Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives

Latest Posts

Re: OpenSSH GSSAPI keyex patch issue Solar Designer (Mar 18)
Hi Dmitry,

This was brought to the distros list on March 5. On March 6, I wrote:

"Looks like Red Hat packages are also affected. In particular, I looked
at openssh-8.0p1-gssapi-keyex.patch from RHEL 9."

so it's not like Red Hat could assume this was limited to Debian/Ubuntu.

I now recall that something similar happened on a previous occasion,
where you were not aware of a relevant issue until public disclosure.

So we seem to...

[SBA-ADV-20251205-01] LibreChat 0.8.1-rc2 RAG API Authentication Bypass SBA Research Security Advisory (Mar 18)
# LibreChat RAG API Authentication Bypass #

Link:
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreChat_RAG_API_Authentication_Bypass

## Vulnerability Overview ##

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session
mechanism and RAG API which compromises the service-level authentication of
the RAG API.

* **Identifier** : SBA-ADV-20251205-01
* **Type of Vulnerability** :...
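The flaw the advisory describes is a key-separation problem: if the RAG API verifies bearer tokens with the very secret that signs user sessions, any session JWT a logged-in user already holds is also a valid RAG API credential, so the service-level authentication in front of the RAG API collapses to "any user". The following Python is an added illustration, not LibreChat's or SBA Research's code: it implements a minimal HS256 JWT with the standard library, models the shared-secret configuration beside a hardened one (a secret the RAG API shares with nobody plus an audience claim bound to it), and shows which tokens each accepts. All secrets, claim values and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build a minimal HS256 JWT (header.payload.signature); enough for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs256(token: str, secret: bytes, expected_aud: Optional[str] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and (when given) audience check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # the token never gets to choose the algorithm
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad split, base64 or JSON (binascii/JSON errors subclass ValueError)
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    if expected_aud is not None and claims.get("aud") != expected_aud:
        return None
    return claims


# Hypothetical secrets. The vulnerable deployment modelled here hands the
# same value to both the session mechanism and the RAG API.
SHARED_SECRET = b"one-secret-used-everywhere"
SESSION_SECRET = b"session-only-secret"
RAG_SECRET = b"rag-service-only-secret"


def user_session_token(secret: bytes, user_id: str = "user-123") -> str:
    """What a logged-in user holds in their browser: a session JWT."""
    return mint_hs256({"sub": user_id, "aud": "session", "exp": time.time() + 3600}, secret)


def backend_service_token() -> str:
    """What the backend presents to the RAG API on the user's behalf in the hardened setup."""
    return mint_hs256({"sub": "librechat-backend", "aud": "rag-api", "exp": time.time() + 300}, RAG_SECRET)


def rag_api_accepts_vulnerable(token: str) -> bool:
    """Flaw modelled: same secret as the session mechanism, signature check only."""
    return verify_hs256(token, SHARED_SECRET) is not None


def rag_api_accepts_hardened(token: str) -> bool:
    """Fix modelled: a secret reserved for the RAG API, plus an audience bound to it."""
    return verify_hs256(token, RAG_SECRET, expected_aud="rag-api") is not None


if __name__ == "__main__":
    session = user_session_token(SHARED_SECRET)
    print("session token accepted by vulnerable RAG API:", rag_api_accepts_vulnerable(session))
    print("session token accepted by hardened RAG API:  ", rag_api_accepts_hardened(session))
    print("service token accepted by hardened RAG API:  ", rag_api_accepts_hardened(backend_service_token()))
```

Two things carry the fix: the separate secret means a session token cannot even pass the signature check at the RAG API, and the audience check means that, should a secret ever be reused by mistake, a token minted for one consumer is still refused by the other.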

Re: OpenSSH GSSAPI keyex patch issue Dmitry Belyavskiy (Mar 18)
Dear colleagues,

Thanks for sharing your findings!
Can we somehow establish some better coordination in case of widely used
downstream patches, especially for such an important, ubiquitous and
heavily patched component as OpenSSH?

Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Michael Orlitzky (Mar 17)
It's required by POSIX which, funny enough, forbids /tmp from being
used the way snap-confine is using it. I wouldn't expect either of
these projects to care about POSIX, but the same description was
copied & pasted into the FHS. And to its credit, systemd has a
page full of documentation on how to avoid this exact problem.

1. https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap10.html
2....

Re: libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) Alan Coopersmith (Mar 17)
I note the blog post also reminds us:

"So much for the fixed vulnerabilities. There are also three known unfixed
security issues remaining in libexpat, and there is a GitHub issue listing
known unfixed security issues in libexpat for anyone interested."

with a link to https://github.com/libexpat/libexpat/issues/1160 inline.

libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) Sebastian Pipping (Mar 17)
Hello oss-security,

just a quick note that libexpat 2.7.5 (or "Expat 2.7.5") released
today is fixing three vulnerabilities.

Some key links are:

- The blog post about it:
https://blog.hartwork.org/posts/expat-2-7-5-released/

- The change log of release 2.7.5
https://github.com/libexpat/libexpat/blob/R_2_7_5/expat/Changes

- The fixing pull requests
- https://github.com/libexpat/libexpat/pull/1158
-...

Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Michal Zalewski (Mar 17)
Nice work... flashbacks from 2002
(https://lcamtuf.coredump.cx/tmp_paper.txt). It's frankly somewhat
mind-boggling that distros keep a world-writable /tmp this day and
age. Whatever questionable benefits it has, it also contributed to
plenty of pointless and easily avoidable vulns.

/mz

snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Qualys Security Advisory (Mar 17)
Qualys Security Advisory

Good things come to those who wait:
snap-confine + systemd-tmpfiles = root (CVE-2026-3888)

========================================================================
Contents
========================================================================

Summary
Case study: Ubuntu Desktop 24.04
- Analysis
- Exploitation
Case study: Ubuntu Desktop 25.10
- Overview
- Exploitation
A quick note on the uutils coreutils (the...

Xen Security Advisory 481 v2 (CVE-2026-23555) - Xenstored DoS by unprivileged domain Xen . org security team (Mar 17)
Xen Security Advisory CVE-2026-23555 / XSA-481
version 2

Xenstored DoS by unprivileged domain

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Any guest issuing a Xenstore command accessing a node using the
(illegal) node path "/local/domain/", will crash xenstored due to a
clobbered error indicator in xenstored when verifying...

Xen Security Advisory 480 v3 (CVE-2026-23554) - Use after free of paging structures in EPT Xen . org security team (Mar 17)
Xen Security Advisory CVE-2026-23554 / XSA-480
version 3

Use after free of paging structures in EPT

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The Intel EPT paging code uses an optimization to defer flushing of any cached
EPT state until the p2m lock is dropped, so that multiple modifications done
under the same locked region only...

CVE-2026-28563: Apache Airflow: DAG authorization bypass Rahul Vats (Mar 17)
Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.8

Description:

In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies endpoint returns the full DAG dependency graph without
filtering by authorized DAG IDs. This allows an authenticated user with only the DAG Dependencies permission to enumerate
DAGs they are not authorized to view.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later,...

CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses Per-DAG RBAC and Leaks Metadata Rahul Vats (Mar 17)
Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.8

Description:

In Apache Airflow versions 3.0.0 through 3.1.7, the FastAPI DagVersion listing API does not apply per-DAG authorization
filtering when the request is made with dag_id set to "~" (the wildcard for all DAGs). As a result, version metadata of
DAGs that the requester is not authorized to access is returned.

Users are recommended to upgrade to...
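Both CVE-2026-28563 and CVE-2026-26929 above are the same class of bug: an endpoint that is gated by a coarse permission returns a collection without intersecting it with the DAG IDs the caller may read, in one case for the dependency graph and in the other when the "~" wildcard expands to every DAG. The Python below is an added example, not Airflow's code: it uses constructed DAG metadata and a hypothetical permission table in place of Airflow's auth manager, and puts the unfiltered behaviour next to a filtered one for each endpoint. Note that the dependency filter drops an edge when either endpoint is unreadable, since an edge to a hidden DAG would still reveal that the DAG exists.

```python
from typing import Dict, List, Set

# Constructed sample data standing in for Airflow's metadata; not real DAGs.
DAG_DEPENDENCIES: Dict[str, List[str]] = {
    "load_sales": [],
    "etl_sales": ["load_sales"],
    "hr_extract": [],
    "hr_payroll": ["hr_extract"],
    "finance_close": ["etl_sales", "hr_payroll"],
}
DAG_VERSIONS: List[dict] = [
    {"dag_id": "etl_sales", "version_number": 3, "bundle_name": "sales"},
    {"dag_id": "load_sales", "version_number": 1, "bundle_name": "sales"},
    {"dag_id": "hr_payroll", "version_number": 7, "bundle_name": "hr"},
    {"dag_id": "finance_close", "version_number": 2, "bundle_name": "finance"},
]

# Hypothetical per-DAG read permissions; in Airflow this answer comes from the auth manager.
DAG_READ_PERMISSIONS: Dict[str, Set[str]] = {
    "sales_analyst": {"etl_sales", "load_sales"},
    "admin": set(DAG_DEPENDENCIES),
}


def authorized_dag_ids(user: str) -> Set[str]:
    return DAG_READ_PERMISSIONS.get(user, set())


def dependencies_unfiltered(user: str) -> Dict[str, List[str]]:
    """Bug modelled: the whole graph goes back to anyone holding the endpoint permission."""
    return dict(DAG_DEPENDENCIES)


def dependencies_filtered(user: str) -> Dict[str, List[str]]:
    """Fix modelled: keep a node only if readable, keep an edge only if both ends are readable."""
    allowed = authorized_dag_ids(user)
    return {
        dag_id: [up for up in upstreams if up in allowed]
        for dag_id, upstreams in DAG_DEPENDENCIES.items()
        if dag_id in allowed
    }


def dag_versions_unfiltered(user: str, dag_id: str) -> List[dict]:
    """Bug modelled: an explicit dag_id is checked, but '~' expands to every DAG in the database."""
    if dag_id == "~":
        return list(DAG_VERSIONS)
    if dag_id not in authorized_dag_ids(user):
        raise PermissionError(f"{user} may not read DAG {dag_id}")
    return [v for v in DAG_VERSIONS if v["dag_id"] == dag_id]


def dag_versions_filtered(user: str, dag_id: str) -> List[dict]:
    """Fix modelled: '~' expands to the caller's readable DAGs, never to all of them."""
    allowed = authorized_dag_ids(user)
    if dag_id == "~":
        wanted = allowed
    elif dag_id in allowed:
        wanted = {dag_id}
    else:
        raise PermissionError(f"{user} may not read DAG {dag_id}")
    return [v for v in DAG_VERSIONS if v["dag_id"] in wanted]


if __name__ == "__main__":
    print("dependencies seen by sales_analyst (bug):", sorted(dependencies_unfiltered("sales_analyst")))
    print("dependencies seen by sales_analyst (fix):", sorted(dependencies_filtered("sales_analyst")))
    print("versions for '~' (bug):", sorted(v["dag_id"] for v in dag_versions_unfiltered("sales_analyst", "~")))
    print("versions for '~' (fix):", sorted(v["dag_id"] for v in dag_versions_filtered("sales_analyst", "~")))
```

The general rule these two functions apply is the one to look for in any listing or graph endpoint: resolve the caller's readable set first, then intersect, and treat a wildcard as "everything I may read" rather than "everything".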

CVE-2026-28779: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications Rahul Vats (Mar 17)
Severity: Medium

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.8

Description:

In Apache Airflow versions 3.1.0 through 3.1.7, the session token (_token) cookie is set with path=/ regardless of the
configured [webserver] base_url or [api] base_url.
This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request
headers, allowing full session takeover without attacking...
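The mechanism behind CVE-2026-28779 is the browser's cookie path-match rule: a cookie set with Path=/ is attached to every request on the origin, including requests to a sibling application under /other-app, whose server then sees the Airflow token in the Cookie header. The Python below is an added example, not Airflow's code: it derives the Path attribute from a base_url, renders the Set-Cookie header both ways, and implements the RFC 6265 section 5.1.4 path-match so you can see which requests would carry each cookie. The base_url, application paths and token value are constructed for the demo.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def cookie_path_for(base_url: str) -> str:
    """Derive the cookie Path attribute from a configured base_url ('/' when there is no prefix)."""
    prefix = urlparse(base_url).path.rstrip("/")
    return prefix or "/"


def build_set_cookie(token: str, base_url: str, scoped: bool = True) -> str:
    """Render the Set-Cookie header value for the session token.

    scoped=False reproduces the reported behaviour (Path=/ whatever base_url says);
    scoped=True restricts the cookie to the configured prefix.
    """
    cookie = SimpleCookie()
    cookie["_token"] = token
    cookie["_token"]["path"] = cookie_path_for(base_url) if scoped else "/"
    cookie["_token"]["httponly"] = True
    cookie["_token"]["secure"] = True
    cookie["_token"]["samesite"] = "Lax"
    return cookie.output(header="").strip()


def path_matches(request_path: str, cookie_path: str) -> bool:
    """The path-match a browser applies before attaching a cookie (RFC 6265, section 5.1.4)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def browser_would_send(set_cookie_header: str, request_path: str) -> bool:
    """Parse the header back and ask whether a request to request_path would carry the cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    # A missing Path attribute is approximated as '/' here; browsers use the request directory.
    return path_matches(request_path, jar["_token"]["path"] or "/")


if __name__ == "__main__":
    base = "https://intranet.example.com/airflow"  # constructed deployment prefix
    leaky = build_set_cookie("sess-token", base, scoped=False)
    fixed = build_set_cookie("sess-token", base)
    for header in (leaky, fixed):
        print(header)
        print("  sent with GET /airflow/api/v2/dags:", browser_would_send(header, "/airflow/api/v2/dags"))
        print("  sent with GET /other-app/login    :", browser_would_send(header, "/other-app/login"))
```

One caveat a reviewer should keep in mind: the Path attribute stops the browser from sending the token to the co-hosted application, which is the leak the advisory describes, but RFC 6265 is explicit that cookies do not provide isolation by path. Script running on the same origin is not kept out by Path, so HttpOnly and, where possible, separate origins per application remain the stronger controls.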

CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization Rahul Vats (Mar 17)
Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.1.0 before 3.1.8

Description:

Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization vulnerability in the Execution API's
Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL
workflows belonging to any other task instance.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which...

[kubernetes] CVE-2026-3864: CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server Rita Zhang (Mar 17)
Hello Kubernetes Community,

A vulnerability was identified in the Kubernetes CSI Driver for NFS where
insufficient validation of the subDir parameter in volume identifiers could
allow path traversal. A malicious user with the ability to create a
PersistentVolume referencing the NFS CSI driver could craft a volumeHandle
containing traversal sequences (for example ../). When the driver performs
cleanup operations during volume deletion, these...
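The dangerous step in the CSI NFS issue is the join: a subDir taken verbatim from an attacker-controlled volumeHandle is appended to the share's mount point and the result is handed to a delete, so "../../" climbs out of the share. The Python below is an added example, written for illustration rather than in the driver's Go and not the project's code: it validates a subDir before the join, refuses absolute paths, leftover ".." components, NUL bytes and the share root itself, and then re-checks that the joined path still lies inside the mount. Mount points, subDir values and function names are constructed for the demo; nothing is deleted.

```python
import posixpath


class UnsafeSubDir(ValueError):
    """Raised when a subDir taken from a volumeHandle could leave the share root."""


def safe_subdir(sub_dir: str) -> str:
    """Normalise subDir and refuse anything absolute or that climbs above the share."""
    if "\x00" in sub_dir:
        raise UnsafeSubDir("NUL byte in subDir")
    if sub_dir in ("", "."):
        return ""
    if posixpath.isabs(sub_dir):
        raise UnsafeSubDir(f"absolute subDir not allowed: {sub_dir!r}")
    normalised = posixpath.normpath(sub_dir)
    # normpath collapses 'a/../b' to 'b'; any '..' left over points above the root.
    if ".." in normalised.split("/"):
        raise UnsafeSubDir(f"subDir escapes the share root: {sub_dir!r}")
    return "" if normalised == "." else normalised


def cleanup_target_vulnerable(mount_root: str, sub_dir: str) -> str:
    """Bug modelled: join whatever the volumeHandle said and hand it to the delete step."""
    return posixpath.join(mount_root, sub_dir)


def resolves_to(path: str) -> str:
    """Where the kernel would actually land for a path with '..' in it (no symlinks considered)."""
    return posixpath.normpath(path)


def cleanup_target(mount_root: str, sub_dir: str) -> str:
    """Fix modelled: validate first, then confirm the joined result is still inside the share."""
    cleaned = safe_subdir(sub_dir)
    if cleaned == "":
        # Design choice for this demo: cleanup never targets the share root itself.
        raise UnsafeSubDir("refusing to operate on the share root")
    target = posixpath.join(mount_root, cleaned)
    root = mount_root.rstrip("/") + "/"
    if not target.startswith(root):  # second line of defence behind safe_subdir
        raise UnsafeSubDir(f"computed path {target!r} is outside {mount_root!r}")
    return target


if __name__ == "__main__":
    share = "/var/lib/kubelet/plugins/csi-nfs/mnt/share-1"  # constructed mount point
    hostile = "../../../../../../../../etc/cron.d"            # constructed subDir from a volumeHandle
    print("vulnerable join resolves to:", resolves_to(cleanup_target_vulnerable(share, hostile)))
    print("safe join for a normal id:  ", cleanup_target(share, "pvc-0b5e"))
    try:
        cleanup_target(share, hostile)
    except UnsafeSubDir as exc:
        print("hostile subDir rejected:    ", exc)
```

The lexical check here is the part the page's description calls for; a driver that deletes on a live NFS mount should additionally resolve the final target with realpath-style logic, since a symlink inside the share can redirect a lexically clean path just as effectively as "../" does.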

More Lists

Dozens of other network security lists are archived at SecLists.Org.