oss-sec: by author
431 messages, starting Mar 31 26 and ending Mar 04 26
Aaron Conole
[ADVISORY] CVE-2026-34956: Open vSwitch: Invalid memory access in conntrack FTP alg. Aaron Conole (Mar 31)
Abhinav Agarwal
CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref) Abhinav Agarwal (Mar 20)
Re: CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref) Abhinav Agarwal (Mar 25)
Adam Zabrocki
Re: The Curious Case of Stack Pivot Detection Adam Zabrocki (Jan 15)
Adrian Perez de Castro
WebKitGTK and WPE WebKit Security Advisory WSA-2026-0001 Adrian Perez de Castro (Mar 18)
WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002 Adrian Perez de Castro (Mar 27)
Akira Ajisaka
CVE-2025-66518: Apache Kyuubi: Unauthorized directory access due to missing path normalization Akira Ajisaka (Jan 05)
Aki Tuomi
Dovecot Security Advisory OXDC-2026-0001 Aki Tuomi (Mar 27)
Alan Coopersmith
Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes Alan Coopersmith (Jan 15)
Net-SNMP snmptrapd vulnerability [CVE-2025-68615] Alan Coopersmith (Jan 09)
pyOpenSSL 26.0.0 released with two CVE fixes Alan Coopersmith (Mar 20)
CVE-2025-69534 in Python-Markdown Alan Coopersmith (Mar 06)
Fwd: [CVE-2026-2297] SourcelessFileLoader does not use io.open_code() Alan Coopersmith (Mar 05)
Go 1.25.7 and Go 1.24.13 are released with 2 CVE fixes Alan Coopersmith (Feb 07)
Buffer overflow in /bin/su from UNIX v4 Alan Coopersmith (Jan 05)
gnutls 3.8.12 fixes CVE-2026-1584 & CVE-2025-14831 Alan Coopersmith (Feb 09)
CVE-2025-40905: WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions Alan Coopersmith (Feb 13)
FreeRDP fixes 12 CVEs in 3.22.0 release Alan Coopersmith (Feb 09)
nghttp2 Denial of service: Assertion failure due to the missing state validation Alan Coopersmith (Mar 20)
Trivy github actions repo compromised, infostealer added Alan Coopersmith (Mar 20)
Re: Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name Alan Coopersmith (Jan 15)
Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name Alan Coopersmith (Jan 06)
Announcing FreeType 2.14.2, fixes CVE-2026-23865 Alan Coopersmith (Mar 03)
[CVE-2026-30922] Denial of Service in pyasn1 via Unbounded Recursion Alan Coopersmith (Mar 20)
Re: libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) Alan Coopersmith (Mar 17)
Fwd: libtasn1-4.21.0 released [stable] - fixes CVE-2025-13151 Alan Coopersmith (Jan 08)
pyca/cryptography: CVE-2026-34073: X.509: bypass of name constraints on wildcard SANs with matching peer names Alan Coopersmith (Mar 30)
Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Alan Coopersmith (Jan 20)
[oss-security][CVE-2026-3644] CPython Incomplete control character validation in http.cookies Alan Coopersmith (Mar 16)
Go 1.26.1 and Go 1.25.8 are released with 5 CVE fixes Alan Coopersmith (Mar 05)
Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Alan Coopersmith (Jan 13)
Pillow 12.1.1 released with fix for CVE-2026-25990 Alan Coopersmith (Feb 11)
Default IV & other issues in aes-js & pyaes modules, & strongMan VPN manager Alan Coopersmith (Feb 19)
Fwd: [CPython][CVE-2026-4519] webbrowser.open() API allows leading dashes Alan Coopersmith (Mar 20)
wget2-2.2.1 released with security fixes Alan Coopersmith (Jan 06)
[CVE-2026-4224] CPython Stack overflow parsing XML with deeply nested DTD content models Alan Coopersmith (Mar 16)
TigerVNC 1.16.2 security release Alan Coopersmith (Mar 26)
litellm pypi packages compromised, infostealer added Alan Coopersmith (Mar 24)
OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Alan Coopersmith (Feb 27)
Re: Buffer overflow in /bin/su from UNIX v4 Alan Coopersmith (Mar 21)
Null Pointer Dereference in HarfBuzz Alan Coopersmith (Jan 10)
PyCA cryptography 46.0.5 released with fix for CVE-2026-26007 Alan Coopersmith (Feb 10)
CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Alan Coopersmith (Jan 23)
8 CVEs in Cpython announced this week Alan Coopersmith (Jan 23)
Re: Buffer overflow in /bin/su from UNIX v4 Alan Coopersmith (Mar 20)
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Alan Coopersmith (Jan 28)
Albert Veli
Re: Telnetd Vulnerability Report Albert Veli (Feb 26)
Alexander Bochmann
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Alexander Bochmann (Jan 20)
Alex Gaynor
Re: pyOpenSSL 26.0.0 released with two CVE fixes Alex Gaynor (Mar 20)
Ali Polatel
The Curious Case of Stack Pivot Detection Ali Polatel (Jan 10)
Re: Re: Best practices for signature verifcation Ali Polatel (Jan 01)
Ali Raza
Off-by-one heap buffer overflow in libuv Ali Raza (Mar 19)
Re: Off-by-one heap buffer overflow in libuv Ali Raza (Mar 19)
Re: Off-by-one heap buffer overflow in libuv Ali Raza (Mar 19)
Re: Off-by-one heap buffer overflow in libuv Ali Raza (Mar 19)
Agno's PythonTools: Path traversal leads to sensitive information disclosure and potential RCE Ali Raza (Jan 27)
Amos Jeffries
[ADVISORY] SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515) Amos Jeffries (Mar 24)
[ADVISORY] SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748) Amos Jeffries (Mar 24)
[ADVISORY] SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526) Amos Jeffries (Mar 24)
Andor Molnar
CVE-2026-24308: Apache ZooKeeper: Sensitive information disclosure in client configuration handling Andor Molnar (Mar 07)
CVE-2026-24281: Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager Andor Molnar (Mar 07)
Andrea Cosentino
CVE-2026-25747: Apache Camel: Deserialization of Untrusted Data in Camel LevelDB Andrea Cosentino (Feb 18)
CVE-2026-23552: Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Andrea Cosentino (Feb 18)
CVE-2025-66169: Apache Camel: Cypher injection vulnerability in Camel-Neo4j component Andrea Cosentino (Jan 13)
Andrew Cooper
Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown Andrew Cooper (Mar 24)
Antoine Pitrou
CVE-2026-25087: Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering Antoine Pitrou (Feb 17)
Arnout Engelen
CVE-2016-15057: Apache Continuum: Command injection leading to RCE Arnout Engelen (Jan 26)
Bastian Blank
Re: Systemd vsock sshd Bastian Blank (Feb 03)
Brian Behlendorf
Re: Vulnerability management and Open Source: FOSDEM BoF Brian Behlendorf (Jan 23)
Brian Rosmaita
[OSSA-2026-004] Glance: Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality (CVE-2026-pending) Brian Rosmaita (Mar 19)
Carlos O'Donell
The GNU C Library security advisories update for 2026-03-23 Carlos O'Donell (Mar 23)
The GNU C Library security advisories update for 2026-01-20 Carlos O'Donell (Jan 20)
The GNU C Library security advisories update for 2026-01-16 (part 2) Carlos O'Donell (Jan 16)
Carlos Rodriguez-Fernandez
Re: Systemd vsock sshd Carlos Rodriguez-Fernandez (Jan 02)
Casper Dik
Re: [External] : [oss-security] Buffer overflow in /bin/su from UNIX v4 Casper Dik (Jan 06)
Chad Dougherty
Re: CVE-2025-8110 in Gogs self-hosted git service Chad Dougherty (Jan 17)
Chris Dunlap
CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage Chris Dunlap (Feb 10)
Chris Nauroth
CVE-2025-27821: HDFS native client: Out of bounds write in URI parser of native HDFS client Chris Nauroth (Jan 23)
Christian Brabandt
[vim-security] NFA regex engine NULL pointer dereference affects Vim < 9.2.0137 Christian Brabandt (Mar 11)
[vim-security] Heap-based Buffer Underflow in Emacs tags parsing affects Vim < 9.2.0075 Christian Brabandt (Feb 27)
[vim-security] Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076 Christian Brabandt (Feb 27)
[vim-security] OS Command Injection in netrw affects Vim < 9.2.0073 Christian Brabandt (Feb 27)
[vim-security] buffer overflow in helpfile option handling affects Vim <9.1.2132 Christian Brabandt (Feb 05)
[vim-security] NetBeans specialKeys Stack Buffer Overflow with Vim <9.1.2148 Christian Brabandt (Feb 13)
[vim-security] Vim modeline bypass via various options affects Vim < 9.2.0276 Christian Brabandt (Mar 31)
Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Christian Brabandt (Mar 31)
[vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Christian Brabandt (Mar 30)
[vim-security] Multiple Vulnerabilities in Swap File Recovery affect Vim < 9.2.0077 Christian Brabandt (Feb 27)
[vim-security]: Command injection via newline in glob() affects Vim < 9.2.0202 Christian Brabandt (Mar 19)
[vim-security] Heap-based Buffer Overflow in Emacs tags parsing affects Vim < 9.2.0074 Christian Brabandt (Feb 27)
[vim-security] Stack-buffer-overflow in build_stl_str_hl() affects Vim < 9.2.0078 Christian Brabandt (Feb 27)
Christian Fischer
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Christian Fischer (Jan 22)
christopher.downs
AWStats awdownloadcsv.pl command injection and path traversal vulnerabilities christopher.downs (Mar 08)
Christopher L. Shannon
CVE-2025-66168: Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated Christopher L. Shannon (Mar 03)
Clemens Lang
Re: Best practices for signature verifcation Clemens Lang (Jan 01)
Re: Best practices for signature verifcation Clemens Lang (Jan 05)
Coia Prant
CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption Coia Prant (Jan 17)
Re: CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption Coia Prant (Jan 17)
Collin Funk
Re: CVE-2025-8110 in Gogs self-hosted git service Collin Funk (Jan 17)
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk (Mar 13)
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk (Mar 12)
Cosmin Truta
libpng 1.6.56: Two high-severity vulnerabilities fixed: CVE-2026-33416, CVE-2026-33636 Cosmin Truta (Mar 25)
libpng 1.6.54: two heap buffer over-read vulnerabilities fixed: CVE-2026-22695, CVE-2026-22801 Cosmin Truta (Jan 12)
libpng 1.6.55: Heap buffer overflow vulnerability fixed: CVE-2026-25646 Cosmin Truta (Feb 09)
cyber security
Re: Clarification: rbash escape via history built-ins cyber security (Jan 28)
[CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability cyber security (Mar 29)
Clarification: rbash escape via history built-ins cyber security (Jan 27)
Daniel Beck
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Mar 18)
Multiple vulnerabilities in Jenkins Daniel Beck (Feb 18)
Daniel Gaspar
CVE-2026-23984: Apache Superset: SQLLab Read-Only Bypass on PostgreSQL Daniel Gaspar (Feb 24)
CVE-2026-23983: Apache Superset: Sensitive Data Exposure via REST API (disabled by default) Daniel Gaspar (Feb 24)
CVE-2026-23982: Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass Daniel Gaspar (Feb 24)
CVE-2026-23980: Apache Superset: Improper Neutralization of Special Elements used in a SQL Command Daniel Gaspar (Feb 24)
CVE-2026-23969: Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering Daniel Gaspar (Feb 24)
Daniel Stenberg
[ADVISORY] curl: CVE-2026-1965: bad reuse of HTTP Negotiate connection Daniel Stenberg (Mar 10)
[ADVISORY] curl CVE-2025-14819: OpenSSL partial chain store policy bypass Daniel Stenberg (Jan 06)
[ADVISORY] curl CVE-2025-15079: libssh global knownhost override Daniel Stenberg (Jan 06)
[ADVISORY] curl: CVE-2026-3805: use after free in SMB connection reuse Daniel Stenberg (Mar 11)
[ADVISORY] curl CVE-2025-14017: broken TLS options for threaded LDAPS Daniel Stenberg (Jan 06)
[ADVISORY] curl: CVE-2026-3784: wrong proxy connection reuse with credentials Daniel Stenberg (Mar 11)
[ADVISORY] curl CVE-2025-15224: libssh key passphrase bypass without agent set Daniel Stenberg (Jan 07)
[ADVISORY] curl CVE-2025-14524: bearer token leak on cross-protocol redirect Daniel Stenberg (Jan 06)
[ADVISORY] curl CVE-2025-13034: No QUIC certificate pinning with GnuTLS Daniel Stenberg (Jan 06)
[ADVISORY] curl: CVE-2026-3783: token leak with redirect and netrc Daniel Stenberg (Mar 10)
David A. Wheeler
Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 David A. Wheeler (Mar 31)
David Handermann
CVE-2026-25903: Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates David Handermann (Feb 16)
Demi Marie Obenour
Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Demi Marie Obenour (Mar 01)
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Demi Marie Obenour (Jan 22)
Re: Best practices for signature verifcation Demi Marie Obenour (Jan 03)
Re: Re: Best practices for signature verifcation Demi Marie Obenour (Jan 03)
Re: Re: Best practices for signature verifcation Demi Marie Obenour (Jan 05)
Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Demi Marie Obenour (Mar 30)
Re: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Demi Marie Obenour (Jan 28)
Re: Re: Best practices for signature verifcation Demi Marie Obenour (Jan 02)
Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Demi Marie Obenour (Mar 03)
Re: Best practices for signature verifcation Demi Marie Obenour (Jan 05)
Re: Re: Telnetd Vulnerability Report Demi Marie Obenour (Feb 26)
Re: KVM shadow EPT stale rmap use-after-free Demi Marie Obenour (Mar 30)
Dmitry Belyavskiy
Re: OpenSSH GSSAPI keyex patch issue Dmitry Belyavskiy (Mar 14)
Re: OpenSSH GSSAPI keyex patch issue Dmitry Belyavskiy (Mar 18)
Re: OpenSSH GSSAPI keyex patch issue Dmitry Belyavskiy (Mar 18)
Eddie Chapman
Re: Telnetd Vulnerability Report Eddie Chapman (Feb 24)
Re: Telnetd Vulnerability Report Eddie Chapman (Feb 24)
Eli Schwartz
Re: OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure Eli Schwartz (Feb 20)
Enxin Xie
CVE-2026-24735: Apache Answer: Revision API Improper Access Control leads to Information Disclosure Enxin Xie (Feb 04)
Ephraim Anierobi
CVE-2025-68675: Apache Airflow: proxy credentials for various providers might leak in task logs Ephraim Anierobi (Jan 15)
CVE-2026-24098: Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors Ephraim Anierobi (Feb 09)
CVE-2026-22922: Apache Airflow: Airflow externalLogUrl Permission Bypass Ephraim Anierobi (Feb 09)
CVE-2025-68438: Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated Ephraim Anierobi (Jan 15)
Florian Weimer
Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Florian Weimer (Mar 02)
Re: On patch vs commit messages Florian Weimer (Feb 09)
Re: Re: Telnetd Vulnerability Report Florian Weimer (Feb 26)
Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Florian Weimer (Feb 27)
Francesco Chicchiriccò
CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login Francesco Chicchiriccò (Feb 02)
CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters Francesco Chicchiriccò (Feb 02)
Greg Dahlman
Re: Systemd vsock sshd Greg Dahlman (Jan 08)
Re: Systemd vsock sshd Greg Dahlman (Jan 02)
Greg KH
Re: Multiple vulnerabilities in AppArmor Greg KH (Mar 27)
Re: Multiple vulnerabilities in AppArmor Greg KH (Mar 29)
Re: Multiple vulnerabilities in AppArmor Greg KH (Mar 31)
Re: Null Pointer Dereference in HarfBuzz Greg KH (Jan 12)
Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown Greg KH (Mar 24)
Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown Greg KH (Mar 24)
Re: Multiple vulnerabilities in AppArmor Greg KH (Mar 28)
Guangming Chen
CVE-2025-60021: Apache bRPC: Remote command injection vulnerability in heap builtin service Guangming Chen (Jan 16)
Guillem Jover
CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover (Feb 27)
Re: CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover (Mar 07)
Re: CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover (Mar 06)
György Gál
CVE-2025-60012: Apache Livy: Restrict file access György Gál (Mar 12)
CVE-2025-66249: Apache Livy: Unauthorized directory access György Gál (Mar 12)
Hanno Böck
Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Hanno Böck (Jan 21)
Re: AWStats awdownloadcsv.pl command injection and path traversal vulnerabilities Hanno Böck (Mar 08)
Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Hanno Böck (Jan 12)
Haonan Hou
CVE-2025-64152: Apache IoTDB: Path Traversal Vulnerability Haonan Hou (Mar 08)
CVE-2026-24713: Apache IoTDB: JEXL Expression Injection Vulnerability Haonan Hou (Mar 08)
CVE-2026-24015: Apache IoTDB: Insecure Default Configuration Vulnerability Haonan Hou (Mar 08)
CVE-2025-55017: Apache IoTDB: Path Traversal Vulnerability Haonan Hou (Mar 08)
Holden Karau
CVE-2025-54920: Apache Spark: Spark History Server Code Execution Vulnerability Holden Karau (Mar 13)
Jacob Bachmeyer
Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 13)
Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 13)
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer (Feb 19)
Re: CVE-2026-4176: Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib Jacob Bachmeyer (Mar 29)
Re: Re: Best practices for signature verifcation Jacob Bachmeyer (Jan 16)
Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 11)
Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 12)
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer (Feb 19)
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer (Feb 19)
Jacob Walls
Django CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 Jacob Walls (Feb 03)
Jakub Wilk
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Jakub Wilk (Jan 29)
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Jakub Wilk (Jan 21)
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Jakub Wilk (Jan 30)
Jan Bessai
Unsound Workshop at ECOOP 2026 Jan Bessai (Feb 24)
Jan Engelhardt
Re: Re: zlib security audit by 7asecurity Jan Engelhardt (Feb 17)
Re: Null Pointer Dereference in HarfBuzz Jan Engelhardt (Jan 12)
Jan Schaumann
NGINX < 1.29.5, 1.28.2 MitM injection CVE-2026-1642 Jan Schaumann (Feb 04)
Re: GnuPG security release Jan Schaumann (Jan 27)
NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 13)
backdoor in litellm version 1.82.7 Jan Schaumann (Mar 25)
NodeJS Security Releases fixes High, 5 Medium, 2 Low severity issues Jan Schaumann (Mar 24)
Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 16)
Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338) Jan Schaumann (Mar 03)
Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 13)
Jarek Potiuk
CVE-2025-27555: Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli Jarek Potiuk (Feb 23)
CVE-2025-69219: Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator Jarek Potiuk (Mar 08)
CVE-2024-56373: Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information Jarek Potiuk (Feb 23)
CVE-2026-25604: Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass Jarek Potiuk (Mar 09)
Jason Gerlowski
CVE-2026-22022: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin Jason Gerlowski (Jan 20)
CVE-2026-22444: Apache Solr: Insufficient file-access checking in standalone core-creation requests Jason Gerlowski (Jan 20)
Jean-Baptiste Onofré
CVE-2026-24656: Apache Karaf: Decanter log-socket collector has deserialization vulnerability Jean-Baptiste Onofré (Jan 23)
Jeffrey Walton
Re: OpenSSH GSSAPI keyex patch issue Jeffrey Walton (Mar 18)
Re: Re: Best practices for signature verifcation Jeffrey Walton (Jan 05)
Jens Scheffler
CVE-2026-32794: Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange Jens Scheffler (Mar 30)
Jeremy Stanley
[OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) errata 1 Jeremy Stanley (Jan 16)
[OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) errata 1 Jeremy Stanley (Feb 17)
[OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Jeremy Stanley (Feb 17)
Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 16)
[CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 15)
Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Jeremy Stanley (Feb 17)
[OSSA-2026-003] OpenStack Vitrage: Remote code execution through Vitrage query parser (CVE-2026-28370) Jeremy Stanley (Mar 03)
Jeremy Utiera
Re: Trivy github actions repo compromised, infostealer added Jeremy Utiera (Mar 23)
Joe Malcolm
OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure Joe Malcolm (Feb 20)
John Johansen
Re: Multiple vulnerabilities in AppArmor John Johansen (Mar 28)
Re: Multiple vulnerabilities in AppArmor John Johansen (Mar 31)
Juergen Gross
Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown Juergen Gross (Mar 26)
Justin Bertram
CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Justin Bertram (Mar 03)
CVE-2026-32642: Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission Justin Bertram (Mar 20)
Justin Swartz
Re: Telnetd Vulnerability Report Justin Swartz (Mar 07)
Re: Telnetd Vulnerability Report Justin Swartz (Feb 24)
Re: Telnetd Vulnerability Report Justin Swartz (Mar 08)
Re: Telnetd Vulnerability Report Justin Swartz (Mar 07)
Re: Telnetd Vulnerability Report Justin Swartz (Mar 07)
Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Justin Swartz (Mar 12)
Re: Telnetd Vulnerability Report Justin Swartz (Feb 23)
Re: Buffer overflow in /bin/su from UNIX v4 Justin Swartz (Mar 21)
Some telnet clients leak environment variables Justin Swartz (Mar 13)
Karan Kumar
CVE-2026-23906: Apache Druid: Authentication Bypass via LDAP Anonymous Bind Karan Kumar (Feb 09)
Kevin Backhouse
Exiv2 version 0.28.8 released with fixes for 3 low-severity CVEs Kevin Backhouse (Mar 02)
kf503bla
Re: Re: Telnetd Vulnerability Report kf503bla (Feb 24)
Re: Re: Multiple vulnerabilities in AppArmor kf503bla (Mar 27)
Re: Telnetd Vulnerability Report kf503bla (Feb 25)
Re: Buffer overflow in /bin/su from UNIX v4 kf503bla (Mar 21)
Lenny Primak
CVE-2026-23901: Apache Shiro: Brute force attack possible to determine valid user names Lenny Primak (Feb 08)
CVE-2026-23903: Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems Lenny Primak (Feb 08)
Liang, Zhiwei
CVE-2026-27900 - Sensitive Information Exposure in Debug Logs of Terraform Provider for Linode Liang, Zhiwei (Feb 25)
Loganaden Velvindron
Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Loganaden Velvindron (Jan 12)
Lukasz Lenart
CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Lukasz Lenart (Jan 11)
Lyndon Nerenberg (VE7TFX/VE6BBM)
Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM) (Feb 26)
Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM) (Feb 24)
Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM) (Feb 25)
Marc Deslauriers
OpenSSH GSSAPI keyex patch issue Marc Deslauriers (Mar 12)
Marco Moock
Re: Telnetd Vulnerability Report Marco Moock (Feb 25)
Re: Re: Telnetd Vulnerability Report Marco Moock (Feb 25)
Martin Desruisseaux
CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Martin Desruisseaux (Jan 05)
Matthias Gerstner
Foomuuri: Lack of Client Authorization and Input Verification allow Control over Firewall Configuration (CVE-2025-67603, CVE-2025-67858) Matthias Gerstner (Jan 07)
TLP: Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859) Matthias Gerstner (Jan 07)
InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338) Matthias Gerstner (Jan 09)
Maurits van Rees
Security incident on plone GitHub org with force pushes Maurits van Rees (Jan 31)
Michael Daum
Re: Foswiki 2.1.11 is released, fixes CVE-2026-2861 Michael Daum (Mar 16)
Foswiki 2.1.11 is released, fixes CVE-2026-2861 Michael Daum (Mar 15)
Michael Orlitzky
Vulnerable tmpdir handling in pytest Michael Orlitzky (Jan 21)
Re: CVE-2025-8110 in Gogs self-hosted git service Michael Orlitzky (Jan 17)
Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Michael Orlitzky (Mar 17)
Michael Straßberger
Axios Supply-Chain Attack [v1.14.1] [0.30.4] --> plain-crypto-js [4.2.0][4.2.1] Michael Straßberger (Mar 31)
Michał Kępień
ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) Michał Kępień (Jan 21)
Michal Zalewski
Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Michal Zalewski (Mar 17)
Michel Lind
Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Michel Lind (Jan 16)
mohammed gaming 222
WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality mohammed gaming 222 (Jan 20)
Moritz Mühlenhoff
Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Moritz Mühlenhoff (Jan 20)
Morten Linderud
Re: Re: Best practices for signature verifcation Morten Linderud (Jan 05)
Natalia Bidart
Django CVE-2026-25673 and CVE-2026-25674 Natalia Bidart (Mar 03)
Nicki Křížek
ISC has disclosed four vulnerabilities in BIND 9 (CVE-2026-1519, CVE-2026-3104, CVE-2026-3119, CVE-2026-3591) Nicki Křížek (Mar 25)
Olle E. Johansson
Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 23)
Re: Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 23)
Re: Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 25)
Ondrej Gajdusek
CVE-2026-1961: Foreman: Remote Code Execution via command injection in WebSocket proxy Ondrej Gajdusek (Mar 27)
Otto Moerbeek
PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor Otto Moerbeek (Feb 10)
Pat Gunn
Re: Re: Telnetd Vulnerability Report Pat Gunn (Mar 07)
Paul Ducklin
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Paul Ducklin (Jan 28)
Paul Eggert
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Paul Eggert (Mar 12)
Pedro Sampaio
Re: GnuPG security release Pedro Sampaio (Jan 27)
Peter Davies
ISC has disclosed one vulnerability in Kea (CVE-2026-3608) Peter Davies (Mar 25)
Peter Gutmann
Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann (Jan 23)
Re: Re: Best practices for signature verifcation Peter Gutmann (Jan 05)
Re: Re: Best practices for signature verifcation Peter Gutmann (Jan 02)
Re: Re: Best practices for signature verifcation Peter Gutmann (Jan 15)
Re: Re: Best practices for signature verifcation Peter Gutmann (Jan 05)
Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann (Jan 25)
Re: Buffer overflow in /bin/su from UNIX v4 Peter Gutmann (Mar 21)
Re: Buffer overflow in /bin/su from UNIX v4 Peter Gutmann (Jan 05)
piedcrow
CVE-2026-4851: remote-to-local code execution in GRID::Machine piedcrow (Mar 26)
Qingran Zhao
CVE-2026-24343: Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions Qingran Zhao (Feb 09)
Qualys Security Advisory
Re: Multiple vulnerabilities in AppArmor Qualys Security Advisory (Mar 27)
snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Qualys Security Advisory (Mar 17)
Multiple vulnerabilities in AppArmor Qualys Security Advisory (Mar 12)
Re: Multiple vulnerabilities in AppArmor Qualys Security Advisory (Mar 26)
Re: Multiple vulnerabilities in AppArmor Qualys Security Advisory (Mar 12)
Rahul Vats
CVE-2026-28563: Apache Airflow: DAG authorization bypass Rahul Vats (Mar 17)
CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization Rahul Vats (Mar 17)
CVE-2026-28779: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications Rahul Vats (Mar 17)
CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata Rahul Vats (Mar 17)
Remi Gacogne
PowerDNS Security Advisory 2026-02 for DNSdist: Multiple issues Remi Gacogne (Mar 31)
Rita Zhang
[kubernetes] CVE-2026-3864: CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server Rita Zhang (Mar 17)
Robert Davies
CVE-2026-31972: samtools <= 1.21 Use-after-free in mpileup leading to an invalid read Robert Davies (Mar 18)
CVE-2026-31970: HTSlib <= 1.23 heap buffer overflow in the BGZF index file reader Robert Davies (Mar 18)
CVE-2026-31973: samtools <= 1.23 NULL pointer dereference in cram-size Robert Davies (Mar 18)
HTSlib <= 1.23 Multiple vulnerabilities in the CRAM file reader Robert Davies (Mar 18)
Robert Rothenberg
CVE-2024-57854: Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator Robert Rothenberg (Mar 05)
Fwd: CVE-2026-5087: PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely Robert Rothenberg (Mar 31)
CVE-2025-40926: Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely Robert Rothenberg (Mar 05)
CVE-2025-40931: Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id Robert Rothenberg (Mar 05)
CVE-2025-15604: Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions Robert Rothenberg (Mar 28)
CVE-2024-14030: Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library Robert Rothenberg (Mar 31)
CVE-2026-3255: HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function Robert Rothenberg (Feb 27)
CVE-2024-14031: Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library Robert Rothenberg (Mar 31)
Fwd: CVE-2018-25160: HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend Robert Rothenberg (Feb 27)
CVE-2026-3257: UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library Robert Rothenberg (Mar 05)
CVE-2025-15618: Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key Robert Rothenberg (Mar 31)
CVE-2026-3256: HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids Robert Rothenberg (Mar 28)
CVE-2026-3381: Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib Robert Rothenberg (Mar 05)
Ron Ben Yizhak
Re: Telnetd Vulnerability Report Ron Ben Yizhak (Feb 24)
Russ Allbery
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery (Feb 19)
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery (Feb 19)
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery (Feb 19)
Ryan Skraba
CVE-2025-33042: Apache Avro Java SDK: Code injection on Java generated code Ryan Skraba (Feb 12)
Sage [They / Them] McTaggart
CVE-2024-31884 Ceph: Incorrect usage of certificate checking via Pybind Sage [They / Them] McTaggart (Jan 21)
Salvatore Bonaccorso
Re: CVE-2026-28372: Telnetd Vulnerability Report Salvatore Bonaccorso (Mar 07)
Re: GnuPG security release Salvatore Bonaccorso (Jan 27)
Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Salvatore Bonaccorso (Jan 15)
Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Salvatore Bonaccorso (Feb 17)
Re: CVE-2006-10002: XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes Salvatore Bonaccorso (Mar 22)
Sam Bull
Multiple vulnerabilities in aiohttp Sam Bull (Jan 05)
Sam James
On patch vs commit messages Sam James (Feb 06)
zlib security audit by 7asecurity Sam James (Feb 17)
Fwd: XZ Utils 5.8.3 and a security fix Sam James (Mar 31)
Re: CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage Sam James (Feb 17)
GnuPG security release Sam James (Jan 27)
Sandipan Roy
KVM shadow EPT stale rmap use-after-free Sandipan Roy (Mar 30)
SBA Research Security Advisory
[SBA-ADV-20251205-01] LibreChat 0.8.1-rc2 RAG API Authentication Bypass SBA Research Security Advisory (Mar 18)
Sebastian Pipping
Re: CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Sebastian Pipping (Jan 05)
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Sebastian Pipping (Jan 29)
libexpat 2.7.4 fixes CVE-2026-24515 and CVE-2026-25210 Sebastian Pipping (Jan 31)
libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) Sebastian Pipping (Mar 17)
Seth Arnold
CVE-2025-13350 for Ubuntu Linux kernel Seth Arnold (Mar 05)
Sevan Janiyan
Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 18)
Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 17)
Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 18)
Siddhesh Poyarekar
The GNU C Library security advisories update for 2026-01-16 Siddhesh Poyarekar (Jan 16)
The GNU C Library security advisory update for 2026-03-30 Siddhesh Poyarekar (Mar 30)
The GNU C Library security advisory update for 2026-03-11 Siddhesh Poyarekar (Mar 11)
Simon Josefsson
Re: Best practices for signature verification Simon Josefsson (Jan 01)
GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Simon Josefsson (Jan 20)
Re: zlib security audit by 7asecurity Simon Josefsson (Feb 17)
Soatok Dreamseeker
Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Soatok Dreamseeker (Jan 21)
Re: Best practices for signature verification Soatok Dreamseeker (Jan 02)
Re: Default IV & other issues in aes-js & pyaes modules, & strongMan VPN manager Soatok Dreamseeker (Feb 19)
Solar Designer
Re: Systemd vsock sshd Solar Designer (Feb 18)
Re: Foswiki 2.1.11 is released, fixes CVE-2026-2861 Solar Designer (Mar 15)
Re: Buffer overflow in /bin/su from UNIX v4 Solar Designer (Mar 21)
Re: Telnetd Vulnerability Report Solar Designer (Feb 24)
Re: FreeRDP fixes 12 CVEs in 3.22.0 release Solar Designer (Feb 09)
Re: Telnetd Vulnerability Report Solar Designer (Mar 08)
Re: Unsound Workshop at ECOOP 2026 Solar Designer (Feb 24)
Re: [ADVISORY] SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526) Solar Designer (Mar 27)
Re: Telnetd Vulnerability Report Solar Designer (Feb 23)
Re: Some telnet clients leak environment variables Solar Designer (Mar 14)
Re: OpenSSH GSSAPI keyex patch issue Solar Designer (Mar 18)
Re: Telnetd Vulnerability Report Solar Designer (Feb 25)
Re: Telnetd Vulnerability Report Solar Designer (Mar 07)
Re: OpenSSH GSSAPI keyex patch issue Solar Designer (Mar 14)
Re: CVE-2026-28372: Telnetd Vulnerability Report Solar Designer (Mar 06)
Re: Systemd vsock sshd Solar Designer (Jan 08)
Re: Telnetd Vulnerability Report Solar Designer (Mar 08)
10+ CVEs in GStreamer Solar Designer (Mar 15)
Fwd: [siren] [Security Advisory] Active Exploitation of Weak GitHub Actions Configurations Solar Designer (Mar 02)
Re: Vulnerability management and Open Source: FOSDEM BoF Solar Designer (Jan 24)
7 CVEs fixed in nginx Solar Designer (Mar 25)
MIT/Heimdal Kerberos credentials cache type FILE risks Solar Designer (Feb 18)
Re: Telnetd Vulnerability Report Solar Designer (Feb 23)
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer (Mar 12)
Re: KVM shadow EPT stale rmap use-after-free Solar Designer (Mar 30)
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer (Mar 12)
Steffen Nurpmeso
Re: Buffer overflow in /bin/su from UNIX v4 Steffen Nurpmeso (Mar 21)
Re: Telnetd Vulnerability Report Steffen Nurpmeso (Feb 25)
Re: Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes Steffen Nurpmeso (Jan 15)
Re: Telnetd Vulnerability Report Steffen Nurpmeso (Feb 25)
Re: zlib security audit by 7asecurity Steffen Nurpmeso (Feb 17)
Stephan Verbücheln
Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Jan 05)
Stig Palmquist
CVE-2026-4176: Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib Stig Palmquist (Mar 29)
Stuart Henderson
Re: Off-by-one heap buffer overflow in libuv Stuart Henderson (Mar 19)
Re: Some telnet clients leak environment variables Stuart Henderson (Mar 13)
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Stuart Henderson (Jan 23)
Szymon Janc
CVE-2025-53470: Apache NimBLE: Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driver Szymon Janc (Jan 08)
CVE-2025-52435: Apache NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller Szymon Janc (Jan 08)
CVE-2025-53477: Apache NimBLE: NULL Pointer Dereference in NimBLE host HCI layer Szymon Janc (Jan 08)
CVE-2025-62235: Apache NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing Szymon Janc (Jan 08)
Taavi Eomäe
Re: Re: Best practices for signature verification Taavi Eomäe (Jan 06)
Tabitha Sable
[kubernetes] CVE-2026-4342: ingress-nginx comment-based nginx configuration injection Tabitha Sable (Mar 19)
[kubernetes] Multiple issues in ingress-nginx Tabitha Sable (Feb 02)
[kubernetes] CVE-2026-3288: ingress-nginx rewrite-target nginx configuration injection Tabitha Sable (Mar 09)
Tianyu Chen
Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Tianyu Chen (Mar 31)
Tilman Hausherr
CVE-2026-23907: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Tilman Hausherr (Mar 10)
Timothy Legge
CVE-2026-30910: Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows Timothy Legge (Mar 07)
CVE-2006-10002: XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes Timothy Legge (Mar 19)
CVE-2026-4177: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter Timothy Legge (Mar 16)
CVE-2006-10003: XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack Timothy Legge (Mar 19)
CVE-2014-125112: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution Timothy Legge (Mar 25)
CVE-2026-30909: Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows Timothy Legge (Mar 07)
Tim Wadhwa-Brown (twadhwab)
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Tim Wadhwa-Brown (twadhwab) (Feb 22)
Tomas Mraz
OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Tomas Mraz (Jan 27)
OpenSSL Security Advisory Tomas Mraz (Mar 13)
OpenSSL Security Advisory Tomas Mraz (Jan 27)
Re: OpenSSL Security Advisory (updated text for CVE-2025-15467) Tomas Mraz (Feb 25)
Re: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Tomas Mraz (Jan 28)
Valtteri Vuorikoski
Re: Re: Best practices for signature verification Valtteri Vuorikoski (Jan 05)
CVE-2026-28431+more: Misskey/Sharkey "extremely severe" vulnerabilities Valtteri Vuorikoski (Mar 09)
CVE-2026-26079/CVE-2026-25916: Roundcube vulns prior to 1.5.13/1.6.13 Valtteri Vuorikoski (Feb 23)
Velmurugan Periasamy
CVE-2025-59059: Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator Velmurugan Periasamy (Mar 02)
CVE-2025-59060: Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient Velmurugan Periasamy (Mar 02)
Vincent Lefevre
Re: Telnetd Vulnerability Report Vincent Lefevre (Feb 24)
Re: Null Pointer Dereference in HarfBuzz Vincent Lefevre (Jan 12)
Re: Null Pointer Dereference in HarfBuzz Vincent Lefevre (Jan 13)
Werner Koch
GnuPG ticket T7900 (was: Many vulnerabilities in GnuPG) Werner Koch (Jan 05)
wish42offcl98
Re: Systemd vsock sshd wish42offcl98 (Jan 02)
Xen.org security team
Xen Security Advisory 480 v3 (CVE-2026-23554) - Use after free of paging structures in EPT Xen.org security team (Mar 17)
Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown Xen.org security team (Mar 24)
Xen Security Advisory 477 v2 (CVE-2025-58150) - x86: buffer overrun with shadow paging + tracing Xen.org security team (Jan 27)
Xen Security Advisory 479 v2 (CVE-2026-23553) - x86: incomplete IBPB for vCPU isolation Xen.org security team (Jan 27)
Xen Security Advisory 482 v3 (CVE-2026-31788) - Linux privcmd driver can circumvent kernel lockdown Xen.org security team (Mar 24)
Xen Security Advisory 478 v2 (CVE-2025-58151) - varstored: TOCTOU issues with mapped guest memory Xen.org security team (Jan 27)
Xen Security Advisory 481 v2 (CVE-2026-23555) - Xenstored DoS by unprivileged domain Xen.org security team (Mar 17)
Yogesh Mittal
Re: CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Yogesh Mittal (Mar 04)