Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Ellenor Bjornsdottir (Apr 28)
FYI:

As Alan Coopersmith just said, oss-security is a public mailing list.
You would need to have emailed only individual persons and private
mailing lists (like secalert () redhat com and Mr Butskoy) related to the
development and distribution of the program in question for this to
have been coordinated disclosure. The public message to
oss-security () lists openwall com would then need to be posted in July,
not this month.

Remember that for...

CVE-2026-40560: Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence Timothy Legge (Apr 28)
========================================================================
CVE-2026-40560 CPAN Security Group
========================================================================

CVE ID: CVE-2026-40560
Distribution: Starman
Versions: before 0.4018

MetaCPAN: https://metacpan.org/dist/Starman
VCS Repo: https://github.com/miyagawa/Starman

Starman versions before 0.4018...

Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Alan Coopersmith (Apr 28)
No, you cc'ed oss-security, a public mailing list with public archives:
https://www.openwall.com/lists/oss-security/2026/04/28/20
so you made uncoordinated public disclosure (aka "dropped 0-day") today.

Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Dmitry Butskoy (Apr 28)
MOHAMED,

Since this fragment of code first appeared in 2.0.12 (in 2008), the
statement "n -= hlen;" has been present here, including in the current
version, 2.1.6; see line 1423 of traceroute/traceroute.c:

What source did you use? Why is your report for version 2.1.2 when the
latest version is 2.1.6?

Note again that version 2.1.2 has this statement as well.

Could you please find out where you got this inherently corrupted...

Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 Dmitry Butskoy (Apr 28)
Thanks for the report. I'll review it in the next few hours.

MOHAMED AZIZ RAHMOUNI wrote:

[SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 MOHAMED AZIZ RAHMOUNI (Apr 28)
Hello,

I am reporting a security vulnerability I discovered in traceroute 2.1.2
during manual code review and dynamic fuzzing.

Summary:
An out-of-bounds read exists in traceroute/traceroute.c. After recvmsg()
returns, bufp is advanced past the IPv4 header (bufp += hlen) but n is not
decremented accordingly. The subsequent call:

handle_extensions(pb, bufp + offs, n - offs, step);

passes a len value that is hlen bytes (20 for IPv4, 40 for...

Re: Coordinated Disclosure in the LLM Age Greg Dahlman (Apr 28)
As I have been struggling with the ethics of releasing a POC I discussed
on this list (which just shared previously disclosed issues), let me provide
some feedback.

1) While most model providers are following the common dark pattern of
implicitly opting in non-enterprise users into data collection for
training, the maximum acceptable embargo period for issues disclosed to
these lists is 14 days, way shorter than the training period for the...

Xen Security Advisory 489 v1 (CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486) - Multiple RBAC issues in XAPI Xen . org security team (Apr 28)
Xen Security Advisory CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486 / XSA-489

Multiple RBAC issues in XAPI

ISSUE DESCRIPTION
=================

XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged....

CVE-2026-41873: Pony Mail: Admin account takeover via request smuggling Arnout Engelen (Apr 28)
Severity: critical

Affected versions:

- Pony Mail: all versions

Description:

** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
vulnerability in Pony Mail leading to admin account takeover.

This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under
development under the name "Pony Mail Foal" that is not...

The GNU C Library security advisories update for 2026-04-28 Carlos O'Donell (Apr 28)
The following security advisories have been published:

GLIBC-SA-2026-0011:
===================
Potential buffer overflow in ns_sprintrrf TSIG handling path

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the
GNU C Library version 2.2 and newer fail to enforce the caller-supplied
buffer length, and can result in an out-of-bounds write when printing
TSIG records.

A defect in the TSIG case handling within ns_sprintrrf performs a...

Coordinated Disclosure in the LLM Age Jeremy Stanley (Apr 28)
As I'm sure is the case for everyone, the projects I work in are
under a seemingly unending deluge of vulnerability reports from
researchers using LLMs to mine for security gold in our software. At
the same time, we see maintainers on our projects relying on
LLM-oriented tools to develop fixes for vulnerabilities and compose
prose for advisories.

While I take a moment to catch my breath, this new Bizarro World
we're all living in...

Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver Xen . org security team (Apr 28)
Xen Security Advisory CVE-2026-31787 / XSA-487
version 2

Linux kernel double free in Xen privcmd driver

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The Linux kernel's privcmd driver can be abused to circumvent kernel
lockdown (secure boot) by causing a double free of kernel memory.

Note that this operation can be performed by root...

Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table v2 race in status page mapping Xen . org security team (Apr 28)
Xen Security Advisory CVE-2026-23558 / XSA-486
version 2

grant table v2 race in status page mapping

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The adjustments made for XSA-379 as well as those subsequently becoming
XSA-387 still left a race window, when an HVM or PVH guest does a grant
table version change from v2 to v1 in parallel with...

Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file Xen . org security team (Apr 28)
Xen Security Advisory CVE-2026-31786 / XSA-485
version 2

Linux kernel out of bounds read via Xen-related sysfs file

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The Linux sysfs file /sys/hypervisor/properties/buildid does not
contain printable information, but a binary value of typically 16 or
20 bytes, which is not terminated by a zero byte....

Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command Xen . org security team (Apr 28)
Xen Security Advisory CVE-2026-23557 / XSA-484
version 2

Xenstored DoS via XS_RESET_WATCHES command

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Any guest can cause xenstored to crash by issuing an XS_RESET_WATCHES
command within a transaction due to an assert() triggering.

In case xenstored was built with NDEBUG #defined nothing bad...
