Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

Re: CVE-2025-8110 in Gogs self-hosted git service Martin Weinelt (Dec 11)
Per gusted, a Forgejo developer, the relevant code was rewritten way
back in https://github.com/go-gitea/gitea/pull/6314.

People have since tried to attack it, but have not been successful.

That means Forgejo and Gitea are most likely unaffected.

---

Martin Weinelt

Re: CVE-2025-8110 in Gogs self-hosted git service Jakub Wilk (Dec 11)
* Alan Coopersmith <alan.coopersmith () oracle com>, 2025-12-10 15:18:

Gogs has a couple of notable forks: Gitea, Forgejo.
Does anyone know if they are affected?

Update: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann (Dec 11)
Update: Coordinated release date

Heiko Schlittermann <hs () nodmarc schlittermann de> (Wed 10 Dec 2025 13:51:13 CET):


Coordinated Release Date: 2025-12-18 15:00 UTC.
Repo-URL: https://code.exim.org/exim/exim
Tag: exim-4.99.1 (on branch exim-4.99+fixes)

To allow distros to prepare the packages: starting from 2025-12-15 15:00 UTC
you can git-pull the 4.99.1 release via ssh://git () code exim org/exim/exim-distros
(The repo is...

Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre (Dec 10)
Here, with LibreOffice, this is worse, because this occurs whenever
the LibreOffice window gets the focus.

As a comparison, with Atril, when I choose "Save As...", the file name
(without the extension) gets selected and the PRIMARY selection is
modified (it gets this selection), which is bad. But at least, when
I modify the PRIMARY selection by selecting something in another
application and the focus is given back to the "Save...

CVE-2025-8110 in Gogs self-hosted git service Alan Coopersmith (Dec 10)
https://github.com/gogs/gogs offers a MIT-licensed self-hosted git service.

https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit warns of
CVE-2025-8110, an as-yet-unfixed vulnerability in this service which they say
they are seeing being actively exploited.

It says:

[...]

The original blog post at
https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
has further details, including images that are missing from...

smb4k: Major Vulnerabilities in KAuth Helper (CVE-2025-66002, CVE-2025-66003) Matthias Gerstner (Dec 10)
Hello list,

please find below a detailed report of vulnerabilities found in smb4k [1].
These issues have been pre-disclosed to the distros mailing list on
2025-12-01, and today is the general publication date. We also offer a
rendered HTML version of this report on our blog [2].

Summary: smb4k is a KDE desktop related utility which allows
unprivileged mounts of Samba/CIFS network shares. The utility was
already rejected from entering openSUSE...

Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Marco Moock (Dec 10)
On 10.12.2025 at 12:35:17 Vincent Lefevre wrote:

This behavior exists in various applications like browsers, when
focusing the address bar (I saw that in Pale Moon). Dunno if that is
related to the GTK toolkit.

The common behavior for applications is that text is only copied to
primary if it is actively selected.

Multiple vulnerabilities in Jenkins and Jenkins plugins Kevin Guerroudj (Dec 10)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.541
* Jenkins LTS 2.528.3
* BlazeMeter Plugin 4.27
* Coverage Plugin 2.3056.v1dfe888b_0249
* Git client Plugin 6.4.1

Additionally, we announce unresolved security issues in the following
plugins:

* HashiCorp Vault Plugin
* Redpen...

LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre (Dec 10)
Under Linux X11, LibreOffice (Writer, Calc, Draw...) silently puts
searched text into the PRIMARY selection when a search is active and
its window gets the focus. This can cause such text to be disclosed
to web sites (when one clicks with the middle button in some form)
and to other applications using the same X server (without needing
any action from the user).

A search in LibreOffice should have remained local to LibreOffice.
Text entered in...

CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed Lukasz Lenart (Dec 10)
Severity: important

Affected versions:
- Apache Struts (org.apache.struts:struts2-core) 2.0.0 through 6.7.*
- Apache Struts (org.apache.struts:struts2-core) 7.0.0 through 7.0.*

Description:
Denial of Service vulnerability in Apache Struts, file leak in
multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0
through 7.0.3.
Users are recommended to upgrade to version 6.8.0 or...

EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann (Dec 10)
Dear Exim users,

we got reported two possible (related) vulnerabilities in the
latest 4.99 release. From the original report:

,---
| In vulnerable configurations, a remote, unauthenticated attacker can
| achieve heap corruption. I was unable to develop an end-to-end exploit
| chain for remote code execution, but it may be possible with further
| work.
`---

We do not publish any further details yet, until the fix goes public.

While we do not...

CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability VGalaxies (Dec 09)
Severity: moderate

Affected versions:

- Apache HugeGraph-Server 1.0.0 ~ 1.5.0 (before 1.7.0)

Description:

A remote code execution vulnerability exists where a malicious Raft
node can exploit insecure Hessian deserialization within the PD store.
The fix enforces IP-based authentication to restrict cluster
membership and implements a strict class whitelist to harden the
Hessian serialization process against object injection attacks.

Users are...

Re: CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Demi Marie Obenour (Dec 08)
Use-after-free can also lead to information leaks or code execution.

CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Brad House (Dec 08)
Moderate.

Use after free() in read_answer() when process_answer() may terminate a
query, such as after maximum attempts. This caused the connection to be
closed while additional answers could still possibly be processed. This
is a missed case from CVE-2025-31498.

Use after free will lead to crash / Denial of Service.

Patch:
https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618.patch

Links:...
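The pattern the advisory above describes, a callback that closes the connection while its caller keeps consuming answers, shown as an added, self-contained illustration. This is not c-ares code: the types and functions (conn_t, answer_t, process_answer, read_answer_vulnerable, read_answer_fixed, MAX_ATTEMPTS) are invented for this example, the answer sequence is constructed, and "closing" only clears a flag so the vulnerable variant can be run safely and its post-close accesses counted instead of dereferencing freed memory.

```c
/* Added example for the c-ares advisory above: illustrative code written for
   this page, not c-ares source. All names are invented. "Closing" the
   connection only clears a flag here (a real implementation would free() it),
   so the vulnerable loop's touches after close are counted, not executed
   as a real use-after-free. */
#include <stdio.h>

#define MAX_ATTEMPTS 2   /* assumed retry limit for the example */

typedef struct {
    int alive;          /* 1 while the connection is open */
    int attempts;       /* failed attempts seen on this connection */
    int late_accesses;  /* touches of the connection after it was closed */
} conn_t;

typedef struct { int is_error; } answer_t;

/* Close the connection. Stands in for free(conn) in a real resolver. */
static void close_connection(conn_t *c) { c->alive = 0; }

/* Handle one answer. Returns 1 if the query was terminated (and the
   connection closed), 0 if the caller may keep processing answers. */
static int process_answer(conn_t *c, const answer_t *a) {
    if (a->is_error) {
        c->attempts++;
        if (c->attempts >= MAX_ATTEMPTS) {
            close_connection(c);   /* give up on the query */
            return 1;
        }
    }
    return 0;
}

/* Vulnerable shape: ignores the terminate signal and keeps consuming
   answers on a connection that process_answer() already closed.
   Returns the number of accesses made after the close. */
static int read_answer_vulnerable(conn_t *c, const answer_t *answers, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!c->alive) c->late_accesses++;   /* would be a UAF on freed memory */
        process_answer(c, &answers[i]);
    }
    return c->late_accesses;
}

/* Fixed shape: stop as soon as the callee reports the connection is gone. */
static int read_answer_fixed(conn_t *c, const answer_t *answers, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!c->alive) c->late_accesses++;
        if (process_answer(c, &answers[i]))
            break;                           /* connection closed: do not touch it again */
    }
    return c->late_accesses;
}

/* Constructed input: two error answers exhaust MAX_ATTEMPTS, then two more
   answers arrive on the same (now closed) connection. */
static int demo(int fixed) {
    const answer_t answers[] = { {1}, {1}, {0}, {0} };
    conn_t c = { 1, 0, 0 };
    return fixed ? read_answer_fixed(&c, answers, 4)
                 : read_answer_vulnerable(&c, answers, 4);
}

int main(void) {
    printf("vulnerable loop: %d accesses after close\n", demo(0));
    printf("fixed loop:      %d accesses after close\n", demo(1));
    return 0;
}
```

The point of the fixed loop is that the callee's "query terminated" status is the only thing telling the caller the object it is iterating over no longer exists; dropping that return value is exactly the kind of missed case the advisory refers to.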

PowerDNS Security Announcement 2025-07 and 2025-08 regarding PowerDNS Recursor Otto Moerbeek (Dec 08)
Today we have released PowerDNS Recursor 5.1.9, 5.2.7 and 5.3.3.

These releases fix two PowerDNS Security Advisories:

* 2025-07: Internal logic flaw in cache management can lead to a
denial of service in Recursor
* 2025-08: Insufficient validation of incoming notifies over TCP can
lead to a denial of service in Recursor.

PowerDNS Security...
