
oss-sec: by thread
262 messages starting Jan 03 25 and ending Mar 31 25
- Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman (Jan 03)
- iTerm2 < 3.5.11 logs input/output to /tmp/framer.txt on remote host Jan Schaumann (Jan 03)
- Re: GStreamer 1.24.10 stable security bug-fix release Alan Coopersmith (Jan 03)
- Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks Jürgen Groß (Jan 04)
- Linux: general protection fault in __vmx_vcpu_run with nested virtualization Linfeng Sun (Jan 06)
- Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Greg KH (Jan 06)
- Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Demi Marie Obenour (Jan 06)
- Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Solar Designer (Jan 07)
- Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization Greg KH (Jan 06)
- CVE-2024-54676: Apache OpenMeetings: Deserialisation of untrusted data in cluster mode Maxim Solodovnik (Jan 07)
- CVE-2024-45033: Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli Elad Kalif (Jan 08)
- "/bin/sh: The Biggest Unix Security Loophole" paper from 1984 Alan Coopersmith (Jan 08)
- [vim-security] heap-buffer-overflow in Vim < 9.1.1003 Christian Brabandt (Jan 11)
- CVE-2025-22828: Apache CloudStack: Unauthorised access to annotations Nux (Jan 13)
- CVE-2024-45627: Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability Heping Wang (Jan 14)
- CVE-2024-56374: Django: Potential denial-of-service vulnerability in IPv6 validation Natalia Bidart (Jan 14)
- RSYNC: 6 vulnerabilities Nick Tait (Jan 14)
- Re: RSYNC: 6 vulnerabilities Jan Schaumann (Jan 14)
- Re: RSYNC: 6 vulnerabilities Alan Coopersmith (Jan 14)
- git: 2 vulnerabilities fixed Johannes Schindelin (Jan 14)
- Re: git: 2 vulnerabilities fixed Salvatore Bonaccorso (Jan 18)
- Fwd: Node.js security updates for all active release lines, January 2025 Rafael Gonzaga (Jan 14)
- <Possible follow-ups>
- Fwd: Node.js security updates for all active release lines, January 2025 Rafael Gonzaga (Jan 21)
- pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 15)
- Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Jacob Bachmeyer (Jan 15)
- Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 16)
- Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Steffen Nurpmeso (Jan 16)
- Re: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Russ Allbery (Jan 16)
- Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 16)
- Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Jacob Bachmeyer (Jan 15)
- Session (a fork of the Signal private messaging app) is sus Soatok Dreamseeker (Jan 15)
- [kubernetes] CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API Vellore Rajakumar, Sri Saran Balaji (Jan 15)
- Go 1.23.5 and Go 1.22.11 are released with 2 security fixes Alan Coopersmith (Jan 17)
- WriteFreely exposes database credentials through insecure file permissions Fay Stegerman (Jan 18)
- fdroidserver AllowedAPKSigningKeys certificate pinning fundamentally unreliable Fay Stegerman (Jan 20)
- CVE-2024-13176: OpenSSL: Timing side-channel in ECDSA signature computation Tomas Mraz (Jan 20)
- CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files Colm O hEigeartaigh (Jan 20)
- Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Christian Brabandt (Jan 20)
- Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Eli Schwartz (Jan 20)
- Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Christian Brabandt (Jan 21)
- Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 Eli Schwartz (Jan 20)
- CVE-2024-45478: Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input Velmurugan Periasamy (Jan 21)
- CVE-2024-45479: Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost Velmurugan Periasamy (Jan 21)
- Node.js security updates: CVE-2025-23083, CVE-2025-23084, CVE-2025-23085 Jan Schaumann (Jan 21)
- Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Alan Coopersmith (Jan 24)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Greg KH (Jan 24)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 25)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer (Jan 26)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 27)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer (Jan 28)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 28)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Greg KH (Jan 24)
- Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Alan Coopersmith (Jan 24)
- CVE-2025-23195: Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie Viraj Jasani (Jan 21)
- CVE-2025-23196: Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition Viraj Jasani (Jan 21)
- CVE-2024-51941: Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts Viraj Jasani (Jan 21)
- CERT/CC VU#199397 - Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) Alan Coopersmith (Jan 21)
- AMD Microcode Signature Verification Vulnerability Tavis Ormandy (Jan 21)
- Re: AMD Microcode Signature Verification Vulnerability Demi Marie Obenour (Jan 22)
- Re: AMD Microcode Signature Verification Vulnerability Tavis Ormandy (Jan 22)
- Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Feb 04)
- Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Feb 05)
- Re: AMD Microcode Signature Verification Vulnerability trinity pointard (Feb 06)
- Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Feb 06)
- Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Mar 05)
- Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Mar 05)
- Re: AMD Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: AMD Microcode Signature Verification Vulnerability Taylor R Campbell (Mar 06)
- Re: AMD Microcode Signature Verification Vulnerability Tavis Ormandy (Jan 22)
- Re: AMD Microcode Signature Verification Vulnerability Demi Marie Obenour (Jan 22)
- issue with stuck Mitre CVE requests Matthias Gerstner (Jan 22)
- Re: issue with stuck Mitre CVE requests Greg KH (Jan 22)
- Re: issue with stuck Mitre CVE requests Johannes Segitz (Jan 22)
- Re: issue with stuck Mitre CVE requests Mark Esler (Jan 24)
- Re: issue with stuck Mitre CVE requests Johannes Segitz (Jan 27)
- Re: issue with stuck Mitre CVE requests Pete Allor (Jan 27)
- Re: issue with stuck Mitre CVE requests Pedro Sampaio (Jan 22)
- Re: issue with stuck Mitre CVE requests Johannes Segitz (Jan 22)
- Re: issue with stuck Mitre CVE requests Matthias Gerstner (Jan 23)
- Re: issue with stuck Mitre CVE requests Pete Allor (Jan 23)
- Re: issue with stuck Mitre CVE requests Greg KH (Jan 22)
- CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory (Jan 22)
- Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory (Jan 23)
- Open Virtual Network egress access control list bypass. Mark Michelson (Jan 22)
- Re: Open Virtual Network egress access control list bypass. Mark Michelson (Jan 22)
- Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj (Jan 22)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 19)
- CVE-2024-53299: Apache Wicket: An attacker can intentionally trigger a memory leak Pedro Henrique Oliveira dos Santos (Jan 22)
- Oracle January 2025 Critical Patch Update Solar Designer (Jan 22)
- Re: Oracle January 2025 Critical Patch Update John Haxby (Jan 23)
- Message not available
- Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 23)
- Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Solar Designer (Jan 23)
- Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Douglas R. Reno (Jan 23)
- Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Solar Designer (Jan 24)
- Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Douglas R. Reno (Jan 25)
- Re: Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 27)
- Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 24)
- Re: [External] : Fwd: [oss-security] Oracle January 2025 Critical Patch Update Bruce Lowenthal (Jan 23)
- Re: Oracle January 2025 Critical Patch Update Alan Coopersmith (Jan 23)
- Re: Oracle January 2025 Critical Patch Update Solar Designer (Jan 23)
- Re: Oracle January 2025 Critical Patch Update Sam James (Jan 25)
- Re: Oracle January 2025 Critical Patch Update John Haxby (Jan 29)
- Re: Oracle January 2025 Critical Patch Update Solar Designer (Jan 23)
- <Possible follow-ups>
- Re: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions Paulo Motta (Feb 11)
- Re: [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close Demi Marie Obenour (Feb 05)
- Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Fay Stegerman (Feb 06)
- Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow Daniel Stenberg (Feb 06)
- Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Douglas R. Reno (Feb 06)
- Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Jacob Bachmeyer (Feb 07)
- Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Rich Felker (Feb 13)
- Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() Daniel Gutson (Feb 13)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer (Feb 21)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer (Feb 24)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
- <Possible follow-ups>
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Jordy Zomer (Feb 21)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Feb 21)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Buherátor (Mar 06)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Mar 10)
- Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Qualys Security Advisory (Feb 21)
- Re: CVE-2025-26794: Exim: SQL injection Solar Designer (Feb 21)
- Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Feb 27)
- Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren (Mar 01)
- Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Mar 01)
- Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren (Mar 01)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Bastian Blank (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 06)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 07)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 12)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
- Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Jacob Bachmeyer (Mar 10)
- Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Moritz Mühlenhoff (Mar 11)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Solar Designer (Mar 12)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Eli Schwartz (Mar 12)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt (Mar 13)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Eli Schwartz (Mar 12)
- CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Douglas Bagnall (Mar 12)
- Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Jonathan Wright (Mar 12)
- Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 13)
- Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Salvatore Bonaccorso (Mar 13)
- Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Vulnerability Disclosure (Mar 13)
- Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind (Mar 13)
- Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 14)
- Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Michel Lind (Mar 14)
- Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Marc Deslauriers (Mar 14)
- Re: expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities Qualys Security Advisory (Mar 15)
- Re: tj-action/changed-files GitHub action was compromised Mark Esler (Mar 18)
- Re: tj-action/changed-files GitHub action was compromised Jacob Bachmeyer (Mar 18)
- Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware Alan Coopersmith (Mar 23)
- Re: [kubernetes] Multiple vulnerabilities in ingress-nginx Kevin Daudt (Mar 24)
- Re: atop: Heap corruption Alan Coopersmith (Mar 26)
- Re: atop: Heap corruption Thomas Ward (Mar 26)
- Re: atop: Heap corruption Mark Steward (Mar 26)
- Re: atop: Heap corruption Solar Designer (Mar 26)
- Re: atop: Heap corruption Alan Coopersmith (Mar 28)
- CVE-2025-31160 Atop 2.11 heap problems Gerlof Langeveld (Mar 29)
- Re: atop: Heap corruption Thomas Ward (Mar 26)