oss-sec: by author
262 messages starting Mar 19 25 and ending Feb 14 25
Adarsh Sanjeev
CVE-2025-27888: Apache Druid: Server-Side Request Forgery and Cross-Site Scripting Adarsh Sanjeev (Mar 19)
Adrian Perez de Castro
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 Adrian Perez de Castro (Mar 20)
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001 Adrian Perez de Castro (Feb 09)
Alan Coopersmith
CERT/CC VU#199397 - Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) Alan Coopersmith (Jan 21)
OpenH264 Decoding Functions Heap Overflow Vulnerability Alan Coopersmith (Feb 21)
[CVE-2024-8176] Long linear chains of entities crash Expat with stack overflow due to use of unlimited recursion Alan Coopersmith (Mar 14)
CVE-2025-29927: Authorization Bypass in Next.js Middleware Alan Coopersmith (Mar 23)
Fwd: libtasn1-4.20.0 released [fixes CVE-2024-12133] Alan Coopersmith (Feb 06)
"/bin/sh: The Biggest Unix Security Loophole" paper from 1984 Alan Coopersmith (Jan 08)
Re: atop: Heap corruption Alan Coopersmith (Mar 26)
Re: GStreamer 1.24.10 stable security bug-fix release Alan Coopersmith (Jan 03)
Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware Alan Coopersmith (Mar 23)
Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Alan Coopersmith (Jan 24)
GNU Emacs 30.1 released with 2 CVE fixes Alan Coopersmith (Feb 26)
Re: RSYNC: 6 vulnerabilities Alan Coopersmith (Jan 14)
Re: atop: Heap corruption Alan Coopersmith (Mar 28)
Go CVE-2025-22870: proxy bypass using IPv6 zone IDs Alan Coopersmith (Mar 07)
7-Zip Mark-of-the-Web Bypass Vulnerability on Windows platforms Alan Coopersmith (Jan 24)
Go 1.23.5 and Go 1.22.11 are released with 2 security fixes Alan Coopersmith (Jan 17)
Mercurial 6.9.4 fixes CVE-2025-2361: XSS in hgweb Alan Coopersmith (Mar 21)
PHP security releases 8.4.5, 8.3.19, 8.2.28, 8.1.32 Alan Coopersmith (Mar 14)
[CVE-2024-3220] CPython: Default mimetype known files writeable on Windows Alan Coopersmith (Feb 14)
Re: Oracle January 2025 Critical Patch Update Alan Coopersmith (Jan 23)
Andrea Cosentino
CVE-2025-29891: Apache Camel: Camel Message Header Injection through request parameters Andrea Cosentino (Mar 12)
CVE-2025-27636: Apache Camel: Camel Message Header Injection via Improper Filtering Andrea Cosentino (Mar 09)
Andrew Cooper
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 06)
Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 07)
Arnout Engelen
CVE-2025-26796: Apache Oozie: XSS in Oozie Web Console Arnout Engelen (Mar 21)
CVE-2025-24783: Apache Cocoon: continuations may not be private Arnout Engelen (Jan 27)
CVE-2024-32838: Apache Fineract: SQL injection vulnerabilities in offices API endpoint Arnout Engelen (Feb 12)
Ayush Saxena
CVE-2024-23953: Apache Hive: Timing Attack Against Signature in LLAP util Ayush Saxena (Jan 28)
CVE-2024-29869: Apache Hive: Credentials file created with non restrictive permissions Ayush Saxena (Jan 28)
Bastian Blank
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Bastian Blank (Mar 05)
Benoit Tellier
CVE-2024-37358: Apache James: denial of service through the use of IMAP literals Benoit Tellier (Feb 05)
CVE-2024-45626: Apache James: denial of service through JMAP HTML to text conversion Benoit Tellier (Feb 05)
Bruce Lowenthal
Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 27)
Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 24)
Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 23)
Buherátor
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Buherátor (Mar 06)
Carsten Ziegeler
FELIX-6753: CVE-2025-27867: Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin Carsten Ziegeler (Mar 12)
FELIX-6751: CVE-2025-25247: Apache Felix Webconsole: XSS in services console Carsten Ziegeler (Feb 09)
Charles Zhang
CVE-2025-27531: Apache InLong: An arbitrary file read vulnerability for JDBC Charles Zhang (Feb 27)
Christian Brabandt
Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Christian Brabandt (Jan 20)
[vim-security] heap-buffer-overflow in Vim < 9.1.1003 Christian Brabandt (Jan 11)
Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt (Mar 13)
[vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt (Mar 12)
[vim-security] heap use-after-free in str_to_reg() in Vim < Christian Brabandt (Feb 16)
[vim-security] potential code execution with tar.vim and special crafted tar files Christian Brabandt (Mar 02)
Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Christian Brabandt (Jan 21)
Colm O hEigeartaigh
CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files Colm O hEigeartaigh (Jan 20)
Craig Ingram
[kubernetes] CVE-2024-7598: Network restriction bypass via race condition during namespace termination Craig Ingram (Mar 20)
[kubernetes] CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API Craig Ingram (Feb 13)
Damien Miller
Announce: OpenSSH 9.9p2 released Damien Miller (Feb 18)
Daniel Beck
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 19)
Daniel Gutson
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Daniel Gutson (Feb 14)
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Daniel Gutson (Feb 13)
Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2025-0167: netrc and default credential leak Daniel Stenberg (Feb 05)
Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Daniel Stenberg (Feb 06)
[SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Daniel Stenberg (Feb 05)
[SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close Daniel Stenberg (Feb 05)
Dan McDonald
Triton Product Security announcement: Debian 12 LX image from 2024-07 has static SSH keys Dan McDonald (Mar 13)
Demi Marie Obenour
Re: AMD Microcode Signature Verification Vulnerability Demi Marie Obenour (Jan 22)
Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Demi Marie Obenour (Jan 06)
Re: Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Demi Marie Obenour (Feb 27)
Re: [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close Demi Marie Obenour (Feb 05)
Dmitry Belyavskiy
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
Douglas Bagnall
CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Douglas Bagnall (Mar 12)
Douglas R. Reno
Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Douglas R. Reno (Feb 06)
Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Douglas R. Reno (Jan 23)
Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Douglas R. Reno (Jan 25)
Elad Kalif
CVE-2025-27018: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function Elad Kalif (Mar 19)
CVE-2024-45033: Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli Elad Kalif (Jan 08)
Eli Schwartz
Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Eli Schwartz (Jan 20)
Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Eli Schwartz (Mar 12)
Enxin Xie
CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. Enxin Xie (Mar 31)
Fay Stegerman
fdroidserver AllowedAPKSigningKeys certificate pinning fundamentally unreliable Fay Stegerman (Jan 20)
WriteFreely exposes database credentials though insecure file permissions Fay Stegerman (Jan 18)
Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Fay Stegerman (Feb 06)
Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman (Jan 03)
Florian Weimer
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer (Jan 28)
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer (Jan 26)
Gang Wu
CVE-2025-30065: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata Gang Wu (Mar 31)
Gary D. Gregory
CVE-2025-27553: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT Gary D. Gregory (Mar 23)
CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message Gary D. Gregory (Mar 23)
Gerlof Langeveld
CVE-2025-31160 Atop 2.11 heap problems Gerlof Langeveld (Mar 29)
Greg KH
Re: issue with stuck Mitre CVE requests Greg KH (Jan 22)
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Greg KH (Jan 24)
Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Greg KH (Jan 06)
Hanno Böck
expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities Hanno Böck (Mar 14)
use-after-free (maybe?) in libspf2 Hanno Böck (Mar 28)
Harry Sintonen
Curl SSH Insufficient Host Identity Verification Harry Sintonen (Feb 05)
Heiko Schlittermann
Exim: CVE-2025-26794: upcoming security release Heiko Schlittermann (Feb 19)
CVE-2025-26794: Exim: SQL injection Heiko Schlittermann (Feb 21)
Henrik Ahlgren
Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren (Mar 01)
Heping Wang
CVE-2024-45627: Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability Heping Wang (Jan 14)
Jacob Bachmeyer
Re: tj-action/changed-files GitHub action was compromised Jacob Bachmeyer (Mar 18)
Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Jacob Bachmeyer (Mar 10)
Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Jacob Bachmeyer (Jan 15)
Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Mar 05)
Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Jacob Bachmeyer (Feb 07)
Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Feb 05)
Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Feb 06)
Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Mar 05)
Jacques Le Roux
CVE-2025-26865: Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE Jacques Le Roux (Mar 07)
James Addison
Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection James Addison (Feb 16)
Jan Schaumann
Re: RSYNC: 6 vulnerabilities Jan Schaumann (Jan 14)
iTerm2 < 3.5.11 logs input/ouput to /tmp/framer.txt on remote host Jan Schaumann (Jan 03)
Node.js security updates: CVE-2025-23083, CVE-2025-23084, CVE-2025-23085 Jan Schaumann (Jan 21)
Jan Setje-Eilers
GRUB CVE disclosures Jan Setje-Eilers (Feb 18)
Jason Gerlowski
CVE-2024-52012: Apache Solr: Configset upload on Windows allows arbitrary path write-access Jason Gerlowski (Jan 26)
CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files Jason Gerlowski (Jan 26)
Johannes Schindelin
git: 2 vulnerabilities fixed Johannes Schindelin (Jan 14)
Johannes Segitz
Re: issue with stuck Mitre CVE requests Johannes Segitz (Jan 27)
Re: issue with stuck Mitre CVE requests Johannes Segitz (Jan 22)
John Haxby
Re: Oracle January 2025 Critical Patch Update John Haxby (Jan 23)
Re: Oracle January 2025 Critical Patch Update John Haxby (Jan 29)
Jonathan Wright
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Jonathan Wright (Mar 12)
Jordy Zomer
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Jordy Zomer (Feb 21)
Josh Thompson
CVE-2024-53679: Apache VCL: XSS vulnerability in User Lookup impacting user privileges Josh Thompson (Mar 24)
CVE-2024-53678: Apache VCL: SQL injection vulnerability in New Block Allocation form Josh Thompson (Mar 24)
Jürgen Groß
Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Jürgen Groß (Jan 04)
Justin Bertram
CVE-2025-27427: Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission Justin Bertram (Mar 31)
Kevin Daudt
Re: [kubernetes] Multiple vulnerabilities in ingress-nginx Kevin Daudt (Mar 24)
Kevin Guerroudj
Multiple vulnerabilities in Jenkins Kevin Guerroudj (Mar 05)
Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj (Jan 22)
KoreLogic Disclosures
KL-001-2025-002: Checkmk NagVis Remote Code Execution KoreLogic Disclosures (Feb 04)
KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting KoreLogic Disclosures (Feb 04)
Linfeng Sun
Linux: general protection fault in __vmx_vcpu_run with nested virtualization Linfeng Sun (Jan 06)
Li Yang
CVE-2025-30067: Apache Kylin: The remote code execution via jdbc url Li Yang (Mar 26)
CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api Li Yang (Mar 26)
Madhan Neethiraj
CVE-2024-46910: Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user Madhan Neethiraj (Feb 12)
Marc Deslauriers
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 13)
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 14)
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 14)
Mark Esler
Re: issue with stuck Mitre CVE requests Mark Esler (Jan 24)
tj-action/changed-files GitHub action was compromised Mark Esler (Mar 15)
Re: tj-action/changed-files GitHub action was compromised Mark Esler (Mar 18)
Mark Michelson
Re: Open Virtual Network egress access control list bypass. Mark Michelson (Jan 22)
Open Virtual Network egress access control list bypass. Mark Michelson (Jan 22)
Mark Steward
Re: atop: Heap corruption Mark Steward (Mar 26)
Mark Thomas
CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT Mark Thomas (Mar 10)
Masakazu Kitajo
[ANNOUNCE] ATS is vulnerable to malformed requests, and also has ACL issues Masakazu Kitajo (Mar 05)
Matthias Gerstner
Re: issue with stuck Mitre CVE requests Matthias Gerstner (Jan 23)
Below: World Writable Directory in /var/log/below Allows Local Privilege Escalation (CVE-2025-27591) Matthias Gerstner (Mar 12)
pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Matthias Gerstner (Feb 06)
Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 16)
issue with stuck Mitre CVE requests Matthias Gerstner (Jan 22)
dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) Matthias Gerstner (Jan 24)
pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 15)
Matthijs Mekking
ISC has disclosed two vulnerabilities in BIND 9 (CVE-2024-11187, CVE-2024-12705) Matthijs Mekking (Jan 29)
Maxim Solodovnik
CVE-2024-54676: Apache OpenMeetings: Deserialisation of untrusted data in cluster mode Maxim Solodovnik (Jan 07)
Max Nikulin
Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Feb 27)
Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Mar 01)
Michel Lind
CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind (Mar 12)
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind (Mar 13)
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind (Mar 14)
Mingyang Liu
CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability Mingyang Liu (Feb 07)
Mingyu Chen
CVE-2024-48019: Apache Doris: allows admin users to read arbitrary files through the REST API Mingyu Chen (Feb 04)
Min Ji
CVE-2024-47552: Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server Min Ji (Mar 19)
CVE-2024-54016: compression bomb attack in Apache Seata Server Min Ji (Mar 19)
Moritz Mühlenhoff
Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Moritz Mühlenhoff (Mar 11)
Natalia Bidart
CVE-2024-56374: Django: Potential denial-of-service vulnerability in IPv6 validation Natalia Bidart (Jan 14)
Nick Tait
RSYNC: 6 vulnerabilities Nick Tait (Jan 14)
Nick Wellnhofer
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Nick Wellnhofer (Feb 14)
Multiple vulnerabilities in libxml2 Nick Wellnhofer (Feb 18)
Nikita Amelchev
CVE-2024-52577: Apache Ignite: Possible RCE when deserializing incoming messages by the server node Nikita Amelchev (Feb 14)
Nux
CVE-2025-22828: Apache CloudStack: Unauthorised access to annotations Nux (Jan 13)
Olivier Fourdan
Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Feb 25)
Paulo Motta
CVE-2024-27137: Apache Cassandra: unrestricted deserialization of JMX authentication credentials Paulo Motta (Feb 03)
Re: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions Paulo Motta (Feb 11)
CVE-2025-24860: Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions Paulo Motta (Feb 03)
CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions Paulo Motta (Feb 03)
CVE-2025-26467: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only) Paulo Motta (Feb 11)
Pedro Henrique Oliveira dos Santos
CVE-2024-53299: Apache Wicket: An attacker can intentionally trigger a memory leak Pedro Henrique Oliveira dos Santos (Jan 22)
Pedro Sampaio
Re: issue with stuck Mitre CVE requests Pedro Sampaio (Jan 22)
Pete Allor
Re: issue with stuck Mitre CVE requests Pete Allor (Jan 27)
Re: issue with stuck Mitre CVE requests Pete Allor (Jan 23)
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 25)
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 27)
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 28)
Philipp Zehnder
CVE-2024-24778: Apache StreamPipes: Resources Permission Escalation Philipp Zehnder (Mar 03)
Pierre Villard
CVE-2025-27017: Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record Pierre Villard (Mar 11)
Qualys Security Advisory
MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Feb 18)
CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory (Jan 22)
Three bypasses of Ubuntu's unprivileged user namespace restrictions Qualys Security Advisory (Mar 27)
Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory (Jan 23)
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Feb 21)
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Mar 10)
Re: expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities Qualys Security Advisory (Mar 15)
Rafael Gonzaga
Fwd: Node.js security updates for all active release lines, January 2025 Rafael Gonzaga (Jan 21)
Fwd: Node.js security updates for all active release lines, January 2025 Rafael Gonzaga (Jan 14)
Richard Weinberger
Multiple Vulnerabilities in Barebox Richard Weinberger (Feb 17)
Multiple Vulnerabilities in U-Boot Richard Weinberger (Feb 17)
Rich Felker
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker (Feb 13)
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker (Feb 13)
CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker (Feb 13)
Russ Allbery
Re: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Russ Allbery (Jan 16)
Salvatore Bonaccorso
Re: git: 2 vulnerabilities fixed Salvatore Bonaccorso (Jan 18)
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Salvatore Bonaccorso (Mar 13)
Sam James
Re: Oracle January 2025 Critical Patch Update Sam James (Jan 25)
Sarah Boyce
CVE-2025-26699: Django: Potential denial-of-service in django.utils.text.wrap() Sarah Boyce (Mar 06)
SBA Research Security Advisory
[SBA-ADV-20241209-02] CVE-2024-13919: Laravel 11.9.0-11.35.1 Reflected XSS via Route Parameter in Debug-Mode Error Page SBA Research Security Advisory (Mar 10)
[SBA-ADV-20241209-01] CVE-2024-13918: Laravel 11.9.0-11.35.1 Reflected XSS via Request Parameter in Debug-Mode Error Page SBA Research Security Advisory (Mar 10)
siddharth teotia
CVE-2024-56325: Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required siddharth teotia (Mar 27)
sjw
Re: CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected sjw (Feb 11)
Re: Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. sjw (Feb 14)
Soatok Dreamseeker
Session (a fork of the Signal private messaging app) is sus Soatok Dreamseeker (Jan 15)
Solar Designer
Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Solar Designer (Mar 12)
Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection Solar Designer (Feb 20)
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer (Feb 24)
Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Solar Designer (Jan 24)
Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Solar Designer (Jan 04)
CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection Solar Designer (Feb 16)
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
atop: Heap corruption Solar Designer (Mar 26)
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer (Feb 21)
Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
Linux: kernel BUG at fs/ocfs2/refcounttree.c:2678 ocfs2_refcount_cal_cow_clusters in 6.13.0 Solar Designer (Feb 06)
Re: Oracle January 2025 Critical Patch Update Solar Designer (Jan 23)
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 12)
Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Feb 04)
Oracle January 2025 Critical Patch Update Solar Designer (Jan 22)
Re: atop: Heap corruption Solar Designer (Mar 26)
Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Solar Designer (Jan 23)
Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Solar Designer (Jan 07)
CVE-2025-23419: nginx: Client certificate authentication bypass with TLSv1.3 and session resumption Solar Designer (Feb 05)
Re: CVE-2025-26794: Exim: SQL injection Solar Designer (Feb 21)
Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
Steffen Nurpmeso
Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Steffen Nurpmeso (Jan 16)
Stig Palmquist
CPAN Security Group is CNA for Perl and CPAN Modules Stig Palmquist (Feb 25)
Tabitha Sable
[kubernetes] Multiple vulnerabilities in ingress-nginx Tabitha Sable (Mar 24)
Tavis Ormandy
Re: AMD Microcode Signature Verification Vulnerability Tavis Ormandy (Jan 22)
AMD Microcode Signature Verification Vulnerability Tavis Ormandy (Jan 21)
Taylor R Campbell
Re: AMD Microcode Signature Verification Vulnerability Taylor R Campbell (Mar 06)
Teddy Astie
Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Teddy Astie (Feb 27)
Thomas Ward
Re: atop: Heap corruption Thomas Ward (Mar 26)
Tomas Mraz
CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected Tomas Mraz (Feb 11)
CVE-2024-13176: OpenSSL: Timing side-channel in ECDSA signature computation Tomas Mraz (Jan 20)
trinity pointard
Re: AMD Microcode Signature Verification Vulnerability trinity pointard (Feb 06)
U.Mutlu
Re: dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) U.Mutlu (Jan 26)
upper.underflow
Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. upper.underflow (Feb 13)
Valtteri Vuorikoski
CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Valtteri Vuorikoski (Mar 10)
CVE-2025-30232: UAF in Exim 4.96 to 4.98.1 Valtteri Vuorikoski (Mar 26)
Vellore Rajakumar, Sri Saran Balaji
[kubernetes] CVE-2025-1767: GitRepo Volume Inadvertent Local Repository Access Vellore Rajakumar, Sri Saran Balaji (Mar 13)
[kubernetes] CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API Vellore Rajakumar, Sri Saran Balaji (Jan 15)
Velmurugan Periasamy
CVE-2024-55532: Apache Ranger: Improper Neutralization of Formula Elements in a CSV File Velmurugan Periasamy (Mar 03)
CVE-2024-45479: Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost Velmurugan Periasamy (Jan 21)
CVE-2024-45478: Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input Velmurugan Periasamy (Jan 21)
Viraj Jasani
CVE-2025-23195: Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie Viraj Jasani (Jan 21)
CVE-2025-23196: Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition Viraj Jasani (Jan 21)
CVE-2024-51941: Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts Viraj Jasani (Jan 21)
Vulnerability Disclosure
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Vulnerability Disclosure (Mar 13)
Wolfgang Frisch
wait3() system call as a side-channel in setuid programs (nvidia-modprobe CVE-2024-0149) Wolfgang Frisch (Mar 27)
Xen . org security team
Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Xen . org security team (Feb 27)
Xue Weiming
CVE-2024-56180: Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution Xue Weiming (Feb 14)
Yupeng(Roc)
CVE-2025-23359: Nvidia-container-toolkit: GPU Container Escape (CVE-2024-0132 fix bypass) Yupeng(Roc) (Feb 14)
