oss-sec: by thread

• RSS Feed
• About List
• All Lists

Previous period

Next period

336 messages starting Jan 01 26 and ending Mar 18 26
Date index | Thread index | Author index

• Re: Best practices for signature verifcation Simon Josefsson (Jan 01)
  • Re: Re: Best practices for signature verifcation Peter Gutmann (Jan 02)
    • Re: Re: Best practices for signature verifcation Demi Marie Obenour (Jan 03)
      • Re: Re: Best practices for signature verifcation Peter Gutmann (Jan 05)
      • Re: Re: Best practices for signature verifcation Valtteri Vuorikoski (Jan 05)
      • Re: Re: Best practices for signature verifcation Jeffrey Walton (Jan 05)
      • Re: Re: Best practices for signature verifcation Morten Linderud (Jan 05)
      • Re: Re: Best practices for signature verifcation Peter Gutmann (Jan 05)
      • Re: Re: Best practices for signature verifcation Demi Marie Obenour (Jan 05)
      • Re: Re: Best practices for signature verifcation Peter Gutmann (Jan 15)
      • Re: Re: Best practices for signature verifcation Jacob Bachmeyer (Jan 16)
      • Re: Re: Best practices for signature verifcation Taavi Eomäe (Jan 06)
  • Re: Re: Best practices for signature verifcation Demi Marie Obenour (Jan 02)
  • <Possible follow-ups>
  • Re: Re: Best practices for signature verifcation Ali Polatel (Jan 01)
  • Re: Best practices for signature verifcation Clemens Lang (Jan 01)
    • Re: Best practices for signature verifcation Soatok Dreamseeker (Jan 02)
    • Re: Best practices for signature verifcation Demi Marie Obenour (Jan 03)
      • Re: Best practices for signature verifcation Clemens Lang (Jan 05)
      • Re: Best practices for signature verifcation Demi Marie Obenour (Jan 05)
• Re: Systemd vsock sshd wish42offcl98 (Jan 02)
  • Re: Systemd vsock sshd Greg Dahlman (Jan 02)
    • Re: Systemd vsock sshd Carlos Rodriguez-Fernandez (Jan 02)
  • <Possible follow-ups>
  • Re: Systemd vsock sshd Solar Designer (Jan 08)
    • Re: Systemd vsock sshd Greg Dahlman (Jan 08)
  • Re: Systemd vsock sshd Bastian Blank (Feb 03)
    • Re: Systemd vsock sshd Solar Designer (Feb 18)
• CVE-2025-66518: Apache Kyuubi: Unauthorized directory access due to missing path normalization Akira Ajisaka (Jan 05)
• Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Jan 05)
• GnuPG ticket T7900 (was: Many vulnerabilities in GnuPG) Werner Koch (Jan 05)
• CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Martin Desruisseaux (Jan 05)
  • Re: CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Sebastian Pipping (Jan 05)
• Buffer overflow in /bin/su from UNIX v4 Alan Coopersmith (Jan 05)
  • Re: Buffer overflow in /bin/su from UNIX v4 Peter Gutmann (Jan 05)
  • Re: [External] : [oss-security] Buffer overflow in /bin/su from UNIX v4 Casper Dik (Jan 06)
• Multiple vulnerabilities in aiohttp Sam Bull (Jan 05)
• Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name Alan Coopersmith (Jan 06)
  • Re: Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name Alan Coopersmith (Jan 15)
• wget2-2.2.1 released with security fixes Alan Coopersmith (Jan 06)
• [ADVISORY] curl CVE-2025-13034: No QUIC certificate pinning with GnuTLS Daniel Stenberg (Jan 06)
• [ADVISORY] curl CVE-2025-14017: broken TLS options for threaded LDAPS Daniel Stenberg (Jan 06)
• [ADVISORY] curl CVE-2025-14524: bearer token leak on cross-protocol redirect Daniel Stenberg (Jan 06)
• [ADVISORY] curl CVE-2025-14819: OpenSSL partial chain store policy bypass Daniel Stenberg (Jan 06)
• [ADVISORY] curl CVE-2025-15079: libssh global knownhost override Daniel Stenberg (Jan 06)
• [ADVISORY] curl CVE-2025-15224: libssh key passphrase bypass without agent set Daniel Stenberg (Jan 07)
• TLP: Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859) Matthias Gerstner (Jan 07)
• Foomuuri: Lack of Client Authorization and Input Verification allow Control over Firewall Configuration (CVE-2025-67603, CVE-2025-67858) Matthias Gerstner (Jan 07)
• CVE-2025-52435: Apache NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller Szymon Janc (Jan 08)
• CVE-2025-53470: Apache NimBLE: Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driver Szymon Janc (Jan 08)
• CVE-2025-53477: Apache NimBLE: NULL Pointer Dereference in NimBLE host HCI layer Szymon Janc (Jan 08)
• CVE-2025-62235: Apache NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing Szymon Janc (Jan 08)
• Fwd: libtasn1-4.21.0 released [stable] - fixes CVE-2025-13151 Alan Coopersmith (Jan 08)
• InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338) Matthias Gerstner (Jan 09)
• Net-SNMP snmptrapd vulnerability [CVE-2025-68615] Alan Coopersmith (Jan 09)
• The Curious Case of Stack Pivot Detection Ali Polatel (Jan 10)
  • Re: The Curious Case of Stack Pivot Detection Adam Zabrocki (Jan 15)
• Null Pointer Dereference in HarfBuzz Alan Coopersmith (Jan 10)
  • Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 11)
    • Re: Null Pointer Dereference in HarfBuzz Jan Engelhardt (Jan 12)
      • Re: Null Pointer Dereference in HarfBuzz Greg KH (Jan 12)
      • Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 13)
    • Re: Null Pointer Dereference in HarfBuzz Vincent Lefevre (Jan 12)
      • Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 12)
      • Re: Null Pointer Dereference in HarfBuzz Vincent Lefevre (Jan 13)
      • Re: Null Pointer Dereference in HarfBuzz Jacob Bachmeyer (Jan 13)
• CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Lukasz Lenart (Jan 11)
  • Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Hanno Böck (Jan 12)
    • Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Loganaden Velvindron (Jan 12)
• libpng 1.6.54: two heap buffer over-read vulnerabilities fixed: CVE-2026-22695, CVE-2026-22801 Cosmin Truta (Jan 12)
• NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 13)
  • Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Alan Coopersmith (Jan 13)
    • Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 13)
      • Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Michel Lind (Jan 16)
      • Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) Jan Schaumann (Jan 16)
• CVE-2025-66169: Apache Camel: Cypher injection vulnerability in Camel-Neo4j component Andrea Cosentino (Jan 13)
• [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 15)
  • Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Salvatore Bonaccorso (Jan 15)
    • Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 16)
  • [OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) errata 1 Jeremy Stanley (Jan 16)
• Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes Alan Coopersmith (Jan 15)
  • Re: Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes Steffen Nurpmeso (Jan 15)
• CVE-2025-68438: Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated Ephraim Anierobi (Jan 15)
• CVE-2025-68675: Apache Airflow: proxy credentials for various providers might leak in task logs Ephraim Anierobi (Jan 15)
• CVE-2025-60021: Apache bRPC: Remote command injection vulnerability in heap builtin service Guangming Chen (Jan 16)
• The GNU C Library security advisories update for 2026-01-16 Siddhesh Poyarekar (Jan 16)
• The GNU C Library security advisories update for 2026-01-16 (part 2) Carlos O'Donell (Jan 16)
• CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption Coia Prant (Jan 17)
  • Re: CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption Coia Prant (Jan 17)
• Re: CVE-2025-8110 in Gogs self-hosted git service Chad Dougherty (Jan 17)
  • Re: CVE-2025-8110 in Gogs self-hosted git service Collin Funk (Jan 17)
    • Re: CVE-2025-8110 in Gogs self-hosted git service Michael Orlitzky (Jan 17)
• WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality mohammed gaming 222 (Jan 20)
  • Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Moritz Mühlenhoff (Jan 20)
    • Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Hanno Böck (Jan 21)
      • Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Soatok Dreamseeker (Jan 21)
  • Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality Alan Coopersmith (Jan 20)
• GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Simon Josefsson (Jan 20)
  • Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Alexander Bochmann (Jan 20)
    • Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Jakub Wilk (Jan 21)
  • Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Christian Fischer (Jan 22)
  • Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Demi Marie Obenour (Jan 22)
  • <Possible follow-ups>
  • Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Paul Ducklin (Jan 28)
• The GNU C Library security advisories update for 2026-01-20 Carlos O'Donell (Jan 20)
• CVE-2026-22022: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin Jason Gerlowski (Jan 20)
• CVE-2026-22444: Apache Solr: Insufficient file-access checking in standalone core-creation requests Jason Gerlowski (Jan 20)
• ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) Michał Kępień (Jan 21)
• Vulnerable tmpdir handling in pytest Michael Orlitzky (Jan 21)
• CVE-2024-31884 Ceph: Incorrect usage of certificate checking via Pybind Sage [They / Them] McTaggart (Jan 21)
• Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 23)
  • Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann (Jan 23)
    • Re: Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 23)
    • Re: Vulnerability management and Open Source: FOSDEM BoF Brian Behlendorf (Jan 23)
      • Re: Vulnerability management and Open Source: FOSDEM BoF Peter Gutmann (Jan 25)
      • Re: Vulnerability management and Open Source: FOSDEM BoF Olle E. Johansson (Jan 25)
    • Re: Vulnerability management and Open Source: FOSDEM BoF Solar Designer (Jan 24)
• CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Alan Coopersmith (Jan 23)
  • Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Stuart Henderson (Jan 23)
  • Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Alan Coopersmith (Jan 28)
    • Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Jakub Wilk (Jan 29)
      • Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Sebastian Pipping (Jan 29)
  • Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter Jakub Wilk (Jan 30)
• CVE-2025-27821: HDFS native client: Out of bounds write in URI parser of native HDFS client Chris Nauroth (Jan 23)
• 8 CVEs in Cpython announced this week Alan Coopersmith (Jan 23)
• CVE-2026-24656: Apache Karaf: Decanter log-socket collector has deserialization vulnerability Jean-Baptiste Onofré (Jan 23)
• CVE-2016-15057: Apache Continuum: Command injection leading to RCE Arnout Engelen (Jan 26)
• Xen Security Advisory 477 v2 (CVE-2025-58150) - x86: buffer overrun with shadow paging + tracing Xen . org security team (Jan 27)
• Xen Security Advisory 478 v2 (CVE-2025-58151) - varstored: TOCTOU issues with mapped guest memory Xen . org security team (Jan 27)
• Xen Security Advisory 479 v2 (CVE-2026-23553) - x86: incomplete IBPB for vCPU isolation Xen . org security team (Jan 27)
• Agno's PythonTools: Path traversal leads to sensitive information disclosure and potential RCE Ali Raza (Jan 27)
• OpenSSL Security Advisory Tomas Mraz (Jan 27)
  • <Possible follow-ups>
  • OpenSSL Security Advisory Tomas Mraz (Mar 13)
• Clarification: rbash escape via history built-ins cyber security (Jan 27)
  • Re: Clarification: rbash escape via history built-ins cyber security (Jan 28)
• OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Tomas Mraz (Jan 27)
  • Re: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Demi Marie Obenour (Jan 28)
    • Re: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) Tomas Mraz (Jan 28)
  • Re: OpenSSL Security Advisory (updated text for CVE-2025-15467) Tomas Mraz (Feb 25)
• GnuPG security release Sam James (Jan 27)
  • Re: GnuPG security release Pedro Sampaio (Jan 27)
  • Re: GnuPG security release Jan Schaumann (Jan 27)
  • Re: GnuPG security release Salvatore Bonaccorso (Jan 27)
• libexpat 2.7.4 fixes CVE-2026-24515 and CVE-2026-25210 Sebastian Pipping (Jan 31)
• Security incident on plone GitHub org with force pushes Maurits van Rees (Jan 31)
• CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login Francesco Chicchiriccò (Feb 02)
• CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters Francesco Chicchiriccò (Feb 02)
• [kubernetes] Multiple issues in ingress-nginx Tabitha Sable (Feb 02)
• Django CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 Jacob Walls (Feb 03)
• CVE-2026-24735: Apache Answer: Revision API Improper Access Control leads to Information Disclosure Enxin Xie (Feb 04)
• NGINX < 1.29.5, 1.28.2 MitM injection CVE-2026-1642 Jan Schaumann (Feb 04)
• [vim-security] buffer overflow in helpfile option handling affects Vim <9.1.2132 Christian Brabandt (Feb 05)
• On patch vs commit messages Sam James (Feb 06)
  • Re: On patch vs commit messages Florian Weimer (Feb 09)
• Go 1.25.7 and Go 1.24.13 are released with 2 CVE fixes Alan Coopersmith (Feb 07)
• CVE-2026-23903: Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems Lenny Primak (Feb 08)
• CVE-2026-23901: Apache Shiro: Brute force attack possible to determine valid user names Lenny Primak (Feb 08)
• CVE-2026-22922: Apache Airflow: Airflow externalLogUrl Permission Bypass Ephraim Anierobi (Feb 09)
• CVE-2026-24098: Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors Ephraim Anierobi (Feb 09)
• CVE-2026-24343: Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions Qingran Zhao (Feb 09)
• CVE-2026-23906: Apache Druid: Authentication Bypass via LDAP Anonymous Bind Karan Kumar (Feb 09)
• gnutls 3.8.12 fixes CVE-2026-1584 & CVE-2025-14831 Alan Coopersmith (Feb 09)
• libpng 1.6.55: Heap buffer overflow vulnerability fixed: CVE-2026-25646 Cosmin Truta (Feb 09)
• FreeRDP fixes 12 CVEs in 3.22.0 release Alan Coopersmith (Feb 09)
  • Re: FreeRDP fixes 12 CVEs in 3.22.0 release Solar Designer (Feb 09)
• PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor Otto Moerbeek (Feb 10)
• CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage Chris Dunlap (Feb 10)
  • Re: CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage Sam James (Feb 17)
• PyCA cryptography 46.0.5 released with fix for CVE-2026-26007 Alan Coopersmith (Feb 10)
• Pillow 12.1.1 released with fix for CVE-2026-25990 Alan Coopersmith (Feb 11)
• CVE-2025-33042: Apache Avro Java SDK: Code injection on Java generated code Ryan Skraba (Feb 12)
• CVE-2025-40905: WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions Alan Coopersmith (Feb 13)
• [vim-security] NetBeans specialKeys Stack Buffer Overflow with Vim <9.1.2148 Christian Brabandt (Feb 13)
• CVE-2026-25903: Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates David Handermann (Feb 16)
• [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Jeremy Stanley (Feb 17)
  • Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Salvatore Bonaccorso (Feb 17)
    • Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) Jeremy Stanley (Feb 17)
      • [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) errata 1 Jeremy Stanley (Feb 17)
• CVE-2026-25087: Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering Antoine Pitrou (Feb 17)
• zlib security audit by 7asecurity Sam James (Feb 17)
  • Re: zlib security audit by 7asecurity Simon Josefsson (Feb 17)
    • Re: Re: zlib security audit by 7asecurity Jan Engelhardt (Feb 17)
      • Re: zlib security audit by 7asecurity Steffen Nurpmeso (Feb 17)
    • Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 17)
      • Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 18)
      • Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 18)
• Multiple vulnerabilities in Jenkins Daniel Beck (Feb 18)
• CVE-2026-25747: Apache Camel: Deserialization of Untrusted Data in Camel LevelDB Andrea Cosentino (Feb 18)
• CVE-2026-23552: Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Andrea Cosentino (Feb 18)
• MIT/Heimdal Kerberos credentials cache type FILE risks Solar Designer (Feb 18)
  • Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer (Feb 19)
    • Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery (Feb 19)
      • Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer (Feb 19)
      • Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery (Feb 19)
      • Re: MIT/Heimdal Kerberos credentials cache type FILE risks Jacob Bachmeyer (Feb 19)
      • Re: MIT/Heimdal Kerberos credentials cache type FILE risks Russ Allbery (Feb 19)
  • Re: MIT/Heimdal Kerberos credentials cache type FILE risks Tim Wadhwa-Brown (twadhwab) (Feb 22)
• Default IV & other issues in aes-js & pyaes modules, & strongMan VPN manager Alan Coopersmith (Feb 19)
  • Re: Default IV & other issues in aes-js & pyaes modules, & strongMan VPN manager Soatok Dreamseeker (Feb 19)
• OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure Joe Malcolm (Feb 20)
  • Re: OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure Eli Schwartz (Feb 20)
• CVE-2026-26079/CVE-2026-25916: Roundcube vulns prior to 1.5.13/1.6.13 Valtteri Vuorikoski (Feb 23)
• CVE-2025-27555: Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli Jarek Potiuk (Feb 23)
• CVE-2024-56373: Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information Jarek Potiuk (Feb 23)
• Re: Telnetd Vulnerability Report Justin Swartz (Feb 23)
  • Re: Telnetd Vulnerability Report Solar Designer (Feb 23)
    • Re: Telnetd Vulnerability Report Solar Designer (Feb 23)
      • Re: Telnetd Vulnerability Report Justin Swartz (Mar 07)
      • Re: Telnetd Vulnerability Report Solar Designer (Mar 07)
      • Re: Telnetd Vulnerability Report Justin Swartz (Mar 07)
      • Re: Telnetd Vulnerability Report Justin Swartz (Mar 07)
      • Re: Telnetd Vulnerability Report Solar Designer (Mar 08)
      • Re: Telnetd Vulnerability Report Justin Swartz (Mar 08)
      • Re: Telnetd Vulnerability Report Solar Designer (Mar 08)
      • Re: Re: Telnetd Vulnerability Report Pat Gunn (Mar 07)
  • Re: Telnetd Vulnerability Report Ron Ben Yizhak (Feb 24)
    • CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover (Feb 27)
      • Re: CVE-2026-28372: Telnetd Vulnerability Report Solar Designer (Mar 06)
      • Re: CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover (Mar 06)
      • Re: CVE-2026-28372: Telnetd Vulnerability Report Salvatore Bonaccorso (Mar 07)
      • Re: CVE-2026-28372: Telnetd Vulnerability Report Guillem Jover (Mar 07)
  • Message not available
    • Re: Re: Telnetd Vulnerability Report kf503bla (Feb 24)
      • Re: Telnetd Vulnerability Report Solar Designer (Feb 24)
      • Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM) (Feb 24)
      • Re: Telnetd Vulnerability Report Vincent Lefevre (Feb 24)
      • Message not available
      • Re: Telnetd Vulnerability Report kf503bla (Feb 25)
      • Re: Telnetd Vulnerability Report Solar Designer (Feb 25)
      • Re: Telnetd Vulnerability Report Steffen Nurpmeso (Feb 25)
      • Re: Telnetd Vulnerability Report Marco Moock (Feb 25)
      • Re: Telnetd Vulnerability Report Steffen Nurpmeso (Feb 25)
      • Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM) (Feb 25)
      • Re: Telnetd Vulnerability Report Albert Veli (Feb 26)
      • Re: Telnetd Vulnerability Report Lyndon Nerenberg (VE7TFX/VE6BBM) (Feb 26)
      • Re: Telnetd Vulnerability Report Eddie Chapman (Feb 24)
      • Re: Telnetd Vulnerability Report Justin Swartz (Feb 24)
      • Re: Telnetd Vulnerability Report Eddie Chapman (Feb 24)
      • Re: Re: Telnetd Vulnerability Report Marco Moock (Feb 25)
      • Re: Re: Telnetd Vulnerability Report Florian Weimer (Feb 26)
      • Re: Re: Telnetd Vulnerability Report Demi Marie Obenour (Feb 26)
• CVE-2026-23969: Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering Daniel Gaspar (Feb 24)
• CVE-2026-23980: Apache Superset: Improper Neutralization of Special Elements used in a SQL Command Daniel Gaspar (Feb 24)
• CVE-2026-23982: Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass Daniel Gaspar (Feb 24)
• CVE-2026-23983: Apache Superset: Sensitive Data Exposure via REST API (disabled by default) Daniel Gaspar (Feb 24)
• CVE-2026-23984: Apache Superset: SQLLab Read-Only Bypass on PostgreSQL Daniel Gaspar (Feb 24)
• Unsound Workshop at ECOOP 2026 Jan Bessai (Feb 24)
  • Re: Unsound Workshop at ECOOP 2026 Solar Designer (Feb 24)
• CVE-2026-27900 - Sensitive Information Exposure in Debug Logs of Terraform Provider for Linode Liang, Zhiwei (Feb 25)
• OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Alan Coopersmith (Feb 27)
  • Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Florian Weimer (Feb 27)
    • Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Demi Marie Obenour (Mar 01)
      • Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Florian Weimer (Mar 02)
      • Re: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization Demi Marie Obenour (Mar 03)
• [vim-security] OS Command Injection in netrw affects Vim < 9.2.0073 Christian Brabandt (Feb 27)
• [vim-security] Heap-based Buffer Overflow in Emacs tags parsing affects Vim < 9.2.0074 Christian Brabandt (Feb 27)
• [vim-security] Heap-based Buffer Underflow in Emacs tags parsing affects Vim < 9.2.0075 Christian Brabandt (Feb 27)
• [vim-security] Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076 Christian Brabandt (Feb 27)
• [vim-security] Multiple Vulnerabilities in Swap File Recovery affect Vim < 9.2.0077 Christian Brabandt (Feb 27)
• [vim-security] Stack-buffer-overflow in build_stl_str_hl() affects Vim < 9.2.0078 Christian Brabandt (Feb 27)
• CVE-2026-3255: HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function Robert Rothenberg (Feb 27)
• Fwd: CVE-2018-25160: HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend Robert Rothenberg (Feb 27)
• Exiv2 version 0.28.8 released with fixes for 3 low-severity CVEs Kevin Backhouse (Mar 02)
• CVE-2025-59060: Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient Velmurugan Periasamy (Mar 02)
• CVE-2025-59059: Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator Velmurugan Periasamy (Mar 02)
• Fwd: [siren] [Security Advisory] Active Exploitation of Weak GitHub Actions Configurations Solar Designer (Mar 02)
• Django CVE-2026-25673 and CVE-2026-25674 Natalia Bidart (Mar 03)
• CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Justin Bertram (Mar 03)
  • Re: CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Yogesh Mittal (Mar 04)
• CVE-2025-66168: Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated Christopher L. Shannon (Mar 03)
• [OSSA-2026-003] OpenStack Vitrage: Remote code execution through Vitrage query parser (CVE-2026-28370) Jeremy Stanley (Mar 03)
• Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338) Jan Schaumann (Mar 03)
• Announcing FreeType 2.14.2, fixes CVE-2026-23865 Alan Coopersmith (Mar 03)
• CVE-2024-57854: Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator Robert Rothenberg (Mar 05)
• CVE-2025-40926: Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely Robert Rothenberg (Mar 05)
• CVE-2025-40931: Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id Robert Rothenberg (Mar 05)
• CVE-2026-3257: UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library Robert Rothenberg (Mar 05)
• CVE-2026-3381: Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib Robert Rothenberg (Mar 05)
• Fwd: [CVE-2026-2297] SourcelessFileLoader does not use io.open_code() Alan Coopersmith (Mar 05)
• CVE-2025-13350 for Ubuntu Linux kernel Seth Arnold (Mar 05)
• Go 1.26.1 and Go 1.25.8 are released with 5 CVE fixes Alan Coopersmith (Mar 05)
• CVE-2025-69534 in Python-Markdown Alan Coopersmith (Mar 06)
• CVE-2026-24281: Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager Andor Molnar (Mar 07)
• CVE-2026-24308: Apache ZooKeeper: Sensitive information disclosure in client configuration handling Andor Molnar (Mar 07)
• CVE-2026-30909: Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows Timothy Legge (Mar 07)
• CVE-2026-30910: Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows Timothy Legge (Mar 07)
• AWStats awdownloadcsv.pl command injection and path traversal vulnerabilities christopher.downs (Mar 08)
  • Re: AWStats awdownloadcsv.pl command injection and path traversal vulnerabilities Hanno Böck (Mar 08)
• CVE-2025-69219: Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator Jarek Potiuk (Mar 08)
• CVE-2025-55017: Apache IoTDB: Path Traversal Vulnerability Haonan Hou (Mar 08)
• CVE-2025-64152: Apache IoTDB: Path Traversal Vulnerability Haonan Hou (Mar 08)
• CVE-2026-24713: Apache IoTDB: JEXL Expression Injection Vulnerability Haonan Hou (Mar 08)
• CVE-2026-24015: Apache IoTDB: Insecure Default Configuration Vulnerability Haonan Hou (Mar 08)
• CVE-2026-25604: Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass Jarek Potiuk (Mar 09)
• CVE-2026-28431+more: Misskey/Sharkey "extremely severe" vulnerabilities Valtteri Vuorikoski (Mar 09)
• [kubernetes] CVE-2026-3288: ingress-nginx rewrite-target nginx configuration injection Tabitha Sable (Mar 09)
• CVE-2026-23907: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Tilman Hausherr (Mar 10)
• [ADVISORY] curl: CVE-2026-1965: bad reuse of HTTP Negotiate connection Daniel Stenberg (Mar 10)
• [ADVISORY] curl: CVE-2026-3783: token leak with redirect and netrc Daniel Stenberg (Mar 10)
• [ADVISORY] curl: CVE-2026-3784: wrong proxy connection reuse with credentials Daniel Stenberg (Mar 11)
• [ADVISORY] curl: CVE-2026-3805: use after free in SMB connection reuse Daniel Stenberg (Mar 11)
• The GNU C Library security advisory update for 2026-03-11 Siddhesh Poyarekar (Mar 11)
• [vim-security] NFA regex engine NULL pointer dereference affects Vim < 9.2.0137 Christian Brabandt (Mar 11)
• CVE-2025-60012: Apache Livy: Restrict file access György Gál (Mar 12)
• CVE-2025-66249: Apache Livy: Unauthorized directory access György Gál (Mar 12)
• OpenSSH GSSAPI keyex patch issue Marc Deslauriers (Mar 12)
  • Re: OpenSSH GSSAPI keyex patch issue Solar Designer (Mar 14)
    • Re: OpenSSH GSSAPI keyex patch issue Dmitry Belyavskiy (Mar 14)
  • Re: OpenSSH GSSAPI keyex patch issue Dmitry Belyavskiy (Mar 18)
• Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Justin Swartz (Mar 12)
  • Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer (Mar 12)
    • Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk (Mar 12)
      • Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Paul Eggert (Mar 12)
  • Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer (Mar 12)
  • Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk (Mar 13)
• Multiple vulnerabilities in AppArmor Qualys Security Advisory (Mar 12)
  • Re: Multiple vulnerabilities in AppArmor Qualys Security Advisory (Mar 12)
• Some telnet clients leak environment variables Justin Swartz (Mar 13)
  • Re: Some telnet clients leak environment variables Stuart Henderson (Mar 13)
    • Re: Some telnet clients leak environment variables Solar Designer (Mar 14)
• CVE-2025-54920: Apache Spark: Spark History Server Code Execution Vulnerability Holden Karau (Mar 13)
• Foswi­ki 2.1.11 is re­leased, fixes CVE-2026-2861 Michael Daum (Mar 15)
  • Re: Foswi­ki 2.1.11 is re­leased, fixes CVE-2026-2861 Solar Designer (Mar 15)
    • Re: Foswi­ki 2.1.11 is re­leased, fixes CVE-2026-2861 Michael Daum (Mar 16)
• 10+ CVEs in GStreamer Solar Designer (Mar 15)
• [CVE-2026-4224] CPython Stack overflow parsing XML with deeply nested DTD content models Alan Coopersmith (Mar 16)
• [oss-security][CVE-2026-3644] CPython Incomplete control character validation in http.cookies Alan Coopersmith (Mar 16)
• CVE-2026-4177: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter Timothy Legge (Mar 16)
• [kubernetes] CVE-2026-3864: CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server Rita Zhang (Mar 17)
• CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization Rahul Vats (Mar 17)
• CVE-2026-28779: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications Rahul Vats (Mar 17)
• CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata Rahul Vats (Mar 17)
• CVE-2026-28563: Apache Airflow: DAG authorization bypass Rahul Vats (Mar 17)
• Xen Security Advisory 480 v3 (CVE-2026-23554) - Use after free of paging structures in EPT Xen . org security team (Mar 17)
• Xen Security Advisory 481 v2 (CVE-2026-23555) - Xenstored DoS by unprivileged domain Xen . org security team (Mar 17)
• snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Qualys Security Advisory (Mar 17)
  • Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Michal Zalewski (Mar 17)
    • Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) Michael Orlitzky (Mar 17)
• libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) Sebastian Pipping (Mar 17)
  • Re: libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) Alan Coopersmith (Mar 17)
• [SBA-ADV-20251205-01] LibreChat 0.8.1-rc2 RAG API Authentication Bypass SBA Research Security Advisory (Mar 18)

Previous period

Next period