oss-sec: by date

361 messages starting Oct 01 25 and ending Dec 31 25


Wednesday, 01 October

Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Mike O'Connor
Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Emilio Pozuelo Monfort
Django CVE-2025-59681 and CVE-2025-59682 Jacob Walls

Thursday, 02 October

Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz

Friday, 03 October

Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH
fetchmail-SA-2025-01: SMTP AUTH denial of service Alan Coopersmith
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH

Saturday, 04 October

Re: fetchmail-SA-2025-01: SMTP AUTH denial of service now called CVE-2025-61962. Matthias Andree
Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27
Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH

Sunday, 05 October

Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27

Monday, 06 October

Announce: OpenSSH 10.1 released Damien Miller
Resource consumption weakness in Postgres-using applications & frameworks Peter Bex

Tuesday, 07 October

Re: Announce: OpenSSH 10.1 released David Leadbeater
redis: CVE-2025-49844: Lua Use-After-Free may lead to remote code execution Jan Schaumann
several vulnerabilities fixed in Go 1.25.2 and Go 1.24.8 Jan Schaumann

Wednesday, 08 October

Fwd: Heads-up: Upcoming Samba security releases Douglas Bagnall

Thursday, 09 October

CVE-2025-62228: Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC: SQL injection via maliciously crafted identifiers Leonard Xu

Friday, 10 October

Announce: OpenSSH 10.2 released Damien Miller
Go 1.25.2 and Go 1.24.8 fix 10 vulnerabilities Alan Coopersmith

Saturday, 11 October

Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V 许佳凯
Re: Announce: OpenSSH 10.1 released Demi Marie Obenour

Sunday, 12 October

Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution lunbun

Monday, 13 October

BoringSSL private key loading is not constant time Billy Brumley
GHSL-2025-042: Use After Free (UAF) in Poppler - CVE-2025-52885 Alan Coopersmith
Re: BoringSSL private key loading is not constant time Jeffrey Walton
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0007 Adrian Perez de Castro
Re: BoringSSL private key loading is not constant time Peter Gutmann
Re: Announce: OpenSSH 10.1 released David Leadbeater

Tuesday, 14 October

Re: BoringSSL private key loading is not constant time Alex Gaynor
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time Peter Gutmann
Re: BoringSSL private key loading is not constant time Demi Marie Obenour
CVE-2024-44088: Apache Geode: Reflected XSS William Hodges
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time David Benjamin
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time Hanno Böck
CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks Holden Karau
Re: BoringSSL private key loading is not constant time Alex Gaynor
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time Jacob Bachmeyer

Wednesday, 15 October

Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall
CVE-2025-54539: Apache ActiveMQ NMS AMQP Client: Deserialization of Untrusted Data Krzysztof Porębski
RE: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Caveney, Seamus G
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall

Thursday, 16 October

CVE-2025-61581: Apache Traffic Control: ReDoS issue in Traffic Router configuration Arnout Engelen
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall
Re: Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V Solar Designer
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution Solar Designer
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Peter Gutmann

Friday, 17 October

CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system William Hodges
rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Solar Designer
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Jacob Bachmeyer

Saturday, 18 October

Re: BoringSSL private key loading is not constant time Billy Brumley
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Fabio Degrigis

Monday, 20 October

CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated administrators Francesco Chicchiriccò

Tuesday, 21 October

Xen Security Advisory 475 v2 (CVE-2025-58147,CVE-2025-58148) - x86: Incorrect input sanitisation in Viridian hypercalls Xen . org security team
Re: BoringSSL private key loading is not constant time Jacob Bachmeyer
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour

Wednesday, 22 October

ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) Michał Kępień

Thursday, 23 October

PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor Otto Moerbeek

Friday, 24 October

Xen Security Advisory 476 v1 (CVE-2025-58149) - Incorrect removal of permissions on PCI device unplug Xen . org security team

Sunday, 26 October

OOB read / segfault and endless loop in courier mail server 1.5.0 Hanno Böck

Monday, 27 October

Questionable CVE's reported against dnsmasq Alan Coopersmith
Re: Questionable CVE's reported against dnsmasq Jeremy Stanley
Re: Questionable CVE's reported against dnsmasq Andrew Latham
CVE-2025-55752: Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled Mark Thomas
CVE-2025-55754: Apache Tomcat: console manipulation via escape sequences in log messages Mark Thomas
CVE-2025-61795: Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS Mark Thomas
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping
Re: Questionable CVE's reported against dnsmasq Moritz Mühlenhoff
Re: Questionable CVE's reported against dnsmasq Stuart Henderson
Re: Questionable CVE's reported against dnsmasq Jeffrey Walton
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping
Re: Questionable CVE's reported against dnsmasq Collin Funk
Re: Questionable CVE's reported against dnsmasq Michael Orlitzky
Re: Questionable CVE's reported against dnsmasq Matthew Fernandez
Re: Questionable CVE's reported against dnsmasq Hank Leininger
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour
Re: Questionable CVE's reported against dnsmasq Solar Designer
Re: Questionable CVE's reported against dnsmasq nightmare . yeah27
Re: Questionable CVE's reported against dnsmasq Eli Schwartz

Tuesday, 28 October

Re: Questionable CVE's reported against dnsmasq Simon McVittie
Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan
Re: Questionable CVE's reported against dnsmasq Stuart Henderson
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour

Wednesday, 29 October

Multiple vulnerabilities in Jenkins plugins Daniel Beck
Re: Multiple vulnerabilities in Jenkins plugins Sebastian Pipping
CVE-2025-30189: Dovecot IMAP Server: Using auth caching causes the first lookup to be cached for all lookups Camelia Lavender
ISC has disclosed one vulnerability in Kea (CVE-2025-11232) Wlodek Wencel
CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator" Kaxil Naik
CVE-2025-62402: Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API Kaxil Naik
CVE-2025-62503: Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables) Kaxil Naik
Re: Questionable CVE's reported against dnsmasq Alan Coopersmith
Re: Questionable CVE's reported against dnsmasq Douglas Bagnall
Re: Questionable CVE's reported against dnsmasq Salvatore Bonaccorso

Thursday, 30 October

CVE-2025-62232: Apache APISIX: APISIX basic-auth logs plaintext credentials at info level Ashish Tiwari
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Eddie Chapman

Friday, 31 October

Re: Questionable CVE's reported against dnsmasq Petr Menšík
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping
OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875) Matthias Gerstner
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability nightmare . yeah27
Re: Questionable CVE's reported against dnsmasq Art Manion
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer
Re: Multiple vulnerabilities in Jenkins plugins Solar Designer
Re: Questionable CVE's reported against dnsmasq Solar Designer

Saturday, 01 November

Re: Questionable CVE's reported against dnsmasq Art Manion
Re: Questionable CVE's reported against dnsmasq Russ Allbery
Re: Questionable CVE's reported against dnsmasq Collin Funk
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour
Re: Questionable CVE's reported against dnsmasq Russ Allbery
Re: Questionable CVE's reported against dnsmasq Solar Designer

Sunday, 02 November

Re: Questionable CVE's reported against dnsmasq Jeremy Stanley
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson

Monday, 03 November

Re: Questionable CVE's reported against dnsmasq Peter Gutmann
Re: Questionable CVE's reported against dnsmasq Russ Allbery
Re: Questionable CVE's reported against dnsmasq Art Manion
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour

Tuesday, 04 November

[SECURITY ADVISORY] wcurl path traversal with percent-encoded slashes Daniel Stenberg
[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson
Becoming a CVE Naming Authority for your project Rodrigo Freire
CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server Mingyu Chen
Re: Questionable CVE's reported against dnsmasq Art Manion
[CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Demi Marie Obenour
Re: Becoming a CVE Naming Authority for your project Greg KH
Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Solar Designer
[SECURITY ADVISORY] curl: missing SFTP host verification with wolfSSH Daniel Stenberg

Wednesday, 05 November

runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Aleksa Sarai
Xen Security Advisory 471 v3 (CVE-2024-36350,CVE-2024-36357) - x86: Transitive Scheduler Attacks Xen . org security team
[CVE-2025-54574] SQUID-2025:1 Buffer Overflow in URN Handling Amos Jeffries
[CVE-2025-62168] SQUID-2025:2 Information Disclosure in Error handling Amos Jeffries
Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries
Re: Becoming a CVE Naming Authority for your project Olle E. Johansson
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson
Re: Becoming a CVE Naming Authority for your project Peter Gutmann
Re: Becoming a CVE Naming Authority for your project Yogesh Mittal
Django CVE-2025-64458 and CVE-2025-64459 Natalia Bidart
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
Re: Becoming a CVE Naming Authority for your project Matthew Fernandez
Re: Becoming a CVE Naming Authority for your project Art Manion
Re: Becoming a CVE Naming Authority for your project Pedro Sampaio
Re: Becoming a CVE Naming Authority for your project Pedro Sampaio
Re: Questionable CVE's reported against dnsmasq Pedro Sampaio

Thursday, 06 November

scx: Unauthenticated scx_loader D-Bus Service can lead to major Denial-of-Service Matthias Gerstner
Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 akendo () akendo eu
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson
Re: Becoming a CVE Naming Authority for your project Olle E. Johansson
Re: Becoming a CVE Naming Authority for your project Pat Gunn
Re: Becoming a CVE Naming Authority for your project Jeremy Stanley

Friday, 07 November

Re: Becoming a CVE Naming Authority for your project Peter Gutmann
Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Ali Polatel

Tuesday, 11 November

CVE-2025-59118: Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload Jacques Le Roux
CVE-2025-61623: Apache OFBiz: Reflected Cross-site Scripting Jacques Le Roux
CVE-2024-47866 Ceph: RGW DoS via improper input validation. Sage [They / Them] McTaggart
CVE-2025-64401: Apache OpenOffice: Remote documents loaded without prompt via IFrame Arrigo Marchiori
CVE-2025-64402: Apache OpenOffice: Remote documents loaded without prompt via OLE objects Arrigo Marchiori
CVE-2025-64403: Apache OpenOffice: Remote documents loaded without prompt via "external data sources" in Calc Arrigo Marchiori
CVE-2025-64404: Apache OpenOffice: Remote documents loaded without prompt via background and bullet images Arrigo Marchiori
CVE-2025-64405: Apache OpenOffice: Remote documents loaded without prompt via DDE function Arrigo Marchiori
CVE-2025-64406: Apache OpenOffice: Possible memory corruption during CSV import Arrigo Marchiori
CVE-2025-64407: Apache OpenOffice: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables Arrigo Marchiori

Wednesday, 12 November

CVE-2025-57812 libcupsfilters, cups-filters 1.x: Multiple TIFF-related issues in libcupsfilters Zdenek Dohnal
CVE-2025-64503 libcupsfilters, cups-filters 1.x: out of bounds write in pdftoraster Zdenek Dohnal
Re: Questionable CVE's reported against dnsmasq Peter Gutmann

Thursday, 13 November

Re: Questionable CVE's reported against dnsmasq Alexander Patrakov
Re: Questionable CVE's reported against dnsmasq Jacob Bachmeyer
Re: Questionable CVE's reported against dnsmasq Peter Gutmann
CVE-2025-40300 / VMScape Bjoern Franke

Friday, 14 November

Re: CVE-2025-40300 / VMScape Alan Coopersmith
Re: Questionable CVE's reported against dnsmasq Jeffrey Walton
Re: CVE-2025-40300 / VMScape Moritz Mühlenhoff
PostgreSQL releases fixes for CVE-2025-12817 & CVE-2025-12818 Alan Coopersmith
Re: Questionable CVE's reported against dnsmasq Peter Gutmann

Sunday, 16 November

Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Salvatore Bonaccorso

Monday, 17 November

GitGuardian GGShield SSL/TLS Verification Bypass (No CVE) tanish saxena
Re: CVE-2025-40300 / VMScape Bjoern Franke
Re: CVE-2025-40300 / VMScape Solar Designer
lightdm-kde-greeter: Privilege Escalation from lightdm Service User to root in KAuth Helper Service (CVE-2025-62876) Matthias Gerstner
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073) Jeremy Stanley

Tuesday, 18 November

[SECURITY PATCH 0/8] GRUB2 vulnerabilities - 2025/11/18 Daniel Kiper
[SECURITY PATCH 1/8] commands/test: Fix error in recursion depth calculation Daniel Kiper
[SECURITY PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close() Daniel Kiper
[SECURITY PATCH 3/8] net/net: Unregister net_set_vlan command on unload Daniel Kiper
[SECURITY PATCH 4/8] gettext/gettext: Unregister gettext command on module unload Daniel Kiper
[SECURITY PATCH 5/8] normal/main: Unregister commands on module unload Daniel Kiper
[SECURITY PATCH 6/8] tests/lib/functional_test: Unregister commands on module unload Daniel Kiper
[SECURITY PATCH 7/8] commands/usbtest: Use correct string length field Daniel Kiper
[SECURITY PATCH 8/8] commands/usbtest: Ensure string length is sufficient in usb string processing Daniel Kiper
Re: SQLite - Integer Overflow in FTS5 Extension [CVE-2025-7709] John Hein

Wednesday, 19 November

CVE-2025-64408: Apache Causeway: Java deserialization vulnerability to authenticated attackers Dan Haywood

Thursday, 20 November

CVE-2025-64524 cups-filters: Heap Buffer Overflow in rastertopclx Filter Leading to Potential Arbitrary Code Execution Zdenek Dohnal
gnutls 3.8.11 released with fix for CVE-2025-9820 Alan Coopersmith

Friday, 21 November

libpng 1.6.51: Four buffer overflow vulnerabilities fixed: CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018 Cosmin Truta

Monday, 24 November

CVE-2025-65998: Apache Syncope: Default AES key used for internal password encryption Francesco Chicchiriccò

Tuesday, 25 November

CVE-2025-59390: Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly. Karan Kumar

Wednesday, 26 November

5 CVE's fixed in Fluent Bit Alan Coopersmith
CVE-2025-62728: Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs Stamatis Zampetakis
Unbound: 1.24.2 addresses CVE-2025-11411 (again) Yorgos Thessalonikefs
CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability Zhenxu Ke
CVE-2025-59302: Apache CloudStack: Potential remote code execution on Javascript engine defined rules Harikrishna Patnala
CVE-2025-59454: Apache CloudStack: Lack of user permission validation leading to data leak for few APIs Harikrishna Patnala

Thursday, 27 November

CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack Zdenek Dohnal
CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues Zdenek Dohnal

Friday, 28 November

CVE-2023-48796: Apache DolphinScheduler: Sensitive information disclosure Lidong Dai
CVE-2025-59790: Apache Kvrocks: RESET command grants admin privileges Hulk Lin
CVE-2025-59792: Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins Hulk Lin

Sunday, 30 November

CVE-2025-59789: Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser Wang Weibing

Monday, 01 December

CVE-2025-64775: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - S2-068 Lukasz Lenart
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0008 Adrian Perez de Castro
[kubernetes] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager Nathan Herz
CVE-2025-12183 in lz4-java, fixed in new fork Alan Coopersmith
Re: 5 CVE's fixed in Fluent Bit Christian Brabandt
expat looking for help with another unfixed non-public denial-of-service vulnerability [CVE-2025-66382] Alan Coopersmith

Tuesday, 02 December

Re: 5 CVE's fixed in Fluent Bit Christian Fischer
Django CVE-2025-13372 and CVE-2025-64460 Natalia Bidart
Re: 5 CVE's fixed in Fluent Bit Christian Brabandt
[vim-security] A Windows uncontrolled search path vulnerability affects Vim < 9.1.1947 Christian Brabandt
FW: X.Org Security Advisory: multiple security issues in xkbcomp Peter Hutterer

Wednesday, 03 December

Re: Questionable CVE's reported against dnsmasq Christian Fischer
Re: 5 CVE's fixed in Fluent Bit Christian Fischer
CVE-2025-55182: RCE in React Server Components Jan Schaumann
libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta
Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Alan Coopersmith
Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta
Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Greg Roelofs
CVE-2025-53960: Apache StreamPark: Use the user’s password as the secret key Vulnerability Huajie Wang

Thursday, 04 December

CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected Tim Allison
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 Adrian Perez de Castro
CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals Eric Covener
CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... Eric Covener
CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF Eric Covener
CVE-2025-65082: Apache HTTP Server: CGI environment variable override Eric Covener
CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo Eric Covener
Re: [webkit-gtk] WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 Adrian Perez de Castro
React2Shell (CVE-2025-55182/CVE-2025-66478) Jeffrey Walton

Friday, 05 December

Island: Sandboxing tool powered by Landlock Mickaël Salaün
CVE-2025-66566 fixed in lz4-java 1.10.1 Alan Coopersmith
Go 1.25.5 and Go 1.24.11 are released - fix CVE-2025-61729 & CVE-2025-61727 Alan Coopersmith
CVE-2025-66418 & CVE-2025-66471 fixed in urllib3 2.6.0 Alan Coopersmith
CPython vulnerable to CVE-2025-13836, CVE-2025-13837, & CVE-2025-12084 Alan Coopersmith

Monday, 08 December

PowerDNS Security Announcement 2025-07 and 2025-08 regarding PowerDNS Recursor Otto Moerbeek
CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Brad House
Re: CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Demi Marie Obenour

Tuesday, 09 December

CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability VGalaxies

Wednesday, 10 December

EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann
CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed Lukasz Lenart
LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre
Multiple vulnerabilities in Jenkins and Jenkins plugins Kevin Guerroudj
Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Marco Moock
smb4k: Major Vulnerabilities in KAuth Helper (CVE-2025-66002, CVE-2025-66003) Matthias Gerstner
CVE-2025-8110 in Gogs self-hosted git service Alan Coopersmith
Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre

Thursday, 11 December

Update: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann
Re: CVE-2025-8110 in Gogs self-hosted git service Jakub Wilk
Re: CVE-2025-8110 in Gogs self-hosted git service Martin Weinelt
CVE-2025-23408: Apache Fineract: weak password policy Adam Monsen
CVE-2025-58130: Apache Fineract: Server Key not masked Adam Monsen
CVE-2025-58137: Apache Fineract: IDOR via self-service API Adam Monsen

Friday, 12 December

CVE-2025-66388: Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI Ephraim Anierobi
CVE-2025-65995: Apache Airflow: Disclosure of secrets to UI via kwargs Ephraim Anierobi
CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability Huajie Wang
CVE-2025-54981: Apache StreamPark: Weak Encryption Algorithm in StreamPark Huajie Wang
Re: CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability Solar Designer

Sunday, 14 December

Re: Update: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann
additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) Jan Schaumann

Monday, 15 December

uriparser 1.0.0 fixes CVE-2025-67899 (DoS, CWE-674) Sebastian Pipping

Tuesday, 16 December

XXE vulnerabilities in electronic invoicing software (Kivitendo, peppol-py, ZUV) Hanno Böck
Dropbear 2025.89 fixes privilege escalation, CVE-2025-14282 Matt Johnston
CVE-2025-67895: Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2 Jarek Potiuk
[CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings turistu
Re: [CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings Jacob Bachmeyer
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0010 Adrian Perez de Castro

Wednesday, 17 December

[kubernetes] CVE-2025-14269: Credential caching in Headlamp with Helm enabled Craig Ingram

Thursday, 18 December

CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender Piotr Karwasz
CVE-2025-66524: Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor David Handermann
Release: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99.1 released Heiko Schlittermann

Friday, 19 December

Avahi simple protocol server accepts unlimited connections [CVE-2025-59529] Alan Coopersmith

Saturday, 20 December

Re: A couple of security issues? Greg KH
A couple of security issues? Artem S. Tashkinov

Friday, 26 December

CVE-2018-25153 against GNU barcode seems bogus Collin Funk
[Advisory] WebKit/iOS 26.2: Gigacage Boundary Violation via Logic Flaw enabling OOB Access Joseph Goydish II

Saturday, 27 December

CVE-2025-68460/CVE-2025-68461: Roundcube XSS + I-D prior to 1.5.12/1.6.12 Valtteri Vuorikoski
CVE-2025-68637: : Insecure SSL Configuration in Uniffle HTTP Client roryqi
Many vulnerabilities in GnuPG Demi Marie Obenour
Re: Many vulnerabilities in GnuPG Solar Designer
Re: Many vulnerabilities in GnuPG Solar Designer
Systemd vsock sshd Greg Dahlman
Re: Many vulnerabilities in GnuPG Jacob Bachmeyer

Sunday, 28 December

Re: Many vulnerabilities in GnuPG Stephan Verbücheln
Re: Many vulnerabilities in GnuPG Sam James
Re: Many vulnerabilities in GnuPG Sam James
Re: Systemd vsock sshd yen-mummify-yeah
Re: Systemd vsock sshd Sam James
Re: Systemd vsock sshd Sam James
Re: Many vulnerabilities in GnuPG Jeffrey Walton
Best practices for signature verifcation Demi Marie Obenour
Re: Many vulnerabilities in GnuPG Demi Marie Obenour
Re: Systemd vsock sshd Greg Dahlman
Re: Systemd vsock sshd Jacob Bachmeyer
Re: Many vulnerabilities in GnuPG Salvatore Bonaccorso

Monday, 29 December

Re: Best practices for signature verifcation kf503bla
Re: Many vulnerabilities in GnuPG Stephan Verbücheln
Re: Many vulnerabilities in GnuPG Werner Koch
Re: Many vulnerabilities in GnuPG Neal Gompa
Re: Many vulnerabilities in GnuPG Andreas Metzler
Re: Systemd vsock sshd Benjamin McMahon
Re: Systemd vsock sshd Greg Dahlman
CVE-2025-47411: Apache StreamPipes: Leverage of User ID for Privilege Escalation Philipp Zehnder
Re: Many vulnerabilities in GnuPG Lexi Groves (49016)
Re: Best practices for signature verifcation Steffen Nurpmeso
Re: Best practices for signature verifcation Max Jonas Werner
BSDiff (bspatch): remotely triggerable out-of-bound memory access Steffen Nurpmeso
Re: Systemd vsock sshd Greg Dahlman
Re: Systemd vsock sshd Pat Gunn
"MongoBleed" CVE-2025-14847 in many versions of MongoDB Alan Coopersmith
Re: Systemd vsock sshd Greg Dahlman
Re: Many vulnerabilities in GnuPG Henrik Ahlgren
Re: Many vulnerabilities in GnuPG Sam James
Re: Many vulnerabilities in GnuPG Peter Gutmann
Re: Many vulnerabilities in GnuPG Demi Marie Obenour

Tuesday, 30 December

Re: Many vulnerabilities in GnuPG Alan Coopersmith
Re: Systemd vsock sshd Jacob Bachmeyer
Systemd vsock sshd wish42offcl98
Re: safe use of cleartext signatures? (was: Many vulnerabilities in GnuPG) Jacob Bachmeyer
Re: safe use of cleartext signatures? Werner Koch
Re: Many vulnerabilities in GnuPG Jacob Bachmeyer
Re: Many vulnerabilities in GnuPG Demi Marie Obenour
Re: Many vulnerabilities in GnuPG Demi Marie Obenour
Re: Many vulnerabilities in GnuPG Peter Gutmann
Re: safe use of cleartext signatures? Demi Marie Obenour
Re: Systemd vsock sshd Demi Marie Obenour
Re: Many vulnerabilities in GnuPG Sam James
Re: Systemd vsock sshd Greg Dahlman
Re: Many vulnerabilities in GnuPG Henrik Ahlgren
Re: Many vulnerabilities in GnuPG Collin Funk
Re: Best practices for signature verifcation Ali Polatel
Re: Re: Best practices for signature verifcation Eli Schwartz
Re: Re: Best practices for signature verifcation Eli Schwartz
Re: Many vulnerabilities in GnuPG Jacob Bachmeyer
Re: Many vulnerabilities in GnuPG Jeffrey Walton

Wednesday, 31 December

Re: Many vulnerabilities in GnuPG Peter Gutmann
Re: safe use of cleartext signatures? Werner Koch
Re: Best practices for signature verifcation Simon Josefsson
CVE-2025-48768: Apache NuttX RTOS: fs/inode: fs_inoderemove root inode removal Tomasz Cedro
CVE-2025-48769: Apache NuttX RTOS: fs/vfs/fs_rename: use after free Tomasz Cedro
Re: Best practices for signature verifcation Steffen Nurpmeso
Re: Re: Best practices for signature verifcation Collin Funk
Re: Re: Best practices for signature verifcation Demi Marie Obenour
Re: Systemd vsock sshd Pat Gunn