oss-sec: by date
336 messages, starting Jan 01 26 and ending Mar 18 26
Thursday, 01 January
Re: Best practices for signature verifcation Simon Josefsson
Re: Re: Best practices for signature verifcation Ali Polatel
Re: Best practices for signature verifcation Clemens Lang
Friday, 02 January
Re: Systemd vsock sshd wish42offcl98
Re: Best practices for signature verifcation Soatok Dreamseeker
Re: Re: Best practices for signature verifcation Peter Gutmann
Re: Re: Best practices for signature verifcation Demi Marie Obenour
Re: Systemd vsock sshd Greg Dahlman
Re: Systemd vsock sshd Carlos Rodriguez-Fernandez
Saturday, 03 January
Re: Re: Best practices for signature verifcation Demi Marie Obenour
Re: Best practices for signature verifcation Demi Marie Obenour
Monday, 05 January
CVE-2025-66518: Apache Kyuubi: Unauthorized directory access due to missing path normalization Akira Ajisaka
Re: Re: Best practices for signature verifcation Peter Gutmann
Re: Many vulnerabilities in GnuPG Stephan Verbücheln
GnuPG ticket T7900 (was: Many vulnerabilities in GnuPG) Werner Koch
Re: Re: Best practices for signature verifcation Valtteri Vuorikoski
Re: Re: Best practices for signature verifcation Jeffrey Walton
CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Martin Desruisseaux
Re: Best practices for signature verifcation Clemens Lang
Re: Re: Best practices for signature verifcation Morten Linderud
Buffer overflow in /bin/su from UNIX v4 Alan Coopersmith
Re: CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Sebastian Pipping
Re: Best practices for signature verifcation Demi Marie Obenour
Re: Re: Best practices for signature verifcation Demi Marie Obenour
Multiple vulnerabilities in aiohttp Sam Bull
Re: Buffer overflow in /bin/su from UNIX v4 Peter Gutmann
Re: Re: Best practices for signature verifcation Peter Gutmann
Tuesday, 06 January
Re: Re: Best practices for signature verifcation Taavi Eomäe
Re: [External] : [oss-security] Buffer overflow in /bin/su from UNIX v4 Casper Dik
Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name Alan Coopersmith
wget2-2.2.1 released with security fixes Alan Coopersmith
[ADVISORY] curl CVE-2025-13034: No QUIC certificate pinning with GnuTLS Daniel Stenberg
[ADVISORY] curl CVE-2025-14017: broken TLS options for threaded LDAPS Daniel Stenberg
[ADVISORY] curl CVE-2025-14524: bearer token leak on cross-protocol redirect Daniel Stenberg
[ADVISORY] curl CVE-2025-14819: OpenSSL partial chain store policy bypass Daniel Stenberg
[ADVISORY] curl CVE-2025-15079: libssh global knownhost override Daniel Stenberg
Wednesday, 07 January
[ADVISORY] curl CVE-2025-15224: libssh key passphrase bypass without agent set Daniel Stenberg
TLP: Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859) Matthias Gerstner
Foomuuri: Lack of Client Authorization and Input Verification allow Control over Firewall Configuration (CVE-2025-67603, CVE-2025-67858) Matthias Gerstner
Thursday, 08 January
CVE-2025-52435: Apache NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller Szymon Janc
CVE-2025-53470: Apache NimBLE: Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driver Szymon Janc
CVE-2025-53477: Apache NimBLE: NULL Pointer Dereference in NimBLE host HCI layer Szymon Janc
CVE-2025-62235: Apache NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing Szymon Janc
Fwd: libtasn1-4.21.0 released [stable] - fixes CVE-2025-13151 Alan Coopersmith
Re: Systemd vsock sshd Solar Designer
Re: Systemd vsock sshd Greg Dahlman
Friday, 09 January
InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338) Matthias Gerstner
Net-SNMP snmptrapd vulnerability [CVE-2025-68615] Alan Coopersmith
Saturday, 10 January
The Curious Case of Stack Pivot Detection Ali Polatel
Null Pointer Dereference in HarfBuzz Alan Coopersmith
Sunday, 11 January
CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Lukasz Lenart
Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer
Monday, 12 January
Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Hanno Böck
Re: Null Pointer Dereference in HarfBuzz Jan Engelhardt
Re: Null Pointer Dereference in HarfBuzz Greg KH
Re: Null Pointer Dereference in HarfBuzz Vincent Lefevre
Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Loganaden Velvindron
libpng 1.6.54: two heap buffer over-read vulnerabilities fixed: CVE-2026-22695, CVE-2026-22801 Cosmin Truta
Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer
Tuesday, 13 January
NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann
Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer
Re: Null Pointer Dereference in HarfBuzz Vincent Lefevre
CVE-2025-66169: Apache Camel: Cypher injection vulnerability in Camel-Neo4j component Andrea Cosentino
Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Alan Coopersmith
Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann
Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer
Thursday, 15 January
[CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley
Re: The Curious Case of Stack Pivot Detection Adam Zabrocki
Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes Alan Coopersmith
Re: Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes Steffen Nurpmeso
CVE-2025-68438: Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated Ephraim Anierobi
CVE-2025-68675: Apache Airflow: proxy credentials for various providers might leak in task logs Ephraim Anierobi
Re: Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name Alan Coopersmith
Re: Re: Best practices for signature verifcation Peter Gutmann
Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Salvatore Bonaccorso
Friday, 16 January
Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley
CVE-2025-60021: Apache bRPC: Remote command injection vulnerability in heap builtin service Guangming Chen
The GNU C Library security advisories update for 2026-01-16 Siddhesh Poyarekar
The GNU C Library security advisories update for 2026-01-16 (part 2) Carlos O'Donell
Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Michel Lind
Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann
[OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) errata 1 Jeremy Stanley
Re: Re: Best practices for signature verifcation Jacob Bachmeyer
Saturday, 17 January
CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption Coia Prant
Re: CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption Coia Prant
Re: CVE-2025-8110 in Gogs self-hosted git service Chad Dougherty
Re: CVE-2025-8110 in Gogs self-hosted git service Collin Funk
Re: CVE-2025-8110 in Gogs self-hosted git service Michael Orlitzky
Tuesday, 20 January
WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality mohammed gaming 222
GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Simon Josefsson
The GNU C Library security advisories update for 2026-01-20 Carlos O'Donell
CVE-2026-22022: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin Jason Gerlowski
CVE-2026-22444: Apache Solr: Insufficient file-access checking in standalone core-creation requests Jason Gerlowski
Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Moritz Mühlenhoff
Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Alan Coopersmith
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Alexander Bochmann
Wednesday, 21 January
Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Hanno Böck
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Jakub Wilk
ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) Michał Kępień
Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Soatok Dreamseeker
Vulnerable tmpdir handling in pytest Michael Orlitzky
CVE-2024-31884 Ceph: Incorrect usage of certificate checking via Pybind Sage [They / Them] McTaggart
Thursday, 22 January
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Christian Fischer
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Demi Marie Obenour
Friday, 23 January
Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson
Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann
Re: Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson
CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Alan Coopersmith
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Stuart Henderson
Re: Vulnerability management and Open Source: FOSDEM BoF Brian Behlendorf
CVE-2025-27821: HDFS native client: Out of bounds write in URI parser of native HDFS client Chris Nauroth
8 CVEs in Cpython announced this week Alan Coopersmith
CVE-2026-24656: Apache Karaf: Decanter log-socket collector has deserialization vulnerability Jean-Baptiste Onofré
Saturday, 24 January
Re: Vulnerability management and Open Source: FOSDEM BoF Solar Designer
Sunday, 25 January
Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann
Re: Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson
Monday, 26 January
CVE-2016-15057: Apache Continuum: Command injection leading to RCE Arnout Engelen
Tuesday, 27 January
Xen Security Advisory 477 v2 (CVE-2025-58150) - x86: buffer overrun with shadow paging + tracing Xen . org security team
Xen Security Advisory 478 v2 (CVE-2025-58151) - varstored: TOCTOU issues with mapped guest memory Xen . org security team
Xen Security Advisory 479 v2 (CVE-2026-23553) - x86: incomplete IBPB for vCPU isolation Xen . org security team
Agno's PythonTools: Path traversal leads to sensitive information disclosure and potential RCE Ali Raza
OpenSSL Security Advisory Tomas Mraz
Clarification: rbash escape via history built-ins cyber security
OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Tomas Mraz
GnuPG security release Sam James
Re: GnuPG security release Pedro Sampaio
Re: GnuPG security release Jan Schaumann
Re: GnuPG security release Salvatore Bonaccorso
Wednesday, 28 January
Re: Clarification: rbash escape via history built-ins cyber security
Re: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Demi Marie Obenour
Re: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Tomas Mraz
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Paul Ducklin
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Alan Coopersmith
Thursday, 29 January
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Jakub Wilk
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Sebastian Pipping
Friday, 30 January
Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Jakub Wilk
Saturday, 31 January
libexpat 2.7.4 fixes CVE-2026-24515 and CVE-2026-25210 Sebastian Pipping
Security incident on plone GitHub org with force pushes Maurits van Rees
Monday, 02 February
CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login Francesco Chicchiriccò
CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters Francesco Chicchiriccò
[kubernetes] Multiple issues in ingress-nginx Tabitha Sable
Tuesday, 03 February
Django CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 Jacob Walls
Re: Systemd vsock sshd Bastian Blank
Wednesday, 04 February
CVE-2026-24735: Apache Answer: Revision API Improper Access Control leads to Information Disclosure Enxin Xie
NGINX < 1.29.5, 1.28.2 MitM injection CVE-2026-1642 Jan Schaumann
Thursday, 05 February
[vim-security] buffer overflow in helpfile option handling affects Vim <9.1.2132 Christian Brabandt
Friday, 06 February
On patch vs commit messages Sam James
Saturday, 07 February
Go 1.25.7 and Go 1.24.13 are released with 2 CVE fixes Alan Coopersmith
Sunday, 08 February
CVE-2026-23903: Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems Lenny Primak
CVE-2026-23901: Apache Shiro: Brute force attack possible to determine valid user names Lenny Primak
Monday, 09 February
Re: On patch vs commit messages Florian Weimer
CVE-2026-22922: Apache Airflow: Airflow externalLogUrl Permission Bypass Ephraim Anierobi
CVE-2026-24098: Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors Ephraim Anierobi
CVE-2026-24343: Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions Qingran Zhao
CVE-2026-23906: Apache Druid: Authentication Bypass via LDAP Anonymous Bind Karan Kumar
gnutls 3.8.12 fixes CVE-2026-1584 & CVE-2025-14831 Alan Coopersmith
libpng 1.6.55: Heap buffer overflow vulnerability fixed: CVE-2026-25646 Cosmin Truta
FreeRDP fixes 12 CVEs in 3.22.0 release Alan Coopersmith
Re: FreeRDP fixes 12 CVEs in 3.22.0 release Solar Designer
Tuesday, 10 February
PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor Otto Moerbeek
CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage Chris Dunlap
PyCA cryptography 46.0.5 released with fix for CVE-2026-26007 Alan Coopersmith
Wednesday, 11 February
Pillow 12.1.1 released with fix for CVE-2026-25990 Alan Coopersmith
Thursday, 12 February
CVE-2025-33042: Apache Avro Java SDK: Code injection on Java generated code Ryan Skraba
Friday, 13 February
CVE-2025-40905: WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions Alan Coopersmith
[vim-security] NetBeans specialKeys Stack Buffer Overflow with Vim <9.1.2148 Christian Brabandt
Monday, 16 February
CVE-2026-25903: Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates David Handermann
Tuesday, 17 February
[OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Jeremy Stanley
Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Salvatore Bonaccorso
Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Jeremy Stanley
CVE-2026-25087: Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering Antoine Pitrou
zlib security audit by 7asecurity Sam James
Re: CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage Sam James
[OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) errata 1 Jeremy Stanley
Re: zlib security audit by 7asecurity Simon Josefsson
Re: Re: zlib security audit by 7asecurity Jan Engelhardt
Re: Re: zlib security audit by 7asecurity Sevan Janiyan
Re: zlib security audit by 7asecurity Steffen Nurpmeso
Wednesday, 18 February
Multiple vulnerabilities in Jenkins Daniel Beck
Re: Re: zlib security audit by 7asecurity Sevan Janiyan
CVE-2026-25747: Apache Camel: Deserialization of Untrusted Data in Camel LevelDB Andrea Cosentino
CVE-2026-23552: Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Andrea Cosentino
Re: Re: zlib security audit by 7asecurity Sevan Janiyan
MIT/Heimdal Kerberos credentials cache type FILE risks Solar Designer
Re: Systemd vsock sshd Solar Designer
Thursday, 19 February
Default IV & other issues in aes-js & pyaes modules, & strongMan VPN manager Alan Coopersmith
Re: Default IV & other issues in aes-js & pyaes modules, & strongMan VPN manager Soatok Dreamseeker
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery
Friday, 20 February
OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure Joe Malcolm
Re: OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure Eli Schwartz
Sunday, 22 February
Re: MIT/Heimdal Kerberos credentials cache type FILE risks Tim Wadhwa-Brown (twadhwab)
Monday, 23 February
CVE-2026-26079/CVE-2026-25916: Roundcube vulns prior to 1.5.13/1.6.13 Valtteri Vuorikoski
CVE-2025-27555: Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli Jarek Potiuk
CVE-2024-56373: Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information Jarek Potiuk
Re: Telnetd Vulnerability Report Justin Swartz
Re: Telnetd Vulnerability Report Solar Designer
Re: Telnetd Vulnerability Report Solar Designer
Tuesday, 24 February
CVE-2026-23969: Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering Daniel Gaspar
CVE-2026-23980: Apache Superset: Improper Neutralization of Special Elements used in a SQL Command Daniel Gaspar
CVE-2026-23982: Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass Daniel Gaspar
CVE-2026-23983: Apache Superset: Sensitive Data Exposure via REST API (disabled by default) Daniel Gaspar
CVE-2026-23984: Apache Superset: SQLLab Read-Only Bypass on PostgreSQL Daniel Gaspar
Re: Telnetd Vulnerability Report Ron Ben Yizhak
Re: Re: Telnetd Vulnerability Report kf503bla
Re: Telnetd Vulnerability Report Solar Designer
Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM)
Unsound Workshop at ECOOP 2026 Jan Bessai
Re: Unsound Workshop at ECOOP 2026 Solar Designer
Re: Telnetd Vulnerability Report Vincent Lefevre
Re: Telnetd Vulnerability Report Eddie Chapman
Re: Telnetd Vulnerability Report Justin Swartz
Re: Telnetd Vulnerability Report Eddie Chapman
Wednesday, 25 February
Re: Re: Telnetd Vulnerability Report Marco Moock
Re: Telnetd Vulnerability Report kf503bla
Re: Telnetd Vulnerability Report Solar Designer
Re: OpenSSL Security Advisory (updated text for CVE-2025-15467) Tomas Mraz
Re: Telnetd Vulnerability Report Steffen Nurpmeso
Re: Telnetd Vulnerability Report Marco Moock
Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM)
Re: Telnetd Vulnerability Report Steffen Nurpmeso
CVE-2026-27900 - Sensitive Information Exposure in Debug Logs of Terraform Provider for Linode Liang, Zhiwei
Thursday, 26 February
Re: Re: Telnetd Vulnerability Report Florian Weimer
Re: Telnetd Vulnerability Report Albert Veli
Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM)
Re: Re: Telnetd Vulnerability Report Demi Marie Obenour
Friday, 27 February
CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover
OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Alan Coopersmith
Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Florian Weimer
[vim-security] OS Command Injection in netrw affects Vim < 9.2.0073 Christian Brabandt
[vim-security] Heap-based Buffer Overflow in Emacs tags parsing affects Vim < 9.2.0074 Christian Brabandt
[vim-security] Heap-based Buffer Underflow in Emacs tags parsing affects Vim < 9.2.0075 Christian Brabandt
[vim-security] Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076 Christian Brabandt
[vim-security] Multiple Vulnerabilities in Swap File Recovery affect Vim < 9.2.0077 Christian Brabandt
[vim-security] Stack-buffer-overflow in build_stl_str_hl() affects Vim < 9.2.0078 Christian Brabandt
CVE-2026-3255: HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function Robert Rothenberg
Fwd: CVE-2018-25160: HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend Robert Rothenberg
Sunday, 01 March
Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Demi Marie Obenour
Monday, 02 March
Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Florian Weimer
Exiv2 version 0.28.8 released with fixes for 3 low-severity CVEs Kevin Backhouse
CVE-2025-59060: Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient Velmurugan Periasamy
CVE-2025-59059: Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator Velmurugan Periasamy
Fwd: [siren] [Security Advisory] Active Exploitation of Weak GitHub Actions Configurations Solar Designer
Tuesday, 03 March
Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Demi Marie Obenour
Django CVE-2026-25673 and CVE-2026-25674 Natalia Bidart
CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Justin Bertram
CVE-2025-66168: Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated Christopher L. Shannon
[OSSA-2026-003] OpenStack Vitrage: Remote code execution through Vitrage query parser (CVE-2026-28370) Jeremy Stanley
Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338) Jan Schaumann
Announcing FreeType 2.14.2, fixes CVE-2026-23865 Alan Coopersmith
Wednesday, 04 March
Re: CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Yogesh Mittal
Thursday, 05 March
CVE-2024-57854: Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator Robert Rothenberg
CVE-2025-40926: Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely Robert Rothenberg
CVE-2025-40931: Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id Robert Rothenberg
CVE-2026-3257: UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library Robert Rothenberg
CVE-2026-3381: Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib Robert Rothenberg
Fwd: [CVE-2026-2297] SourcelessFileLoader does not use io.open_code() Alan Coopersmith
CVE-2025-13350 for Ubuntu Linux kernel Seth Arnold
Go 1.26.1 and Go 1.25.8 are released with 5 CVE fixes Alan Coopersmith
Friday, 06 March
Re: CVE-2026-28372: Telnetd Vulnerability Report Solar Designer
Re: CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover
CVE-2025-69534 in Python-Markdown Alan Coopersmith
Saturday, 07 March
Re: CVE-2026-28372: Telnetd Vulnerability Report Salvatore Bonaccorso
Re: CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover
Re: Telnetd Vulnerability Report Justin Swartz
CVE-2026-24281: Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager Andor Molnar
CVE-2026-24308: Apache ZooKeeper: Sensitive information disclosure in client configuration handling Andor Molnar
CVE-2026-30909: Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows Timothy Legge
CVE-2026-30910: Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows Timothy Legge
Re: Telnetd Vulnerability Report Solar Designer
Re: Telnetd Vulnerability Report Justin Swartz
Re: Re: Telnetd Vulnerability Report Pat Gunn
Re: Telnetd Vulnerability Report Justin Swartz
Sunday, 08 March
Re: Telnetd Vulnerability Report Solar Designer
AWStats awdownloadcsv.pl command injection and path traversal vulnerabilities christopher.downs
Re: AWStats awdownloadcsv.pl command injection and path traversal vulnerabilities Hanno Böck
Re: Telnetd Vulnerability Report Justin Swartz
Re: Telnetd Vulnerability Report Solar Designer
CVE-2025-69219: Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator Jarek Potiuk
CVE-2025-55017: Apache IoTDB: Path Traversal Vulnerability Haonan Hou
CVE-2025-64152: Apache IoTDB: Path Traversal Vulnerability Haonan Hou
CVE-2026-24713: Apache IoTDB: JEXL Expression Injection Vulnerability Haonan Hou
CVE-2026-24015: Apache IoTDB: Insecure Default Configuration Vulnerability Haonan Hou
Monday, 09 March
CVE-2026-25604: Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass Jarek Potiuk
CVE-2026-28431+more: Misskey/Sharkey "extremely severe" vulnerabilities Valtteri Vuorikoski
[kubernetes] CVE-2026-3288: ingress-nginx rewrite-target nginx configuration injection Tabitha Sable
Tuesday, 10 March
CVE-2026-23907: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Tilman Hausherr
[ADVISORY] curl: CVE-2026-1965: bad reuse of HTTP Negotiate connection Daniel Stenberg
[ADVISORY] curl: CVE-2026-3783: token leak with redirect and netrc Daniel Stenberg
Wednesday, 11 March
[ADVISORY] curl: CVE-2026-3784: wrong proxy connection reuse with credentials Daniel Stenberg
[ADVISORY] curl: CVE-2026-3805: use after free in SMB connection reuse Daniel Stenberg
The GNU C Library security advisory update for 2026-03-11 Siddhesh Poyarekar
[vim-security] NFA regex engine NULL pointer dereference affects Vim < 9.2.0137 Christian Brabandt
Thursday, 12 March
CVE-2025-60012: Apache Livy: Restrict file access György Gál
CVE-2025-66249: Apache Livy: Unauthorized directory access György Gál
OpenSSH GSSAPI keyex patch issue Marc Deslauriers
Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Justin Swartz
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer
Multiple vulnerabilities in AppArmor Qualys Security Advisory
Re: Multiple vulnerabilities in AppArmor Qualys Security Advisory
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Paul Eggert
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer
Friday, 13 March
Some telnet clients leak environment variables Justin Swartz
Re: Some telnet clients leak environment variables Stuart Henderson
OpenSSL Security Advisory Tomas Mraz
CVE-2025-54920: Apache Spark: Spark History Server Code Execution Vulnerability Holden Karau
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk
Saturday, 14 March
Re: Some telnet clients leak environment variables Solar Designer
Re: OpenSSH GSSAPI keyex patch issue Solar Designer
Re: OpenSSH GSSAPI keyex patch issue Dmitry Belyavskiy
Sunday, 15 March
Foswiki 2.1.11 is released, fixes CVE-2026-2861 Michael Daum
Re: Foswiki 2.1.11 is released, fixes CVE-2026-2861 Solar Designer
10+ CVEs in GStreamer Solar Designer
Monday, 16 March
Re: Foswiki 2.1.11 is released, fixes CVE-2026-2861 Michael Daum
[CVE-2026-4224] CPython Stack overflow parsing XML with deeply nested DTD content models Alan Coopersmith
[oss-security][CVE-2026-3644] CPython Incomplete control character validation in http.cookies Alan Coopersmith
CVE-2026-4177: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter Timothy Legge
Tuesday, 17 March
[kubernetes] CVE-2026-3864: CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server Rita Zhang
CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization Rahul Vats
CVE-2026-28779: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications Rahul Vats
CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata Rahul Vats
CVE-2026-28563: Apache Airflow: DAG authorization bypass Rahul Vats
Xen Security Advisory 480 v3 (CVE-2026-23554) - Use after free of paging structures in EPT Xen . org security team
Xen Security Advisory 481 v2 (CVE-2026-23555) - Xenstored DoS by unprivileged domain Xen . org security team
snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Qualys Security Advisory
Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Michal Zalewski
libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) Sebastian Pipping
Re: libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) Alan Coopersmith
Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Michael Orlitzky
Wednesday, 18 March
Re: OpenSSH GSSAPI keyex patch issue Dmitry Belyavskiy
[SBA-ADV-20251205-01] LibreChat 0.8.1-rc2 RAG API Authentication Bypass SBA Research Security Advisory
