oss-sec: by thread
128 messages starting Jan 01 26 and ending Jan 27 26
- Re: Best practices for signature verification Simon Josefsson (Jan 01)
- Re: Re: Best practices for signature verification Peter Gutmann (Jan 02)
- Re: Re: Best practices for signature verification Demi Marie Obenour (Jan 03)
- Re: Re: Best practices for signature verification Peter Gutmann (Jan 05)
- Re: Re: Best practices for signature verification Valtteri Vuorikoski (Jan 05)
- Re: Re: Best practices for signature verification Jeffrey Walton (Jan 05)
- Re: Re: Best practices for signature verification Morten Linderud (Jan 05)
- Re: Re: Best practices for signature verification Peter Gutmann (Jan 05)
- Re: Re: Best practices for signature verification Demi Marie Obenour (Jan 05)
- Re: Re: Best practices for signature verification Peter Gutmann (Jan 15)
- Re: Re: Best practices for signature verification Jacob Bachmeyer (Jan 16)
- Re: Re: Best practices for signature verification Taavi Eomäe (Jan 06)
- Re: Re: Best practices for signature verification Demi Marie Obenour (Jan 03)
- Re: Re: Best practices for signature verification Demi Marie Obenour (Jan 02)
- <Possible follow-ups>
- Re: Re: Best practices for signature verification Ali Polatel (Jan 01)
- Re: Best practices for signature verification Clemens Lang (Jan 01)
- Re: Best practices for signature verification Soatok Dreamseeker (Jan 02)
- Re: Best practices for signature verification Demi Marie Obenour (Jan 03)
- Re: Best practices for signature verification Clemens Lang (Jan 05)
- Re: Best practices for signature verification Demi Marie Obenour (Jan 05)
- Re: Re: Best practices for signature verification Peter Gutmann (Jan 02)
- Re: Systemd vsock sshd wish42offcl98 (Jan 02)
- Re: Systemd vsock sshd Greg Dahlman (Jan 02)
- Re: Systemd vsock sshd Carlos Rodriguez-Fernandez (Jan 02)
- <Possible follow-ups>
- Re: Systemd vsock sshd Solar Designer (Jan 08)
- Re: Systemd vsock sshd Greg Dahlman (Jan 08)
- Re: Systemd vsock sshd Greg Dahlman (Jan 02)
- CVE-2025-66518: Apache Kyuubi: Unauthorized directory access due to missing path normalization Akira Ajisaka (Jan 05)
- Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Jan 05)
- GnuPG ticket T7900 (was: Many vulnerabilities in GnuPG) Werner Koch (Jan 05)
- CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Martin Desruisseaux (Jan 05)
- Re: CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Sebastian Pipping (Jan 05)
- Buffer overflow in /bin/su from UNIX v4 Alan Coopersmith (Jan 05)
- Re: Buffer overflow in /bin/su from UNIX v4 Peter Gutmann (Jan 05)
- Re: [External] : [oss-security] Buffer overflow in /bin/su from UNIX v4 Casper Dik (Jan 06)
- Multiple vulnerabilities in aiohttp Sam Bull (Jan 05)
- Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name Alan Coopersmith (Jan 06)
- wget2-2.2.1 released with security fixes Alan Coopersmith (Jan 06)
- [ADVISORY] curl CVE-2025-13034: No QUIC certificate pinning with GnuTLS Daniel Stenberg (Jan 06)
- [ADVISORY] curl CVE-2025-14017: broken TLS options for threaded LDAPS Daniel Stenberg (Jan 06)
- [ADVISORY] curl CVE-2025-14524: bearer token leak on cross-protocol redirect Daniel Stenberg (Jan 06)
- [ADVISORY] curl CVE-2025-14819: OpenSSL partial chain store policy bypass Daniel Stenberg (Jan 06)
- [ADVISORY] curl CVE-2025-15079: libssh global knownhost override Daniel Stenberg (Jan 06)
- [ADVISORY] curl CVE-2025-15224: libssh key passphrase bypass without agent set Daniel Stenberg (Jan 07)
- TLP: Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859) Matthias Gerstner (Jan 07)
- Foomuuri: Lack of Client Authorization and Input Verification allow Control over Firewall Configuration (CVE-2025-67603, CVE-2025-67858) Matthias Gerstner (Jan 07)
- CVE-2025-52435: Apache NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller Szymon Janc (Jan 08)
- CVE-2025-53470: Apache NimBLE: Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driver Szymon Janc (Jan 08)
- CVE-2025-53477: Apache NimBLE: NULL Pointer Dereference in NimBLE host HCI layer Szymon Janc (Jan 08)
- CVE-2025-62235: Apache NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing Szymon Janc (Jan 08)
- Fwd: libtasn1-4.21.0 released [stable] - fixes CVE-2025-13151 Alan Coopersmith (Jan 08)
- InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338) Matthias Gerstner (Jan 09)
- Net-SNMP snmptrapd vulnerability [CVE-2025-68615] Alan Coopersmith (Jan 09)
- The Curious Case of Stack Pivot Detection Ali Polatel (Jan 10)
- Re: The Curious Case of Stack Pivot Detection Adam Zabrocki (Jan 15)
- Null Pointer Dereference in HarfBuzz Alan Coopersmith (Jan 10)
- Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 11)
- Re: Null Pointer Dereference in HarfBuzz Jan Engelhardt (Jan 12)
- Re: Null Pointer Dereference in HarfBuzz Greg KH (Jan 12)
- Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 13)
- Re: Null Pointer Dereference in HarfBuzz Vincent Lefevre (Jan 12)
- Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 12)
- Re: Null Pointer Dereference in HarfBuzz Vincent Lefevre (Jan 13)
- Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 13)
- Re: Null Pointer Dereference in HarfBuzz Jan Engelhardt (Jan 12)
- Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 11)
- CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Lukasz Lenart (Jan 11)
- Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Hanno Böck (Jan 12)
- Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Loganaden Velvindron (Jan 12)
- Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Hanno Böck (Jan 12)
- libpng 1.6.54: two heap buffer over-read vulnerabilities fixed: CVE-2026-22695, CVE-2026-22801 Cosmin Truta (Jan 12)
- NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 13)
- Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Alan Coopersmith (Jan 13)
- Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 13)
- Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Michel Lind (Jan 16)
- Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 16)
- Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 13)
- Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Alan Coopersmith (Jan 13)
- CVE-2025-66169: Apache Camel: Cypher injection vulnerability in Camel-Neo4j component Andrea Cosentino (Jan 13)
- [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 15)
- Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Salvatore Bonaccorso (Jan 15)
- [OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) errata 1 Jeremy Stanley (Jan 16)
- Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes Alan Coopersmith (Jan 15)
- Re: Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes Steffen Nurpmeso (Jan 15)
- CVE-2025-68438: Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated Ephraim Anierobi (Jan 15)
- CVE-2025-68675: Apache Airflow: proxy credentials for various providers might leak in task logs Ephraim Anierobi (Jan 15)
- CVE-2025-60021: Apache bRPC: Remote command injection vulnerability in heap builtin service Guangming Chen (Jan 16)
- The GNU C Library security advisories update for 2026-01-16 Siddhesh Poyarekar (Jan 16)
- The GNU C Library security advisories update for 2026-01-16 (part 2) Carlos O'Donell (Jan 16)
- CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption Coia Prant (Jan 17)
- Re: CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption Coia Prant (Jan 17)
- Re: CVE-2025-8110 in Gogs self-hosted git service Chad Dougherty (Jan 17)
- Re: CVE-2025-8110 in Gogs self-hosted git service Collin Funk (Jan 17)
- Re: CVE-2025-8110 in Gogs self-hosted git service Michael Orlitzky (Jan 17)
- Re: CVE-2025-8110 in Gogs self-hosted git service Collin Funk (Jan 17)
- WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality mohammed gaming 222 (Jan 20)
- Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Moritz Mühlenhoff (Jan 20)
- Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Hanno Böck (Jan 21)
- Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Soatok Dreamseeker (Jan 21)
- Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Hanno Böck (Jan 21)
- Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Alan Coopersmith (Jan 20)
- Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Moritz Mühlenhoff (Jan 20)
- GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Simon Josefsson (Jan 20)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Alexander Bochmann (Jan 20)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Jakub Wilk (Jan 21)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Christian Fischer (Jan 22)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Demi Marie Obenour (Jan 22)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Alexander Bochmann (Jan 20)
- The GNU C Library security advisories update for 2026-01-20 Carlos O'Donell (Jan 20)
- CVE-2026-22022: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin Jason Gerlowski (Jan 20)
- CVE-2026-22444: Apache Solr: Insufficient file-access checking in standalone core-creation requests Jason Gerlowski (Jan 20)
- ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) Michał Kępień (Jan 21)
- Vulnerable tmpdir handling in pytest Michael Orlitzky (Jan 21)
- CVE-2024-31884 Ceph: Incorrect usage of certificate checking via Pybind Sage [They / Them] McTaggart (Jan 21)
- Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 23)
- Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann (Jan 23)
- Re: Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 23)
- Re: Vulnerability management and Open Source: FOSDEM BoF Brian Behlendorf (Jan 23)
- Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann (Jan 25)
- Re: Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 25)
- Re: Vulnerability management and Open Source: FOSDEM BoF Solar Designer (Jan 24)
- Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann (Jan 23)
- CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Alan Coopersmith (Jan 23)
- Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Stuart Henderson (Jan 23)
- CVE-2025-27821: HDFS native client: Out of bounds write in URI parser of native HDFS client Chris Nauroth (Jan 23)
- 8 CVEs in CPython announced this week Alan Coopersmith (Jan 23)
- CVE-2026-24656: Apache Karaf: Decanter log-socket collector has deserialization vulnerability Jean-Baptiste Onofré (Jan 23)
- CVE-2016-15057: Apache Continuum: Command injection leading to RCE Arnout Engelen (Jan 26)
- Xen Security Advisory 477 v2 (CVE-2025-58150) - x86: buffer overrun with shadow paging + tracing Xen.org security team (Jan 27)
- Xen Security Advisory 478 v2 (CVE-2025-58151) - varstored: TOCTOU issues with mapped guest memory Xen.org security team (Jan 27)
- Xen Security Advisory 479 v2 (CVE-2026-23553) - x86: incomplete IBPB for vCPU isolation Xen.org security team (Jan 27)
- Agno's PythonTools: Path traversal leads to sensitive information disclosure and potential RCE Ali Raza (Jan 27)
- OpenSSL Security Advisory Tomas Mraz (Jan 27)
- Clarification: rbash escape via history built-ins cyber security (Jan 27)
- OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Tomas Mraz (Jan 27)
- GnuPG security release Sam James (Jan 27)
- Re: GnuPG security release Pedro Sampaio (Jan 27)
- Re: GnuPG security release Jan Schaumann (Jan 27)
- Re: GnuPG security release Salvatore Bonaccorso (Jan 27)
