-2025-62728: Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs Stamatis Zampetakis (Nov 26)
Steffen Nurpmeso
Re: Best practices for signature verification Steffen Nurpmeso (Dec 29)
BSDiff (bspatch): remotely triggerable out-of-bound memory access Steffen Nurpmeso (Dec 29)
Re: Best practices for signature verification Steffen Nurpmeso (Dec 31)
Stephan Verbücheln
Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Dec 29)
Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Dec 28)
Stuart Henderson
Re: Questionable CVE's reported against dnsmasq Stuart Henderson (Oct 27)
Re: Questionable CVE's reported against dnsmasq Stuart Henderson (Oct 28)
tanish saxena
GitGuardian GGShield SSL/TLS Verification Bypass (No CVE) tanish saxena (Nov 17)
Tim Allison
CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected Tim Allison (Dec 04)
Tomasz Cedro
CVE-2025-48768: Apache NuttX RTOS: fs/inode: fs_inoderemove root inode removal Tomasz Cedro (Dec 31)
CVE-2025-48769: Apache NuttX RTOS: fs/vfs/fs_rename: use after free Tomasz Cedro (Dec 31)
turistu
[CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings turistu (Dec 16)
Valtteri Vuorikoski
CVE-2025-68460/CVE-2025-68461: Roundcube XSS + I-D prior to 1.5.12/1.6.12 Valtteri Vuorikoski (Dec 27)
VGalaxies
CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability VGalaxies (Dec 09)
Vincent Lefevre
LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre (Dec 10)
rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre (Oct 17)
Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre (Dec 10)
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre (Oct 17)
Wang Weibing
CVE-2025-59789: Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser Wang Weibing (Nov 30)
Werner Koch
Re: safe use of cleartext signatures? Werner Koch (Dec 31)
Re: Many vulnerabilities in GnuPG Werner Koch (Dec 29)
Re: safe use of cleartext signatures? Werner Koch (Dec 30)
William Hodges
CVE-2024-44088: Apache Geode: Reflected XSS William Hodges (Oct 14)
CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system William Hodges (Oct 17)
wish42offcl98
Systemd vsock sshd wish42offcl98 (Dec 30)
Wlodek Wencel
ISC has disclosed one vulnerability in Kea (CVE-2025-11232) Wlodek Wencel (Oct 29)
Xen . org security team
Xen Security Advisory 476 v1 (CVE-2025-58149) - Incorrect removal of permissions on PCI device unplug Xen . org security team (Oct 24)
Xen Security Advisory 475 v2 (CVE-2025-58147,CVE-2025-58148) - x86: Incorrect input sanitisation in Viridian hypercalls Xen . org security team (Oct 21)
Xen Security Advisory 471 v3 (CVE-2024-36350,CVE-2024-36357) - x86: Transitive Scheduler Attacks Xen . org security team (Nov 05)
yen-mummify-yeah
Re: Systemd vsock sshd yen-mummify-yeah (Dec 28)
Yogesh Mittal
Re: Becoming a CVE Naming Authority for your project Yogesh Mittal (Nov 05)
Yorgos Thessalonikefs
Unbound: 1.24.2 addresses CVE-2025-11411 (again) Yorgos Thessalonikefs (Nov 26)
Zdenek Dohnal
CVE-2025-64524 cups-filters: Heap Buffer Overflow in rastertopclx Filter Leading to Potential Arbitrary Code Execution Zdenek Dohnal (Nov 20)
CVE-2025-57812 libcupsfilters, cups-filters 1.x: Multiple TIFF-related issues in libcupsfilters Zdenek Dohnal (Nov 12)
CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues Zdenek Dohnal (Nov 27)
CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack Zdenek Dohnal (Nov 27)
CVE-2025-64503 libcupsfilters, cups-filters 1.x: out of bounds write in pdftoraster Zdenek Dohnal (Nov 12)
Zhenxu Ke
CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability Zhenxu Ke (Nov 26)
许佳凯
Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V 许佳凯 (Oct 11)
