oss-sec: by date
RSS Feed
About List
All Lists
Previous period
293 messages
starting Jul 01 24 and
ending Sep 28 24
Date index |
Thread index |
Author index
Monday, 01 July
Announce: OpenSSH 9.8 released Damien Miller
Re: Announce: OpenSSH 9.8 released (fwd) Damien Miller
CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Qualys Security Advisory
CVE-2024-36387: Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2 Eric Covener
CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF Eric Covener
CVE-2024-38473: Apache HTTP Server proxy encoding problem Eric Covener
CVE-2024-38474: Apache HTTP Server weakness with encoded question marks in backreferences Eric Covener
CVE-2024-38475: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. Eric Covener
CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect Eric Covener
CVE-2024-38477: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request Eric Covener
CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy handler substitution Eric Covener
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems jvoisin
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Mathias Krause
Tuesday, 02 July
Re: Announce: OpenSSH 9.8 released Dominique Martinet
[OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498) Jeremy Stanley
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Jacob Bachmeyer
Wednesday, 03 July
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Jeffrey Walton
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Solar Designer
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Qualys Security Advisory
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Qualys Security Advisory
Re: Announce: OpenSSH 9.8 released Christian Fischer
Re: Ghostscript 10.03.1 (2024-05-02) fixed 5 CVEs including CVE-2024-33871 arbitrary code execution Thomas Rinsma
CVE-2024-39884: Apache HTTP Server: source code disclosure with handlers configured via AddType Eric Covener
CVE-2024-39844: ZNC modtcl RCE Martin Weinelt
CVE-2023-52168, CVE-2023-52169: buffer overflow, over-read vulnerabilities in the 7-Zip archiver Maxim Suhanov
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Yves-Alexis Perez
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Qualys Security Advisory
Thursday, 04 July
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Jacob Bachmeyer
Friday, 05 July
[ANNOUNCE] Apache CloudStack LTS Security Releases 4.18.2.1 and 4.19.0.2 Abhishek Kumar
Sunday, 07 July
CVE-2024-37389: Apache NiFi: Improper Neutralization of Input in Parameter Context Description David Handermann
Monday, 08 July
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Solar Designer
ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Florian Weimer
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Simon McVittie
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch David A. Wheeler
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Florian Weimer
Tuesday, 09 July
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Damien Miller
Django CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and CVE-2024-39614 Natalia Bidart
CVE-2024-3596: RADIUS/UDP vulnerable to improved MD5 collision attack Alan Coopersmith
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Solar Designer
Wednesday, 10 July
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Nick Tait
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Pete Allor
linux-distros application for CentOS Project's Hyperscale SIG Michel Lind
Re: linux-distros application for CentOS Project's Hyperscale SIG Demi Marie Obenour
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez
Re: linux-distros application for CentOS Project's Hyperscale SIG Mark Esler
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Alan Coopersmith
Thursday, 11 July
Re: linux-distros application for CentOS Project's Hyperscale SIG Michel Lind
Re: linux-distros application for CentOS Project's Hyperscale SIG Neil Hanlon
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch David A. Wheeler
Re: Fwd: Node.js security updates for all active release lines, July 2024 Solar Designer
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez
Friday, 12 July
backtrace_symbols() misuse by Ceph and its supposedly-safe use Alexander Patrakov
CVE-2024-36522: Apache Wicket: Remote code execution via XSLT injection Martin Tzvetanov Grigorov
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso
Saturday, 13 July
Re: backtrace_symbols() misuse by Ceph and its supposedly-safe use Jacob Bachmeyer
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Jacob Bachmeyer
Re: backtrace_symbols() misuse by Ceph and its supposedly-safe use Simon McVittie
CVE-2023-41916: Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading Heping Wang
CVE-2023-49566: Apache Linkis DataSource: JDBC Datasource Module with DB2 has JNDI Injection vulnerability Heping Wang
CVE-2023-46801: Apache Linkis DataSource: Remote code execution vulnerability in apache Linkis 1.4.0 Heping Wang
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso
Sunday, 14 July
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Demi Marie Obenour
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Jacob Bachmeyer
Monday, 15 July
Re: linux-distros application for CentOS Project's Hyperscale SIG Jonathan Wright
CVE-2023-52290: Apache StreamPark (incubating): Unchecked SQL query fields trigger SQL injection vulnerability Huajie Wang
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso
Tuesday, 16 July
Xen Security Advisory 458 v2 (CVE-2024-31143) - double unlock in x86 guest IRQ handling Xen . org security team
Xen Security Advisory 459 v2 (CVE-2024-31144) - Xapi: Metadata injection attack against backup/restore functionality Xen . org security team
CVE-2024-39887: Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions Daniel Gaspar
CVE-2024-39863: Apache Airflow: Potential XSS Vulnerability Ephraim Anierobi
CVE-2024-39877: Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler Ephraim Anierobi
Landlock news #4 Mickaël Salaün
CVE-2024-30471: Apache StreamPipes: Potential creation of multiple identical accounts Dominik Riemer
CVE-2024-31411: Apache StreamPipes: Potential remote code execution (RCE) via file upload Dominik Riemer
CVE-2024-31979: Apache StreamPipes: Possibility of SSRF in pipeline element installation process Dominik Riemer
Wednesday, 17 July
CVE-2023-52291: Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution Huajie Wang
CVE-2024-29737: Apache StreamPark (incubating): maven build params could trigger remote command execution Huajie Wang
[kubernetes] CVE-2024-5321: Incorrect permissions on Windows containers logs Craig Ingram
CVE-2024-29120: Apache StreamPark: Information leakage vulnerability Huajie Wang
Python Infrastructure Admin Token Leaked Through Docker Hub Andrii Polkovnychenko [EXT]
CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType Eric Covener
CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows Eric Covener
Thursday, 18 July
CVE-2024-29178: Apache StreamPark: FreeMarker SSTI RCE Vulnerability Huajie Wang
CVE-2024-29736: Apache CXF: SSRF vulnerability via WADL stylesheet parameter Colm O hEigeartaigh
CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE Colm O hEigeartaigh
CVE-2024-41172: Unrestricted memory consumption in CXF HTTP clients Colm O hEigeartaigh
Friday, 19 July
[ANNOUNCE] Apache CloudStack CVE-2024-41107: SAML Signature Exclusion Abhishek Kumar
CVE-2024-41107: Apache CloudStack: SAML Signature Exclusion Rohit Yadav
Re: Fwd: Node.js security updates for all active release lines, July 2024 Yogesh Mittal
Monday, 22 July
CVE-2024-23321: Apache RocketMQ: Unauthorized Exposure of Sensitive Data Rongtong Jin
CVE-2024-34457: Apache StreamPark IDOR Vulnerability Huajie Wang
CVE-2024-38503: Apache Syncope: HTML tags can be injected into Console or Enduser text fields Francesco Chicchiriccò
CVE-2024-29070: Apache StreamPark: session not invalidated after logout Huajie Wang
GNU C Library version 2.40 released with 5 CVE fixes Alan Coopersmith
Tuesday, 23 July
ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) Aram Sargsyan
[OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767) Jeremy Stanley
CVE-2024-41178: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files Andrew Lamb
Re: linux-distros application for CentOS Project's Hyperscale SIG Solar Designer
CVE-2024-39676: Apache Pinot: Unauthorized endpoint exposed sensitive information Yupeng Fu
Re: linux-distros application for CentOS Project's Hyperscale SIG Michel Lind
[SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2024-6874: macidn punycode buffer overread Daniel Stenberg
Wednesday, 24 July
CVE-2023-48362: Apache Drill: XXE Vulnerability in XML Format Reader James Turton
inux kernel: virtio-net host dos John Haxby
Re: [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str Demi Marie Obenour
Thursday, 25 July
[ANNOUNCE] Apache Traffic Server is vulnerable to request smuggling and DoS Masakazu Kitajo
CVE-2024-25090: Apache Roller: Insufficient input validation for some user profile and bookmark fields when Roller in untested-users mode David M. Johnson
Friday, 26 July
GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith
Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer
Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith
Saturday, 27 July
Re: linux kernel: virtio-net host dos Salvatore Bonaccorso
Sunday, 28 July
Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Solar Designer
Re: Announce: OpenSSH 9.8 released Solar Designer
Monday, 29 July
Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Florian Weimer
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez
Fwd: [Security-announce] [CVE-2024-3219] Pure-Python fallback of socket.socketpair() doesn’t authenticate peer connection Alan Coopersmith
Tuesday, 30 July
CVE-2023-48396: Apache SeaTunnel Web: Authentication bypass Jun Gao
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
Wednesday, 31 July
[SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread Daniel Stenberg
Re: ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) Valtteri Vuorikoski
Thursday, 01 August
[vim-security] use-after-free in tagstack_clear_entry() in Vim < v9.1.0647 Christian Brabandt
[vim-security] double-free in dialog_changed() in Vim < v9.1.0648 Christian Brabandt
CPython CVE-2024-6923: Email header injection due to unquoted newlines Alan Coopersmith
Neat VNC Security Vulnerability Andri Yngvason
Re: CPython CVE-2024-6923: Email header injection due to unquoted newlines Hanno Böck
Friday, 02 August
CVE-2024-27181: Apache Linkis Basic management services: Privilege Escalation Attack vulnerability Heping Wang
CVE-2024-27182: Apache Linkis Basic management services: Engine material management Arbitrary file deletion vulnerability Heping Wang
CVE-2024-36268: Apache InLong TubeMQ Client: Remote Code Execution vulnerability Charles Zhang
Re: Neat VNC Security Vulnerability Solar Designer
RE: Neat VNC Security Vulnerability Dane Bouchie
RE: Neat VNC Security Vulnerability Dane Bouchie
Re: Neat VNC Security Vulnerability Solar Designer
Re: Neat VNC Security Vulnerability Andri Yngvason
Saturday, 03 August
Re: Neat VNC Security Vulnerability Salvatore Bonaccorso
Sunday, 04 August
CVE-2024-38856: Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code Jacques Le Roux
CVE-2024-42447: Apache Airflow Providers FAB: FAB provider 1.2.1 and 1.2.0 did not let user to logout for Airflow Jarek Potiuk
Monday, 05 August
CVE-2024-36448: Apache IoTDB Workbench: SSRF Vulnerability (EOL) Haonan Hou
Tuesday, 06 August
feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
Django CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005 Sarah Boyce
Tracking down a lost CVE request (MITRE) Michael Orlitzky
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
CVE-2024-42062: Apache CloudStack: User Key Exposure to Domain Admins Rohit Yadav
CVE-2024-42222: Apache CloudStack: Unauthorised Network List Access Rohit Yadav
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Stuart Henderson
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Alex Gaynor
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jan Engelhardt
Wednesday, 07 August
Multiple vulnerabilities in Jenkins Daniel Beck
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Bob Friesenhahn
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Chad Sheridan
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Dan Kegel
Re: feedback requested regarding deprecation of TLS 1.0/1.1 niekt0
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Solar Designer
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
Thursday, 08 August
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Duncan Grisby
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
KL-001-2024-005: Open WebUI Stored Cross-Site Scripting KoreLogic Disclosures
KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal KoreLogic Disclosures
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
Re: feedback requested regarding deprecation of TLS 1.0/1.1 steffen
Friday, 09 August
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jens Timmerman
CVE-2024-41890: Apache Answer: The link to reset the user's password will remain valid after sending a new link Enxin Xie
CVE-2024-41888: Apache Answer: The link for resetting user password is not Single-Use Enxin Xie
CVE-2024-29831: Apache DolphinScheduler: RCE by arbitrary js execution ShunFeng Cai
CVE-2024-30188: Apache DolphinScheduler: Resource File Read And Write Vulnerability ShunFeng Cai
Sunday, 11 August
CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL Solar Designer
Monday, 12 August
CVE-2024-42008 and more: XSS vulnerabilities in Roundcube webmail Valtteri Vuorikoski
CVE-2024-41909: Apache MINA SSHD: integrity check bypass Arnout Engelen
Wednesday, 14 August
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Mike O'Connor
Xen Security Advisory 460 v2 (CVE-2024-31145) - error handling in x86 IOMMU identity mapping Xen . org security team
Xen Security Advisory 461 v2 (CVE-2024-31146) - PCI device pass-through with shared resources Xen . org security team
CVE-2024-7347: nginx: ngx_http_mp4_module: Worker process crash by using a specially crafted mp4 file Solar Designer
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn
flatpak CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist) Simon McVittie
Re: Tracking down a lost CVE request (MITRE) Mark Esler
Re: Tracking down a lost CVE request (MITRE) Michael Orlitzky
Thursday, 15 August
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Hanno Böck
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
Dovecot CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive Aki Tuomi
Dovecot CVE-2024-23185: Very large headers can cause resource exhaustion when parsing message Aki Tuomi
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
[vim-security] use-after-free in alist_add() in Vim < v9.1.0678 Christian Brabandt
Friday, 16 August
Re: collision confounders (was: feedback requested regarding deprecation of TLS 1.0/1.1) Jacob Bachmeyer
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
Heads-up: there are two versions of Intel microcode update IPU 2024.3 Samuel Verschelde
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
[kubernetes] CVE-2024-7646: Ingress-nginx Annotation Validation Bypass Craig Ingram
Unbound 1.21.0 released with multiple security fixes Alan Coopersmith
AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) David A. Wheeler
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 Adrian Perez de Castro
Saturday, 17 August
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
Landlock Houdini fix: CVE-2024-42318 Mickaël Salaün
Re: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) Alfredo Ortega
Sunday, 18 August
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
Monday, 19 August
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
Re: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) David A. Wheeler
Tuesday, 20 August
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
CVE-2024-43202: Apache DolphinScheduler: Remote Code Execution Vulnerability ShunFeng Cai
CVE-2024-22281: Apache Helix Front (UI): Helix front hard-coded secret in the express-session Junkai Xue
Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
Wednesday, 21 August
CVE-2023-49198: Apache SeaTunnel Web: Arbitrary file read vulnerability Jun Gao
CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link Ephraim Anierobi
Thursday, 22 August
CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Alan Coopersmith
gh:facebook/rocksdb v9.5.2 - SupplyChainAttackPoC for Meta BB Andreas Stieger
[vim-security] heap-buffer-overflow in do_search() in Vim < 9.1.0689 Christian Brabandt
Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
Friday, 23 August
Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
Sunday, 25 August
[vim-security] heap-buffer-overflow in ins_typebuf() in Vim < 9.1.0697 Christian Brabandt
Monday, 26 August
CVE-2023-49582: Apache Portable Runtime (APR): Unexpected lax shared memory permissions Eric Covener
Saturday, 31 August
[vim-security] heap-buffer-overflow in Vim > 9.1.0038 && < 9.1.0707 Christian Brabandt
Monday, 02 September
Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() 2639161967
Re: Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Solar Designer
CVE-2024-45310: runc can be tricked into creating empty files/directories on host Aleksa Sarai
Tuesday, 03 September
Re: CVE-2024-45310: runc can be tricked into creating empty files/directories on host Mike O'Connor
Django CVE-2024-45230 and CVE-2024-45231 Natalia Bidart
CVE-2024-6119: OpenSSL: Possible denial of service in X.509 name checks Tomas Mraz
CPython: [CVE-2024-6232] Regular-expression DoS when parsing TarFile headers Alan Coopersmith
CVE-2024-45195: Apache OFBiz: Confused controller-view authorization logic (forced browsing) Jacques Le Roux
CVE-2024-45507: Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE Jacques Le Roux
Wednesday, 04 September
Webmin UDP/10000 discovery service Loop DoS (COK-2024-05-05) Sergei G
Re: CVE-2024-45310: runc can be tricked into creating empty files/directories on host Aleksa Sarai
CVE-2024-43402: Rust before 1.81.0 didn't fully fix argument escaping for batch files Pietro Albini
[OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082) Brian Rosmaita
Thursday, 05 September
Go 1.23.1 and Go 1.22.7 released with 3 security fixes Alan Coopersmith
Friday, 06 September
Re: Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Michael Ellerman
CVE-2024-45498: Apache Airflow: Command Injection in an example DAG Ephraim Anierobi
CVE-2024-45034: Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes Ephraim Anierobi
CVE-2024-7012, CVE-2024-7923: Authentication bypass in Foreman & Pulpcore Christian Hoffmann
libpcap 1.10.5 released with two security fixes Alan Coopersmith
Saturday, 07 September
CVE-2024-45751: CHAP authentication bypass in user-space Linux target framework (tgt) up to v1.0.92 David Gstir
Security fixes available in Python 3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 Alan Coopersmith
Monday, 09 September
CVE-2024-6655 Library injection from CWD in GTK-2/GTK-3 Dimitrios Glynos
Tuesday, 10 September
[SECURITY ADVISORY] curl: CVE-2024-8096: OCSP stapling bypass with GnuTLS Daniel Stenberg
Wednesday, 11 September
CVE-2024-22399: Apache Seata: Remote Code Execution vulnerability via Hessian Deserialization in Apache Seata Server Min Ji
Tuesday, 17 September
CVE-2024-45384: Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack Karan Kumar
CVE-2024-45537: Apache Druid: Users can provide MySQL JDBC properties not on allow list Karan Kumar
Friday, 20 September
Performance Co-Pilot (PCP): pmcd network daemon security issues and review results (CVE-2024-45769), (CVE-2024-45770) Matthias Gerstner
Saturday, 21 September
CVE-2024-42323: Apache HertzBeat: RCE by snakeYaml deser load malicious xml Chao Gong
Monday, 23 September
CVE-2024-46544: Apache Tomcat Connectors: mod_jk: local users can view and modify configuration Mark Thomas
CVE-2024-38286: Apache Tomcat: Denial of Service Mark Thomas
Tuesday, 24 September
Xen Security Advisory 462 v2 (CVE-2024-45817) - x86: Deadlock in vlapic_error() Xen . org security team
CVE-2024-39928: Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability Heping Wang
CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Joel GUITTET
Re: CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Solar Designer
CVE-2024-23454: Apache Hadoop: Temporary File Local Information Disclosure Shilun Fan
Wednesday, 25 September
CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Enxin Xie
Re: CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Sandipan Roy
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0005 Adrian Perez de Castro
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer
RE: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Goldberg, Adam
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Demi Marie Obenour
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Jeffrey Walton
Thursday, 26 September
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses LinkinStar
CVE-2024-47197: Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials Slawomir Jaranowski
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer
CUPS printing system vulnerabilities Solar Designer
Re: CUPS printing system vulnerabilities Alan Coopersmith
Re: CUPS printing system vulnerabilities Solar Designer
Re: CUPS printing system vulnerabilities Zdenek Dohnal
Re: CUPS printing system vulnerabilities Mark Esler
Re: CUPS printing system vulnerabilities Michael Sweet
Friday, 27 September
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Alexander Patrakov
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer
Re: CUPS printing system vulnerabilities Will Dormann
Re: List linux CVEs for a given stable release? Greg Kroah-Hartman
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Sam Bull
Saturday, 28 September
CVE-2024-45772: Apache Lucene Replicator: Deserialization of Untrusted Data Robert Muir