oss-sec: by date

183 messages starting Oct 02 24 and ending Dec 27 24


Wednesday, 02 October

Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck

Thursday, 03 October

CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) Martin Tzvetanov Grigorov
CVE-2024-47554: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader Gary D. Gregory
PowerDNS Security Advisory 2024-04 Otto Moerbeek
cups-browsed vulnerable to DDoS amplification attack Larry Cashdollar
Re: cups-browsed vulnerable to DDoS amplification attack Peter van Dijk
Re: cups-browsed vulnerable to DDoS amplification attack Larry Cashdollar

Friday, 04 October

Re[2]: cups-browsed vulnerable to DDoS amplification attack larry0
CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Johannes Segitz
CVE-2024-42415: Integer Overflow in GNOME libgsf Alan Coopersmith
Re: CVE-2024-42415: Integer Overflow in GNOME libgsf Alan Coopersmith
CVE-2024-8508 in Unbound DNS server prior to 1.21.1 Alan Coopersmith

Saturday, 05 October

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Simon Josefsson
OSSA-2024-004 / CVE-2024-47211: OpenStack Ironic <26.1.1 fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming Jay Faulkner

Sunday, 06 October

[vim-security] use-after-free when closing buffers in Vim < 9.1.0764 Christian Brabandt

Monday, 07 October

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer

Tuesday, 08 October

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Simon Josefsson
CVE-2024-45720: Apache Subversion: Command line argument injection on Windows platforms Stefan Sperling
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer

Wednesday, 09 October

CVE-2024-28168: Apache XML Graphics FOP: XML External Entity (XXE) Processing Simon Steiner

Thursday, 10 October

libarchive 3.7.5 released with security fixes Alan Coopersmith

Friday, 11 October

CVE-2024-46911: Apache Roller: Weakness in CSRF protection allows privilege escalation David M. Johnson

Monday, 14 October

[kubernetes] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials Joel Smith
CVE-2023-50780: Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans Justin Bertram

Tuesday, 15 October

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Matthias Gerstner
CVE-2024-45219: Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure Daniel Augusto Veronezi Salvador
CVE-2024-45461: Apache CloudStack Quota plugin: Access checks not enforced in Quota Daniel Augusto Veronezi Salvador
CVE-2024-45462: Apache CloudStack: Incomplete session invalidation on web interface logout Daniel Augusto Veronezi Salvador
CVE-2024-45693: Apache CloudStack: Request origin validation bypass makes account takeover possible Daniel Augusto Veronezi Salvador
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Demi Marie Obenour
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer
CVE-2024-45216: Apache Solr: Authentication bypass possible using a fake URL Path ending Houston Putman
CVE-2024-45217: Apache Solr: ConfigSets created during a backup restore command are trusted implicitly Houston Putman

Wednesday, 16 October

CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Tomas Mraz

Thursday, 17 October

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Matthias Gerstner
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Steffen Nurpmeso
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer

Wednesday, 23 October

Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Dr. Christopher Kunz

Thursday, 24 October

Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Dr. Christopher Kunz
CVE-2024-45031: Apache Syncope: Stored XSS in Console and Enduser Francesco Chicchiriccò
CVE-2024-9050: NetworkManager-libreswan IPSec VPN plugin local code execution Lubomir Rintel

Monday, 28 October

CVE-2024-45477: Apache NiFi: Improper Neutralization of Input in Parameter Description David Handermann

Tuesday, 29 October

CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Joel GUITTET
CVE-2024-9632: X.Org X server and Xwayland: Heap-based buffer overflow privilege escalation in _XkbSetCompatMap Jose Exposito Quintana
Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Jacob Bachmeyer

Wednesday, 30 October

mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Dr. Thomas Orgis
Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Marco Benatto
qBittorrent RCE, Browser Hijacking vulnerabilities Sec Guy
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0006 Adrian Perez de Castro
CVE-2024-43383: Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator Paul Irwin
Re: qBittorrent RCE, Browser Hijacking vulnerabilities Eli Schwartz

Thursday, 31 October

Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Marco Benatto
Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Alexander Patrakov

Friday, 01 November

Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Dr. Thomas Orgis
Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) Dr. Thomas Orgis

Sunday, 03 November

CVE-2024-23590: Apache Kylin: Session fixation in web interface Li Yang

Tuesday, 05 November

shell wildcard expansion (un)safety Solar Designer
[SECURITY ADVISORY] curl: CVE-2024-9681 HSTS subdomain overwrites parent cache entry Daniel Stenberg

Wednesday, 06 November

Re: shell wildcard expansion (un)safety David A. Wheeler
Re: shell wildcard expansion (un)safety Eli Schwartz
CVE-2024-51504: Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server Andor Molnar
Re: shell wildcard expansion (un)safety Fay Stegerman
Re: shell wildcard expansion (un)safety Steffen Nurpmeso
Re: shell wildcard expansion (un)safety Solar Designer

Thursday, 07 November

Re: shell wildcard expansion (un)safety Jakub Wilk
Re: shell wildcard expansion (un)safety Max Nikulin
Re: shell wildcard expansion (un)safety Steffen Nurpmeso
Re: shell wildcard expansion (un)safety Steffen Nurpmeso
Re: shell wildcard expansion (un)safety Mats Wichmann
Re: shell wildcard expansion (un)safety Solar Designer
Re: shell wildcard expansion (un)safety Steffen Nurpmeso
Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Solar Designer

Friday, 08 November

Re: shell wildcard expansion (un)safety Georgi Guninski
CVE-2024-50378: Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli Ephraim Anierobi
Re: shell wildcard expansion (un)safety Dominik Czarnota

Saturday, 09 November

4 recent security bugs in GNOME's libsoup Alan Coopersmith

Sunday, 10 November

Re: shell wildcard expansion (un)safety Eli Schwartz
Re: shell wildcard expansion (un)safety lists
Re: shell wildcard expansion (un)safety Jeroen Roovers
Re: shell wildcard expansion (un)safety Fay Stegerman

Tuesday, 12 November

Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables Xen.org security team
Xen Security Advisory 463 v2 (CVE-2024-45818) - Deadlock in x86 HVM standard VGA handling Xen.org security team
CVE-2024-50386: Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure Daniel Augusto Veronezi Salvador
Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Solar Designer
Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Clemens Lang
RE: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets Joel GUITTET
Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables Andrew Cooper
Re: 4 recent security bugs in GNOME's libsoup Alan Coopersmith
Re: shell wildcard expansion (un)safety Ali Polatel
Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables Demi Marie Obenour
CVE-2024-52533: Buffer overflow in socks proxy code in glib < 2.82.1 Alan Coopersmith

Wednesday, 13 November

[ANNOUNCE] Apache Traffic Server is vulnerable to specific user inputs Masakazu Kitajo
Multiple vulnerabilities in Jenkins plugins Daniel Beck

Thursday, 14 November

CVE-2024-45784: Apache Airflow: Sensitive configuration values are not masked in the logs by default Ephraim Anierobi

Friday, 15 November

Re: shell wildcard expansion (un)safety Steffen Nurpmeso

Saturday, 16 November

CVE-2024-48962: Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE) Jacques Le Roux
CVE-2024-47208: Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE Jacques Le Roux
CVE-2024-45505: Apache HertzBeat (incubating): Exists Native Deser RCE and file writing vulnerabilities Chao Gong
CVE-2024-45791: Apache HertzBeat: Exposure sensitive token via http GET method with query string Chao Gong
CVE-2024-41151: Apache HertzBeat: RCE by notice template injection vulnerability Chao Gong
PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21 Solar Designer
Re: PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21 Solar Designer

Sunday, 17 November

Re: shell wildcard expansion (un)safety Sean Whitton

Monday, 18 November

CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API Mark Thomas
CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2 Mark Thomas
CVE-2024-52318: Apache Tomcat: Incorrect JSP tag recycling leads to XSS Mark Thomas
CVE-2024-31141: Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider Greg Harris
Fwd: wget-1.25.0 released [fixes CVE-2024-10524] Alan Coopersmith

Tuesday, 19 November

Local Privilege Escalations in needrestart Qualys Security Advisory

Wednesday, 20 November

[kubernetes] CVE-2024-10220: Arbitrary command execution through gitRepo volume Craig Ingram
CVE-2024-52067: Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log David Handermann

Friday, 22 November

CVE-2024-45719: Apache Answer: Predictable Authorization Token Using UUIDv1 Enxin Xie

Sunday, 24 November

Re: Article: State of Sandboxing in Linux Mickaël Salaün
Re: Article: State of Sandboxing in Linux Evan Carroll

Monday, 25 November

Re: Article: State of Sandboxing in Linux Eli Schwartz
Re: Article: State of Sandboxing in Linux Ali Polatel
Re: Article: State of Sandboxing in Linux Ali Polatel
Re: Article: State of Sandboxing in Linux Evan Carroll
Re: Article: State of Sandboxing in Linux Ali Polatel

Tuesday, 26 November

CVE-2024-47248: Apache NimBLE: Buffer overflow in NimBLE MESH Bluetooth stack Szymon Janc
CVE-2024-47249: Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in multiple advertisement handler Szymon Janc
CVE-2024-47250: Apache NimBLE: Lack of input validation in HCI advertising report could lead to potential out-of-bound access Szymon Janc
CVE-2024-51569: Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in Number of Completed Packets HCI event handler Szymon Janc
Re: Local Privilege Escalations in needrestart Mark Esler

Wednesday, 27 November

authentik: remote timing attack in MetricsView HTTP Basic Auth (CVE-2024-52307) Matthias Gerstner
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007 Adrian Perez de Castro
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck

Thursday, 28 November

tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337) Matthias Gerstner
Re: tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337) Simon McVittie
CVE-2024-52338: Apache Arrow R package: Arbitrary code execution when loading a malicious data file Dewey Dunnington
Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Solar Designer

Friday, 29 November

Re: tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337) Matthias Gerstner
stalld: unpatched fixed temporary file use and other issues Matthias Gerstner
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Luiz Augusto von Dentz
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Solar Designer

Saturday, 30 November

Re: Local Privilege Escalations in needrestart Salvatore Bonaccorso
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Jeroen Roovers
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu

Monday, 02 December

CVE-2024-45106: Apache Ozone: Improper authentication when generating S3 secrets Ethan Rose

Tuesday, 03 December

[OSSA-2024-005] Neutron: Authorization bypassed when setting tags on Neutron networks (CVE-2024-53916) Jay Faulkner

Wednesday, 04 December

Re: Local Privilege Escalations in needrestart Jakub Wilk
CVE-2022-41137: Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore Stamatis Zampetakis
Django CVE-2024-53907 and CVE-2024-53908 Sarah Boyce

Friday, 06 December

Fwd: [Security-announce][CVE-2024-12254] Unbounded memory buffering in SelectorSocketTransport.writelines() Alan Coopersmith

Sunday, 08 December

[SECURITY][ANNOUNCE] Apache Subversion 1.14.5 released Daniel Sahlberg

Monday, 09 December

CVE-2024-53947: Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions Daniel Gaspar
CVE-2024-53948: Apache Superset: Error verbosity exposes metadata in analytics databases Daniel Gaspar
CVE-2024-53949: Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled Daniel Gaspar

Tuesday, 10 December

[SECURITY ADVISORY] curl: CVE-2024-11053: netrc and redirect credential leak Daniel Stenberg

Wednesday, 11 December

Vulnerability in golang.org/x/crypto [CVE-2024-45337: misuse of ServerConfig.PublicKeyCallback may cause authorization bypass] Jan Schaumann

Thursday, 12 December

CVE-2024-55633: Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access Daniel Gaspar

Friday, 13 December

GStreamer 1.24.10 stable security bug-fix release Alan Coopersmith

Tuesday, 17 December

Xen Security Advisory 465 v3 (CVE-2024-53240) - Backend can crash Linux netfront Xen.org security team
Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Xen.org security team
CVE-2024-11614: DPDK Vhost Rx checksum vulnerability Maxime Coquelin
CVE-2024-50379: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation Mark Thomas
CVE-2024-54677: Apache Tomcat: DoS in examples web application Mark Thomas
Re: CVE-2024-54677: Apache Tomcat: DoS in examples web application Agostino Sarubbo

Wednesday, 18 December

Re: CVE-2024-54677: Apache Tomcat: DoS in examples web application Mark Thomas
Re: CVE-2024-50379: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation Nick Boyce
CVE-2024-56128: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption Manikumar

Thursday, 19 December

SSSD: Weaknesses in Privilege Separation due to Issues in Privileged Helper Programs Matthias Gerstner

Friday, 20 December

CVE-2024-56337: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete Mark Thomas
Fwd: Operational Notification: BIND 9.20 defect in QPzone implementation Solar Designer

Saturday, 21 December

Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov
Re: Re: Out-of-bounds read & write in the glibc's qsort() Jan Engelhardt

Sunday, 22 December

WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 Adrian Perez de Castro

Monday, 23 December

Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks David Woodhouse
CVE-2024-23945: Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails Stamatis Zampetakis
CVE-2024-45387: Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments Eric Friedrich
Re: Re: Out-of-bounds read & write in the glibc's qsort() Florian Weimer
Re: Re: Out-of-bounds read & write in the glibc's qsort() Florian Weimer
Re: Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov

Tuesday, 24 December

Re: Re: Out-of-bounds read & write in the glibc's qsort() Yuri Gribov
CVE-2024-43441: Apache HugeGraph-Server: Fixed JWT Token(Secret) Imba Jin
CVE-2024-52046: Apache MINA: MINA applications using unbounded deserialization may allow RCE Emmanuel Lécharny

Wednesday, 25 December

CVE-2024-40896 Analysis: libxml2 XXE due to type confusion Yair Mizrahi
Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion Solar Designer
Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion Demi Marie Obenour
Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion Solar Designer

Friday, 27 December

CVE-2024-56512: Apache NiFi: Missing Complete Authorization for Parameter and Service References David Handermann