
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
List Archives
| Year | Jan–Mar | Apr–Jun | Jul–Sep | Oct–Dec |
|------|---------|---------|---------|---------|
| 2022 | 212 | 102 | – | – |
| 2021 | 281 | 236 | 193 | 182 |
| 2020 | 131 | 219 | 211 | 241 |
| 2019 | 199 | 237 | 257 | 176 |
| 2018 | 287 | 256 | 284 | 279 |
| 2017 | 701 | 658 | 596 | 437 |
| 2016 | 738 | 637 | 689 | 788 |
| 2015 | 1068 | 839 | 658 | 618 |
| 2014 | 714 | 711 | 886 | 1185 |
| 2013 | 777 | 648 | 688 | 583 |
| 2012 | 815 | 578 | 591 | 549 |
| 2011 | 640 | 738 | 550 | 591 |
| 2010 | 291 | 376 | 465 | 383 |
| 2009 | 250 | 264 | 272 | 304 |
| 2008 | 206 | 390 | 402 | 358 |
Latest Posts
Re: linux-distros list policy and Linux kernel
Anthony Liguori (May 15)
My understanding is that all of the following things are expected to happen
while under a security () vger kernel org embargo:
A) Patches are posted to an appropriate public kernel mailing list and
their correctness is discussed.
B) Patches are merged into an appropriate maintainer tree.
C) Patches may be merged into Linus' tree and stable trees if appropriate.
D) Distros may release updates based on (C) as part of normal course of...
Re: linux-distros list policy and Linux kernel
Igor Seletskiy (May 15)
My vote would be for #1
Linux kernel is a huge ecosystem in its own right with many vested
players. They arrived at their way of handling security issues, and
overall doing a good job. It will be really hard to change that
ecosystem from the outside. This would make #2 very similar to #3 in many
cases.
linux-distros list policy and Linux kernel
Solar Designer (May 15)
Hi,
This is a lengthy and belated message, yet I think is something we need
to discuss in here.
Context:
(linux-)distros list policy is generally to treat as public issues for
which a fix is public. For issues that haven't yet been brought to
(linux-)distros, this means they shouldn't be - and instead should be
brought to oss-security right away. For issues that have been on
(linux-)distros, this means an oss-security posting is to...
CVE-2022-29162: runc < 1.1.2 incorrect handling of inheritable capabilities in default configuration
Aleksa Sarai (May 11)
A security update for runc (v1.1.2) was released to mitigate
CVE-2022-29162, which is a low severity vulnerability related to
mishandling of inheritable capabilities which resulted in an atypical
Linux environment inside containers.
As the inheritable set was a subset of the permitted capabilities (which
are limited) this bug does not affect the container security boundary,
it simply ensures that programs running inside the container do not...
[SECURITY ADVISORY] curl: HSTS bypass via trailing dot
Daniel Stenberg (May 10)
HSTS bypass via trailing dot
============================
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-30115.html)
VULNERABILITY
-------------
curl's HSTS check could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS directly instead
of using an insecure clear-text HTTP step even when HTTP is provided in the
URL. This mechanism could be...
[SECURITY ADVISORY] curl: TLS and SSH connection too eager reuse
Daniel Stenberg (May 10)
TLS and SSH connection too eager reuse
======================================
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27782.html)
VULNERABILITY
-------------
libcurl would reuse a previously created connection even when a TLS or SSH
related option had been changed that should have prohibited reuse.
libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse...
[SECURITY ADVISORY] curl: CERTINFO never-ending busy-loop
Daniel Stenberg (May 10)
CERTINFO never-ending busy-loop
===============================
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27781.html)
VULNERABILITY
-------------
libcurl provides the `CURLOPT_CERTINFO` option to allow applications to
request details to be returned about a TLS server's certificate chain.
Due to an erroneous function, a malicious server could make libcurl built with
NSS get stuck in a...
[SECURITY ADVISORY] curl: percent-encoded path separator in URL host
Daniel Stenberg (May 10)
percent-encoded path separator in URL host
==========================================
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27780.html)
VULNERABILITY
-------------
The curl URL parser wrongly accepts percent-encoded URL separators like '/'
when decoding the host name part of a URL, making it a *different* URL using
the wrong host name when it is later retrieved.
For example, a URL...
[SECURITY ADVISORY] curl: cookie for trailing dot TLD
Daniel Stenberg (May 10)
cookie for trailing dot TLD
===========================
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27779.html)
VULNERABILITY
-------------
libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if
the host name is provided with a trailing dot.
curl can be told to receive and send cookies when communicating using
HTTP(S). curl's "cookie engine" can be built with or...
[SECURITY ADVISORY] curl: removes wrong file on error
Daniel Stenberg (May 10)
curl removes wrong file on error
================================
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27778.html)
VULNERABILITY
-------------
curl might remove the wrong file when `--no-clobber` is used together with
`--remove-on-error`.
The `--remove-on-error` option tells curl to remove the output file when it
returns an error, and not leave a partial file behind. The `--no-clobber`
option...
Re: Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel version
Minh Yuan (May 10)
By the way, this race issue has been assigned CVE-2022-1652 by Red Hat.
On Tue, May 10, 2022 at 14:59, Minh Yuan <yuanmingbuaa () gmail com> wrote:
Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel version
Minh Yuan (May 10)
Hi everyone,
My fuzzer discovered another concurrency uaf between reset_interrupt and
floppy_end_request in the latest kernel version (5.17.5 for now).
The root cause is that after deallocating current_req in floppy_end_request,
reset_interrupt still holds the freed current_req->error_count and accesses
it concurrently.
Here is the KASAN report:
BUG: KASAN: use-after-free in bad_flp_intr+0x332/0x460
Call Trace:
__dump_stack...
Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging
Jan Lehnardt (May 09)
This is automated by ASF infrastructure, I sadly have no say over this. But maybe we can add a footer with the address next time :)
Perfect, thanks!
Jan
—
Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging
Archange (May 09)
On 09/05/2022 at 13:41, Jan Lehnardt wrote:
Sure, you should put this address in copy when posting to oss-security
then, so you would be sure people reply to that one too. ;)
Thanks, so you use a default env file to set the variable and allow
people to easily change it in the case of a clustered setup. Will do so
as well then!
Regards,
Bruno
Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging
Jan Lehnardt (May 09)
Hi Bruno,
first of all, thanks for maintaining CouchDB for Arch. Secondly, for any security related questions, please do not
hesitate to contact security () couchdb apache org instead of any one of the team individually, as we can’t know if any
of us is available at all times (vacations and whatnot :)
As for your questions, see this PR to our packaging infrastructure for how we handle this on Debian and Centos/Rocky:...
