Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

fetchmail-SA-2025-01: SMTP AUTH denial of service Alan Coopersmith (Oct 03)
fetchmail-SA-2025-01: SMTP AUTH denial of service

Topics: fetchmail SMTP client can crash when authenticating

Author: Matthias Andree
Version: 1.0
Announced: 2025-10-03
Type: failure to validate network input in certain configurations
Impact: fetchmail tries to read from address 1 and can crash
Severity: moderate

URL: https://www.fetchmail.info/fetchmail-SA-2025-01.txt
Project URL:...

Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
Wait, we got an award and no one invited us to the party to receive it?
That's sad, we need to add it to our shelf of "awards we never knew we
wanted to shoot for" :)

While I appreciate the invitation, unfortunately my travel schedule will
not allow me to attend FOSDEM next year. Fortunately your list of
questions have already been covered by me in previous talks I have given
so you can refer to them and follow up if you have...

Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
Hi Greg,

I am writing to formally invite you to a public debate at next year’s
FOSDEM.

Our past discussions surrounding the HFS+ vulnerability—and the
subsequent "lamest vendor response" award the Linux CNA received at
DEFCON—highlighted a significant disconnect in how we approach security,
disclosure, and community roles. My goal is not to re-litigate a past
issue, but to bring transparency to crucial questions that many...

Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 02)
If you feel the Linux CNA has issued CVEs in an inconsistent way, please
contact them and the people there will be glad to research the issue and
get back to you. They are issuing, on average, 13 CVEs a day, and so
stuff like this easily gets lost in the firehose.

The Linux CNA is also currently "backfilling" many old CVE entries that
previously came from the GSD database, and perhaps the issues you are
referring to came from there....

Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
I’m not going to frame this in a flame-inducing way, but MITRE has been
sitting on my dispute request for months without even adding a clear
“DISPUTED” flag. That makes it feel like my input doesn’t really matter
in this process in the grand scheme of vulnerability management, so be
it. For the same reason, I’d rather not repeat my letter to MITRE here,
as the arguments there, while clear and very important in my view, risk...

Django CVE-2025-59681 and CVE-2025-59682 Jacob Walls (Oct 01)
* Announce link:
https://www.djangoproject.com/weblog/2025/oct/01/security-releases/

* Announce content:
In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django
team is issuing releases for
`Django 5.2.7 <https://docs.djangoproject.com/en/dev/releases/5.2.7/>`_,
`Django 5.1.13 <https://docs.djangoproject.com/en/dev/releases/5.1.13/>`_,
and `Django 4.2.25 <...

Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Emilio Pozuelo Monfort (Oct 01)
The CVE got assigned by MITRE, so one can dispute it with MITRE directly.
Apparently it's already been done, and the CVE appears as disputed [1]. I'm not
sure if it will go from there to rejected.

Cheers,
Emilio

[1] https://www.cve.org/CVERecord?id=CVE-2023-51767

Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Mike O'Connor (Oct 01)
:> Second, I had expected ECC to "kill Rowhammer dead" only to find that it
:> can be possible to cause enough bit flips to get all the way from one
:> valid ECC word to another valid ECC word before ECC scrub reaches the
:> location.  I suspect that the DDR5 built-in ECC is supposed to resolve
:> Rowhammer, but we will have to wait and see if it actually achieves that
:> goal.

You won't have to wait very...

malware in SoopSocks package on PyPi Alan Coopersmith (Sep 30)
https://x.com/jfrogsecurity/status/1973081889977114815 reports:

Our security team uncovered a malicious PyPI package called SoopSocks,
which disguises itself as a SOCKS5 proxy but behaves like a backdoor.

Our research revealed that it installs persistence via Windows services
and scheduled tasks, modifies firewall rules, silently executes PowerShell
with UAC bypass, and exfiltrates host and network data to a hardcoded Discord
webhook every 30...

Re: How to do secure coding and create secure software Solar Designer (Sep 30)
Message accepted assuming that it is indeed final. No further messages
from you on this topic are likely to be accepted, so please don't bother
writing any.

Basically, you're just trolling. But it is unimportant that you do. We
nevertheless had a few valid and interesting points made in this thread.

Not replying to you, but for others on the list:

Input validation is important, but it is also important to distinguish
genuine...

Re: How to do secure coding and create secure software Amit (Sep 30)
Definitely, let's wind down this thread.

My final point: My whole idea was that a normal programmer doesn't know
that if all functions (including main) are secure then the software will be
secure. And the programmer should only worry about making his/her functions
secure and not think about the whole software and the programmer doesn't
need to think about side-channel attacks, buffer-overflow attacks, etc.
Basically, I have...

CVE-2025-61735: Apache Kylin: Server-Side Request Forgery Li Yang (Sep 30)
Severity: low

Affected versions:

- Apache Kylin 4.0.0 through 5.0.2

Description:

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin.

This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as Kylin's system and project admin
access is well protected.

Users are recommended to upgrade to version 5.0.3, which fixes the issue.

This issue is being tracked as KYLIN-6082

Credit:

liuhuajin...

CVE-2025-61734: Apache Kylin: improper restriction of file read Li Yang (Sep 30)
Severity: low

Affected versions:

- Apache Kylin 4.0.0 through 5.0.2

Description:

Files or Directories Accessible to External Parties vulnerability in Apache Kylin.
You are fine as long as Kylin's system and project admin access is well protected.

This issue affects Apache Kylin: from 4.0.0 through 5.0.2.

Users are recommended to upgrade to version 5.0.3, which fixes the issue.

This issue is being tracked as KYLIN-6082

Credit:...

CVE-2025-61733: Apache Kylin: Authentication bypass Li Yang (Sep 30)
Severity: high

Affected versions:

- Apache Kylin 4.0.0 through 5.0.2

Description:

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.

This issue affects Apache Kylin: from 4.0.0 through 5.0.2.

Users are recommended to upgrade to version 5.0.3, which fixes the issue.

This issue is being tracked as KYLIN-6081

Credit:

liuhuajin <liuhuajin1 () huawei com> (finder)

References:...

FreeIPA - CVE-2025-7493 - Privilege Escalation from host to domain admin Marco Benatto (Sep 30)
Hello all,

please find the announcement of a Privilege Escalation vulnerability
in FreeIPA below.

Upstream release note:

https://www.freeipa.org/release-notes/4-12-5.html

==== Security Report ====

* CVE-2025-7493

Continuation of CVE-2025-4404 due to incomplete uniqueness checks for multiple
Kerberos attributes. In CVE-2025-4404 it was found that uniqueness of the
canonical Kerberos principal name and its aliases was not complete. We...
