oss-sec: by thread

• RSS Feed
• About List
• All Lists

Previous period

Next period

201 messages starting Oct 01 25 and ending Nov 18 25
Date index | Thread index | Author index

• Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Mike O'Connor (Oct 01)
  • Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Emilio Pozuelo Monfort (Oct 01)
• Django CVE-2025-59681 and CVE-2025-59682 Jacob Walls (Oct 01)
• Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
  • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 02)
    • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
      • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
      • Message not available
      • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 03)
      • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
      • Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 04)
      • Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 04)
      • Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 05)
• fetchmail-SA-2025-01: SMTP AUTH denial of service Alan Coopersmith (Oct 03)
  • Re: fetchmail-SA-2025-01: SMTP AUTH denial of service now called CVE-2025-61962. Matthias Andree (Oct 04)
• Announce: OpenSSH 10.1 released Damien Miller (Oct 06)
  • Re: Announce: OpenSSH 10.1 released David Leadbeater (Oct 07)
    • Re: Announce: OpenSSH 10.1 released Demi Marie Obenour (Oct 11)
      • Re: Announce: OpenSSH 10.1 released David Leadbeater (Oct 13)
• Resource consumption weakness in Postgres-using applications & frameworks Peter Bex (Oct 06)
• redis: CVE-2025-49844: Lua Use-After-Free may lead to remote code execution Jan Schaumann (Oct 07)
• several vulnerabilities fixed in Go 1.25.2 and Go 1.24.8 Jan Schaumann (Oct 07)
• Fwd: Heads-up: Upcoming Samba security releases Douglas Bagnall (Oct 08)
  • Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
    • RE: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Caveney, Seamus G (Oct 15)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour (Oct 21)
    • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour (Oct 16)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 16)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Peter Gutmann (Oct 16)
• CVE-2025-62228: Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC: SQL injection via maliciously crafted identifiers Leonard Xu (Oct 09)
• Announce: OpenSSH 10.2 released Damien Miller (Oct 10)
• Go 1.25.2 and Go 1.24.8 fix 10 vulnerabilities Alan Coopersmith (Oct 10)
• Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V 许佳凯 (Oct 11)
  • Re: Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V Solar Designer (Oct 16)
• Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution lunbun (Oct 12)
  • Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution Solar Designer (Oct 16)
• BoringSSL private key loading is not constant time Billy Brumley (Oct 13)
  • Re: BoringSSL private key loading is not constant time Jeffrey Walton (Oct 13)
    • Re: BoringSSL private key loading is not constant time Peter Gutmann (Oct 13)
      • Re: BoringSSL private key loading is not constant time Alex Gaynor (Oct 14)
      • Re: BoringSSL private key loading is not constant time Peter Gutmann (Oct 14)
      • Re: BoringSSL private key loading is not constant time Demi Marie Obenour (Oct 14)
      • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
      • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
      • Re: BoringSSL private key loading is not constant time David Benjamin (Oct 14)
      • Re: BoringSSL private key loading is not constant time Hanno Böck (Oct 14)
      • Re: BoringSSL private key loading is not constant time Alex Gaynor (Oct 14)
      • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
      • Re: BoringSSL private key loading is not constant time Jacob Bachmeyer (Oct 14)
      • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 18)
      • Re: BoringSSL private key loading is not constant time Jacob Bachmeyer (Oct 21)
    • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
    • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
• GHSL-2025-042: Use After Free (UAF) in Poppler - CVE-2025-52885 Alan Coopersmith (Oct 13)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0007 Adrian Perez de Castro (Oct 13)
• CVE-2024-44088: Apache Geode: Reflected XSS William Hodges (Oct 14)
• CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks Holden Karau (Oct 14)
• CVE-2025-54539: Apache ActiveMQ NMS AMQP Client: Deserialization of Untrusted Data Krzysztof Porębski (Oct 15)
• CVE-2025-61581: Apache Traffic Control: ReDoS issue in Traffic Router configuration Arnout Engelen (Oct 16)
• CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system William Hodges (Oct 17)
• rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre (Oct 17)
  • Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Solar Designer (Oct 17)
    • Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre (Oct 17)
      • Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Jacob Bachmeyer (Oct 17)
      • Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Fabio Degrigis (Oct 18)
• CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated administrators Francesco Chicchiriccò (Oct 20)
• Xen Security Advisory 475 v2 (CVE-2025-58147,CVE-2025-58148) - x86: Incorrect input sanitisation in Viridian hypercalls Xen . org security team (Oct 21)
• ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) Michał Kępień (Oct 22)
• PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor Otto Moerbeek (Oct 23)
• Xen Security Advisory 476 v1 (CVE-2025-58149) - Incorrect removal of permissions on PCI device unplug Xen . org security team (Oct 24)
• OOB read / segfault and endless loop in courier mail server 1.5.0 Hanno Böck (Oct 26)
• Questionable CVE's reported against dnsmasq Alan Coopersmith (Oct 27)
  • Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Oct 27)
    • Re: Questionable CVE's reported against dnsmasq Andrew Latham (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Stuart Henderson (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Matthew Fernandez (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Eli Schwartz (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Stuart Henderson (Oct 28)
      • Re: Questionable CVE's reported against dnsmasq Salvatore Bonaccorso (Oct 29)
      • Re: Questionable CVE's reported against dnsmasq Petr Menšík (Oct 31)
      • Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 31)
    • Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Oct 27)
  • Re: Questionable CVE's reported against dnsmasq Moritz Mühlenhoff (Oct 27)
    • Re: Questionable CVE's reported against dnsmasq Collin Funk (Oct 27)
    • Re: Questionable CVE's reported against dnsmasq Michael Orlitzky (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Hank Leininger (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Solar Designer (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Douglas Bagnall (Oct 29)
      • Re: Questionable CVE's reported against dnsmasq Art Manion (Oct 31)
      • Re: Questionable CVE's reported against dnsmasq Solar Designer (Oct 31)
      • Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Collin Funk (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Solar Designer (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Nov 02)
      • Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 03)
      • Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 03)
      • Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 03)
      • Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 12)
      • Re: Questionable CVE's reported against dnsmasq Alexander Patrakov (Nov 13)
      • Re: Questionable CVE's reported against dnsmasq Jacob Bachmeyer (Nov 13)
      • Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 13)
      • Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Nov 14)
      • Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 14)
      • Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 02)
      • Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 03)
      • Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 04)
      • Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 04)
      • Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 05)
      • Re: Questionable CVE's reported against dnsmasq Pedro Sampaio (Nov 05)
      • Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 06)
      • Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 28)
      • Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq nightmare . yeah27 (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Simon McVittie (Oct 28)
  • Re: Questionable CVE's reported against dnsmasq Alan Coopersmith (Oct 29)
• CVE-2025-55752: Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled Mark Thomas (Oct 27)
• CVE-2025-55754: Apache Tomcat: console manipulation via escape sequences in log messages Mark Thomas (Oct 27)
• CVE-2025-61795: Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS Mark Thomas (Oct 27)
• Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Oct 28)
• Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 29)
  • Re: Multiple vulnerabilities in Jenkins plugins Sebastian Pipping (Oct 29)
    • Re: Multiple vulnerabilities in Jenkins plugins Solar Designer (Oct 31)
• CVE-2025-30189: Dovecot IMAP Server: Using auth caching causes the first lookup to be cached for all lookups Camelia Lavender (Oct 29)
• ISC has disclosed one vulnerability in Kea (CVE-2025-11232) Wlodek Wencel (Oct 29)
• CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator" Kaxil Naik (Oct 29)
• CVE-2025-62402: Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API Kaxil Naik (Oct 29)
• CVE-2025-62503: Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables) Kaxil Naik (Oct 29)
• CVE-2025-62232: Apache APISIX: APISIX basic-auth logs plaintext credentials at info level Ashish Tiwari (Oct 30)
• Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Eddie Chapman (Oct 30)
  • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability nightmare . yeah27 (Oct 31)
  • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Oct 31)
• OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875) Matthias Gerstner (Oct 31)
• [SECURITY ADVISORY] wcurl path traversal with percent-encoded slashes Daniel Stenberg (Nov 04)
• [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 04)
  • Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Demi Marie Obenour (Nov 04)
    • Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 05)
  • Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Salvatore Bonaccorso (Nov 16)
    • Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 17)
  • [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073) Jeremy Stanley (Nov 17)
• Becoming a CVE Naming Authority for your project Rodrigo Freire (Nov 04)
  • Re: Becoming a CVE Naming Authority for your project Greg KH (Nov 04)
    • Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Pedro Sampaio (Nov 05)
    • Re: Becoming a CVE Naming Authority for your project Peter Gutmann (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Matthew Fernandez (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Art Manion (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Pedro Sampaio (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 06)
      • Re: Becoming a CVE Naming Authority for your project Peter Gutmann (Nov 07)
    • Re: Becoming a CVE Naming Authority for your project Yogesh Mittal (Nov 05)
  • Re: Becoming a CVE Naming Authority for your project Pat Gunn (Nov 06)
    • Re: Becoming a CVE Naming Authority for your project Jeremy Stanley (Nov 06)
• CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server Mingyu Chen (Nov 04)
• [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries (Nov 04)
  • Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Solar Designer (Nov 04)
    • Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries (Nov 05)
• [SECURITY ADVISORY] curl: missing SFTP host verification with wolfSSH Daniel Stenberg (Nov 04)
• runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Aleksa Sarai (Nov 05)
  • Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 akendo () akendo eu (Nov 06)
  • Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Ali Polatel (Nov 07)
• Xen Security Advisory 471 v3 (CVE-2024-36350,CVE-2024-36357) - x86: Transitive Scheduler Attacks Xen . org security team (Nov 05)
• [CVE-2025-54574] SQUID-2025:1 Buffer Overflow in URN Handling Amos Jeffries (Nov 05)
• [CVE-2025-62168] SQUID-2025:2 Information Disclosure in Error handling Amos Jeffries (Nov 05)
• Django CVE-2025-64458 and CVE-2025-64459 Natalia Bidart (Nov 05)
• scx: Unauthenticated scx_loader D-Bus Service can lead to major Denial-of-Service Matthias Gerstner (Nov 06)
• CVE-2025-59118: Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload Jacques Le Roux (Nov 11)
• CVE-2025-61623: Apache OFBiz: Reflected Cross-site Scripting Jacques Le Roux (Nov 11)
• CVE-2024-47866 Ceph: RGW DoS via improper input validation. Sage [They / Them] McTaggart (Nov 11)
• CVE-2025-64401: Apache OpenOffice: Remote documents loaded without prompt via IFrame Arrigo Marchiori (Nov 11)
• CVE-2025-64402: Apache OpenOffice: Remote documents loaded without prompt via OLE objects Arrigo Marchiori (Nov 11)
• CVE-2025-64403: Apache OpenOffice: Remote documents loaded without prompt via "external data sources" in Calc Arrigo Marchiori (Nov 11)
• CVE-2025-64404: Apache OpenOffice: Remote documents loaded without prompt via background and bullet images Arrigo Marchiori (Nov 11)
• CVE-2025-64405: Apache OpenOffice: Remote documents loaded without prompt via DDE function Arrigo Marchiori (Nov 11)
• CVE-2025-64406: Apache OpenOffice: Possible memory corruption during CSV import Arrigo Marchiori (Nov 11)
• CVE-2025-64407: Apache OpenOffice: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables Arrigo Marchiori (Nov 11)
• CVE-2025-57812 libcupsfilters, cups-filters 1.x: Multiple TIFF-related issues in libcupsfilters Zdenek Dohnal (Nov 12)
• CVE-2025-64503 libcupsfilters, cups-filters 1.x: out of bounds write in pdftoraster Zdenek Dohnal (Nov 12)
• CVE-2025-40300 / VMScape Bjoern Franke (Nov 13)
  • Re: CVE-2025-40300 / VMScape Alan Coopersmith (Nov 14)
    • Re: CVE-2025-40300 / VMScape Moritz Mühlenhoff (Nov 14)
      • Re: CVE-2025-40300 / VMScape Solar Designer (Nov 17)
    • Re: CVE-2025-40300 / VMScape Bjoern Franke (Nov 17)
• PostgreSQL releases fixes for CVE-2025-12817 & CVE-2025-12818 Alan Coopersmith (Nov 14)
• GitGuardian GGShield SSL/TLS Verification Bypass (No CVE) tanish saxena (Nov 17)
• lightdm-kde-greeter: Privilege Escalation from lightdm Service User to root in KAuth Helper Service (CVE-2025-62876) Matthias Gerstner (Nov 17)
• [SECURITY PATCH 0/8] GRUB2 vulnerabilities - 2025/11/18 Daniel Kiper (Nov 18)
• [SECURITY PATCH 1/8] commands/test: Fix error in recursion depth calculation Daniel Kiper (Nov 18)
• [SECURITY PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close() Daniel Kiper (Nov 18)
• [SECURITY PATCH 3/8] net/net: Unregister net_set_vlan command on unload Daniel Kiper (Nov 18)
• [SECURITY PATCH 4/8] gettext/gettext: Unregister gettext command on module unload Daniel Kiper (Nov 18)
• [SECURITY PATCH 5/8] normal/main: Unregister commands on module unload Daniel Kiper (Nov 18)
• [SECURITY PATCH 6/8] tests/lib/functional_test: Unregister commands on module unload Daniel Kiper (Nov 18)
• [SECURITY PATCH 7/8] commands/usbtest: Use correct string length field Daniel Kiper (Nov 18)
• [SECURITY PATCH 8/8] commands/usbtest: Ensure string length is sufficient in usb string processing Daniel Kiper (Nov 18)
• Re: SQLite - Integer Overflow in FTS5 Extension [CVE-2025-7709] John Hein (Nov 18)

Previous period

Next period