oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	92	64
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2025/02/22 #1: Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (Solar Designer <solar@...nwall.com>)
2025/02/21 #5: Re: CVE-2025-26794: Exim: SQL injection (Solar Designer <solar@...nwall.com>)
2025/02/21 #4: CVE-2025-26794: Exim: SQL injection (Heiko Schlittermann <hs@...marc.schlittermann.de>)
2025/02/21 #3: Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (Qualys Security Advisory <qsa@...lys.com>)
2025/02/21 #2: OpenH264 Decoding Functions Heap Overflow Vulnerability (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/02/21 #1: Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (Jordy Zomer <jordy@...ing.systems>)
2025/02/20 #1: Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enablin… (Solar Designer <solar@...nwall.com>)
2025/02/19 #1: Exim: CVE-2025-26794: upcoming security release (Heiko Schlittermann <hs@...marc.schlittermann.de>)
2025/02/18 #4: Announce: OpenSSH 9.9p2 released (Damien Miller <djm@....openbsd.org>)
2025/02/18 #3: GRUB CVE disclosures (Jan Setje-Eilers <Jan.SetjeEilers@...cle.com>)
2025/02/18 #2: Multiple vulnerabilities in libxml2 (Nick Wellnhofer <wellnhofer@...um.de>)
2025/02/18 #1: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (Qualys Security Advisory <qsa@...lys.com>)
2025/02/17 #2: Multiple Vulnerabilities in U-Boot (Richard Weinberger <richard@...ma-star.at>)
2025/02/17 #1: Multiple Vulnerabilities in Barebox (Richard Weinberger <richard@...ma-star.at>)
2025/02/16 #3: Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enab… (James Addison <james@...iperadar.com>)
2025/02/16 #2: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling ps… (Solar Designer <solar@...nwall.com>)
2025/02/16 #1: [vim-security] heap use-after-free in str_to_reg() in Vim < (Christian Brabandt <cb@...bit.org>)
2025/02/14 #8: [CVE-2024-3220] CPython: Default mimetype known files writeable on Windows (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/02/14 #7: CVE-2024-56180: Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution (Xue Weiming <mikexue@...che.org>)
2025/02/14 #6: Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() (Daniel Gutson <danielgutson@...il.com>)
2025/02/14 #5: Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() (Nick Wellnhofer <wellnhofer@...um.de>)
2025/02/14 #4: CVE-2025-23359: Nvidia-container-toolkit: GPU Container Escape (CVE-2024-0132 fix bypass) ("Yupeng(Roc)" <roc.yupeng@...wei.com>)
2025/02/14 #3: Re: Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. (sjw@....ch)
2025/02/14 #2: CVE-2024-52577: Apache Ignite: Possible RCE when deserializing incoming messages by the server node (Nikita Amelchev <namelchev@...che.org>)
2025/02/14 #1: Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. ("upper.underflow" <upper.underflow@...ton.me>)
2025/02/13 #5: Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() (Daniel Gutson <danielgutson@...il.com>)
2025/02/13 #4: Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() (Rich Felker <dalias@...c.org>)
2025/02/13 #3: Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() (Rich Felker <dalias@...c.org>)
2025/02/13 #2: CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv() (Rich Felker <dalias@...c.org>)
2025/02/13 #1: [kubernetes] CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API (Craig Ingram <cjingram@...gle.com>)
2025/02/12 #2: CVE-2024-46910: Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user (Madhan Neethiraj <madhan@...che.org>)
2025/02/12 #1: CVE-2024-32838: Apache Fineract: SQL injection vulnerabilities in offices API endpoint (Arnout Engelen <engelen@...che.org>)
2025/02/11 #4: Re: CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected (sjw@....ch)
2025/02/11 #3: CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected (Tomas Mraz <tomas@...nssl.org>)
2025/02/11 #2: CVE-2025-26467: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe a… (Paulo Motta <paulo@...che.org>)
2025/02/11 #1: Re: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsa… (Paulo Motta <paulo@...che.org>)
2025/02/10 #1: FELIX-6751: CVE-2025-25247: Apache Felix Webconsole: XSS in services console (Carsten Ziegeler <cziegeler@...che.org>)
2025/02/09 #1: WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001 (Adrian Perez de Castro <aperez@...lia.com>)
2025/02/07 #4: CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability (Mingyang Liu <twice@...che.org>)
2025/02/07 #3: Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) (Jacob Bachmeyer <jcb62281@...il.com>)
2025/02/07 #2: Re: AMD Microcode Signature Verification Vulnerability (Jacob Bachmeyer <jcb62281@...il.com>)
2025/02/07 #1: Re: AMD Microcode Signature Verification Vulnerability (trinity pointard <trinity.pointard@...il.com>)
2025/02/06 #7: Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) ("Douglas R. Reno" <renodr@...uxfromscratch.org>)
2025/02/06 #6: Fwd: libtasn1-4.20.0 released [fixes CVE-2024-12133] (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/02/06 #5: Linux: kernel BUG at fs/ocfs2/refcounttree.c:2678 ocfs2_refcount_cal_cow_clusters in 6.13.0 (Solar Designer <solar@...nwall.com>)
2025/02/06 #4: Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow (Fay Stegerman <flx@...usk.net>)
2025/02/06 #3: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) (Matthias Gerstner <mgerstner@...e.de>)
2025/02/06 #2: Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow (Daniel Stenberg <daniel@...x.se>)
2025/02/06 #1: Re: AMD Microcode Signature Verification Vulnerability (Jacob Bachmeyer <jcb62281@...il.com>)
2025/02/05 #8: CVE-2025-23419: nginx: Client certificate authentication bypass with TLSv1.3 and session resumption (Solar Designer <solar@...nwall.com>)
2025/02/05 #7: CVE-2024-45626: Apache James: denial of service through JMAP HTML to text conversion (Benoit Tellier <btellier@...che.org>)
2025/02/05 #6: CVE-2024-37358: Apache James: denial of service through the use of IMAP literals (Benoit Tellier <btellier@...che.org>)
2025/02/05 #5: Re: [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close (Demi Marie Obenour <demi@...isiblethingslab.com>)
2025/02/05 #4: Curl SSH Insufficient Host Identity Verification (Harry Sintonen <sintonen@....fi>)
2025/02/05 #3: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow (Daniel Stenberg <daniel@...x.se>)
2025/02/05 #2: [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close (Daniel Stenberg <daniel@...x.se>)
2025/02/05 #1: [SECURITY ADVISORY] curl: CVE-2025-0167: netrc and default credential leak (Daniel Stenberg <daniel@...x.se>)
2025/02/04 #4: KL-001-2025-002: Checkmk NagVis Remote Code Execution (KoreLogic Disclosures <disclosures@...elogic.com>)
2025/02/04 #3: KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting (KoreLogic Disclosures <disclosures@...elogic.com>)
2025/02/04 #2: CVE-2024-48019: Apache Doris: allows admin users to read arbitrary files through the REST API (Mingyu Chen <morningman@...che.org>)
2025/02/04 #1: Re: AMD Microcode Signature Verification Vulnerability (Solar Designer <solar@...nwall.com>)
2025/02/03 #3: CVE-2025-24860: Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to diff… (Paulo Motta <paulo@...che.org>)
2025/02/03 #2: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe a… (Paulo Motta <paulo@...che.org>)
2025/02/03 #1: CVE-2024-27137: Apache Cassandra: unrestricted deserialization of JMX authentication credentials (Paulo Motta <paulo@...che.org>)
2025/01/29 #2: Re: Oracle January 2025 Critical Patch Update (John Haxby <john.haxby@...cle.com>)
2025/01/29 #1: ISC has disclosed two vulnerabilities in BIND 9 (CVE-2024-11187, CVE-2024-12705) (Matthijs Mekking <matthijs@....org>)
2025/01/28 #4: CVE-2024-29869: Apache Hive: Credentials file created with non restrictive permissions (Ayush Saxena <ayushsaxena@...che.org>)
2025/01/28 #3: CVE-2024-23953: Apache Hive: Timing Attack Against Signature in LLAP util (Ayush Saxena <ayushsaxena@...che.org>)
2025/01/28 #2: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Pete Allor <pallor@...hat.com>)
2025/01/28 #1: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Florian Weimer <fweimer@...hat.com>)
2025/01/27 #6: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Pete Allor <pallor@...hat.com>)
2025/01/27 #5: Re: issue with stuck Mitre CVE requests (Pete Allor <pallor@...hat.com>)
2025/01/27 #4: Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Bruce Lowenthal <bruce.lowenthal@...cle.com>)
2025/01/27 #3: CVE-2025-24783: Apache Cocoon: continuations may not be private (Arnout Engelen <engelen@...che.org>)
2025/01/27 #2: Re: issue with stuck Mitre CVE requests (Johannes Segitz <jsegitz@...e.de>)
2025/01/27 #1: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Florian Weimer <fweimer@...hat.com>)
2025/01/26 #3: Re: dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) ("U.Mutlu" <um4711@...luit.com>)
2025/01/26 #2: CVE-2024-52012: Apache Solr: Configset upload on Windows allows arbitrary path write-access (Jason Gerlowski <gerlowskija@...che.org>)
2025/01/26 #1: CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files (Jason Gerlowski <gerlowskija@...che.org>)
2025/01/25 #6: Re: Oracle January 2025 Critical Patch Update (Sam James <sam@...too.org>)
2025/01/25 #5: Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update ("Douglas R. Reno" <renodr@...uxfromscratch.org>)
2025/01/25 #4: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Pete Allor <pallor@...hat.com>)
2025/01/25 #3: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Greg KH <greg@...ah.com>)
2025/01/25 #2: Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
2025/01/25 #1: Re: issue with stuck Mitre CVE requests (Mark Esler <mark.esler@...onical.com>)
2025/01/24 #6: 7-Zip Mark-of-the-Web Bypass Vulnerability on Windows platforms (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/24 #5: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/24 #4: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Bruce Lowenthal <bruce.lowenthal@...cle.com>)
2025/01/24 #3: dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) (Matthias Gerstner <mgerstner@...e.de>)
2025/01/24 #2: Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update ("Douglas R. Reno" <renodr@...uxfromscratch.org>)
2025/01/24 #1: Re: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
2025/01/23 #8: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
2025/01/23 #7: Re: issue with stuck Mitre CVE requests (Pete Allor <pallor@...hat.com>)
2025/01/23 #6: Re: Oracle January 2025 Critical Patch Update (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/23 #5: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Bruce Lowenthal <bruce.lowenthal@...cle.com>)
2025/01/23 #4: Re: Oracle January 2025 Critical Patch Update (John Haxby <john.haxby@...cle.com>)
2025/01/23 #3: Re: issue with stuck Mitre CVE requests (Matthias Gerstner <mgerstner@...e.de>)
2025/01/23 #2: Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() (Qualys Security Advisory <qsa@...lys.com>)
2025/01/23 #1: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
2025/01/22 #12: CVE-2024-53299: Apache Wicket: An attacker can intentionally trigger a memory leak (Pedro Henrique Oliveira dos Santos <pedro@...che.org>)

30855 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.