oss-sec: by date
RSS Feed
About List
All Lists
Previous period
201 messages
starting Oct 01 25 and
ending Nov 18 25
Date index |
Thread index |
Author index
Wednesday, 01 October
Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Mike O'Connor
Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Emilio Pozuelo Monfort
Django CVE-2025-59681 and CVE-2025-59682 Jacob Walls
Thursday, 02 October
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz
Friday, 03 October
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH
fetchmail-SA-2025-01: SMTP AUTH denial of service Alan Coopersmith
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz
Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH
Saturday, 04 October
Re: fetchmail-SA-2025-01: SMTP AUTH denial of service now called CVE-2025-61962. Matthias Andree
Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27
Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH
Sunday, 05 October
Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27
Monday, 06 October
Announce: OpenSSH 10.1 released Damien Miller
Resource consumption weakness in Postgres-using applications & frameworks Peter Bex
Tuesday, 07 October
Re: Announce: OpenSSH 10.1 released David Leadbeater
redis: CVE-2025-49844: Lua Use-After-Free may lead to remote code execution Jan Schaumann
several vulnerabilities fixed in Go 1.25.2 and Go 1.24.8 Jan Schaumann
Wednesday, 08 October
Fwd: Heads-up: Upcoming Samba security releases Douglas Bagnall
Thursday, 09 October
CVE-2025-62228: Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC: SQL injection via maliciously crafted identifiers Leonard Xu
Friday, 10 October
Announce: OpenSSH 10.2 released Damien Miller
Go 1.25.2 and Go 1.24.8 fix 10 vulnerabilities Alan Coopersmith
Saturday, 11 October
Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V 许佳凯
Re: Announce: OpenSSH 10.1 released Demi Marie Obenour
Sunday, 12 October
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution lunbun
Monday, 13 October
BoringSSL private key loading is not constant time Billy Brumley
GHSL-2025-042: Use After Free (UAF) in Poppler - CVE-2025-52885 Alan Coopersmith
Re: BoringSSL private key loading is not constant time Jeffrey Walton
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0007 Adrian Perez de Castro
Re: BoringSSL private key loading is not constant time Peter Gutmann
Re: Announce: OpenSSH 10.1 released David Leadbeater
Tuesday, 14 October
Re: BoringSSL private key loading is not constant time Alex Gaynor
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time Peter Gutmann
Re: BoringSSL private key loading is not constant time Demi Marie Obenour
CVE-2024-44088: Apache Geode: Reflected XSS William Hodges
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time David Benjamin
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time Hanno Böck
CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks Holden Karau
Re: BoringSSL private key loading is not constant time Alex Gaynor
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: BoringSSL private key loading is not constant time Jacob Bachmeyer
Wednesday, 15 October
Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall
CVE-2025-54539: Apache ActiveMQ NMS AMQP Client: Deserialization of Untrusted Data Krzysztof Porębski
RE: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Caveney, Seamus G
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall
Thursday, 16 October
CVE-2025-61581: Apache Traffic Control: ReDoS issue in Traffic Router configuration Arnout Engelen
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall
Re: Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V Solar Designer
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution Solar Designer
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Peter Gutmann
Friday, 17 October
CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system William Hodges
rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Solar Designer
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Jacob Bachmeyer
Saturday, 18 October
Re: BoringSSL private key loading is not constant time Billy Brumley
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Fabio Degrigis
Monday, 20 October
CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated administrators Francesco Chicchiriccò
Tuesday, 21 October
Xen Security Advisory 475 v2 (CVE-2025-58147,CVE-2025-58148) - x86: Incorrect input sanitisation in Viridian hypercalls Xen . org security team
Re: BoringSSL private key loading is not constant time Jacob Bachmeyer
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour
Wednesday, 22 October
ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) Michał Kępień
Thursday, 23 October
PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor Otto Moerbeek
Friday, 24 October
Xen Security Advisory 476 v1 (CVE-2025-58149) - Incorrect removal of permissions on PCI device unplug Xen . org security team
Sunday, 26 October
OOB read / segfault and endless loop in courier mail server 1.5.0 Hanno Böck
Monday, 27 October
Questionable CVE's reported against dnsmasq Alan Coopersmith
Re: Questionable CVE's reported against dnsmasq Jeremy Stanley
Re: Questionable CVE's reported against dnsmasq Andrew Latham
CVE-2025-55752: Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled Mark Thomas
CVE-2025-55754: Apache Tomcat: console manipulation via escape sequences in log messages Mark Thomas
CVE-2025-61795: Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS Mark Thomas
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping
Re: Questionable CVE's reported against dnsmasq Moritz Mühlenhoff
Re: Questionable CVE's reported against dnsmasq Stuart Henderson
Re: Questionable CVE's reported against dnsmasq Jeffrey Walton
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping
Re: Questionable CVE's reported against dnsmasq Collin Funk
Re: Questionable CVE's reported against dnsmasq Michael Orlitzky
Re: Questionable CVE's reported against dnsmasq Matthew Fernandez
Re: Questionable CVE's reported against dnsmasq Hank Leininger
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour
Re: Questionable CVE's reported against dnsmasq Solar Designer
Re: Questionable CVE's reported against dnsmasq nightmare . yeah27
Re: Questionable CVE's reported against dnsmasq Eli Schwartz
Tuesday, 28 October
Re: Questionable CVE's reported against dnsmasq Simon McVittie
Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan
Re: Questionable CVE's reported against dnsmasq Stuart Henderson
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour
Wednesday, 29 October
Multiple vulnerabilities in Jenkins plugins Daniel Beck
Re: Multiple vulnerabilities in Jenkins plugins Sebastian Pipping
CVE-2025-30189: Dovecot IMAP Server: Using auth caching causes the first lookup to be cached for all lookups Camelia Lavender
ISC has disclosed one vulnerability in Kea (CVE-2025-11232) Wlodek Wencel
CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator" Kaxil Naik
CVE-2025-62402: Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API Kaxil Naik
CVE-2025-62503: Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables) Kaxil Naik
Re: Questionable CVE's reported against dnsmasq Alan Coopersmith
Re: Questionable CVE's reported against dnsmasq Douglas Bagnall
Re: Questionable CVE's reported against dnsmasq Salvatore Bonaccorso
Thursday, 30 October
CVE-2025-62232: Apache APISIX: APISIX basic-auth logs plaintext credentials at info level Ashish Tiwari
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Eddie Chapman
Friday, 31 October
Re: Questionable CVE's reported against dnsmasq Petr Menšík
Re: Questionable CVE's reported against dnsmasq Sebastian Pipping
OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875) Matthias Gerstner
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability nightmare . yeah27
Re: Questionable CVE's reported against dnsmasq Art Manion
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer
Re: Multiple vulnerabilities in Jenkins plugins Solar Designer
Re: Questionable CVE's reported against dnsmasq Solar Designer
Saturday, 01 November
Re: Questionable CVE's reported against dnsmasq Art Manion
Re: Questionable CVE's reported against dnsmasq Russ Allbery
Re: Questionable CVE's reported against dnsmasq Collin Funk
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour
Re: Questionable CVE's reported against dnsmasq Russ Allbery
Re: Questionable CVE's reported against dnsmasq Solar Designer
Sunday, 02 November
Re: Questionable CVE's reported against dnsmasq Jeremy Stanley
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson
Monday, 03 November
Re: Questionable CVE's reported against dnsmasq Peter Gutmann
Re: Questionable CVE's reported against dnsmasq Russ Allbery
Re: Questionable CVE's reported against dnsmasq Art Manion
Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour
Tuesday, 04 November
[SECURITY ADVISORY] wcurl path traversal with percent-encoded slashes Daniel Stenberg
[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson
Becoming a CVE Naming Authority for your project Rodrigo Freire
CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server Mingyu Chen
Re: Questionable CVE's reported against dnsmasq Art Manion
[CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Demi Marie Obenour
Re: Becoming a CVE Naming Authority for your project Greg KH
Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Solar Designer
[SECURITY ADVISORY] curl: missing SFTP host verification with wolfSSH Daniel Stenberg
Wednesday, 05 November
runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Aleksa Sarai
Xen Security Advisory 471 v3 (CVE-2024-36350,CVE-2024-36357) - x86: Transitive Scheduler Attacks Xen . org security team
[CVE-2025-54574] SQUID-2025:1 Buffer Overflow in URN Handling Amos Jeffries
[CVE-2025-62168] SQUID-2025:2 Information Disclosure in Error handling Amos Jeffries
Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries
Re: Becoming a CVE Naming Authority for your project Olle E. Johansson
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson
Re: Becoming a CVE Naming Authority for your project Peter Gutmann
Re: Becoming a CVE Naming Authority for your project Yogesh Mittal
Django CVE-2025-64458 and CVE-2025-64459 Natalia Bidart
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
Re: Becoming a CVE Naming Authority for your project Matthew Fernandez
Re: Becoming a CVE Naming Authority for your project Art Manion
Re: Becoming a CVE Naming Authority for your project Pedro Sampaio
Re: Becoming a CVE Naming Authority for your project Pedro Sampaio
Re: Questionable CVE's reported against dnsmasq Pedro Sampaio
Thursday, 06 November
scx: Unauthenticated scx_loader D-Bus Service can lead to major Denial-of-Service Matthias Gerstner
Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 akendo () akendo eu
Re: Questionable CVE's reported against dnsmasq Olle E. Johansson
Re: Becoming a CVE Naming Authority for your project Olle E. Johansson
Re: Becoming a CVE Naming Authority for your project Pat Gunn
Re: Becoming a CVE Naming Authority for your project Jeremy Stanley
Friday, 07 November
Re: Becoming a CVE Naming Authority for your project Peter Gutmann
Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Ali Polatel
Tuesday, 11 November
CVE-2025-59118: Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload Jacques Le Roux
CVE-2025-61623: Apache OFBiz: Reflected Cross-site Scripting Jacques Le Roux
CVE-2024-47866 Ceph: RGW DoS via improper input validation. Sage [They / Them] McTaggart
CVE-2025-64401: Apache OpenOffice: Remote documents loaded without prompt via IFrame Arrigo Marchiori
CVE-2025-64402: Apache OpenOffice: Remote documents loaded without prompt via OLE objects Arrigo Marchiori
CVE-2025-64403: Apache OpenOffice: Remote documents loaded without prompt via "external data sources" in Calc Arrigo Marchiori
CVE-2025-64404: Apache OpenOffice: Remote documents loaded without prompt via background and bullet images Arrigo Marchiori
CVE-2025-64405: Apache OpenOffice: Remote documents loaded without prompt via DDE function Arrigo Marchiori
CVE-2025-64406: Apache OpenOffice: Possible memory corruption during CSV import Arrigo Marchiori
CVE-2025-64407: Apache OpenOffice: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables Arrigo Marchiori
Wednesday, 12 November
CVE-2025-57812 libcupsfilters, cups-filters 1.x: Multiple TIFF-related issues in libcupsfilters Zdenek Dohnal
CVE-2025-64503 libcupsfilters, cups-filters 1.x: out of bounds write in pdftoraster Zdenek Dohnal
Re: Questionable CVE's reported against dnsmasq Peter Gutmann
Thursday, 13 November
Re: Questionable CVE's reported against dnsmasq Alexander Patrakov
Re: Questionable CVE's reported against dnsmasq Jacob Bachmeyer
Re: Questionable CVE's reported against dnsmasq Peter Gutmann
CVE-2025-40300 / VMScape Bjoern Franke
Friday, 14 November
Re: CVE-2025-40300 / VMScape Alan Coopersmith
Re: Questionable CVE's reported against dnsmasq Jeffrey Walton
Re: CVE-2025-40300 / VMScape Moritz Mühlenhoff
PostgreSQL releases fixes for CVE-2025-12817 & CVE-2025-12818 Alan Coopersmith
Re: Questionable CVE's reported against dnsmasq Peter Gutmann
Sunday, 16 November
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Salvatore Bonaccorso
Monday, 17 November
GitGuardian GGShield SSL/TLS Verification Bypass (No CVE) tanish saxena
Re: CVE-2025-40300 / VMScape Bjoern Franke
Re: CVE-2025-40300 / VMScape Solar Designer
lightdm-kde-greeter: Privilege Escalation from lightdm Service User to root in KAuth Helper Service (CVE-2025-62876) Matthias Gerstner
Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073) Jeremy Stanley
Tuesday, 18 November
[SECURITY PATCH 0/8] GRUB2 vulnerabilities - 2025/11/18 Daniel Kiper
[SECURITY PATCH 1/8] commands/test: Fix error in recursion depth calculation Daniel Kiper
[SECURITY PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close() Daniel Kiper
[SECURITY PATCH 3/8] net/net: Unregister net_set_vlan command on unload Daniel Kiper
[SECURITY PATCH 4/8] gettext/gettext: Unregister gettext command on module unload Daniel Kiper
[SECURITY PATCH 5/8] normal/main: Unregister commands on module unload Daniel Kiper
[SECURITY PATCH 6/8] tests/lib/functional_test: Unregister commands on module unload Daniel Kiper
[SECURITY PATCH 7/8] commands/usbtest: Use correct string length field Daniel Kiper
[SECURITY PATCH 8/8] commands/usbtest: Ensure string length is sufficient in usb string processing Daniel Kiper
Re: SQLite - Integer Overflow in FTS5 Extension [CVE-2025-7709] John Hein