oss-sec: by author

183 messages starting Oct 30 24 and ending Dec 24 24

Adrian Perez de Castro

WebKitGTK and WPE WebKit Security Advisory WSA-2024-0006 Adrian Perez de Castro (Oct 30)
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 Adrian Perez de Castro (Dec 22)
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007 Adrian Perez de Castro (Nov 27)

Agostino Sarubbo

Re: CVE-2024-54677: Apache Tomcat: DoS in examples web application Agostino Sarubbo (Dec 17)

Alan Coopersmith

4 recent security bugs in GNOME's libsoup Alan Coopersmith (Nov 09)
GStreamer 1.24.10 stable security bug-fix release Alan Coopersmith (Dec 13)
Re: 4 recent security bugs in GNOME's libsoup Alan Coopersmith (Nov 12)
CVE-2024-52533: Buffer overflow in socks proxy code in glib < 2.82.1 Alan Coopersmith (Nov 12)
CVE-2024-8508 in Unbound DNS server prior to 1.21.1 Alan Coopersmith (Oct 04)
libarchive 3.7.5 released with security fixes Alan Coopersmith (Oct 10)
Fwd: wget-1.25.0 released [fixes CVE-2024-10524] Alan Coopersmith (Nov 18)
Fwd: [Security-announce][CVE-2024-12254] Unbounded memory buffering in SelectorSocketTransport.writelines() Alan Coopersmith (Dec 06)
Re: CVE-2024-42415: Integer Overflow in GNOME libgsf Alan Coopersmith (Oct 04)
CVE-2024-42415: Integer Overflow in GNOME libgsf Alan Coopersmith (Oct 04)

Alexander Patrakov

Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Alexander Patrakov (Oct 31)

Ali Polatel

Re: Article: State of Sandboxing in Linux Ali Polatel (Nov 25)
Re: Article: State of Sandboxing in Linux Ali Polatel (Nov 25)
Re: shell wildcard expansion (un)safety Ali Polatel (Nov 12)
Re: Article: State of Sandboxing in Linux Ali Polatel (Nov 25)

Andor Molnar

CVE-2024-51504: Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server Andor Molnar (Nov 06)

Andrew Cooper

Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables Andrew Cooper (Nov 12)

Chao Gong

CVE-2024-41151: Apache HertzBeat: RCE by notice template injection vulnerability Chao Gong (Nov 16)
CVE-2024-45505: Apache HertzBeat (incubating): Exists Native Deser RCE and file writing vulnerabilities Chao Gong (Nov 16)
CVE-2024-45791: Apache HertzBeat: Exposure sensitive token via http GET method with query string Chao Gong (Nov 16)

Christian Brabandt

[vim-security] use-after-free when closing buffers in Vim < 9.1.0764 Christian Brabandt (Oct 06)

Clemens Lang

Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Clemens Lang (Nov 12)

Craig Ingram

[kubernetes] CVE-2024-10220: Arbitrary command execution through gitRepo volume Craig Ingram (Nov 20)

Daniel Augusto Veronezi Salvador

CVE-2024-50386: Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure Daniel Augusto Veronezi Salvador (Nov 12)
CVE-2024-45462: Apache CloudStack: Incomplete session invalidation on web interface logout Daniel Augusto Veronezi Salvador (Oct 15)
CVE-2024-45693: Apache CloudStack: Request origin validation bypass makes account takeover possible Daniel Augusto Veronezi Salvador (Oct 15)
CVE-2024-45461: Apache CloudStack Quota plugin: Access checks not enforced in Quota Daniel Augusto Veronezi Salvador (Oct 15)
CVE-2024-45219: Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure Daniel Augusto Veronezi Salvador (Oct 15)

Daniel Beck

Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Nov 27)
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Oct 02)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Nov 13)

Daniel Gaspar

CVE-2024-55633: Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access Daniel Gaspar (Dec 12)
CVE-2024-53947: Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions Daniel Gaspar (Dec 09)
CVE-2024-53949: Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled Daniel Gaspar (Dec 09)
CVE-2024-53948: Apache Superset: Error verbosity exposes metadata in analytics databases Daniel Gaspar (Dec 09)

Daniel Sahlberg

[SECURITY][ANNOUNCE] Apache Subversion 1.14.5 released Daniel Sahlberg (Dec 08)

Daniel Stenberg

[SECURITY ADVISORY] curl: CVE-2024-9681 HSTS subdomain overwrites parent cache entry Daniel Stenberg (Nov 05)
[SECURITY ADVISORY] curl: CVE-2024-11053: netrc and redirect credential leak Daniel Stenberg (Dec 10)

David A. Wheeler

Re: shell wildcard expansion (un)safety David A. Wheeler (Nov 06)

David Handermann

CVE-2024-52067: Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log David Handermann (Nov 20)
CVE-2024-56512: Apache NiFi: Missing Complete Authorization for Parameter and Service References David Handermann (Dec 27)
CVE-2024-45477: Apache NiFi: Improper Neutralization of Input in Parameter Description David Handermann (Oct 28)

David M. Johnson

CVE-2024-46911: Apache Roller: Weakness in CSRF protection allows privilege escalation David M. Johnson (Oct 11)

David Woodhouse

Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks David Woodhouse (Dec 23)

Demi Marie Obenour

Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion Demi Marie Obenour (Dec 25)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Demi Marie Obenour (Oct 15)
Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables Demi Marie Obenour (Nov 12)

Dewey Dunnington

CVE-2024-52338: Apache Arrow R package: Arbitrary code execution when loading a malicious data file Dewey Dunnington (Nov 28)

Dominik Czarnota

Re: shell wildcard expansion (un)safety Dominik Czarnota (Nov 08)

Dr. Christopher Kunz

Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Dr. Christopher Kunz (Oct 23)
Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Dr. Christopher Kunz (Oct 24)

Dr. Thomas Orgis

Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Dr. Thomas Orgis (Nov 01)
mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Dr. Thomas Orgis (Oct 30)
Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Dr. Thomas Orgis (Nov 01)

Eli Schwartz

Re: shell wildcard expansion (un)safety Eli Schwartz (Nov 10)
Re: qBittorrent RCE, Browser Hijacking vulnerabilities Eli Schwartz (Oct 30)
Re: shell wildcard expansion (un)safety Eli Schwartz (Nov 06)
Re: Article: State of Sandboxing in Linux Eli Schwartz (Nov 25)

Emmanuel Lécharny

CVE-2024-52046: Apache MINA: MINA applications using unbounded deserialization may allow RCE Emmanuel Lécharny (Dec 24)

Enxin Xie

CVE-2024-45719: Apache Answer: Predictable Authorization Token Using UUIDv1 Enxin Xie (Nov 22)

Ephraim Anierobi

CVE-2024-45784: Apache Airflow: Sensitive configuration values are not masked in the logs by default Ephraim Anierobi (Nov 14)
CVE-2024-50378: Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli Ephraim Anierobi (Nov 08)

Eric Friedrich

CVE-2024-45387: Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments Eric Friedrich (Dec 23)

Ethan Rose

CVE-2024-45106: Apache Ozone: Improper authentication when generating S3 secrets Ethan Rose (Dec 02)

Evan Carroll

Re: Article: State of Sandboxing in Linux Evan Carroll (Nov 24)
Re: Article: State of Sandboxing in Linux Evan Carroll (Nov 25)

Fay Stegerman

Re: shell wildcard expansion (un)safety Fay Stegerman (Nov 06)
Re: shell wildcard expansion (un)safety Fay Stegerman (Nov 10)

Florian Weimer

Re: Re: Out-of-bounds read & write in the glibc's qsort() Florian Weimer (Dec 23)
Re: Re: Out-of-bounds read & write in the glibc's qsort() Florian Weimer (Dec 23)

Francesco Chicchiriccò

CVE-2024-45031: Apache Syncope: Stored XSS in Console and Enduser Francesco Chicchiriccò (Oct 24)

Gary D. Gregory

CVE-2024-47554: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader Gary D. Gregory (Oct 03)

Georgi Guninski

Re: shell wildcard expansion (un)safety Georgi Guninski (Nov 08)

Greg Harris

CVE-2024-31141: Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider Greg Harris (Nov 18)

Houston Putman

CVE-2024-45216: Apache Solr: Authentication bypass possible using a fake URL Path ending Houston Putman (Oct 15)
CVE-2024-45217: Apache Solr: ConfigSets created during a backup restore command are trusted implicitly Houston Putman (Oct 15)

Imba Jin

CVE-2024-43441: Apache HugeGraph-Server: Fixed JWT Token(Secret) Imba Jin (Dec 24)

Jacob Bachmeyer

Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Jacob Bachmeyer (Oct 29)

Jacques Le Roux

CVE-2024-48962: Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE) Jacques Le Roux (Nov 16)
CVE-2024-47208: Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE Jacques Le Roux (Nov 16)

Jakub Wilk

Re: shell wildcard expansion (un)safety Jakub Wilk (Nov 07)
Re: Local Privilege Escalations in needrestart Jakub Wilk (Dec 04)

Jan Engelhardt

Re: Re: Out-of-bounds read & write in the glibc's qsort() Jan Engelhardt (Dec 21)

Jan Schaumann

Vulnerability in golang.org/x/crypto [CVE-2024-45337: misuse of ServerConfig.PublicKeyCallback may cause authorization bypass] Jan Schaumann (Dec 11)

Jay Faulkner

OSSA-2024-004 / CVE-2024-47211: OpenStack Ironic <26.1.1 fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming Jay Faulkner (Oct 05)
[OSSA-2024-005] Neutron: Authorization bypassed when setting tags on Neutron networks (CVE-2024-53916) Jay Faulkner (Dec 03)

Jeroen Roovers

Re: shell wildcard expansion (un)safety Jeroen Roovers (Nov 10)
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Jeroen Roovers (Nov 30)

Joel GUITTET

RE: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Joel GUITTET (Nov 12)
CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Joel GUITTET (Oct 29)

Joel Smith

[kubernetes] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials Joel Smith (Oct 14)

Johannes Segitz

CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Johannes Segitz (Oct 04)

Jose Exposito Quintana

CVE-2024-9632: X.Org X server and Xwayland: Heap-based buffer overflow privilege escalation in _XkbSetCompatMap Jose Exposito Quintana (Oct 29)

Justin Bertram

CVE-2023-50780: Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans Justin Bertram (Oct 14)

larry0

Re[2]: cups-browsed vulnerable to DDoS amplification attack larry0 (Oct 04)

Larry Cashdollar

Re: cups-browsed vulnerable to DDoS amplification attack Larry Cashdollar (Oct 03)
cups-browsed vulnerable to DDoS amplification attack Larry Cashdollar (Oct 03)

lists

Re: shell wildcard expansion (un)safety lists (Nov 10)

Li Yang

CVE-2024-23590: Apache Kylin: Session fixation in web interface Li Yang (Nov 03)

Lubomir Rintel

CVE-2024-9050: NetworkManager-libreswan IPSec VPN plugin local code execution Lubomir Rintel (Oct 24)

Luiz Augusto von Dentz

Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Luiz Augusto von Dentz (Nov 29)

Manikumar

CVE-2024-56128: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption Manikumar (Dec 18)

Marco Benatto

Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Marco Benatto (Oct 30)
Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Marco Benatto (Oct 31)

Mark Esler

Re: Local Privilege Escalations in needrestart Mark Esler (Nov 26)

Mark Thomas

CVE-2024-50379: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation Mark Thomas (Dec 17)
CVE-2024-54677: Apache Tomcat: DoS in examples web application Mark Thomas (Dec 17)
CVE-2024-56337: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete Mark Thomas (Dec 20)
CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API Mark Thomas (Nov 18)
CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2 Mark Thomas (Nov 18)
Re: CVE-2024-54677: Apache Tomcat: DoS in examples web application Mark Thomas (Dec 18)
CVE-2024-52318: Apache Tomcat: Incorrect JSP tag recycling leads to XSS Mark Thomas (Nov 18)

Martin Tzvetanov Grigorov

CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) Martin Tzvetanov Grigorov (Oct 03)

Masakazu Kitajo

[ANNOUNCE] Apache Traffic Server is vulnerable to specific user inputs Masakazu Kitajo (Nov 13)

Mats Wichmann

Re: shell wildcard expansion (un)safety Mats Wichmann (Nov 07)

Matthias Gerstner

Re: tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337) Matthias Gerstner (Nov 29)
authentik: remote timing attack in MetricsView HTTP Basic Auth (CVE-2024-52307) Matthias Gerstner (Nov 27)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Matthias Gerstner (Oct 17)
tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337) Matthias Gerstner (Nov 28)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Matthias Gerstner (Oct 15)
SSSD: Weaknesses in Privilege Separation due to Issues in Privileged Helper Programs Matthias Gerstner (Dec 19)
stalld: unpatched fixed temporary file use and other issues Matthias Gerstner (Nov 29)

Maxime Coquelin

CVE-2024-11614: DPDK Vhost Rx checksum vulnerability Maxime Coquelin (Dec 17)

Max Nikulin

Re: shell wildcard expansion (un)safety Max Nikulin (Nov 07)

Mickaël Salaün

Re: Article: State of Sandboxing in Linux Mickaël Salaün (Nov 24)

Nick Boyce

Re: CVE-2024-50379: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation Nick Boyce (Dec 18)

Otto Moerbeek

PowerDNS Security Advisory 2024-04 Otto Moerbeek (Oct 03)

Paul Irwin

CVE-2024-43383: Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator Paul Irwin (Oct 30)

Peter van Dijk

Re: cups-browsed vulnerable to DDoS amplification attack Peter van Dijk (Oct 03)

Qualys Security Advisory

Local Privilege Escalations in needrestart Qualys Security Advisory (Nov 19)

Salvatore Bonaccorso

Re: Local Privilege Escalations in needrestart Salvatore Bonaccorso (Nov 30)

Sarah Boyce

Django CVE-2024-53907 and CVE-2024-53908 Sarah Boyce (Dec 04)

Sean Whitton

Re: shell wildcard expansion (un)safety Sean Whitton (Nov 17)

Sec Guy

qBittorrent RCE, Browser Hijacking vulnerabilities Sec Guy (Oct 30)

Simon Josefsson

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Simon Josefsson (Oct 05)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Simon Josefsson (Oct 08)

Simon McVittie

Re: tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337) Simon McVittie (Nov 28)

Simon Steiner

CVE-2024-28168: Apache XML Graphics FOP: XML External Entity (XXE) Processing Simon Steiner (Oct 09)

Solar Designer

Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Solar Designer (Nov 12)
Re: shell wildcard expansion (un)safety Solar Designer (Nov 07)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer (Oct 07)
Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Solar Designer (Nov 28)
Re: shell wildcard expansion (un)safety Solar Designer (Nov 06)
Fwd: Operational Notification: BIND 9.20 defect in QPzone implementation Solar Designer (Dec 20)
shell wildcard expansion (un)safety Solar Designer (Nov 05)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer (Oct 17)
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Solar Designer (Nov 29)
Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion Solar Designer (Dec 25)
Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion Solar Designer (Dec 25)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer (Oct 08)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer (Oct 15)
Re: PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21 Solar Designer (Nov 16)
PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21 Solar Designer (Nov 16)
Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Solar Designer (Nov 07)

Stamatis Zampetakis

CVE-2024-23945: Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails Stamatis Zampetakis (Dec 23)
CVE-2022-41137: Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore Stamatis Zampetakis (Dec 04)

Stefan Sperling

CVE-2024-45720: Apache Subversion: Command line argument injection on Windows platforms Stefan Sperling (Oct 08)

Steffen Nurpmeso

Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 07)
Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 15)
Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 06)
Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 07)
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Steffen Nurpmeso (Oct 17)
Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 07)

Szymon Janc

CVE-2024-51569: Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in Number of Completed Packets HCI event handler Szymon Janc (Nov 26)
CVE-2024-47248: Apache NimBLE: Buffer overflow in NimBLE MESH Bluetooth stack Szymon Janc (Nov 26)
CVE-2024-47250: Apache NimBLE: Lack of input validation in HCI advertising report could lead to potential out-of-bound access Szymon Janc (Nov 26)
CVE-2024-47249: Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in multiple advertisement handler Szymon Janc (Nov 26)

tianshu qiu

Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 30)
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 29)
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 30)

Tomas Mraz

CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Tomas Mraz (Oct 16)

Xen.org security team

Xen Security Advisory 465 v3 (CVE-2024-53240) - Backend can crash Linux netfront Xen.org security team (Dec 17)
Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables Xen.org security team (Nov 12)
Xen Security Advisory 463 v2 (CVE-2024-45818) - Deadlock in x86 HVM standard VGA handling Xen.org security team (Nov 12)
Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Xen.org security team (Dec 17)

Yair Mizrahi

CVE-2024-40896 Analysis: libxml2 XXE due to type confusion Yair Mizrahi (Dec 25)

Yuri Gribov

Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov (Dec 21)
Re: Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov (Dec 23)
Re: Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov (Dec 24)