oss-sec: by thread

• RSS Feed
• About List
• All Lists

Previous period

Next period

262 messages starting Jan 03 25 and ending Mar 31 25
Date index | Thread index | Author index

• Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman (Jan 03)
• iTerm2 < 3.5.11 logs input/ouput to /tmp/framer.txt on remote host Jan Schaumann (Jan 03)
• Re: GStreamer 1.24.10 stable security bug-fix release Alan Coopersmith (Jan 03)
• Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Jürgen Groß (Jan 04)
  • Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Solar Designer (Jan 04)
• Linux: general protection fault in __vmx_vcpu_run with nested virtualization Linfeng Sun (Jan 06)
  • Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Greg KH (Jan 06)
    • Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Demi Marie Obenour (Jan 06)
  • Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Solar Designer (Jan 07)
• CVE-2024-54676: Apache OpenMeetings: Deserialisation of untrusted data in cluster mode Maxim Solodovnik (Jan 07)
• CVE-2024-45033: Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli Elad Kalif (Jan 08)
• "/bin/sh: The Biggest Unix Security Loophole" paper from 1984 Alan Coopersmith (Jan 08)
• [vim-security] heap-buffer-overflow in Vim < 9.1.1003 Christian Brabandt (Jan 11)
• CVE-2025-22828: Apache CloudStack: Unauthorised access to annotations Nux (Jan 13)
• CVE-2024-45627: Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability Heping Wang (Jan 14)
• CVE-2024-56374: Django: Potential denial-of-service vulnerability in IPv6 validation Natalia Bidart (Jan 14)
• RSYNC: 6 vulnerabilities Nick Tait (Jan 14)
  • Re: RSYNC: 6 vulnerabilities Jan Schaumann (Jan 14)
  • Re: RSYNC: 6 vulnerabilities Alan Coopersmith (Jan 14)
• git: 2 vulnerabilities fixed Johannes Schindelin (Jan 14)
  • Re: git: 2 vulnerabilities fixed Salvatore Bonaccorso (Jan 18)
• Fwd: Node.js security updates for all active release lines, January 2025 Rafael Gonzaga (Jan 14)
  • <Possible follow-ups>
  • Fwd: Node.js security updates for all active release lines, January 2025 Rafael Gonzaga (Jan 21)
• pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 15)
  • Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Jacob Bachmeyer (Jan 15)
    • Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 16)
      • Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Steffen Nurpmeso (Jan 16)
      • Re: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Russ Allbery (Jan 16)
• Session (a fork of the Signal private messaging app) is sus Soatok Dreamseeker (Jan 15)
• [kubernetes] CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API Vellore Rajakumar, Sri Saran Balaji (Jan 15)
• Go 1.23.5 and Go 1.22.11 are released with 2 security fixes Alan Coopersmith (Jan 17)
• WriteFreely exposes database credentials though insecure file permissions Fay Stegerman (Jan 18)
• fdroidserver AllowedAPKSigningKeys certificate pinning fundamentally unreliable Fay Stegerman (Jan 20)
• CVE-2024-13176: OpenSSL: Timing side-channel in ECDSA signature computation Tomas Mraz (Jan 20)
• CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files Colm O hEigeartaigh (Jan 20)
• Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Christian Brabandt (Jan 20)
  • Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Eli Schwartz (Jan 20)
    • Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Christian Brabandt (Jan 21)
• CVE-2024-45478: Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input Velmurugan Periasamy (Jan 21)
• CVE-2024-45479: Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost Velmurugan Periasamy (Jan 21)
• Node.js security updates: CVE-2025-23083, CVE-2025-23084, CVE-2025-23085 Jan Schaumann (Jan 21)
  • Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Alan Coopersmith (Jan 24)
    • Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Greg KH (Jan 24)
      • Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 25)
      • Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer (Jan 26)
      • Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 27)
      • Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer (Jan 28)
      • Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 28)
• CVE-2025-23195: Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie Viraj Jasani (Jan 21)
• CVE-2025-23196: Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition Viraj Jasani (Jan 21)
• CVE-2024-51941: Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts Viraj Jasani (Jan 21)
• CERT/CC VU#199397 - Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) Alan Coopersmith (Jan 21)
• AMD Microcode Signature Verification Vulnerability Tavis Ormandy (Jan 21)
  • Re: AMD Microcode Signature Verification Vulnerability Demi Marie Obenour (Jan 22)
    • Re: AMD Microcode Signature Verification Vulnerability Tavis Ormandy (Jan 22)
      • Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Feb 04)
      • Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Feb 05)
      • Re: AMD Microcode Signature Verification Vulnerability trinity pointard (Feb 06)
      • Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Feb 06)
      • Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
      • Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Mar 05)
      • Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
      • Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Mar 05)
      • Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
      • Re: AMD Microcode Signature Verification Vulnerability Taylor R Campbell (Mar 06)
• issue with stuck Mitre CVE requests Matthias Gerstner (Jan 22)
  • Re: issue with stuck Mitre CVE requests Greg KH (Jan 22)
    • Re: issue with stuck Mitre CVE requests Johannes Segitz (Jan 22)
      • Re: issue with stuck Mitre CVE requests Mark Esler (Jan 24)
      • Re: issue with stuck Mitre CVE requests Johannes Segitz (Jan 27)
      • Re: issue with stuck Mitre CVE requests Pete Allor (Jan 27)
    • Re: issue with stuck Mitre CVE requests Pedro Sampaio (Jan 22)
  • Re: issue with stuck Mitre CVE requests Matthias Gerstner (Jan 23)
    • Re: issue with stuck Mitre CVE requests Pete Allor (Jan 23)
• CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory (Jan 22)
  • Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory (Jan 23)
• Open Virtual Network egress access control list bypass. Mark Michelson (Jan 22)
  • Re: Open Virtual Network egress access control list bypass. Mark Michelson (Jan 22)
• Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj (Jan 22)
  • <Possible follow-ups>
  • Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 19)
• CVE-2024-53299: Apache Wicket: An attacker can intentionally trigger a memory leak Pedro Henrique Oliveira dos Santos (Jan 22)
• Oracle January 2025 Critical Patch Update Solar Designer (Jan 22)
  • Re: Oracle January 2025 Critical Patch Update John Haxby (Jan 23)
  • Message not available
    • Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 23)
      • Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Solar Designer (Jan 23)
      • Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Douglas R. Reno (Jan 23)
      • Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Solar Designer (Jan 24)
      • Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Douglas R. Reno (Jan 25)
      • Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 27)
      • Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 24)
  • Re: Oracle January 2025 Critical Patch Update Alan Coopersmith (Jan 23)
    • Re: Oracle January 2025 Critical Patch Update Solar Designer (Jan 23)
      • Re: Oracle January 2025 Critical Patch Update Sam James (Jan 25)
    • Re: Oracle January 2025 Critical Patch Update John Haxby (Jan 29)
• dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) Matthias Gerstner (Jan 24)
  • Re: dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) U.Mutlu (Jan 26)
• 7-Zip Mark-of-the-Web Bypass Vulnerability on Windows platforms Alan Coopersmith (Jan 24)
• CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files Jason Gerlowski (Jan 26)
• CVE-2024-52012: Apache Solr: Configset upload on Windows allows arbitrary path write-access Jason Gerlowski (Jan 26)
• CVE-2025-24783: Apache Cocoon: continuations may not be private Arnout Engelen (Jan 27)
• CVE-2024-23953: Apache Hive: Timing Attack Against Signature in LLAP util Ayush Saxena (Jan 28)
• CVE-2024-29869: Apache Hive: Credentials file created with non restrictive permissions Ayush Saxena (Jan 28)
• ISC has disclosed two vulnerabilities in BIND 9 (CVE-2024-11187, CVE-2024-12705) Matthijs Mekking (Jan 29)
• CVE-2024-27137: Apache Cassandra: unrestricted deserialization of JMX authentication credentials Paulo Motta (Feb 03)
• CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions Paulo Motta (Feb 03)
  • <Possible follow-ups>
  • Re: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions Paulo Motta (Feb 11)
• CVE-2025-24860: Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions Paulo Motta (Feb 03)
• CVE-2024-48019: Apache Doris: allows admin users to read arbitrary files through the REST API Mingyu Chen (Feb 04)
• KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting KoreLogic Disclosures (Feb 04)
• KL-001-2025-002: Checkmk NagVis Remote Code Execution KoreLogic Disclosures (Feb 04)
• [SECURITY ADVISORY] curl: CVE-2025-0167: netrc and default credential leak Daniel Stenberg (Feb 05)
• [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close Daniel Stenberg (Feb 05)
  • Re: [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close Demi Marie Obenour (Feb 05)
• [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Daniel Stenberg (Feb 05)
  • Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Fay Stegerman (Feb 06)
    • Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Daniel Stenberg (Feb 06)
• Curl SSH Insufficient Host Identity Verification Harry Sintonen (Feb 05)
• CVE-2024-37358: Apache James: denial of service through the use of IMAP literals Benoit Tellier (Feb 05)
• CVE-2024-45626: Apache James: denial of service through JMAP HTML to text conversion Benoit Tellier (Feb 05)
• CVE-2025-23419: nginx: Client certificate authentication bypass with TLSv1.3 and session resumption Solar Designer (Feb 05)
• pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Matthias Gerstner (Feb 06)
  • Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Douglas R. Reno (Feb 06)
  • Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Jacob Bachmeyer (Feb 07)
• Linux: kernel BUG at fs/ocfs2/refcounttree.c:2678 ocfs2_refcount_cal_cow_clusters in 6.13.0 Solar Designer (Feb 06)
• Fwd: libtasn1-4.20.0 released [fixes CVE-2024-12133] Alan Coopersmith (Feb 06)
• CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability Mingyang Liu (Feb 07)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001 Adrian Perez de Castro (Feb 09)
• FELIX-6751: CVE-2025-25247: Apache Felix Webconsole: XSS in services console Carsten Ziegeler (Feb 09)
• CVE-2025-26467: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only) Paulo Motta (Feb 11)
• CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected Tomas Mraz (Feb 11)
  • Re: CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected sjw (Feb 11)
• CVE-2024-32838: Apache Fineract: SQL injection vulnerabilities in offices API endpoint Arnout Engelen (Feb 12)
• CVE-2024-46910: Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user Madhan Neethiraj (Feb 12)
• [kubernetes] CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API Craig Ingram (Feb 13)
• CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker (Feb 13)
  • Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker (Feb 13)
  • Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Daniel Gutson (Feb 13)
    • Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker (Feb 13)
    • Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Nick Wellnhofer (Feb 14)
      • Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Daniel Gutson (Feb 14)
• Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. upper.underflow (Feb 13)
  • Re: Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. sjw (Feb 14)
• CVE-2024-52577: Apache Ignite: Possible RCE when deserializing incoming messages by the server node Nikita Amelchev (Feb 14)
• CVE-2025-23359: Nvidia-container-toolkit: GPU Container Escape (CVE-2024-0132 fix bypass) Yupeng(Roc) (Feb 14)
• CVE-2024-56180: Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution Xue Weiming (Feb 14)
• [CVE-2024-3220] CPython: Default mimetype known files writeable on Windows Alan Coopersmith (Feb 14)
• [vim-security] heap use-after-free in str_to_reg() in Vim < Christian Brabandt (Feb 16)
• CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection Solar Designer (Feb 16)
  • Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection James Addison (Feb 16)
    • Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection Solar Designer (Feb 20)
• Multiple Vulnerabilities in Barebox Richard Weinberger (Feb 17)
• Multiple Vulnerabilities in U-Boot Richard Weinberger (Feb 17)
• MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Feb 18)
  • Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer (Feb 21)
    • Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
      • Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer (Feb 24)
      • Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
  • <Possible follow-ups>
  • Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Jordy Zomer (Feb 21)
    • Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Feb 21)
      • Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Buherátor (Mar 06)
      • Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Mar 10)
• Multiple vulnerabilities in libxml2 Nick Wellnhofer (Feb 18)
• GRUB CVE disclosures Jan Setje-Eilers (Feb 18)
• Announce: OpenSSH 9.9p2 released Damien Miller (Feb 18)
• Exim: CVE-2025-26794: upcoming security release Heiko Schlittermann (Feb 19)
• OpenH264 Decoding Functions Heap Overflow Vulnerability Alan Coopersmith (Feb 21)
• CVE-2025-26794: Exim: SQL injection Heiko Schlittermann (Feb 21)
  • Re: CVE-2025-26794: Exim: SQL injection Solar Designer (Feb 21)
• Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Feb 25)
• CPAN Security Group is CNA for Perl and CPAN Modules Stig Palmquist (Feb 25)
• GNU Emacs 30.1 released with 2 CVE fixes Alan Coopersmith (Feb 26)
  • Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Feb 27)
    • Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren (Mar 01)
      • Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Mar 01)
• Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Xen . org security team (Feb 27)
  • Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Teddy Astie (Feb 27)
    • Re: Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Demi Marie Obenour (Feb 27)
• CVE-2025-27531: Apache InLong: An arbitrary file read vulnerability for JDBC Charles Zhang (Feb 27)
• [vim-security] potential code execution with tar.vim and special crafted tar files Christian Brabandt (Mar 02)
• CVE-2024-24778: Apache StreamPipes: Resources Permission Escalation Philipp Zehnder (Mar 03)
• CVE-2024-55532: Apache Ranger: Improper Neutralization of Formula Elements in a CSV File Velmurugan Periasamy (Mar 03)
• [ANNOUNCE] ATS is vulnerable to malformed requests, and also has ACL issues Masakazu Kitajo (Mar 05)
• Multiple vulnerabilities in Jenkins Kevin Guerroudj (Mar 05)
• Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
  • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
    • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
      • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
      • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Bastian Blank (Mar 05)
      • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
      • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 06)
      • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 07)
      • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 12)
• CVE-2025-26699: Django: Potential denial-of-service in django.utils.text.wrap() Sarah Boyce (Mar 06)
• CVE-2025-26865: Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE Jacques Le Roux (Mar 07)
• Go CVE-2025-22870: proxy bypass using IPv6 zone IDs Alan Coopersmith (Mar 07)
• CVE-2025-27636: Apache Camel: Camel Message Header Injection via Improper Filtering Andrea Cosentino (Mar 09)
• CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Valtteri Vuorikoski (Mar 10)
  • Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Jacob Bachmeyer (Mar 10)
    • Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Moritz Mühlenhoff (Mar 11)
• [SBA-ADV-20241209-01] CVE-2024-13918: Laravel 11.9.0-11.35.1 Reflected XSS via Request Parameter in Debug-Mode Error Page SBA Research Security Advisory (Mar 10)
• [SBA-ADV-20241209-02] CVE-2024-13919: Laravel 11.9.0-11.35.1 Reflected XSS via Route Parameter in Debug-Mode Error Page SBA Research Security Advisory (Mar 10)
• CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT Mark Thomas (Mar 10)
• CVE-2025-27017: Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record Pierre Villard (Mar 11)
• Below: World Writable Directory in /var/log/below Allows Local Privilege Escalation (CVE-2025-27591) Matthias Gerstner (Mar 12)
• CVE-2025-29891: Apache Camel: Camel Message Header Injection through request parameters Andrea Cosentino (Mar 12)
• FELIX-6753: CVE-2025-27867: Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin Carsten Ziegeler (Mar 12)
• [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt (Mar 12)
  • Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Solar Designer (Mar 12)
    • Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Eli Schwartz (Mar 12)
      • Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt (Mar 13)
• CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind (Mar 12)
  • CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Douglas Bagnall (Mar 12)
  • Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Jonathan Wright (Mar 12)
  • Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 13)
    • Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Salvatore Bonaccorso (Mar 13)
    • Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Vulnerability Disclosure (Mar 13)
      • Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind (Mar 13)
      • Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 14)
      • Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind (Mar 14)
      • Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 14)
• [kubernetes] CVE-2025-1767: GitRepo Volume Inadvertent Local Repository Access Vellore Rajakumar, Sri Saran Balaji (Mar 13)
• Triton Product Security announcement: Debian 12 LX image from 2024-07 has static SSH keys Dan McDonald (Mar 13)
• [CVE-2024-8176] Long linear chains of entities crash Expat with stack overflow due to use of unlimited recursion Alan Coopersmith (Mar 14)
• PHP security releases 8.4.5, 8.3.19, 8.2.28, 8.1.32 Alan Coopersmith (Mar 14)
• expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities Hanno Böck (Mar 14)
  • Re: expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities Qualys Security Advisory (Mar 15)
• tj-action/changed-files GitHub action was compromised Mark Esler (Mar 15)
  • Re: tj-action/changed-files GitHub action was compromised Mark Esler (Mar 18)
  • Re: tj-action/changed-files GitHub action was compromised Jacob Bachmeyer (Mar 18)
• CVE-2025-27018: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function Elad Kalif (Mar 19)
• CVE-2024-47552: Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server Min Ji (Mar 19)
• CVE-2024-54016: compression bomb attack in Apache Seata Server Min Ji (Mar 19)
• CVE-2025-27888: Apache Druid: Server-Side Request Forgery and Cross-Site Scripting Adarsh Sanjeev (Mar 19)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 Adrian Perez de Castro (Mar 20)
• [kubernetes] CVE-2024-7598: Network restriction bypass via race condition during namespace termination Craig Ingram (Mar 20)
• CVE-2025-26796: Apache Oozie: XSS in Oozie Web Console Arnout Engelen (Mar 21)
• Mercurial 6.9.4 fixes CVE-2025-2361: XSS in hgweb Alan Coopersmith (Mar 21)
• CVE-2025-27553: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT Gary D. Gregory (Mar 23)
• CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message Gary D. Gregory (Mar 23)
• CVE-2025-29927: Authorization Bypass in Next.js Middleware Alan Coopersmith (Mar 23)
  • Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware Alan Coopersmith (Mar 23)
• CVE-2024-53678: Apache VCL: SQL injection vulnerability in New Block Allocation form Josh Thompson (Mar 24)
• CVE-2024-53679: Apache VCL: XSS vulnerability in User Lookup impacting user privileges Josh Thompson (Mar 24)
• [kubernetes] Multiple vulnerabilities in ingress-nginx Tabitha Sable (Mar 24)
  • Re: [kubernetes] Multiple vulnerabilities in ingress-nginx Kevin Daudt (Mar 24)
• CVE-2025-30232: UAF in Exim 4.96 to 4.98.1 Valtteri Vuorikoski (Mar 26)
• atop: Heap corruption Solar Designer (Mar 26)
  • Re: atop: Heap corruption Alan Coopersmith (Mar 26)
    • Re: atop: Heap corruption Thomas Ward (Mar 26)
      • Re: atop: Heap corruption Mark Steward (Mar 26)
      • Re: atop: Heap corruption Solar Designer (Mar 26)
    • Re: atop: Heap corruption Alan Coopersmith (Mar 28)
      • CVE-2025-31160 Atop 2.11 heap problems Gerlof Langeveld (Mar 29)
• CVE-2025-30067: Apache Kylin: The remote code execution via jdbc url Li Yang (Mar 26)
• CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api Li Yang (Mar 26)
• Three bypasses of Ubuntu's unprivileged user namespace restrictions Qualys Security Advisory (Mar 27)
• wait3() system call as a side-channel in setuid programs (nvidia-modprobe CVE-2024-0149) Wolfgang Frisch (Mar 27)
• CVE-2024-56325: Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required siddharth teotia (Mar 27)
• use-after-free (maybe?) in libspf2 Hanno Böck (Mar 28)
• CVE-2025-27427: Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission Justin Bertram (Mar 31)
• CVE-2025-30065: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata Gang Wu (Mar 31)
• CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. Enxin Xie (Mar 31)

Previous period

Next period