oss-sec: by date

262 messages starting Jan 03 25 and ending Mar 31 25


Friday, 03 January

Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman
iTerm2 < 3.5.11 logs input/output to /tmp/framer.txt on remote host Jan Schaumann
Re: GStreamer 1.24.10 stable security bug-fix release Alan Coopersmith

Saturday, 04 January

Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Jürgen Groß
Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Solar Designer

Monday, 06 January

Linux: general protection fault in __vmx_vcpu_run with nested virtualization Linfeng Sun
Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Greg KH
Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Demi Marie Obenour

Tuesday, 07 January

Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Solar Designer
CVE-2024-54676: Apache OpenMeetings: Deserialisation of untrusted data in cluster mode Maxim Solodovnik

Wednesday, 08 January

CVE-2024-45033: Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli Elad Kalif
"/bin/sh: The Biggest Unix Security Loophole" paper from 1984 Alan Coopersmith

Saturday, 11 January

[vim-security] heap-buffer-overflow in Vim < 9.1.1003 Christian Brabandt

Monday, 13 January

CVE-2025-22828: Apache CloudStack: Unauthorised access to annotations Nux

Tuesday, 14 January

CVE-2024-45627: Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability Heping Wang
CVE-2024-56374: Django: Potential denial-of-service vulnerability in IPv6 validation Natalia Bidart
RSYNC: 6 vulnerabilities Nick Tait
git: 2 vulnerabilities fixed Johannes Schindelin
Fwd: Node.js security updates for all active release lines, January 2025 Rafael Gonzaga
Re: RSYNC: 6 vulnerabilities Jan Schaumann
Re: RSYNC: 6 vulnerabilities Alan Coopersmith

Wednesday, 15 January

pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner
Session (a fork of the Signal private messaging app) is sus Soatok Dreamseeker
[kubernetes] CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API Vellore Rajakumar, Sri Saran Balaji
Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Jacob Bachmeyer

Thursday, 16 January

Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner
Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Steffen Nurpmeso
Re: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Russ Allbery

Friday, 17 January

Go 1.23.5 and Go 1.22.11 are released with 2 security fixes Alan Coopersmith

Saturday, 18 January

WriteFreely exposes database credentials through insecure file permissions Fay Stegerman
Re: git: 2 vulnerabilities fixed Salvatore Bonaccorso

Monday, 20 January

fdroidserver AllowedAPKSigningKeys certificate pinning fundamentally unreliable Fay Stegerman
CVE-2024-13176: OpenSSL: Timing side-channel in ECDSA signature computation Tomas Mraz
CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files Colm O hEigeartaigh
Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Christian Brabandt
Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Eli Schwartz

Tuesday, 21 January

Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Christian Brabandt
CVE-2024-45478: Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input Velmurugan Periasamy
CVE-2024-45479: Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost Velmurugan Periasamy
Node.js security updates: CVE-2025-23083, CVE-2025-23084, CVE-2025-23085 Jan Schaumann
Fwd: Node.js security updates for all active release lines, January 2025 Rafael Gonzaga
CVE-2025-23195: Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie Viraj Jasani
CVE-2025-23196: Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition Viraj Jasani
CVE-2024-51941: Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts Viraj Jasani
CERT/CC VU#199397 - Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) Alan Coopersmith
AMD Microcode Signature Verification Vulnerability Tavis Ormandy

Wednesday, 22 January

issue with stuck Mitre CVE requests Matthias Gerstner
Re: issue with stuck Mitre CVE requests Greg KH
CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory
Open Virtual Network egress access control list bypass. Mark Michelson
Re: AMD Microcode Signature Verification Vulnerability Demi Marie Obenour
Re: issue with stuck Mitre CVE requests Johannes Segitz
Re: issue with stuck Mitre CVE requests Pedro Sampaio
Re: AMD Microcode Signature Verification Vulnerability Tavis Ormandy
Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj
Re: Open Virtual Network egress access control list bypass. Mark Michelson
CVE-2024-53299: Apache Wicket: An attacker can intentionally trigger a memory leak Pedro Henrique Oliveira dos Santos
Oracle January 2025 Critical Patch Update Solar Designer

Thursday, 23 January

Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory
Re: issue with stuck Mitre CVE requests Matthias Gerstner
Re: Oracle January 2025 Critical Patch Update John Haxby
Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal
Re: Oracle January 2025 Critical Patch Update Alan Coopersmith
Re: issue with stuck Mitre CVE requests Pete Allor
Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Solar Designer
Re: Oracle January 2025 Critical Patch Update Solar Designer
Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Douglas R. Reno

Friday, 24 January

dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) Matthias Gerstner
Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal
Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Alan Coopersmith
7-Zip Mark-of-the-Web Bypass Vulnerability on Windows platforms Alan Coopersmith
Re: issue with stuck Mitre CVE requests Mark Esler
Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Solar Designer
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Greg KH

Saturday, 25 January

Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor
Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Douglas R. Reno
Re: Oracle January 2025 Critical Patch Update Sam James

Sunday, 26 January

CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files Jason Gerlowski
CVE-2024-52012: Apache Solr: Configset upload on Windows allows arbitrary path write-access Jason Gerlowski
Re: dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) U.Mutlu
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer

Monday, 27 January

Re: issue with stuck Mitre CVE requests Johannes Segitz
CVE-2025-24783: Apache Cocoon: continuations may not be private Arnout Engelen
Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal
Re: issue with stuck Mitre CVE requests Pete Allor
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor

Tuesday, 28 January

Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor
CVE-2024-23953: Apache Hive: Timing Attack Against Signature in LLAP util Ayush Saxena
CVE-2024-29869: Apache Hive: Credentials file created with non restrictive permissions Ayush Saxena

Wednesday, 29 January

ISC has disclosed two vulnerabilities in BIND 9 (CVE-2024-11187, CVE-2024-12705) Matthijs Mekking
Re: Oracle January 2025 Critical Patch Update John Haxby

Monday, 03 February

CVE-2024-27137: Apache Cassandra: unrestricted deserialization of JMX authentication credentials Paulo Motta
CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions Paulo Motta
CVE-2025-24860: Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions Paulo Motta

Tuesday, 04 February

Re: AMD Microcode Signature Verification Vulnerability Solar Designer
CVE-2024-48019: Apache Doris: allows admin users to read arbitrary files through the REST API Mingyu Chen
KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting KoreLogic Disclosures
KL-001-2025-002: Checkmk NagVis Remote Code Execution KoreLogic Disclosures

Wednesday, 05 February

[SECURITY ADVISORY] curl: CVE-2025-0167: netrc and default credential leak Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Daniel Stenberg
Curl SSH Insufficient Host Identity Verification Harry Sintonen
Re: [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close Demi Marie Obenour
CVE-2024-37358: Apache James: denial of service through the use of IMAP literals Benoit Tellier
CVE-2024-45626: Apache James: denial of service through JMAP HTML to text conversion Benoit Tellier
CVE-2025-23419: nginx: Client certificate authentication bypass with TLSv1.3 and session resumption Solar Designer
Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer

Thursday, 06 February

Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Daniel Stenberg
pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Matthias Gerstner
Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Fay Stegerman
Linux: kernel BUG at fs/ocfs2/refcounttree.c:2678 ocfs2_refcount_cal_cow_clusters in 6.13.0 Solar Designer
Fwd: libtasn1-4.20.0 released [fixes CVE-2024-12133] Alan Coopersmith
Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Douglas R. Reno
Re: AMD Microcode Signature Verification Vulnerability trinity pointard
Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer

Friday, 07 February

Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Jacob Bachmeyer
CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability Mingyang Liu

Sunday, 09 February

WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001 Adrian Perez de Castro
FELIX-6751: CVE-2025-25247: Apache Felix Webconsole: XSS in services console Carsten Ziegeler

Tuesday, 11 February

Re: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions Paulo Motta
CVE-2025-26467: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only) Paulo Motta
CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected Tomas Mraz
Re: CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected sjw

Wednesday, 12 February

CVE-2024-32838: Apache Fineract: SQL injection vulnerabilities in offices API endpoint Arnout Engelen
CVE-2024-46910: Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user Madhan Neethiraj

Thursday, 13 February

[kubernetes] CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API Craig Ingram
CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Daniel Gutson
Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. upper.underflow

Friday, 14 February

CVE-2024-52577: Apache Ignite: Possible RCE when deserializing incoming messages by the server node Nikita Amelchev
Re: Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. sjw
CVE-2025-23359: Nvidia-container-toolkit: GPU Container Escape (CVE-2024-0132 fix bypass) Yupeng(Roc)
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Nick Wellnhofer
Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Daniel Gutson
CVE-2024-56180: Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution Xue Weiming
[CVE-2024-3220] CPython: Default mimetype known files writeable on Windows Alan Coopersmith

Sunday, 16 February

[vim-security] heap use-after-free in str_to_reg() in Vim < Christian Brabandt
CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection Solar Designer
Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection James Addison

Monday, 17 February

Multiple Vulnerabilities in Barebox Richard Weinberger
Multiple Vulnerabilities in U-Boot Richard Weinberger

Tuesday, 18 February

MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory
Multiple vulnerabilities in libxml2 Nick Wellnhofer
GRUB CVE disclosures Jan Setje-Eilers
Announce: OpenSSH 9.9p2 released Damien Miller

Wednesday, 19 February

Exim: CVE-2025-26794: upcoming security release Heiko Schlittermann

Thursday, 20 February

Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection Solar Designer

Friday, 21 February

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Jordy Zomer
OpenH264 Decoding Functions Heap Overflow Vulnerability Alan Coopersmith
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory
CVE-2025-26794: Exim: SQL injection Heiko Schlittermann
Re: CVE-2025-26794: Exim: SQL injection Solar Designer
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer

Monday, 24 February

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy

Tuesday, 25 February

Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan
CPAN Security Group is CNA for Perl and CPAN Modules Stig Palmquist

Wednesday, 26 February

GNU Emacs 30.1 released with 2 CVE fixes Alan Coopersmith

Thursday, 27 February

Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Xen.org security team
Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin
Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Teddy Astie
Re: Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Demi Marie Obenour
CVE-2025-27531: Apache InLong: An arbitrary file read vulnerability for JDBC Charles Zhang

Saturday, 01 March

Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren
Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin

Sunday, 02 March

[vim-security] potential code execution with tar.vim and special crafted tar files Christian Brabandt

Monday, 03 March

CVE-2024-24778: Apache StreamPipes: Resources Permission Escalation Philipp Zehnder
CVE-2024-55532: Apache Ranger: Improper Neutralization of Formula Elements in a CSV File Velmurugan Periasamy

Wednesday, 05 March

[ANNOUNCE] ATS is vulnerable to malformed requests, and also has ACL issues Masakazu Kitajo
Multiple vulnerabilities in Jenkins Kevin Guerroudj
Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer
Re: AMD Microcode Signature Verification Vulnerability Solar Designer
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer
Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer
Re: AMD Microcode Signature Verification Vulnerability Solar Designer
Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer
Re: AMD Microcode Signature Verification Vulnerability Solar Designer
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Bastian Blank
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer

Thursday, 06 March

Re: AMD Microcode Signature Verification Vulnerability Taylor R Campbell
CVE-2025-26699: Django: Potential denial-of-service in django.utils.text.wrap() Sarah Boyce
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Buherátor

Friday, 07 March

CVE-2025-26865: Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE Jacques Le Roux
Go CVE-2025-22870: proxy bypass using IPv6 zone IDs Alan Coopersmith
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper

Sunday, 09 March

CVE-2025-27636: Apache Camel: Camel Message Header Injection via Improper Filtering Andrea Cosentino

Monday, 10 March

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory
CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Valtteri Vuorikoski
[SBA-ADV-20241209-01] CVE-2024-13918: Laravel 11.9.0-11.35.1 Reflected XSS via Request Parameter in Debug-Mode Error Page SBA Research Security Advisory
[SBA-ADV-20241209-02] CVE-2024-13919: Laravel 11.9.0-11.35.1 Reflected XSS via Route Parameter in Debug-Mode Error Page SBA Research Security Advisory
CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT Mark Thomas
Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Jacob Bachmeyer

Tuesday, 11 March

CVE-2025-27017: Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record Pierre Villard
Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Moritz Mühlenhoff

Wednesday, 12 March

Below: World Writable Directory in /var/log/below Allows Local Privilege Escalation (CVE-2025-27591) Matthias Gerstner
CVE-2025-29891: Apache Camel: Camel Message Header Injection through request parameters Andrea Cosentino
FELIX-6753: CVE-2025-27867: Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin Carsten Ziegeler
[vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt
CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind
CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Douglas Bagnall
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Jonathan Wright
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer
Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Solar Designer
Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Eli Schwartz

Thursday, 13 March

Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers
[kubernetes] CVE-2025-1767: GitRepo Volume Inadvertent Local Repository Access Vellore Rajakumar, Sri Saran Balaji
Triton Product Security announcement: Debian 12 LX image from 2024-07 has static SSH keys Dan McDonald
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Salvatore Bonaccorso
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Vulnerability Disclosure
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind

Friday, 14 March

Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind
[CVE-2024-8176] Long linear chains of entities crash Expat with stack overflow due to use of unlimited recursion Alan Coopersmith
PHP security releases 8.4.5, 8.3.19, 8.2.28, 8.1.32 Alan Coopersmith
expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities Hanno Böck

Saturday, 15 March

Re: expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities Qualys Security Advisory
tj-action/changed-files GitHub action was compromised Mark Esler

Tuesday, 18 March

Re: tj-action/changed-files GitHub action was compromised Mark Esler
Re: tj-action/changed-files GitHub action was compromised Jacob Bachmeyer

Wednesday, 19 March

Multiple vulnerabilities in Jenkins plugins Daniel Beck
CVE-2025-27018: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function Elad Kalif
CVE-2024-47552: Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server Min Ji
CVE-2024-54016: compression bomb attack in Apache Seata Server Min Ji
CVE-2025-27888: Apache Druid: Server-Side Request Forgery and Cross-Site Scripting Adarsh Sanjeev

Thursday, 20 March

WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 Adrian Perez de Castro
[kubernetes] CVE-2024-7598: Network restriction bypass via race condition during namespace termination Craig Ingram

Friday, 21 March

CVE-2025-26796: Apache Oozie: XSS in Oozie Web Console Arnout Engelen
Mercurial 6.9.4 fixes CVE-2025-2361: XSS in hgweb Alan Coopersmith

Sunday, 23 March

CVE-2025-27553: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT Gary D. Gregory
CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message Gary D. Gregory
CVE-2025-29927: Authorization Bypass in Next.js Middleware Alan Coopersmith
Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware Alan Coopersmith

Monday, 24 March

CVE-2024-53678: Apache VCL: SQL injection vulnerability in New Block Allocation form Josh Thompson
CVE-2024-53679: Apache VCL: XSS vulnerability in User Lookup impacting user privileges Josh Thompson
[kubernetes] Multiple vulnerabilities in ingress-nginx Tabitha Sable
Re: [kubernetes] Multiple vulnerabilities in ingress-nginx Kevin Daudt

Wednesday, 26 March

CVE-2025-30232: UAF in Exim 4.96 to 4.98.1 Valtteri Vuorikoski
atop: Heap corruption Solar Designer
Re: atop: Heap corruption Alan Coopersmith
Re: atop: Heap corruption Thomas Ward
Re: atop: Heap corruption Mark Steward
Re: atop: Heap corruption Solar Designer
CVE-2025-30067: Apache Kylin: The remote code execution via jdbc url Li Yang
CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api Li Yang

Thursday, 27 March

Three bypasses of Ubuntu's unprivileged user namespace restrictions Qualys Security Advisory
wait3() system call as a side-channel in setuid programs (nvidia-modprobe CVE-2024-0149) Wolfgang Frisch
CVE-2024-56325: Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required siddharth teotia

Friday, 28 March

use-after-free (maybe?) in libspf2 Hanno Böck
Re: atop: Heap corruption Alan Coopersmith

Saturday, 29 March

CVE-2025-31160 Atop 2.11 heap problems Gerlof Langeveld

Monday, 31 March

CVE-2025-27427: Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission Justin Bertram
CVE-2025-30065: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata Gang Wu
CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. Enxin Xie