oss-sec: by thread

• RSS Feed
• About List
• All Lists

Previous period

Next period

361 messages starting Oct 01 25 and ending Dec 31 25
Date index | Thread index | Author index

• Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Mike O'Connor (Oct 01)
  • Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Emilio Pozuelo Monfort (Oct 01)
• Django CVE-2025-59681 and CVE-2025-59682 Jacob Walls (Oct 01)
• Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
  • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 02)
    • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
      • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
      • Message not available
      • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 03)
      • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
      • Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 04)
      • Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 04)
      • Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 05)
• fetchmail-SA-2025-01: SMTP AUTH denial of service Alan Coopersmith (Oct 03)
  • Re: fetchmail-SA-2025-01: SMTP AUTH denial of service now called CVE-2025-61962. Matthias Andree (Oct 04)
• Announce: OpenSSH 10.1 released Damien Miller (Oct 06)
  • Re: Announce: OpenSSH 10.1 released David Leadbeater (Oct 07)
    • Re: Announce: OpenSSH 10.1 released Demi Marie Obenour (Oct 11)
      • Re: Announce: OpenSSH 10.1 released David Leadbeater (Oct 13)
• Resource consumption weakness in Postgres-using applications & frameworks Peter Bex (Oct 06)
• redis: CVE-2025-49844: Lua Use-After-Free may lead to remote code execution Jan Schaumann (Oct 07)
• several vulnerabilities fixed in Go 1.25.2 and Go 1.24.8 Jan Schaumann (Oct 07)
• Fwd: Heads-up: Upcoming Samba security releases Douglas Bagnall (Oct 08)
  • Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
    • RE: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Caveney, Seamus G (Oct 15)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour (Oct 21)
    • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 15)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Demi Marie Obenour (Oct 16)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Douglas Bagnall (Oct 16)
      • Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640 Peter Gutmann (Oct 16)
• CVE-2025-62228: Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC: SQL injection via maliciously crafted identifiers Leonard Xu (Oct 09)
• Announce: OpenSSH 10.2 released Damien Miller (Oct 10)
• Go 1.25.2 and Go 1.24.8 fix 10 vulnerabilities Alan Coopersmith (Oct 10)
• Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V 许佳凯 (Oct 11)
  • Re: Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V Solar Designer (Oct 16)
• Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution lunbun (Oct 12)
  • Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution Solar Designer (Oct 16)
• BoringSSL private key loading is not constant time Billy Brumley (Oct 13)
  • Re: BoringSSL private key loading is not constant time Jeffrey Walton (Oct 13)
    • Re: BoringSSL private key loading is not constant time Peter Gutmann (Oct 13)
      • Re: BoringSSL private key loading is not constant time Alex Gaynor (Oct 14)
      • Re: BoringSSL private key loading is not constant time Peter Gutmann (Oct 14)
      • Re: BoringSSL private key loading is not constant time Demi Marie Obenour (Oct 14)
      • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
      • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
      • Re: BoringSSL private key loading is not constant time David Benjamin (Oct 14)
      • Re: BoringSSL private key loading is not constant time Hanno Böck (Oct 14)
      • Re: BoringSSL private key loading is not constant time Alex Gaynor (Oct 14)
      • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
      • Re: BoringSSL private key loading is not constant time Jacob Bachmeyer (Oct 14)
      • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 18)
      • Re: BoringSSL private key loading is not constant time Jacob Bachmeyer (Oct 21)
    • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
    • Re: BoringSSL private key loading is not constant time Billy Brumley (Oct 14)
• GHSL-2025-042: Use After Free (UAF) in Poppler - CVE-2025-52885 Alan Coopersmith (Oct 13)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0007 Adrian Perez de Castro (Oct 13)
• CVE-2024-44088: Apache Geode: Reflected XSS William Hodges (Oct 14)
• CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks Holden Karau (Oct 14)
• CVE-2025-54539: Apache ActiveMQ NMS AMQP Client: Deserialization of Untrusted Data Krzysztof Porębski (Oct 15)
• CVE-2025-61581: Apache Traffic Control: ReDoS issue in Traffic Router configuration Arnout Engelen (Oct 16)
• CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system William Hodges (Oct 17)
• rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre (Oct 17)
  • Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Solar Designer (Oct 17)
    • Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Vincent Lefevre (Oct 17)
      • Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Jacob Bachmeyer (Oct 17)
      • Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...) Fabio Degrigis (Oct 18)
• CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated administrators Francesco Chicchiriccò (Oct 20)
• Xen Security Advisory 475 v2 (CVE-2025-58147,CVE-2025-58148) - x86: Incorrect input sanitisation in Viridian hypercalls Xen . org security team (Oct 21)
• ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) Michał Kępień (Oct 22)
• PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor Otto Moerbeek (Oct 23)
• Xen Security Advisory 476 v1 (CVE-2025-58149) - Incorrect removal of permissions on PCI device unplug Xen . org security team (Oct 24)
• OOB read / segfault and endless loop in courier mail server 1.5.0 Hanno Böck (Oct 26)
• Questionable CVE's reported against dnsmasq Alan Coopersmith (Oct 27)
  • Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Oct 27)
    • Re: Questionable CVE's reported against dnsmasq Andrew Latham (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Stuart Henderson (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Matthew Fernandez (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Eli Schwartz (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Stuart Henderson (Oct 28)
      • Re: Questionable CVE's reported against dnsmasq Salvatore Bonaccorso (Oct 29)
      • Re: Questionable CVE's reported against dnsmasq Petr Menšík (Oct 31)
      • Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 31)
    • Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Oct 27)
  • Re: Questionable CVE's reported against dnsmasq Moritz Mühlenhoff (Oct 27)
    • Re: Questionable CVE's reported against dnsmasq Collin Funk (Oct 27)
    • Re: Questionable CVE's reported against dnsmasq Michael Orlitzky (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Hank Leininger (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Solar Designer (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Douglas Bagnall (Oct 29)
      • Re: Questionable CVE's reported against dnsmasq Art Manion (Oct 31)
      • Re: Questionable CVE's reported against dnsmasq Solar Designer (Oct 31)
      • Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Collin Funk (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Solar Designer (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Nov 02)
      • Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 01)
      • Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 03)
      • Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 03)
      • Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 03)
      • Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 12)
      • Re: Questionable CVE's reported against dnsmasq Alexander Patrakov (Nov 13)
      • Re: Questionable CVE's reported against dnsmasq Jacob Bachmeyer (Nov 13)
      • Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 13)
      • Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Nov 14)
      • Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 14)
      • Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 02)
      • Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 03)
      • Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 04)
      • Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 04)
      • Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 05)
      • Re: Questionable CVE's reported against dnsmasq Pedro Sampaio (Nov 05)
      • Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 06)
      • Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 28)
      • Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq nightmare . yeah27 (Oct 27)
      • Re: Questionable CVE's reported against dnsmasq Simon McVittie (Oct 28)
  • Re: Questionable CVE's reported against dnsmasq Alan Coopersmith (Oct 29)
  • Re: Questionable CVE's reported against dnsmasq Christian Fischer (Dec 03)
• CVE-2025-55752: Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled Mark Thomas (Oct 27)
• CVE-2025-55754: Apache Tomcat: console manipulation via escape sequences in log messages Mark Thomas (Oct 27)
• CVE-2025-61795: Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS Mark Thomas (Oct 27)
• Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Oct 28)
• Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 29)
  • Re: Multiple vulnerabilities in Jenkins plugins Sebastian Pipping (Oct 29)
    • Re: Multiple vulnerabilities in Jenkins plugins Solar Designer (Oct 31)
• CVE-2025-30189: Dovecot IMAP Server: Using auth caching causes the first lookup to be cached for all lookups Camelia Lavender (Oct 29)
• ISC has disclosed one vulnerability in Kea (CVE-2025-11232) Wlodek Wencel (Oct 29)
• CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator" Kaxil Naik (Oct 29)
• CVE-2025-62402: Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API Kaxil Naik (Oct 29)
• CVE-2025-62503: Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables) Kaxil Naik (Oct 29)
• CVE-2025-62232: Apache APISIX: APISIX basic-auth logs plaintext credentials at info level Ashish Tiwari (Oct 30)
• Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Eddie Chapman (Oct 30)
  • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability nightmare . yeah27 (Oct 31)
  • Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Oct 31)
• OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875) Matthias Gerstner (Oct 31)
• [SECURITY ADVISORY] wcurl path traversal with percent-encoded slashes Daniel Stenberg (Nov 04)
• [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 04)
  • Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Demi Marie Obenour (Nov 04)
    • Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 05)
  • Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Salvatore Bonaccorso (Nov 16)
    • Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 17)
  • [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073) Jeremy Stanley (Nov 17)
• Becoming a CVE Naming Authority for your project Rodrigo Freire (Nov 04)
  • Re: Becoming a CVE Naming Authority for your project Greg KH (Nov 04)
    • Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Pedro Sampaio (Nov 05)
    • Re: Becoming a CVE Naming Authority for your project Peter Gutmann (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Matthew Fernandez (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Art Manion (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Pedro Sampaio (Nov 05)
      • Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 06)
      • Re: Becoming a CVE Naming Authority for your project Peter Gutmann (Nov 07)
    • Re: Becoming a CVE Naming Authority for your project Yogesh Mittal (Nov 05)
  • Re: Becoming a CVE Naming Authority for your project Pat Gunn (Nov 06)
    • Re: Becoming a CVE Naming Authority for your project Jeremy Stanley (Nov 06)
• CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server Mingyu Chen (Nov 04)
• [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries (Nov 04)
  • Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Solar Designer (Nov 04)
    • Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries (Nov 05)
• [SECURITY ADVISORY] curl: missing SFTP host verification with wolfSSH Daniel Stenberg (Nov 04)
• runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Aleksa Sarai (Nov 05)
  • Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 akendo () akendo eu (Nov 06)
  • Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Ali Polatel (Nov 07)
• Xen Security Advisory 471 v3 (CVE-2024-36350,CVE-2024-36357) - x86: Transitive Scheduler Attacks Xen . org security team (Nov 05)
• [CVE-2025-54574] SQUID-2025:1 Buffer Overflow in URN Handling Amos Jeffries (Nov 05)
• [CVE-2025-62168] SQUID-2025:2 Information Disclosure in Error handling Amos Jeffries (Nov 05)
• Django CVE-2025-64458 and CVE-2025-64459 Natalia Bidart (Nov 05)
• scx: Unauthenticated scx_loader D-Bus Service can lead to major Denial-of-Service Matthias Gerstner (Nov 06)
• CVE-2025-59118: Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload Jacques Le Roux (Nov 11)
• CVE-2025-61623: Apache OFBiz: Reflected Cross-site Scripting Jacques Le Roux (Nov 11)
• CVE-2024-47866 Ceph: RGW DoS via improper input validation. Sage [They / Them] McTaggart (Nov 11)
• CVE-2025-64401: Apache OpenOffice: Remote documents loaded without prompt via IFrame Arrigo Marchiori (Nov 11)
• CVE-2025-64402: Apache OpenOffice: Remote documents loaded without prompt via OLE objects Arrigo Marchiori (Nov 11)
• CVE-2025-64403: Apache OpenOffice: Remote documents loaded without prompt via "external data sources" in Calc Arrigo Marchiori (Nov 11)
• CVE-2025-64404: Apache OpenOffice: Remote documents loaded without prompt via background and bullet images Arrigo Marchiori (Nov 11)
• CVE-2025-64405: Apache OpenOffice: Remote documents loaded without prompt via DDE function Arrigo Marchiori (Nov 11)
• CVE-2025-64406: Apache OpenOffice: Possible memory corruption during CSV import Arrigo Marchiori (Nov 11)
• CVE-2025-64407: Apache OpenOffice: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables Arrigo Marchiori (Nov 11)
• CVE-2025-57812 libcupsfilters, cups-filters 1.x: Multiple TIFF-related issues in libcupsfilters Zdenek Dohnal (Nov 12)
• CVE-2025-64503 libcupsfilters, cups-filters 1.x: out of bounds write in pdftoraster Zdenek Dohnal (Nov 12)
• CVE-2025-40300 / VMScape Bjoern Franke (Nov 13)
  • Re: CVE-2025-40300 / VMScape Alan Coopersmith (Nov 14)
    • Re: CVE-2025-40300 / VMScape Moritz Mühlenhoff (Nov 14)
      • Re: CVE-2025-40300 / VMScape Solar Designer (Nov 17)
    • Re: CVE-2025-40300 / VMScape Bjoern Franke (Nov 17)
• PostgreSQL releases fixes for CVE-2025-12817 & CVE-2025-12818 Alan Coopersmith (Nov 14)
• GitGuardian GGShield SSL/TLS Verification Bypass (No CVE) tanish saxena (Nov 17)
• lightdm-kde-greeter: Privilege Escalation from lightdm Service User to root in KAuth Helper Service (CVE-2025-62876) Matthias Gerstner (Nov 17)
• [SECURITY PATCH 0/8] GRUB2 vulnerabilities - 2025/11/18 Daniel Kiper (Nov 18)
• [SECURITY PATCH 1/8] commands/test: Fix error in recursion depth calculation Daniel Kiper (Nov 18)
• [SECURITY PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close() Daniel Kiper (Nov 18)
• [SECURITY PATCH 3/8] net/net: Unregister net_set_vlan command on unload Daniel Kiper (Nov 18)
• [SECURITY PATCH 4/8] gettext/gettext: Unregister gettext command on module unload Daniel Kiper (Nov 18)
• [SECURITY PATCH 5/8] normal/main: Unregister commands on module unload Daniel Kiper (Nov 18)
• [SECURITY PATCH 6/8] tests/lib/functional_test: Unregister commands on module unload Daniel Kiper (Nov 18)
• [SECURITY PATCH 7/8] commands/usbtest: Use correct string length field Daniel Kiper (Nov 18)
• [SECURITY PATCH 8/8] commands/usbtest: Ensure string length is sufficient in usb string processing Daniel Kiper (Nov 18)
• Re: SQLite - Integer Overflow in FTS5 Extension [CVE-2025-7709] John Hein (Nov 18)
• CVE-2025-64408: Apache Causeway: Java deserialization vulnerability to authenticated attackers Dan Haywood (Nov 19)
• CVE-2025-64524 cups-filters: Heap Buffer Overflow in rastertopclx Filter Leading to Potential Arbitrary Code Execution Zdenek Dohnal (Nov 20)
• gnutls 3.8.11 released with fix for CVE-2025-9820 Alan Coopersmith (Nov 20)
• libpng 1.6.51: Four buffer overflow vulnerabilities fixed: CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018 Cosmin Truta (Nov 21)
• CVE-2025-65998: Apache Syncope: Default AES key used for internal password encryption Francesco Chicchiriccò (Nov 24)
• CVE-2025-59390: Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly. Karan Kumar (Nov 25)
• 5 CVE's fixed in Fluent Bit Alan Coopersmith (Nov 26)
  • Re: 5 CVE's fixed in Fluent Bit Christian Brabandt (Dec 01)
    • Re: 5 CVE's fixed in Fluent Bit Christian Fischer (Dec 02)
      • Re: 5 CVE's fixed in Fluent Bit Christian Brabandt (Dec 02)
      • Re: 5 CVE's fixed in Fluent Bit Christian Fischer (Dec 03)
• CVE-2025-62728: Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs Stamatis Zampetakis (Nov 26)
• Unbound: 1.24.2 addresses CVE-2025-11411 (again) Yorgos Thessalonikefs (Nov 26)
• CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability Zhenxu Ke (Nov 26)
• CVE-2025-59302: Apache CloudStack: Potential remote code execution on Javascript engine defined rules Harikrishna Patnala (Nov 26)
• CVE-2025-59454: Apache CloudStack: Lack of user permission validation leading to data leak for few APIs Harikrishna Patnala (Nov 26)
• CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack Zdenek Dohnal (Nov 27)
• CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues Zdenek Dohnal (Nov 27)
• CVE-2023-48796: Apache DolphinScheduler: Sensitive information disclosure Lidong Dai (Nov 28)
• CVE-2025-59790: Apache Kvrocks: RESET command grants admin privileges Hulk Lin (Nov 28)
• CVE-2025-59792: Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins Hulk Lin (Nov 28)
• CVE-2025-59789: Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser Wang Weibing (Nov 30)
• CVE-2025-64775: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - S2-068 Lukasz Lenart (Dec 01)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0008 Adrian Perez de Castro (Dec 01)
• [kubernetes] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager Nathan Herz (Dec 01)
• CVE-2025-12183 in lz4-java, fixed in new fork Alan Coopersmith (Dec 01)
  • CVE-2025-66566 fixed in lz4-java 1.10.1 Alan Coopersmith (Dec 05)
• expat looking for help with another unfixed non-public denial-of-service vulnerability [CVE-2025-66382] Alan Coopersmith (Dec 01)
• Django CVE-2025-13372 and CVE-2025-64460 Natalia Bidart (Dec 02)
• [vim-security] A Windows uncontrolled search path vulnerability affects Vim < 9.1.1947 Christian Brabandt (Dec 02)
• FW: X.Org Security Advisory: multiple security issues in xkbcomp Peter Hutterer (Dec 02)
• CVE-2025-55182: RCE in React Server Components Jan Schaumann (Dec 03)
  • additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) Jan Schaumann (Dec 14)
• libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta (Dec 03)
  • Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Alan Coopersmith (Dec 03)
    • Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta (Dec 03)
      • Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Greg Roelofs (Dec 03)
• CVE-2025-53960: Apache StreamPark: Use the user’s password as the secret key Vulnerability Huajie Wang (Dec 03)
• CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected Tim Allison (Dec 04)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 Adrian Perez de Castro (Dec 04)
  • Re: [webkit-gtk] WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 Adrian Perez de Castro (Dec 04)
• CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals Eric Covener (Dec 04)
• CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... Eric Covener (Dec 04)
• CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF Eric Covener (Dec 04)
• CVE-2025-65082: Apache HTTP Server: CGI environment variable override Eric Covener (Dec 04)
• CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo Eric Covener (Dec 04)
• React2Shell (CVE-2025-55182/CVE-2025-66478) Jeffrey Walton (Dec 04)
• Island: Sandboxing tool powered by Landlock Mickaël Salaün (Dec 05)
• Go 1.25.5 and Go 1.24.11 are released - fix CVE-2025-61729 & CVE-2025-61727 Alan Coopersmith (Dec 05)
• CVE-2025-66418 & CVE-2025-66471 fixed in urllib3 2.6.0 Alan Coopersmith (Dec 05)
• CPython vulnerable to CVE-2025-13836, CVE-2025-13837, & CVE-2025-12084 Alan Coopersmith (Dec 05)
• PowerDNS Security Announcement 2025-07 and 2025-08 regarding PowerDNS Recursor Otto Moerbeek (Dec 08)
• CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Brad House (Dec 08)
  • Re: CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Demi Marie Obenour (Dec 08)
• CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability VGalaxies (Dec 09)
• EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann (Dec 10)
  • Update: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann (Dec 11)
    • Re: Update: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann (Dec 14)
      • Release: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99.1 released Heiko Schlittermann (Dec 18)
• CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed Lukasz Lenart (Dec 10)
• LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre (Dec 10)
  • Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Marco Moock (Dec 10)
    • Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre (Dec 10)
• Multiple vulnerabilities in Jenkins and Jenkins plugins Kevin Guerroudj (Dec 10)
• smb4k: Major Vulnerabilities in KAuth Helper (CVE-2025-66002, CVE-2025-66003) Matthias Gerstner (Dec 10)
• CVE-2025-8110 in Gogs self-hosted git service Alan Coopersmith (Dec 10)
  • Re: CVE-2025-8110 in Gogs self-hosted git service Jakub Wilk (Dec 11)
    • Re: CVE-2025-8110 in Gogs self-hosted git service Martin Weinelt (Dec 11)
• CVE-2025-23408: Apache Fineract: weak password policy Adam Monsen (Dec 11)
• CVE-2025-58130: Apache Fineract: Server Key not masked Adam Monsen (Dec 11)
• CVE-2025-58137: Apache Fineract: IDOR via self-service API Adam Monsen (Dec 11)
• CVE-2025-66388: Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI Ephraim Anierobi (Dec 12)
• CVE-2025-65995: Apache Airflow: Disclosure of secrets to UI via kwargs Ephraim Anierobi (Dec 12)
• CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability Huajie Wang (Dec 12)
  • Re: CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability Solar Designer (Dec 12)
• CVE-2025-54981: Apache StreamPark: Weak Encryption Algorithm in StreamPark Huajie Wang (Dec 12)
• uriparser 1.0.0 fixes CVE-2025-67899 (DoS, CWE-674) Sebastian Pipping (Dec 15)
• XXE vulnerabilities in electronic invoicing software (Kivitendo, peppol-py, ZUV) Hanno Böck (Dec 16)
• Dropbear 2025.89 fixes privilege escalation, CVE-2025-14282 Matt Johnston (Dec 16)
• CVE-2025-67895: Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2 Jarek Potiuk (Dec 16)
• [CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings turistu (Dec 16)
  • Re: [CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings Jacob Bachmeyer (Dec 16)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0010 Adrian Perez de Castro (Dec 16)
• [kubernetes] CVE-2025-14269: Credential caching in Headlamp with Helm enabled Craig Ingram (Dec 17)
• CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender Piotr Karwasz (Dec 18)
• CVE-2025-66524: Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor David Handermann (Dec 18)
• Avahi simple protocol server accepts unlimited connections [CVE-2025-59529] Alan Coopersmith (Dec 19)
• A couple of security issues? Artem S. Tashkinov (Dec 20)
  • Re: A couple of security issues? Greg KH (Dec 20)
• CVE-2018-25153 against GNU barcode seems bogus Collin Funk (Dec 26)
• [Advisory] WebKit/iOS 26.2: Gigacage Boundary Violation via Logic Flaw enabling OOB Access Joseph Goydish II (Dec 26)
• CVE-2025-68460/CVE-2025-68461: Roundcube XSS + I-D prior to 1.5.12/1.6.12 Valtteri Vuorikoski (Dec 27)
• CVE-2025-68637: : Insecure SSL Configuration in Uniffle HTTP Client roryqi (Dec 27)
• Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 27)
  • Re: Many vulnerabilities in GnuPG Solar Designer (Dec 27)
    • Re: Many vulnerabilities in GnuPG Solar Designer (Dec 27)
    • Re: Many vulnerabilities in GnuPG Jacob Bachmeyer (Dec 27)
      • Re: Many vulnerabilities in GnuPG Salvatore Bonaccorso (Dec 28)
      • Re: Many vulnerabilities in GnuPG Werner Koch (Dec 29)
      • Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 29)
      • Re: safe use of cleartext signatures? (was: Many vulnerabilities in GnuPG) Jacob Bachmeyer (Dec 30)
      • Re: safe use of cleartext signatures? Werner Koch (Dec 30)
      • Re: safe use of cleartext signatures? Demi Marie Obenour (Dec 30)
      • Re: safe use of cleartext signatures? Werner Koch (Dec 31)
      • Re: Many vulnerabilities in GnuPG Lexi Groves (49016) (Dec 29)
      • Re: Many vulnerabilities in GnuPG Henrik Ahlgren (Dec 29)
      • Re: Many vulnerabilities in GnuPG Sam James (Dec 29)
      • Re: Many vulnerabilities in GnuPG Jacob Bachmeyer (Dec 30)
      • Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 30)
      • Re: Many vulnerabilities in GnuPG Sam James (Dec 30)
      • Re: Many vulnerabilities in GnuPG Jeffrey Walton (Dec 30)
    • Re: Many vulnerabilities in GnuPG Sam James (Dec 28)
  • Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Dec 28)
    • Re: Many vulnerabilities in GnuPG Andreas Metzler (Dec 29)
    • Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 29)
      • Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 30)
      • Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 30)
      • Re: Many vulnerabilities in GnuPG Henrik Ahlgren (Dec 30)
      • Re: Many vulnerabilities in GnuPG Collin Funk (Dec 30)
      • Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 31)
      • Re: Many vulnerabilities in GnuPG Jacob Bachmeyer (Dec 30)
  • Re: Many vulnerabilities in GnuPG Sam James (Dec 28)
    • Re: Many vulnerabilities in GnuPG Jeffrey Walton (Dec 28)
    • Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 28)
      • Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Dec 29)
      • Re: Many vulnerabilities in GnuPG Alan Coopersmith (Dec 30)
      • Re: Many vulnerabilities in GnuPG Neal Gompa (Dec 29)
• Systemd vsock sshd Greg Dahlman (Dec 27)
  • Message not available
    • Re: Systemd vsock sshd yen-mummify-yeah (Dec 28)
  • Re: Systemd vsock sshd Sam James (Dec 28)
    • Re: Systemd vsock sshd Sam James (Dec 28)
      • Re: Systemd vsock sshd Greg Dahlman (Dec 28)
  • Re: Systemd vsock sshd Jacob Bachmeyer (Dec 28)
    • Re: Systemd vsock sshd Benjamin McMahon (Dec 29)
      • Re: Systemd vsock sshd Greg Dahlman (Dec 29)
      • Re: Systemd vsock sshd Pat Gunn (Dec 29)
      • Re: Systemd vsock sshd Greg Dahlman (Dec 29)
      • Re: Systemd vsock sshd Jacob Bachmeyer (Dec 30)
      • Re: Systemd vsock sshd Demi Marie Obenour (Dec 30)
      • Re: Systemd vsock sshd Pat Gunn (Dec 31)
    • Re: Systemd vsock sshd Greg Dahlman (Dec 29)
  • <Possible follow-ups>
  • Systemd vsock sshd wish42offcl98 (Dec 30)
    • Re: Systemd vsock sshd Greg Dahlman (Dec 30)
• Best practices for signature verifcation Demi Marie Obenour (Dec 28)
  • Message not available
    • Re: Best practices for signature verifcation kf503bla (Dec 29)
      • Re: Best practices for signature verifcation Steffen Nurpmeso (Dec 29)
      • Re: Best practices for signature verifcation Max Jonas Werner (Dec 29)
      • Re: Best practices for signature verifcation Simon Josefsson (Dec 31)
      • Re: Best practices for signature verifcation Steffen Nurpmeso (Dec 31)
      • Re: Re: Best practices for signature verifcation Collin Funk (Dec 31)
      • Re: Re: Best practices for signature verifcation Demi Marie Obenour (Dec 31)
  • Re: Best practices for signature verifcation Ali Polatel (Dec 30)
    • Re: Re: Best practices for signature verifcation Eli Schwartz (Dec 30)
    • Re: Re: Best practices for signature verifcation Eli Schwartz (Dec 30)
• CVE-2025-47411: Apache StreamPipes: Leverage of User ID for Privilege Escalation Philipp Zehnder (Dec 29)
• BSDiff (bspatch): remotely triggerable out-of-bound memory access Steffen Nurpmeso (Dec 29)
• "MongoBleed" CVE-2025-14847 in many versions of MongoDB Alan Coopersmith (Dec 29)
• CVE-2025-48768: Apache NuttX RTOS: fs/inode: fs_inoderemove root inode removal Tomasz Cedro (Dec 31)
• CVE-2025-48769: Apache NuttX RTOS: fs/vfs/fs_rename: use after free Tomasz Cedro (Dec 31)

Previous period

Next period